Brute Force Password Cracking and its Role in Penetration Testing Andrew Keener and Uche Iheadindu.


1 Brute Force Password Cracking and its Role in Penetration Testing Andrew Keener and Uche Iheadindu

2 Background: A cryptographic hash function is an algorithm that takes an arbitrary block of data and returns a fixed-size bit string, the (cryptographic) hash value. Cryptographic hash functions are used to hash stored passwords in many corporations. Password strength can be a key vulnerability in large corporations without proper policies on password security.

3 Password Security in Relation to Penetration Testing: Penetration testing involves trying to take control over systems and obtain data. One of the ways this is accomplished is by exploiting weak password schemes. If password auditing is not a part of penetration testing, you leave yourself open to the likelihood of a breach.

4 Password Cracking, What are we trying to prevent? There are several methods for password cracking available. Brute-force cracking, in which a computer tries every possible key or password until it succeeds. Dictionary attacks, pattern checking, word list substitution, etc., attempt to reduce the number of trials required and will usually be attempted before brute force.

5 Password length and relative security

6 Focus of this presentation: Brute Force. http://hashsuite.openwall.net - Hash Suite Demo

7 http://www.golubev.com/blog - ighashgpu. Another good open source program: HashCat: HashCat.net

8 GPU vs CPU hashing comparison: Laptop (AMD A8 3400M... 4 cores): averages about 100 million passwords per second (6 characters). Desktop (GPU: ATI Radeon HD 5970... 40 cores): averages about 2.2 billion passwords per second (7 characters). This is why current recommendations call for no less than 12 characters using uppercase, lowercase, digits, and special characters.
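The guess rates and the 12-character recommendation on this slide can be checked with keyspace arithmetic when sizing a password policy. The following is an added example, not part of the original presentation; it assumes a 94-symbol printable-ASCII alphabet and treats the two quoted rates as constant, since the slides do not say which hash they were measured against.

```python
import string

# Guess rates quoted on slide 8 (passwords per second).
CPU_RATE = 100_000_000      # laptop, AMD A8 3400M
GPU_RATE = 2_200_000_000    # desktop, ATI Radeon HD 5970
YEAR = 31_557_600           # seconds in a Julian year

# Character classes named in the slide's recommendation (printable ASCII assumed).
CLASSES = {
    "lower": len(string.ascii_lowercase),
    "upper": len(string.ascii_uppercase),
    "digits": len(string.digits),
    "special": len(string.punctuation),
}
FULL = sum(CLASSES.values())  # 94 symbols

def keyspace(alphabet, max_len):
    """Candidates an exhaustive search must cover: every length 1..max_len."""
    return sum(alphabet ** n for n in range(1, max_len + 1))

def worst_case_seconds(alphabet, max_len, rate):
    """Seconds to try the whole keyspace at `rate` guesses per second."""
    return keyspace(alphabet, max_len) / rate

def min_length_for(alphabet, rate, target_seconds):
    """Shortest policy length whose full search lasts at least target_seconds."""
    length = 1
    while worst_case_seconds(alphabet, length, rate) < target_seconds:
        length += 1
    return length

def human(seconds):
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", YEAR), ("days", 86_400), ("hours", 3_600)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"

if __name__ == "__main__":
    for label, alphabet in (("lowercase only", 26), ("all four classes", FULL)):
        for length in (6, 7, 8, 12):
            cpu = human(worst_case_seconds(alphabet, length, CPU_RATE))
            gpu = human(worst_case_seconds(alphabet, length, GPU_RATE))
            print(f"{label:17} len<={length:2}  CPU {cpu:>22}  GPU {gpu:>22}")
        print(f"{label}: min length for a 100-year GPU search =",
              min_length_for(alphabet, GPU_RATE, 100 * YEAR))
```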

9 Questions?


