Brute Force Password Cracking and its Role in Penetration Testing Andrew Keener and Uche Iheadindu.

Background A cryptographic hash function is an algorithm that takes an arbitrary block of data and returns a fixed-size bit string, the (cryptographic) hash value. Many corporations store passwords as hash values rather than in plaintext. Note that hashing is not encryption: there is no key and no decryption step. The system verifies a login by hashing the submitted password and comparing the result with the stored value, so an attacker who obtains the stored hashes can only recover passwords by guessing candidates and hashing them, which is exactly what the cracking tools below automate. Password strength can therefore be a key vulnerability in large corporations without proper policies on password security.

Password Security in Relation to Penetration Testing Penetration testing involves trying to take control of systems and obtain data. One of the ways this is accomplished is by exploiting weak password schemes. If password auditing is not part of your penetration testing, you leave yourself open to a likely breach.

Password Cracking: What are we trying to prevent? There are several methods of password cracking. Brute-force cracking: the computer tries every possible key or password until it succeeds; the number of guesses grows exponentially with password length. Dictionary attacks, pattern checking, word-list substitution (mangling rules such as appending digits or swapping letters for look-alike symbols), etc. attempt to reduce the number of trials required and are usually attempted before brute force, because most human-chosen passwords are words or simple variations of them. When the attacker has a copy of the hashes, all of this runs offline, so account lockouts and rate limits do not help; only password strength and a slow, salted hash function slow the attacker down.
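The two approaches just described, as an added example that is not code from the presentation or from any of the tools it mentions. The target hash, the word list and the mangling rules are all constructed here for illustration; SHA-1 is used only as a stand-in for the fast, unsalted hash formats (LM, NTLM, MD5) that GPU crackers target, since the point is the number of guesses each method needs, not the particular algorithm:

```python
import hashlib
import itertools
import string


def sha1_hex(text):
    """Hash a candidate password the way a fast, unsalted password store would."""
    return hashlib.sha1(text.encode()).hexdigest()


# Constructed target: the SHA-1 digest of a deliberately weak password.
# This is an added illustration, not data from the presentation.
TARGET = sha1_hex("pass1")

# Constructed mini word list. A real audit uses a list of millions of entries.
WORDLIST = ["letmein", "password", "pass", "admin", "welcome"]


def leet(word):
    """Word-list substitution rule: a->4, e->3, i->1, o->0, s->5."""
    return word.translate(str.maketrans("aeios", "43105"))


def candidates_from_rules(word):
    """Expand one dictionary word with simple mangling rules, in a fixed order:
    case variants and leet-speak, each followed by a digit or a year suffix."""
    variants = list(dict.fromkeys([word, word.capitalize(), word.upper(), leet(word)]))
    for w in variants:
        yield w
        for n in range(10):
            yield f"{w}{n}"
        for year in range(2000, 2015):
            yield f"{w}{year}"


def dictionary_attack(target_hex, words, hash_fn=sha1_hex):
    """Try every word and its rule-generated variants. Returns (password, guesses)."""
    guesses = 0
    for word in words:
        for cand in candidates_from_rules(word):
            guesses += 1
            if hash_fn(cand) == target_hex:
                return cand, guesses
    return None, guesses


def brute_force(target_hex, charset, max_len, hash_fn=sha1_hex):
    """Exhaustively try every string over `charset` of length 1..max_len.
    Returns (password, guesses); the guess count grows as len(charset) ** length."""
    guesses = 0
    for length in range(1, max_len + 1):
        for tup in itertools.product(charset, repeat=length):
            guesses += 1
            cand = "".join(tup)
            if hash_fn(cand) == target_hex:
                return cand, guesses
    return None, guesses


if __name__ == "__main__":
    pw, n = dictionary_attack(TARGET, WORDLIST)
    print(f"dictionary + rules: {pw!r} after {n} guesses")
    # The same password is out of reach for a short brute-force run: every extra
    # character multiplies the work by the alphabet size (36 here).
    pw, n = brute_force(TARGET, string.ascii_lowercase + string.digits, 4)
    print(f"brute force, lowercase+digits up to 4 chars: {pw!r} after {n} guesses")
```

The dictionary run recovers the password in a few hundred guesses because it is a common word plus a digit, while the brute-force run exhausts 1.7 million four-character candidates without reaching it; five characters over the same alphabet would be about 60 million more. A real cracker does the same thing at hundreds of millions of guesses per second and with far richer rule sets.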

Password length and relative security

Focus of this presentation: brute force, with a Hash Suite demo.

Other tools: ighashgpu; another good cracker: hashcat (hashcat.net).

GPU vs CPU hashing comparison Laptop (AMD A8-3400M, 4 cores): averages about 100 million password guesses per second (measured on 6-character passwords). Desktop (GPU: ATI Radeon HD, … cores): averages about 2.2 billion guesses per second (measured on 7-character passwords). These rates are for fast, unsalted hashes; a deliberately slow password hash (bcrypt, PBKDF2 and the like) cuts guesses per second by orders of magnitude, but the password policy should not assume the target uses one. This is why current recommendations are for no fewer than 12 characters, using uppercase, lowercase, digits, and special characters.
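To see why those guess rates lead to a 12-character recommendation, here is an added example (not from the presentation) that turns the two quoted rates into worst-case exhaustive-search times for each character class and length. It assumes the rate is the same at every length, which holds for a fast unsalted hash, and the 94-character "all printable" alphabet is the editor's reading of "uppercase, lowercase, digits, and special characters":

```python
import string

# Alphabets by character class; "all printable" is the mix the recommendation
# calls for (94 printable ASCII characters).
ALPHABETS = {
    "lowercase": string.ascii_lowercase,                                          # 26
    "lowercase+digits": string.ascii_lowercase + string.digits,                   # 36
    "mixed case+digits": string.ascii_letters + string.digits,                    # 62
    "all printable": string.ascii_letters + string.digits + string.punctuation,   # 94
}

# Guess rates quoted on the slide, in guesses per second. Assumption: the rate
# does not depend on password length (true for fast, unsalted hashes).
RATES = {"laptop CPU": 100e6, "desktop GPU": 2.2e9}


def keyspace(alphabet_size, max_len):
    """Number of candidate strings of length 1..max_len over an alphabet."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def seconds_to_exhaust(alphabet_size, max_len, rate):
    """Worst-case time to try the whole space; on average the hit comes at half this."""
    return keyspace(alphabet_size, max_len) / rate


def human(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def estimate_table(lengths=(6, 7, 8, 10, 12)):
    """One row per (alphabet, length, machine): worst-case exhaustive search time."""
    rows = []
    for name, alphabet in ALPHABETS.items():
        for length in lengths:
            for machine, rate in RATES.items():
                rows.append((name, length, machine,
                             human(seconds_to_exhaust(len(alphabet), length, rate))))
    return rows


if __name__ == "__main__":
    for name, length, machine, t in estimate_table():
        print(f"{name:18} len {length:2}  {machine:12} {t}")
    # Hypothetical slow hash: if each guess cost 100,000 times more than the
    # fast hash benchmarked on the slide, the GPU rate drops accordingly.
    slow_rate = RATES["desktop GPU"] / 100_000
    print("8 chars, all printable, GPU, hypothetical slow hash:",
          human(seconds_to_exhaust(94, 8, slow_rate)))
```

Reading the table: six lowercase characters fall to the laptop in seconds, seven characters from the full 94-symbol set fall to the GPU in hours, and only at 12 characters from the full set does the worst case reach millions of years at the quoted rate. Attackers also add more GPUs and crack many hashes at once, so the margin is needed.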

Questions?

Sources:
Wikipedia, Cryptographic Hash Function: h_function#Password_verification
Wikipedia, Password Cracking: