Password cracking Patrick Sparrow, Matt Prestifillipo, Bill Kazmierski.

Slides:



Advertisements
Similar presentations
Password Cracking Lesson 10. Why crack passwords?
Advertisements

Operating Systems Security 1. The Boot Sequence The action of loading an operating system into memory from a powered-off state is known as booting or.
The Cain Tool Presented by: Sagar Chivate CS 685F.
Password CrackingSECURITY INNOVATION © Sidebar – Password Cracking We have discussed authentication mechanisms including authenticators. We also.
Section 3.2: Operating Systems Security
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.
Cryptography and Network Security Chapter 20 Intruders
Anti-Hacker Tool Kit Password Cracking Brute-Force Tools Chapter 9
MIS Week 13 Site:
1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.
Sanjay Goel University at Albany, School of Business NYS Center for Information Forensics and Assurance 1 Password Protection.
Sanjay Goel, School of Business/NYS Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Chapter 2 Accessing Your System and the Common Desktop Environment.
CSCI 530 Lab Authentication. Authentication is verifying the identity of a particular person Example: Logging into a system Example: PGP – Digital Signature.
Information Security and Cybercrimes
A Comparison of the Security of Windows NT and UNIX Hans Hedbom, Stefan Lindskog, Stefan Axelsson and Erland Jonsson Originally presented at the Third.
Text passwords Hazim Almuhimedi. Agenda How good are the passwords people are choosing? Human issues The Memorability and Security of Passwords Human.
Nothing is Safe 1. Overview  Why Passwords?  Current Events  Password Security & Cracking  Tools  Demonstrations Linux GPU Windows  Conclusions.
MS systems use one of the following: LanManager Hash (LM) LanManager Hash (LM) NT LanManager (NTLM) NT LanManager (NTLM) Cached passwords Cached passwords.
FORESEC Academy FORESEC Academy Security Essentials (II)
Yvan Cartwright, Web Security Introduction Correct encryption use Guide to passwords Dictionary hacking Brute-force hacking.
Windows This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material. Dr. Stephen.
Introduction to Linux Installing Linux User accounts and management Linux’s file system.
IS 302: Information Security and Trust Week 7: User Authentication (part I) 2012.
The Truth About Protecting Passwords COEN 150: Intro to Information Security Mary Le Carol Reiley.
Chapter 4 System Hacking: Password Cracking, Escalating Privileges, & Hiding Files.
System Hacking Techniques
Guide to Linux Installation and Administration, 2e1 Chapter 8 Basic Administration Tasks.
CIS 450 – Network Security Chapter 8 – Password Security.
Mark Shtern. Passwords are the most common authentication method They are inherently insecure.
1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.
Users Greg Porter V1.0, 26 Jan 09. What is a user? Users “own” files and directories Permission based on “ownership” Every user has a User ID (UID) 
Password authentication Basic idea –User has a secret password –System checks password to authenticate user Issues –How is password stored? –How does system.
Introduction to Information Security Network Traversal nirkrako at post.tau.ac.il itamargi at post.tau.ac.il.
How Safe are They?. Overview Passwords Cracking Attack Avenues On-line Off-line Counter Measures.
Operating Systems Security 1. The Boot Sequence The action of loading an operating system into memory from a powered-off state is known as booting or.
Password Security. Overview What are passwords, why are they used? Different types of attacks Bad password practices to avoid Good password practices.
Password Cracking By Allison Ramondetta & Christine Giordano.
Protecting Your Password
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
CNIT 124: Advanced Ethical Hacking Ch 9: Password Attacks.
Lecture 5 User Authentication modified from slides of Lawrie Brown.
1 AHM -2-4 Sept 2003 e-Science Centre Running SRB Ananta Manandhar.
Lesson 3-Touring Utilities and System Features. Overview Employing fundamental utilities. Linux terminal sessions. Managing input and output. Using special.
Password. On a Unix system without Shadow Suite, user information including passwords is stored in the /etc/passwd file. Each line in /etc/passwd is a.
Ethical Hacking: Defeating Logon Passwords. 2 Contact Sam Bowne Sam Bowne Computer Networking and Information Technology Computer Networking and Information.
System Hacking (Gaining Access) Additions to CEH ed 8, Rev 4 CS3695 – Network Vulnerability Assessment & Risk Mitigation–
Module 4 Password Cracking
CSC414 “Introduction to UNIX/ Linux” Lecture 6. Schedule 1. Introduction to Unix/ Linux 2. Kernel Structure and Device Drivers. 3. System and Storage.
Password Security Module 8. Objectives Explain Authentication and Authorization Provide familiarity with how passwords are used Identify the importance.
Chapter 12: Authentication Basics Passwords Challenge-Response Biometrics Location Multiple Methods Computer Security: Art and Science © Matt.
Approaches to Intrusion Detection statistical anomaly detection – threshold – profile based rule-based detection – anomaly – penetration identification.
CSCI 530 Lab Passwords. Overview Authentication Passwords Hashing Breaking Passwords Dictionary Hybrid Brute-Force Rainbow Tables Detection.
LINUX Presented By Parvathy Subramanian. April 23, 2008LINUX, By Parvathy Subramanian2 Agenda ► Introduction ► Standard design for security systems ►
Managing Users CSCI N321 – System and Network Administration Copyright © 2000, 2011 by Scott Orr and the Trustees of Indiana University.
CIS 450 – Network Security Chapter 10 – UNIX Password Crackers.
Chapter Six: Authentication 2013 Term 2 Access Control Two parts to access control Authentication: Are you who you say you are?  Determine whether access.
Understanding Security Policies Lesson 3. Objectives.
Password Cracking COEN 252 Computer Forensics. Social Engineering Perps trick Law enforcement, private investigators can ask. Look for clues: Passwords.
COEN 252 Computer Forensics
Penetration Testing Offline Password Cracking
I have edited and added material.
Password Cracking Lesson 10.
IIT Indore © Neminah Hubballi
Information Assurance Day Course
Advanced Penetration testing
Advanced Penetration testing
Advanced Penetration testing
Cyber Operation and Penetration Testing Online Password Cracking Cliff Zou University of Central Florida.
Network Penetration Testing & Defense
Presentation transcript:

Password cracking Patrick Sparrow, Matt Prestifillipo, Bill Kazmierski

Overview Who uses password crackers? List of programs needed Gain access to password list Password Salting Installing John the Ripper How to use PwDump2 and John the Ripper How to make a strong password

Who uses password crackers? System Administrators –Test the strength of the user’s password Hackers –Gain access to the user’s account

List of programs needed Pwdump2 –Retrieves user accounts and passwords in Windows and puts the information into a hash table (not needed in Unix) John the Ripper –Uses hash table from pwdump2 and cracks password

John the Ripper cont. Runs against various encrypted password formats including: Unix (based on DES, MD5, or Blowfish), Kerberos AFS, and Windows NT/2000/XP/2003 LM hash It operates by the so-called dictionary attack. It takes text string samples (usually from a file containing words found in a dictionary), encrypting it in the same format as the password being examined, and comparing the output to the encrypted string. It also can operate by the incremental attack. Where JTR tries every possible character combination as passwords. –Several thousand possibilities can be tried per second –Most sufficient way of cracking passwords in the past several decades

Gain Password List Windows –Use Pwdump2 to get SAM file when logged into account –Use a Live Bootable OS CD (Knoppix) to by-pass user login and change directory to the Windows SAM File and dump to disk Unix –Unshadow password in /etc/passwd./unshadow /etc/passwd /etc/master.passwd > pass.txt –ypcat passwd when NIS is used –Use Live Bootable OS CD (Knoppix)

Password Salting Salts help strengthen the password list The salt is suffixed with random values to the password before encrypting it; the salt is stored along with the encrypted password in the hash Salts are different for each user, the attacker can no longer use a single encrypted version of each candidate password. –Makes for longer time of cracking passwords –More difficult for dictionary attack

Installing Pwdump2 and JTR Simply extract both programs to separate directories, no install needed for Windows For Unix: –CD to./src of the JTR dir after extraction. –make –make clean generic

How to use Pwdump2 and JTR

How to make a strong password Do not use single dictionary words Use a combination of words with a punctuation mark in between each word, along with a mix of upper and lower case letters for each word

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.