"Using An Enhanced Dictionary to Facilitate Auditing Techniques Related to Brute Force SSH and FTP Attacks" Ryan McDougall St. Cloud State University E-mail:


About Me
SCSU Student
Student Network Administrator for Computer Networking Department
Research Assistant in Business Computing Research Lab

Overview
Accounts
Audits on Accounts
Dictionary Attacks
Focus on Username vs. Password
Dictionary creation for username emphasis
Distributed attack scenario

Accounts
Username
Password (Security Control)
Passwords are a security control to prevent unauthorized access.

Auditing
Account auditing (in IT Security) is the proactive evaluation of the security controls in place to protect the accounts from unauthorized access.
How can you audit?

Dictionary Attacks
Guessing possible user name and password combinations.
Usually carried out with utilities that make numerous attempts (e.g., THC Hydra).
These utilities use compilations of user names and passwords (dictionaries).

Dictionary Creation
When dictionaries are created, the emphasis tends to be on passwords, paired with common usernames.
Username vs. Password emphasis
Rockyou.com incident – A breach led to the release of 32 million passwords.

Rockyou.com Incident

Rockyou.com Incident
“If a hacker would have used the list of the top 5000 passwords as a dictionary for brute force attack on Rockyou.com users, it would take only one attempt (per account) to guess 0.9% of the users passwords or a rate of one success per 111 attempts. Assuming an attacker with a DSL connection of 55KBPS upload rate and that each attempt is 0.5KB in size, it means that the attacker can have 110 attempts per second. At this rate, a hacker will gain access to one new account every second or just less than 17 minutes to compromise 1000 accounts.”

Dictionary Creation
Considering the Rockyou.com incident, there is reason to believe it might be more efficient to use dictionaries that put heavy emphasis on usernames.
We can write a simple program, which I choose to write in C++.

Dictionary Creation
This program takes input files and uses nested for loops and arrays of records to piece the username dictionaries together.
The output with this proof of concept is in the format $(x_1 y_1 y_2 y_3 \ldots y_n)$, where $x_1$ is the first letter of a first name and $y_1$ through $y_n$ are the characters that make up a last name.
This can be easily adjusted for different user name formats.

Sample Output
***This only shows a small section of the ‘a’ first name combinations***

Distributed Attack Scenario

A distributed method will provide a more efficient attack. Dictionaries are divided up between attackers using ‘chunking’. May aid in avoiding security controls put in place to ban accounts/IP addresses.
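
An added example, not part of the original presentation: C++ (the language the slides name) detection logic for the audit side of the username format and the distributed scenario described above. It counts OpenSSH failed-password records per source address and across the whole log, so a run whose per-address counts stay under a ban threshold is still visible in aggregate. The log lines, surnames, and both thresholds are constructed assumptions.

```cpp
#include <iostream>
#include <map>
#include <set>
#include <sstream>
#include <string>
#include <vector>

struct Report {
    std::map<std::string, int> perIp;  // failed attempts per source address
    std::set<std::string> users;       // distinct usernames tried, all sources
    int patternHits = 0;               // names shaped like initial + roster surname
    bool perIpAlarm = false, aggregateAlarm = false;  // per-address rule vs whole log
};

static bool parseFailure(const std::string& line, std::string& user, std::string& ip) {
    std::size_t p = line.find("Failed password for ");  // OpenSSH failure record
    if (p == std::string::npos) return false;
    std::istringstream in(line.substr(p + 20));          // text after "for "
    std::string tok;
    if (!(in >> user)) return false;
    if (user == "invalid") in >> tok >> user;            // skip the words "invalid user"
    return (in >> tok >> ip) && tok == "from";
}

Report analyze(const std::vector<std::string>& log, const std::set<std::string>& surnames,
               int perIpLimit, std::size_t distinctUserLimit) {  // limits are assumptions
    Report r;
    for (const std::string& line : log) {
        std::string user, ip;
        if (!parseFailure(line, user, ip)) continue;     // ignore non-failure lines
        if (++r.perIp[ip] > perIpLimit) r.perIpAlarm = true;
        r.users.insert(user);
        if (surnames.count(user.substr(1))) ++r.patternHits;  // x1 followed by y1..yn
    }
    r.aggregateAlarm = r.users.size() >= distinctUserLimit;
    return r;
}
std::vector<std::string> sampleLog() {  // constructed lines, documentation addresses
    return {"sshd[811]: Failed password for invalid user asmith from 192.0.2.10 port 4001 ssh2",
            "sshd[812]: Failed password for invalid user bsmith from 198.51.100.7 port 4002 ssh2",
            "sshd[813]: Failed password for invalid user csmith from 203.0.113.9 port 4003 ssh2",
            "sshd[814]: Failed password for ajones from 192.0.2.10 port 4004 ssh2",
            "sshd[815]: Failed password for invalid user bjones from 198.51.100.7 port 4005 ssh2",
            "sshd[816]: Accepted password for rmiller from 192.0.2.50 port 4006 ssh2"};
}
int main() {
    Report r = analyze(sampleLog(), {"smith", "jones"}, 3, 5);
    std::cout << "per-IP alarm: " << r.perIpAlarm << ", aggregate alarm: " << r.aggregateAlarm << "\n";
}
```

On the sample, no address exceeds three failures, so a per-address ban rule stays silent while the aggregate count of five distinct usernames raises the alarm.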

Q/A
Any questions?