
Password Cracking – Security Innovation ©2003 (presentation transcript)


Slide 1: Sidebar – Password Cracking

We have discussed authentication mechanisms including authenticators. We also indicated that anything short of one-time passwords was not strong password authentication. So how are passwords broken? By guessing and by cracking.

Guessing:
- Find or guess a user's identifier
- Create a list of possible passwords
- Try each one
- On success you are in; otherwise keep trying

Guessing is hampered by the unsuccessful-login lockout: if n attempts fail, the account is locked for m minutes, with n and m configurable by the administrator.

Slide 2: Windows NT Passwords

- Length: anywhere from 0 to 14 characters (14 is the limit of the LM hash; the NT hash is computed over the full password as entered)
- Characters: all letters (upper and lowercase), numbers, and symbols are acceptable
- Stored in the SAM database

Slide 3: Windows NT Security

- Local Security Authority (LSA): determines whether a logon attempt is valid
- Security Accounts Manager (SAM): receives user logon information and checks it against its database to verify the username/password
- SAM database: stores the LM and NT password hashes

Slide 4: Cracking

Obtain a copy of the SAM and run L0phtCrack. But you cannot get the "real" SAM from a domain controller: domain accounts live in the Active Directory database, not in the local SAM file. In that case dump the hashes from the running system with PWDUMP3 first, then feed the dump to the cracker.

Slide 5: Password Cracking – Off Line

Most cracking is done off-line to avoid the lockout problem. Major steps:
- Find user ids
- Get the encrypted or hashed passwords, or the password files
- Create a list of trial passwords
- Encrypt or hash each trial password with the same algorithm the system uses
- See if there is a match

Slide 6: Password Cracking – Off Line

Attacks:
- Dictionary attacks (build a dictionary of likely passwords)
- Brute force (try all possible passwords)
- Hybrid attacks (a dictionary attack using altered dictionary words: party becomes p$art%y)

This really is still guessing. These tools do not break the encryption or invert the hash; they recompute it for every guess and compare the result.

Slide 7: Password Cracking – Starters

What can we find out up front about commercial systems?
- Format of the user id
- Some standard user ids (e.g., guest, system, administrator)
- Password minimum/maximum length and legal characters
- Rules of construction
- The encryption or hash algorithm
- Where the password file is stored by default

Slide 8: Password Cracking – Generic Methods

Assume we have the encrypted or hashed passwords; the following methods recover the plaintext password. Create a dictionary of words, encrypt or hash each word, and test whether the result matches the original encrypted/hashed password. Many Internet sites have downloadable dictionaries.

Slide 9: Password Cracking – Generic Methods

Pros/Cons:
- Brute force means trying every possible combination (a, aa, aaa, ... through zzzzzzzzzzzzzz, azbycx, etc.). This method will always recover the password sooner or later; later may be a long time, but it gets shorter with each advance in hardware.
- Hybrid methods use a dictionary but insert special characters (e.g., %, $, #, or r0ya1 with zero for o and one for l) and/or permute words.

Slide 10: Password Cracking – How Do We Get the Passwords?

If administrator: dump the hashes to a file.

If not administrator:
- Sniff the password exchange off the network
- Get administrator privilege
- Boot another OS and read the file
- Copy from backup
- Copy from the emergency repair disk

Reminder to physically protect the system and all media, and to install the patches that close the holes whose exploitation yields root or administrator access.

Slide 11: NTFSDos and SAMDump

NTFSDos:
- Utility that allows DOS to read NTFS partitions
- Can be placed on a boot disk and used to access files that cannot be accessed while Windows is running (the SAM file is held open by the OS)

SAMDump:
- Utility that "dumps" the password hashes in the SAM database
- Can be used to view the password hashes or to export them to a text file
- If Syskey is in use, the displayed hashes are still encrypted under the Syskey and will not crack as shown

Slide 12: PWDump3

- A utility similar to SAMDump
- Obtains the password hashes from the running system rather than from the SAM file on disk
- Because of this, it works with Syskey enabled: the hashes come out in crackable form
- Requires Administrator privilege on each target system

Slide 13: Password Cracking Tools – L0phtCrack

The Windows tool of choice: Win 9x, NT, 2000, XP. Cracks two types of passwords: LANMAN and NT.
- LAN Manager: older network password system used to log onto a Microsoft network domain; used for mixed 9x and NT/2000/XP networks
- NT: newer network password system used in NT/2000/XP-only networks

Fully featured tool:
- Sniffs passwords (captures the network challenge/response exchange)
- Dumps hashes from the registry
- Cracks passwords
- Easy to use graphical user interface (GUI)

Slide 14: Windows NT Passwords

LM Password:
- Used for backward compatibility
- Stores passwords in CAPS
- Much easier to crack than NT hashes
- The password is not hashed or encrypted: it is used as DES key material to encrypt a fixed constant
- Broken up into 2 groups of 7 characters, each processed independently
- Usually gives away the NT password if cracked (only the letter case remains to be tried)

NT Password:
- Used for compatibility with Windows NT/2000 systems
- Stores passwords exactly as entered by the user (case preserved)
- Hashed once with MD4; the copy stored in the SAM is then obfuscated with a reversible transform (see slide 18)
- Does not salt passwords as Unix does

Slide 15: LM Passwords vs. NT Passwords

- An 8-character LM password is 890 times easier to crack than an 8-character NT password
- A 14-character LM password is 450 trillion times easier to crack than a 14-character NT password (450 trillion = 450,000,000,000,000)

Slide 16: LANMAN Passwords

- Maximum length: 14 characters (14 bytes = 112 bits; shorter passwords are padded with nulls)
- Case: converted to all upper case before processing
- Processing: split the 14 characters into two 7-byte halves. Use each half as a DES key (7 bytes = 56 bits) to encrypt a fixed 8-byte constant. Concatenate the two 8-byte ciphertexts and store the result in the Security Account Manager (SAM) database.

Trouble is:
- The encryption algorithm and the constant are known
- Each half uses only a 7-byte key (56 bits), and the two halves are attacked independently
- Easy to find the key. Why? See the next slide.

Slide 17: LANMAN Passwords – Easy Cracking

Character set = uppercase alpha, numeric, specials, and punctuation: about 80 symbols.
- N = S^L = 80^7 ≈ 2.1 × 10^13 per half
- Time = (2.1 × 10^13) / (10^8 per sec) / (60 × 60 × 24) ≈ 2.4 days (really easier)

Password: choose "Karen12$".
- Becomes KAREN12$ (convert to upper case)
- Becomes KAREN12 and $______ (split and pad; the pad bytes are nulls)
- KAREN12 breaks with a dictionary
- $______ breaks with brute force: only one real character, so at most 80 tries (an all-padding half always encrypts to the same known constant, so a password of 7 characters or fewer is recognizable from the hash alone)
- More like minutes to break!
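The LM preprocessing of slides 16 and 17 and the keyspace arithmetic of slide 17, as an added example that is not from the deck. It shows what actually reaches DES (upper-casing, null padding, the split into two 7-byte halves, and the 7-to-8-byte key expansion that leaves 56 key bits per half) and computes the search cost per half versus an unsplit 14-character search. DES itself is not implemented here; the 80-symbol alphabet and the 10^8 guesses/second rate are the slide's figures, and the Latin-1 encoding stands in for the OEM code page the real algorithm uses.

```python
import math

# Fixed DES output for an all-null half (the well-known "empty LM half" constant).
LM_EMPTY_HALF = "aad3b435b51404ee"


def lm_halves(password: str):
    """Upper-case, truncate or null-pad to 14 bytes, split into two 7-byte DES key halves.
    Latin-1 stands in for the OEM code page here (an assumption for this example)."""
    raw = password.upper().encode("latin-1", "replace")[:14]
    raw = raw.ljust(14, b"\x00")
    return raw[:7], raw[7:]


def des_key_from_7(half: bytes) -> bytes:
    """Spread 7 key bytes over 8 DES key bytes: 7 key bits per byte plus an odd-parity bit.
    This is why each LM half carries only 56 bits of key material."""
    assert len(half) == 7
    bits = int.from_bytes(half, "big")
    out = bytearray()
    for i in range(8):
        seven = (bits >> (49 - 7 * i)) & 0x7F
        byte = seven << 1
        if bin(byte).count("1") % 2 == 0:     # low bit makes the byte odd parity
            byte |= 1
        out.append(byte)
    return bytes(out)


def effective_symbols(half: bytes) -> int:
    """Characters the attacker must actually search: the half minus its null padding."""
    return len(half.rstrip(b"\x00"))


def keyspace(symbols: int, length: int) -> int:
    """N = S^L, the slide's worst-case number of candidates."""
    return symbols ** length


def days_to_exhaust(space: int, rate_per_sec: float) -> float:
    return space / rate_per_sec / (60 * 60 * 24)


def lm_work(password: str, symbols: int = 80, rate: float = 1e8):
    """Worst-case search cost for each half of an LM hash versus one unsplit 14-char search."""
    h1, h2 = lm_halves(password)
    per_half = [keyspace(symbols, effective_symbols(h)) for h in (h1, h2)]
    return {
        "halves": (h1, h2),
        "second_half_is_empty": h2 == b"\x00" * 7,   # would hash to LM_EMPTY_HALF
        "per_half_keyspace": per_half,
        "lm_days": days_to_exhaust(sum(per_half), rate),
        "unsplit_14_days": days_to_exhaust(keyspace(symbols, 14), rate),
        "speedup_bits": math.log2(keyspace(symbols, 14) / sum(per_half)),
    }


if __name__ == "__main__":
    print(lm_halves("Karen12$"))           # (b'KAREN12', b'$\x00\x00\x00\x00\x00\x00')
    print(des_key_from_7(b"KAREN12").hex())
    print(f"{days_to_exhaust(keyspace(80, 7), 1e8):.1f} days for a full 7-character half")
    print(lm_work("Karen12$"))
    print(lm_work("secret"))               # 6 characters: second half is all padding
```

For "Karen12$" the second half holds a single real character, so its worst case is 80 guesses rather than 80^7; the first half is a dictionary word plus digits and falls to the hybrid mode. A password of seven characters or fewer leaves the second half entirely null, which the attacker can read straight off the hash as the constant LM_EMPTY_HALF before guessing anything.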

Slide 18: NT Passwords

1. Hashed using the RSA MD4 function (over the password as entered, case preserved): not reversible, but anyone can replicate it for a guess
2. Obfuscated again by a Microsoft function before storage in the SAM: reversible and fairly simple, keyed only by the user's RID, so it hides nothing from someone who holds the SAM
3. Encrypted using the Syskey function: strong encryption of the stored hashes on disk under a separate boot key

Slide 19: NT Passwords – Not So Easy Cracking

Character set = upper and lower case alpha, numeric, specials and punctuation: about 106 characters.
- N = S^L = 106^14 ≈ 2.26 × 10^28
- Time = (2.26 × 10^28) / (10^8 per sec) / (60 × 60 × 24) ≈ 2.62 × 10^15 days (harder)

Now the issue becomes the quality of construction. Remember we are assuming that all passwords are equally likely; this is theory! The real result is the historical work function for a large set of user-generated passwords. If poorly constructed, the dictionary will get them. This makes the cracker a very, very good audit tool for security folks!

Slide 20: Unix Passwords – John the Ripper

Very capable password cracker for Unix systems, including S/Key files and Kerberos Ticket Granting Tickets for the Andrew File System. Runs cross-platform (Unix, DOS, 9x, NT). Takes a Unix password file as input: /etc/passwd or /etc/shadow.
- /etc/passwd is a world-readable file (on a shadowed system its password field holds only a placeholder)
- /etc/shadow requires root-level access

Modes:
- Dictionary (called wordlist mode): specify a text file to use as a dictionary
- Brute force (called incremental mode): tries all possible combinations

Slide 21: Unix Passwords – John the Ripper

Modes (continued):
- Single crack mode: simplest mode
- External mode: provides the means to add external functions that generate passwords to try

Since Unix systems use different hash/encryption algorithms, the program detects the encryption type:
- DES and double-length DES (bigcrypt)
- BSDI's extended DES
- OpenBSD's Blowfish
- FreeBSD's MD5 hashes

Others are out there: Crack, Cracker Jack.
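The input side of slides 20 and 21, as an added example that is neither from the deck nor from John the Ripper's own code: merging /etc/passwd and /etc/shadow back into the single password file a cracker takes as input (the job of JtR's unshadow helper), then recognising the hash format of each entry by its prefix and length, as the slide says the cracker does before choosing an algorithm. The passwd and shadow lines are constructed for this example; the hash strings have the right shape for each format but are placeholders, not real hashes.

```python
# Constructed sample files. Field 2 of passwd is "x" on a shadowed system.
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/bash
dave:x:1003:1003:Dave:/home/dave:/bin/bash
nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

# Placeholder hashes shaped like each format the slide lists (not real digests).
SHADOW = """\
root:$1$saltsalt$0123456789abcdefghijkl:12345:0:99999:7:::
alice:$2a$05$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234:12345:0:99999:7:::
bob:AbCdEfGhIjKlM:12345:0:99999:7:::
carol:AbCdEfGhIjKlMnOpQrStUvWx:12345:0:99999:7:::
dave:_J9..saltABCDEFGHIJK:12345:0:99999:7:::
nobody:*:12345:0:99999:7:::
"""


def parse_colon_file(text):
    """Map user name -> list of fields for a colon-separated passwd/shadow file."""
    rows = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        rows[fields[0]] = fields
    return rows


def unshadow(passwd_text, shadow_text):
    """Return passwd lines with the real hash from shadow in field 2 (what unshadow does)."""
    shadow = parse_colon_file(shadow_text)
    out = []
    for name, fields in parse_colon_file(passwd_text).items():
        if name in shadow:
            fields[1] = shadow[name][1]
        out.append(":".join(fields))
    return out


def hash_type(h: str) -> str:
    """Classify a crypt(3) string by prefix and length, the way a cracker picks its algorithm."""
    if h == "" or h.startswith(("*", "!")):
        return "locked/no password"
    if h.startswith("$1$"):
        return "MD5 crypt (FreeBSD-style)"
    if h.startswith(("$2a$", "$2b$", "$2y$")):
        return "OpenBSD Blowfish (bcrypt)"
    if h.startswith("_") and len(h) == 20:
        return "BSDI extended DES"
    if len(h) == 13:
        return "traditional DES crypt"
    if len(h) == 24:
        return "bigcrypt (double-length DES)"
    return "unknown"


def classify(lines):
    """Map user name -> detected hash type for unshadowed lines."""
    return {line.split(":")[0]: hash_type(line.split(":")[1]) for line in lines}


if __name__ == "__main__":
    merged = unshadow(PASSWD, SHADOW)
    for line, kind in zip(merged, classify(merged).values()):
        print(f"{kind:30s} {line}")
```

Without the shadow file the passwd lines carry only "x", which is why the slide notes that /etc/shadow, and therefore root access, is needed; the merged file is what both the wordlist and incremental modes consume. Detecting the format first matters because each format has its own cost per guess, so an audit should report which accounts are still on the 13-character DES form.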

