
Presentation transcript: "Password Attacks" (Mike)

1 Password Attacks Mike

2 Guessing Default Passwords Many applications and operating systems ship with built-in default passwords, and lazy administrators never change them. A database of default passwords is publicly available at http://www.phenoelit.de/dpl/dpl.html

3 Let's Crack Those Passwords Steal the encrypted (hashed) passwords and try to recover the clear-text password. The loop:
–Create a password guess.
–Encrypt (hash) the guess the same way the system does.
–Compare the encrypted guess with the encrypted value from the stolen password file.
–If they match, you've got the password! Else, loop back with the next guess.
Where the guesses come from: dictionary cracking (word lists), brute-force cracking (every combination of characters), hybrid password cracking (dictionary words with digits, punctuation or character substitutions added).
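The guess-hash-compare loop from slide 3, written out as an added example (not code from the presentation). The "stolen password file" and the word list are constructed here, and the hash is unsalted SHA-256 purely so the example runs offline; real password files hold salted OS hashes (crypt, NTLM, ...). It runs the three guess sources the slide names in order of cost, dictionary first, brute force last, and shows that one hash computation tests a guess against every stolen hash at once.

```python
import hashlib
import itertools
import string

# Constructed sample data for this example. A real password file holds
# salted hashes produced by the OS; unsalted SHA-256 is used here only so
# the example runs anywhere without extra tools.
def hash_guess(password):
    return hashlib.sha256(password.encode()).hexdigest()

STOLEN_PASSWORD_FILE = {               # user -> stolen hash
    "alice": hash_guess("sunshine"),   # plain dictionary word
    "bob":   hash_guess("dragon99"),   # dictionary word + digits
    "carol": hash_guess("zq7"),        # random but short
}

DICTIONARY = ["password", "sunshine", "dragon", "letmein"]

def dictionary_guesses(words):
    """Dictionary attack: every word, as-is."""
    yield from words

def hybrid_guesses(words, max_digits=2):
    """Hybrid attack: every word followed by 0..99, plus a capitalised form."""
    for w in words:
        for n in range(10 ** max_digits):
            yield f"{w}{n}"
        yield w.capitalize()

def brute_force_guesses(alphabet, max_len):
    """Brute force: every string over the alphabet up to max_len."""
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            yield "".join(chars)

def crack(stolen, guesses, hash_fn=hash_guess):
    """Slide 3's loop: hash each guess and compare it with every stolen
    hash; one hash computation tests the guess against all users."""
    by_hash = {}
    for user, digest in stolen.items():
        by_hash.setdefault(digest, []).append(user)
    found = {}
    for guess in guesses:
        users = by_hash.get(hash_fn(guess))
        if users:
            for u in users:
                found[u] = guess
            if len(found) == len(stolen):
                break                      # nothing left to crack
    return found

def crack_all(stolen):
    """Run the cheap attacks first, then fall back to brute force."""
    stages = [
        ("dictionary", lambda: dictionary_guesses(DICTIONARY)),
        ("hybrid", lambda: hybrid_guesses(DICTIONARY)),
        ("brute-force", lambda: brute_force_guesses(
            string.ascii_lowercase + string.digits, 3)),
    ]
    found = {}
    for name, make_guesses in stages:
        remaining = {u: h for u, h in stolen.items() if u not in found}
        if not remaining:
            break
        for user, pw in crack(remaining, make_guesses()).items():
            found[user] = (pw, name)
    return found

if __name__ == "__main__":
    for user, (pw, method) in crack_all(STOLEN_PASSWORD_FILE).items():
        print(f"{user}: {pw!r} (recovered by {method})")
```

Each stage only works on the hashes the previous stage did not crack; a real cracker such as LC5 or John the Ripper orders its modes the same way because the dictionary and hybrid modes are cheap and recover most passwords, while brute force is reserved for what is left.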

4 Cracking Windows NT/2000 Passwords Using LC5 One of the most hyped security/attack tools. It focuses only on cracking Windows passwords. Available at: http://www.atstake.com/products/lc/download_thanks.html

5 Get Encrypted Passwords From the local machine or from a remote machine.

6 Choose Auditing Method Simple checks, normal checks, or strong checks.

7 Pick Reporting Style The types of report.

8 Auditing Options Import; character type.

9 Import

10 Audit Start Got the passwords.

11 Report

12 Remote machine Check type.

13 Remote machine The types of report.

14 Remote machine Administrator passwords.

15 Remote machine Start. Got it!

16 John the Ripper Focuses on cracking UNIX passwords. Available at: http://www.openwall.com/john/b/john-1.6.tar.gz (version 1.6 was current at the time of this presentation).

17 John the Ripper Download John the Ripper; download complete; unzip.

18 John the Ripper Compile; start.

19 John the Ripper Cracking the password; got the password; try the password.

20 Defenses against Password-Cracking Attacks
–Strong password policy
–User awareness
–Password-filtering software: UNIX: Npasswd, Passwd+; Windows: Strongpass…

21 Defenses against Password-Cracking Attacks (cont.)
–Conduct your own regular password-cracking tests.
–Protect your encrypted/hashed password files.
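What the password-filtering software on slide 20 does, as an added example (not code from the presentation or from Npasswd, Passwd+ or Strongpass): a policy check that rejects a new password for the same reasons a cracker would find it. The length, class and dictionary rules, the leet-speak table and the five-word dictionary are assumptions chosen for the example; a real filter loads the same word lists the cracker uses. The dictionary test deliberately strips trailing digits/punctuation and undoes common substitutions first, so "Dr4gon99!" is rejected as the dictionary word it is, which is exactly the hybrid attack from slide 3 run in reverse.

```python
import re
import string

MIN_LENGTH = 12                                   # policy assumption
# Constructed mini dictionary; a real filter loads full word lists.
DICTIONARY = {"password", "sunshine", "dragon", "letmein", "welcome"}
# Substitutions a hybrid cracker tries, so the filter undoes them.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

def _strip_ends(s):
    """Remove leading/trailing digits and punctuation (e.g. 'dragon99!')."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", s)

def _base_forms(candidate):
    """The dictionary words a hybrid cracker could reach this candidate from,
    trying both orders of 'strip the ends' and 'undo leet-speak'."""
    w = candidate.lower()
    return {_strip_ends(w.translate(LEET)), _strip_ends(w).translate(LEET)}

def check_password(username, candidate, dictionary=DICTIONARY):
    """Return the list of policy violations; an empty list means accept."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(c in string.punctuation for c in candidate),
    ]
    if sum(classes) < 3:
        reasons.append("uses fewer than three character classes")
    if username.lower() in candidate.lower():
        reasons.append("contains the user name")
    if dictionary & _base_forms(candidate):
        reasons.append("is a dictionary word with trivial additions")
    return reasons

if __name__ == "__main__":
    for user, pw in [("alice", "Sunshine"), ("bob", "Dr4gon99!"),
                     ("carol", "Xq7!mR2#vL9pZw")]:
        verdict = check_password(user, pw) or ["accepted"]
        print(f"{user}/{pw}: {', '.join(verdict)}")
```

Rejecting at password-change time is the cheap half of the defence; the regular cracking tests on slide 21 catch the passwords that were set before the filter was installed.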

22 Web Application Attacks

23 Account Harvesting Targeting the authentication process when an application requests a user ID and password. The application responds differently to an invalid user ID than to a correct user ID with an incorrect password, so an attacker can tell which user IDs exist.

24 Account Harvesting Defenses When the user ID or password is incorrect, all accompanying information sent back to the browser must be completely consistent. This includes:
–HTML
–URL
–Cookies
–Hidden form elements

25 Correct user ID, incorrect password (123456789)

26 Invalid user ID
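The harvesting attack of slide 23 and the defence of slide 24 side by side, as an added example (not code from the presentation). The login handlers are modelled as plain functions returning the observable parts of an HTTP response (status, body, redirect URL, cookie) rather than running a web server; the user store and the response texts are constructed for the example. The leaky handler answers the three outcomes differently, so the harvester can separate real IDs from invented ones; the consistent handler gives every failure the identical response, so the same harvester learns nothing.

```python
import hashlib
import hmac
import secrets

def _h(password):
    return hashlib.sha256(password.encode()).hexdigest()

# Constructed user store; real systems use salted, slow hashes.
USERS = {"alice": _h("sunshine")}
DUMMY_HASH = _h(secrets.token_hex(16))   # compared against for unknown IDs

def login_leaky(user_id, password):
    """Vulnerable: the three outcomes differ in status code, body, redirect
    URL and cookie, so an attacker can tell valid IDs from invalid ones."""
    if user_id not in USERS:
        return {"status": 404, "body": "No such user",
                "location": "/login?err=nouser", "cookie": None}
    if not hmac.compare_digest(USERS[user_id], _h(password)):
        return {"status": 401, "body": "Incorrect password",
                "location": "/login?err=badpw", "cookie": "attempts=1"}
    return {"status": 302, "body": "", "location": "/home",
            "cookie": "session=" + secrets.token_hex(16)}

def login_consistent(user_id, password):
    """Hardened: every failure returns the same status, body, URL and cookie,
    and a hash comparison is done even for unknown IDs so the work performed
    does not depend on whether the ID exists."""
    stored = USERS.get(user_id, DUMMY_HASH)
    ok = hmac.compare_digest(stored, _h(password)) and user_id in USERS
    if not ok:
        return {"status": 200, "body": "Invalid user ID or password",
                "location": "/login", "cookie": "attempts=1"}
    return {"status": 302, "body": "", "location": "/home",
            "cookie": "session=" + secrets.token_hex(16)}

def _fingerprint(resp):
    """Everything the browser (and the attacker) can observe in a failure."""
    return (resp["status"], resp["body"], resp["location"], resp["cookie"])

def harvest_accounts(login, candidates):
    """Account harvesting: compare each candidate's failed-login response with
    the response for an ID that certainly does not exist; any candidate that
    is answered differently is a real account."""
    baseline = _fingerprint(login("no-such-user-" + secrets.token_hex(8), "x"))
    return {c for c in candidates if _fingerprint(login(c, "x")) != baseline}

if __name__ == "__main__":
    probes = ["alice", "bob", "admin"]
    print("leaky handler leaks:", harvest_accounts(login_leaky, probes))
    print("consistent handler leaks:", harvest_accounts(login_consistent, probes))
```

Slide 24's list is the fingerprint tuple above: if any one of status, body, URL, cookie or hidden field differs between the "no such user" and "wrong password" paths, that field alone is enough for the harvester.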

27 Undermining Web Application Session Tracking Web applications generate a session ID to track user actions. The session ID is:
–Application-level data
–Generated by the application

28 Attacking Session Tracking Mechanisms Establish a session, get assigned a session ID, and alter the session ID. If the application accepts the altered ID, the attacker usurps the legitimate user's session and can do anything that user can.

29 Achilles Available at http://www.mavensecurity.com/achilles (current version 0.27). Achilles is an intercepting proxy that sits between the browser and the target site, so session IDs in URLs, cookies and hidden form fields can be edited before they are sent: Web browser -> Achilles (proxy) -> Internet.

30 Achilles Start; intercept modes; intercept information.

31 Defending against Web Application Session-Tracking Attacks Ensure the integrity of all session-tracking elements:
–Digitally sign the session-tracking information using a cryptographic algorithm.
–Encrypt the information in the URL, hidden form element, or cookie.
–Use long session IDs.
–Use dynamic session IDs.
–Apply a timestamp.
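Slide 28's attack and slide 31's defences in one added example (not code from the presentation): a session token that carries a long random ID, the user and an issue timestamp, all covered by an HMAC signature under a server-side key. The key, the 15-minute lifetime and the token layout (base64 payload, a dot, hex signature) are assumptions for the example. `tamper` plays the Achilles user who edits the cookie; because the attacker has no server key the edited token fails verification, an expired one is rejected by the timestamp, and `rotate_session` shows the "dynamic session IDs" point by re-issuing a fresh ID.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Server-side secret; assumption for this example (a real deployment keeps
# it in a key store and rotates it). It never reaches the client.
SERVER_KEY = secrets.token_bytes(32)
SESSION_LIFETIME = 15 * 60   # seconds; enforced by the timestamp check

def _sign(payload_b64):
    return hmac.new(SERVER_KEY, payload_b64.encode(), hashlib.sha256).hexdigest()

def _encode(payload):
    return base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()

def issue_session(user, now=None):
    """Long random session ID plus the user and an issue timestamp, all signed
    so the client cannot alter any of it without detection."""
    payload = {"sid": secrets.token_hex(16), "user": user,
               "iat": int(time.time() if now is None else now)}
    p = _encode(payload)
    return f"{p}.{_sign(p)}"

def verify_session(token, now=None):
    """Return the payload if the signature matches and the session is still
    within its lifetime, otherwise None."""
    try:
        p, sig = token.split(".", 1)
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(p)):   # tampered or forged
        return None
    payload = json.loads(base64.urlsafe_b64decode(p))
    now = time.time() if now is None else now
    if now - payload["iat"] > SESSION_LIFETIME:   # replayed old token
        return None
    return payload

def rotate_session(token, now=None):
    """Dynamic session IDs: re-issue a fresh ID (e.g. after login or a
    privilege change) if the old token still verifies."""
    payload = verify_session(token, now)
    return None if payload is None else issue_session(payload["user"], now)

def tamper(token, **changes):
    """Slide 28's attack: decode the token, change a field, resend it with
    the old signature (the attacker has no SERVER_KEY to recompute it)."""
    p, sig = token.split(".", 1)
    payload = json.loads(base64.urlsafe_b64decode(p))
    payload.update(changes)
    return f"{_encode(payload)}.{sig}"

if __name__ == "__main__":
    token = issue_session("alice")
    print("genuine:", verify_session(token)["user"])
    print("user changed to admin:", verify_session(tamper(token, user="admin")))
```

Without the signature this design collapses to exactly what slide 28 describes: the payload is readable and editable in the proxy, and the only thing stopping an attacker from becoming "admin" is whether the server re-checks it. Encrypting the payload as well (slide 31's second bullet) would additionally hide the user and timestamp from the attacker, but hiding without signing is not enough, since encrypted bytes can still be modified.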

32 Conclusions An attacker can gain access to a target machine by attacking the applications running on it: guessing or cracking weak passwords, harvesting valid accounts, and hijacking web-application sessions.

