
Figure 2-2: Server Password Cracking:






Presentation Transcript


1. Figure 2-2: Server Password Cracking
   • Reusable Passwords
     • A password you use repeatedly to get access to a resource on multiple occasions
     • Bad because an attacker will have time to learn it and can then use it
   • Difficulty of Cracking Passwords by Guessing Remotely
     • Usually cut off after a few attempts

2. Figure 2-2: Server Password Cracking
   • Hacking Root
     • Super accounts (can take any action in any directory)
     • Hacking root in UNIX
     • Super accounts in Windows (administrator) and NetWare (supervisor)
     • Hacking root is rare; usually can only hack an ordinary user account
     • May be able to elevate the privileges of the user account to take root action

3. Figure 2-2: Server Password Cracking
   • Physical Access Password Cracking
     • Brute-force password guessing
       • Try all possible character combinations
       • Longer passwords take longer to crack
       • Using more characters also takes longer
         • Alphabetic, no case (26 possibilities)
         • Alphabetic, case (52)
         • Alphanumeric (letters and numbers) (62)
         • All keyboard characters (~80)
       • Slow with passwords of reasonable length

4. Figure 2-2: Password Length (number of possible passwords = N raised to the password length)

   Password Length   Alphabetic,       Alphabetic,        Alphanumeric:          All Keyboard
   In Characters     No Case (N=26)    Case (N=52)        Letters & Digits       Characters
                                                          (N=62)                 (N=~80)
   1                 26                52                 62                     80
   2 (N²)            676               2,704              3,844                  6,400
   4 (N⁴)            456,976           7,311,616          14,776,336             40,960,000
   6                 308,915,776       19,770,609,664     56,800,235,584         2.62144E+11
   8                 2.08827E+11       5.34597E+13        2.1834E+14             1.67772E+15
   10                1.41167E+14       1.44555E+17        8.39299E+17            1.07374E+19

5. Figure 2-2: Server Password Cracking
   • Physical Access Password Cracking
     • Dictionary attacks
       • Try common words
       • There are only a few thousand of these
       • Very rapidly cracked
     • Hybrid attacks
       • Common word with single digit at end, etc.
     • l0phtcrack (lower-case L, zero, then "phtcrack")
       • Password cracking program
       • Run on a server (need physical access)
       • Or copy the password file and run l0phtcrack on another machine

6. Figure 2-2: Server Password Cracking
   • Password Policies
     • Good passwords
       • At least 8 characters long
       • Change of case not at beginning
       • Digit (0 through 9) not at end
       • Other keyboard character not at end
       • Example: triV6#ial
     • Testing and enforcing password policies
       • Run password cracking program against own servers (Caution: requires approval! SysAdmins have been fired for doing this without permission—and should be)
     • Password duration policies: How often passwords must be changed
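An added example (not from the slides) that ties slides 3, 4 and 6 together: it classifies a password into the slide's four character classes, computes the N^length search space from the Figure 2-2 table, and checks the "good passwords" rules from slide 6. The reading of "change of case not at beginning" is an assumption, documented in the code.

```python
import string

# Character-class sizes from the slide's brute-force table (Figure 2-2):
# no-case alphabetic, cased alphabetic, letters+digits, and the slide's
# "~80" approximation for all keyboard characters.
CHARSET_SIZES = {"alpha_nocase": 26, "alpha_case": 52, "alphanumeric": 62, "keyboard": 80}


def classify_charset(password: str) -> str:
    """Smallest of the slide's four character classes that covers every character."""
    letters_digits = string.ascii_letters + string.digits
    if any(c not in letters_digits for c in password):
        return "keyboard"
    if any(c.isdigit() for c in password):
        return "alphanumeric"
    if any(c.isupper() for c in password) and any(c.islower() for c in password):
        return "alpha_case"
    return "alpha_nocase"


def search_space(password: str) -> int:
    """N ** L: guesses needed to exhaust the class, matching the Figure 2-2 table."""
    return CHARSET_SIZES[classify_charset(password)] ** len(password)


def policy_violations(password: str) -> list:
    """Rules from the slide's 'good passwords' list that the password fails.

    Assumed reading: 'change of case not at beginning' means mixed case is required
    and the first case switch must not sit right after the first letter ('Trivial').
    """
    problems = []
    if len(password) < 8:
        problems.append("fewer than 8 characters")
    cases = [c.isupper() for c in password if c.isalpha()]
    switches = [i for i in range(1, len(cases)) if cases[i] != cases[i - 1]]
    if not switches:
        problems.append("no change of case")
    elif switches[0] == 1:
        problems.append("change of case at beginning")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    elif password[-1].isdigit():
        problems.append("digit at end")
    others = [c for c in password if c not in string.ascii_letters + string.digits]
    if not others:
        problems.append("no other keyboard character")
    elif password[-1] in others:
        problems.append("other keyboard character at end")
    return problems
```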

7. Figure 2-2: Server Password Cracking
   • Password Policies
     • Password sharing policies: Generally, forbid shared passwords
       • Removes ability to learn who took actions; loses accountability
       • Usually is not changed often or at all because of the need to inform all sharers
     • Disabling passwords that are no longer valid
       • As soon as an employee leaves the firm, etc.
       • As soon as contractors, consultants leave
       • In many firms, a large percentage of all accounts are for people no longer with the firm

8. Figure 2-2: Server Password Cracking
   • Password Policies
     • Lost passwords
       • Password resets: Help desk gives new password for the account
       • Opportunities for social engineering attacks
       • Leave changed password on answering machine
       • Biometrics: voice print identification for requestor (but considerable false rejection rate)
   (New: Not In Book)

9. Figure 2-2: Server Password Cracking
   • Password Policies
     • Lost passwords
       • Automated password resets
         • Employee goes to website
         • Must answer a question, such as "In what city were you born?"
         • Problem of easily-guessed questions that can be answered with research

10. Figure 2-2: Server Password Cracking
   • Password Policies
     • Encrypted (hashed) password files (Figure 2-4)
       • Passwords not stored in readable form
       • Encrypted with DES or hashed with MD5
       • In UNIX, /etc/passwd puts x in place of the password
       • Encrypted or hashed passwords are stored in a different (shadow) file to which only high-level accounts have access

11. Figure 2-4: Password Hashing (Client PC → Server)
   1. User = Lee, Password = My4Bad (entered on the Client PC)
   2. Server hashes My4Bad → 11110000
   3. Hashes match (compared against the server's Hashed Password File):
      Brown    11001100
      Lee      11110000
      Chun     00110011
      Hatori   11100010
   4. Hashes match, so user is authenticated

12. Figure 2-5: UNIX /etc/passwd File Entries
   Field order: User Name : Password : User ID : Group ID : GCOS : Home Directory : Shell
   Without Shadow Password File:
      plee:6babc345d7256:47:3:Pat Lee:/usr/plee/:/bin/csh
   With Shadow Password File:
      plee:x:47:3:Pat Lee:/usr/plee/:/bin/csh
   An asterisk instead of x indicates that the password is stored in a separate shadow password file
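An added example (not from the slides) covering Figures 2-4 and 2-5: it parses the seven-field /etc/passwd entry format, recognises the x or * shadow placeholder, and performs the hash-and-compare check from Figure 2-4. The hashed-password file is constructed here; only Lee's password My4Bad and the plee entries come from the slides, and MD5 is used solely because slide 10 names it.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class PasswdEntry:
    """The seven colon-separated fields of one /etc/passwd line (Figure 2-5)."""
    user: str
    password_field: str
    uid: int
    gid: int
    gcos: str
    home: str
    shell: str


def parse_passwd_line(line: str) -> PasswdEntry:
    """Split a passwd line; the GCOS field may contain spaces but never colons."""
    fields = line.strip().split(":")
    if len(fields) != 7:
        raise ValueError("expected 7 fields, got %d: %r" % (len(fields), line))
    user, pw, uid, gid, gcos, home, shell = fields
    return PasswdEntry(user, pw, int(uid), int(gid), gcos, home, shell)


def uses_shadow(entry: PasswdEntry) -> bool:
    """True when the field is only a placeholder (x or *): the hash is in the shadow file."""
    return entry.password_field in ("x", "*")


def hash_password(password: str) -> str:
    # Unsalted MD5 only because the slide names it; real systems use salted,
    # deliberately slow hashes (bcrypt, scrypt, Argon2) for exactly this file.
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Constructed hashed-password file in the shape of Figure 2-4 (user -> hash).
# Lee's password My4Bad is from the slide; the other two passwords are made up.
HASHED_PASSWORD_FILE = {
    "Lee": hash_password("My4Bad"),
    "Brown": hash_password("constructed-pw-1"),
    "Chun": hash_password("constructed-pw-2"),
}


def authenticate(hashed_file: dict, user: str, password: str) -> bool:
    """Figure 2-4 flow: hash what the client sent and compare with the stored hash."""
    stored = hashed_file.get(user)
    if stored is None:
        return False
    return hmac.compare_digest(stored, hash_password(password))
```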

13. Figure 2-2: Server Password Cracking
   • Password Policies
     • Windows passwords
       • Obsolete LAN Manager passwords (7 characters maximum) should not be used
       • Windows NTLM passwords are better
       • Option (not default) to enforce strong passwords

14. Figure 2-2: Server Password Cracking
   • Shoulder Surfing
     • Watch someone as they type their password
   • Keystroke Capture Software
     • Professional versions of Windows protect RAM during password typing
     • Consumer versions do not
     • Trojan horse throws up a login screen later, reports its findings to attackers

15. Figure 2-2: Server Password Cracking
   • Windows Client PC Software
     • Consumer version login screen is not for security
     • Windows professional and server versions provide good security with the login password
     • BIOS passwords allow boot-up security
       • Can be disabled by removing the battery
       • But during a battery removal, the attacker will be very visible
     • Screen savers with passwords allow away-from-desk security after boot-up
