1 / 53

Password Cracking, Sniffing and Man-in-the Middle

Learn about password storage, cracking techniques, defenses, and tools like L0phtCrack and John the Ripper in Windows and Unix environments.

alejandrog
Download Presentation

Password Cracking, Sniffing and Man-in-the Middle

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Password Cracking, Sniffing and Man-in-the Middle • Agenda • Storing Passwords on the system • Password Cracking on Windows and Linux • Defenses against Password cracking • Address Resolution Protocol (ARP) • Sniffing • Defenses against Sniffing • Man in the Middle ECE 4112 - Internetwork Security

  2. Cracking Passwords • Passwords that can be guessed easily are a problem • Lots of tools available to figure out passwords • L0phtcrack windows password cracker • “John the Ripper” Unix password cracker • Default passwords remaining on a system are a typical vulnerability ECE 4112 - Internetwork Security

  3. Password storage • Password files have passwords stored in a hashed or encrypted form • Hash algorithm example is message digest 4 (MD4) • Encrypted algorithm example is Data Encryption Standard (DES) • When you use your password, it is hashed or encrypted and then compared to the stored value • Crackers use a downloaded local copy of password file on their own machine ECE 4112 - Internetwork Security

  4. Storing Passwords • Systems have a file with all hashed/encrypted passwords • Windows – SAM (Security Accounts Manager) database • UNIX - /etc/passwd or /etc/shadow • Access to these files can make it easy for a hacker to break in ECE 4112 - Internetwork Security

  5. Windows Passwords • Security Accounts Manager (SAM) has two versions for each password • LanMan (LM) password version for backward compatibility with windows workgroups • NT Hash – cryptographic hash for windows NT/2000 (Uses MD4) • SAM file is in \WINNT\system32\config\ directory which is a binary file that is hard to read • Back up copy stored in \WINNT\repair ECE 4112 - Internetwork Security

  6. Using Passwords • System has a hashed/encrypted version of the password stored in a file • On login attempt– • system hashes/encrypts the password typed in by using for example crypt() function in linux • Compares hashed/encrypted value to stored hashed/encrypted value • Idea behind password cracking is to get a copy of the hashed/encrypted passwords and then make guesses, hash/encrypt the guess and compare ECE 4112 - Internetwork Security

  7. Password Cracking • Dictionary Attack • Hackers steal a copy of the stored password file • Guess a password (may use a dictionary) • Find hash/encrypted value of the guess • Compare hash to entries from stored file • Continue this until success or out of options for password guesses. • Brute Force – Guess every possible combination of characters • Hybrid – Use dictionary but add characters to dictionary entries ECE 4112 - Internetwork Security

  8. Password retrieval on Windows • Sniff the network for passwords being transmitted • From Administrator’s emergency repair disk • From back-up directory ECE 4112 - Internetwork Security

  9. Password Cracking on Windows • L0phtCrack – lc4 (Windows) • Available at www.@stake.com/research/lc/ • Password Auditing and Recovery Application • Default English dictionary 50,000 words • Does “hybrid” attacks • Our free trial version does not allow brute force (for $350 can purchase with that capability) • Works on weaker LanMan (LM) as well as NT hashes • Can sniff a network for LanMan hashed passwords • Can download from a local machine or remote computer the hashed password file ECE 4112 - Internetwork Security

  10. L0phtCrack (lc4) • Some statistics (from the website) • L0phtCrack obtained 18% of the passwords in 10 minutes • 90% of the passwords were recovered within 48 hours on a Pentium II/300 • The Administrator and most Domain Admin passwords were cracked ECE 4112 - Internetwork Security

  11. ECE 4112 - Internetwork Security

  12. Password Cracking on UNIX • John the Ripper • Available at http://www.openwall.com/john/ • Supports six hashing schemes including XP • Old Unix used /etc/passwd to store passwords • Password is stored after cryptographically altered • Various algorithms (hash/encrypted) used by various Unix platforms • /etc/password is readable by everyone • Some Unix store in a shadow password file thus /etc/passwd does not contain the passwords since they are instead in /etc/shadow or /etc/secure, only root can access these files • If shadow file used, must have root to copy ECE 4112 - Internetwork Security

  13. Password retrieval on Linux • List of login names and usernames in /etc/passwd • List of encrypted passwords in /etc/shadow • Only /etc/shadow is enough to crack the passwords. • Having both files makes it easier ECE 4112 - Internetwork Security

  14. John the Ripper • Combine information from /etc/passwd and /etc/shadow into one file • Use this file as input for John the Ripper • John can create guesses by • Using built-in dictionary • Using account information • Using brute-force guessing algorithm ECE 4112 - Internetwork Security

  15. John the Ripper • Scrambling used for each guess • When a password is cracked, result displayed on screen • During execution of this tool, hitting any key will give current guess and status • Password complexity determines time needed for cracking them ECE 4112 - Internetwork Security

  16. Defenses against Password Cracking • Select good passwords (not dictionary based) • Change regularly • Use tools to prevent easy passwords • Use password cracking tests against own systems • Protect system back ups that have password files • Unix: activate password shadowing • Windows: disable weaker LM authentication if no windows 95/98 machines on network ECE 4112 - Internetwork Security

  17. Agenda • Storing Passwords on the system • Password Cracking on Windows and Linux • Defenses against Password cracking • Address Resolution Protocol (ARP) • Sniffing • Defenses against Sniffing • Man in the Middle ECE 4112 - Internetwork Security

  18. What is ARP? • Address Resolution Protocol • Used to convert IP addresses to MAC addresses • Low-Level Protocol • Essential for inter-network communication • Used in networks with broadcast capabilities; usually Ethernet ECE 4112 - Internetwork Security

  19. How does ARP work? • Internetwork Example • A forwards packet to Gateway • Gateway checks to see if it has the IP address in the cache • If so, change the MAC address and format packet appropriately and forward on the network • Otherwise broadcast a request on the network. B will respond with MAC address. Format packet and forward to B. ECE 4112 - Internetwork Security

  20. How does ARP work? • LAN Example • A sends ARP request packet on LAN • Only the machine with matching IP responds with MAC • B caches the IP & MAC pair • Forwards all packets for same IP to the cached MAC ECE 4112 - Internetwork Security

  21. Example of ARP in Use The figure shows the use of ARP when a computer is trying to contact another computer on the same LAN using ping: ECE 4112 - Internetwork Security

  22. Four Types of ARP Messages ARP request ARP reply RARP request RARP reply ECE 4112 - Internetwork Security

  23. Reverse Address Resolution Protocol (RARP) • Physical address of host machine is able to request its IP from a gateway server’s ARP table • A router maps the MAC address to corresponding Internet Protocol addresses • RARP client program requests from the RARP server on the router to be sent its IP address • RARP then returns the IP address to the machine which can store it for future use ECE 4112 - Internetwork Security

  24. Format of ARP Message The ARP request includes: -target machine (TARGET IP) -IP address of the sender machine (SENDER IP) -physical address of the sender (SENDER HA) -physical address of target machine (TARGET HA) ECE 4112 - Internetwork Security

  25. ARPPoisoning Note: ARP is stateless The malicious computer (Machine C) can send an ARP Reply to A and cause A to associate B’s IP with C’s MAC address. This will cause all messages from A to B to go to C Do the same to B ECE 4112 - Internetwork Security

  26. ARPPoisoning C can now act as middle man for all communications between A and B. C can decide which packets are forwarded and which are discarded. C can also alter communications packets between A and B. ECE 4112 - Internetwork Security

  27. Agenda • Storing Passwords on the system • Password Cracking on Windows and Linux • Defenses against Password cracking • Address Resolution Protocol (ARP) • Sniffing • Defenses against Sniffing • Man in the Middle ECE 4112 - Internetwork Security

  28. Sniffing • Collect information being transmitted on the network • Attacker must be either on source, destination or intermediate network • Sniffed information can be stored/logged ECE 4112 - Internetwork Security

  29. Sniffing traditional LANS • Traditional networks • Broadcast medium – easy to sniff attacker Data A Data A HUB Data A Data A ECE 4112 - Internetwork Security

  30. Sniffing Switched LANS • Switched LANS • Difficult to do, but possible • Address Resolution Protocol Cache Poisoning - Attacker must inject packets into the network to redirect traffic • Attacker lies about the MAC address intercepts traffic • ARP tells which MAC address corresponds to which IP address ECE 4112 - Internetwork Security

  31. attacker SWITCH Data A Data A Sniffing Switched LANS ECE 4112 - Internetwork Security

  32. Sniffit • Easy to use sniffer • Available at: http://reptile.rug.ac.be/~coder/sniffit/sniffit.html • Can be run in interactive mode • Can be used to sniff traditional LANS • For Switched LANS, must be used with ARP Cache Poisoning tools ECE 4112 - Internetwork Security

  33. Sniffit • Conditions (from the Sniffit web page): • You should be ROOT on your machine • The machine has to be connected to a network • You have to be allowed to sniff (ethical condition) ECE 4112 - Internetwork Security

  34. Sniffit – Interactive mode • All TCP traffic can be viewed in main screen • Traffic from each system and port to each system and port can be seen • Has option to see data in a particular stream flow ECE 4112 - Internetwork Security

  35. ethereal • From http://www.ethereal.com/ • Ethereal is a free network protocol analyzer for Unix and Windows. • It allows you to examine data from a live network or from a capture file on disk. • You can interactively browse the capture data, viewing summary and detail information for each packet. • Ethereal has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session. ECE 4112 - Internetwork Security Source: www.ethereal.com

  36. Source: www.ethereal.com ECE 4112 - Internetwork Security

  37. Defense against Sniffing • Transmit encrypted data across a network • Don’t use telnet, rsh,rlogin • Use Secure Shell • Use VPNs to encrypt data between systems • Use switches instead of hubs – makes sniffing more difficult ECE 4112 - Internetwork Security

  38. Defense against Sniffing • For critical systems • MAC address filtering on switches • Restrict MAC addresses that can send and receive data on specific switch connectors (plugs) • Hard code ARP tables on critical systems ECE 4112 - Internetwork Security

  39. Agenda • Storing Passwords on the system • Password Cracking on Windows and Linux • Defenses against Password cracking • Address Resolution Protocol (ARP) • Sniffing • Defenses against Sniffing • Man in the Middle ECE 4112 - Internetwork Security

  40. Man in the Middle:Sniffing • It is the easiest attack to launch since all the packets transit through the attacker. • All the “plain text” protocols are compromised (the attacker can sniff user and password of many widely used protocol such as telnet, ftp, http) ECE 4112 - Internetwork Security

  41. Man in the Middle: Hijacking • Easy to launch • It isn’t blind (the attacker knows exactly the sequence numbers of the TCP connection) ECE 4112 - Internetwork Security

  42. Man in the Middle: Injecting • Possibility to add packets to an already established connection (only possible in full-duplex MITM) • The attacker can modify the sequence numbers and keep the connection synchronized while injecting packets. • If the MITM attack is a “proxy attack” it is even easier to inject (there are two distinct connections) ECE 4112 - Internetwork Security

  43. Attacks examples (1)Command injection • Useful in scenarios where a one time authentication is used (e.g. RSA token). In such scenarios sniffing the password is useless, but hijacking an already authenticated session is possible • Injection of commands to the server • Emulation of fake replies to the client ECE 4112 - Internetwork Security

  44. Attacks examples (2)Malicious code injection • Insertion of malicious code into web pages or mail (javascript, trojans, virus, etc) • Modification on the fly of binary files during the download phase (virus, backdoor, etc) ECE 4112 - Internetwork Security

  45. Attacks examples (3)Payload modification • The attacker can modify the payload of the packets by recalculating the checksum • The length of the payload can also be changed but only in full-duplex (in this case the seq number has to be adjusted) ECE 4112 - Internetwork Security

  46. Red Hat WS 4.0 Host 57.35.6.x The Lab Exercise – Set up Red Hat WS 4.0 ECE 4112 - Internetwork Security

  47. The Exercise - Tools • Address Resolution Protocol • Ettercap to passively sniff a connection • Ettercap to actively disrupt a connection • Hunt to hijack a connection ECE 4112 - Internetwork Security

  48. Exercise – Investigating ARP • Check ARP Table on all machines • Observe changes to the ARP table using Ethereal as unknown IP addresses are pinged • Get a better feel for ARP by making manual changes to the ARP table • Observe effects of making incorrect entries into the ARP table ECE 4112 - Internetwork Security

  49. Exercise – Using Ettercap ECE 4112 - Internetwork Security

  50. The Lab - Introduce Ettercap ECE 4112 - Internetwork Security

More Related