1 / 15

Password Cracking

Password Cracking. By Mike Kwiatkowski. Password Usage and Hygiene. Exercise! What are good password practices? What are bad password practices?. Why Use Passwords?. Data needs to be secured by some method There are three ways to secure something What you know What you have Who you are

edison
Download Presentation

Password Cracking

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Password Cracking By Mike Kwiatkowski

  2. Password Usage and Hygiene Exercise! What are good password practices? What are bad password practices?

  3. Why Use Passwords? • Data needs to be secured by some method • There are three ways to secure something • What you know • What you have • Who you are • Passwords secure information by “What you know” • You may not think your information is import, but an attacker might be after something else! • Assignment: If you are unfamiliar with good password practices, look it up! • There a several ways to secure passwords

  4. Saving Passwords on a System • You should personally never save passwords on your system • Servers must save passwords for authentication to resources • Paradox? How are servers special? • Passwords should NEVER be saved in plaintext • Never • Ever • Never • When “saved” locally passwords and other sensitive information should be encrypted

  5. Encryption • Encryption is the act of hiding a message from its original form • Message encryption has been around for thousands of years • There are a number of different ways to encrypt information • Caesar Cipher, Enigma, Block Cipher, One time pad, public key… • The encryption method used depends on a number of factors • Sensitivity of information • Computational capability • Lifetime of significance • Encrypt/Decrypt times

  6. Encryption types • One-way • Used for passwords and to detect changes in data • Hashing algorithms • Information can only be encrypted • There is no reversing process (decryption) • Two-way • Used for message passing • Message is encrypted at the source and decrypted by the receiver • The old Caesar Cipher classic example

  7. Hashing • Hashing changes an input string into something unrecognizable • A small change in input can have a large change in a hashed output • It is a one-way encryption • A hash can’t be decrypted • It can be guessed • The same input produces the same output • Hashing is used to store sensitive information for comparison • It can also be used to compare for changes • Several methods: MD5, SHA-1, SHA-2 and SHA-3

  8. Hashing Activity In a terminal do the following • touch testfile.txt • echo This is a hashing test > testfile.txt • md5sum testfile.txt • echo ! >> testfile.txt • md5sum testfile.txt Note change in hash value

  9. Salting • Used to increase effectiveness of hashed passwords • Adds a random value to a password before it is hashed • Increases length of password and helps mitigate certain cracking methods • The salt value doesn’t need to be secret and is typically stored with the password hash

  10. Password Storage - Windows • In Windows passwords for local users are stored in • C:\Windows\System32\Config • Two files, sam and system, are needed • Sam contains the hashed user passwords • System contains the boot hash for the system • This information can also be found in the registry keys • KHLM\SAM • KHLM\SYSTEM

  11. Password Storage - Linux • User information is stored in a plaintext file • /etc/passwd • This file contains all user information except password hash and can be read by anyone • The file with the password hashes is • /etc/shadow

  12. Kali • Kali is a Linux distribution based on Debian • It is a security toolbox with a number of open source tools pre-installed • The tools give Kali a wide range of abilities • Enumeration, fingerprinting, password cracking, sniffing and attacking to name a few • It can be run on an Intel or ARM platform

  13. Password Cracking • Since most systems store passwords as one-way hashes, password cracking is really password guessing • You cannot actually decode/decrypt the hashed password • You can, however, guess the password, hash it and then compare the results • If they match, then you have more than likely “cracked” the password

  14. Password Cracking Exercise Important files The all.gz file from: http://download.openwall.net/pub/wordlists/ Sample Hashed password file

  15. 1925f1a061df98c868b8a00fb3be4d75b08984bb:rebeca950bb52a92d051e1f15231bb616e1afc637d7fb5:superman11000ca2ab999e2b552465e7b49e3ee3e4f5098649:carman771460ecbf64fc384094605f772e7cf5c0859a01:johnnyboy148abbdfeb2888b5111fc27648f7f3b900aeff9a:rainmanf144f3b3ef0fc20bdc18eeefb39e7d13f379a1ec:printesa23a3bff36120fbca341dfb1b0fb5b1308dc8611b:tina1377fd085296b6f32bd68cb22986d91fca4835beb3:rock233c68531bd551e32f4ace9c55d849b428ca914bcd:clarkie391cb1e07c5f1f4e3000e0fd125802c7a9b1dc96:deliveryc6913a449e9d8f842d732689d3d67fbf8be417d5:linus18c0637e70854e336318fd1fd04023f3580b29de8:woodchuck02a6225d5ad75f2ce3f3fd1cee0daeca43cb1f54:shahbaz1a2e3739d7ad4f5d5398acb250fc289704a48cc9:merlijn2427f0f56306123dfffc5fcca045611e457d4d0b:dedetteccdab2127e4b956c4af2cff18c19ae860b8c456a:gibbera39b6c738dadeef190361cf47397243ad174c183:tessanf3f96e38bb686c14553e5a9441c5ab35755980b1:tmiller1dd6d53f70106ef6fcf9ae21dc4a79bf0eb3ee934:fialottac6a934e92ad9a4e65c90172376774c298a8ef547:libellule7010730ee5a91de72385564327c398065c810ec8:mirmur2f59e613fd9e9e13e5480b3fd588946022b97782:aware186f2fd18cbf4517473c7d3f11b88fae16ae348b2:aeroaeroa3c998b8a45c0c30bec91e82260b66a15bda0bc4:57415741c79472ced23bbadce31e3971a4befaced4d7731c:refosco15898d02e159e8eba00fb08b09f8eaa9cb7364e3:merle3ce2f59de8f8ed64fef72afce8b3a8f3a80c33c74:a13xandra3741aa5c9d7c6a48f4ae8784ab1bd233b9b4d30e:Honniee4ce2cfae2e471f664d97a024b827a2eec1d288e:45390701925f1a061df98c868b8a00fb3be4d75b08984bb:rebeca950bb52a92d051e1f15231bb616e1afc637d7fb5:superman11000ca2ab999e2b552465e7b49e3ee3e4f5098649:carman771460ecbf64fc384094605f772e7cf5c0859a01:johnnyboy148abbdfeb2888b5111fc27648f7f3b900aeff9a:rainmanf144f3b3ef0fc20bdc18eeefb39e7d13f379a1ec:printesa23a3bff36120fbca341dfb1b0fb5b1308dc8611b:tina1377fd085296b6f32bd68cb22986d91fca4835beb3:rock233c68531bd551e32f4ace9c55d849b428ca914bcd:clarkie391cb1e07c5f1f4e3000e0fd125802c7a9b1dc96:deliveryc6913a449e9d8f842d732689d3d67fbf8be417d5:linus18c0637e70854e336318fd1fd04023f3580b29de8:woodchuck02a6225d5ad75f2ce3f3fd1cee0daeca43cb1f54:shahbaz1a2e3739d7ad4f5d5398acb250fc289704a48cc9:merlijn2427f0f56306123dfffc5fcca045611e457d4d0b:dedetteccdab2127e4b956c4af2cff18c19ae860b8c456a:gibbera39b6c738dadeef190361cf47397243ad174c183:tessanf3f96e38bb686c14553e5a9441c5ab35755980b1:tmiller1dd6d53f70106ef6fcf9ae21dc4a79bf0eb3ee934:fialottac6a934e92ad9a4e65c90172376774c298a8ef547:libellule7010730ee5a91de72385564327c398065c810ec8:mirmur2f59e613fd9e9e13e5480b3fd588946022b97782:aware186f2fd18cbf4517473c7d3f11b88fae16ae348b2:aeroaeroa3c998b8a45c0c30bec91e82260b66a15bda0bc4:57415741c79472ced23bbadce31e3971a4befaced4d7731c:refosco15898d02e159e8eba00fb08b09f8eaa9cb7364e3:merle3ce2f59de8f8ed64fef72afce8b3a8f3a80c33c74:a13xandra3741aa5c9d7c6a48f4ae8784ab1bd233b9b4d30e:Honniee4ce2cfae2e471f664d97a024b827a2eec1d288e:4539070

More Related