Passwords Everywhere
Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | Certified Ethical Hacker | ondrej@sevecek.com | www.sevecek.com
GOPAS: info@gopas.cz | www.gopas.cz | www.facebook.com/P.S.GOPAS

Take care of your passwords
• People use the same passwords for different services
  • AD network, mobile phone, credit card PIN, Facebook, e-shops, free webmail, …
• People type their passwords on unknown computers
• Passwords travel over the network unencrypted
• Somebody else is your computer administrator
• Computers often store passwords in full form
Hardware keyloggers
• Easy to solder

Different service = different password?
• Do you think the databases of Facebook, Google+, Gmail, Microsoft, Alza, Seznam, … are encrypted?
  • nonsense
• What do you think the Indians do when bored?
  • are they surfing your email, or Facebook?
• What do you think is the first thing a virus is going to do after infection?
  • list all user accounts
  • touch anything in your network with your current password

User Account Control (UAC)
• Locally limits Administrators group membership
• Does nothing over the network
• It matters only for a BFU (ordinary end user) on a single machine
• It does not affect administrative accounts

Windows authentication seems secure
• Kerberos, Kerberos, Kerberos, sometimes NTLM
• Encrypted network transport
• AES, mutual authentication, rekeying, etc.
Passwords are in memory
[Diagram: the plaintext password typed at Ctrl-Alt-Del is kept in LSASS memory and reused by local client applications: ISClient, Internet Explorer, Outlook, Lync]

Passwords are in LSASS memory
[Diagram: plaintext password held in the local LSASS; ISClient, Internet Explorer, Outlook and Lync authenticate through it to the server's LSASS via Kerberos or NTLM]
Who can steal passwords from LSASS
• Local Administrators
• The Debug privilege is the only thing necessary to break into LSASS memory

Basic authentication
• HTTP Basic authentication
  • used veeeeery often even on intranets
  • mostly BFU accounts
• LDAP Simple bind
  • used veeeeery often by third-party NAS, VPN, VoIP, gateways, routers, VMware console, etc.
  • often administrative accounts
• RDP
  • used extreeeeemely often
  • extreeeeemely often administrative accounts
Passwords are in LSASS memory
[Diagram: the plaintext password also reaches the server's LSASS, sent in plain text by VPN, MSTSC (RDP), ISClient, Internet Explorer, Outlook and Lync]

Passwords are stored in full form
• IIS application pools
• Services
• Scheduled tasks
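Added example, not part of the original deck: a read-only PowerShell inventory of the three places the slide names, so an administrator can see which accounts have a password stored in full form on a machine. Assumptions of mine: it runs elevated on the machine being audited, the IIS part needs the WebAdministration module and is skipped when IIS is absent, and the pattern of built-in and virtual accounts that store no password is my own.

```powershell
# Added example, not from the original deck: where are passwords stored in full form?
# Built-in accounts and NT SERVICE\ virtual accounts have no stored password; everything else does.
$noPasswordPattern = '^(LocalSystem|NT AUTHORITY\\(SYSTEM|LocalService|NetworkService|Local Service|Network Service)|NT SERVICE\\.*)$'

function Get-StoredCredentialInventory {
    $result = @()

    # 1) Services: StartName is the logon account, its password lives in the LSA secrets
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if ($svc.StartName -and $svc.StartName -notmatch $noPasswordPattern) {
            $result += [pscustomobject]@{ Type = 'Service'; Name = $svc.Name; Account = $svc.StartName }
        }
    }

    # 2) Scheduled tasks: these logon types mean the Task Scheduler keeps the password itself
    foreach ($task in Get-ScheduledTask) {
        if ($task.Principal.LogonType -in 'Password', 'InteractiveOrPassword') {
            $result += [pscustomobject]@{
                Type    = 'ScheduledTask'
                Name    = "$($task.TaskPath)$($task.TaskName)"
                Account = $task.Principal.UserId
            }
        }
    }

    # 3) IIS application pools running as a specific user (password kept in applicationHost.config)
    if (Get-Module -ListAvailable -Name WebAdministration) {
        Import-Module WebAdministration
        foreach ($pool in Get-ChildItem IIS:\AppPools) {
            if ($pool.processModel.identityType -eq 'SpecificUser') {
                $result += [pscustomobject]@{ Type = 'IISAppPool'; Name = $pool.Name; Account = $pool.processModel.userName }
            }
        }
    }

    return $result
}

# Domain accounts are the ones to worry about: a service password stolen here works on every machine
Get-StoredCredentialInventory |
    Sort-Object Account |
    Format-Table Type, Name, Account -AutoSize
```

Every line in the output is an account whose password an administrator of that box can recover, which is the reason the deck insists that a password shared between a service account and anything else is a password shared with whoever administers that box.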
After an attack, change your password!
• Really?
• Password filter on the DC or in the local SAM database

Good password
• Long: at least 12 characters
• All four types of characters (a-z, A-Z, 0-9, #$%^…)
  • 80% of passwords are alphanumeric
• Never reuse the same password for critical services
  • not too much change necessary

Password locking?
• Do not exaggerate
• 6-character complex password
  • 75 trials per one lockout
  • for 1 minute
  • = 3 300 years

Cracking from local/AD hashes (non-cache)
• MD4 hashes
• brute-force, 8 characters complex
  • 1 CPU = 25 years
  • 10 GPUs = 15 days
• rainbow table, 8 characters complex
  • = minutes
  • = 120 GB
• Every character makes it 80x more difficult
• 12-character complex password is unbreakable
  • at least for non-NSA mortals

Cracking from network trace and password cache
• No use for rainbow tables
  • MD4 salted
• Only brute-force possible
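Added example, not from the original deck, covering the "Good password", "Password locking?" and "Cracking from local/AD hashes" slides together: PowerShell functions that reproduce the deck's figures from explicit assumptions, so the same arithmetic can be re-run for a different lockout policy, password length or character set. Assumptions of mine: "every character makes it 80x more difficult" is read as an 80-symbol alphabet (26 + 26 + 10 + 18 symbols), alphanumeric-only is 62 symbols, online guessing is reported as the expected time (half the keyspace) while offline cracking is reported as the full keyspace, and the guess rates are backed out of the deck's own "25 years" and "15 days" figures rather than measured. The sample password is constructed.

```powershell
# Added example, not part of the original deck: password policy arithmetic.
# Assumed alphabet: 26 lower + 26 upper + 10 digits + 18 symbols = 80 (the deck's "80x per character").
$SecondsPerYear = 365.25 * 86400
$MinutesPerYear = $SecondsPerYear / 60

function Get-EffectiveAlphabetSize {
    # Alphabet an attacker must assume, given which character classes a password actually uses.
    param([string]$Password)
    $size = 0
    if ($Password -cmatch '[a-z]')        { $size += 26 }   # -cmatch: case-sensitive
    if ($Password -cmatch '[A-Z]')        { $size += 26 }
    if ($Password -match  '[0-9]')        { $size += 10 }
    if ($Password -match  '[^a-zA-Z0-9]') { $size += 18 }   # assumed symbol count
    return $size
}

function Get-KeyspaceSize {
    param([int]$Length, [int]$AlphabetSize = 80)
    return [math]::Pow($AlphabetSize, $Length)
}

function Get-OnlineGuessingYears {
    # Expected time (half the keyspace) for online guessing throttled by account lockout.
    param([int]$Length, [double]$TrialsPerLockout = 75, [double]$LockoutMinutes = 1, [int]$AlphabetSize = 80)
    $guessesPerMinute = $TrialsPerLockout / $LockoutMinutes
    $expectedGuesses  = (Get-KeyspaceSize -Length $Length -AlphabetSize $AlphabetSize) / 2
    return $expectedGuesses / $guessesPerMinute / $MinutesPerYear
}

function Get-OfflineCrackingDays {
    # Worst-case (full keyspace) time for offline brute force against unsalted MD4 hashes.
    param([int]$Length, [double]$GuessesPerSecond, [int]$AlphabetSize = 80)
    return (Get-KeyspaceSize -Length $Length -AlphabetSize $AlphabetSize) / $GuessesPerSecond / 86400
}

# "Password locking?" slide: 6 complex characters, 75 trials then a 1-minute lock -> about 3 300 years
'{0:N0} years of online guessing for a 6-character complex password' -f (Get-OnlineGuessingYears -Length 6)

# "Cracking" slide: back out the guess rates implied by "1 CPU = 25 years" and "10 GPUs = 15 days"
$cpuRate = (Get-KeyspaceSize -Length 8) / (25 * $SecondsPerYear)
$gpuRate = (Get-KeyspaceSize -Length 8) / (15 * 86400)
'Implied rates: 1 CPU {0:N0} guesses/s, 10 GPUs {1:N0} guesses/s' -f $cpuRate, $gpuRate

# Extrapolate to longer passwords and to alphanumeric-only passwords (the deck's 80% case)
foreach ($len in 8, 10, 12) {
    foreach ($alpha in 62, 80) {
        $days = Get-OfflineCrackingDays -Length $len -GuessesPerSecond $gpuRate -AlphabetSize $alpha
        '{0} chars, alphabet {1}: 10 GPUs need {2:N0} days ({3:N0} years)' -f $len, $alpha, $days, ($days / 365.25)
    }
}

# Which alphabet does a concrete password force on the attacker? (constructed sample)
$sample = 'Tr0ub4dor&3xampl'
'Sample password uses a {0}-symbol alphabet' -f (Get-EffectiveAlphabetSize -Password $sample)
```

With these assumptions the lockout line comes out at roughly 3 300 years, matching the slide, and the 12-character row shows the step from 15 days to about 1.7 million years that the deck summarises as "unbreakable for non-NSA mortals": four extra characters multiply the work by 80^4. The 62-symbol rows show what the deck's "80% of passwords are alphanumeric" costs at the same length.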
What to remember
• Never type a password on an unknown computer
• Accessing remote machines with RDP sends your password there
• Disable all HTTP Basic and LDAP Simple bind authentications
• Use smart cards instead

Where to read more
http://www.sevecek.com/Lists/Categories/Category.aspx?CategoryId=17&Name=(Anti)hacking
http://www.sevecek.com/Lists/Posts/Post.aspx?ID=145

GOODBYE
See you at the courses of the GOPAS, a.s. computer school
GOC171 - Active Directory Troubleshooting
GOC172 - Kerberos Troubleshooting
GOC173 - Enterprise PKI Deployment
GOC175 - Administering Security
GOPAS: info@gopas.cz | www.gopas.cz | www.facebook.com/P.S.GOPAS
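Added example, not part of the original deck: before the two cleartext-password protocols from the "What to remember" slide can be disabled, an administrator has to find out who still uses them. The PowerShell below inventories IIS sites with HTTP Basic authentication enabled (run on the web server, needs the WebAdministration module) and summarises, on a domain controller, which clients and identities still perform simple binds or unsigned binds, which Windows records as event 2889 in the Directory Service log once the diagnostic value "16 LDAP Interface Events" is set to 2. The `$Days` parameter, the `?` placeholders and the regular expressions over the event text are my own.

```powershell
# Added example, not from the original deck: find remaining HTTP Basic and LDAP simple-bind users.

# 1) Web server: sites with HTTP Basic authentication enabled (passwords cross the wire base64-encoded only)
function Get-IisBasicAuthSites {
    Import-Module WebAdministration
    foreach ($site in Get-Website) {
        $basic = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$($site.Name)" `
                    -Filter 'system.webServer/security/authentication/basicAuthentication' -Name enabled
        if ($basic.Value) {
            [pscustomobject]@{ Site = $site.Name; BasicAuthEnabled = $true }
        }
    }
}

# 2) Domain controller: event 2889 is written for every simple bind over cleartext and every unsigned SASL bind,
#    but only after the LDAP interface diagnostic level has been raised to 2:
#    Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' -Name '16 LDAP Interface Events' -Value 2
function Get-CleartextLdapBindClients {
    param([int]$Days = 1)   # assumed parameter: look back this many days
    $filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $msg = $_.Message
        # The event text carries "Client IP address:" and "Identity the client attempted to authenticate as:"
        $ip = if ($msg -match 'Client IP address:\s*(\S+)')  { $matches[1] } else { '?' }
        $id = if ($msg -match 'authenticate as:\s*(\S+)')    { $matches[1] } else { '?' }
        [pscustomobject]@{ Client = $ip; Identity = $id }
    } |
        Group-Object Client, Identity |
        Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Client'; e = { $_.Group[0].Client } }, @{ n = 'Identity'; e = { $_.Group[0].Identity } }
}

# 3) Domain controller: is LDAP signing already required? (LDAPServerIntegrity 2 = signing required)
function Get-LdapSigningRequirement {
    $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -Name LDAPServerIntegrity -ErrorAction SilentlyContinue
    if ($p -and $p.LDAPServerIntegrity -eq 2) { 'required' } else { 'not required' }
}

Get-IisBasicAuthSites | Format-Table -AutoSize
Get-CleartextLdapBindClients -Days 7 | Format-Table -AutoSize
'LDAP server signing: {0}' -f (Get-LdapSigningRequirement)
```

The 2889 summary is the list the deck's "third-party NAS, VPN, VoIP, gateways, routers" slide warns about: each row is a device sending a password, often an administrative one, to the DC in the clear. Those devices have to be reconfigured for LDAPS or a signed bind before signing can be required on the DC without breaking them.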