
Password cracking Team bam! Scott Amack , Everett Bloch, Maxine MAjor






Presentation Transcript


  1. Nothing is Safe: Password cracking. Team bam! Scott Amack, Everett Bloch, Maxine Major

  2. Overview • Why Passwords? • Current Events • Password Security & Cracking • Tools • Demonstrations • Linux • GPU • Windows • Conclusions

  3. Benefits of Using Passwords • Security • Security • Security • Security • Security …. Is there any other reason?

  4. The password landscape is changing. With increased computing power, the time needed to crack passwords is dropping significantly.

  5. Password Events • In 2009, three Filipino residents hacked thousands of phone networks for profit by exploiting default passwords left on the private branch exchange (PBX) systems. (washingtonpost.com) • June 2011, LulzSec hacked FBI affiliate Infragard. Stolen passwords included plaintext passwords which were reused on other services and websites, leading to a wider-scale hack. (naked security) • Dec 2012, a 25-GPU cluster was developed with the power to check 350 billion guesses/sec. It can crack any 8 character Windows NTLM password in less than 6 hours. (arstechnica) • Jan 2013, Google has been researching password-replacing technology. Currently this includes authentication via finger rings, USB cryptographic cards, and could potentially include wireless verification in the future. (wired)

  6. In 2012, a Verizon analysis revealed that 90 percent of intrusions were the result of either weak passwords, default passwords, reused passwords, or stolen credentials. (knowledge miner)

  7. Password Security • Windows recommendation:

  8. Password Security • University of Idaho’s Password Requirements: • A-Z, a-z, 0-9, symbols • Password (expires in 90 days): 8+ characters, no dictionary words over 3 letters long • Passphrase (expires in 400 days): 15+ characters, dictionary words allowed

  9. Brute Force Crack Times • Class D: 10,000,000 passwords/sec, fast PC or dual-processor PC. • Class E: 100,000,000 passwords/sec, workstation or multiple PCs working together. • Class F: 1,000,000,000 passwords/sec, typical for medium- to large-scale distributed computing or supercomputers. (lockdown)
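An added worked example (not part of the slides) that turns the guess rates above, plus the 350 billion guesses/sec figure from slide 5, into worst-case exhaustive-search times for the two University of Idaho policy shapes from slide 8. It assumes an unsalted, fast hash such as NTLM and a 95-character printable ASCII set; the character-class sizes and labels are the example's own.

```python
# Added example (not from the slides): estimate how long an exhaustive
# brute-force search takes at the guess rates quoted on the slides.
# Assumes the attacker must try the whole keyspace (worst case) against a
# fast, unsalted hash such as NTLM; a slow or salted hash lowers the
# effective rate considerably.

# Character-class sizes used for the keyspace calculation (assumed values).
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33   # 33 printable ASCII symbols

# Guess rates taken from the slides (guesses per second).
RATES = {
    "Class D (fast PC)": 1e7,
    "Class E (workstation/cluster)": 1e8,
    "Class F (distributed/supercomputer)": 1e9,
    "25-GPU cluster, NTLM (2012)": 350e9,
}

def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return charset_size ** length

def seconds_to_exhaust(charset_size: int, length: int, rate: float) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return keyspace(charset_size, length) / rate

def human(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"

if __name__ == "__main__":
    full = LOWER + UPPER + DIGITS + SYMBOLS        # 95-character set
    # Slide 8's two policy shapes: an 8-character password drawn from all
    # classes, versus a 15-character passphrase (lowercase only here, the
    # weakest reading of the passphrase rule).
    for label, size, length in (("8-char, 95 symbols", full, 8),
                                ("15-char, lowercase only", LOWER, 15)):
        for name, rate in RATES.items():
            t = human(seconds_to_exhaust(size, length, rate))
            print(f"{label:24} {name:38} {t}")
```

The 8-character, 95-symbol row at 350 billion guesses/sec comes out at roughly 5.3 hours, which matches the "less than 6 hours" claim on slide 5.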

  10. Cracking Helpers • Dictionaries: • Wordlists containing cracked passwords • Also contain dictionary words • May also have custom word lists for foreign languages • Rainbow Tables: • A table of hashed passwords • Computationally expensive to produce • Password lookup is quick once the table is generated

  11. Password Salting • A salt is random data that is added in a unique way to a password to make recovering passwords from hashes more difficult. • Salts are usually generated at the time of account creation and stored in a database table separate from the password hash. • When a user logs onto a system, their stored salt is added to the typed-in password and the result is hashed and compared to the stored password hash for verification.
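An added example (not part of the slides) of the two steps the slide describes: making a salt at account creation and re-hashing salt plus password at login. The slide names no hash algorithm; this code assumes PBKDF2-HMAC-SHA256 from the Python standard library and a 16-byte random salt, and also shows why the same password on two accounts no longer shares a hash, which is what defeats the rainbow tables from slide 10.

```python
# Added example (not from the slides): salted password storage and
# verification. The hash step is PBKDF2-HMAC-SHA256 (an assumed choice; the
# slide does not name an algorithm) so that each guess also costs the
# attacker ITERATIONS rounds of work.
import hashlib
import hmac
import secrets

ITERATIONS = 200_000   # work factor; raise it as hardware gets faster
SALT_BYTES = 16        # 128-bit random salt per account

def create_record(password: str) -> dict:
    """Account creation: draw a fresh random salt, hash salt+password, and
    return the fields that would be stored for the user."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}

def verify(record: dict, attempt: str) -> bool:
    """Login: re-hash the typed-in password with the user's stored salt and
    compare against the stored hash in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest.hex(), record["hash"])

def same_password_same_hash(password: str) -> bool:
    """Two accounts created with the same password: with per-account salts
    their stored hashes differ, so one precomputed table cannot cover both."""
    return create_record(password)["hash"] == create_record(password)["hash"]

if __name__ == "__main__":
    rec = create_record("correct horse battery staple")   # constructed sample
    print(verify(rec, "correct horse battery staple"))    # True
    print(verify(rec, "Correct horse battery staple"))    # False
    print(same_password_same_hash("hunter2"))             # False
```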

  12. Tools – John the Ripper • Attempts to crack hashed passwords from almost all commonly used hashing algorithms using user characteristics, word lists, and brute force modes. • JTR has three modes: single, wordlist, incremental. Default behavior is to run through each mode, in that order. (backreference)

  13. Tools – Cain & Abel • “Allows easy recovery of various kinds of passwords by: • sniffing the network, • cracking encrypted passwords using dictionary, brute-force and cryptanalysis attacks, • recording VoIP conversations, • decoding scrambled passwords, • recovering wireless network keys, • revealing password boxes, • uncovering cached passwords, and • analyzing routing protocols.” (oxid)

  14. Tools – Hashcat • Hashcat is a multi-platform password cracking tool that can take advantage of your GPU and can run on up to 128 GPUs. It has 4 variants that can be used depending on your needs.

  15. Tools – Hashcat Attack Modes: • Combinator • Dictionary • Fingerprinting • Mask • Permutation • Rules-based • Table-based • Toggle-case

  16. Demonstrations • John the Ripper • Cain & Abel • Hashcat

  17. Conclusions • Many password cracking utilities are free and readily available. • With technological advances (Moore’s Law), password cracking is becoming faster and easier. • Because of increases in password cracking technology, alternate authentication technologies are being developed.

  18. Summary • Why Passwords? • Current Events • Password Security and Crack Times • Cracking Demonstrations

  19. References • http://support.uidaho.edu/2011/09/23/passphrases/ • http://support.uidaho.edu/security/password-guidelines/ • http://www.lockdown.co.uk/?pg=combi • http://voices.washingtonpost.com/securityfix/2009/06/default_passwords_led_to_55_mi.html • http://nakedsecurity.sophos.com/2011/06/04/infragard-atlanta-an-fbi-affiliate-hacked-by-lulzsec/ • http://www.wired.co.uk/magazine/archive/2013/01/features/hacked • http://www.knowledgeminer.net/major-security-risks-for-this-year-2013.htm • http://backreference.org/2009/10/26/password-recovery-with-john-the-ripper/ • www.wired.com/wiredenterprise/2013/01/google-password/all/ • http://hashcat.net/oclhashcat-plus/ • http://www.oxid.it/cain.html • http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/
