ITCamp 2011 - Paula Januszkiewicz - Password secrets revealed
Published in: Technology, Business
Transcript of "ITCamp 2011 - Paula Januszkiewicz - Password secrets revealed"

Slide 1. …or had no time to check it!
Password Secrets Revealed! Everything you want to know but are afraid to ask…
Paula Januszkiewicz, CQURE: IT Security Auditor, MVP, MCT
http://blogs.technet.com/plwit/
paula@cqure.pl
Premium conference on Microsoft’s Dev and ITPro technologies @itcampro / #itcampro

Slide 2. IT Camp 2011
• Thanks for coming!
• ITCamp is made possible by our sponsors:

Slide 3. MVP-Press Training Course
Planning, Deploying and Managing Microsoft Forefront Threat Management Gateway 2010
Available for online purchase: http://www.mvp-press.com
Follow us on: http://facebook.com/MVPpress http://twitter.com/MVPpress

Slide 4. Agenda
1 What are passwords for… nothing!
2 Passwords – some examples
3 Summary (Things you should remember)

Slide 5. What to expect?
Life without passwords…
Passwords in the Web
Protected Storage
VNC
Wireless (In) Security
Passwords in the Operating System
Rainbow tables
Cracking toolkit
Summary

Slide 7. … would be beautiful, but it is not
• Strong passwords or / and user awareness

Keyspace (number of possible passwords) by complexity and length:

Characters  Letters (Lower)         Letters (Upper & Lower)       Letters (All) & Digits          Letters & Digits & Special
6           308,915,776             19,770,609,664                56,800,235,584                  304,006,671,424
8           208,827,064,576         53,459,728,531,456            218,340,105,584,896             2,044,140,858,654,976
10          141,167,095,653,376     144,555,105,949,057,024       839,299,365,868,340,224         13,744,803,133,596,058,624
12          95,428,956,661,682,176  390,877,006,486,250,192,896   3,226,266,762,397,899,821,056   92,420,056,270,299,898,187,776

Slide 8. Time to crack passwords

Characters  Letters (Lower)   Letters (Upper & Lower)   Letters (All) & Digits   Letters & Digits & Special
6           154,4 seconds     164,7 hours
8           29 hours          …                         …                        …
10          816 days          …                         …                        …
12          51152123 years    …                         …                        87918622783,7 years

Avg. password cracking: 2 million per second
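The keyspace table on slide 7 and the time table on slide 8 are both the same calculation: alphabet size raised to the password length, divided by the guess rate. The following estimator is an added worked example, not code from the deck or from the speaker. It assumes the conventional class sizes (26 lower, 26 upper, 10 digits) plus 20 special characters, because the slide's fourth column works out to an 82-character alphabet, and it uses the 2,000,000 guesses per second the slide states as an average. It reproduces the slide 7 keyspace figures exactly, recomputes the worst-case search times for every cell, and adds the question a password policy actually has to answer: the minimum length, for a given set of character classes, whose exhaustive search exceeds a chosen survival time.

```python
"""Password keyspace and brute-force time estimator.

Added worked example; it is not part of the ITCamp deck. Assumptions:
  - class sizes 26 lower, 26 upper, 10 digits (conventional) and 20 special
    characters, because the slide's fourth column works out to 82**length
  - 2,000,000 guesses per second, the average rate stated on slide 8
"""
import math

# Assumed class sizes (see module docstring); 62 + 20 = 82 matches the slide.
CLASS_SIZES = {"lower": 26, "upper": 26, "digits": 10, "special": 20}

# The four columns of slides 7 and 8, expressed as the classes they combine.
COLUMNS = {
    "Letters (Lower)": ("lower",),
    "Letters (Upper & Lower)": ("lower", "upper"),
    "Letters (All) & Digits": ("lower", "upper", "digits"),
    "Letters & Digits & Special": ("lower", "upper", "digits", "special"),
}

GUESSES_PER_SECOND = 2_000_000  # slide 8: "Avg. password cracking: 2 million per second"


def alphabet_size(classes):
    """Size of the alphabet a password may draw from, given its character classes."""
    return sum(CLASS_SIZES[c] for c in classes)


def keyspace(alphabet, length):
    """Number of distinct passwords of exactly `length` characters over `alphabet` symbols."""
    return alphabet ** length


def entropy_bits(alphabet, length):
    """Entropy of a uniformly random password. Only valid for truly random
    choice; a dictionary word or a keyboard pattern has far less."""
    return length * math.log2(alphabet)


def seconds_to_exhaust(space, rate=GUESSES_PER_SECOND):
    """Worst case: every candidate is tried. On average the password falls after half."""
    return space / rate


def humanize(seconds):
    """Render a duration in the largest unit that fits, as the slide does."""
    for name, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


def build_table(lengths=(6, 8, 10, 12)):
    """Recompute both slides: {length: {column: (keyspace, worst-case time)}}."""
    table = {}
    for length in lengths:
        table[length] = {}
        for col, classes in COLUMNS.items():
            space = keyspace(alphabet_size(classes), length)
            table[length][col] = (space, humanize(seconds_to_exhaust(space)))
    return table


def minimum_length_for(target_seconds, classes, rate=GUESSES_PER_SECOND):
    """Smallest length whose worst-case exhaustive search at `rate` takes at
    least `target_seconds`: the policy question behind the slide's table."""
    alphabet = alphabet_size(classes)
    length = 1
    while seconds_to_exhaust(keyspace(alphabet, length), rate) < target_seconds:
        length += 1
    return length


if __name__ == "__main__":
    for length, cols in build_table().items():
        for col, (space, when) in cols.items():
            print(f"{length:2d}  {col:27s} {space:>31,d}  {when}")
    ten_years = 10 * 365 * 86400
    for col, classes in COLUMNS.items():
        print(f"{col:27s} needs length >= {minimum_length_for(ten_years, classes)} "
              f"to survive 10 years at {GUESSES_PER_SECOND:,} guesses/s")
```

The guess rate is the parameter to revisit: the 2 million per second figure is the slide's 2011 average, and a modern GPU against an unsalted fast hash such as NTLM is many orders of magnitude faster, which is why `minimum_length_for` takes the rate as an argument. The entropy figure is an upper bound that holds only for randomly generated passwords; for user-chosen ones the deck's advice (own dictionary file, test your users' passwords) is the realistic measure.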
Slide 9. 3 cryptography basis

Slide 11. Passwords in the Web: Null Byte Injection, Inside the SSL Tunnel
DEMO

Slide 13. Protected Storage
• Now: Read-Only
• DPAPI
  – Data Blob + Entropy
  – Master Key
  – User Password

Slide 15. VNC
DEMO

Slide 17. Wireless (In) Security
DEMO

Slide 19. Crack Basics: Windows
• Locally: Security Accounts Manager
• Domain: NTLS
• Direct reading? Why not?
  – SAMInside, Cain, ERD Commander, pwdump + LC5, John the Ripper
• PSTORE

Slide 20. SAM (Tools), DefineDosDevice, System Privileges, SAPD, Notification Package, GINA.DLL
DEMO

Slide 22. Rainbow Tables
• OphCrack
• RainbowCrack
• http://www.insidepro.com/tables.php
• http://www.freerainbowtables.com/en/tables/ntlm/
• https://www.objectif-securite.ch/en/products.php?hash=EE84987FE4DC6997ABD2655ED5D5C144&drgn=2

Slide 24. Password Cracking Tools
• Linux
  – John the Ripper (http://www.openwall.com/john/)
• Windows
  – John the Ripper
  – SamInside / Passwords Pro (http://www.insidepro.com)
  – Cain (http://www.oxid.it/cain.html)
  – LC5 / pwdump
  – Top 10 Tools: http://sectools.org/crackers.html

Slide 26. Summary
• Have your own dictionary file
• Use well-designed password policies
• Train users – show them what may happen if their password is revealed
• Test your users’ passwords

Slide 27. Q&A

Slide 28. Don’t forget!
Get your free Azure pass!
• 30+15 days, no CC req’d
  – http://bit.ly/ITCAMP11
  – Promo code: ITCAMP11
We want your feedback!
• Win a WP7 smartphone
  – Fill in your feedback forms
  – Raffle: end of the day