So whats in a password
Upcoming SlideShare
Loading in...5
×
 

Like this? Share it with your network

Share

So whats in a password

on

  • 1,800 views

Talk from CodeMash on Passwords, cracking them, and intelligent approaches to getting past them.

Talk from CodeMash on Passwords, cracking them, and intelligent approaches to getting past them.

Presented at CodeMash, January 8, 2014

Statistics

Views

Total Views
1,800
Views on SlideShare
1,800
Embed Views
0

Actions

Likes
0
Downloads
1
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

CC Attribution License

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

So whats in a password Presentation Transcript

  • 1. So, What’s in a Password? Rob Gillen @argodev This work is licensed under a Creative Commons Attribution 3.0 License.
  • 2. Don’t Be Stupid The following presentation describes real attacks on real systems. Please note that most of the attacks described would be considered ILLEGAL if attempted on machines that you do not have explicit permission to test and attack. I assume no responsibility for any actions you perform based on the content of this presentation or subsequent conversations. Please remember this basic guideline: With knowledge comes responsibility.
  • 3. Disclaimer The content of this presentation represents my personal views and thoughts at the present time. This content is not endorsed by, or representative in any way of my employer nor is it intended to be a view into my work or a reflection on the type of work that I or my group performs. It is simply a hobby and personal interest and should be considered as such.
  • 4. Password Attacks A Year in Review
  • 5. Pixel Federation In December 2013, a breach of the webbased game community based in Slovakia exposed over 38,000 accounts which were promptly posted online. The breach included email addresses and unsalted MD5 hashed passwords, many of which were easily converted back to plain text. http://haveibeenpwned.com/
  • 6. Vodafone In November 2013, Vodafone in Iceland suffered an attack attributed to the Turkish hacker collective "Maxn3y". The data was consequently publicly exposed and included user names, email addresses, social security numbers, SMS message, server logs and passwords from a variety of different internal sources. http://haveibeenpwned.com/
  • 7. Adobe The big one. In October 2013, 153 million accounts were breached with each containing an internal ID, username, email, encrypted password and a password hint in plain text. The password cryptography was poorly done and many were quickly resolved back to plain text. The unencrypted hints also disclosed much about the passwords adding further to the risk that hundreds of millions of Adobe customers already faced. http://haveibeenpwned.com/
  • 8. Twitter February 2013 - This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later. However, our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users. https://blog.twitter.com/2013/keeping-our-users-secure
  • 9. More… • cvideo.co.il – 10/15/2013 – 3,339 • http://hackread.com/iranian-hackers-hack-israeli-job-site/ • penangmarathon.gov.my – 10/8/2013 – 1,387 • http://www.cyberwarnews.info/2013/10/07/45000-penang-marathonparticipants-personal-details-leaked/ • tomsawyer.com – 10/6/2013 – 57,462 • http://www.cyberwarnews.info/2013/10/07/software-company-tomsawyer-hacked-61000-vendors-accounts-leaked/ • ahashare.com – 10/3/2013 – 169,874 • http://www.cyberwarnews.info/2013/10/04/ahashare-com-hackedcomplete-database-with-190-000-user-credentials-leaked/ • Unknown Israeli website – 7/30/2013 – 26,064 • http://hackread.com/opizzah-opisrael-phr0zenmyst-claims-to-leaklogin-details-of-33895-israelis/ • UK emails – 7/17/2013 – 8,002 • http://www.techworm.in/2013/07/more-than-15000-emails-usernameand.html https://shouldichangemypassword.com/all-sources.php
  • 10. More… • UK emails (part 2) – 7/17/2013 – 7,514 • http://www.techworm.in/2013/07/more-than-15000-emails-usernameand.html • http://www.pakistanintelligence.com – 5/27/2013 – 75,942 • http://www.ehackingnews.com/2013/05/pakistan-intelligence-jobboard-website.html • McDonalds Taiwan – 3/27/2013 – 185,620 • http://www.cyberwarnews.info/2013/03/28/official-mcdonaldsaustria-taiwan-korea-hacked-over-200k-credentials-leaked/ • karjera.ktu.lt – 3/14/2013 – 14,133 • http://www.cyberwarnews.info/2013/03/14/14000-student-credentialsleaked-from-ktu-career-center-lithuania/ • avadas.de – 3/9/2013 – 3,344 • http://hackread.com/avast-germany-website-hacked-defaced-20000user-accounts-leaked-by-maxney/ • angloplatinum.co.za – 3/5/2013 – 7,967 • http://thehackernews.com/2013/03/worlds-largest-platinum-producerhacked.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Fee d%3A+TheHackersNews+(The+Hackers+News+-+Security+Blog)#_ https://shouldichangemypassword.com/all-sources.php
  • 11. More… • angloplatinum.com – 3/5/2013 – 723 • http://thehackernews.com/2013/03/worlds-largest-platinum-producerhacked.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Fee d%3A+TheHackersNews+(The+Hackers+News+-+Security+Blog)#_ • Walla.co.il – 2/19/2013 – 531,526 • http://www.haaretz.com/news/national/anonymous-activists-hackinto-600-000-israeli-email-accounts.premium-1.504093 • Bank Executives – 2/4/2013 – 4,596 • http://www.zdnet.com/anonymous-posts-over-4000-u-s-bank-executivecredentials-7000010740/ • bee-network.co.za – 1/29/2013 – 81 • http://www.ehackingnews.com/2013/01/projectsunrise-teamghostshell-leaked.html • omni-id.com – 1/29/2013 – 1,151 • http://www.ehackingnews.com/2013/01/projectsunrise-teamghostshell-leaked.html • moolmans.com – 1/29/2013 – 117 • http://www.ehackingnews.com/2013/01/projectsunrise-teamghostshell-leaked.html https://shouldichangemypassword.com/all-sources.php
  • 12. More… • servicedesk.ufs.ac.za – 1/29/2013 – 3,952 • http://www.ehackingnews.com/2013/01/projectsunrise-teamghostshell-leaked.html • servicedesk.ufs.ac.za (part 2) – 1/29/2013 – 355 • http://www.ehackingnews.com/2013/01/projectsunrise-teamghostshell-leaked.html • westcol.co.za – 1/29/2013 – 99 • http://www.ehackingnews.com/2013/01/projectsunrise-teamghostshell-leaked.html • digital.postnet.co.za – 1/29/2013 – 45,245 • http://www.ehackingnews.com/2013/01/projectsunrise-teamghostshell-leaked.html • French Chamber of Commerce – 1/29/2013 – 515 • http://news.softpedia.com/news/French-Chamber-of-Commerceand-Industry-Portal-Hacked-by-Tunisian-Cyber-Army324716.shtml https://shouldichangemypassword.com/all-sources.php
  • 13. Types of Attacks • Algorithm Weaknesses • Implementation Weaknesses • Dictionary Attacks • Brute-Force Attacks • Mask Attacks
  • 14. Algorithmic Weaknesses • Collision, Second Pre-Image, Pre-Image • Confirmed: • GOST, HAVAL, MD2, MD4, MD5, PANAMA, RadioGatun, RIPEMD, RIPEMD-160, SHA-0, SHA-1, Tiger(2) – 192/160/128, WHIRLPOOL • Theoretical: • SHA-256/224 • SHA-512/384 http://en.wikipedia.org/wiki/Cryptographic_hash_function
  • 15. Account Hashes • Windows Hash • EAD0CC57DDAAE50D876B7DD6386FA9C7 • Linux Hash • $6$OeKR9qBnzym.Q.VO$hM3uL03hmR4ZqAME/8Ol. xWGYAmVdpi3S4hWGLeugaKNj/HLzQPTz7FhjATYO/ KXCNHZ8P7zJDi2HHb1K.xfE.
  • 16. File Encryption • MS Office • PDFs • Zip/7z/rar • TrueCrypt
  • 17. http://www.truecrypt.org/docs/volume-format-specification
  • 18. How do they work? • Known file-format/implementation weakness • Header data to indicate encryption • Type, keylength, etc. • Often some small portion to decrypt/validate • How is it that changing encryption keys is fast? • Your key encrypts “real” key
  • 19. Is it really cracking?
  • 20. Password Guessing char string1[maxPassLength + 1]; char alphanum[63] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" "abcdefghijklmnopqrstuvwxyz" "0123456789"; for 0  maxLength for each char in alphanum…
  • 21. Slightly Better… int min = 8; int max = 12; char[] valid = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" "abcdefghijklmnopqrstuvwxyz" "0123456789"; # # # # known rules first & last must be char no consecutive-ordered chars/nums no repeated chars/nums
  • 22. DEMO: Cracking a Windows Hash With oclHashCat
  • 23. Image courtesy of xkcd.com (http://imgs.xkcd.com/comics/password_strength.png)
  • 24. (more) Intelligent Password Guessing • What do people usually use? • What can we do to reduce the set of possibilities? • Cull terms/domain knowledge from relevant data • Dating sites, religious sites, others Best: Already used/real-world passwords
  • 25. Determine your goals • Cracking a single, specific pwd? • Cracking a large % of an “acquired set”?
  • 26. • Mark Burnett, author of Perfect Passwords • List of 6,000,000, culled down to 10,000 most frequently used • Top 10,000 passwords are used by 98.8% of all users • 2,342,603 (that’s 99.6%) unique passwords remaining that are in use by only .18% of users! https://xato.net/passwords/more-top-worst-passwords/
  • 27. • Lots of lists…
  • 28. https://www.grc.com/haystack.htm
  • 29. PACK • Password Analysis and Cracking Toolkit • Peter Kacherginsky, PasswordCon, 7/30-7/31 • Intelligent cycle of cracking, analysis, rule generation http://thesprawl.org/projects/pack/
  • 30. Statistical Analysis • Password Length Analysis • Character Set Analysis • Word Mangling Analysis
  • 31. Example: Length https://thesprawl.org/media/research/passwords13-smarter-password-cracking-with-pack.pdf
  • 32. DEMO: Statistics on Real PWs
  • 33. Advanced Analytics • Levenshtein Edit Distance http://en.wikipedia.org/wiki/Levenshtein_distance
  • 34. Levenshtein Edit Distance • Minimum number of changes required to change one string into another • Measure distance b/t actual words and cracked list to optimize the word mangling rules • i.e. XX% of words can be achieved with Levenshtein edit distance of <=2 • Only gen rules that match http://www.let.rug.nl/~kleiweg/lev/ http://www.kurzhals.info/static/samples/levenshtein_distance/
  • 35. What if I don’t have your Password? • Pass the Hash • Demo • But We use Smart Cards!?
  • 36. Avoidance Techniques • Don’t use “monkey” • Don’t reuse “monkey” • If you must use monkey, require something else as well • Salt is good • Your own salt is better • Utilize memory-hard algorithms • Utilize multiple iterations (a lot) • Your username is half of the equation
  • 37. References • http://haveibeenpwned.com/ • https://lastpass.com/adobe/ • https://lastpass.com/linkedin/ • https://lastpass.com/lastfm/ • https://shouldichangemypassword.com/al l-sources.php
  • 38. Questions/Contact Rob Gillen rob@gillenfamily.net http://rob.gillenfamily.net @argodev