Talk from CodeMash on Passwords, cracking them, and intelligent approaches to getting past them.

Presented at CodeMash, January 8, 2014

So, What’s in a Password?
Rob Gillen
@argodev
This work is licensed under a Creative Commons Attribution 3.0 License.

Don’t Be Stupid
The following presentation describes real attacks on real systems. Please note that most of the attacks described would be considered ILLEGAL if attempted on machines that you do not have explicit permission to test and attack. I assume no responsibility for any actions you perform based on the content of this presentation or subsequent conversations. Please remember this basic guideline: With knowledge comes responsibility.

Disclaimer
The content of this presentation represents my personal views and thoughts at the present time. This content is not endorsed by, or representative in any way of, my employer, nor is it intended to be a view into my work or a reflection on the type of work that I or my group performs. It is simply a hobby and personal interest and should be considered as such.
Password Attacks: A Year in Review

Pixel Federation
In December 2013, a breach of the web-based game community based in Slovakia exposed over 38,000 accounts, which were promptly posted online. The breach included email addresses and unsalted MD5 hashed passwords, many of which were easily converted back to plain text.
http://haveibeenpwned.com/

Vodafone
In November 2013, Vodafone in Iceland suffered an attack attributed to the Turkish hacker collective "Maxn3y". The data was consequently publicly exposed and included user names, email addresses, social security numbers, SMS messages, server logs and passwords from a variety of different internal sources.
http://haveibeenpwned.com/

Adobe
The big one. In October 2013, 153 million accounts were breached, each containing an internal ID, username, email, encrypted password and a password hint in plain text. The password cryptography was poorly done and many were quickly resolved back to plain text. The unencrypted hints also disclosed much about the passwords, adding further to the risk that hundreds of millions of Adobe customers already faced.
http://haveibeenpwned.com/

Twitter
February 2013: “This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later. However, our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users.”
https://blog.twitter.com/2013/keeping-our-users-secure
More…
• cvideo.co.il – 10/15/2013 – 3,339
  • http://hackread.com/iranian-hackers-hack-israeli-job-site/
• penangmarathon.gov.my – 10/8/2013 – 1,387
  • http://www.cyberwarnews.info/2013/10/07/45000-penang-marathonparticipants-personal-details-leaked/
• tomsawyer.com – 10/6/2013 – 57,462
  • http://www.cyberwarnews.info/2013/10/07/software-company-tomsawyer-hacked-61000-vendors-accounts-leaked/
• ahashare.com – 10/3/2013 – 169,874
  • http://www.cyberwarnews.info/2013/10/04/ahashare-com-hackedcomplete-database-with-190-000-user-credentials-leaked/
• Unknown Israeli website – 7/30/2013 – 26,064
  • http://hackread.com/opizzah-opisrael-phr0zenmyst-claims-to-leaklogin-details-of-33895-israelis/
• UK emails – 7/17/2013 – 8,002
  • http://www.techworm.in/2013/07/more-than-15000-emails-usernameand.html
https://shouldichangemypassword.com/all-sources.php

More…
• UK emails (part 2) – 7/17/2013 – 7,514
  • http://www.techworm.in/2013/07/more-than-15000-emails-usernameand.html
• http://www.pakistanintelligence.com – 5/27/2013 – 75,942
  • http://www.ehackingnews.com/2013/05/pakistan-intelligence-jobboard-website.html
• McDonalds Taiwan – 3/27/2013 – 185,620
  • http://www.cyberwarnews.info/2013/03/28/official-mcdonaldsaustria-taiwan-korea-hacked-over-200k-credentials-leaked/
• karjera.ktu.lt – 3/14/2013 – 14,133
  • http://www.cyberwarnews.info/2013/03/14/14000-student-credentialsleaked-from-ktu-career-center-lithuania/
• avadas.de – 3/9/2013 – 3,344
  • http://hackread.com/avast-germany-website-hacked-defaced-20000user-accounts-leaked-by-maxney/
• angloplatinum.co.za – 3/5/2013 – 7,967
  • http://thehackernews.com/2013/03/worlds-largest-platinum-producerhacked.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheHackersNews+(The+Hackers+News+-+Security+Blog)#_
https://shouldichangemypassword.com/all-sources.php

More…
• angloplatinum.com – 3/5/2013 – 723
  • http://thehackernews.com/2013/03/worlds-largest-platinum-producerhacked.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheHackersNews+(The+Hackers+News+-+Security+Blog)#_
• Walla.co.il – 2/19/2013 – 531,526
  • http://www.haaretz.com/news/national/anonymous-activists-hackinto-600-000-israeli-email-accounts.premium-1.504093
• Bank Executives – 2/4/2013 – 4,596
  • http://www.zdnet.com/anonymous-posts-over-4000-u-s-bank-executivecredentials-7000010740/
• bee-network.co.za – 1/29/2013 – 81
  • http://www.ehackingnews.com/2013/01/projectsunrise-teamghostshell-leaked.html
• omni-id.com – 1/29/2013 – 1,151
  • http://www.ehackingnews.com/2013/01/projectsunrise-teamghostshell-leaked.html
• moolmans.com – 1/29/2013 – 117
  • http://www.ehackingnews.com/2013/01/projectsunrise-teamghostshell-leaked.html
https://shouldichangemypassword.com/all-sources.php

More…
• servicedesk.ufs.ac.za – 1/29/2013 – 3,952
  • http://www.ehackingnews.com/2013/01/projectsunrise-teamghostshell-leaked.html
• servicedesk.ufs.ac.za (part 2) – 1/29/2013 – 355
  • http://www.ehackingnews.com/2013/01/projectsunrise-teamghostshell-leaked.html
• westcol.co.za – 1/29/2013 – 99
  • http://www.ehackingnews.com/2013/01/projectsunrise-teamghostshell-leaked.html
• digital.postnet.co.za – 1/29/2013 – 45,245
  • http://www.ehackingnews.com/2013/01/projectsunrise-teamghostshell-leaked.html
• French Chamber of Commerce – 1/29/2013 – 515
  • http://news.softpedia.com/news/French-Chamber-of-Commerceand-Industry-Portal-Hacked-by-Tunisian-Cyber-Army324716.shtml
https://shouldichangemypassword.com/all-sources.php
Types of Attacks
• Algorithm Weaknesses
• Implementation Weaknesses
• Dictionary Attacks
• Brute-Force Attacks
• Mask Attacks

Algorithmic Weaknesses
• Collision, Second Pre-Image, Pre-Image
• Confirmed:
  • GOST, HAVAL, MD2, MD4, MD5, PANAMA, RadioGatun, RIPEMD, RIPEMD-160, SHA-0, SHA-1, Tiger(2) – 192/160/128, WHIRLPOOL
• Theoretical:
  • SHA-256/224
  • SHA-512/384
http://en.wikipedia.org/wiki/Cryptographic_hash_function

Account Hashes
• Windows Hash
  • EAD0CC57DDAAE50D876B7DD6386FA9C7
• Linux Hash
  • $6$OeKR9qBnzym.Q.VO$hM3uL03hmR4ZqAME/8Ol.xWGYAmVdpi3S4hWGLeugaKNj/HLzQPTz7FhjATYO/KXCNHZ8P7zJDi2HHb1K.xfE.

File Encryption
• MS Office
• PDFs
• Zip/7z/rar
• TrueCrypt

http://www.truecrypt.org/docs/volume-format-specification

How do they work?
• Known file-format/implementation weakness
• Header data to indicate encryption
  • Type, key length, etc.
• Often some small portion to decrypt/validate
• How is it that changing encryption keys is fast?
  • Your key encrypts the “real” key

Is it really cracking?
Password Guessing

    char string1[maxPassLength + 1];
    char alphanum[63] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
        "abcdefghijklmnopqrstuvwxyz"
        "0123456789";
    for 0 → maxLength
        for each char in alphanum…

Slightly Better…

    int min = 8;
    int max = 12;
    char[] valid =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
        "abcdefghijklmnopqrstuvwxyz"
        "0123456789";
    # known rules
    # first & last must be char
    # no consecutive-ordered chars/nums
    # no repeated chars/nums
DEMO: Cracking a Windows Hash With oclHashCat

Image courtesy of xkcd.com (http://imgs.xkcd.com/comics/password_strength.png)

(more) Intelligent Password Guessing
• What do people usually use?
• What can we do to reduce the set of possibilities?
• Cull terms/domain knowledge from relevant data
  • Dating sites, religious sites, others
• Best: already used/real-world passwords

Determine your goals
• Cracking a single, specific pwd?
• Cracking a large % of an “acquired set”?
• Mark Burnett, author of Perfect Passwords
• List of 6,000,000, culled down to the 10,000 most frequently used
• Top 10,000 passwords are used by 98.8% of all users
• 2,342,603 (that’s 99.6%) unique passwords remaining that are in use by only .18% of users!
https://xato.net/passwords/more-top-worst-passwords/

• Lots of lists…

https://www.grc.com/haystack.htm

PACK
• Password Analysis and Cracking Toolkit
• Peter Kacherginsky, PasswordCon, 7/30-7/31
• Intelligent cycle of cracking, analysis, rule generation
http://thesprawl.org/projects/pack/

Statistical Analysis
• Password Length Analysis
• Character Set Analysis
• Word Mangling Analysis
Example: Length
https://thesprawl.org/media/research/passwords13-smarter-password-cracking-with-pack.pdf

DEMO: Statistics on Real PWs
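The length, character-set and mask statistics the two slides above describe, as an added example for auditing your own user population (this is not PACK's code and not the talk's demo; the password list is constructed, and the mask notation follows hashcat's ?l/?u/?d/?s convention):

```python
from collections import Counter

# Constructed sample "acquired set" for the demo; these are not real leaked passwords.
SAMPLE_PASSWORDS = [
    "monkey", "monkey1", "Monkey123", "password", "Passw0rd!",
    "letmein", "123456", "qwerty12", "Summer2013", "iloveyou",
]

def charset_of(pw):
    """Name the character classes a password mixes (lower/upper/digit/special)."""
    classes = []
    if any(c.islower() for c in pw): classes.append("lower")
    if any(c.isupper() for c in pw): classes.append("upper")
    if any(c.isdigit() for c in pw): classes.append("digit")
    if any(not c.isalnum() for c in pw): classes.append("special")
    return "+".join(classes)

def mask_of(pw):
    """Per-position class string in hashcat's mask notation: ?l ?u ?d ?s."""
    out = []
    for c in pw:
        if c.islower(): out.append("?l")
        elif c.isupper(): out.append("?u")
        elif c.isdigit(): out.append("?d")
        else: out.append("?s")
    return "".join(out)

def length_stats(pws):
    return Counter(len(p) for p in pws)

def charset_stats(pws):
    return Counter(charset_of(p) for p in pws)

def mask_stats(pws):
    return Counter(mask_of(p) for p in pws)

def print_report(pws):
    """Print each distribution as count and percentage, most common first:
    a mask shared by a large share of users is a policy gap, not a strength."""
    n = len(pws)
    for name, counts in (("length", length_stats(pws)),
                         ("charset", charset_stats(pws)),
                         ("mask", mask_stats(pws))):
        print("[%s]" % name)
        for key, count in counts.most_common():
            print("  %-28s %3d  (%.1f%%)" % (key, count, 100.0 * count / n))

if __name__ == "__main__":
    print_report(SAMPLE_PASSWORDS)
```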
Advanced Analytics
• Levenshtein Edit Distance
http://en.wikipedia.org/wiki/Levenshtein_distance

Levenshtein Edit Distance
• Minimum number of changes required to change one string into another
• Measure distance b/t actual words and cracked list to optimize the word mangling rules
  • i.e. XX% of words can be achieved with Levenshtein edit distance of <=2
  • Only generate rules that match
http://www.let.rug.nl/~kleiweg/lev/
http://www.kurzhals.info/static/samples/levenshtein_distance/
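The measurement the slide describes, as an added example (not from the talk or its linked tools): Levenshtein distance between each recovered password and the nearest base word, and the share that falls within 2 edits, which is the "XX%" figure a defender would use to judge how much a policy really adds over the dictionary. The word lists are constructed.

```python
def levenshtein(a, b):
    """Minimum number of single-character insertions, deletions and substitutions
    turning a into b (Wagner-Fischer, keeping two rows of the DP table)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute (free if equal)
        prev = cur
    return prev[-1]

# Constructed demo data, not real leaked passwords: a tiny base wordlist and the
# "actual" passwords an audit of a user population turned up.
BASE_WORDS = ["monkey", "password", "summer", "letmein"]
ACTUAL = ["monkey1", "Monkey!", "passw0rd", "Summer2013", "letmein", "xk7#Qz9p"]

def nearest(pw, words):
    """(distance, base word) of the closest base word to pw."""
    return min((levenshtein(pw, w), w) for w in words)

def coverage(actual, words, max_dist=2):
    """Fraction of actual passwords within max_dist edits of some base word, i.e. the
    share that a mangling rule set limited to max_dist edits could reproduce."""
    hits = sum(1 for pw in actual if nearest(pw, words)[0] <= max_dist)
    return hits / len(actual)

def out_of_reach(actual, words, max_dist=2):
    """Passwords no short rule reaches from the base list: what a policy should aim for."""
    return [pw for pw in actual if nearest(pw, words)[0] > max_dist]

if __name__ == "__main__":
    for pw in ACTUAL:
        d, w = nearest(pw, BASE_WORDS)
        print("%-12s nearest %-10s distance %d" % (pw, w, d))
    print("within 2 edits of a base word: %.0f%%" % (100 * coverage(ACTUAL, BASE_WORDS)))
```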
What if I don’t have your Password?
• Pass the Hash
  • Demo
• But We use Smart Cards!?

Avoidance Techniques
• Don’t use “monkey”
• Don’t reuse “monkey”
• If you must use monkey, require something else as well
• Salt is good
  • Your own salt is better
• Utilize memory-hard algorithms
• Utilize multiple iterations (a lot)
• Your username is half of the equation
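The salt, iteration and memory-hardness points above, side by side with the unsalted fast hash that the Pixel Federation slide and the Windows hash on the Account Hashes slide illustrate, as an added example written for this page (not the talk's code). It uses only the Python standard library; the storage-string format is my own assumption, and the iteration count is a starting point to tune on your own hardware.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000  # "multiple iterations (a lot)": tune so one hash costs tens of ms on your servers

def unsalted_md5(password):
    """The scheme the Pixel Federation breach exposed: no salt and one fast hash per guess,
    so identical passwords produce identical hashes across users and a leak shows reuse."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def hash_password(password, salt=None, iterations=ITERATIONS):
    """Per-user random salt + PBKDF2-HMAC-SHA256 with a high iteration count.
    The stored string carries scheme, iterations and salt, so verification is self-contained
    and the cost can be raised later without touching old records."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$pbkdf2-sha256$%d$%s$%s" % (
        iterations, base64.b64encode(salt).decode(), base64.b64encode(digest).decode())

def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, scheme, iters, b64salt, b64digest = stored.split("$")
    if scheme != "pbkdf2-sha256":
        raise ValueError("unknown scheme: " + scheme)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 base64.b64decode(b64salt), int(iters))
    return hmac.compare_digest(actual, base64.b64decode(b64digest))

def memory_hard_hash(password, salt, n=2**14, r=8, p=1):
    """Memory-hard alternative (scrypt; needs Python 3.6+ built against OpenSSL 1.1+):
    every guess must touch about 128*n*r bytes (16 MiB here), which GPU crackers handle badly."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=32)

if __name__ == "__main__":
    alice, bob = "monkey", "monkey"                     # two users, same weak password
    print(unsalted_md5(alice) == unsalted_md5(bob))      # True: the leak reveals the reuse
    print(hash_password(alice) == hash_password(bob))    # False: different salts
    rec = hash_password("monkey")
    print(verify_password("monkey", rec), verify_password("m0nkey", rec))  # True False
```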
References
• http://haveibeenpwned.com/
• https://lastpass.com/adobe/
• https://lastpass.com/linkedin/
• https://lastpass.com/lastfm/
• https://shouldichangemypassword.com/all-sources.php

Questions/Contact
Rob Gillen
rob@gillenfamily.net
http://rob.gillenfamily.net
@argodev