This is a presentation on password security delivered at a security conference at IIT Guwahati, India. It discusses and throws light on the following areas:

- Part I - Operating System, Cryptography & Password Recovery
- Part II - Password Cracking/Recovery Techniques
- Part III - Advanced Password Stealing Methods
- Part IV - Why they are after you and Tips for Protection!

Speaker note: they do smaller transactions, sometimes less than $50, so that it goes unnoticed.
Primer on Password Security
Nagareshwar Talekar
www.SecurityXploded.com
tnagareshwar@gmail.com

Contents
- Part I - Operating System, Cryptography & Password Recovery
- Part II - Password Cracking/Recovery Techniques
- Part III - Advanced Password Stealing Methods
- Part IV - Why they are after you and Tips for Protection!

Part I
Operating System, Cryptography & Password Recovery

Windows Login Password Secrets
- Windows 98 used to store the user account passwords in .PWL files in the Windows directory.
- Windows NT onwards stores the login passwords in the registry hive files named 'SYSTEM' and 'SAM' at the following location:
  C:\Windows\System32\Config

Windows Login Password Secrets
- These password files are highly protected and are not accessible while Windows is running, even for the administrator.
- The SAM hive file corresponds to the registry location HKEY_LOCAL_MACHINE\SAM
- The SYSTEM hive file corresponds to the registry location HKEY_LOCAL_MACHINE\SYSTEM
- These registry locations (user-account-related content) are visible only from the 'System Account'.
- Login passwords are stored as one-way hashes computed with the LM/NTLM algorithms.
- A code injection technique is used to dump these password hashes from the system process LSASS.EXE.

Windows Login Password Recovery - I
- Live Password Recovery
  - Dump the LM/NTLM password hashes of users using the pwdump/LC5/Cain & Abel tools.
  - Recover the password using the Online/RainbowCrack/BruteForce method.
- Offline Password Recovery - Resetting the Password
  - Boot via BackTrack, mount the system partition and use the chntpw tool to reset the password.
- Offline Password Recovery - Retrieving the original password
  - Boot from BackTrack or any Live CD.
  - Copy the SYSTEM & SAM files from the Windows\System32\Config folder.
  - On another system, use the Cain & Abel/LC5 tool to get the LM/NTLM hashes from these files.
  - Finally get the original password using the Online/RainbowCrack/BruteForce method.

Windows Login Password Recovery - II
- [Screenshot: dumping local password hashes using the Cain & Abel tool]

Windows Login Password Recovery - III
- Bypass Windows Authentication using Kon-Boot
  - Log in to any Windows system without entering a password using Kon-Boot.
  - It dynamically modifies the Windows kernel to bypass authentication.
- Remote System Password Recovery
  - Use the pwdump tool to remotely dump the password hashes from a live system.
  - Then recover the password using the Online/RainbowCrack/BruteForce method.
  - You need to know the admin password of the remote system.

Linux Login Password Secrets & Recovery
- Linux stores user login information in the /etc/passwd & /etc/shadow files.
- /etc/passwd contains only user-login-related info; the password hash is actually stored in the /etc/shadow file.
- Contents of /etc/passwd:
  smithj:x:561:561:Joe Smith:/home/smithj:/bin/bash
- Contents of /etc/shadow:
  smithj:Ep6mckrOLChF.:10063:0:99999:7:::
- Use "John the Ripper" to crack Linux passwords.

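A defender-side complement to the two sample lines above, added here as an example and not part of the original slides: it parses /etc/passwd and /etc/shadow entries and flags the storage weaknesses a cracker exploits (a hash left in the world-readable /etc/passwd, an empty password, or the legacy 13-character DES crypt format of the slide's sample hash). The file contents below are constructed for this example.

```python
# Added example (not from the slides): audit /etc/passwd and /etc/shadow entries
# for the storage weaknesses a cracker such as John the Ripper exploits.
# The sample file contents below are constructed for this example.
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
smithj:x:561:561:Joe Smith:/home/smithj:/bin/bash
legacy:Ep6mckrOLChF.:562:562:Legacy User:/home/legacy:/bin/sh
"""

SAMPLE_SHADOW = """\
root:$6$c0nstructed$NotARealHashJustASampleValueForTheExample:19000:0:99999:7:::
smithj:Ep6mckrOLChF.:10063:0:99999:7:::
guest::10063:0:99999:7:::
svc:!:10063:0:99999:7:::
"""


@dataclass
class ShadowEntry:
    name: str
    password: str                # hash, '' (no password) or '!'/'*' (locked)
    last_change: Optional[int]   # days since 1970-01-01, None when the field is empty
    min_days: Optional[int]
    max_days: Optional[int]
    warn_days: Optional[int]


def _int_or_none(field: str) -> Optional[int]:
    return int(field) if field else None


def parse_shadow_line(line: str) -> ShadowEntry:
    """Split one /etc/shadow line into its nine colon-separated fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}: {line!r}")
    name, pw, last, min_, max_, warn, _inactive, _expire, _reserved = fields
    return ShadowEntry(name, pw, _int_or_none(last), _int_or_none(min_),
                       _int_or_none(max_), _int_or_none(warn))


def classify_hash(pw: str) -> str:
    """Identify the crypt(3) scheme from the hash prefix."""
    if pw == "":
        return "empty"
    if pw.startswith(("!", "*")):
        return "locked"
    prefixes = {"$6$": "sha512crypt", "$5$": "sha256crypt", "$y$": "yescrypt",
                "$2b$": "bcrypt", "$2y$": "bcrypt", "$1$": "md5crypt"}
    for prefix, scheme in prefixes.items():
        if pw.startswith(prefix):
            return scheme
    if len(pw) == 13 and "$" not in pw:
        return "descrypt"   # traditional DES crypt, the format of the slide's sample
    return "unrecognised"


def audit(passwd_text: str, shadow_text: str) -> List[Tuple[str, str]]:
    """Return (account, finding) pairs for weak password storage."""
    findings = []
    for line in passwd_text.splitlines():
        name, pw_field = line.split(":")[:2]
        # /etc/passwd is world-readable; anything but 'x' here exposes the hash
        if pw_field != "x":
            findings.append((name, "hash-in-passwd"))
    for line in shadow_text.splitlines():
        entry = parse_shadow_line(line)
        scheme = classify_hash(entry.password)
        if scheme == "empty":
            findings.append((entry.name, "empty-password"))
        elif scheme in ("descrypt", "md5crypt"):
            # descrypt truncates passwords to 8 characters and is cheap to brute-force
            findings.append((entry.name, f"weak-hash:{scheme}"))
    return findings
```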
Operating System & Cryptography
- Each OS provides a built-in cryptography store & library for secure storage of secret/sensitive data.
- User login credentials are used to keep it isolated and protected from other users.
- Makes it easy & transparent for any application to use it.
- Apps do not have to worry about the security of sensitive data.
- Windows - DPAPI & Credential Store
- Linux
  - KDE => KWallet
  - GNOME => Keyring
- Mac - Keychain

Windows Cryptography Internals
- DPAPI - Data Protection API
  - Uses the strong Triple-DES algorithm, the SHA-1 algorithm and the PBKDF2 password-based key derivation routine.
  - Uses large secret sizes to greatly reduce the possibility of brute-force attacks compromising the secrets.
- Only the logged-in user can decrypt his/her previously encrypted data.
- It is possible to recover the password from the disk if that user's login credential is known.
- Using DPAPI from your application [user specific]
  - CryptProtectData - encrypt your password
  - CryptUnprotectData - decrypt your password

Windows Cryptography Internals
- Other useful DPAPI functions
  - CryptEncrypt - [generic] encrypt data
  - CryptDecrypt - [generic] decrypt data
  - CryptProtectMemory - encrypts a memory region
  - CryptUnprotectMemory - decrypts a memory region
- Applications using DPAPI: IE, Google Chrome, GTalk, Picasa, Google Desktop Search etc.

Using Windows DPAPI
Just a few lines of code to encrypt/decrypt passwords!

```c
#include <windows.h>
#include <wincrypt.h>   /* DATA_BLOB, CryptProtectData, CryptUnprotectData; link with crypt32.lib */
#include <stdio.h>
#include <string.h>

int main(void) {
    DATA_BLOB DataIn, DataOut, DataFinal;
    char secret[] = "My Secret Password";
    DataIn.pbData = (BYTE *)secret;             /* pbData is a BYTE pointer, so cast */
    DataIn.cbData = (DWORD)strlen(secret) + 1;  /* include the terminating NUL */
    /* Encrypt the password: no description, no extra entropy, current user's scope */
    if (!CryptProtectData(&DataIn, NULL, NULL, NULL, NULL, 0, &DataOut))
        return 1;
    /* Decrypt the password */
    if (!CryptUnprotectData(&DataOut, NULL, NULL, NULL, NULL, 0, &DataFinal))
        return 1;
    printf("Decrypted password is %s\n", DataFinal.pbData);
    LocalFree(DataOut.pbData);     /* DPAPI allocates the output buffers with LocalAlloc */
    LocalFree(DataFinal.pbData);
    return 0;
}
```

Note: the above code is for illustration purposes only.

Windows DPAPI Secrets
- Any data encrypted using the DPAPI functions has the following magic pattern:
  01 00 00 00 D0 8C 9D DF 01 15 D1 11 8C 7A 00 C0
- [Screenshot: sample DPAPI encrypted data file]

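Added example, not from the slides: a scanner that uses the magic pattern above to find DPAPI blobs in an arbitrary file image and reads the header fields a forensic analyst or defender needs (master key GUID, user versus machine scope, description). The header layout is the documented CryptProtectData blob format; the sample file, master key GUID and description are constructed for this example.

```python
# Added example (not from the slides): locate DPAPI blobs by the magic header
# the slide shows and read the header fields that tell which master key (and
# therefore which user profile or machine) protects each blob.
# The sample file image below is constructed; no real ciphertext is involved.
import struct
import uuid

# Version DWORD 1 followed by the first 12 bytes of the DPAPI provider GUID,
# exactly the 16-byte pattern shown on the slide
DPAPI_MAGIC = bytes.fromhex("01000000D08C9DDF0115D1118C7A00C0")
# Full provider GUID, {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
CRYPTPROTECT_LOCAL_MACHINE = 0x4   # machine-scoped blob: any local user can decrypt it


def find_dpapi_blobs(data: bytes) -> list:
    """Return every offset at which a DPAPI blob header starts."""
    offsets, pos = [], data.find(DPAPI_MAGIC)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(DPAPI_MAGIC, pos + 1)
    return offsets


def parse_dpapi_header(blob: bytes) -> dict:
    """Decode the fixed header: version, provider GUID, master key version,
    master key GUID, flags and the UTF-16LE description string."""
    version, = struct.unpack_from("<I", blob, 0)
    provider = uuid.UUID(bytes_le=blob[4:20])
    if version != 1 or provider != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob")
    mk_version, = struct.unpack_from("<I", blob, 20)
    master_key = uuid.UUID(bytes_le=blob[24:40])
    flags, descr_len = struct.unpack_from("<II", blob, 40)
    description = blob[48:48 + descr_len].decode("utf-16-le").rstrip("\x00")
    return {
        "masterkey_version": mk_version,
        # names the %APPDATA%\Microsoft\Protect\<SID>\<guid> file needed to decrypt
        "masterkey_guid": str(master_key),
        "machine_scope": bool(flags & CRYPTPROTECT_LOCAL_MACHINE),
        "description": description,
    }


def build_sample_blob(master_key: uuid.UUID, description: str, flags: int = 0) -> bytes:
    """Constructed header-only blob for the demonstration (no real ciphertext)."""
    descr = (description + "\x00").encode("utf-16-le")
    return (struct.pack("<I", 1) + DPAPI_PROVIDER_GUID.bytes_le
            + struct.pack("<I", 1) + master_key.bytes_le
            + struct.pack("<II", flags, len(descr)) + descr
            + b"\x00" * 32)   # stand-in for the algorithm, salt and ciphertext fields


SAMPLE_MASTER_KEY = uuid.UUID("11111111-2222-3333-4444-555555555555")   # constructed
# Constructed "settings file": 16 bytes of unrelated content, then one DPAPI blob
SAMPLE_FILE = b"\x7fSETTINGSv1\x00\x00\x00\x00\x00" + build_sample_blob(
    SAMPLE_MASTER_KEY, "Example secret", CRYPTPROTECT_LOCAL_MACHINE)


def scan_file(data: bytes) -> list:
    """Inventory every DPAPI blob in a file image with its master key and scope."""
    return [dict(offset=off, **parse_dpapi_header(data[off:]))
            for off in find_dpapi_blobs(data)]
```

Running `scan_file` over an application's profile files shows which of them carry DPAPI-protected secrets and whether any were protected with machine scope, which is what the "only the logged-in user can decrypt" statement on the earlier slide does not cover.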
Windows Cryptography Internals
- Credential Store - provides a secure storage mechanism for sensitive data
- Credential Store types
  - Generic Password
  - Domain Password - most secure
  - Domain Visible Password / .NET Passport
  - Certificates
- 'Domain Password' => It cannot be decrypted even by the administrator. Only the system process LSASS.EXE has the privilege to work with it.
- Generic Password/.NET Passport => Use the functions CredEnumerate & CredUnprotectData to enumerate and decrypt all the stored passwords.
- Applications => Outlook, Windows Live Messenger, Remote Desktop, GMailNotifier, Network Passwords etc.

Windows Cryptography Internals
- Protected Storage - the older storage mechanism used by Windows
- The Protected Storage API functions exported from pstorec.dll are used to store/enumerate the secret data.
- Used by older versions of Internet Explorer, Outlook & MSN Messenger.

Part II
Password Cracking/Recovery Techniques

Password Cracking/Recovery Techniques I
- Dictionary Method
  - Quickly finds any dictionary-based password.
- Brute-Force Method
  - Uses a specific character set or combination such as lowercase, uppercase, numeric, special characters.
  - Takes a long time, depending on the length and character set used.
- Hybrid Method
  - Combination of a dictionary word and the brute-force technique.
  - Detects "smart" passwords such as password123, 123password etc.
- Pattern-based Brute-Force Method
  - Here the user knows part of the password (say, that it ends with 123).
  - Reduces the number of attempts and significantly reduces the total time.

Password Recovery Techniques II
- GPU/Distributed Brute-Force
  - Password cracking/recovery is performed on high-end GPU-based or distributed systems.
  - Speeds up the recovery process significantly.
- Rainbow Crack
  - Hashes of a known algorithm (such as LM/NTLM/MD5/SHA) for all possible character sets are pre-computed and kept in sorted tables.
  - The password hash is then searched for in these tables to find the original plaintext password.
  - Very efficient and the fastest way to crack complex passwords.

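Added example (not from the slides) showing the property rainbow tables depend on and the defence against it: an unsalted hash such as MD5 is identical for every user, so a table built once answers every lookup, whereas a per-user random salt combined with PBKDF2 forces the table to be rebuilt for each salt and makes every guess expensive. The word list and passwords are constructed.

```python
# Added example (not from the slides): why the pre-computed table approach behind
# RainbowCrack works against unsalted hashes, and how per-user salt plus a slow
# key derivation function defeats it. The word list and passwords are constructed.
import hashlib
import hmac
import os

WORDLIST = ["password", "letmein", "123456", "password123", "qwerty"]   # constructed


def unsalted_md5(password: str) -> str:
    """Unsalted MD5, one of the table-friendly algorithms named on the slide."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(words) -> dict:
    """Pre-compute hash -> plaintext once. A rainbow table stores this far more
    compactly (as chains) but relies on the same property: the hash of a given
    password is identical for every user and every system."""
    return {unsalted_md5(w): w for w in words}


def table_lookup(table: dict, stored_hash: str):
    """One dictionary lookup replaces the whole brute-force run."""
    return table.get(stored_hash)


def salted_hash(password: str, salt: bytes = None, iterations: int = 100_000) -> str:
    """Per-user random salt + PBKDF2-HMAC-SHA256: a table would have to be rebuilt
    for every salt value, and each guess costs `iterations` HMAC rounds."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _scheme, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def same_password_two_users(password: str):
    """Two users sharing a password: identical unsalted hashes (one table hit
    reveals both accounts) but distinct salted hashes."""
    unsalted_equal = unsalted_md5(password) == unsalted_md5(password)
    salted_equal = salted_hash(password) == salted_hash(password)
    return unsalted_equal, salted_equal
```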
Rainbow Cracker Tool
- [Screenshot of the RainbowCrack GUI tool]

Creating your Own Password Tools
- Preparation - ask Google and get all possible password info for the target app
- Goal 1: Find out the password storage location: registry or file?
- Goal 2: Password decryption algorithm
- Reverse Engineering - static analysis using the IDA Pro disassembler
  - Search for password strings/file names/registry key names
  - Trace backwards, decompile the function
  - Find the right function handling the password decryption
- Reverse Engineering - live debugging using OllyDbg
  - Break on the CredEnumerate/CryptUnprotectData functions
  - Directly debug/trace the password functions
  - Decode the password decryption algorithm

Case Study: First ever Disclosure on Password Secrets of Apple Safari
- Google Search - failed: almost no information on Safari password recovery
- Goal 1: Finding the password storage location
  - Random checks in the %appdata%, %localappdata%, %programfiles% locations - found nothing
  - Checked the registry: HKEY_CURRENT_USER - found nothing
  - Traced Safari with ProcMon & found it!
    C:\Users\Administrator\AppData\Roaming\Apple Computer\Preferences
  - A little more investigation found the exact password file "keychain.plist"
- Goal 1.1: Decoding the password file
  - Tried manual decoding and smart guesses - FAILED
  - Found that it is using Windows DPAPI technology for encryption
  - Google search to find out what a plist is
  - Found a tool, plutil.exe, to convert the plist to a neat XML file

Case Study: Making of Safari Password Decryptor
- Goal 2: Decrypting the password
  - Debugging with breakpoints on CryptUnprotectData & CryptDecrypt
  - It hit on CryptUnprotectData (in CFNetwork.dll) and on return I had the decrypted password
  - Here it was using entropy/salt for enhanced security
- Goal 2.1: Decoding the entropy/salt
  - Disassembled CFNetwork.dll to understand the entropy/salt calculating function - Down!
  - Debugged again with a breakpoint on the salt function - Alice in Wonderland :)
  - Finally copied the salt/entropy data and tested it with a dummy program - Worked!
  - Next step was to verify whether this salt is constant or different for each system/user
  - Tested on another system and it was static!
  - Finally I wrote a parser for the XML password file and decryption code with the salt to bring out Safari Password Decryptor!

Safari Password Decryptor
- [Demonstration of Safari Password Decryptor in action]

Part III
Advanced Password Stealing Methods

Password Sniffing on the Wire
- Automatically capture plaintext passwords flowing over the wire
- Capture passwords for services such as FTP, SMTP, HTTP Basic, POP3, IMAP4 etc.
- Network password sniffer tools
  - Dsniff
  - SniffPass
  - Cain & Abel
  - FTPPasswordSniffer

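The detection-side counterpart to the sniffers listed above, added as an example (it is not a tool from the slides): it walks reassembled application-layer lines and reports where credentials crossed the wire in the clear for the protocols the slide names, recording the account and protocol but never the password itself. The traffic sample, hosts and accounts are constructed.

```python
# Added example (not from the slides): find plaintext credential exposure in
# captured traffic for FTP, POP3, IMAP4, HTTP Basic and SMTP AUTH PLAIN.
# The traffic below is constructed; no real capture is used.
import base64
import re

# Constructed sample: (client address, server port, one application-layer line)
SAMPLE_TRAFFIC = [
    ("10.0.0.5", 21, "USER smithj"),
    ("10.0.0.5", 21, "PASS hunter2"),
    ("10.0.0.7", 110, "USER alice"),
    ("10.0.0.7", 110, "PASS Winter2010"),
    ("10.0.0.9", 143, "a001 LOGIN bob secret99"),
    ("10.0.0.9", 80, "GET /admin HTTP/1.1"),
    ("10.0.0.9", 80, "Authorization: Basic "
                     + base64.b64encode(b"bob:password123").decode()),
    ("10.0.0.11", 25, "AUTH PLAIN "
                      + base64.b64encode(b"\x00carol\x00s3cret").decode()),
    ("10.0.0.11", 993, "<TLS application data>"),   # encrypted: nothing readable
]

PROTOCOL_BY_PORT = {21: "FTP", 25: "SMTP", 80: "HTTP", 110: "POP3", 143: "IMAP4"}
IMAP_LOGIN = re.compile(r"^\S+\s+LOGIN\s+(\S+)\s+(\S+)$", re.IGNORECASE)


def _finding(client, protocol, user, secret):
    # Record who and over which protocol; keep only the length of the secret
    return {"client": client, "protocol": protocol, "user": user,
            "secret_length": len(secret)}


def detect_plaintext_credentials(records) -> list:
    """Return one finding per credential sent without transport encryption."""
    findings = []
    pending_user = {}   # (client, port) -> username seen on a USER command
    for client, port, line in records:
        proto = PROTOCOL_BY_PORT.get(port)
        if proto in ("FTP", "POP3") and line.upper().startswith("USER "):
            pending_user[(client, port)] = line[5:].strip()
        elif proto in ("FTP", "POP3") and line.upper().startswith("PASS "):
            user = pending_user.pop((client, port), "?")
            findings.append(_finding(client, proto, user, line[5:]))
        elif proto == "IMAP4" and (m := IMAP_LOGIN.match(line)):
            findings.append(_finding(client, proto, m.group(1), m.group(2)))
        elif proto == "HTTP" and line.lower().startswith("authorization: basic "):
            # Basic auth is base64, an encoding rather than encryption
            user, _, secret = base64.b64decode(line.split()[2]).decode().partition(":")
            findings.append(_finding(client, proto, user, secret))
        elif proto == "SMTP" and line.upper().startswith("AUTH PLAIN "):
            # SASL PLAIN payload: authzid \0 authcid \0 password
            parts = base64.b64decode(line.split()[2]).decode().split("\x00")
            findings.append(_finding(client, proto, parts[1], parts[2]))
    return findings
```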
FTP Password Sniffing Demo
- [Demonstration]

Advanced Password Stealing I
- Man-in-the-Middle Attack - SSL Sniffing
  - Use a man-in-the-middle attack to divert the target user's network session through the attacker's system.
  - Perform an SSL MITM attack to get complete control over the user session and steal credentials.
  - Tools - WebScarab, Ettercap, Cain & Abel
- Phishing
  - Users are redirected to duplicate/fake bank/mail login web pages and their passwords are recorded.
  - Uses techniques such as DNS poisoning, fake websites, DNS redirection, scary emails etc.
- Session Hijacking
  - Steal the user's mail or bank transaction session by stealing the cookie or other session-based parameters through sniffing.
  - Simultaneously access the user session - view/perform privileged operations.

Advanced Password Stealing II
- Custom Hooks/Patches for Silent Password Stealing
  - Important applications such as browsers and messengers are patched
  - Using custom DLL/API hooks/runtime memory modification techniques
  - Stolen passwords are written to a file
- Hardware Keyloggers
  - Switches for keyboard cables which can collect all keyboard data
  - Requires physical access; easy and highly stealthy; not detected by anti-keyloggers

Penetration Testing & Password Recovery
- Once the system is compromised - fire up a command prompt & use console-based password tools
- Crack/recover the following passwords
  - Operating system - user login passwords
  - Passwords stored by popular browsers (Firefox, Chrome, IE etc.)
  - Passwords stored by popular messengers (GTalk, AIM, Windows Messenger, Trillian etc.)
  - Passwords stored by email clients (Outlook, Thunderbird etc.)
  - Stored network passwords
  - Application-specific passwords (Facebook & Twitter desktop clients)
- Sniff passwords on the network
- Tools - Pwdump, Browser/Mail/IM/Network PasswordDecryptor, SniffPass etc.

Demonstration
- Stealing browser passwords using Metasploit - Penetration Testing Framework

Browser Password Decryptor Demo
- [Demonstration: recovering passwords stored by all popular web browsers]

Part IV
Why They are After You and Tips for Protection!

Why Hackers/Spyware/Trojans Steal your Passwords?
- Now it is all about MONEY - no more status quo
- Quickest, easiest & dirtiest way to make money
- Use automated tools to build a worm integrated with the latest zero-day exploit
- One sophisticated worm/trojan can bring in money worth 6+ digits

How They Make Money?
- Data is highly precious - are you a CEO, a high government officer, a nuclear researcher?
- Sell the secret data to your enemies - competitor companies, opposing countries.
- Steal your credit card details and use them to buy a Benz!
- Get access to your bank/email/corporate account and demand money to give it back to you
- Encrypt your hard disk and ask for money to decrypt it!
- Lock your desktop and ask for money to unlock it!
- Many more innovative ways...!

How Spyware/Trojans Steal your Passwords
- Spread the trojan/spyware through the following means
  - game software
  - serial crackers
  - other freeware
  - network shares
  - malicious websites
  - malicious documents (PDF/Flash/Office)
- Once the system is compromised, the trojan uses one of the following ways to steal your passwords
  - Keyloggers [kernel/user level]
  - Password crackers
  - Network password sniffers
  - Custom hooks/patches for popular applications to silently steal passwords

Password Protection - Tips I
- Use a unique password for every important account
- Never store passwords for important accounts in browsers/messengers or other applications
- Choose a strong password - but not a complex one
  - use uppercase (even one will do) + lowercase + number/special character
  - choose an uncommon special character
  - length should be above 8
- Use a master password (even a simple one will do) to protect all the stored passwords (example: Firefox)
- Set up an alternate email account for password reset operations
- You are not lucky enough to win 100 million $$$ - don't reply to lottery emails and give away your account details

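Added example, not from the slides: the Tips I rules as a checker, together with the hybrid-pattern test from the cracking-techniques slide (a dictionary word with digits or specials glued on, like password123 or 123password) and a brute-force keyspace estimate for the character classes actually used. The word list and the set of "common" special characters are assumptions of this example.

```python
# Added example (not from the slides): encode the Tips I rules as a checker and
# estimate the brute-force keyspace the chosen characters imply.
# COMMON_WORDS and COMMON_SPECIALS are constructed assumptions, not from the deck.
import math
import re
import string

COMMON_WORDS = {"password", "welcome", "admin", "letmein", "qwerty", "monkey"}
COMMON_SPECIALS = set("!@#$")   # the specials a cracker tries first (assumption)
HYBRID = re.compile(r"^[^A-Za-z]*([A-Za-z]+)[^A-Za-z]*$")


def looks_hybrid(password: str) -> bool:
    """True for a single dictionary word padded with digits/specials at either end,
    the shape the hybrid method (password123, 123password) recovers quickly."""
    m = HYBRID.match(password)
    return bool(m) and m.group(1).lower() in COMMON_WORDS


def check_password(password: str) -> list:
    """Return the Tips I rules the password breaks (an empty list means it passes)."""
    problems = []
    if len(password) <= 8:
        problems.append("length should be above 8")
    if not any(c.isupper() for c in password):
        problems.append("needs at least one uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("needs lowercase letters")
    specials = {c for c in password if c in string.punctuation}
    if not specials and not any(c.isdigit() for c in password):
        problems.append("needs a number or special character")
    if specials and specials <= COMMON_SPECIALS:
        problems.append("choose an uncommon special character")
    if password.lower() in COMMON_WORDS:
        problems.append("dictionary word (found by the dictionary method)")
    elif looks_hybrid(password):
        problems.append("dictionary word plus digits/specials (found by the hybrid method)")
    return problems


def brute_force_bits(password: str) -> float:
    """log2 of the keyspace a brute-force run must cover for this length and the
    character classes present: 26 lower, 26 upper, 10 digits, 32 punctuation."""
    classes = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (lambda c: c in string.punctuation, len(string.punctuation))]
    size = sum(n for test, n in classes if any(test(c) for c in password))
    return len(password) * math.log2(size) if size else 0.0
```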
Password Protection - Tips II
- On compromise or spyware infection, change the passwords of all main accounts (bank/mail/corporate/social network)
- Do not do banking or any important transactions, or view mail accounts, through
  - a wireless network
  - a cyber cafe
  - a shared system
- In an emergency use SSL and make sure the SSL certificate is valid (no warnings)
- Use one-time passwords for online transactions wherever available!
- Phishing protection
  - Verify the SSL green status in the browser
  - Check that the URL is the proper one
  - Do not click through email content - type it manually

Password Recovery Workshop
Post-lunch session
- Windows Password Cracking
  - Cain & Abel to dump password hashes from a live system
  - BackTrack - resetting the Windows password
  - BackTrack and Cain & Abel - offline Windows password recovery
- Rainbow Password Cracking
  - Generating RainbowCrack tables
  - Using them to crack password hashes
- Password Sniffing on the Wire
  - Network sniffing using Wireshark
  - Using password sniffing tools such as SniffPass/FtpPasswordSniffer
- Browser & Messenger Password Recovery
  - Recovering passwords from Mozilla/Firefox/Chrome/Safari browsers
  - Recovering passwords from messengers (GTalk, Windows Messenger, Trillian, Gaim etc.)

References
- Windows Login Password Recovery
- Linux Password & Shadow File Formats
- Windows Data Protection Technology - DPAPI
- Exposing the Secret of Decrypting Network Passwords
- Password Secrets of Popular Windows Applications
- Browser Password Decryptor - All Browser Password Recovery Tool
- The Rainbow Crack Project
- Cain & Abel - The Windows Multi-purpose Password Tool
- BackTrack - Most Popular Linux Security Distribution
- Pwdump6 - Windows Password Dumping Tool

Questions?

Thank You!
www.SecurityXploded.com
tnagareshwar@gmail.com