Your SlideShare is downloading. ×
Primer on password security
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Primer on password security

22,589

Published on

This is presentation on password security delivered at security conference at IIT Guwahti, India. …

This is presentation on password security delivered at security conference at IIT Guwahti, India.

It discusses and throws light on following areas

Part I - Operating System, Cryptography & Password Recovery

Part II - Password Cracking/Recovery Techniques

Part III – Advanced Password Stealing Methods

Part IV - Why they are after you and Tips for Protection !

Published in: Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
22,589
On Slideshare
0
From Embeds
0
Number of Embeds
9
Actions
Shares
0
Downloads
62
Comments
0
Likes
2
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide
  • note => they do smaller trasactions some times less than 50$ so that it go unnoticed
  • Transcript

    • 1. Primer on Password Security
      NagareshwarTalekar
      www.SecurityXploded.com
      tnagareshwar@gmail.com
    • 2. Contents
      • Part I - Operating System, Cryptography & Password Recovery
      • 3. Part II - Password Cracking/Recovery Techniques
      • 4. Part III – Advanced Password Stealing Methods
      • 5. Part IV - Why they are after you and Tips for Protection !
      2
      www.SecurityXploded.com
    • 6. Part I
      Operating System, Cryptography & Password Recovery
      3
      www.SecurityXploded.com
    • 7. Windows Login Password Secrets
      • Windows 98 used to store the user account passwords in .PWL files in Windows directory.
      • 8. Windows NT onwards stores the login password into registry hive files named 'SYSTEM' and 'SAM' at following location
      C:WindowsSystem32Config
      4
      www.SecurityXploded.com
    • 9. Windows Login Password Secrets
      • These password files are highly protected and not accessible while Windows is running even for the administrator.
      • 10. SAM hive file refers to registry location
      HKEY_LOCAL_MACHINESAM
      • SYSTEM hive file refers to registry location
      HKEY_LOCAL_MACHINESYSTEM
      • These registry locations (user accounts related content) are visible only from ‘System Account’
      • 11. Login Passwords are encrypted using one way hash algorithm known as LM/NTLM
      • 12. Code Injection technique is used to dump these password hashes from System Process - LSASS.EXE
      5
      www.SecurityXploded.com
    • 13. Windows Login Password Recovery - I
      • Live Password Recovery
      Dumping the LM/NTLM password hashes of users using pwdump/lc5/cain&abel tools
      Recovering the password using Online/RainbowCrack/BruteForce method.
      • Offline Password Recovery - Resetting the Password
      Boot via Backtrack, mount the system partition and use chntpw tool to reset password.
      • Offline Password Recovery - Retrieving the original password
      Boot from BackTrack or any Live CD
      Copy SYSTEM & SAM files from WindowsSystem32Config folder
      Now on another system, use Cain&Abel/LC5 tool to get LM/NTLM hashes from these files
      Finally get the original password using Online/RainbowCrack/BruteForce method.
      6
      www.SecurityXploded.com
    • 14. Windows Login Password Recovery - II
      • Screenshot - Dumping Local password hashes using Cain & Abel Tool
      7
      www.SecurityXploded.com
    • 15. Windows Login Password Recovery - III
      • Bypass Windows Authentication using Kon-Boot
      • 16. Login to any windows system without entering password using Kon-Boot
      • 17. It dynamically modifies Windows kernel to bypass authentication
      • 18. Remote System Password Recovery
      • 19. Use pwdump tool to remotely dump the password hashes from live system
      • 20. Then recover the password using Online/RainbowCrack/BruteForce Method
      • 21. You need to know admin password of remote system.
      8
      www.SecurityXploded.com
    • 22. Linux Login Password Secrets & Recovery
      • Linux stores user login information in /etc/password & /etc/shadow files
      • 23. /etc/password contains only user login related info and encrypted password is actually stored in /etc/shadow file.
      • 24. Contents of /etc/password
      smithj:x:561:561:Joe Smith:/home/smithj:/bin/bash
      • Contents of /etc/shadow
      smithj:Ep6mckrOLChF.:10063:0:99999:7:::
      • Use "John the Ripper" to crack Linux passwords
      9
      www.SecurityXploded.com
    • 25. Operating System & Cryptography
      • Each OS provides built-in cryptography store & library for Secure storage of Secret/Sensitive Data
      • 26. User Login credentials are used to keep it isolated and protected from other users.
      • 27. Makes it easy & transparent for any application to use it.
      • 28. Apps do not have to worry about security of sensitive data.
      • 29. Windows - DPAPI & Credential Store
      • 30. Linux
      • 31. KDE => Kwallet
      • 32. GNOME => Keyring
      • 33. MAC - KeyChain
      10
      www.SecurityXploded.com
    • 34. Windows Cryptography Internals
      • DPAPI - Data Protection Technology
      • 35. Uses strong Triple-DES algorithm, SHA-1 algorithm and PBKDF2 password-based key derivation routine
      • 36. Uses large secret sizes to greatly reduce the possibility of brute-force attacks to compromise the secrets
      • 37. Only Logged in user can decrypt his/her previously encrypted data
      • 38. It is possible to recover password from the disk if that user's login credential is known.
      • 39. Using DPAPI from Your Application [user specific]
      • 40. CryptProtectData - Encrypt your Password
      • 41. CryptUnprotectData - Decrypt your Password
      11
      www.SecurityXploded.com
    • 42. Windows Cryptography Internals
      • Other useful DPAPI functions
      • 43. CryptEncrypt - [Generic] Encrypt Data
      • 44. CryptDecrypt - [Generic] Decrypt Data
      • 45. CryptProtectMemory - Encrypts memory region
      • 46. CryptUnprotectMemory - Decrypts memory region
      • 47. Applications using DPAPI
      IE, Google Chrome, GTalk, Picassa, Google Desktop Search etc
      12
      www.SecurityXploded.com
    • 48. Using Windows DPAPI
      Just a few lines of code to Encrypt/Decrypt Passwords !
      DATA_BLOB DataIn;
      DATA_BLOB DataOut;
      DATA_BLOB DataFinal;
      DataIn.pbData = "My Secret Password";
      DataIn.cbData = strlen("My Secret Password")+1;;
      //Encrypt the Password
      CryptProtectData(&DataIn, NULL, NULL, NULL, NULL, 0, &DataOut);
      //Decrypt the password
      CryptUnprotectData(&DataOut, NULL, NULL, NULL, NULL, 0, &DataFinal);
      printf("Decrypted password is %s ", DataFinal.pbData);
      Note : Above code is illustration purpose only
      13
      www.SecurityXploded.com
    • 49. Windows DPAPI Secrets
      • Any data encrypted using DPAPI functions has following magic pattern
      01 00 00 00 D0 8C 9D DF 01 15 D1 11 8C 7A 00 C0
      • Sample DPAPI encrypted data file
      14
      www.SecurityXploded.com
    • 50. Windows Cryptography Internals
      • Credential Store - Provides Secure Storage mechanism to store sensitive data
      • 51. Credential Store Types
      • 52. Generic Password
      • 53. Domain Password - Most Secure
      • 54. Domain Visible Password / .NET Passport
      • 55. Certificates
      • 56. 'Domain password' => It cannot be decrypted by even administrator. Only system process, LSASS.EXE has the privilege to play with it.
      • 57. Generic Password/.NET Passport => Use functions CredEnumerate & CredUnprotectData to enumerate and decrypt all the stored passwords
      • 58. Applications => Outlook, Windows Live Messenger, Remote Destktop, GMailNotifier, Network Passwords etc
      15
      www.SecurityXploded.com
    • 59. Windows Cryptography Internals
      • Protected Storage - Older storage mechanism used by Windows
      • 60. Protected Storage API functions exported from pstorec.dll are used store/enumerate the secret data
      • 61. Used by older versions of Internet Explorer, Outlook & MSN Messenger
      16
      www.SecurityXploded.com
    • 62. Part II
      Password Cracking/Recovery Techniques
      17
      www.SecurityXploded.com
    • 63. Password Cracking/Recovery Techniques I
      • Dictionary Method
      • 64. Quickly find any dictionary based passwords
      • 65. Brute-Force Method
      • 66. Use a specific character set or combination such as lowercase, uppercase, numeric, special characters
      • 67. Takes long time based on the length and character set used
      • 68. Hybrid Method
      • 69. Combination of dictionary word and brute force technique
      • 70. Detect smart passwords such as password123, 123password etc
      • 71. Pattern based Brute-Force Method
      • 72. Here user knows the part of the password (say ending with 123)
      • 73. Reduces the number of attempts and significantly reduces total time
      18
      www.SecurityXploded.com
    • 74. Password Recovery Techniques II
      • GPU/Distributed based Brute-Force
      • 75. Password cracking/recovery is performed on high end GPU based or distributed systems
      • 76. Speeds up the recovery process significantly
      • 77. Rainbow Crack
      • 78. Hashes of known algorithm (such as LM/NTLM/MD5/SHA) for all possible character sets are pre-computed and kept in sorted tables
      • 79. Then Password hash is searched in these tables to find the original plain text password.
      • 80. Very efficient and fastest way to crack any complex passwords
      19
      www.SecurityXploded.com
    • 81. Rainbow Cracker Tool
      20
      www.SecurityXploded.com
      Screenshot of RainbowCrack GUI Tool.
    • 82. Creating your Own Password Tools
      • Preparation - Ask Google and get all possible password info for the target App
      • 83. Goal 1 : Find out password storage location : Registry or File ?
      • 84. Goal 2 : Password Decryption Algorithm
      • 85. Reverse Engineering - Static Analysis using IDA Pro Disassembler
      - Search for password strings/file names/registry key names
      - Trace backwards, decompile the function
      - Find the right function handling the password decryption
      • Reverse Engineering - Live Debugging using OllyDbg
      - Break on CredEnumerate/CryptUnprotectData functions
      - Directly debug/trace the password functions
      - Decode the password decryption algorithm
      21
      www.SecurityXploded.com
    • 86. Case Study : First ever Disclosure on Password Secrets of Apple Safari
      • Google Search - Failed : Almost no information on Safari password recovery
      • 87. Goal 1 : Finding Password Storage Location
      • 88. Random checks in %appdata%, %localappdata%, %programfiles% location - Found Nothing
      • 89. Checked Registry : HKEY_CURRENT_USER - Found Nothing
      • 90. Traced Safari with ProcMon & Found it !
      C:UsersAdministratorAppDataRoamingApple ComputerPreferences
      • Little more investigation and found exact password file "keychain.plist“
      • 91. Goal 1.1 : Decoding the Password File
      • 92. Tried manual decoding and smart guesses – FAILED
      • 93. Found that it is using Windows DPAPI technology for encryption
      • 94. Google search to find out what is plist ?
      • 95. Found Tool - plutil.exe to convert plist to neat xml file
      22
      www.SecurityXploded.com
    • 96. Case Study : Making of
      Safari Password Decryptor
      • Goal 2 : Decrypting the Password
      • 97. Debugging with breakpoint on CryptUnprotectdata & CryptDecrypt
      • 98. It hit on CryptUnprotectdata (in CFNetwork.dll) and on return I had decrypted password
      • 99. Here it was using entropy/salt for enhanced security
      • 100. Goal 2.1 : Decoding the Entropy/Salt
      • 101. Disassembled CFNetwork.dll to understand entropy/salt calculating function – Down !
      • 102. Debugged again with breakpoint on salt function - Alice in the Wonderland :)
      • 103. Finally copied the salt/entropy data and tested with dummy program – Worked !
      • 104. Next step was to verify if this salt is constant or different for each system/user
      • 105. Tested on Other system and it was Static !
      • 106. Finally I wrote parser for xml password file and decryption code with salt to bring out - Safari Password Decryptor !
      23
      www.SecurityXploded.com
    • 107. Safari Password Decryptor
      Demonstration of Safari Password Decryptor in Action !
      24
      www.SecurityXploded.com
    • 108. Part III
      Advanced Password Stealing Methods
      25
      www.SecurityXploded.com
    • 109. Password Sniffing on the Wire
      • Automatically capture plain text passwords flowing through wire
      • 110. Capture Password for Services such as FTP, SMTP, HTTP Basic, POP3, IMAP4 etc
      • 111. Network Password Sniffer Tools
      • 112. Dsniff
      • 113. SniffPass
      • 114. Cain & Abel
      • 115. FTPPasswordSniffer
      26
      www.SecurityXploded.com
    • 116. FTP Password Sniffing Demo
      27
      www.SecurityXploded.com
    • 117. Advanced Password Stealing I
      • Man in the Middle Attack - SSL Sniffing
      • 118. Use man in the middle attack to divert the target user's network session through attacker's system
      • 119. Perform SSL MITM attack to get complete control over user session and steal credentials
      • 120. Tools - Webscarab, Ettercap, Cain & Abel
      • 121. Phishing
      • 122. Users are redirected to duplicate/fake bank/mail login webpages and passwords are recorded
      • 123. Using techniques such as DNS poisoning, Fake Websites, DNS Redirection, Scary Emails etc
      • 124. Session Hijacking
      • 125. Steal user mail or bank transaction session by stealing cookie or other session based parameters thorugh Sniffing.
      • 126. Simultaneously access user session - view/perform privileges operations
      28
      www.SecurityXploded.com
    • 127. Advanced Password Stealing II
      • Custom Hooks/Patches for Silent Password Stealing
      • 128. Important applications such as browsers, messengers are patched
      • 129. Using custom Dll/API hooks/runtime memory modification techniques
      • 130. Write stolen passwords to file
      • 131. Hardware Keyloggers
      • 132. Switches for Keyboard Cables which can collect all keyboard data
      • 133. Requires physical access, easy and highly stealthy, not detected by Anti-Keyloggers
      29
      www.SecurityXploded.com
    • 134. Penetration Testing & Password Recovery
      • Once system is compromised - fire up a cmd prompt & use console based Password Tools
      • 135. Crack/Recover following Passwords
      • 136. Operating System - User Login passwords
      • 137. Password stored by Popular Browsers (Firefox, Chrome, IE etc)
      • 138. Password stored by Popular Messnegers (Gtalk, AIM, Windows Messenger, Trillian etc)
      • 139. Password stored by Email Clients (Outlook, Thunderbird etc)
      • 140. Stored Network Passwords
      • 141. Application Specific Passwords (Facebook & Twitter Desktop Clients)
      • 142. Sniff Passwords on the Network
      • 143. Tools – Pwdump, Browser/Mail/IM/Network PasswordDecryptor, SniffPass etc
      30
      www.SecurityXploded.com
    • 144. Demonstration
      Stealing Browser Passwords using Metasploit – Penetration Testing Framework
      31
      www.SecurityXploded.com
    • 145. Browser Password Decryptor Demo
      32
      www.SecurityXploded.com
      Recovering passwords stored by all popular web browsers.
    • 146. Part IV
      Why They are After You and Tips for Protection !
      33
      www.SecurityXploded.com
    • 147. Why Hackers/Spywares/Trojans Steal your Passwords ?
      • Now it is all about MONEY - no more Status quo
      • 148. Quickest, Easiest & Dirtiest way to make money
      • 149. Use Automated Tools to build the worm integrated with latest zero day exploit
      • 150. One Sophisticated Worm/Trojan can bring in Money worth 6+ digits
      34
      www.SecurityXploded.com
    • 151. How They Make Money ?
      • Data is Highly precious - Are you a CEO, Higher Gov Officer, Nuke Researcher ?
      • 152. Sell the Secret data to your Enemies - Competitor Companies, Opponent Countries.
      • 153. Steal your credit card details and use it to buy Benz !
      • 154. Get access to your bank/email/corporate account and demand money to give it back to you
      • 155. Encrypt your hard disk and ask money to decrypt it !
      • 156. Lock your Desktop and ask money to unlock it !
      • 157. Many more innovative ways...!
      35
      www.SecurityXploded.com
    • 158. How Spywares/Trojans Steal your passwords
      • Spread trojan/spyware through following means
      • 159. game softwares
      • 160. serial crackers
      • 161. other freewares
      • 162. network shares
      • 163. malicious websites
      • 164. malicious documents (PDF/Flash/Office)
      • 165. Once compromised, trojan uses one of following ways to steal your passwords
      • 166. KeyLoggers [Kernel/User level]
      • 167. Password Crackers
      • 168. Network Password Sniffers
      • 169. Custom Hooks/Patches for Hot Applications to silently steal passwords
      36
      www.SecurityXploded.com
    • 170. Password Protection – Tips I
      • Use unique password for all important accounts
      • 171. Never store password for important accounts in browsers/messengers or other applications
      • 172. Choose Strong Password – but not complex one 
      • 173. use uppercase (even one will do) + lowercase + number/special character
      • 174. choose uncommon special character
      • 175. length should be above 8
      • 176. Use master password (even simple one will do) to protect all the stored passwords
      (example, Firefox )
      • Setup alternate email account for password reset operations
      • 177. You are not Lucky to get 100 million $$$ - don’t reply to Lottery emails and give away your account details
      37
      www.SecurityXploded.com
    • 178. Password Protection – Tips II
      • On compromise or spyware infection, change passwords of all main accounts (banks/mail/corporate/social network)
      • 179. Do not do Bank or any Imp transactions and view mail accounts through
      • 180. Wireless Network
      • 181. Cyber Cafe
      • 182. Shared System
      • 183. In emergency case use SSL and make sure SSL certificate is valid/no warnings
      • 184. Use one time password for online transactions wherever available !
      • 185. Phishing Protection
      • 186. Verify SSL GREEN status in the browser,
      • 187. Check the URL if it is proper one
      • 188. Do not click through email content - type it manually
      38
      www.SecurityXploded.com
    • 189. Password Recovery Workshop
      Post Lunch Session
      • Windows Password Cracking
      • 190. Cain & Abel to dump Password hashes from Live system
      • 191. BackTrack - Resetting the Windows Password
      • 192. BackTrack and Cain/Abel - Offline Windows Password Recovery
      • 193. Rainbow Password Cracking
      • 194. Generating Rainbow Crack Tables
      • 195. Using it to crack password hashes
      • 196. Password Sniffing on Wire
      • 197. Network Sniffing using WireShark
      • 198. Using Password Sniffing Tools such as SniffPass/FtpPasswordSniffer
      • 199. Browser & Messenger Password Recovery
      • 200. Recovering passwords from Mozilla/Firefox/Chrome/Safari browsers
      • 201. Recovering passwords from Messengers (GTalk, Windows Messenger, Trillian, Gaim etc)
      39
      www.SecurityXploded.com
    • 202. References
      • Windows Login Password Recovery
      • 203. Linux Password & Shadow File Formats
      • 204. Windows Data Protection Technology – DPAPI
      • 205. Exposing the Secret of Decrypting Network Passwords
      • 206. Password Secrets of Popular Windows Applications
      • 207. Browser Password Decryptor - All Browser Password Recovery Tool
      • 208. The Rainbow Crack Project
      • 209. Cain & Abel - The Windows multi purpose Password Tool
      • 210. BackTrack - Most popular Linux Security Distribution
      • 211. Pwdump6 - Windows Password Dumping Tool
      40
      www.SecurityXploded.com
    • 212. Questions ?
      41
      www.SecurityXploded.com
    • 213. Thank You !
      www.SecurityXploded.com
      [tnagareshwar@gmail.com]
      42
      www.SecurityXploded.com

    ×