Primer on password security

This is a presentation on password security delivered at a security conference at IIT Guwahati, India.

It discusses and throws light on the following areas:

Part I - Operating System, Cryptography & Password Recovery

Part II - Password Cracking/Recovery Techniques

Part III – Advanced Password Stealing Methods

Part IV - Why they are after you and Tips for Protection !

  • Speaker note: they make smaller transactions, sometimes less than $50, so that they go unnoticed.

Transcript

  • 1. Primer on Password Security
    Nagareshwar Talekar
    www.SecurityXploded.com
    tnagareshwar@gmail.com
  • 2. Contents
    • Part I - Operating System, Cryptography & Password Recovery
    • Part II - Password Cracking/Recovery Techniques
    • Part III - Advanced Password Stealing Methods
    • Part IV - Why they are after you and Tips for Protection !
    2
    www.SecurityXploded.com
  • 3. Part I - Operating System, Cryptography & Password Recovery
  • 4. Windows Login Password Secrets
    • Windows 98 stored user account passwords in .PWL files in the Windows directory (a weak format that was broken early on).
    • Windows NT onwards stores the login password hashes in the registry hive files named 'SYSTEM' and 'SAM' at the following location:
    C:\Windows\System32\Config
  • 5. Windows Login Password Secrets
    • These hive files are locked by the kernel while Windows is running and cannot be opened directly, even by the administrator (an administrator can still export them with 'reg save' or copy them out of a volume shadow copy).
    • The SAM hive file corresponds to the registry location
    HKEY_LOCAL_MACHINE\SAM
    • The SYSTEM hive file corresponds to the registry location
    HKEY_LOCAL_MACHINE\SYSTEM
    • The account-related keys under these locations are visible only to the 'System Account' (LocalSystem); the SYSTEM hive holds the boot key needed to decrypt the hashes in SAM.
    • Login passwords are not encrypted but hashed with one-way functions known as LM and NTLM. The LM hash splits the upper-cased password into two 7-character halves and is trivial to crack; the NT hash is MD4 of the UTF-16LE password. Neither is salted.
    • A code injection technique is used to dump these password hashes from the system process LSASS.EXE.
  • 6. Windows Login Password Recovery - I
    • Live Password Recovery
    Dump the LM/NTLM password hashes of users using pwdump, LC5 or Cain & Abel.
    Recover the password using an online lookup service, RainbowCrack or brute force.
    • Offline Password Recovery - Resetting the Password
    Boot BackTrack, mount the system partition and use the chntpw tool to reset (blank) the password. Note that resetting the password destroys the user's DPAPI-protected secrets and EFS keys, since those are derived from the old password.
    • Offline Password Recovery - Retrieving the original password
    Boot from BackTrack or any live CD.
    Copy the SYSTEM and SAM files from the Windows\System32\Config folder.
    On another system, use Cain & Abel or LC5 to extract the LM/NTLM hashes from these files.
    Finally, recover the original password using an online lookup, RainbowCrack or brute force.
  • 7. Windows Login Password Recovery - II
    • Screenshot - Dumping local password hashes using the Cain & Abel tool
  • 8. Windows Login Password Recovery - III
    • Bypass Windows Authentication using Kon-Boot
    • Log in to any Windows system without entering the password using Kon-Boot
    • It patches the Windows kernel in memory at boot time to bypass authentication; nothing on disk is changed and the stored hashes stay intact
    • Remote System Password Recovery
    • Use pwdump to remotely dump the password hashes from a live system
    • Then recover the password using an online lookup, RainbowCrack or brute force
    • You need to know the admin password of the remote system (pwdump installs a service on the target over SMB, which requires administrative access)
  • 9. Linux Login Password Secrets & Recovery
    • Linux stores user login information in the /etc/passwd and /etc/shadow files
    • /etc/passwd (world-readable) contains only account information; the password hash is stored in /etc/shadow, which is readable only by root
    • Contents of /etc/passwd
    smithj:x:561:561:Joe Smith:/home/smithj:/bin/bash
    (the 'x' in the second field means the hash lives in /etc/shadow)
    • Contents of /etc/shadow
    smithj:Ep6mckrOLChF.:10063:0:99999:7:::
    (fields: user, hash, last change in days since 1970-01-01, minimum age, maximum age, warning days, inactivity period, expiry date, reserved; this 13-character hash is traditional DES crypt, which modern systems replace with salted, iterated $6$ SHA-512 crypt or $y$ yescrypt)
    • Use "John the Ripper" to crack Linux passwords (its unshadow tool merges the two files into the format John expects)
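Added example, not part of the slides: a parser for the two file formats above that names the hash scheme from the password field (what you need to know before pointing John the Ripper at it), converts the 'last change' day count to a date, and merges both files the way John's unshadow does. The sample files are constructed (the root hash is a placeholder, not a real sha512crypt digest); the smithj lines are the ones shown on the slide.

```python
import string
from datetime import date, timedelta

# Constructed sample files, not copied from a real host. The smithj lines are the
# slide's example; the root hash is a format placeholder, not a genuine digest.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
smithj:x:561:561:Joe Smith:/home/smithj:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
legacy:x:1002:1002:Legacy App:/home/legacy:/bin/sh
"""
SHADOW_SAMPLE = """\
root:$6$Qx2Lw7Kp$PLACEHOLDERHASH:19000:0:99999:7:::
smithj:Ep6mckrOLChF.:10063:0:99999:7:::
backup:*:18000:0:99999:7:::
legacy::18500:0:99999:7:::
"""

DES_ALPHABET = set("./" + string.ascii_letters + string.digits)
PREFIXES = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
            "$5$": "sha256crypt", "$6$": "sha512crypt", "$7$": "scrypt", "$y$": "yescrypt"}


def classify_hash(field: str) -> str:
    """Name the scheme in a shadow password field; the dangerous cases come first."""
    if field == "":
        return "EMPTY (login without a password)"
    if field[0] in "!*":
        # '!' / '*' / '!!' lock the account; '!' followed by a hash keeps the old hash around
        return "locked/disabled" if len(field) <= 2 else "locked (hash retained after '!')"
    for prefix, name in PREFIXES.items():
        if field.startswith(prefix):
            return name
    if len(field) == 13 and set(field) <= DES_ALPHABET:
        return "traditional DES crypt (8-char limit, 12-bit salt, weak)"
    return "unknown"


def parse_passwd(text: str) -> dict:
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":")
        users[name] = {"uid": int(uid), "gid": int(gid), "gecos": gecos, "home": home, "shell": shell}
    return users


def parse_shadow(text: str) -> dict:
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")                     # 9 fields, trailing ones may be empty
        name, hash_field, last_change = f[0], f[1], f[2]
        entries[name] = {
            "hash": hash_field,
            "scheme": classify_hash(hash_field),
            "last_change": str(date(1970, 1, 1) + timedelta(days=int(last_change))) if last_change else None,
            "max_days": int(f[4]) if f[4] else None,
        }
    return entries


def unshadow(passwd: dict, shadow: dict) -> list:
    """Merge into the format unshadow(8) produces: the hash replaces the 'x' in passwd."""
    lines = []
    for name, u in passwd.items():
        h = shadow.get(name, {}).get("hash", "x")
        lines.append(f"{name}:{h}:{u['uid']}:{u['gid']}:{u['gecos']}:{u['home']}:{u['shell']}")
    return lines


if __name__ == "__main__":
    sh = parse_shadow(SHADOW_SAMPLE)
    for name, e in sh.items():
        print(f"{name:8} {e['scheme']:45} last change {e['last_change']}")
    print("\n".join(unshadow(parse_passwd(PASSWD_SAMPLE), sh)))
```

Feeding the merged lines to John (john --format=descrypt for the smithj entry) is the step the slide summarises as "use John the Ripper"; the empty field on the legacy account and the locked ones are what an auditor should flag before cracking anything.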
  • 10. Operating System & Cryptography
    • Each OS provides a built-in cryptographic store and library for secure storage of secret/sensitive data
    • The user's login credentials are used to keep the data isolated and protected from other users
    • This makes it easy and transparent for any application to use
    • Apps do not have to worry about protecting sensitive data themselves
    • The protection is only as strong as the login credential: anything that runs as the user, or that knows the user's password, can decrypt everything the store holds
    • Windows - DPAPI & Credential Store
    • Linux
    • KDE => KWallet
    • GNOME => Keyring
    • Mac - Keychain
  • 11. Windows Cryptography Internals
    • DPAPI - Data Protection API
    • As originally documented it used Triple-DES, SHA-1 and the PBKDF2 password-based key derivation routine (Windows Vista and later use AES-256 and SHA-512 for new blobs)
    • Uses large key sizes to make brute-forcing the secrets themselves impractical; the weak link is the user's logon password, from which the master key is derived
    • Only the logged-in user can decrypt his/her previously encrypted data
    • It is possible to recover the data offline from disk (the blob plus the user's master key file) if that user's login credential is known
    • Using DPAPI from Your Application [user specific]
    • CryptProtectData - Encrypt your Password
    • CryptUnprotectData - Decrypt your Password
  • 12. Windows Cryptography Internals
    • Other useful functions
    • CryptEncrypt - [Generic] Encrypt Data (CryptoAPI; the key is yours to create and protect, DPAPI is not involved)
    • CryptDecrypt - [Generic] Decrypt Data
    • CryptProtectMemory - Encrypts a memory region (DPAPI; the key exists only for the running session/process)
    • CryptUnprotectMemory - Decrypts a memory region
    • Applications using DPAPI
    IE, Google Chrome, GTalk, Picasa, Google Desktop Search etc.
  • 13. Using Windows DPAPI
    Just a few lines of code to encrypt/decrypt passwords!
    #include <windows.h>
    #include <wincrypt.h>
    #include <stdio.h>
    #include <string.h>
    #pragma comment(lib, "crypt32.lib")   /* CryptProtectData lives in crypt32 */
    int main(void) {
        DATA_BLOB DataIn, DataOut, DataFinal;
        char secret[] = "My Secret Password";
        DataIn.pbData = (BYTE *)secret;              /* pbData is a BYTE*, so cast the string */
        DataIn.cbData = (DWORD)strlen(secret) + 1;   /* include the terminating NUL */
        /* Encrypt the password: the blob is bound to the calling user's logon secret */
        if (!CryptProtectData(&DataIn, NULL, NULL, NULL, NULL, 0, &DataOut)) return 1;
        /* Decrypt the password: succeeds only in the same user's context */
        if (!CryptUnprotectData(&DataOut, NULL, NULL, NULL, NULL, 0, &DataFinal)) return 1;
        printf("Decrypted password is %s\n", DataFinal.pbData);
        LocalFree(DataOut.pbData);     /* output blobs are allocated with LocalAlloc by the API */
        LocalFree(DataFinal.pbData);
        return 0;
    }
    Note: the above code is for illustration purposes only.
  • 14. Windows DPAPI Secrets
    • Any data encrypted using the DPAPI functions starts with the following magic pattern
    01 00 00 00 D0 8C 9D DF 01 15 D1 11 8C 7A 00 C0
    (a version field of 1 followed by the DPAPI provider GUID {df9d8cd0-1501-11d1-8c7a-00c04fc297eb} in little-endian byte order, so the pattern continues with 4F C2 97 EB; searching a file or registry value for these bytes is a quick way to spot DPAPI-protected secrets)
    • Sample DPAPI encrypted data file (screenshot)
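Added example, not from the presentation: a parser for the DPAPI blob header that starts with the magic pattern above, following the layout documented by the dpapick and mimikatz projects. The field of most use to an analyst is the master key GUID, which names the master key file under %APPDATA%\Microsoft\Protect\<SID>\ needed for offline decryption. The sample blob is built inline with correct framing but dummy ciphertext; the build_sample_blob helper and its GUID are constructed for the example.

```python
import struct
import uuid

# Provider GUID {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}: its little-endian bytes,
# preceded by dwVersion = 1, are the "magic pattern" shown on the slide.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
DPAPI_MAGIC = struct.pack("<I", 1) + DPAPI_PROVIDER_GUID.bytes_le

ALG_NAMES = {0x6603: "CALG_3DES", 0x6610: "CALG_AES_256", 0x8004: "CALG_SHA1", 0x800E: "CALG_SHA_512"}
CRYPTPROTECT_LOCAL_MACHINE = 0x4   # blob tied to the machine's master key, not the user's


def _take(buf, pos, n):
    if pos + n > len(buf):
        raise ValueError("truncated DPAPI blob")
    return buf[pos:pos + n], pos + n


def _u32(buf, pos):
    chunk, pos = _take(buf, pos, 4)
    return struct.unpack("<I", chunk)[0], pos


def _counted(buf, pos):
    """DWORD length followed by that many bytes."""
    n, pos = _u32(buf, pos)
    return _take(buf, pos, n)


def parse_dpapi_blob(buf: bytes, pos: int = 0) -> dict:
    """Parse a DPAPI blob header (layout as documented by dpapick / mimikatz)."""
    version, pos = _u32(buf, pos)
    provider, pos = _take(buf, pos, 16)
    if version != 1 or provider != DPAPI_PROVIDER_GUID.bytes_le:
        raise ValueError("not a DPAPI blob")
    mk_version, pos = _u32(buf, pos)
    mk_guid, pos = _take(buf, pos, 16)
    flags, pos = _u32(buf, pos)
    desc, pos = _counted(buf, pos)               # UTF-16LE, NUL terminated
    alg_crypt, pos = _u32(buf, pos)
    alg_crypt_bits, pos = _u32(buf, pos)
    salt, pos = _counted(buf, pos)
    _hmac_key, pos = _counted(buf, pos)
    alg_hash, pos = _u32(buf, pos)
    _alg_hash_bits, pos = _u32(buf, pos)
    _hmac2_key, pos = _counted(buf, pos)
    data, pos = _counted(buf, pos)
    sign, pos = _counted(buf, pos)
    return {
        "masterkey_guid": str(uuid.UUID(bytes_le=mk_guid)),  # file name under %APPDATA%\Microsoft\Protect\<SID>\
        "masterkey_version": mk_version,
        "machine_scope": bool(flags & CRYPTPROTECT_LOCAL_MACHINE),
        "description": desc.decode("utf-16le").rstrip("\x00"),
        "cipher": ALG_NAMES.get(alg_crypt, hex(alg_crypt)),
        "cipher_bits": alg_crypt_bits,
        "hash": ALG_NAMES.get(alg_hash, hex(alg_hash)),
        "salt_len": len(salt),
        "data_len": len(data),
        "sign_len": len(sign),
        "end": pos,
    }


def find_dpapi_blobs(buf: bytes):
    """Yield (offset, header) for every well-formed blob whose magic appears in buf."""
    start = 0
    while True:
        off = buf.find(DPAPI_MAGIC, start)
        if off < 0:
            return
        try:
            yield off, parse_dpapi_blob(buf, off)
        except ValueError:
            pass
        start = off + 1


def build_sample_blob(masterkey_guid: str, description: str, flags: int = 0) -> bytes:
    """Constructed test blob: correct framing, dummy salt/ciphertext/signature, no real key material."""
    desc = (description + "\x00").encode("utf-16le")
    def counted(b): return struct.pack("<I", len(b)) + b
    return (DPAPI_MAGIC + struct.pack("<I", 1) + uuid.UUID(masterkey_guid).bytes_le
            + struct.pack("<I", flags) + counted(desc)
            + struct.pack("<II", 0x6610, 256) + counted(b"\x11" * 32) + counted(b"")
            + struct.pack("<II", 0x800E, 512) + counted(b"")
            + counted(b"\x22" * 48) + counted(b"\x33" * 64))


if __name__ == "__main__":
    sample = b"<plist junk>" + build_sample_blob("a1b2c3d4-0000-4000-8000-000000000001", "demo") + b"</plist>"
    for off, hdr in find_dpapi_blobs(sample):
        print(f"blob at offset {off}: {hdr}")
```

Running this over a file such as the Safari keychain.plist discussed later in the deck tells you which master key file (and therefore which user's logon password) is needed before any decryption is attempted; a machine_scope flag means the user's password is irrelevant and a SYSTEM-level secret is required instead.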
  • 15. Windows Cryptography Internals
    • Credential Store (Credential Manager) - Provides a secure storage mechanism for sensitive data
    • Credential Store Types
    • Generic Password
    • Domain Password - Most Secure
    • Domain Visible Password / .NET Passport
    • Certificates
    • 'Domain Password' => cannot be read back even by an administrator. Only the system process LSASS.EXE has the privilege to use it; the OS presents it during authentication on the user's behalf.
    • Generic Password / .NET Passport => use CredEnumerate to enumerate the stored credentials; the password blob is returned in the clear to the owning user (CredUnprotect is needed only where the application wrapped it with CredProtect first)
    • Applications => Outlook, Windows Live Messenger, Remote Desktop, GMail Notifier, Network Passwords etc.
  • 16. Windows Cryptography Internals
    • Protected Storage - Older storage mechanism used by Windows
    • The Protected Storage API functions exported from pstorec.dll are used to store/enumerate the secret data
    • Used by older versions of Internet Explorer, Outlook and MSN Messenger (superseded by DPAPI and the Credential Store from IE7/Vista onwards)
  • 17. Part II - Password Cracking/Recovery Techniques
  • 18. Password Cracking/Recovery Techniques I
    • Dictionary Method
    • Quickly finds any dictionary-based password (one hash computation per word)
    • Brute-Force Method
    • Uses a specific character set or combination such as lowercase, uppercase, numeric and special characters
    • Takes a long time: the search space grows as (character set size) ^ (password length)
    • Hybrid Method
    • Combination of a dictionary word and the brute-force technique
    • Detects "smart" passwords such as password123, 123password etc.
    • Pattern-based Brute-Force Method (mask attack)
    • Here the user knows part of the password (say that it ends with 123)
    • Reduces the number of attempts and significantly reduces the total time
  • 19. Password Recovery Techniques II
    • GPU/Distributed Brute-Force
    • Password cracking/recovery is performed on high-end GPU-based or distributed systems
    • Speeds up the recovery process significantly (fast unsalted hashes such as LM/NTLM/MD5 benefit the most)
    • Rainbow Crack
    • Hashes of a known algorithm (such as LM/NTLM/MD5/SHA) for a chosen character set and length are pre-computed and stored as chains in sorted tables, trading disk space for cracking time
    • The password hash is then searched in these tables to find the original plain-text password
    • Very efficient and fast against unsalted hashes of bounded length; a per-password salt (as in /etc/shadow or bcrypt) makes the precomputation useless, which is why rainbow tables work against LM/NTLM but not against properly salted storage
  • 20. Rainbow Cracker Tool
    Screenshot of the RainbowCrack GUI tool.
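Added example, not from the presentation: a working miniature rainbow table over four lowercase letters with MD5, covering both the precomputation and the lookup described on the two slides above. Chain length, start points and the reduction function are choices made for this example; the structure (column-dependent reduction, endpoint-only storage, chain regeneration on a hit) is the real algorithm.

```python
import hashlib
import string

ALPHABET = string.ascii_lowercase
PW_LEN = 4
KEYSPACE = len(ALPHABET) ** PW_LEN          # 456,976 candidate passwords


def index_to_pw(idx: int) -> str:
    chars = []
    for _ in range(PW_LEN):
        idx, r = divmod(idx, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def H(pw: str) -> bytes:
    """The unsalted hash being attacked (MD5 here; NT/LM/SHA-1 tables work the same way)."""
    return hashlib.md5(pw.encode()).digest()


def R(h: bytes, col: int) -> str:
    """Reduction function: hash -> some password in the keyspace. Mixing in the column
    index is what makes this a *rainbow* table: chains that collide in one column
    do not stay merged in the next."""
    return index_to_pw((int.from_bytes(h[:8], "little") + col) % KEYSPACE)


def walk_chain(start: str, cols: int) -> list:
    """p0 = start, p(i+1) = R(H(p_i), i); returns [p0 ... p_cols], last element is the endpoint."""
    pws = [start]
    for col in range(cols):
        pws.append(R(H(pws[-1]), col))
    return pws


def build_table(starts, chain_len: int) -> dict:
    """Precomputation: only endpoint -> start points is kept; the chain_len hashes per chain are discarded."""
    table = {}
    for s in starts:
        table.setdefault(walk_chain(s, chain_len)[-1], []).append(s)
    return table


def lookup(table: dict, target: bytes, chain_len: int):
    """Online phase: assume the password sat in column col, walk to the chain's end,
    and on an endpoint hit regenerate that chain from its start to read the plaintext."""
    for col in range(chain_len - 1, -1, -1):
        x = R(target, col)
        for j in range(col + 1, chain_len):
            x = R(H(x), j)
        for start in table.get(x, ()):           # endpoint hit; may still be a false alarm
            cand = walk_chain(start, col)[col]
            if H(cand) == target:
                return cand
    return None


def coverage(table: dict, chain_len: int) -> float:
    """Fraction of the keyspace the table can crack; merges make it less than starts * chain_len."""
    seen = set()
    for starts in table.values():
        for s in starts:
            seen.update(walk_chain(s, chain_len)[:-1])
    return len(seen) / KEYSPACE


def default_starts(n: int = 1024):
    return [index_to_pw(k * (KEYSPACE // n)) for k in range(n)]


if __name__ == "__main__":
    T = 64
    table = build_table(default_starts(), T)
    print(f"{len(table)} endpoints stored, coverage {coverage(table, T):.1%} of {KEYSPACE} passwords")
    secret = walk_chain("qwer", T)[5]           # a password known to lie on a chain
    print("lookup:", lookup(table, H(secret), T), "expected:", secret)
    # Salting defeats the table: md5("salt" + pw) is not md5 of any 4-letter string
    print("salted lookup:", lookup(table, H("salt" + "qwer"), T))
```

The coverage figure is the practitioner's caveat: a table of 1024 chains of length 64 can crack at most 65,536 of the 456,976 passwords, and in practice fewer because chains merge; real tables are far larger and reach high success rates, but never 100 %, and a single byte of salt per password would force a separate table per salt value.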
  • 21. Creating your Own Password Tools
    • Preparation - Ask Google and gather all available password info for the target app
    • Goal 1 : Find out the password storage location : Registry or File ?
    • Goal 2 : Password Decryption Algorithm
    • Reverse Engineering - Static Analysis using the IDA Pro disassembler
    - Search for password strings/file names/registry key names
    - Trace backwards, decompile the function
    - Find the right function handling the password decryption
    • Reverse Engineering - Live Debugging using OllyDbg
    - Break on CredEnumerate/CryptUnprotectData
    - Directly debug/trace the password functions
    - Decode the password decryption algorithm
  • 22. Case Study : First-ever Disclosure on Password Secrets of Apple Safari
    • Google Search - Failed : almost no information on Safari password recovery
    • Goal 1 : Finding the Password Storage Location
    • Random checks in the %appdata%, %localappdata% and %programfiles% locations - Found Nothing
    • Checked the Registry : HKEY_CURRENT_USER - Found Nothing
    • Traced Safari with ProcMon and found it!
    C:\Users\Administrator\AppData\Roaming\Apple Computer\Preferences
    • A little more investigation found the exact password file "keychain.plist"
    • Goal 1.1 : Decoding the Password File
    • Tried manual decoding and smart guesses - FAILED
    • Found that it is using Windows DPAPI for encryption (the DPAPI blob magic pattern gives it away)
    • Google search to find out what a plist is
    • Found the tool plutil.exe to convert the binary plist into a neat XML file
  • 23. Case Study : Making of Safari Password Decryptor
    • Goal 2 : Decrypting the Password
    • Debugging with breakpoints on CryptUnprotectData and CryptDecrypt
    • It hit on CryptUnprotectData (in CFNetwork.dll) and on return I had the decrypted password
    • Here it was using DPAPI's optional entropy (a "salt") for enhanced security
    • Goal 2.1 : Decoding the Entropy/Salt
    • Disassembled CFNetwork.dll to understand the entropy/salt-calculating function - down the rabbit hole!
    • Debugged again with a breakpoint on the salt function - Alice in Wonderland :)
    • Finally copied the salt/entropy data and tested it with a dummy program - worked!
    • Next step was to verify whether this salt is constant or different for each system/user
    • Tested on another system and it was static! (A constant entropy value adds nothing beyond DPAPI's own user binding, which is why a generic decryptor is possible once the constant is known.)
    • Finally I wrote a parser for the XML password file and decryption code with the salt to bring out - Safari Password Decryptor!
  • 24. Safari Password Decryptor
    Demonstration of Safari Password Decryptor in action!
  • 25. Part III - Advanced Password Stealing Methods
  • 26. Password Sniffing on the Wire
    • Automatically capture plain-text passwords flowing over the wire
    • Capture passwords for services such as FTP, SMTP, HTTP Basic, POP3, IMAP4 etc., all of which send credentials in the clear unless wrapped in TLS (FTPS/SFTP, SMTP STARTTLS, HTTPS, POP3S, IMAPS)
    • Network Password Sniffer Tools
    • Dsniff
    • SniffPass
    • Cain & Abel
    • FTPPasswordSniffer
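Added example, not from the presentation: the kind of extraction the sniffers listed above perform, run over a constructed set of reassembled client-to-server payloads (FTP, POP3, HTTP Basic, IMAP LOGIN, SMTP AUTH PLAIN, and one TLS stream that yields nothing). Hosts, accounts and passwords are made up; the server port selects the protocol parser, as the tools on the slide do.

```python
import base64
import re

# Constructed client->server payloads, as a sniffer would reassemble them per TCP stream.
# Hosts, accounts and passwords are invented for the example.
CAPTURE = [
    ("10.0.0.5:51000", "10.0.0.20:21", b"USER ftpadmin\r\nPASS s3cret!\r\n"),
    ("10.0.0.5:51001", "10.0.0.21:110", b"USER joe\r\nPASS pop3pass\r\n"),
    ("10.0.0.5:51002", "10.0.0.22:80",
     b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
     + base64.b64encode(b"admin:hunter2") + b"\r\n\r\n"),
    ("10.0.0.5:51003", "10.0.0.23:143", b'a001 LOGIN imapuser "imap pass"\r\n'),
    ("10.0.0.5:51004", "10.0.0.24:25",
     b"AUTH PLAIN " + base64.b64encode(b"\x00alice\x00smtppass") + b"\r\n"),
    ("10.0.0.5:51005", "10.0.0.25:443", b"\x16\x03\x01\x00\x05hello"),   # TLS record: opaque
]


def _user_pass(text, proto, server):
    """FTP and POP3 both log in with USER <name> then PASS <password> in the clear."""
    u = re.search(r"^USER (\S+)", text, re.M)
    p = re.search(r"^PASS (.*?)\r?$", text, re.M)
    if u and p:
        return {"proto": proto, "server": server, "user": u.group(1), "password": p.group(1)}
    return None


def extract_credentials(capture):
    """Pull clear-text logons out of FTP, POP3, IMAP, SMTP AUTH PLAIN and HTTP Basic streams."""
    found = []
    for _src, dst, payload in capture:
        port = int(dst.rsplit(":", 1)[1])
        text = payload.decode("latin-1")          # lossless byte-to-char mapping for regex work
        hit = None
        if port == 21:
            hit = _user_pass(text, "ftp", dst)
        elif port == 110:
            hit = _user_pass(text, "pop3", dst)
        elif port == 80:
            m = re.search(r"^Authorization: Basic (\S+)", text, re.M)
            if m:                                  # Basic = base64("user:password"), not encryption
                user, _, pw = base64.b64decode(m.group(1)).decode("latin-1").partition(":")
                hit = {"proto": "http-basic", "server": dst, "user": user, "password": pw}
        elif port == 143:
            m = re.search(r'^\S+ LOGIN (\S+) (?:"([^"]*)"|(\S+))', text, re.M)
            if m:
                hit = {"proto": "imap", "server": dst, "user": m.group(1),
                       "password": m.group(2) if m.group(2) is not None else m.group(3)}
        elif port == 25:
            m = re.search(r"^AUTH PLAIN (\S+)", text, re.M)
            if m:
                parts = base64.b64decode(m.group(1)).split(b"\x00")   # [authzid] NUL authcid NUL passwd
                if len(parts) == 3:
                    hit = {"proto": "smtp-plain", "server": dst,
                           "user": parts[1].decode("latin-1"), "password": parts[2].decode("latin-1")}
        if hit:
            found.append(hit)
    return found


if __name__ == "__main__":
    for c in extract_credentials(CAPTURE):
        print(f"{c['proto']:11} {c['server']:16} {c['user']}:{c['password']}")
```

Nothing comes out of the port 443 stream: the same logon inside TLS is invisible to this class of tool, which is the whole argument for the TLS variants of these protocols.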
  • 27. FTP Password Sniffing Demo
  • 28. Advanced Password Stealing I
    • Man-in-the-Middle Attack - SSL Sniffing
    • Use a man-in-the-middle attack (e.g. ARP spoofing on the local network) to divert the target user's network session through the attacker's system
    • Perform an SSL MITM attack to get complete control over the user session and steal credentials; this only works if the victim clicks through the certificate warning, since the attacker's certificate is not trusted by the browser
    • Tools - WebScarab, Ettercap, Cain & Abel
    • Phishing
    • Users are redirected to duplicate/fake bank/mail login web pages and their passwords are recorded
    • Using techniques such as DNS poisoning, fake websites, DNS redirection, scary emails etc.
    • Session Hijacking
    • Steal a user's mail or bank transaction session by stealing the cookie or other session parameters through sniffing
    • Simultaneously access the user's session - view/perform privileged operations
  • 29. Advanced Password Stealing II
    • Custom Hooks/Patches for Silent Password Stealing
    • Important applications such as browsers and messengers are patched
    • Using custom DLL/API hooks or runtime memory modification techniques
    • Stolen passwords are written to a file
    • Hardware Keyloggers
    • Inline devices for keyboard cables which record all keyboard data
    • Require physical access; easy and highly stealthy; not detected by anti-keylogger software, since nothing runs on the host
  • 30. Penetration Testing & Password Recovery
    • Once a system is compromised - fire up a command prompt and use console-based password tools
    • Crack/Recover the following passwords
    • Operating System - user login passwords
    • Passwords stored by popular browsers (Firefox, Chrome, IE etc.)
    • Passwords stored by popular messengers (GTalk, AIM, Windows Messenger, Trillian etc.)
    • Passwords stored by email clients (Outlook, Thunderbird etc.)
    • Stored network passwords
    • Application-specific passwords (Facebook & Twitter desktop clients)
    • Sniff passwords on the network
    • Tools - pwdump, Browser/Mail/IM/Network PasswordDecryptor, SniffPass etc.
  • 31. Demonstration
    Stealing browser passwords using Metasploit - Penetration Testing Framework
  • 32. Browser Password Decryptor Demo
    Recovering passwords stored by all popular web browsers.
  • 33. Part IV - Why They are After You and Tips for Protection !
  • 34. Why do Hackers/Spyware/Trojans Steal your Passwords ?
    • Now it is all about MONEY - no longer about status
    • Quickest, easiest and dirtiest way to make money
    • Use automated tools to build a worm integrated with the latest zero-day exploit
    • One sophisticated worm/trojan can bring in money worth 6+ digits
  • 35. How Do They Make Money ?
    • Data is highly precious - are you a CEO, a senior government officer, a nuclear researcher ?
    • Sell the secret data to your enemies - competitor companies, opposing countries
    • Steal your credit card details and use them to buy a Benz !
    • Get access to your bank/email/corporate account and demand money to give it back to you
    • Encrypt your hard disk and ask for money to decrypt it !
    • Lock your desktop and ask for money to unlock it !
    • Many more innovative ways...!
  • 36. How Spyware/Trojans Steal your Passwords
    • Spread the trojan/spyware through the following means
    • game software
    • serial crackers/keygens
    • other freeware
    • network shares
    • malicious websites
    • malicious documents (PDF/Flash/Office)
    • Once the system is compromised, the trojan uses one of the following ways to steal your passwords
    • Keyloggers [kernel/user level]
    • Password crackers (recovering the passwords applications have stored locally)
    • Network password sniffers
    • Custom hooks/patches for popular applications to silently steal passwords
  • 37. Password Protection - Tips I
    • Use a unique password for each important account
    • Never store passwords for important accounts in browsers/messengers or other applications (as Part II showed, stored passwords are recoverable by anything running as you)
    • Choose a strong password - but not a complex one you cannot remember
    • use uppercase (even one will do) + lowercase + number/special character
    • choose an uncommon special character
    • length should be above 8 characters
    • Use a master password (even a simple one will do) to protect all the stored passwords (example: Firefox; without it the stored passwords are effectively plain text to anyone with your profile)
    • Set up an alternate email account for password reset operations
    • You are not lucky enough to get 100 million $$$ - don't reply to lottery emails and give away your account details
  • 38. Password Protection - Tips II
    • On compromise or spyware infection, change the passwords of all main accounts (banks/mail/corporate/social network)
    • Do not do banking or any important transactions, or view mail accounts, through
    • Wireless networks
    • Cyber cafes
    • Shared systems
    • In an emergency use SSL and make sure the SSL certificate is valid, with no warnings
    • Use one-time passwords for online transactions wherever available !
    • Phishing Protection
    • Verify the SSL GREEN status (extended validation indicator) in the browser
    • Check that the URL is the proper one
    • Do not click through email content - type the address manually
  • 39. Password Recovery Workshop
    Post-Lunch Session
    • Windows Password Cracking
    • Cain & Abel to dump password hashes from a live system
    • BackTrack - resetting the Windows password
    • BackTrack and Cain & Abel - offline Windows password recovery
    • Rainbow Password Cracking
    • Generating RainbowCrack tables
    • Using them to crack password hashes
    • Password Sniffing on the Wire
    • Network sniffing using Wireshark
    • Using password sniffing tools such as SniffPass/FTPPasswordSniffer
    • Browser & Messenger Password Recovery
    • Recovering passwords from Mozilla/Firefox/Chrome/Safari browsers
    • Recovering passwords from messengers (GTalk, Windows Messenger, Trillian, Gaim etc.)
  • 40. References
    • Windows Login Password Recovery
    • Linux Password & Shadow File Formats
    • Windows Data Protection Technology - DPAPI
    • Exposing the Secret of Decrypting Network Passwords
    • Password Secrets of Popular Windows Applications
    • Browser Password Decryptor - All Browser Password Recovery Tool
    • The RainbowCrack Project
    • Cain & Abel - The Windows Multi-purpose Password Tool
    • BackTrack - Most Popular Linux Security Distribution
    • Pwdump6 - Windows Password Dumping Tool
  • 41. Questions ?
  • 42. Thank You !
    www.SecurityXploded.com
    tnagareshwar@gmail.com