ITCamp 2011 - Paula Januszkiewicz - Password secrets revealed


  1. Password Secrets Revealed! Everything you want to know but are afraid to ask… or had no time to check it!
     Paula Januszkiewicz, CQURE: IT Security Auditor, MVP, MCT
     http://blogs.technet.com/plwit/ paula@cqure.pl
     Premium conference on Microsoft’s Dev and ITPro technologies @itcampro / #itcampro
  2. IT Camp 2011
     • Thanks for coming!
     • ITCamp is made possible by our sponsors:
  3. MVP-Press Training Course: Planning, Deploying and Managing Microsoft Forefront Threat Management Gateway 2010
     Available for online purchase: http://www.mvp-press.com
     Follow us on: http://facebook.com/MVPpress http://twitter.com/MVPpress
  4. Agenda
     1 What are passwords for… nothing!
     2 Passwords – some examples
     3 Summary (Things you should remember)
  5. What to expect?
     Life without passwords…
     Passwords in the Web
     Protected Storage
     VNC
     Wireless (In)Security
     Passwords in the Operating System
     Rainbow tables
     Cracking toolkit
     Summary
  7. … would be beautiful, but it is not
     • Strong passwords or / and user awareness
     Number of possible passwords by character set and length:
     Characters | Letters (Lower)        | Letters (Upper & Lower)     | Letters (All) & Digits        | Letters & Digits & Special
     6          | 308,915,776            | 19,770,609,664              | 56,800,235,584                | 304,006,671,424
     8          | 208,827,064,576        | 53,459,728,531,456          | 218,340,105,584,896           | 2,044,140,858,654,976
     10         | 141,167,095,653,376    | 144,555,105,949,057,024     | 839,299,365,868,340,224       | 13,744,803,133,596,058,624
     12         | 95,428,956,661,682,176 | 390,877,006,486,250,192,896 | 3,226,266,762,397,899,821,056 | 92,420,056,270,299,898,187,776
  8. Time to crack passwords (cells shown as on the slide; “…” marks cells the slide leaves out)
     Characters | Letters (Lower) | Letters (Upper & Lower) | Letters (All) & Digits | Letters & Digits & Special
     6          | 154,4 seconds   | 164,7 hours             |                        |
     8          | 29 hours        | …                       | …                      | …
     10         | 816 days        | …                       | …                      | …
     12         | 51152123 years  | …                       | …                      | 87918622783,7 years
     Avg. password cracking: 2 million per second
  9. 3 cryptography basics
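The two tables on slides 7 and 8 are one calculation: the keyspace is (character set size) ^ (length), and the worst-case brute-force time is that keyspace divided by the guess rate, which the deck fixes at 2 million per second. The following is an added example, not code from the slides or from CQURE, that reproduces the slide 7 values and lets you plug in any character set, length and guess rate for your own policy. Two points are assumptions of mine, not statements from the deck: the "Letters & Digits & Special" column is consistent with an 82-symbol alphabet (62 alphanumerics plus 20 specials), which is inferred from the table values, and the 2 million/s rate is a 2011 CPU figure; offline GPU attacks on fast unsalted hashes run far faster, so the rate should be treated as a policy input.

```python
# Added example (not from the ITCamp slides): keyspace size and brute-force
# time for a password policy, the calculation behind slides 7 and 8.

# Character-class sizes. The 82 for "letters+digits+special" is an inference
# from the slide's table values (62 alphanumerics + 20 specials), not a
# number the deck states explicitly.
CHARSETS = {
    "lower": 26,
    "upper+lower": 52,
    "letters+digits": 62,
    "letters+digits+special": 82,
}

SECONDS_PER_HOUR = 3600
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters drawn
    from `charset_size` symbols: charset_size ** length, as an exact integer."""
    if charset_size < 1 or length < 1:
        raise ValueError("charset size and length must be positive")
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate.
    The slide assumes 2 million guesses per second; treat the rate as a
    parameter, because offline attacks on fast hashes are orders of magnitude
    faster than that on modern hardware."""
    if guesses_per_second <= 0:
        raise ValueError("guess rate must be positive")
    return keyspace(charset_size, length) / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render a duration in the unit the slide uses for that magnitude
    (seconds, hours, days, years)."""
    if seconds < SECONDS_PER_HOUR:
        return f"{seconds:.1f} seconds"
    if seconds < 100 * SECONDS_PER_HOUR:
        return f"{seconds / SECONDS_PER_HOUR:.1f} hours"
    if seconds < 1000 * SECONDS_PER_DAY:
        return f"{seconds / SECONDS_PER_DAY:.0f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


def build_table(lengths=(6, 8, 10, 12), rate=2_000_000):
    """Return {(charset_name, length): (keyspace, seconds_to_exhaust)} over the
    same policy grid as the slides."""
    return {
        (name, n): (keyspace(size, n), seconds_to_exhaust(size, n, rate))
        for name, size in CHARSETS.items()
        for n in lengths
    }


if __name__ == "__main__":
    rate = 2_000_000  # the slide's "avg. password cracking: 2 million per second"
    print(f"{'charset':<24}{'len':>4}{'keyspace':>32}  time to exhaust @ {rate:,}/s")
    for (name, n), (space, secs) in build_table(rate=rate).items():
        print(f"{name:<24}{n:>4}{space:>32,}  {human_duration(secs)}")
```

Running it prints the slide 7 column values exactly (for example 26^6 = 308,915,776 and 82^6 = 304,006,671,424) and recomputes the crack times per column; the year figures come out per character set, so the table makes clear which cell a number like "51152123 years" belongs to when you compare against the deck.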
  11. Passwords in the Web: Null Byte Injection, Inside the SSL Tunnel
      DEMO
  13. Protected Storage
      • Now: Read-Only
      • DPAPI
        – Data Blob + Entropy
        – Master Key
        – User Password
  15. VNC
      DEMO
  17. Wireless (In)Security
      DEMO
  19. Crack Basics: Windows
      • Locally: Security Accounts Manager
      • Domain: NTLS
      • Direct reading? Why not?
        – SAMInside, Cain, ERD Commander, pwdump + LC5, john the ripper
      • PSTORE
  20. SAM (Tools), DefineDosDevice, System Privileges, SAPD, Notification Package, GINA.DLL
      DEMO
  22. Rainbow Tables
      • OphCrack
      • RainbowCrack
      • http://www.insidepro.com/tables.php
      • http://www.freerainbowtables.com/en/tables/ntlm/
      • https://www.objectif-securite.ch/en/products.php?hash=EE84987FE4DC6997ABD2655ED5D5C144&drgn=2
  24. Password Cracking Tools
      • Linux
        – John the Ripper (http://www.openwall.com/john/)
      • Windows
        – John the Ripper
        – SamInside / Passwords Pro (http://www.insidepro.com)
        – Cain (http://www.oxid.it/cain.html)
        – LC5 / pwdump
        – Top 10 Tools: http://sectools.org/crackers.html
  26. Summary
      • Have your own dictionary file
      • Use well-designed password policies
      • Train users – show them what may happen if their password is revealed
      • Test your users’ passwords
  27. Q&A
  28. Don’t forget!
      Get your free Azure pass!
      • 30+15 days, no CC req’d
        – http://bit.ly/ITCAMP11
        – Promo code: ITCAMP11
      We want your feedback!
      • Win a WP7 smartphone
        – Fill in your feedback forms
        – Raffle: end of the day
