Password Attacks

1
Password Attacks

• Mike

2
Guessing Default Passwords

• Many applications and operating systems include
  built-in default passwords.
• Lazy administrators
• Database of default passwords is publicly
  available at http//www.phenoelit.de/dpl/dpl.html

3
Lets Crack Those Passwords

• Stealing the encrypted passwords and trying to
  recover the clear-text password.

Dictionary
Brute-force cracking

• Create a password guess
• Encrypt the guess
• Compare encrypted guess with encrypted
  value from the stolen password file
• If match,youve got the password!
• Else,loop back.

Hybrid password cracking
Loop
4
Cracking Windows NT/2000 Passwords Using LC5

• One of the most hyped security/attack tools.
• Focuses only on cracking Windows passwords.
• Available at http//www.atstake.com/products/lc/d
  ownload_thanks.html

5
Get Encrypted Passwords
Local machine
Remote machine
6
Choose Auditing Method
Simple checks
Normal checks
Strong checks
7
Pick Reporting Style
The types of report.
8
Auditing Options

• Import

Character type
9
Import
10
Audit
Start
Got the passwords
11
Report
12
Remote machine
Check type
Remote machine
13
Remote machine
The types of report
14
Remote machine
Administrator
Passwords
15
Remote machine
Start
Got it!
16
John the Ripper

• Focues on cracking UNIX passwords.
• Available at
• http//www.openwall.com/john/b/john-1.6.tar.gz
• Current version 1.6

17
John the Ripper
Download John the Ripper
Download complete
Unzip
18
John the Ripper
compiler
Start
19
John the Ripper
Cracking the password
Got the password
Try the password
20
Defenses against Password-Cracking Attacks

• Strong Password Policy
• User Awareness
• Password-Filtering Software
• UNIX
• Npasswd
• Passwd
• Windows
• Strongpass

21
Defenses against Password-Cracking Attacks(cont.)

• Conduct Your Own Regular Password-Cracking Tests.
• Protect Your Encrypted/Hashed Password Files.

22
Web Application Attacks
23
Account Harvesting

• Targeting the authentication process when an
  application requests a userID and password.

Correct userID
Invalid userID
Incorrect password
24
Account Harvesting Defenses

• When userID or password was incorrect,all
  accompanying information sent back to the browser
  must be completely consistent.
• Includes
• HTML
• URL
• Cookies
• Hidden form elements

25
Correct userID
Incorrect password(123456789)
26
Invalid userID
27
Undermining Web Application Session Tracking

• Web applications generate a session ID to track
  user actions.
• Session ID
• Application-level data
• Generated by the application

28
Attacking Session Tracking Mechanisms

• Establish a session,get assigned a session ID,and
  alter the session ID.
• The attacker usurps the legitimate users session
  ID to do anything.

29
Achilles

• Achilles available at http//www.mavensecurity.com
  /achilles
• Current version 0.27

Internet
Web browser
Achilles(proxy)
30
Achilles
Start
Intercept Modes
Intercept information
31
Defending against Web Application
Session-Tracking Attacks

• Ensure the integrity of all session-tracking
  elements
• Digitally sign or session-tracking information
  using a cryptographic algorithm.
• Encrypt the information in the URL,
• Hidden form element,or cookie.
• Long session IDs.
• Dynamic session IDs .
• Apply a timestamp .

32
Conclusions

• Attacker can use to gain access
• to a target machine by attacking applications.