Session Layer Security

Title: Lecture 6: Session Layer Security. Subject: NETE4630. Author: Supakorn Kungpisdan. Created: 1/2/2006. Provided by: SupakornK1. Learn more at: http://www.msit2005.mut.ac.th

Transcript and Presenter's Notes
1
Session Layer Security
  • Lecture 6
  • Supakorn Kungpisdan
  • supakorn@mut.ac.th

2
Roadmap
  • Introduction
  • SYN Attack
  • Session Hijacking
  • DNS Poisoning
  • SSH Downgrade Attack
  • Authentication Techniques and Attacks

3
Introduction
  • The session layer provides a set of features that contribute to the reliability and usefulness of modern network communications:
  • Session Checkpoint
  • Session Adjournment
  • Session Termination
  • Half- and Full-Duplex Operations

4
Session Checkpoint
  • TCP acknowledgement (ACK) segments are regularly passed between hosts to identify the last data that was received
  • TCP may delay an ACK until either a short timeout expires or enough data has arrived (typically every second full-sized segment), rather than acknowledging every segment
  • Delaying ACKs increases the efficiency of the protocol, and each ACK establishes a checkpoint
  • At any point, TCP can resume transmission from the previous checkpoint if a delivery failure occurs

5
Session Adjournment
  • A TCP session may be adjourned by advertising a receive window of 0 bytes
  • This tells the sending host that no buffer is available to hold transmitted data and halts communication without losing the connection; the sender keeps probing the zero window periodically until it reopens

6
Session Termination
  • TCP provides a means for both graceful and immediate session termination
  • Graceful termination occurs by setting the finish (FIN) flag, which is subsequently acknowledged by the recipient
  • Immediate termination occurs by sending a packet with the reset (RST) flag set, which discards the connection state without the FIN/ACK exchange

Half- and Full-Duplex Operations
  • While TCP operates at full duplex, the session layer allows for both full- and half-duplex operations

7
Attacking the Session Layer
  • Attacks rely primarily on abuses of the TCP and IP headers
  • Several behaviours designed into the TCP specification allow a wide variety of attacks
  • In particular, the TCP flags and the sequence and acknowledgement numbers enable several methods of attack
  • Newer attacks may focus on higher-layer protocols such as the Session Description Protocol (SDP) and the Session Initiation Protocol (SIP)

8
SYN Attack
  • Legitimate TCP functions permit attackers with a small number of hosts to conduct a DoS that exhausts a server's connection resources and, at volume, can saturate a corporation's bandwidth
  • In the TCP three-way handshake, a new source port is selected on the client host for each new connection that is opened to a particular port on a server
  • The server has to allocate resources (a backlog entry and per-connection state) for each half-open connection
  • A large number of hosts can use this to great effect when attacking a web site

9
SYN Attack (cont.)
  • From an attacker's perspective, this approach (opening many real connections) is less than ideal
  • Creating multiple connections is extremely inefficient
  • Every established connection consumes resources on the attacking client as well as on the server
  • This kind of attack is not anonymous
  • Many servers limit the number of connections that they will accept from a single host

10
Performing SYN Attack
  • Our goal is to consume resources on the victim
    server but not on the DoS client
  • We want to avoid using any system calls to open
    network connections

11
SYN Attack with hping2
  • The hping2 tool provides a simple means of producing crafted packets
  • Sending a single SYN packet to port 6666 on the victim server:
  • hping2 -c 1 -p 6666 -S 10.10.1.9
  • In this case, we use the attacking machine's IP address as the source IP

12
SYN Attack with hping2 (cont.)
Using the real IP (196.254.34.6) as the source: the attacking host's own TCP stack answers the target's (10.10.1.9) SYN/ACK with a RST, which immediately tears down the half-open connection
13
SYN Attack with hping2 (cont.)
  • However, the DoS client's own TCP stack undermines the attack: its RST frees the very resources we wanted the victim to keep consuming
  • Any TCP stack that receives an unsolicited SYN/ACK responds with a RST
  • The solution is to spoof the source IP address:
  • hping2 -c 1 -a 10.12.250.250 -p 6666 -S 10.10.1.9

Spoofed source address: 10.12.250.250
14
SYN Attack with hping2 (cont.)
Target keeps sending SYN/ACK to the spoofed
source until reaching timeout
15
SYN Attack with hping2 (cont.)
  • The victim server attempts to reply to the
    non-existent host with SYN/ACK
  • TCP tries to ensure reliable delivery and will
    continue to complete the handshake until timeout
  • The DoS client can now produce packets as fast as
    it can spoof them, while at the same time the
    victim server attempts to complete handshakes in
    vain

16
Note on SYN Attack
  • Careful selection of the spoofed IP is necessary to conduct a successful DoS attack
  • The most reliable method of ensuring delivery of a spoofed packet is to select an unused IP on the same subnet as the attacking host: egress filtering on the attacker's gateway will not drop it, and no live host will answer the victim's SYN/ACK with a RST
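The SYN-without-completion pattern the last few slides describe is exactly what a defender looks for. The Python below is an added example and not part of the lecture: it replays constructed tcpdump-style lines (the addresses reuse the slides' 10.10.1.9 target and 196.254.34.6 attacker; the 10.12.250.x sources and all sequence numbers are made up) and flags a listener that is holding many half-open handshakes from many distinct sources. The two thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines (not a real capture): one real client that
# completes its handshake, one real client whose own stack RSTs the SYN/ACK,
# and a burst of SYNs from spoofed, unreachable sources that never answer.
SAMPLE_LINES = [
    "IP 196.254.34.6.40001 > 10.10.1.9.6666: Flags [S], seq 1000",
    "IP 10.10.1.9.6666 > 196.254.34.6.40001: Flags [S.], seq 5000, ack 1001",
    "IP 196.254.34.6.40001 > 10.10.1.9.6666: Flags [.], ack 5001",
    "IP 196.254.34.6.40002 > 10.10.1.9.6666: Flags [S], seq 2000",
    "IP 10.10.1.9.6666 > 196.254.34.6.40002: Flags [S.], seq 6000, ack 2001",
    "IP 196.254.34.6.40002 > 10.10.1.9.6666: Flags [R], seq 2001",
] + [
    f"IP 10.12.250.{i}.{50000 + i} > 10.10.1.9.6666: Flags [S], seq {i * 7}"
    for i in range(1, 41)
] + [
    f"IP 10.10.1.9.6666 > 10.12.250.{i}.{50000 + i}: Flags [S.], seq 9, ack {i * 7 + 1}"
    for i in range(1, 41)
]

LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def half_open_table(lines):
    """Replay the lines; return {listener: {client_ip: count}} of handshakes that
    got a SYN but neither a completing ACK nor a RST from the client afterwards."""
    pending = {}  # (client, cport, server, sport) -> True while half-open
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.group("src", "sport", "dst", "dport", "flags")
        if flags == "S":                       # client SYN opens a half-open entry
            pending[(src, sport, dst, dport)] = True
        elif flags == "S.":                    # server SYN/ACK: still half-open
            continue
        elif "R" in flags or flags == ".":     # client RST or final ACK closes it
            pending.pop((src, sport, dst, dport), None)
    table = defaultdict(lambda: defaultdict(int))
    for client, _cport, server, sport in pending:
        table[f"{server}:{sport}"][client] += 1
    return table


def syn_flood_suspects(lines, min_half_open=20, min_sources=10):
    """Flag a listener when many half-open handshakes come from many distinct
    sources: one misbehaving client cannot explain that pattern, spoofing can.
    The thresholds are assumptions, not values from the lecture."""
    report = {}
    for listener, by_client in half_open_table(lines).items():
        total = sum(by_client.values())
        if total >= min_half_open and len(by_client) >= min_sources:
            report[listener] = {"half_open": total, "sources": len(by_client)}
    return report


if __name__ == "__main__":
    print(syn_flood_suspects(SAMPLE_LINES))
```

Both real clients drop out of the table (one completed, one reset), which is the same reason the slides needed a spoofed, unreachable source; only the forty unanswered SYN/ACKs remain and trip the rule.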

17
Reflective Attack
  • A variation of the SYN attack
  • Launched by sending a large number of SYN packets to a web server with the source address altered to match the address of the victim
  • The web server responds to the flood of SYN packets by sending a flood of SYN/ACK traffic back to the spoofed (victim's) address

18
Session Hijacking
  • Session hijacking takes advantage of the fact that most communications are protected (by presenting credentials) at session setup, but not thereafter
  • These attacks generally fall into three categories:
  • Man-in-the-middle (MITM)
  • Blind Hijacking
  • Session Theft

Ref: http://technet.microsoft.com/en-us/magazine/cc160809(TechNet.10).aspx
19
MITM Attacks
  • The attacker intercepts all communications between two hosts
  • With communications between a client and server now flowing through the attacker, he or she is free to modify their content
  • Protocols that exchange public keys without authenticating them are a frequent target of these attacks, because the attacker can substitute his or her own key on each side

20
Blind Hijacking
  • An attacker injects data such as malicious
    commands into intercepted communications between
    two hosts commands like "net.exe localgroup
    administrators /add EvilAttacker".
  • This is called blind hijacking because the
    attacker can only inject data into the
    communications stream, but cannot see the
    response to that data (such as "The command
    completed successfully.")
  • Essentially, the blind hijack attacker is
    shooting data in the dark, but this method is
    still very effective

21
Session Theft Attacks
  • Attacker neither intercepts nor injects data into
    existing communications between two hosts.
  • Instead, the attacker creates new sessions or
    uses old ones.
  • This type of session hijacking is most common at
    the application level, especially Web
    applications.

22
Hijacking A TCP Session
[Diagram: session establishment followed by data transfer]
23
Hijacking A TCP Session (cont.)
  • If the attacker wanted to inject data into the
    TCP session as the client, he or she would need
    to
  • Spoof the client's IP address
  • Determine the correct sequence number that is
    expected by the server from the client
  • Inject data into the session before the client
    sends its next packet
  • To achieve the third, the attacker could just
    send the data to inject and hope it is received
    before the real client does
  • Or, the attacker could perform a DoS attack on
    the client, or use ARP spoofing

24
Blind Injection
When the client receives the ACK packet, it will
be confused, either because it did not send any
data or because the next expected sequence is
incorrect.
25
Hijacking A TCP Session (cont.)
  • The attacker can inject something "nice" like mv `which emacs` /vmunix; shutdown -r now rather than just a single character
  • The confusion caused by the injected data can produce a TCP ACK storm, which can disrupt a network
  • Attackers can automate the session hijacking process with tools such as Juggernaut, Hunt, and Ettercap

26
Hijacking A UDP Session
  • Attackers do not have to worry about the overhead of managing sequence numbers and other TCP mechanisms
  • Since UDP is connectionless, injecting data into a session without being detected is extremely easy

DNS queries, online games such as the Quake series and Half-Life, and peer-to-peer sessions all commonly run over UDP and are popular targets for this kind of session hijacking
27
Determining Susceptibility
  • One way to check whether your network is vulnerable to session hijacking is to hijack real sessions with the tools attackers use, e.g. Juggernaut, Hunt, or Ettercap
  • Alternatively, find out whether any transport protocols in use lack cryptographic protection
  • Protocols such as Telnet and FTP are extremely susceptible to hijacking when not protected inside encrypted tunnels
  • Countermeasure: use SSL/TLS, SSH, or IPsec, which authenticate every segment rather than only the session setup

28
Tricks and Techniques
  • TCP ACK Storm
  • ARP Table Modification
  • TCP Resynchronizing
  • Remotely Modifying Routing Table

29
TCP ACK Packet Storm
As the attacker injects more and more data, the
size of the ACK storm increases and can quickly
degrade network performance.
If neither the attacker nor the client explicitly
closes the session, the storm will likely stop
itself eventually when ACK packets are lost in
the storm.
30
ARP Table Modification
[Diagram: the attacker answers the request for the owner of a MAC address with a spoofed ARP reply]
31
ARP Table Modification (cont.)
[Diagram: ARP table modification used to stop the TCP ACK storm]
32
TCP Resynchronizing
  • To hide his or her tracks, an attacker who has finished hijacking a session may want to resynchronize the two hosts
  • After the attack the two hosts are at different points in the session: each expects a different sequence number
  • For example, the server may think that it has received 40 bytes from the client when the client has only sent 29

33
TCP Resynchronizing (cont.)
  • Because sequence numbers only move forward, the server cannot be manipulated into expecting a lower number that matches the client's
  • Tools such as Hunt therefore work the other way round: they send the client a message asking the user to type the missing bytes, so that the client's sequence number catches up with the server's
  • msg from root: power failure - try to type 13 chars
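The injection on slides 23-25, the ACK storm on slide 29 and the resynchronization problem above all come down to two variables per side of the connection. The Python below is an added example, not from the slides or the TechNet article they cite: a minimal model of the client and server sequence spaces that shows why a forged segment is accepted, why the resulting ACK exchange never converges on its own, and how many filler bytes the real client must type to resynchronize. IP addresses, initial sequence numbers and the injected command are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    src: str
    dst: str
    seq: int
    ack: int
    payload: bytes = b""


@dataclass
class Endpoint:
    """Just the two sequence-space variables that matter for hijacking."""
    ip: str
    snd_nxt: int   # next sequence number this side will send
    rcv_nxt: int   # next sequence number this side expects to receive

    def send(self, dst, payload=b""):
        seg = Segment(self.ip, dst, self.snd_nxt, self.rcv_nxt, payload)
        self.snd_nxt += len(payload)
        return seg

    def receive(self, seg):
        """Return the ACK this side emits in response, or None.
        RFC 793 behaviour: an ACK for data never sent, or a segment with an
        unexpected seq, is answered with an ACK stating the current state."""
        if seg.ack > self.snd_nxt:           # acknowledges data we never sent
            return Segment(self.ip, seg.src, self.snd_nxt, self.rcv_nxt)
        if seg.seq != self.rcv_nxt:          # out of sequence: repeat what we expect
            return Segment(self.ip, seg.src, self.snd_nxt, self.rcv_nxt)
        self.rcv_nxt += len(seg.payload)     # in sequence: accept the data
        return Segment(self.ip, seg.src, self.snd_nxt, self.rcv_nxt) if seg.payload else None


def forge_as_client(client, server, payload):
    """The attacker sniffed the last segment, so it knows the client's next seq."""
    return Segment(client.ip, server.ip, client.snd_nxt, client.rcv_nxt, payload)


def ack_storm_rounds(client, server, first_ack, limit=50):
    """Bounce the confused ACKs back and forth and count the rounds. Neither side
    ever changes state, so the loop only stops when `limit` stands in for a lost packet."""
    seg, rounds = first_ack, 0
    while seg is not None and rounds < limit:
        peer = client if seg.dst == client.ip else server
        seg = peer.receive(seg)
        rounds += 1
    return rounds


def bytes_to_resync(client, server):
    """Filler bytes the real client must still send before server.rcv_nxt == client.snd_nxt."""
    return server.rcv_nxt - client.snd_nxt


if __name__ == "__main__":
    client = Endpoint("10.0.0.2", snd_nxt=1000, rcv_nxt=5000)   # constructed ISNs
    server = Endpoint("10.0.0.1", snd_nxt=5000, rcv_nxt=1000)
    print(client.receive(server.receive(client.send(server.ip, b"ls\n"))))  # None: no storm
    first_ack = server.receive(forge_as_client(client, server, b"id;uptime\n"))
    print("storm rounds:", ack_storm_rounds(client, server, first_ack))
    print("client must type", bytes_to_resync(client, server), "bytes")
```

A legitimate exchange ends after one ACK. After the forged segment the server's ACK acknowledges ten bytes the client never sent, the client answers with an ACK of its own, the server sees that ACK as out of sequence and answers again, and so on; that is the storm. Once the client has typed exactly the injected byte count (Hunt's "try to type 13 chars"), both sides agree again and the next real segment is accepted.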

34
Remotely Modifying Routing Table
  • An attacker who wants to hijack a session wants all communications between client and server to pass through him or her, making it easy to monitor, modify, and inject data into the session, as in MITM attacks
  • One way to modify a host's routing table remotely is to forge ICMP Redirect (type 5) packets that advertise the attacker as the gateway to use for the destination
  • To protect Windows hosts from forged ICMP redirects, set the EnableICMPRedirect value (REG_DWORD) to 0 under the registry key HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

35
DNS Poisoning
  • A more common example of session hijacking is DNS poisoning
  • DNS poisoning allows an attacker to convince a DNS server (or a client) that a hostname resolves to an arbitrary IP address

36
DNS Resolution
[Diagram: six numbered steps of a lookup through the local nameserver]
The client does not query the canonical (authoritative) nameserver itself; for efficiency it relies on the caching local nameserver
37
DNS Poisoning (cont.)
[Diagram: seven numbered steps of a poisoned lookup involving the attacker's nameserver and a spoofed web server]
38
DNS Poisoning (cont.)
  • Implementing DNS poisoning blindly is difficult
  • Each DNS query contains a 2-byte identification field that allows responses to be matched to queries
  • An attacker has a 1 in 65,536 (2^16) chance of guessing the correct identification value for a single forged response, and the forgery must also arrive on the port the query was sent from, before the genuine answer
  • Normally an attacker needs to sniff the identification number of the query in order to spoof a response successfully; a resolver that also randomizes its source port makes blind guessing far harder
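The matching rule the slide describes is easy to see in code. The following is an added example, not from the lecture: a minimal DNS query/response builder (header and question section only) plus the resolver-side check, written so that a forged response with the wrong ID, from the wrong server, or to the wrong port is rejected, while one that reuses a sniffed ID is accepted. Names, addresses and the single A record are constructed.

```python
import os
import struct


def encode_qname(name):
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00'"""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"


def build_query(name, txid, qtype=1):
    """Standard query header (RD set) plus one question; returns the wire bytes."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack(">HH", qtype, 1)


def build_answer(query, rdata):
    """Answer for the given query: same TXID and question, QR/RD/RA set, one A record.
    Uses a compression pointer (0xc00c) back to the question name."""
    txid = struct.unpack(">H", query[:2])[0]
    question = query[12:]
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes(map(int, rdata.split(".")))
    return header + question + rr


def parse_header(pkt):
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", pkt[:12])
    return {"txid": txid, "is_response": bool(flags & 0x8000), "qdcount": qd, "ancount": an}


def new_outstanding(name, server, randomize_port=True):
    """State a resolver keeps for a query in flight. With randomize_port=False it
    behaves like the old fixed-port resolvers the slide's 1-in-65,536 figure assumes."""
    txid = int.from_bytes(os.urandom(2), "big")
    sport = 1024 + int.from_bytes(os.urandom(2), "big") % 64512 if randomize_port else 53
    q = build_query(name, txid)
    return {"txid": txid, "sport": sport, "server": server, "question": q[12:], "query": q}


def accept_response(outstanding, pkt, from_addr, to_port):
    """Resolver-side matching: TXID, question section, source server and destination
    port must all line up. Returns the A record as text, or None if rejected."""
    hdr = parse_header(pkt)
    if not hdr["is_response"] or hdr["txid"] != outstanding["txid"]:
        return None
    if from_addr != outstanding["server"] or to_port != outstanding["sport"]:
        return None
    qlen = len(outstanding["question"])
    if pkt[12:12 + qlen] != outstanding["question"]:
        return None
    return ".".join(str(b) for b in pkt[-4:])


def guess_space(randomize_port):
    """Combinations a blind attacker has to cover: 2^16 IDs, times 64512 ports if randomized."""
    return 65536 * (64512 if randomize_port else 1)


if __name__ == "__main__":
    out = new_outstanding("www.example.com", "10.10.1.53", randomize_port=False)  # constructed
    sniffed = build_answer(out["query"], "10.12.250.250")     # attacker saw the ID: accepted
    blind = build_answer(build_query("www.example.com", (out["txid"] + 1) & 0xFFFF), "10.12.250.250")
    print(accept_response(out, sniffed, "10.10.1.53", out["sport"]))   # 10.12.250.250
    print(accept_response(out, blind, "10.10.1.53", out["sport"]))     # None
    print(guess_space(False), guess_space(True))
```

The blind forgery fails on the ID alone; the forgery built from a sniffed query passes every check, which is why Ettercap (next slides) sniffs on the local network rather than guessing.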

39
DNS Poisoning with Ettercap
[Screenshots: steps 1-3]
40
DNS Poisoning with Ettercap (cont.)
[Screenshots: steps 4-5]
41
DNS Poisoning with Ettercap (cont.)
[Screenshots: steps 6-8]
42
DNS Poisoning with Ettercap (cont.)
[Screenshots: steps 9-10, editing the ettercap DNS-spoofing host file (labelled Ettercap.dns on the slide; the file is etter.dns)]
43
SSL Spoofing with Ettercap
[Screenshot]
44
SSH Downgrade Attack
  • SSH is the best-known example of a downgrade attack, where the attacker forces the client and the server to use the insecure SSH1 protocol
  • The client connects to the server, and the server announces which protocol versions it supports in its identification string:
  • SSH-2.0: the server supports only SSH2
  • SSH-1.99: the server supports both SSH1 and SSH2
  • SSH-1.51: the server supports only SSH1
  • The attack works against a server that supports both SSH1 and SSH2 (one that announces SSH-1.99)

Ref: http://openmaniak.com/ettercap_filter.php
45
SSH Downgrade Attack (cont.)
46
SSH Downgrade Attack (cont.)
47
SSH Downgrade Attack with ettercap
  • 1. Configure the SSH server to support both SSH1 and SSH2
     apt-get install openssh-server
     vim /etc/ssh/sshd_config
     Protocol 1,2
  • 2. Create an SSH1 host key pair
     ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N ''
  • 3. Add the key path to the sshd_config file
     HostKey /etc/ssh/ssh_host_key
  • 4. Telnet to port 22 on the server to check that it advertises SSH1
     Trying server_ip_address...
     Connected to server_ip_address.
     Escape character is '^]'.
     SSH-1.99-OpenSSH_4.6p1 Debian-5ubuntu0.1

48
Clients PuTTY Screen
Version 2 is preferred but not restricted
49
Ettercap Filter
50
SSH Downgrade Attack Filter
/usr/share/ettercap/ettercap.filter.ssh
51
Compiling the Filter
52
Loading the Compiled Filter
53
SSH Downgrade Attack Result
54
Avoiding SSH Downgrade Attack
  • Never allow SSH1 on either the server or the client
  • In /etc/ssh/sshd_config:
  • Protocol 2
  • Verify with telnet server_ip_address 22:
  • Trying server_ip_address...
  • Connected to server_ip_address.
  • Escape character is '^]'.
  • SSH-2.0-OpenSSH_4.6p1 Debian-5ubuntu0.1
  • A server that speaks only SSH2 announces SSH-2.0, which the filter leaves untouched, and a client restricted to protocol 2 refuses an SSH-1.51 banner instead of falling back
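The whole attack and its defence happen in the first line each side sends. The Python below is an added example, not from the lecture or from ettercap: the SSH version exchange modelled as a banner parser, the banner rewrite that ettercap's SSH filter performs in transit (SSH-1.99 becomes SSH-1.51), and the client-side decision that a "Protocol 2" configuration amounts to. The banner strings are the ones shown on the slides; the negotiation logic is a model of how a protocol-restricted client behaves, not OpenSSH code.

```python
import re

# RFC 4253 section 4.2: SSH-protoversion-softwareversion [SP comments]
BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comment>.*))?$")


def parse_banner(line):
    """Split 'SSH-1.99-OpenSSH_4.6p1 Debian-5ubuntu0.1' into its three fields."""
    m = BANNER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return m.groupdict()


def server_supports(proto):
    """Protocol majors a server accepts, given the protoversion it advertised.
    1.99 is the compatibility value meaning 'both 1 and 2'."""
    if proto == "1.99":
        return {1, 2}
    return {int(proto.split(".")[0])}


def downgrade_filter(line):
    """What the ettercap SSH filter does to the server banner on the wire: a server
    willing to speak SSH1 is made to look SSH1-only, so the client never asks for SSH2."""
    return line.replace("SSH-1.99", "SSH-1.51")


def negotiate(server_banner, client_protocols):
    """Client side of the version exchange: returns the major version chosen (the
    highest both sides allow), or None when there is no overlap and the client
    must abort. A client configured 'Protocol 2' passes client_protocols={2}."""
    offered = server_supports(parse_banner(server_banner)["proto"])
    common = offered & set(client_protocols)
    return max(common) if common else None


if __name__ == "__main__":
    banner = "SSH-1.99-OpenSSH_4.6p1 Debian-5ubuntu0.1"   # slide 47, Protocol 1,2
    print(negotiate(banner, {1, 2}))                         # 2: version 2 preferred
    print(negotiate(downgrade_filter(banner), {1, 2}))       # 1: downgraded
    print(negotiate(downgrade_filter(banner), {2}))          # None: strict client refuses
    print(negotiate("SSH-2.0-OpenSSH_4.6p1 Debian-5ubuntu0.1", {1, 2}))  # 2: fixed server
```

The PuTTY setting on slide 48 ("2 preferred but not restricted") is the {1, 2} case: the client prefers SSH2 but accepts whatever the (rewritten) banner offers. Either fix alone is enough, and the slide recommends both.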

55
Avoiding SSH Downgrade Attack (cont.)
SSH Client
56
Authentication
  • Two main categories of authentication
  • Synchronous and asynchronous authentication
    protocols
  • Synchronous authentication protocols provide
    credentials at the start of the authentication
    process
  • Asynchronous authentication involves a
    challenge-response model

57
Password Authentication Protocol
  • Password Authentication Protocol (PAP) is one of the least secure authentication protocols
  • The username and password are sent in cleartext to the authentication server after the connection has been established
  • Some systems fall back to PAP if they cannot agree on any other authentication protocol
  • Both entities try to negotiate the most secure method of authentication they have in common, starting with EAP, then CHAP, then PAP

58
Challenge Handshake Authentication Protocol
59
NT Lan Manager v1 (NTLMv1)
[Diagram: the server sends an 8-byte random number as the challenge; the user enters the password; the client returns the responses R1 and R2; the server computes the same values from the stored hashes and compares]
60
NTLMv1 (cont.)
  • The user's password and the challenge are used to compute responses from both the LAN Manager hash and the MD4 (NT) hash
  • C = 8-byte random challenge
  • Hash1 = MD4(unicode(password))
  • K1 || K2 || K3 = Hash1 || 5 zero bytes (21 bytes, split into three 7-byte DES keys; the third key contains only two unknown bytes)
  • R1 = DES(K1, C) || DES(K2, C) || DES(K3, C)
  • Hash2 = LM-hash(password)
  • K4 || K5 || K6 = Hash2 || 5 zero bytes
  • R2 = DES(K4, C) || DES(K5, C) || DES(K6, C)
  • The client sends R1 and R2 as its response to the server

61
LM challenge/response
The LM hash:
  • pw = uppercase(password), NUL-padded to 14 bytes
  • LM_hash[1..8] = DES(key = pw[1..7], magic word)
  • LM_hash[9..16] = DES(key = pw[8..14], magic word)
  • LM_hash[17..21] = 00 00 00 00 00 (five zero bytes appended for the response step)
  • The magic word is the constant string KGS!@#$%
Source: Urity@SecurityFriday.com, Cracking NTLMv2 Authentication
62
LM challenge/response (cont.)
  • LM_response[1..8] = DES(key = LM_hash[1..7], challenge code)
  • LM_response[9..16] = DES(key = LM_hash[8..14], challenge code)
  • LM_response[17..24] = DES(key = LM_hash[15..21], challenge code)
  • The two 7-character halves of the password are hashed independently, so each half can be attacked on its own
63
NTLM 2 Authentication
  • NT_hash = MD4(unicode(password))
  • NTLMv2_key = HMAC_MD5(key = NT_hash, unicode(uppercase(account name) || domain_or_hostname))
  • NTLMv2_response = HMAC_MD5(key = NTLMv2_key, server_challenge || client_challenge)
64
LM, NTLMv1, NTLMv2
                         LM                  NTLMv1              NTLMv2
Password case sensitive  No                  Yes                 Yes
Hash key length          56 bit + 56 bit     -                   -
Password hash algorithm  DES (ECB mode)      MD4                 MD4
Hash value length        64 bit + 64 bit     128 bit             128 bit
C/R key length           56 + 56 + 16 bit    56 + 56 + 16 bit    128 bit
C/R algorithm            DES (ECB mode)      DES (ECB mode)      HMAC_MD5
C/R value length         64 + 64 + 64 bit    64 + 64 + 64 bit    128 bit
Source: Urity@SecurityFriday.com, Cracking NTLMv2 Authentication
65
Authenticating with Kerberos
  • Default authentication mechanism used by Windows 2000, XP, and 2003 hosts that are members of an Active Directory domain
  • Strong protocol, relying on a central server (normally an Active Directory domain controller) to grant access to systems
  • Tickets carry timestamps and lifetimes, so Kerberos depends on the clocks of all participants agreeing; a host whose clock drifts beyond the permitted skew (5 minutes by default in Active Directory) can no longer authenticate
  • Any network using Kerberos must therefore synchronize the clocks of all systems using a protocol such as the Network Time Protocol (NTP)

66
Attacks Against Password Hashes
  • Brute Force Attack
  • Iterates through every possible input, hashes it, and compares the output with the hash value
  • Guaranteed to crack the hash if run long enough
  • Dictionary Attack
  • Iterates through likely passwords and common substitutions of those words
  • Not guaranteed to produce results
  • E.g. John the Ripper (or John the Ripper Pro, the commercial version), available at http://www.openwall.com/john/

67
Attacks Against Password Hashes (cont.)
  • Rainbow Table Attack
  • Precompute hash chains covering the keyspace ahead of time (a time-memory trade-off), so that cracking a hash becomes a lookup in the stored tables rather than a fresh search
  • Several tools can be used for password cracking, including of Windows password hashes from the SAM (LM and NTLM hashes):
  • RainbowCrack, Ophcrack, John the Ripper, Cain and Abel
  • RainbowCrack can be used to crack LM, MD5, and Office hashes

68
Rainbow Table
69
Rainbow Table (cont.)
70
Cracking LM Password with Rainbow Crack
  • Dump the password hashes using samdump, pwdump, or fgdump
  • Install RainbowCrack
  • Before cracking the password, generate the rainbow tables first
  • LM configuration #0 (see the rtgen commands below)
  • Sort the rainbow tables using the rtsort command
  • Crack the password using the rcrack command

Ref: http://www.ethicalhacker.net/content/view/94/24/
71
Password Hashes from pwdump
  • testuser1   LM: 0F20048EFC645D0A179B4D5D6690BDF3   NT: 1120ACB74670C7DD46F1D3F5038A5CE8
  • remote      LM: E52CAC67419A9A224A3B108F3FA6CB6D   NT: 8846F7EAEE8FB117AD06BDD830B7586C
  • joeuser     LM: E52CAC67419A9A224A3B108F3FA6CB6D   NT: 8846F7EAEE8FB117AD06BDD830B7586C
  • averageguy  LM: 299CCF964D9A359BAAD3B435B51404EE   NT: A5C07214487C87B584E8877DE72DCA0B
  • harderpass  LM: B75838F7A57EE67993E28745B8BF4BA6   NT: EC50F8A8149C93EF45AECB8AF96658E6
  • demouser    LM: 261A6631FE44BA4993E28745B8BF4BA6   NT: 371D5760453C1B000BCC016F8E23A83C
  • randy       LM: 98B5AFEB67293D6AAAD3B435B51404EE   NT: A9F34664151F6360757B31644F37E025
  • Asmith      LM: E165F0192EF85EBBAAD3B435B51404EE   NT: E4EBE0E7EF708DC9FD240135D3D43D89
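A dump like this gives away a lot before any cracking starts. The Python below is an added example, not from the slides: it parses the listing above as standard pwdump lines (user:RID:LM hash:NT hash:::; the RIDs are made up, the hash values are the ones on the slide) and triages it the way an attacker or an auditor would. The two constants are the well-known hash of an empty 7-character LM half and of the empty NT password.

```python
from collections import defaultdict

EMPTY_LM_HALF = "AAD3B435B51404EE"                  # DES("KGS!@#$%") under the all-NUL key
EMPTY_NT_HASH = "31D6CFE0D16AE931B73C59D7E0C089C0"  # MD4 of the empty UTF-16LE string

# The slide's dump rewritten as pwdump lines. RIDs are constructed; hashes are the slide's.
PWDUMP_LINES = """\
testuser1:1001:0F20048EFC645D0A179B4D5D6690BDF3:1120ACB74670C7DD46F1D3F5038A5CE8:::
remote:1002:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C:::
joeuser:1003:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C:::
averageguy:1004:299CCF964D9A359BAAD3B435B51404EE:A5C07214487C87B584E8877DE72DCA0B:::
harderpass:1005:B75838F7A57EE67993E28745B8BF4BA6:EC50F8A8149C93EF45AECB8AF96658E6:::
demouser:1006:261A6631FE44BA4993E28745B8BF4BA6:371D5760453C1B000BCC016F8E23A83C:::
randy:1007:98B5AFEB67293D6AAAD3B435B51404EE:A9F34664151F6360757B31644F37E025:::
Asmith:1008:E165F0192EF85EBBAAD3B435B51404EE:E4EBE0E7EF708DC9FD240135D3D43D89:::
"""


def parse_pwdump(text):
    """user:RID:LM:NT::: -> list of dicts; hashes normalised to upper case."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, rid, lm, nt = line.split(":")[:4]
        rows.append({"user": user, "rid": int(rid), "lm": lm.upper(), "nt": nt.upper()})
    return rows


def triage(rows):
    """Findings available without cracking anything:
    - short_lm: second LM half is the empty constant, so the password is at most 7 chars
    - no_lm: no LM hash stored at all (over 14 chars, ALT characters, or LM storage disabled)
    - empty_nt: account has a blank password
    - shared_nt: accounts with identical NT hashes share a password (no salt)
    - shared_lm_half2: accounts whose characters 8-14 are identical (halves hash independently)
    """
    findings = {"short_lm": [], "no_lm": [], "empty_nt": [], "shared_nt": [], "shared_lm_half2": []}
    by_nt, by_half2 = defaultdict(list), defaultdict(list)
    for r in rows:
        half2 = r["lm"][16:]
        if r["lm"] == EMPTY_LM_HALF * 2:
            findings["no_lm"].append(r["user"])
        elif half2 == EMPTY_LM_HALF:
            findings["short_lm"].append(r["user"])
        else:
            by_half2[half2].append(r["user"])
        if r["nt"] == EMPTY_NT_HASH:
            findings["empty_nt"].append(r["user"])
        by_nt[r["nt"]].append(r["user"])
    findings["shared_nt"] = [users for users in by_nt.values() if len(users) > 1]
    findings["shared_lm_half2"] = [users for users in by_half2.values() if len(users) > 1]
    return findings


if __name__ == "__main__":
    for key, value in triage(parse_pwdump(PWDUMP_LINES)).items():
        print(f"{key}: {value}")
```

On the slide's own data: three accounts have passwords of seven characters or fewer, remote and joeuser share one password (the same LM and NT hashes, because neither algorithm salts), and harderpass and demouser share their last seven characters, so cracking one half cracks it for both.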

72
Generating Rainbow Table
  • To generate other configurations, use the rtgen command:
    rtgen lm alpha-numeric 1 7 0 2400 40000000 all
    rtgen lm alpha-numeric 1 7 1 2400 40000000 all
    rtgen lm alpha-numeric 1 7 2 2400 40000000 all
    rtgen lm alpha-numeric 1 7 3 2400 40000000 all
    rtgen lm alpha-numeric 1 7 4 2400 40000000 all

73
Generating Rainbow Table (cont.)
  • 1 and 7 are the plaintext length range, so we want passwords from A to ZZZZZZZ (1 to 7 characters)
  • With a plaintext length range of 4-6, "AAAA" and "ZZZZZZ" would be in the key space but "A" would not
  • 0, 1, 2, 3, 4 are the table numbers; each table uses a different reduction function, so the tables cover different parts of the key space
  • 2400 is the chain length. A longer chain raises the success rate of a table without increasing its size, because more hashes are computed per chain, but the table takes longer to create and to search
  • 8000000 is the chain count of each rainbow table, i.e. how many chains it stores. Increasing it produces larger files with higher success rates; the time to search a table is not affected, although generation time grows with it
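The trade-offs just described are easier to see on a table small enough to build in a second. The Python below is an added example, not from the slides or RainbowCrack: a toy rainbow table over an MD5 stand-in for the LM hash, taking the same three parameters rtgen does (plaintext length range, chain length, chain count), with the generate, sort and crack phases separated the way rtgen, rtsort and rcrack are. The alphabet, seed and sizes are assumptions.

```python
import bisect
import hashlib
import random

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"   # rtgen's alpha-numeric charset


def keyspace_size(alphabet, min_len, max_len):
    return sum(len(alphabet) ** n for n in range(min_len, max_len + 1))


def index_to_plaintext(idx, alphabet, min_len, max_len):
    """Map one index in 0..keyspace_size-1 to a plaintext of length min_len..max_len."""
    for n in range(min_len, max_len + 1):
        block = len(alphabet) ** n
        if idx < block:
            chars = []
            for _ in range(n):
                idx, r = divmod(idx, len(alphabet))
                chars.append(alphabet[r])
            return "".join(chars)
        idx -= block
    raise ValueError("index outside keyspace")


def hash_fn(plain):
    """MD5 stands in for the LM hash; any unsalted hash works the same way."""
    return hashlib.md5(plain.encode()).digest()


def reduce_fn(digest, column, space):
    """Map a hash back into the keyspace. Mixing in the column number is what makes
    this a rainbow table rather than a classic Hellman table: merges at different
    columns no longer collapse whole chains, which is why longer chains still pay off."""
    return (int.from_bytes(digest[:8], "big") + column) % space


class RainbowTable:
    def __init__(self, alphabet, min_len, max_len, chain_len, chain_count, seed=0):
        self.alphabet, self.min_len, self.max_len = alphabet, min_len, max_len
        self.chain_len = chain_len
        self.space = keyspace_size(alphabet, min_len, max_len)
        rng = random.Random(seed)
        self.starts = [rng.randrange(self.space) for _ in range(chain_count)]
        # rtgen: walk each chain and keep only (end, start); rtsort: sort by endpoint
        self.table = sorted((self._walk(s, 0, chain_len), s) for s in self.starts)
        self.ends = [end for end, _ in self.table]   # file size grows with chain_count only

    def plaintext(self, idx):
        return index_to_plaintext(idx, self.alphabet, self.min_len, self.max_len)

    def _walk(self, idx, start_col, stop_col):
        for col in range(start_col, stop_col):
            idx = reduce_fn(hash_fn(self.plaintext(idx)), col, self.space)
        return idx

    def crack(self, digest):
        """rcrack: assume the hash sits at column c, finish the chain from there, look
        up the endpoint, regenerate the matching chain to column c and verify. Work is
        proportional to chain_len squared and independent of chain_count."""
        for col in range(self.chain_len - 1, -1, -1):
            end = self._walk(reduce_fn(digest, col, self.space), col + 1, self.chain_len)
            pos = bisect.bisect_left(self.ends, end)
            while pos < len(self.ends) and self.ends[pos] == end:
                candidate = self._walk(self.table[pos][1], 0, col)
                if hash_fn(self.plaintext(candidate)) == digest:
                    return self.plaintext(candidate)
                pos += 1                                  # false alarm from a merged chain
        return None


if __name__ == "__main__":
    t = RainbowTable(ALPHABET, 1, 3, chain_len=8, chain_count=300, seed=1)   # constructed
    target = t.plaintext(t._walk(t.starts[5], 0, 3))      # a plaintext the table covers
    print(target, "->", t.crack(hash_fn(target)))
    print("keyspace", t.space, "covered at most", len(t.table) * t.chain_len)
```

Doubling chain_len doubles the plaintexts each chain can cover and leaves the stored (end, start) pairs the same size, but crack time grows quadratically; doubling chain_count doubles the file and the coverage and leaves crack time unchanged. That is the slide's rule of thumb, and the reason rtgen output is split across several tables with different reduction functions rather than one enormous chain.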

74
Rainbow Table Configuration
75
Generating Rainbow Table with Winrtgen
  • Winrtgen (now in Cain and Abel) is a graphical
    Rainbow Tables Generator that supports LM,
    FastLM, NTLM, LMCHALL, HalfLMCHALL, NTLMCHALL,
    MSCACHE, MD2, MD4, MD5, SHA1, RIPEMD160,
    MySQL323, MySQLSHA1, CiscoPIX, ORACLE, SHA-2
    (256), SHA-2 (384) and SHA-2 (512) hashes.
  • Winrtgen can generate only rainbow table
    configuration0

76
Generating Rainbow Table with Winrtgen (cont.)
Generating 1 configuration0 table takes 2 days
on P3 1GHz machine
77
Generating Rainbow Table with Winrtgen (cont.)
Generating 5 configuration0 tables take 12 days
on P3 1GHz machine
78
Generating Rainbow Table (cont.)
  • 128,000,000 bytes    lm_alpha1-7_0_2100x8000000_all.rt
  • 128,000,000 bytes    lm_alpha1-7_1_2100x8000000_all.rt
  • 128,000,000 bytes    lm_alpha1-7_2_2100x8000000_all.rt
  • 128,000,000 bytes    lm_alpha1-7_3_2100x8000000_all.rt
  • 128,000,000 bytes    lm_alpha1-7_4_2100x8000000_all.rt
  • Sort the rainbow tables:
  • rtsort lm_alpha1-7_0_2100x8000000_all.rt
  • rtsort lm_alpha1-7_1_2100x8000000_all.rt
  • rtsort lm_alpha1-7_2_2100x8000000_all.rt
  • rtsort lm_alpha1-7_3_2100x8000000_all.rt
  • rtsort lm_alpha1-7_4_2100x8000000_all.rt

79
Cracking the Password
  • C:\rainbowcrack-1.2-win>rcrack
  • RainbowCrack 1.2 - Making a Faster Cryptanalytic Time-Memory Trade-Off
  • by Zhu Shuanglei <shuanglei@hotmail.com>
  • http://www.antsight.com/zsl/rainbowcrack/
  • usage: rcrack rainbow_table_pathname -h hash
  •        rcrack rainbow_table_pathname -l hash_list_file
  •        rcrack rainbow_table_pathname -f pwdump_file
  • rainbow_table_pathname: pathname of the rainbow table(s), wildcards (*, ?) supported
  • -h hash             use raw hash as input
  • -l hash_list_file   use hash list file as input, each hash in a line
  • -f pwdump_file      use pwdump file as input, this will handle LAN Manager hash only
  • example: rcrack *.rt -h 5d41402abc4b2a76b9719d911017c592
  •          rcrack *.rt -l hash.txt
  •          rcrack *.rt -f hash.txt

80
Cracking the Password (cont.)
  • rcrack c:\rainbowcrack\*.rt -f pwdumpfile.txt
  • rcrack c:\rainbowcrack\*.rt -l justhashlist.txt
  • rcrack c:\rainbowcrack\*.rt -h 213D466DB5B288F0F82E44EC0938F4F4
  • Where pwdumpfile.txt is the output of a hash-dumping utility such as pwdump2, pwdump3, or samdump that dumps the LAN Manager password hashes
  • If the password consists only of letters, rcrack should be able to crack it with a success rate of 99.9%

81
Cracking the Password (cont.)
82
Cracking the Password (cont.)
  • 26 of our 41 hashes were found in about 12 minutes
  • Also notice that the hash for the password "password" is the same for every account that uses it, because the LAN Manager hashing algorithm has no salt

83
Protecting yourself against RainbowCrack attacks
and other password attacks
  • Limiting physical access
  • Continue to force the use of special characters
  • Use ALT-XXX characters in your passwords
  • Keep up with updates
  • Use Pass phrases
  • Use Multi-factor authentication
  • Password Policy
  • Use NTLM or NTLMv2

84
Limiting Physical Access
  • One common attack, given physical access to a machine, is to use a bootable Linux distribution to boot into Linux and simply grab the SAM file off the Windows partition
  • IronGeek wrote a good tutorial on this method and even has a video you can watch: http://www.irongeek.com/i.php?page=security/localsamcrack2
  • Another interesting tool, released by eEye, is SysRQ2: http://research.eeye.com/html/tools/RT20060801-8.html
  • SysRq is a bootable CD image that allows a user to open a fully privileged (SYSTEM) command prompt on Windows 2000, Windows XP, and Windows Server 2003 systems by pressing Ctrl+Shift+SysRq at any time after startup

85
Continue to force the use of special characters
  • Rainbow tables can rip through an LM password containing any kind of special character, but generating such tables still takes a large amount of time (1-2 years)
  • In LC4 we go from 9-11 hours to brute force an alpha-numeric password to 91 days to brute force passwords that may contain any special character (not including ALT-XXX passwords)

86
Use ALT-XXX characters in your passwords
  • ALT characters are produced by holding down the ALT key and typing a three- or four-digit number sequence on the numeric keypad
  • Most password crackers cannot crack passwords with ALT characters
  • Most ALT characters also have the added benefit that a password containing them cannot be stored as an LM hash
  • The LM hash is then simply not stored, so there is nothing for an LM rainbow table to attack

87
ALT-XXX Characters
88
Use Passphrases
  • The easiest and simplest way to protect your network from password cracking
  • By using pass phrases longer than 14 characters AND containing special characters, you can protect yourself from all but the most determined attackers
  • If your network is Windows 2000 or above, the maximum length of a password or pass phrase is 127 characters, so the sky's the limit
  • A pass phrase like "This is my Stupid Pass Phrase!" is long enough to be stored only as NTLM or NTLMv2 (no LM hash), has uppercase, lowercase, spaces, and special characters, and is easy to remember
  • This is a much more secure password than even @w3cjdBeumDr

89
Questions?
  • Next week: Presentation Layer Security