Post on 09-Jun-2015
So, What’s in a Password?
Presented by Rob Gillen (@argodev)
This work is licensed under a Creative Commons Attribution 4.0 International License.
This talk and related resources are available online:
https://github.com/argodev/talks/
Don't be Stupid
The following presentation describes real attacks on real systems. Please note that most of the attacks described would be considered ILLEGAL if attempted on machines that you do not have explicit permission to test and attack. I assume no responsibility for any actions you perform based on the content of this presentation or subsequent conversations.
Please remember this basic guideline: With knowledge comes responsibility.
Disclaimer
The content of this presentation represents my personal views and thoughts at the present time. I reserve the right to change my views and opinions at any time. This content is not endorsed by, or representative in any way of my employer nor is it intended to be a view into my work or a reflection on the type of work that I or my group performs. It is simply a hobby and personal interest and should be considered as such.
Password Attacks
A Year in Review
Pixel Federation
In December 2013, a breach of the web-based game community based in Slovakia exposed over 38,000 accounts which were promptly posted online. The breach included email addresses and unsalted MD5 hashed passwords, many of which were easily converted back to plain text.
http://haveibeenpwned.com/
Vodafone
In November 2013, Vodafone in Iceland suffered an attack attributed to the Turkish hacker collective "Maxn3y". The data was consequently publicly exposed and included user names, email addresses, social security numbers, SMS messages, server logs and passwords from a variety of different internal sources.
http://haveibeenpwned.com/
Adobe
The big one. In October 2013, 153 million accounts were breached with each containing an internal ID, username, email, encrypted password and a password hint in plain text. The password cryptography was poorly done and many were quickly resolved back to plain text. The unencrypted hints also disclosed much about the passwords adding further to the risk that hundreds of millions of Adobe customers already faced.
http://haveibeenpwned.com/
Twitter
February 2013 - This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later. However, our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users.
https://blog.twitter.com/2013/keeping-our-users-secure
More...
cvideo.co.il – 10/15/2013 – 3,339
penangmarathon.gov.my – 10/8/2013 – 1,387
tomsawyer.com – 10/6/2013 – 57,462
ahashare.com – 10/3/2013 – 169,874
http://hackread.com/iranian-hackers-hack-israeli-job-site/
http://www.cyberwarnews.info/2013/10/07/45000-penang-marathon-participants-personal-details-leaked/
http://www.cyberwarnews.info/2013/10/07/software-company-tom-sawyer-hacked-61000-vendors-accounts-leaked/
http://www.cyberwarnews.info/2013/10/04/ahashare-com-hacked-complete-database-with-190-000-user-credentials-leaked/
https://shouldichangemypassword.com/all-sources.php
More...
Unknown Israeli website – 7/30/2013 – 26,064
UK emails – 7/17/2013 – 8,002
UK emails (part 2) – 7/17/2013 – 7,514
http://www.pakistanintelligence.com – 5/27/2013 – 75,942
http://hackread.com/opizzah-opisrael-phr0zenmyst-claims-to-leak-login-details-of-33895-israelis/
http://www.techworm.in/2013/07/more-than-15000-emails-username-and.html
http://www.ehackingnews.com/2013/05/pakistan-intelligence-job-board-website.html
More...
McDonalds Taiwan – 3/27/2013 – 185,620
karjera.ktu.lt – 3/14/2013 – 14,133
avadas.de – 3/9/2013 – 3,344
angloplatinum.co.za – 3/5/2013 – 7,967
http://www.cyberwarnews.info/2013/03/28/official-mcdonalds-austria-taiwan-korea-hacked-over-200k-credentials-leaked/
http://www.cyberwarnews.info/2013/03/14/14000-student-credentials-leaked-from-ktu-career-center-lithuania/
http://hackread.com/avast-germany-website-hacked-defaced-20000-user-accounts-leaked-by-maxney/
http://thehackernews.com/2013/03/worlds-largest-platinum-producer-hacked.html
More...
angloplatinum.com – 3/5/2013 – 723
Walla.co.il – 2/19/2013 – 531,526
Bank Executives – 2/4/2013 – 4,596
bee-network.co.za – 1/29/2013 – 81
http://thehackernews.com/2013/03/worlds-largest-platinum-producer-hacked.html
http://www.haaretz.com/news/national/anonymous-activists-hack-into-600-000-israeli-email-accounts.premium-1.504093
http://www.zdnet.com/anonymous-posts-over-4000-u-s-bank-executive-credentials-7000010740/
http://www.ehackingnews.com/2013/01/projectsunrise-team-ghostshell-leaked.html
More...
omni-id.com – 1/29/2013 – 1,151
moolmans.com – 1/29/2013 – 117
servicedesk.ufs.ac.za – 1/29/2013 – 3,952
servicedesk.ufs.ac.za (part 2) – 1/29/2013 – 355
http://www.ehackingnews.com/2013/01/projectsunrise-team-ghostshell-leaked.html
More...
westcol.co.za – 1/29/2013 – 99
digital.postnet.co.za – 1/29/2013 – 45,245
French Chamber of Commerce – 1/29/2013 – 515
http://www.ehackingnews.com/2013/01/projectsunrise-team-ghostshell-leaked.html
http://news.softpedia.com/news/French-Chamber-of-Commerce-and-Industry-Portal-Hacked-by-Tunisian-Cyber-Army-324716.shtml
Types of Attacks
Algorithm Weakness
Implementation Weaknesses
Dictionary Attacks
Brute-Force Attacks
Mask Attacks
Algorithmic Weaknesses
Collision, Second Pre-Image, Pre-Image
Confirmed: GOST, HAVAL, MD2, MD4, MD5, PANAMA, RadioGatun, RIPEMD, RIPEMD-160, SHA-0, SHA-1, Tiger(2) – 192/160/128, WHIRLPOOL
Theoretical: SHA-256/224, SHA-512/384
http://en.wikipedia.org/wiki/Cryptographic_hash_function
Account Hashes
Windows hash: EAD0CC57DDAAE50D876B7DD6386FA9C7
Linux hash: $6$OeKR9qBnzym.Q.VO$hM3uL03hmR4ZqAME/8Ol.xWGYAmVdpi3S4hWGLeugaKNj/HLzQPTz7FhjATYO/KXCNHZ8P7zJDi2HHb1K.xfE.
File Encryption
MS Office
PDFs
Zip/7z/rar
TrueCrypt
How do they work?
Known file-format/implementation weakness
Header data to indicate encryption type, key length, etc.
Often only some small portion needs to be decrypted to validate a guess
How is it that changing encryption keys is fast?
Your key encrypts the “real” key: the password-derived key only wraps a randomly generated data key, so changing the password re-wraps that one key and the bulk data is never re-encrypted.
Is it really cracking?
Password Guessing
    char candidate[maxPassLength + 1];          /* +1 for the terminating NUL */
    char alphanum[63] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                        "abcdefghijklmnopqrstuvwxyz"
                        "0123456789";           /* 62 symbols + NUL */

    /* for length 0 --> maxLength:
         for each position, for each char in alphanum ... (try every combination) */
Slightly Better...
    int min = 8;
    int max = 12;
    const char valid[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                         "abcdefghijklmnopqrstuvwxyz"
                         "0123456789";

    // known rules that prune the search space:
    // first & last must be a letter
    // no consecutive-ordered chars/nums
    // no repeated chars/nums
DEMO: Cracking a Windows Hash With oclHashCat
(more) Intelligent Password Guessing
What do people usually use?
What can we do to reduce the set of possibilities?
Cull terms/domain knowledge from relevant data
Dating sites, religious sites, others
Best: Already used/real-world passwords
Determine Your Goals
Cracking a single, specific pwd?
Cracking a large % of an “acquired set”?
Mark Burnett, author of Perfect Passwords
List of 6,000,000, culled down to the 10,000 most frequently used
The top 10,000 passwords account for 99.8% of all passwords
More Password Stats...
Overview
4.7% of users have the password password
8.5% have the passwords password or 123456
9.8% have the passwords password, 123456 or 12345678
14% have a password from the top 10 passwords
40% have a password from the top 100 passwords
79% have a password from the top 500 passwords
91% have a password from the top 1000 passwords
From a uniqueness standpoint...
99.6% of the unique passwords are used by only 0.18% of users
https://xato.net/passwords/more-top-worst-passwords/
Lists....
PACK
Password Analysis and Cracking Toolkit
Peter Kacherginsky, PasswordCon, 7/30-7/31
Intelligent cycle of cracking, analysis, rule generation
http://thesprawl.org/projects/pack/
Statistical Analysis
Password Length Analysis
Character Set Analysis
Word Mangling Analysis
Example: Length
https://thesprawl.org/media/research/passwords13-smarter-password-cracking-with-pack.pdf
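As an added illustration of the coverage statistics above and of PACK-style length, character-set and uniqueness analysis (example code written for this page, not PACK's own code), the following runs those measurements over a small constructed password sample; the sample values are made up and stand in for an acquired set.

```python
from collections import Counter

# Constructed sample standing in for an acquired password set (not real breach data).
SAMPLE = (
    ["password"] * 5 + ["123456"] * 3 + ["monkey"] * 2
    + ["Summer2013", "Tr0ub4dor&3", "letmein", "qwerty", "dragon1",
       "P@ssw0rd!", "abc123", "baseball", "iloveyou", "sunshine"]
)

def top_n_coverage(passwords, n):
    """Fraction of accounts whose password is one of the n most common ones."""
    covered = sum(count for _, count in Counter(passwords).most_common()[:n])
    return covered / len(passwords)

def length_distribution(passwords):
    """(length, count) pairs, most common length first."""
    return Counter(len(p) for p in passwords).most_common()

def charset_class(pw):
    """Label the character classes used, in the style of PACK's statsgen
    (loweralpha, numeric, mixedalphanum, mixedalphaspecialnum, ...)."""
    has_lower = any(c.islower() for c in pw)
    has_upper = any(c.isupper() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_special = any(not c.isalnum() for c in pw)
    parts = []
    if has_lower and has_upper:
        parts.append("mixedalpha")
    elif has_lower:
        parts.append("loweralpha")
    elif has_upper:
        parts.append("upperalpha")
    if has_special:
        parts.append("special")
    if has_digit:
        parts.append("num" if parts else "numeric")
    return "".join(parts) or "empty"

def charset_distribution(passwords):
    """(class, count) pairs, most common class first."""
    return Counter(charset_class(p) for p in passwords).most_common()

def singleton_share(passwords):
    """Uniqueness view: share of distinct passwords used by exactly one account,
    and the share of all accounts those passwords cover."""
    freq = Counter(passwords)
    singles = [p for p, c in freq.items() if c == 1]
    return len(singles) / len(freq), len(singles) / len(passwords)
```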
DEMO: Statistics on Real PWs
Advanced Analytics
Levenshtein Edit Distance
http://en.wikipedia.org/wiki/Levenshtein_distance
Levenshtein Edit Distance
Minimum number of single-character changes required to turn one string into another
Measure the distance between the actual (cracked) passwords and the base wordlist to optimize the word-mangling rules
e.g. XX% of cracked passwords can be reached with a Levenshtein edit distance of <=2
Only generate rules that match
http://www.let.rug.nl/~kleiweg/lev/
http://www.kurzhals.info/static/samples/levenshtein_distance/
What if I don't have your Password?
Pass the Hash
But we use SmartCards!?
Avoidance Techniques
Don’t use "monkey"
Don’t reuse "monkey"
If you must use "monkey", require something else as well
Salt is good
Your own salt is better
Utilize memory-hard algorithms
Utilize multiple iterations (a lot)
Your username is half of the equation
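An added example (not part of the talk) showing why the salt and work-factor advice matters: the unsalted MD5 scheme from the Pixel Federation breach next to a per-user salted, memory-hard scrypt record with a verifier. It uses only Python's hashlib; the scrypt parameters and record format are assumed values chosen for illustration.

```python
import hashlib
import hmac
import os

def md5_unsalted(password):
    """The Pixel Federation scheme: no salt and a single fast round, so every
    account with the same password stores the same value and one precomputed
    table (or one cracked hash) serves the whole dump."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Assumed work factors for illustration; n * r * 128 bytes (16 MiB here) is the
# memory each guess must touch, which is what blunts GPU/ASIC guessing.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

def hash_password(password, salt=None, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P):
    """Per-user random salt plus memory-hard scrypt; the record carries its own
    parameters so they can be raised later without breaking old accounts."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=n, r=r, p=p, dklen=32)
    return "$scrypt$%d$%d$%d$%s$%s" % (n, r, p, salt.hex(), digest.hex())

def verify_password(password, stored):
    """Recompute with the parameters stored in the record and compare in
    constant time; malformed or foreign records simply fail."""
    try:
        _, scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        expected = hashlib.scrypt(password.encode("utf-8"),
                                  salt=bytes.fromhex(salt_hex),
                                  n=int(n), r=int(r), p=int(p), dklen=32)
        return hmac.compare_digest(expected, bytes.fromhex(digest_hex))
    except ValueError:
        return False

def same_value_for_same_password(scheme, password):
    """True if two accounts sharing a password end up with identical stored
    values, i.e. the scheme lets an attacker crack them together."""
    return scheme(password) == scheme(password)
```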
References
http://haveibeenpwned.com/
https://lastpass.com/adobe/
https://lastpass.com/linkedin/
https://lastpass.com/lastfm/
https://shouldichangemypassword.com/all-sources.php
Questions/Contact
Rob Gillen
rob@gillenfamily.net
http://rob.gillenfamily.net
@argodev