Transcript of Figure 2-2: Server Password Cracking

Slide 1: Figure 2-2: Server Password Cracking
Reusable Passwords
  - A password you use repeatedly to get access to a resource on multiple occasions
  - Bad because an attacker will have time to learn it and can then use it
Difficulty of Cracking Passwords by Guessing Remotely
  - Usually cut off after a few attempts
Slide 2: Figure 2-2: Server Password Cracking
Hacking Root
  - Super accounts (can take any action in any directory)
  - "Hacking root" in UNIX
  - Super accounts in Windows (administrator) and NetWare (supervisor)
  - Hacking root is rare; usually the attacker can only hack an ordinary user account
  - May then be able to elevate the privileges of the user account to take root actions
Slide 3: Figure 2-2: Server Password Cracking
Physical Access Password Cracking
  - Brute-force password guessing
    - Try all possible character combinations
    - Longer passwords take longer to crack
    - Using more characters (a larger character set) also takes longer
      - Alphabetic, no case (26 possibilities)
      - Alphabetic, case (52)
      - Alphanumeric (letters and numbers) (62)
      - All keyboard characters (~80)
    - Slow with passwords of reasonable length
Slide 4: Figure 2-2: Password Length
Number of possible passwords (N^L) by password length L and character-set size N

Password length   Alphabetic,      Alphabetic,      Alphanumeric:       All keyboard
(characters)      no case (N=26)   case (N=52)      letters & digits    characters
                                                    (N=62)              (N=~80)
1                 26               52               62                  80
2 (N^2)           676              2,704            3,844               6,400
4 (N^4)           456,976          7,311,616        14,776,336          40,960,000
6                 308,915,776      19,770,609,664   56,800,235,584      2.62144E+11
8                 2.08827E+11      5.34597E+13      2.1834E+14          1.67772E+15
10                1.41167E+14      1.44555E+17      8.39299E+17         1.07374E+19
Slide 5: Figure 2-2: Server Password Cracking
Physical Access Password Cracking
  - Dictionary attacks
    - Try common words
    - There are only a few thousand of these
    - Very rapidly cracked
  - Hybrid attacks
    - Common word with a single digit at the end, etc.
  - l0phtcrack
    - Lower-case L, zero, "phtcrack"
    - Password cracking program
    - Run on the server (needs physical access)
    - Or copy the password file and run l0phtcrack on another machine
Slide 6: Figure 2-2: Server Password Cracking
Password Policies
  - Good passwords
    - At least 8 characters long
    - Change of case not at the beginning
    - Digit (0 through 9) not at the end
    - Other keyboard character not at the end
    - Example: triV6#ial
  - Testing and enforcing password policies
    - Run a password cracking program against your own servers (Caution: requires approval! SysAdmins have been fired for doing this without permission—and should be)
  - Password duration policies: how often passwords must be changed
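The following is an added example, not from the slides: it checks a candidate password against the "Good passwords" rules on the policy slide and sizes the brute-force search space N^L using the character-set sizes from the Password Length table. Reading each rule as "must contain X, but not at position Y" is my interpretation, and the function names are mine.

```python
# Added example, not from the slides: score a candidate password against the
# "Good passwords" rules on the policy slide and size the brute-force search
# space (N^L) from the Password Length table. The rule reading "must contain X,
# but not at position Y" is my interpretation; function names are mine.
import string

# Character-set sizes N from the Password Length table (~80 for all keyboard characters).
CHARSET_SIZES = {"alpha_nocase": 26, "alpha_case": 52, "alphanumeric": 62, "keyboard": 80}

def charset_class(password):
    """Smallest of the table's four character sets that contains every character."""
    if any(c not in string.ascii_letters + string.digits for c in password):
        return "keyboard"
    if any(c in string.digits for c in password):
        return "alphanumeric"
    if any(c.isupper() for c in password) and any(c.islower() for c in password):
        return "alpha_case"
    return "alpha_nocase"

def search_space(password):
    """Candidates N^L a brute-force guesser must try for this length and character set."""
    return CHARSET_SIZES[charset_class(password)] ** len(password)

def policy_violations(password):
    """Rules from the policy slide that the password breaks (empty list means it passes)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    letters = [c for c in password if c.isalpha()]
    if not (any(c.isupper() for c in letters) and any(c.islower() for c in letters)):
        problems.append("no change of case")
    elif letters[0].isupper() != letters[1].isupper():  # first case change between letters 1 and 2
        problems.append("change of case at the beginning")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    elif password[-1].isdigit():
        problems.append("digit at the end")
    if not any(not c.isalnum() for c in password):
        problems.append("no other keyboard character")
    elif not password[-1].isalnum():
        problems.append("other keyboard character at the end")
    return problems

if __name__ == "__main__":
    # Constructed candidates: the slide's example plus two that break the rules.
    for candidate in ("triV6#ial", "trivial1", "Trivial6#"):
        print(candidate, policy_violations(candidate) or "passes",
              "search space %.3e" % search_space(candidate))
```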
Slide 7: Figure 2-2: Server Password Cracking
Password Policies
  - Password sharing policies: generally, forbid shared passwords
    - Sharing removes the ability to learn who took actions; accountability is lost
    - A shared password usually is not changed often, or at all, because of the need to inform all sharers
  - Disabling passwords that are no longer valid
    - As soon as an employee leaves the firm, etc.
    - As soon as contractors and consultants leave
    - In many firms, a large percentage of all accounts are for people no longer with the firm
Slide 8: Figure 2-2: Server Password Cracking
Password Policies
  - Lost passwords
    - Password resets: the help desk gives a new password for the account
    - Opportunities for social engineering attacks
    - Leave the changed password on the requestor's answering machine
    - Biometrics: voice print identification of the requestor (but with a considerable false rejection rate)
  (New: not in the book)
Slide 9: Figure 2-2: Server Password Cracking
Password Policies
  - Lost passwords: automated password resets
    - Employee goes to a website
    - Must answer a question, such as "In what city were you born?"
    - Problem of easily guessed questions that can be answered with research
Slide 10: Figure 2-2: Server Password Cracking
Password Policies
  - Encrypted (hashed) password files (Figure 2-4)
    - Passwords are not stored in readable form
    - Encrypted with DES or hashed with MD5
    - In UNIX, /etc/passwd puts an x in place of the password
    - Encrypted or hashed passwords are stored in a different (shadow) file to which only high-level accounts have access
Slide 11: Figure 2-4: Password Hashing
Client PC (User Lee)                      Server
  1. User = Lee, Password = My4Bad  --->  2. Hash: My4Bad = 11110000
                                          3. Hashes match (computed hash compared with the stored hash for Lee)
                                          4. Hashes match, so the user is authenticated
Hashed password file on the server:
  Brown   11001100
  Lee     11110000
  Chun    00110011
  Hatori  11100010
Slide 12: Figure 2-5: UNIX /etc/passwd File Entries
Fields: User Name : Password : User ID : Group ID : GCOS : Home Directory : Shell

Without shadow password file (hashed password stored in /etc/passwd):
  plee:6babc345d7256:47:3:Pat Lee:/usr/plee/:/bin/csh

With shadow password file:
  plee:x:47:3:Pat Lee:/usr/plee/:/bin/csh

An x (or an asterisk) in the password field instead of the password indicates that the password is stored in a separate shadow password file
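Added example for Figures 2-4 and 2-5, not from the slides: it splits an /etc/passwd entry into the seven fields of Figure 2-5, detects the shadow placeholder, and runs the hash-and-compare login flow of Figure 2-4. SHA-256 stands in for the figure's toy 8-bit hash (and for the DES/MD5 the slides mention); the sample lines, the stored passwords for Brown, Chun and Hatori, and the function names are mine.

```python
# Added example, not from the slides: the /etc/passwd layout of Figure 2-5 and
# the hash-and-compare login of Figure 2-4. SHA-256 replaces the figure's toy hash;
# sample data, constructed passwords and function names are mine.
import hashlib
import hmac

PASSWD_FIELDS = ("user_name", "password", "user_id", "group_id", "gcos", "home_directory", "shell")

def parse_passwd_line(line):
    """Split one /etc/passwd entry into the seven colon-separated fields of Figure 2-5."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(PASSWD_FIELDS):
        raise ValueError("expected 7 fields, got %d: %r" % (len(parts), line))
    return dict(zip(PASSWD_FIELDS, parts))

def is_shadowed(entry):
    """True when the password field holds only a placeholder (x or *) and the hash is in the shadow file."""
    return entry["password"] in ("x", "*")

def hash_password(password):
    """Step 2 of Figure 2-4: hash the submitted password. Like the figure, no per-user salt is
    used here; a real system adds one so equal passwords do not produce equal stored hashes."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def authenticate(hashed_file, user, password):
    """Steps 3-4 of Figure 2-4: look up the user's stored hash and compare it with the hash of
    the submitted password. Unknown users are rejected; the comparison is constant-time."""
    stored = hashed_file.get(user)
    if stored is None:
        return False
    return hmac.compare_digest(stored, hash_password(password))

# Constructed sample data: the two entries of Figure 2-5 and the hashed password file of
# Figure 2-4 (stored hashes computed here from constructed passwords; Lee's is My4Bad).
WITH_SHADOW = "plee:x:47:3:Pat Lee:/usr/plee/:/bin/csh"
WITHOUT_SHADOW = "plee:6babc345d7256:47:3:Pat Lee:/usr/plee/:/bin/csh"
HASHED_PASSWORD_FILE = {
    "Brown": hash_password("constructed-brown"),
    "Lee": hash_password("My4Bad"),
    "Chun": hash_password("constructed-chun"),
    "Hatori": hash_password("constructed-hatori"),
}

if __name__ == "__main__":
    for line in (WITH_SHADOW, WITHOUT_SHADOW):
        entry = parse_passwd_line(line)
        print(entry["user_name"], "shadowed" if is_shadowed(entry) else "hash in /etc/passwd", entry["shell"])
    print("Lee / My4Bad ->", authenticate(HASHED_PASSWORD_FILE, "Lee", "My4Bad"))
    print("Lee / wrong  ->", authenticate(HASHED_PASSWORD_FILE, "Lee", "wrong"))
```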
Slide 13: Figure 2-2: Server Password Cracking
Password Policies
  - Windows passwords
    - Obsolete LAN Manager passwords (7 characters maximum) should not be used
    - Windows NTLM passwords are better
    - Option (not the default) to enforce strong passwords
Slide 14: Figure 2-2: Server Password Cracking
Shoulder Surfing
  - Watch someone as they type their password
Keystroke Capture Software
  - Professional versions of Windows protect RAM during password typing
  - Consumer versions do not
  - A Trojan horse throws up a login screen later and reports its findings to attackers
Slide 15: Figure 2-2: Server Password Cracking
Windows Client PC Software
  - Consumer version login screen is not for security
  - Windows professional and server versions provide good security with the login password
  - BIOS passwords allow boot-up security
    - Can be disabled by removing the battery
    - But during a battery removal, the attacker will be very visible
  - Screen savers with passwords allow away-from-desk security after boot-up