Hands-On Network Security: Practical Tools & Methods (PowerPoint presentation)

SLIDE 1

Hands-On Network Security: Practical Tools & Methods

Security Training Course

  • Dr. Charles J. Antonelli

The University of Michigan 2012

SLIDE 2

Hands-On Network Security

Module 4 Password Strength & Cracking

SLIDE 3

Roadmap

  • Password Authentication
  • How Passwords are Cracked
  • Countermeasures

04/12 cja 2012 3

SLIDE 4

Password Authentication

SLIDE 5

Password Representations

  • UNIX: DES “hashes” (old technology, but still around)
  • Linux: salted SHA-512, SHA-256, MD5 or Blowfish hashes (the crypt(3) variants)
  • Mac OS X: salted SHA-1 hashes (10.4–10.6; Lion and later moved to salted SHA-512)

SLIDE 6

UNIX “Hash” Generation

  • Password truncated to 8 characters
  • Low 7 bits of each character form a 56-bit DES key
  • The key encrypts a constant (a 64-bit block of zeros) 25 times with a salt-modified variant of DES (DES’)
  • Output: 2 salt characters followed by 11 characters encoding the ciphertext

Key MGoBlue1 → DES’ (constant 0x0000000000000000) → UNIX “hash” zvktPWeeFzCVA

SLIDE 7

UNIX “Hash” Considerations

  • It’s not a hash: the password is the DES key and a constant is the plaintext (one-way, but not a hash function)
  • Keyboard character set
  • Common alphanumeric set only
  • Character variations ≈ 126 (7 bits per character)
  • Maximum key space ≈ 126^8 ≈ 6.3*10^16 passwords (about 56 bits)
  • Salted (12-bit salt, 4096 values, stored as the first two characters)

SLIDE 8

Linux Hash Generation

  • Hash the password together with a random salt (SHA-512, 5000 rounds by default)
  • Store the result in /etc/shadow

MGoBlue1 → SHA-512 crypt →
$6$dmk52gd$TWOWIDs1q6/uZ.t49s.YkFQr3zeTGzrYwN33Ep2pdTKwHekN/O2hK0QuSTtUYNmS5Homqtp9lA/jf0hWRE7Bb/

Format $id$salt$hash: “6” selects SHA-512, “dmk52gd” is the salt, and the remaining 86 characters encode the 512-bit result

SLIDE 9

Linux Hash Considerations

  • Keyboard character set
  • Common alphanumeric set only
  • Character variations ≈ 126
  • Maximum length = 256 characters
  • Key space for a 256-character password ≈ 126^256 ≈ 4.9*10^537
  • Key space for a 20-character password from the 126-character set ≈ 126^20 ≈ 1.0*10^42
  • Key space for a 20-character password from the 69-character “keyboard” set ≈ 69^20 ≈ 6.0*10^36
  • Salted (up to 16 characters of salt)

SLIDE 10

Linux Passwords

  • Password hashes stored in /etc/shadow, readable only by root
  • Other per-user information stored in /etc/passwd, world readable
  • Traditional UNIX stored both in /etc/passwd!

SLIDE 11

Linux Hashes

  • Several hashes available
  • Use SHA-512!

  ID     Method
  $1$    MD5
  $2a$   Blowfish (some distros)
  $5$    SHA-256
  $6$    SHA-512 (default)
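
A small audit that applies this table to an /etc/shadow file, flagging DES and MD5 hashes, empty password fields and SHA-crypt hashes with a reduced round count. This is an added example, not code from the slides: the shadow contents are constructed (the trout and legacy entries reuse the hashes from slides 8 and 6; the other hash bodies are placeholders, not real hashes), and the bcrypt ($2a$, $2b$, $2y$) and yescrypt ($y$) identifiers go beyond the slide's table to cover what current distributions emit.

```python
"""Audit the hash fields of an /etc/shadow file for weak or legacy schemes.
Added example; SAMPLE_SHADOW is constructed.  Run audit(open("/etc/shadow").read())
as root to check a live system."""
import re

# Modular-crypt identifiers: the slide's table plus bcrypt variants and yescrypt.
SCHEMES = {
    "1": ("md5-crypt", "weak"),
    "2a": ("bcrypt", "ok"), "2b": ("bcrypt", "ok"), "2y": ("bcrypt", "ok"),
    "5": ("sha256-crypt", "ok"),
    "6": ("sha512-crypt", "ok"),
    "y": ("yescrypt", "ok"),
}
MCF_RE = re.compile(r"^\$([^$]+)\$(?:rounds=(\d+)\$)?")   # $id$[rounds=N$]salt$hash
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")                # traditional crypt(3)

# Constructed sample. Only trout (slide 8) and legacy (slide 6) carry real hashes.
SAMPLE_SHADOW = """\
root:$6$rounds=10000$Qm3zP7bU$placeholderplaceholderplaceholder:15800:0:99999:7:::
daemon:*:15800:0:99999:7:::
cheap:$6$rounds=1000$aB3dE5fG$placeholderplaceholderplaceholder:15800:0:99999:7:::
sucker:$1$Sx8Bz9Kq$placeholderplaceholder:15800:0:99999:7:::
trout:$6$dmk52gd$TWOWIDs1q6/uZ.t49s.YkFQr3zeTGzrYwN33Ep2pdTKwHekN/O2hK0QuSTtUYNmS5Homqtp9lA/jf0hWRE7Bb/:15800:0:99999:7:::
legacy:zvktPWeeFzCVA:15800:0:99999:7:::
nopass::15800:0:99999:7:::
olduser:!!:15800:0:99999:7:::
"""


def classify(field):
    """Return (scheme, severity, note) for one shadow hash field."""
    if field == "":
        return "none", "critical", "empty field: login succeeds with no password"
    if field[0] in "!*":
        return "locked", "info", "password login disabled (locked or no password set)"
    m = MCF_RE.match(field)
    if m:
        ident, rounds = m.group(1), m.group(2)
        name, severity = SCHEMES.get(ident, ("unknown $%s$" % ident, "review"))
        if ident in ("5", "6"):
            r = int(rounds) if rounds else 5000          # glibc default
            if r < 5000:
                return name, "weak", "rounds=%d is below the 5000 default" % r
            return name, severity, "%d rounds" % r
        if ident == "1":
            return name, severity, "fixed 1000 MD5 iterations; deprecated"
        return name, severity, "modular crypt format"
    if DES_RE.match(field):
        return "des-crypt", "weak", "traditional DES: 8-char maximum, 12-bit salt"
    return "unparsed", "review", "unrecognised hash field"


def audit(shadow_text):
    """Parse shadow-format text; return [(user, scheme, severity, note), ...]."""
    rows = []
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        rows.append((fields[0],) + classify(fields[1]))
    return rows


def findings(shadow_text):
    """Only the rows an administrator must act on (neither 'ok' nor 'info')."""
    return [r for r in audit(shadow_text) if r[2] not in ("ok", "info")]


if __name__ == "__main__":
    for user, scheme, severity, note in audit(SAMPLE_SHADOW):
        print("%-8s %-13s %-9s %s" % (user, scheme, severity, note))
```

The check is on the prefix only, so it runs against a live file in milliseconds; the DES pattern deliberately comes after the modular-crypt match because a 13-character field without a leading “$” is the only form traditional crypt(3) produces.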

SLIDE 12

SHA-3 Hash Contest Update

  • MD5 broken (practical collisions), SHA-1 weakened (theoretical collision attacks); SHA-2 shares SHA-1’s design, so NIST wanted an independent alternative
  • NIST competition for a SHA-3
  • Timeframe 2008-2012
  • 51 candidates submitted for Round 1
  • 14 candidates in Round 2

 BLAKE, Blue Midnight Wish, CubeHash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, and Skein

  • Final candidates announced December 10, 2010

 BLAKE, Grøstl, JH, Keccak, and Skein

  • Final SHA-3 candidate conference held March 2012

 http://csrc.nist.gov/groups/ST/hash/sha-3/Round3/March2012/index.html

  • SHA-3 standard to be published 2012

SLIDE 13

Choosing A Password

  • Good
    • Pass phrases (much longer than 8 characters)
    • miX cAsE
    • digits/punctuation
    • control characters
    • easy to remember
    • no words in any language
  • Bad
    • people’s names
    • dictionary/technical words or phrases
    • birth dates
    • places
    • common acronyms
    • backwards spelling
    • simple permutations
    • 8 characters or less

SLIDE 14

Choosing A Password 2012

  • Good
    • Pass phrases (much longer than 8 characters)
  • Bad
    • Everything else

SLIDE 15

How Passwords are Cracked

SLIDE 16

Passive Online Attacks

Man-in-the-Middle and Replay Attacks

  • Somehow get access to the communications channel
  • Wait for an authentication sequence
  • Proxy the authentication traffic
  • No need to brute-force
  • Considerations
    • Relatively hard to perpetrate
    • Must be trusted by one or both sides
    • Some tools widely available (anyone remember MarketScore?)

SLIDE 17

Active Online Attacks

Password guessing

  • Try different passwords until one works
  • Made easier by
    • Bad passwords
    • Excessive information from the server (e.g. telling the client whether the username or the password was wrong)
    • Lack of password-guessing controls (lockout, rate limiting)
  • Considerations
    • Assuming good passwords, is this even feasible?
      • Common 8-character password space: 69^8 ≈ 5.1*10^14
      • Password expires in 90 days = 7,776,000 seconds
      • Need to guess ≈ 6.6*10^7 passwords/second
      • At just 8 bytes per guess that is ≈ 4.2*10^9 bits/second; Gigabit Ethernet = 10^9 bits/second, and a real login attempt costs far more than 8 bytes
    • Easily detected and stopped
  • Core problem: bad passwords
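
The feasibility arithmetic on this slide, and the key-space figures on slides 7 and 9, generalised into a small calculator. This is an added example, not part of the original slides; the 8-bytes-per-guess cost, the 90-day expiry and the 1 Gbit/s link are the slide's assumptions, turned into parameters so other policies can be compared the same way.

```python
"""Password key space and the feasibility of online guessing.
Added example generalising the arithmetic of slides 7, 9 and 17."""
import math

GIGABIT_ETHERNET = 1_000_000_000   # bits/second, the slide's yardstick
SECONDS_PER_DAY = 86_400
PASSWORD_BYTES = 8                 # the slide's per-guess cost: the password alone


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """Entropy if every symbol were chosen uniformly at random.  An upper
    bound: human-chosen passwords carry far less."""
    return length * math.log2(alphabet_size)


def guesses_per_second(alphabet_size, length, expiry_days):
    """Sustained rate needed to try the whole space within one expiry period
    (integer ceiling division, so huge spaces do not overflow a float)."""
    seconds = expiry_days * SECONDS_PER_DAY
    return -(-keyspace(alphabet_size, length) // seconds)


def link_bits_per_second(alphabet_size, length, expiry_days, bytes_per_guess=PASSWORD_BYTES):
    """Throughput that rate needs.  8 bytes/guess is a lower bound; a real
    login round trip (TCP, TLS, protocol framing) costs hundreds of bytes."""
    return guesses_per_second(alphabet_size, length, expiry_days) * bytes_per_guess * 8


def online_exhaustion_feasible(alphabet_size, length, expiry_days,
                               link_bps=GIGABIT_ETHERNET, bytes_per_guess=PASSWORD_BYTES):
    """True if an attacker could push every guess through the link in time."""
    return link_bits_per_second(alphabet_size, length, expiry_days, bytes_per_guess) <= link_bps


def report(alphabet_size, length, expiry_days=90):
    """One summary line for a policy, in the spirit of the slide's figures."""
    verdict = ("feasible" if online_exhaustion_feasible(alphabet_size, length, expiry_days)
               else "infeasible")
    return ("%d symbols x %d chars: %.1f bits, %s guesses/s to exhaust in %d days, "
            "%.2e bit/s at %d B/guess: online exhaustion %s"
            % (alphabet_size, length, entropy_bits(alphabet_size, length),
               format(guesses_per_second(alphabet_size, length, expiry_days), ","),
               expiry_days, link_bits_per_second(alphabet_size, length, expiry_days),
               PASSWORD_BYTES, verdict))


if __name__ == "__main__":
    for alphabet_size, length in ((126, 8), (69, 8), (10, 4), (69, 20)):
        print(report(alphabet_size, length))
```

The 4-digit PIN row is the instructive one: exhausting 10,000 values over 90 days needs a single guess per second, which is why lockout and rate limiting, not the link, are the real control for short secrets.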

SLIDE 18

Offline Attacks

  • Attacker has password database
  • Not that hard: Need to be admin (or steal the box)
  • Can attack at leisure. Attack types:
    • Dictionary attack
      • Very fast
      • Core problem: bad passwords
    • Brute force attack
      • Alphanumerics, then alphanumerics + upper-row symbols, etc.
      • Slow, but will eventually find all passwords
    • Hybrid
      • Start with a dictionary, insert entropy (case changes, appended digits, substitutions)
    • Pre-computed hashes
      • Rainbow tables
      • Time-space tradeoff
  • Considerations
    • Moore’s law: the brute-forceable space grows every year
SLIDE 19

John the Ripper

  • http://www.openwall.com/john/
  • Fast, open-source password cracker
  • Created by Solar Designer
  • Active development group
  • Runs on Linux, Mac OS X, Solaris, Android, …
  • Handles DES, BSDI DES, FreeBSD MD5, OpenBSD Blowfish, Kerberos AFS DES and LM DES hashes
  • Runs well on HPC clusters using OpenMP
  • No GPU support yet
    • But see http://www.elcomsoft.com/edpr.html?r1=Openwall

SLIDE 20

Lab: Crack Passwords

1. Install John the Ripper
  • cd; tar zxf /usr/local/lab/john/john-1.7.9.tar.gz; cd ~/john-1.7.9/doc
  • Follow the directions in INSTALL & README

2. Create a test account with a weak password using MD5 hashing
  • sudo vi /etc/pam.d/system-auth
    • Change the string sha512 to md5 in the third paragraph
  • sudo useradd sucker
  • sudo passwd sucker

3. Undo the change to system-auth you made in step 2.

4. Create a test account with a weak password using SHA-512 hashing
  • sudo useradd trout
  • sudo passwd trout

5. Obtain the password hashes
  • cd ~/john-1.7.9/run; sudo ./unshadow /etc/passwd /etc/shadow >passwd.1

6. Crack
  • ./john passwd.1

SLIDE 21

Lab: Crack Passwords

  • You can interrupt at any time (Ctrl-C) and restart with
    • ./john --restore
  • If you want to start over
    • rm john.pot john.rec
  • To display all passwords found so far
    • ./john --show passwd.1
  • To see how fast John is on your machine
    • ./john --test
  • When done, delete the test accounts and the local password and crack files!
    • sudo userdel sucker; sudo userdel trout
    • /bin/rm ~/john-1.7.9/run/{john.pot,john.rec,passwd.1}

SLIDE 22

Rainbow Tables

  • What if you precomputed the password hashes?
  • All Windows LM Hashes: 166 Terabytes
  • All Windows NT Hashes < 15 chars: 140,959,235,198 Exabytes
  • This would result in faster cracking, at the cost of storing all those hashes
  • This is the time-memory tradeoff
  • Implemented using hash chains
    • Clever way to link the hashes into chains
    • Only store 1 in 10,000 hashes

  • Rainbow tables improve on hash chains
  • Reduce collisions (overlapping chains)
  • Ineffective against salted hashes
  • Unix, Linux, and Mac OS X hashes are salted
  • Windows NT hashes are not
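
The hash-chain and rainbow-table mechanism above on a toy space, as an added example that is not part of the slides: 4-digit PINs hashed with SHA-256, chains of length 40 with a different reduction function per column (the rainbow-table refinement that keeps colliding chains from merging), and only the chain endpoints stored. The constants are chosen for the demo; the table holds roughly one value per seventeen in the space yet recovers most PINs, and a salted hash is never found because the table was built for the unsalted function.

```python
"""Hash chains and a rainbow table on a toy space, and why salting defeats them.
Added example; space, hash and chain parameters are chosen for the demo."""
import hashlib

SPACE = 10_000        # number of possible plaintexts (4-digit PINs)
CHAIN_LEN = 40        # hashes covered by each chain
NUM_CHAINS = 600      # endpoints stored: about 1 in 17 of the space


def H(text):
    """The hash being attacked (unsalted)."""
    return hashlib.sha256(text.encode()).digest()


def R(digest, column):
    """Reduction: map a digest back into the PIN space.  A different reduction
    per column is what makes this a rainbow table rather than a plain hash
    chain: two chains colliding in different columns no longer merge."""
    return "%04d" % ((int.from_bytes(digest[:8], "big") + column) % SPACE)


def build_table(num_chains=NUM_CHAINS, chain_len=CHAIN_LEN):
    """Precompute the chains; keep only endpoint -> start(s)."""
    table = {}
    for k in range(num_chains):
        start = "%04d" % ((k * 7919) % SPACE)    # 7919 is prime, so starts are distinct
        x = start
        for column in range(chain_len):
            x = R(H(x), column)
        table.setdefault(x, []).append(start)    # chains that merged share an endpoint
    return table


def lookup(table, target, chain_len=CHAIN_LEN):
    """Recover a plaintext whose hash is `target`, or None if the table misses it."""
    for column in range(chain_len - 1, -1, -1):
        # Assume target sits in this column and roll forward to an endpoint.
        y = R(target, column)
        for j in range(column + 1, chain_len):
            y = R(H(y), j)
        for start in table.get(y, ()):
            # Regenerate that chain and confirm: endpoint hits can be false
            # alarms when a different chain merged into the same endpoint.
            x = start
            for j in range(chain_len):
                hx = H(x)
                if hx == target:
                    return x
                x = R(hx, j)
    return None


def coverage(table, pins):
    """Fraction of the given PINs the table recovers."""
    return sum(lookup(table, H(p)) == p for p in pins) / len(pins)


if __name__ == "__main__":
    table = build_table()
    sample = ["%04d" % (i * 37 % SPACE) for i in range(100)]
    print("stored endpoints:", len(table), "of", SPACE, "possible values")
    print("recovered %.0f%% of a %d-PIN sample" % (100 * coverage(table, sample), len(sample)))
    # Salting: the table covers H(pin); H(salt + pin) is a different function.
    print("unsalted 3757:", lookup(table, H("3757")))
    print("salted   3757:", lookup(table, H("x7Qp:3757")))
```

A lookup costs about chain_len²/2 hash evaluations instead of a table the size of the space, which is the time-memory tradeoff the slide describes; with a per-user salt the attacker would need one such table per salt value, which for a 12-bit DES salt is 4096 tables and for a 16-character SHA-crypt salt is hopeless.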

SLIDE 23

Rainbow Tables

  • http://ophcrack.sourceforge.net/
  • Windows password cracker that uses rainbow tables
  • Cracks LM and NT hashes
  • Live CD support
  • Free tables for Windows XP and Vista (dictionary based)
  • For-fee tables for Vista (NTLM)
  • Seems to be moribund
  • http://www.freerainbowtables.com/
  • “Folding@home” distributed cracking model
  • Terabytes of tables
  • Free tables
  • For-fee tables
  • Seems to be quite active

SLIDE 24

Countermeasures

SLIDE 25

Policy-Based Mitigation

  • Develop a password policy
  • Require pass phrases
  • Greater than 15 mixed characters
  • Password expiration for all accounts
  • No password reuse (temporal and spatial)
  • Account lockout (where appropriate)
  • Physical security policy
  • Cornerstone for any security
  • No physical security = no security
  • No policy = no enforcement

SLIDE 26

Pass Phrases v. Passwords

  • Pass phrases are long strings
  • “I wish we’d use 2Factor authentication instead of passwords”
  • Very strong protection against attacks
  • Easy to remember, a bit longer to type
  • Passwords are short complex strings
  • “@Rag0Rnrul3z”
  • Hard to remember
  • Often difficult to type
  • Not resistant against current attacks

 Obvious substitutions are quickly broken

  • Take-away: long, easily-remembered phrases are better than short complex passwords

http://xkcd.com/936/

SLIDE 27

Technology-Based Mitigation

Multi-factor authentication

  • Why use passwords at all?
  • Smart cards
  • Two-factor authentication
    • Very difficult to thwart
    • High cost of initial deployment: smart cards, tokens, readers, software, …
    • Long-term cost benefit
  • Idea: use your smartphone as your token
    • http://www.duosecurity.com/

SLIDE 28

Technology-Based Mitigation

Multi-factor authentication

  • Biometrics
    • Measure some physical characteristic: fingerprint, iris pattern, retinal pattern, …
    • Usually defeated with non-technical attacks
    • Historically unreliable
      • False positives: bad guy authenticated
      • False negatives: legitimate user refused
    • Can be stolen (and, unlike a password, cannot be changed afterwards)
    • Iris scanners popular

(Image: courtesy Wikipedia)

SLIDE 29

Summary

  • Bad passwords get broken, even when using good storage and authentication methods!
  • Solutions
    1. Use better passwords
    2. Don’t let bad guys get the hashes
  • Combination of policy and technology

SLIDE 30

References

  • http://en.wikipedia.org/wiki/NIST_hash_function_competition
  • http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/submissions_rnd2.html
  • http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/presentations/BURR_SHA-3Conf-day_1_wrapup.pdf
  • http://en.wikipedia.org/wiki/Rainbow_tables
  • http://ophcrack.sourceforge.net/
  • man 3 shadow
  • man 3 crypt

SLIDE 31

http://threatpost.com/en_us/blogs/social-engineering-attacks-prove-failure-user-education-042110