The Truth About Protecting Passwords
COEN 150: Intro to Information Security
Mary Le, Carol Reiley

Upload: barnaby-elmer-howard

Post on 16-Jan-2016


TRANSCRIPT

Page 1: The Truth About Protecting Passwords

COEN 150: Intro to Information Security

Mary Le
Carol Reiley

Page 2: Outline

Trojan Horses
Buffer Overflow
Login Scripting
Password Cracking
LC4 (L0phtCrack)

Page 3: Types of Attacks

Dictionary Attack: Guessing every single word from an electronic dictionary.

Syllable Attack: Used when a password is transformed into a nonexistent word and the cracker can combine the syllables to get such a word.

Rule-based Attack: Used in any case when the cracker obtains some information about the password he wants to crack. This information can decrease the number of possible passwords by 20-30 times. This method includes all of the others: brute force, dictionary and syllable attacks.

Page 4: Protecting Your Password

Choose software that uses strong cryptography and implements it correctly.
Choose non-words, mixed-case letters and digits.
Do not use the same password for different systems or for different internet sites.
Do not write down your password and leave it near your desktop.

Page 5: Trojan Horses

The name comes from a story in Homer’s Iliad.
A Trojan horse is defined as a "malicious, security-breaking program that is disguised as something benign."
They rely on users to install them, or they can be installed by intruders who have gained unauthorized access by other means.
They hook themselves into the victim’s operating system and always come packaged with two files – the client file and the server file.

Page 6: Well Known Trojan Functions

Managing files on the victim computer
Managing processes
Remote activation of commands
Intercepting keystrokes
Restarting and closing down infected hosts

Page 7: Protecting Against Trojans

System administrators should verify software installed
Use cryptographically strong validation for all software
Use lowest priority
Install and configure a tool such as Tripwire
Bring awareness
Use firewalls and virus products that are aware of popular Trojan horses
Do not rely on timestamps, file sizes, or other file attributes when trying to determine if a file contains a Trojan horse

Page 8: Buffer Overflow

A buffer is a contiguous allocated chunk of memory, such as an array or a pointer in C. In C and C++, there is no automatic bounds checking on the buffer, which means a user can write past a buffer.

Malicious programs attempt to write beyond the allocated memory for the buffer, which might result in unexpected behavior.
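As an added illustration of the slide's point (not part of the original deck), a C function that copies a username with strcpy() beside a hardened version that takes the buffer size and rejects input that does not fit; NAME_MAX, the function names and the sample inputs are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* fixed-size stack buffer, as a login prompt might use */

/* Vulnerable form: strcpy() performs no bounds check, so an input longer than
 * NAME_MAX - 1 characters writes past the end of 'name' on the stack. Shown
 * for contrast only; main() never calls it. */
void copy_name_unsafe(char name[NAME_MAX], const char *input)
{
    strcpy(name, input);          /* copies strlen(input)+1 bytes, whatever that is */
}

/* Hardened form: the caller passes the buffer size and the function rejects
 * input that does not fit instead of overflowing or silently truncating.
 * Returns 0 on success, -1 if the input was rejected. */
int copy_name_checked(char *name, size_t name_size, const char *input)
{
    size_t len = strlen(input);
    if (name_size == 0 || len >= name_size) {   /* no room for text plus NUL */
        if (name_size > 0)
            name[0] = '\0';
        return -1;
    }
    memcpy(name, input, len + 1);               /* includes the terminating NUL */
    return 0;
}

int main(void)
{
    char name[NAME_MAX];
    /* Constructed inputs: one that fits and one 24-character string that does not. */
    const char *ok_input = "alice";
    const char *long_input = "AAAAAAAAAAAAAAAAAAAAAAAA";

    if (copy_name_checked(name, sizeof name, ok_input) == 0)
        printf("accepted: %s\n", name);
    if (copy_name_checked(name, sizeof name, long_input) != 0)
        printf("rejected: %zu bytes do not fit in a %zu-byte buffer\n",
               strlen(long_input) + 1, sizeof name);
    return 0;
}
```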

Page 9: Login Scripting

Guess passwords by using brute force methods.

These programs attempt to guess the correct password by running some form of text file, such as an online dictionary file, as the password, and using the guess in combination with a username to log in.

Simple, can be written in as few as 40 lines of Perl code.

Page 10: Drawbacks

Login timeouts
Very time consuming
Locks on accounts

Page 11: Password Cracking

Password files would have to be obtained beforehand in order for this method to work.

A password cracking program takes a dictionary text file and performs the hash on all of the words in the file. These hashed words are then compared with the values in the encrypted password file.

Can be run on the hacker’s local machine.
Efficient, no login has to take place.

Page 12: @stake’s LC4

Formerly known as L0phtCrack
LC4 is available free to the public for a 15-day trial period
Cracks Windows NT/2000 passwords
LC4 uses brute force, dictionary cracking, and hybrid cracking features to guess passwords
LC4 offers the option of cracking the newer NT hashes, or the older LanManager hashes, which can be done much quicker because the algorithm has been reverse engineered

Page 13: @stake’s LC4

According to @stake, in a technology corporation where password policy required that users’ passwords contain a minimum of 8 characters, including both lower and upper case and either numbers or special symbols, running LC4 on a Pentium II/300 system gathered 18% of the company’s passwords in as little as 18 minutes, and 90% of the passwords were obtained within 48 hours. Even the system administrator and most domain administrator passwords were cracked.

Page 14: How LC4 works

User must gain access to the NT Security Accounts Manager (SAM), which contains the usernames and encrypted passwords of all users on the system.

The passwords in the SAM file are encrypted using a one way hash cryptographic function:
LanManager
NT hashing

Page 15: Ways to obtain the SAM

The SAM is locked and protected by the operating system; however, there are vulnerabilities in the NT system that will allow access to the file.

Boot the system to an alternate OS, such as DOS.
The SAM file will then be open for anyone to access.

Page 16: Ways to obtain the SAM

Whenever the NT repair disk utility is executed, a compressed version of the SAM is stored in the system root repair directory.
This backup copy of the SAM is left in the open.
LC4 can extract and uncompress this backup copy.

Page 17: Ways to Obtain the SAM

If a user has administrative access to a system, he can extract the hashes from the SAM.
Force another process with system administrator privileges to load and execute the malicious DLL code into its own address space.
Gain access to the password hashes without having to decrypt any of the passwords.

Page 18: Protecting Against LC4

Maintain a strong password!
LanManager hash – passwords are stored in two seven character segments.
Keep your password either 7 characters, or 14 characters.
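An added example, not from the original slides, showing why the 7-or-14 advice follows from the LanManager scheme: the password is upper-cased, NUL-padded to 14 bytes and split into two 7-byte halves that are hashed independently. The DES step applied to each half in the real scheme is left out here (an assumption of this demo, since it does not change the per-half search space), and the function names and sample passwords are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define LM_LEN  14   /* LanManager hashes at most 14 characters... */
#define LM_HALF 7    /* ...as two independent 7-character halves */

/* Prepare a password the way the LanManager scheme does before hashing:
 * upper-case it, NUL-pad it to 14 bytes and split it into two 7-byte halves.
 * The per-half DES step of the real scheme is omitted (demo assumption); it
 * does not change the point, because each half is hashed on its own.
 * Returns 0 on success, -1 if the password exceeds 14 characters. */
int lm_split(const char *password, char first[LM_HALF + 1], char second[LM_HALF + 1])
{
    unsigned char padded[LM_LEN] = {0};
    size_t n = strlen(password);
    if (n > LM_LEN)
        return -1;
    for (size_t i = 0; i < n; i++)          /* mixed case is lost here */
        padded[i] = (unsigned char)toupper((unsigned char)password[i]);
    memcpy(first, padded, LM_HALF);
    first[LM_HALF] = '\0';
    memcpy(second, padded + LM_HALF, LM_HALF);
    second[LM_HALF] = '\0';
    return 0;
}

/* Characters an attacker must actually guess to recover the second half.
 * An 8-character password leaves exactly one; a 7-character password leaves
 * none, so its second-half hash is a fixed value that reveals the length.
 * Also returns 0 for passwords the scheme cannot hold at all. */
size_t lm_second_half_chars(const char *password)
{
    char first[LM_HALF + 1], second[LM_HALF + 1];
    if (lm_split(password, first, second) != 0)
        return 0;
    return strlen(second);
}

int main(void)
{
    /* Constructed sample passwords of 7, 8 and 14 characters. */
    const char *samples[] = { "s3cret!", "Passw0rd", "CorrectHorse12" };
    for (size_t i = 0; i < 3; i++) {
        char first[LM_HALF + 1], second[LM_HALF + 1];
        lm_split(samples[i], first, second);
        printf("%-14s -> [%s] [%s], %zu char(s) to guess in second half\n",
               samples[i], first, second, lm_second_half_chars(samples[i]));
    }
    return 0;
}
```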

Page 19: John the Ripper

Popular UNIX password cracking program
Similar to LC4, uses brute force, dictionary cracking, and hybrid cracking techniques
Can configure itself to detect the kind of encryption function used in hashing for that particular version of UNIX

Page 20: Password Sniffing

Works across networks
Can obtain any information passed across the data link layer
The majority of popular applications pass cleartext passwords across the network, such as FTP, telnet, HTTP

Page 21: Dsniff

A free popular sniffing program
Runs on UNIX platforms
Can sniff data by:
Overloading the LAN
Manipulating the Address Resolution Protocol (ARP)
Spoofing fake DNS responses
“Monkey in the middle” attacks

Page 22: Dsniff: Overloading the LAN

Method 1: Overloading the LAN with random MAC addresses.
The network switch will try to store all of the incoming MAC addresses.
Since it won’t be able to, it will forward data onto all the links connected to the switch.
Dsniff can then gather the data as it is being forwarded out from the links.

Page 23: Dsniff: ARP manipulation

The Address Resolution Protocol (ARP) maps IP addresses to MAC addresses.

Page 24: Dsniff: ARP manipulation

Dsniff tool: Arpspoof
Changes the mappings associated with IP and MAC addresses to reroute data.

Dnsspoof
Generates fake DNS responses to trick people into entering information into what they believe is a legitimate website.
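As an added example (not part of the original deck) of what a defender can do about the ARP rewriting the slides describe, a small monitor that learns the first IP-to-MAC binding seen in ARP replies and flags any later reply that rebinds a known IP to a different MAC; the struct, function names and the sample trace are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#define MAX_HOSTS 64

/* One observed ARP reply ("IP x is at MAC y"); constructed stand-in for decoded frames. */
struct arp_reply { const char *ip; const char *mac; };

/* First IP -> MAC binding learned for each address. */
static struct { char ip[16]; char mac[18]; } table[MAX_HOSTS];
static int n_bindings;

/* Returns 1 if the reply claims a different MAC for an IP whose binding was
 * already learned (what Arpspoof-style cache poisoning looks like on the wire),
 * 0 for a new or unchanged binding. Legitimate NIC swaps or DHCP reassignments
 * also trigger it, so treat alerts as leads to investigate, not verdicts. */
int arp_monitor_observe(const char *ip, const char *mac)
{
    for (int i = 0; i < n_bindings; i++)
        if (strcmp(table[i].ip, ip) == 0)
            return strcmp(table[i].mac, mac) != 0;
    if (n_bindings < MAX_HOSTS) {            /* learn the first binding seen */
        snprintf(table[n_bindings].ip, sizeof table[n_bindings].ip, "%s", ip);
        snprintf(table[n_bindings].mac, sizeof table[n_bindings].mac, "%s", mac);
        n_bindings++;
    }
    return 0;
}

/* Feed a batch of replies through the monitor; returns the number of alerts. */
int arp_monitor_run(const struct arp_reply *replies, int count)
{
    int alerts = 0;
    for (int i = 0; i < count; i++)
        if (arp_monitor_observe(replies[i].ip, replies[i].mac)) {
            alerts++;
            printf("ALERT: %s now claims MAC %s\n", replies[i].ip, replies[i].mac);
        }
    return alerts;
}

int main(void)
{
    /* Constructed trace: gateway .1 is learned, then a reply rebinds it to .20's MAC. */
    const struct arp_reply trace[] = {
        { "192.168.1.1", "00:11:22:33:44:01" }, { "192.168.1.20", "00:11:22:33:44:14" },
        { "192.168.1.1", "00:11:22:33:44:01" }, { "192.168.1.1", "00:11:22:33:44:14" },
    };
    return arp_monitor_run(trace, 4) == 1 ? 0 : 1;
}
```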

Page 25: Dsniff

Webmitm
Used in conjunction with Dnsspoof to send the user to another website.
Can generate fake digital certificates to trick the victim into creating an SSL or SSH connection.
Make sure you read the digital certificates before you accept!

Page 26: The End