So, What's in a Password?
Rob Gillen
@argodev

This work is licensed under a Creative Commons Attribution 3.0 License.
Don't Be Stupid
The following presentation describes real attacks on real systems. Please note that most of the attacks described would be considered ILLEGAL if attempted on machines that you do not have explicit permission to test and attack. I assume no responsibility for any actions you perform based on the content of this presentation or subsequent conversations. Please remember this basic guideline: with knowledge comes responsibility.
Disclaimer
The content of this presentation represents my personal views and thoughts at the present time. This content is not endorsed by, or representative in any way of, my employer, nor is it intended to be a view into my work or a reflection on the type of work that I or my group performs. It is simply a hobby and personal interest and should be considered as such.
Password Attacks: A Year in Review
Pixel Federation
In December 2013, a breach of the web-based game community based in Slovakia exposed over 38,000 accounts which were promptly posted online. The breach included email addresses and unsalted MD5 hashed passwords, many of which were easily converted back to plain text.

http://haveibeenpwned.com/
Vodafone
In November 2013, Vodafone in Iceland suffered an attack attributed to the Turkish hacker collective "Maxn3y". The data was consequently publicly exposed and included user names, email addresses, social security numbers, SMS messages, server logs and passwords from a variety of different internal sources.

http://haveibeenpwned.com/
Adobe
The big one. In October 2013, 153 million accounts were breached, each containing an internal ID, username, email, encrypted password and a password hint in plain text. The password cryptography was poorly done and many were quickly resolved back to plain text. The unencrypted hints also disclosed much about the passwords, adding further to the risk that hundreds of millions of Adobe customers already faced.
http://haveibeenpwned.com/
Twitter
February 2013 – "This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later. However, our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users."

https://blog.twitter.com/2013/keeping-our-users-secure
More… (site – date – accounts exposed; each entry followed by its news source)
• cvideo.co.il – 10/15/2013 – 3,339
  http://hackread.com/iranian-hackers-hack-israeli-job-site/
• penangmarathon.gov.my – 10/8/2013 – 1,387
  http://www.cyberwarnews.info/2013/10/07/45000-penang-marathonparticipants-personal-details-leaked/
• tomsawyer.com – 10/6/2013 – 57,462
  http://www.cyberwarnews.info/2013/10/07/software-company-tomsawyer-hacked-61000-vendors-accounts-leaked/
• ahashare.com – 10/3/2013 – 169,874
  http://www.cyberwarnews.info/2013/10/04/ahashare-com-hackedcomplete-database-with-190-000-user-credentials-leaked/
• Unknown Israeli website – 7/30/2013 – 26,064
  http://hackread.com/opizzah-opisrael-phr0zenmyst-claims-to-leaklogin-details-of-33895-israelis/
• UK emails – 7/17/2013 – 8,002
  http://www.techworm.in/2013/07/more-than-15000-emails-usernameand.html
Source: https://shouldichangemypassword.com/all-sources.php
More…
• UK emails (part 2) – 7/17/2013 – 7,514
  http://www.techworm.in/2013/07/more-than-15000-emails-usernameand.html
• http://www.pakistanintelligence.com – 5/27/2013 – 75,942
  http://www.ehackingnews.com/2013/05/pakistan-intelligence-jobboard-website.html
• McDonalds Taiwan – 3/27/2013 – 185,620
  http://www.cyberwarnews.info/2013/03/28/official-mcdonaldsaustria-taiwan-korea-hacked-over-200k-credentials-leaked/
• karjera.ktu.lt – 3/14/2013 – 14,133
  http://www.cyberwarnews.info/2013/03/14/14000-student-credentialsleaked-from-ktu-career-center-lithuania/
• avadas.de – 3/9/2013 – 3,344
  http://hackread.com/avast-germany-website-hacked-defaced-20000user-accounts-leaked-by-maxney/
• angloplatinum.co.za – 3/5/2013 – 7,967
  http://thehackernews.com/2013/03/worlds-largest-platinum-producerhacked.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheHackersNews+(The+Hackers+News+-+Security+Blog)#_
Source: https://shouldichangemypassword.com/all-sources.php
More…
• angloplatinum.com – 3/5/2013 – 723
  http://thehackernews.com/2013/03/worlds-largest-platinum-producerhacked.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheHackersNews+(The+Hackers+News+-+Security+Blog)#_
• Walla.co.il – 2/19/2013 – 531,526
  http://www.haaretz.com/news/national/anonymous-activists-hackinto-600-000-israeli-email-accounts.premium-1.504093
• Bank Executives – 2/4/2013 – 4,596
  http://www.zdnet.com/anonymous-posts-over-4000-u-s-bank-executivecredentials-7000010740/
• bee-network.co.za – 1/29/2013 – 81
• omni-id.com – 1/29/2013 – 1,151
• moolmans.com – 1/29/2013 – 117
  (the three above: http://www.ehackingnews.com/2013/01/projectsunrise-teamghostshell-leaked.html)
Source: https://shouldichangemypassword.com/all-sources.php
More…
• servicedesk.ufs.ac.za – 1/29/2013 – 3,952
• servicedesk.ufs.ac.za (part 2) – 1/29/2013 – 355
• westcol.co.za – 1/29/2013 – 99
• digital.postnet.co.za – 1/29/2013 – 45,245
  (the four above: http://www.ehackingnews.com/2013/01/projectsunrise-teamghostshell-leaked.html)
• French Chamber of Commerce – 1/29/2013 – 515
  http://news.softpedia.com/news/French-Chamber-of-Commerceand-Industry-Portal-Hacked-by-Tunisian-Cyber-Army324716.shtml
Source: https://shouldichangemypassword.com/all-sources.php
Types of Attacks
• Algorithm weaknesses (in the hash or cipher itself)
• Implementation weaknesses (in how it was used: no salt, a bad cipher mode, weak key derivation)
• Dictionary attacks
• Brute-force attacks
• Mask attacks (brute force restricted to a character class per position, e.g. ?u?l?l?l?l?d?d)
Algorithmic Weaknesses
• Collision, second pre-image and pre-image attacks on the hash function itself
• Confirmed:
  • GOST, HAVAL, MD2, MD4, MD5, PANAMA, RadioGatún, RIPEMD, RIPEMD-160, SHA-0, SHA-1, Tiger(2) 192/160/128, WHIRLPOOL
• Theoretical:
  • SHA-256/224
  • SHA-512/384
The list is the Wikipedia attack table as of 2013; a practical SHA-1 collision was not demonstrated until 2017. For password storage these attacks matter less than speed: unsalted single-pass MD5 or SHA-1 is weak because it is fast and unsalted, not because collisions have been found.
http://en.wikipedia.org/wiki/Cryptographic_hash_function
Account Hashes
• Windows hash (LM/NT hash: 16 bytes shown as 32 hex characters, no salt; the NT hash is MD4 of the UTF-16LE password, so two accounts with the same password have the same hash)
  EAD0CC57DDAAE50D876B7DD6386FA9C7
• Linux hash (sha512crypt in modular crypt format, $6$<salt>$<hash>: a per-account 16-character salt and 5000 rounds by default)
  $6$OeKR9qBnzym.Q.VO$hM3uL03hmR4ZqAME/8Ol.xWGYAmVdpi3S4hWGLeugaKNj/HLzQPTz7FhjATYO/KXCNHZ8P7zJDi2HHb1K.xfE.
File Encryption
• MS Office
• PDFs
• Zip/7z/rar
• TrueCrypt
http://www.truecrypt.org/docs/volume-format-specification
How do they work?
• Known file format / implementation weakness
• Header data indicates that (and how) the file is encrypted: cipher type, key length, etc.
• Usually only a small, known portion (a header block or check value) has to be decrypted to validate a candidate password, so each guess is cheap
• Why is changing the encryption key/password fast?
  • Your password-derived key only encrypts the "real" data key; a password change re-encrypts that key, not the data
cracking?
Password Guessing
    #include <stdio.h>
    #define maxPassLength 3   /* 62^3 = 238,328 strings; at 8 characters it is 62^8, about 2.2e14 */
    static char string1[maxPassLength + 1];
    static const char alphanum[63] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
        "abcdefghijklmnopqrstuvwxyz"
        "0123456789";
    static void gen(int pos, int len) {          /* for each char in alphanum, at each position */
        if (pos == len) { string1[len] = '\0'; puts(string1); return; }
        for (int i = 0; i < 62; i++) { string1[pos] = alphanum[i]; gen(pos + 1, len); }
    }
    int main(void) {                             /* for length = 1 .. maxPassLength */
        for (int len = 1; len <= maxPassLength; len++) gen(0, len);
        return 0;
    }
Slightly Better…
    int min = 8;
    int max = 12;
    const char valid[63] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
        "abcdefghijklmnopqrstuvwxyz"
        "0123456789";
    /* Same nested loop over lengths min..max, but skip every candidate that
       breaks the target's known password rules. A policy meant to force
       stronger passwords also tells the attacker which strings never to try:
         - first & last must be a letter (not a digit)
         - no consecutive-ordered chars/nums ("ab", "12")
         - no repeated chars/nums */
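The "slightly better" loop made concrete, as an added example that is not the talk's code: the target's own policy is applied while candidates are generated, so a prefix that already breaks a rule is never extended, and the survivors are checked against an unsalted MD5 of the kind leaked in the Pixel Federation breach above. Two readings are mine, not the slide's: "consecutive-ordered" is taken as the next code point being the previous one plus one ("ab", "12"), and "repeated" as the same character twice in a row. The target hash is constructed for the demo.

```python
import hashlib
from typing import Iterator, Optional

ALPHANUM = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "abcdefghijklmnopqrstuvwxyz"
            "0123456789")


def _allowed_next(prev: str, c: str) -> bool:
    """Policy rules that depend only on the previous character (assumed readings, see lead-in)."""
    if c == prev:                    # no repeated chars/nums ("aa", "11")
        return False
    if ord(c) - ord(prev) == 1:      # no consecutive-ordered chars/nums ("ab", "12")
        return False
    return True


def candidates(alphabet: str = ALPHANUM, min_len: int = 8, max_len: int = 12) -> Iterator[str]:
    """Depth-first generation of every string of length min_len..max_len that satisfies
    the policy; a prefix that violates a rule is pruned, not generated and rejected."""
    letters = {c for c in alphabet if c.isalpha()}

    def extend(prefix: str) -> Iterator[str]:
        if len(prefix) >= min_len and prefix[-1] in letters:   # last must be a letter
            yield prefix
        if len(prefix) == max_len:
            return
        for c in alphabet:
            if _allowed_next(prefix[-1], c):
                yield from extend(prefix + c)

    for first in alphabet:
        if first in letters:                                     # first must be a letter
            yield from extend(first)


def full_keyspace(alphabet: str, min_len: int, max_len: int) -> int:
    """Candidate count with no pruning at all, for comparison."""
    return sum(len(alphabet) ** n for n in range(min_len, max_len + 1))


def md5_hex(password: str) -> str:
    """Unsalted MD5 of the password: the scheme in the Pixel Federation leak."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_md5(target_hex: str, alphabet: str, min_len: int, max_len: int) -> Optional[str]:
    """Return the first policy-conformant candidate whose MD5 matches, or None."""
    target = bytes.fromhex(target_hex)
    for guess in candidates(alphabet, min_len, max_len):
        if hashlib.md5(guess.encode("utf-8")).digest() == target:
            return guess
    return None


if __name__ == "__main__":
    alpha = "abcdefghijklmnopqrstuvwxyz0123456789"
    target = md5_hex("q7z")          # constructed demo target; it obeys all three rules
    pruned = sum(1 for _ in candidates(alpha, 1, 3))
    print(f"{full_keyspace(alpha, 1, 3):,} raw candidates -> {pruned:,} after applying the policy")
    print("recovered:", crack_md5(target, alpha, 1, 3))
```

The point is the ratio printed on the first line: every rule the policy adds removes strings the attacker would otherwise have to hash, and a stricter policy makes that ratio worse, not better, unless it also raises the minimum length.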
DEMO: Cracking a Windows Hash with oclHashcat
Image courtesy of xkcd.com (http://imgs.xkcd.com/comics/password_strength.png)
(more) Intelligent Password Guessing
• What do people usually use?
• What can we do to reduce the set of possibilities?
• Cull terms/domain knowledge from relevant data (dating sites, religious sites, others)
• Best: already-used, real-world passwords from previous leaks
Determine your goals
• Cracking a single, specific password?
• Cracking a large % of an "acquired set"?
  • Mark Burnett, author of Perfect Passwords: a list of 6,000,000 passwords, culled down to the 10,000 most frequently used
  • The top 10,000 passwords are used by 98.8% of all users
  • The 2,342,603 (99.6%) remaining unique passwords are in use by only 0.18% of users
  https://xato.net/passwords/more-top-worst-passwords/
• Lots of lists…
  https://www.grc.com/haystack.htm
PACK
• Password Analysis and Cracking Toolkit
• Peter Kacherginsky, PasswordsCon 2013 (7/30–7/31)
• An intelligent cycle of cracking, analysis and rule generation: crack what you can, analyse the cracked passwords, derive masks and rules from their patterns, crack again
http://thesprawl.org/projects/pack/
Statistical Analysis
• Password Length Analysis
• Character Set Analysis
• Word Mangling Analysis
Example: Length
(password-length distribution chart, from the PACK paper: https://thesprawl.org/media/research/passwords13-smarter-password-cracking-with-pack.pdf)
DEMO: Statistics on real passwords
Advanced Analytics
• Levenshtein Edit Distance

http://en.wikipedia.org/wiki/Levenshtein_distance
Levenshtein Edit Distance
• Minimum number of single-character edits (insert, delete, substitute) required to change one string into another
• Measure the distance between dictionary words and the cracked list to optimize the word-mangling rules
  • e.g. XX% of cracked passwords can be reached from a base word with an edit distance of <= 2
  • Only generate rules that produce those edits
http://www.let.rug.nl/~kleiweg/lev/
http://www.kurzhals.info/static/samples/levenshtein_distance/
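The analysis half of the PACK cycle (the three statistics from the Statistical Analysis slide plus the edit-distance measurement from this one), as an added example written for this page rather than PACK's own code. The "cracked" list and base dictionary are constructed sample data, and the character-class names only imitate PACK's statsgen naming; the Levenshtein routine is the standard two-row dynamic programme.

```python
from collections import Counter
from typing import List, Sequence, Tuple

# Constructed sample "cracked" list and base dictionary (not from any breach).
CRACKED = ["password", "Password1", "monkey", "monkey123", "letmein!",
           "Summer2013", "p@ssword", "123456", "Monkey!", "qwerty1"]
BASE_WORDS = ["password", "monkey", "letmein", "summer", "qwerty"]


def length_stats(passwords: Sequence[str]) -> Counter:
    """Password Length Analysis: how many cracked passwords have each length."""
    return Counter(len(p) for p in passwords)


def charset_class(pw: str) -> str:
    """Character Set Analysis with PACK-like class names (loweralpha, mixedalphanum, ...)."""
    has_l = any(c.islower() for c in pw)
    has_u = any(c.isupper() for c in pw)
    has_d = any(c.isdigit() for c in pw)
    has_s = any(not c.isalnum() for c in pw)
    alpha = "mixedalpha" if has_l and has_u else "loweralpha" if has_l else "upperalpha" if has_u else ""
    if not alpha and has_d and not has_s:
        return "numeric"
    return (alpha + ("special" if has_s else "") + ("num" if has_d else "")) or "empty"


def mask(pw: str) -> str:
    """hashcat-style mask: ?l lower, ?u upper, ?d digit, ?s anything else."""
    return "".join("?l" if c.islower() else "?u" if c.isupper() else "?d" if c.isdigit() else "?s"
                   for c in pw)


def mask_stats(passwords: Sequence[str]) -> List[Tuple[str, int]]:
    """Word Mangling Analysis, step one: the most common masks are the first mask attacks to run."""
    return Counter(mask(p) for p in passwords).most_common()


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character inserts, deletes and substitutions turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def nearest_base(pw: str, words: Sequence[str]) -> Tuple[str, int]:
    """The dictionary word a cracked password is closest to, with the distance."""
    return min(((w, levenshtein(pw, w)) for w in words), key=lambda t: t[1])


def rule_coverage(passwords: Sequence[str], words: Sequence[str], max_dist: int) -> float:
    """Share of cracked passwords within max_dist edits of some base word: the slide's 'XX%'.
    If it is high, rules limited to max_dist edits are worth generating; if not, they are not."""
    hits = sum(1 for p in passwords if nearest_base(p, words)[1] <= max_dist)
    return hits / len(passwords)


if __name__ == "__main__":
    print("lengths:", sorted(length_stats(CRACKED).items()))
    print("charsets:", Counter(charset_class(p) for p in CRACKED).most_common())
    print("top masks:", mask_stats(CRACKED)[:3])
    for d in (1, 2, 3):
        print(f"within {d} edit(s) of a base word: {rule_coverage(CRACKED, BASE_WORDS, d):.0%}")
```

On the sample data, half of the cracked passwords are one edit from a base word and 70% are within two, so rules that append a digit or symbol, capitalise the first letter and substitute one character already cover most of what was cracked; "Summer2013" and "123456" are the ones that need a different approach (a date-suffix rule and a plain mask respectively).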
What if I don't have your password?
• Pass the Hash: NTLM authentication proves possession of the NT hash, not the password, so a stolen hash can be used directly without ever cracking it
• Demo
• But we use smart cards!? An account flagged "smart card required" still has an NT hash (the domain controller assigns it a random one), and that hash can be passed like any other, so smart cards alone do not close this off
Avoidance Techniques
• Don't use "monkey" (or anything else on the top-10,000 list)
• Don't reuse "monkey" across sites: one breach then opens every account it was used on
• If you must use "monkey", require something else as well (a second factor)
• Salt is good
• Your own salt is better: a random, per-account salt that you generate, not a fixed or shared value
• Use memory-hard algorithms (e.g. scrypt)
• Use multiple iterations (a lot): the work factor is what makes each guess expensive
• Your username is half of the equation
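The last four bullets as code, as an added example that is mine rather than the talk's: a password record built from scrypt with a random per-account salt and the cost parameters stored alongside it, a constant-time verifier that reads those parameters back, and the unsalted MD5 from the breaches above for contrast. Assumptions: hashlib.scrypt is available (Python 3.6+ linked against OpenSSL 1.1 or later), and N=2^14, r=8, p=1 is a modest work factor chosen for the demo, not a recommendation for production. The record format ($scrypt$ln=..,r=..,p=..$salt$key) is invented here for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# scrypt cost parameters. Memory per guess is 128 * r * N bytes, 16 MiB here, which is what
# makes a GPU or ASIC farm far less effective than it is against MD5 or an NT hash.
SCRYPT_LOG2_N, SCRYPT_R, SCRYPT_P = 14, 8, 1


def unsalted_md5(password: str) -> str:
    """What Pixel Federation stored: the same password gives the same hash for every user."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store as a self-describing record: $scrypt$ln=..,r=..,p=..$<salt hex>$<key hex>.
    The salt is random and generated here, per account (the 'your own salt' bullet)."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=1 << SCRYPT_LOG2_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"$scrypt$ln={SCRYPT_LOG2_N},r={SCRYPT_R},p={SCRYPT_P}${salt.hex()}${key.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the salt and parameters stored in the record; compare in constant time,
    so a wrong guess takes as long as a right one and leaks nothing through timing."""
    parts = record.split("$")
    if len(parts) != 5 or parts[0] != "" or parts[1] != "scrypt":
        return False
    params = dict(kv.split("=", 1) for kv in parts[2].split(","))
    key = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(parts[3]),
                         n=1 << int(params["ln"]), r=int(params["r"]), p=int(params["p"]),
                         dklen=32)
    return hmac.compare_digest(key, bytes.fromhex(parts[4]))


if __name__ == "__main__":
    import time
    for user in ("alice", "bob"):        # constructed accounts that share a password
        print(f"{user:6} md5    {unsalted_md5('monkey')}")
        print(f"{user:6} scrypt {hash_password('monkey')}")
    rec = hash_password("monkey")
    t0 = time.perf_counter()
    verify_password("monkey", rec)
    print(f"one scrypt verification: {(time.perf_counter() - t0) * 1000:.0f} ms "
          f"(an MD5 of the same input takes well under a microsecond)")
```

Storing the parameters in the record is what lets you raise the work factor later: new records get the higher cost, and old ones can be re-hashed at the user's next successful login without a reset. Keeping the salt in the record is fine; it only has to be unique, not secret.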
References
• http://haveibeenpwned.com/
• https://lastpass.com/adobe/
• https://lastpass.com/linkedin/
• https://lastpass.com/lastfm/
• https://shouldichangemypassword.com/all-sources.php
Questions/Contact
Rob Gillen
rob@gillenfamily.net
http://rob.gillenfamily.net
@argodev

Weitere ähnliche Inhalte

Andere mochten auch

Portland Winter2010
Portland Winter2010Portland Winter2010
Portland Winter2010rcostic
 
Girl junior lounge lic line
Girl junior lounge lic lineGirl junior lounge lic line
Girl junior lounge lic lineceeram9
 
Panty programs license
Panty programs licensePanty programs license
Panty programs licenseceeram9
 
Boys yng mens license skate
Boys yng mens license skateBoys yng mens license skate
Boys yng mens license skateceeram9
 
Windows Azure: Lessons From The Field
Windows Azure: Lessons From The FieldWindows Azure: Lessons From The Field
Windows Azure: Lessons From The FieldRob Gillen
 
the best cars
the best carsthe best cars
the best carsjhonshito
 
Girls junior prints
Girls junior printsGirls junior prints
Girls junior printsceeram9
 
Junior missy lounge packaging
Junior missy lounge packagingJunior missy lounge packaging
Junior missy lounge packagingceeram9
 

Andere mochten auch (8)

Portland Winter2010
Portland Winter2010Portland Winter2010
Portland Winter2010
 
Girl junior lounge lic line
Girl junior lounge lic lineGirl junior lounge lic line
Girl junior lounge lic line
 
Panty programs license
Panty programs licensePanty programs license
Panty programs license
 
Boys yng mens license skate
Boys yng mens license skateBoys yng mens license skate
Boys yng mens license skate
 
Windows Azure: Lessons From The Field
Windows Azure: Lessons From The FieldWindows Azure: Lessons From The Field
Windows Azure: Lessons From The Field
 
the best cars
the best carsthe best cars
the best cars
 
Girls junior prints
Girls junior printsGirls junior prints
Girls junior prints
 
Junior missy lounge packaging
Junior missy lounge packagingJunior missy lounge packaging
Junior missy lounge packaging
 

Ähnlich wie So whats in a password

Password and Account Management Strategies - April 2019
Password and Account Management Strategies - April 2019Password and Account Management Strategies - April 2019
Password and Account Management Strategies - April 2019Kimberley Dray
 
Cybersecurity for Marketing
Cybersecurity for Marketing Cybersecurity for Marketing
Cybersecurity for Marketing Alert Logic
 
Ethical_Hacking_ppt
Ethical_Hacking_pptEthical_Hacking_ppt
Ethical_Hacking_pptNarayanan
 
Iron Bastion: How to Manage Your Clients' Data Responsibly
Iron Bastion: How to Manage Your Clients' Data ResponsiblyIron Bastion: How to Manage Your Clients' Data Responsibly
Iron Bastion: How to Manage Your Clients' Data ResponsiblyGabor Szathmari
 
Info Session on Cybersecurity & Cybersecurity Study Jams
Info Session on Cybersecurity & Cybersecurity Study JamsInfo Session on Cybersecurity & Cybersecurity Study Jams
Info Session on Cybersecurity & Cybersecurity Study JamsGDSCCVR
 
How To Keep the Grinch From Ruining Your Cyber Monday
How To Keep the Grinch From Ruining Your Cyber MondayHow To Keep the Grinch From Ruining Your Cyber Monday
How To Keep the Grinch From Ruining Your Cyber MondayMichele Chubirka
 
Computer Hacking - An Introduction
Computer Hacking - An IntroductionComputer Hacking - An Introduction
Computer Hacking - An IntroductionJayaseelan Vejayon
 
Social and Mobile and Cloud OH MY!
Social and Mobile and Cloud OH MY!Social and Mobile and Cloud OH MY!
Social and Mobile and Cloud OH MY!InnoTech
 
Ipsec And Ssl Protocols ( Vpn )
Ipsec And Ssl Protocols ( Vpn )Ipsec And Ssl Protocols ( Vpn )
Ipsec And Ssl Protocols ( Vpn )Monique Jones
 
Onlinesecurityrecomendations2014 141230081030-conversion-gate02
Onlinesecurityrecomendations2014 141230081030-conversion-gate02Onlinesecurityrecomendations2014 141230081030-conversion-gate02
Onlinesecurityrecomendations2014 141230081030-conversion-gate02amiinaaa
 
Ethical Hacking & Network Security
Ethical Hacking & Network Security Ethical Hacking & Network Security
Ethical Hacking & Network Security Lokender Yadav
 
The life of breached data and the attack lifecycle
The life of breached data and the attack lifecycleThe life of breached data and the attack lifecycle
The life of breached data and the attack lifecycleJarrod Overson
 
Source Code and Admin Password Shared on Public Site by Developer
Source Code and Admin Password Shared on Public Site by DeveloperSource Code and Admin Password Shared on Public Site by Developer
Source Code and Admin Password Shared on Public Site by DeveloperDigital Shadows
 
An Introduction To IT Security And Privacy In Libraries & Anywhere
An Introduction To IT Security And Privacy In Libraries & AnywhereAn Introduction To IT Security And Privacy In Libraries & Anywhere
An Introduction To IT Security And Privacy In Libraries & AnywhereBlake Carver
 
Password Cracking
Password CrackingPassword Cracking
Password CrackingSagar Verma
 

Ähnlich wie So whats in a password (20)

Password and Account Management Strategies - April 2019
Password and Account Management Strategies - April 2019Password and Account Management Strategies - April 2019
Password and Account Management Strategies - April 2019
 
Correcthorsebatterystaple dwsg 07 09-13
Correcthorsebatterystaple dwsg 07 09-13Correcthorsebatterystaple dwsg 07 09-13
Correcthorsebatterystaple dwsg 07 09-13
 
Cybersecurity for Marketing
Cybersecurity for Marketing Cybersecurity for Marketing
Cybersecurity for Marketing
 
Ethical_Hacking_ppt
Ethical_Hacking_pptEthical_Hacking_ppt
Ethical_Hacking_ppt
 
Cyber security awareness presentation nepal
Cyber security awareness presentation nepalCyber security awareness presentation nepal
Cyber security awareness presentation nepal
 
Iron Bastion: How to Manage Your Clients' Data Responsibly
Iron Bastion: How to Manage Your Clients' Data ResponsiblyIron Bastion: How to Manage Your Clients' Data Responsibly
Iron Bastion: How to Manage Your Clients' Data Responsibly
 
Info Session on Cybersecurity & Cybersecurity Study Jams
Info Session on Cybersecurity & Cybersecurity Study JamsInfo Session on Cybersecurity & Cybersecurity Study Jams
Info Session on Cybersecurity & Cybersecurity Study Jams
 
How To Keep the Grinch From Ruining Your Cyber Monday
How To Keep the Grinch From Ruining Your Cyber MondayHow To Keep the Grinch From Ruining Your Cyber Monday
How To Keep the Grinch From Ruining Your Cyber Monday
 
Computer Hacking - An Introduction
Computer Hacking - An IntroductionComputer Hacking - An Introduction
Computer Hacking - An Introduction
 
Cyber Safety 101
Cyber Safety 101Cyber Safety 101
Cyber Safety 101
 
Social and Mobile and Cloud OH MY!
Social and Mobile and Cloud OH MY!Social and Mobile and Cloud OH MY!
Social and Mobile and Cloud OH MY!
 
How to hack or what is ethical hacking
How to hack or what is ethical hackingHow to hack or what is ethical hacking
How to hack or what is ethical hacking
 
Ipsec And Ssl Protocols ( Vpn )
Ipsec And Ssl Protocols ( Vpn )Ipsec And Ssl Protocols ( Vpn )
Ipsec And Ssl Protocols ( Vpn )
 
Onlinesecurityrecomendations2014 141230081030-conversion-gate02
Onlinesecurityrecomendations2014 141230081030-conversion-gate02Onlinesecurityrecomendations2014 141230081030-conversion-gate02
Onlinesecurityrecomendations2014 141230081030-conversion-gate02
 
Ethical Hacking & Network Security
Ethical Hacking & Network Security Ethical Hacking & Network Security
Ethical Hacking & Network Security
 
The life of breached data and the attack lifecycle
The life of breached data and the attack lifecycleThe life of breached data and the attack lifecycle
The life of breached data and the attack lifecycle
 
Source Code and Admin Password Shared on Public Site by Developer
Source Code and Admin Password Shared on Public Site by DeveloperSource Code and Admin Password Shared on Public Site by Developer
Source Code and Admin Password Shared on Public Site by Developer
 
OlgerHoxha_Thesis_Final
OlgerHoxha_Thesis_FinalOlgerHoxha_Thesis_Final
OlgerHoxha_Thesis_Final
 
An Introduction To IT Security And Privacy In Libraries & Anywhere
An Introduction To IT Security And Privacy In Libraries & AnywhereAn Introduction To IT Security And Privacy In Libraries & Anywhere
An Introduction To IT Security And Privacy In Libraries & Anywhere
 
Password Cracking
Password CrackingPassword Cracking
Password Cracking
 

Mehr von Rob Gillen

CodeStock14: Hiding in Plain Sight
CodeStock14: Hiding in Plain SightCodeStock14: Hiding in Plain Sight
CodeStock14: Hiding in Plain SightRob Gillen
 
What's in a password
What's in a password What's in a password
What's in a password Rob Gillen
 
How well do you know your runtime
How well do you know your runtimeHow well do you know your runtime
How well do you know your runtimeRob Gillen
 
Software defined radio and the hacker
Software defined radio and the hackerSoftware defined radio and the hacker
Software defined radio and the hackerRob Gillen
 
Hiding in plain sight
Hiding in plain sightHiding in plain sight
Hiding in plain sightRob Gillen
 
ETCSS: Into the Mind of a Hacker
ETCSS: Into the Mind of a HackerETCSS: Into the Mind of a Hacker
ETCSS: Into the Mind of a HackerRob Gillen
 
DevLink - WiFu: You think your wireless is secure?
DevLink - WiFu: You think your wireless is secure?DevLink - WiFu: You think your wireless is secure?
DevLink - WiFu: You think your wireless is secure?Rob Gillen
 
You think your WiFi is safe?
You think your WiFi is safe?You think your WiFi is safe?
You think your WiFi is safe?Rob Gillen
 
Anatomy of a Buffer Overflow Attack
Anatomy of a Buffer Overflow AttackAnatomy of a Buffer Overflow Attack
Anatomy of a Buffer Overflow AttackRob Gillen
 
Intro to GPGPU with CUDA (DevLink)
Intro to GPGPU with CUDA (DevLink)Intro to GPGPU with CUDA (DevLink)
Intro to GPGPU with CUDA (DevLink)Rob Gillen
 
A Comparison of AWS and Azure - Part2
A Comparison of AWS and Azure - Part2A Comparison of AWS and Azure - Part2
A Comparison of AWS and Azure - Part2Rob Gillen
 
A Comparison of AWS and Azure - Part 1
A Comparison of AWS and Azure - Part 1A Comparison of AWS and Azure - Part 1
A Comparison of AWS and Azure - Part 1Rob Gillen
 
Intro to GPGPU Programming with Cuda
Intro to GPGPU Programming with CudaIntro to GPGPU Programming with Cuda
Intro to GPGPU Programming with CudaRob Gillen
 
Scaling Document Clustering in the Cloud
Scaling Document Clustering in the CloudScaling Document Clustering in the Cloud
Scaling Document Clustering in the CloudRob Gillen
 
Hands On with Amazon Web Services (StirTrek)
Hands On with Amazon Web Services (StirTrek)Hands On with Amazon Web Services (StirTrek)
Hands On with Amazon Web Services (StirTrek)Rob Gillen
 
Amazon Web Services for the .NET Developer
Amazon Web Services for the .NET DeveloperAmazon Web Services for the .NET Developer
Amazon Web Services for the .NET DeveloperRob Gillen
 
05561 Xfer Research 02
05561 Xfer Research 0205561 Xfer Research 02
05561 Xfer Research 02Rob Gillen
 
05561 Xfer Research 01
05561 Xfer Research 0105561 Xfer Research 01
05561 Xfer Research 01Rob Gillen
 
05561 Xfer Consumer 01
05561 Xfer Consumer 0105561 Xfer Consumer 01
05561 Xfer Consumer 01Rob Gillen
 

Mehr von Rob Gillen (20)

CodeStock14: Hiding in Plain Sight
CodeStock14: Hiding in Plain SightCodeStock14: Hiding in Plain Sight
CodeStock14: Hiding in Plain Sight
 
What's in a password
What's in a password What's in a password
What's in a password
 
How well do you know your runtime
How well do you know your runtimeHow well do you know your runtime
How well do you know your runtime
 
Software defined radio and the hacker
Software defined radio and the hackerSoftware defined radio and the hacker
Software defined radio and the hacker
 
Hiding in plain sight
Hiding in plain sightHiding in plain sight
Hiding in plain sight
 
ETCSS: Into the Mind of a Hacker
ETCSS: Into the Mind of a HackerETCSS: Into the Mind of a Hacker
ETCSS: Into the Mind of a Hacker
 
DevLink - WiFu: You think your wireless is secure?
DevLink - WiFu: You think your wireless is secure?DevLink - WiFu: You think your wireless is secure?
DevLink - WiFu: You think your wireless is secure?
 
You think your WiFi is safe?
You think your WiFi is safe?You think your WiFi is safe?
You think your WiFi is safe?
 
Anatomy of a Buffer Overflow Attack
Anatomy of a Buffer Overflow AttackAnatomy of a Buffer Overflow Attack
Anatomy of a Buffer Overflow Attack
 
Intro to GPGPU with CUDA (DevLink)
Intro to GPGPU with CUDA (DevLink)Intro to GPGPU with CUDA (DevLink)
Intro to GPGPU with CUDA (DevLink)
 
AWS vs. Azure
AWS vs. AzureAWS vs. Azure
AWS vs. Azure
 
A Comparison of AWS and Azure - Part2
A Comparison of AWS and Azure - Part2A Comparison of AWS and Azure - Part2
A Comparison of AWS and Azure - Part2
 
A Comparison of AWS and Azure - Part 1
A Comparison of AWS and Azure - Part 1A Comparison of AWS and Azure - Part 1
A Comparison of AWS and Azure - Part 1
 
Intro to GPGPU Programming with Cuda
Intro to GPGPU Programming with CudaIntro to GPGPU Programming with Cuda
Intro to GPGPU Programming with Cuda
 
Scaling Document Clustering in the Cloud
Scaling Document Clustering in the CloudScaling Document Clustering in the Cloud
Scaling Document Clustering in the Cloud
 
Hands On with Amazon Web Services (StirTrek)
Hands On with Amazon Web Services (StirTrek)Hands On with Amazon Web Services (StirTrek)
Hands On with Amazon Web Services (StirTrek)
 
Amazon Web Services for the .NET Developer
Amazon Web Services for the .NET DeveloperAmazon Web Services for the .NET Developer
Amazon Web Services for the .NET Developer
 
05561 Xfer Research 02
05561 Xfer Research 0205561 Xfer Research 02
05561 Xfer Research 02
 
05561 Xfer Research 01
05561 Xfer Research 0105561 Xfer Research 01
05561 Xfer Research 01
 
05561 Xfer Consumer 01
05561 Xfer Consumer 0105561 Xfer Consumer 01
05561 Xfer Consumer 01
 

Kürzlich hochgeladen

Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 

Kürzlich hochgeladen (20)

Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
So, What’s in a Password?

  • 1. So, What’s in a Password? Rob Gillen @argodev This work is licensed under a Creative Commons Attribution 3.0 License.
  • 2. Don’t Be Stupid The following presentation describes real attacks on real systems. Please note that most of the attacks described would be considered ILLEGAL if attempted on machines that you do not have explicit permission to test and attack. I assume no responsibility for any actions you perform based on the content of this presentation or subsequent conversations. Please remember this basic guideline: With knowledge comes responsibility.
  • 3. Disclaimer The content of this presentation represents my personal views and thoughts at the present time. This content is not endorsed by, or representative in any way of my employer nor is it intended to be a view into my work or a reflection on the type of work that I or my group performs. It is simply a hobby and personal interest and should be considered as such.
  • 5. Pixel Federation In December 2013, a breach of the web-based game community based in Slovakia exposed over 38,000 accounts which were promptly posted online. The breach included email addresses and unsalted MD5 hashed passwords, many of which were easily converted back to plain text. http://haveibeenpwned.com/
  • 6. Vodafone In November 2013, Vodafone in Iceland suffered an attack attributed to the Turkish hacker collective "Maxn3y". The data was consequently publicly exposed and included user names, email addresses, social security numbers, SMS message, server logs and passwords from a variety of different internal sources. http://haveibeenpwned.com/
  • 7. Adobe The big one. In October 2013, 153 million accounts were breached with each containing an internal ID, username, email, encrypted password and a password hint in plain text. The password cryptography was poorly done and many were quickly resolved back to plain text. The unencrypted hints also disclosed much about the passwords adding further to the risk that hundreds of millions of Adobe customers already faced. http://haveibeenpwned.com/
  • 8. Twitter February 2013 - This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later. However, our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users. https://blog.twitter.com/2013/keeping-our-users-secure
  • 9. More…
    • cvideo.co.il – 10/15/2013 – 3,339
      • http://hackread.com/iranian-hackers-hack-israeli-job-site/
    • penangmarathon.gov.my – 10/8/2013 – 1,387
      • http://www.cyberwarnews.info/2013/10/07/45000-penang-marathonparticipants-personal-details-leaked/
    • tomsawyer.com – 10/6/2013 – 57,462
      • http://www.cyberwarnews.info/2013/10/07/software-company-tomsawyer-hacked-61000-vendors-accounts-leaked/
    • ahashare.com – 10/3/2013 – 169,874
      • http://www.cyberwarnews.info/2013/10/04/ahashare-com-hackedcomplete-database-with-190-000-user-credentials-leaked/
    • Unknown Israeli website – 7/30/2013 – 26,064
      • http://hackread.com/opizzah-opisrael-phr0zenmyst-claims-to-leaklogin-details-of-33895-israelis/
    • UK emails – 7/17/2013 – 8,002
      • http://www.techworm.in/2013/07/more-than-15000-emails-usernameand.html
    https://shouldichangemypassword.com/all-sources.php
  • 10. More…
    • UK emails (part 2) – 7/17/2013 – 7,514
      • http://www.techworm.in/2013/07/more-than-15000-emails-usernameand.html
    • http://www.pakistanintelligence.com – 5/27/2013 – 75,942
      • http://www.ehackingnews.com/2013/05/pakistan-intelligence-jobboard-website.html
    • McDonalds Taiwan – 3/27/2013 – 185,620
      • http://www.cyberwarnews.info/2013/03/28/official-mcdonaldsaustria-taiwan-korea-hacked-over-200k-credentials-leaked/
    • karjera.ktu.lt – 3/14/2013 – 14,133
      • http://www.cyberwarnews.info/2013/03/14/14000-student-credentialsleaked-from-ktu-career-center-lithuania/
    • avadas.de – 3/9/2013 – 3,344
      • http://hackread.com/avast-germany-website-hacked-defaced-20000user-accounts-leaked-by-maxney/
    • angloplatinum.co.za – 3/5/2013 – 7,967
      • http://thehackernews.com/2013/03/worlds-largest-platinum-producerhacked.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheHackersNews+(The+Hackers+News+-+Security+Blog)#_
    https://shouldichangemypassword.com/all-sources.php
  • 11. More…
    • angloplatinum.com – 3/5/2013 – 723
      • http://thehackernews.com/2013/03/worlds-largest-platinum-producerhacked.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheHackersNews+(The+Hackers+News+-+Security+Blog)#_
    • Walla.co.il – 2/19/2013 – 531,526
      • http://www.haaretz.com/news/national/anonymous-activists-hackinto-600-000-israeli-email-accounts.premium-1.504093
    • Bank Executives – 2/4/2013 – 4,596
      • http://www.zdnet.com/anonymous-posts-over-4000-u-s-bank-executivecredentials-7000010740/
    • bee-network.co.za – 1/29/2013 – 81
      • http://www.ehackingnews.com/2013/01/projectsunrise-teamghostshell-leaked.html
    • omni-id.com – 1/29/2013 – 1,151
      • http://www.ehackingnews.com/2013/01/projectsunrise-teamghostshell-leaked.html
    • moolmans.com – 1/29/2013 – 117
      • http://www.ehackingnews.com/2013/01/projectsunrise-teamghostshell-leaked.html
    https://shouldichangemypassword.com/all-sources.php
  • 12. More…
    • servicedesk.ufs.ac.za – 1/29/2013 – 3,952
      • http://www.ehackingnews.com/2013/01/projectsunrise-teamghostshell-leaked.html
    • servicedesk.ufs.ac.za (part 2) – 1/29/2013 – 355
      • http://www.ehackingnews.com/2013/01/projectsunrise-teamghostshell-leaked.html
    • westcol.co.za – 1/29/2013 – 99
      • http://www.ehackingnews.com/2013/01/projectsunrise-teamghostshell-leaked.html
    • digital.postnet.co.za – 1/29/2013 – 45,245
      • http://www.ehackingnews.com/2013/01/projectsunrise-teamghostshell-leaked.html
    • French Chamber of Commerce – 1/29/2013 – 515
      • http://news.softpedia.com/news/French-Chamber-of-Commerceand-Industry-Portal-Hacked-by-Tunisian-Cyber-Army324716.shtml
    https://shouldichangemypassword.com/all-sources.php
  • 13. Types of Attacks
    • Algorithm Weaknesses
    • Implementation Weaknesses
    • Dictionary Attacks
    • Brute-Force Attacks
    • Mask Attacks
  • 14. Algorithmic Weaknesses
    • Collision, Second Pre-Image, Pre-Image
    • Confirmed:
      • GOST, HAVAL, MD2, MD4, MD5, PANAMA, RadioGatun, RIPEMD, RIPEMD-160, SHA-0, SHA-1, Tiger(2) – 192/160/128, WHIRLPOOL
    • Theoretical:
      • SHA-256/224
      • SHA-512/384
    http://en.wikipedia.org/wiki/Cryptographic_hash_function
  • 15. Account Hashes
    • Windows Hash
      • EAD0CC57DDAAE50D876B7DD6386FA9C7
    • Linux Hash
      • $6$OeKR9qBnzym.Q.VO$hM3uL03hmR4ZqAME/8Ol.xWGYAmVdpi3S4hWGLeugaKNj/HLzQPTz7FhjATYO/KXCNHZ8P7zJDi2HHb1K.xfE.
  • 16. File Encryption
    • MS Office
    • PDFs
    • Zip/7z/rar
    • TrueCrypt
  • 18. How do they work?
    • Known file-format/implementation weakness
    • Header data to indicate encryption
      • Type, keylength, etc.
    • Often some small portion to decrypt/validate
    • How is it that changing encryption keys is fast?
      • Your key encrypts the “real” key
  • 20. Password Guessing
        char string1[maxPassLength + 1];
        char alphanum[63] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                            "abcdefghijklmnopqrstuvwxyz"
                            "0123456789";
        for 0 → maxLength
            for each char in alphanum…
  • 21. Slightly Better…
        int min = 8;
        int max = 12;
        char[] valid = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                       "abcdefghijklmnopqrstuvwxyz"
                       "0123456789";
        # known rules
        #   first & last must be char
        #   no consecutive-ordered chars/nums
        #   no repeated chars/nums
  • 22. DEMO: Cracking a Windows Hash With oclHashCat
  • 23. Image courtesy of xkcd.com (http://imgs.xkcd.com/comics/password_strength.png)
  • 24. (more) Intelligent Password Guessing
    • What do people usually use?
    • What can we do to reduce the set of possibilities?
    • Cull terms/domain knowledge from relevant data
      • Dating sites, religious sites, others
    • Best: Already used/real-world passwords
  • 25. Determine your goals
    • Cracking a single, specific pwd?
    • Cracking a large % of an “acquired set”?
  • 26. Mark Burnett, author of Perfect Passwords
    • List of 6,000,000, culled down to 10,000 most frequently used
    • Top 10,000 passwords are used by 98.8% of all users
    • 2,342,603 (that’s 99.6%) unique passwords remaining that are in use by only .18% of users!
    https://xato.net/passwords/more-top-worst-passwords/
  • 27. Lots of lists…
  • 29. PACK
    • Password Analysis and Cracking Toolkit
    • Peter Kacherginsky, PasswordCon, 7/30-7/31
    • Intelligent cycle of cracking, analysis, rule generation
    http://thesprawl.org/projects/pack/
  • 30. Statistical Analysis
    • Password Length Analysis
    • Character Set Analysis
    • Word Mangling Analysis
  • 33. Advanced Analytics
    • Levenshtein Edit Distance
    http://en.wikipedia.org/wiki/Levenshtein_distance
  • 34. Levenshtein Edit Distance
    • Minimum number of changes required to change one string into another
    • Measure the distance between actual words and the cracked list to optimize the word mangling rules
      • e.g. XX% of words can be reached with a Levenshtein edit distance of <=2
      • Only generate rules that match
    http://www.let.rug.nl/~kleiweg/lev/
    http://www.kurzhals.info/static/samples/levenshtein_distance/
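The analysis slides 30 and 34 describe (length and character-set distributions, plus the share of a password set that sits within a small edit distance of a dictionary word), as an added Python example that is not part of the presentation or of PACK. The dictionary and the password set are constructed for illustration; the "within distance 2" ratio is the figure the slide leaves as XX%.

```python
from collections import Counter

# Constructed sample data (not taken from any breach on the slides).
DICTIONARY = ["monkey", "password", "dragon", "sunshine"]
PASSWORDS = ["monkey1", "Monkey!", "password", "p@ssw0rd",
             "dragon99", "Sunshine2013", "xK9#qzLp"]


def levenshtein(a: str, b: str) -> int:
    """Minimum number of insertions, deletions and substitutions turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute (free if equal)
        prev = cur
    return prev[-1]


def charset_mask(pw: str) -> str:
    """Character classes present in pw, in a fixed order (the 'character set' stat)."""
    present = {"upper" if c.isupper() else "lower" if c.islower()
               else "digit" if c.isdigit() else "special" for c in pw}
    return "-".join(cls for cls in ("upper", "lower", "digit", "special") if cls in present)


def nearest_distance(pw: str, dictionary) -> int:
    """Edit distance from pw (case-folded) to the closest dictionary word."""
    return min(levenshtein(pw.lower(), word) for word in dictionary)


def analyze(passwords, dictionary, max_dist: int = 2) -> dict:
    """Length and charset distributions, plus the share of passwords within
    max_dist edits of a dictionary word (the ratio the slide calls XX%)."""
    near = sum(1 for pw in passwords if nearest_distance(pw, dictionary) <= max_dist)
    return {
        "lengths": dict(Counter(len(pw) for pw in passwords)),
        "masks": dict(Counter(charset_mask(pw) for pw in passwords)),
        "within_dist": near / len(passwords),
    }


if __name__ == "__main__":
    for pw in PASSWORDS:
        print(f"{pw:14} len={len(pw):2} {charset_mask(pw):28} "
              f"dist={nearest_distance(pw, DICTIONARY)}")
    print(analyze(PASSWORDS, DICTIONARY))
```

For the constructed set, 5 of the 7 passwords are within two edits of a dictionary word; only the long "Sunshine2013" and the random "xK9#qzLp" fall outside, which is the kind of split an auditor would use to decide which policy to tighten.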
  • 35. What if I don’t have your Password?
    • Pass the Hash
    • Demo
    • But We use Smart Cards!?
  • 36. Avoidance Techniques
    • Don’t use “monkey”
    • Don’t reuse “monkey”
    • If you must use monkey, require something else as well
    • Salt is good
    • Your own salt is better
    • Utilize memory-hard algorithms
    • Utilize multiple iterations (a lot)
    • Your username is half of the equation
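The storage-side advice on slide 36 (a salt of your own per user, a memory-hard algorithm, a large work factor) as an added Python example that is not from the presentation: it puts the unsalted MD5 scheme of the Pixel Federation breach next to scrypt from the standard library. The `$scrypt$…` storage string and the N/r/p work factors are this example's own choices, not a standard format.

```python
import base64
import hashlib
import hmac
import os

# Work factors chosen for this example: N = CPU/memory cost, r = block size,
# p = parallelism. 2**14 / 8 / 1 needs about 16 MiB of RAM per guess, which is
# what makes the scheme memory-hard for a GPU cracker.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
MAXMEM = 64 * 1024 * 1024


def unsalted_md5(password: str) -> str:
    """The Pixel Federation scheme: no salt, one fast round. Every user who
    chose 'monkey' gets the same digest, so one lookup cracks all of them."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt=None) -> str:
    """Random per-user salt + scrypt; the stored string carries its own parameters."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=SCRYPT_N,
                         r=SCRYPT_R, p=SCRYPT_P, maxmem=MAXMEM, dklen=32)
    params = f"ln={SCRYPT_N.bit_length() - 1},r={SCRYPT_R},p={SCRYPT_P}"
    b64 = lambda raw: base64.b64encode(raw).decode("ascii")
    return f"$scrypt${params}${b64(salt)}${b64(key)}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and parameters; compare in constant time."""
    try:
        _, scheme, params, salt_b64, key_b64 = stored.split("$")
        if scheme != "scrypt":
            return False
        kv = dict(item.split("=") for item in params.split(","))
        n, r, p = 2 ** int(kv["ln"]), int(kv["r"]), int(kv["p"])
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(key_b64)
        key = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                             maxmem=MAXMEM, dklen=len(expected))
    except (ValueError, KeyError):          # malformed record: never a match
        return False
    return hmac.compare_digest(key, expected)


if __name__ == "__main__":
    print("md5 same for two users:", unsalted_md5("monkey") == unsalted_md5("monkey"))
    h1, h2 = hash_password("monkey"), hash_password("monkey")
    print("scrypt records differ:", h1 != h2, h1, h2, sep="\n  ")
    print("verify:", verify_password("monkey", h1), verify_password("Monkey", h1))
```

`hashlib.scrypt` is present in CPython builds linked against OpenSSL 1.1 or later; because the record stores its own parameters, the work factors can be raised later and old records re-hashed at the user's next login.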
  • 37. References
    • http://haveibeenpwned.com/
    • https://lastpass.com/adobe/
    • https://lastpass.com/linkedin/
    • https://lastpass.com/lastfm/
    • https://shouldichangemypassword.com/all-sources.php