Password Attacks Mike

Post on 20-Dec-2015


Password Attacks

Mike

Guessing Default Passwords

• Many applications and operating systems ship with built-in default passwords.

• Lazy administrators never change them.

• A database of default passwords is publicly available at http://www.phenoelit.de/dpl/dpl.html

Let’s Crack Those Passwords

• Stealing the encrypted (in practice, hashed) passwords and trying to recover the clear-text password:

• Create a password guess.

• Encrypt (hash) the guess the same way the system does.

• Compare the encrypted guess with the encrypted value from the stolen password file.

• If they match, you've got the password!

• Else, loop back with the next guess.

• Where the guesses come from: a dictionary, brute-force cracking (every combination of characters up to some length), or hybrid password cracking (dictionary words with characters appended, capitalised or substituted). The loop runs until a match is found or the guesses run out.
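The loop on the slide, as an added example that is not part of the original deck: three guess generators (dictionary, hybrid, brute force) feed one crack routine that hashes each guess with the victim's salt and compares it to the stolen value. The "salt$sha256(salt+password)" storage format and the four user entries are constructed stand-ins for a real stolen password file; real files use crypt(3), LM or NTLM formats, but the loop is the same.

```python
# Added example (not from the original slides): the guess/hash/compare loop with
# dictionary, hybrid and brute-force guess generators. The stored-hash format
# "salt$sha256(salt+password)" and the four user entries are constructed here
# as a stand-in for a real stolen password file.
import hashlib
import itertools
import string


def hash_password(salt: str, password: str) -> str:
    """Constructed format: salt, '$', hex SHA-256 of salt + password."""
    return salt + "$" + hashlib.sha256((salt + password).encode()).hexdigest()


def dictionary_guesses(wordlist):
    """Dictionary attack: try each word as-is."""
    yield from wordlist


def hybrid_guesses(wordlist, suffixes=("1", "12", "123", "!")):
    """Hybrid attack: dictionary words with capitalisation changes and suffixes."""
    for word in wordlist:
        for base in (word, word.capitalize(), word.upper()):
            yield base
            for suffix in suffixes:
                yield base + suffix


def brute_force_guesses(alphabet=string.ascii_lowercase + string.digits, max_len=3):
    """Brute-force attack: every string over the alphabet up to max_len."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            yield "".join(combo)


def crack(stolen, guesses):
    """Run the loop from the slide: hash each guess with each user's salt and
    compare against the stolen value. stolen maps user -> stored hash;
    returns user -> recovered password for every hit."""
    pending = dict(stolen)
    found = {}
    for guess in guesses:
        if not pending:
            break
        for user, stored in list(pending.items()):
            salt = stored.split("$", 1)[0]
            if hash_password(salt, guess) == stored:
                found[user] = guess      # match: got the password
                del pending[user]
    return found


def demo():
    """Constructed sample: four users, three of which fall to one method each."""
    wordlist = ["password", "letmein", "secret", "dragon"]
    stolen = {
        "alice": hash_password("a1", "secret"),        # plain dictionary word
        "bob": hash_password("b2", "Secret123"),       # capitalised word + suffix
        "carol": hash_password("c3", "x9q"),           # short: only brute force finds it
        "dave": hash_password("d4", "Tr0ub4dor&3"),    # survives all three passes
    }
    recovered = {}
    for guesses in (dictionary_guesses(wordlist),
                    hybrid_guesses(wordlist),
                    brute_force_guesses()):
        remaining = {u: h for u, h in stolen.items() if u not in recovered}
        recovered.update(crack(remaining, guesses))
    return recovered


if __name__ == "__main__":
    print(demo())
```

Note that each guess has to be re-hashed for every user because the salts differ; that per-user cost is exactly what salting buys the defender, and why the brute-force pass is limited to three characters here.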

Cracking Windows NT/2000 Passwords Using LC5

• One of the most hyped security/attack tools.

• Focuses only on cracking Windows passwords.

• Available at: http://www.atstake.com/products/lc/download_thanks.html

LC5 walkthrough (captions from the slide screenshots):

• Get encrypted passwords: from the local machine or from a remote machine (the remote option asks for the target's Administrator password).

• Choose auditing method: simple, normal or strong checks; the character types to try are selected here.

• Pick reporting style: the types of report.

• Auditing options: Import, then Audit Start.

• Got the passwords: Report.

John the Ripper

• Focuses on cracking UNIX passwords.

• Available at: http://www.openwall.com/john/b/john-1.6.tar.gz

• Current version 1.6 (at the time of the slides).

John the Ripper walkthrough (captions from the slide screenshots):

• Download John the Ripper; download complete.

• Unzip the archive and build it with the compiler.

• Start John on the password file; it begins cracking the password.

• Got the password; try the password.

Defenses against Password-Cracking Attacks

• Strong password policy

• User awareness

• Password-filtering software

– UNIX: Npasswd, Passwd+

– Windows: Strongpass…

Defenses against Password-Cracking Attacks (cont.)

• Conduct your own regular password-cracking tests.

• Protect Your Encrypted/Hashed Password Files.
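A password filter of the kind Npasswd and Passwd+ implement, as an added example that is not part of the original deck and not those tools' code: it rejects exactly the candidates a dictionary or hybrid cracker would recover in its first pass (a wordlist word, possibly with leet-speak substitutions and digits or punctuation bolted on), plus the policy checks a strong password policy usually spells out. The wordlist, the 12-character minimum and the substitution table are assumptions for the demo.

```python
# Added example (not from the original slides): a password filter of the kind
# Npasswd and Passwd+ implement, rejecting candidates that a dictionary or
# hybrid cracker would recover in its first pass. The wordlist, the length
# threshold and the leet-speak mapping are constructed for the demo.
import string

WORDLIST = {"password", "letmein", "secret", "dragon", "welcome"}  # constructed
MIN_LENGTH = 12
# Undo the substitutions a hybrid cracker tries (p@ssw0rd -> password).
_LEET = str.maketrans("@$0134", "asoiea")
_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
            string.digits, string.punctuation)


def _normalize(password):
    """Lower-case, strip leading/trailing digits and punctuation, then undo
    leet-speak, so 'Secret123!' and 'P@ssw0rd2015!!' collapse to their base word."""
    core = password.lower().strip(string.punctuation + string.digits)
    return core.translate(_LEET)


def check_password(password, user_id):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if sum(any(c in cls for c in password) for cls in _CLASSES) < 3:
        problems.append("fewer than three character classes")
    if user_id.lower() in password.lower():
        problems.append("contains the user ID")
    if _normalize(password) in WORDLIST:
        problems.append("dictionary word with common mangling")
    return problems


if __name__ == "__main__":
    for pw, user in (("Secret123!", "alice"), ("P@ssw0rd2015!!", "bob"),
                     ("AliceRocks2024!", "alice"), ("Tr0ub4dor&3-quartz", "bob")):
        print(pw, "->", check_password(pw, user) or "accepted")
```

The normalisation step is the point: a filter that only counts character classes would accept "P@ssw0rd2015!!", while a hybrid cracker with a leet-speak rule recovers it almost immediately.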

Web Application Attacks

Account Harvesting

• Targeting the authentication process when an application requests a user ID and password: if the application responds differently to an invalid user ID than to a correct user ID with an incorrect password, an attacker can tell valid accounts from invalid ones and harvest a list of them.

(Slide screenshots: the response for an invalid user ID, compared with the response for a correct user ID with an incorrect password.)

Account Harvesting Defenses

• When either the user ID or the password is incorrect, all accompanying information sent back to the browser must be completely consistent between the two cases.

• This includes: HTML, URL, cookies, and hidden form elements.

(Slide screenshots: a correct user ID with the incorrect password 123456789, and an invalid user ID; the two responses should be identical.)
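The attack and the defense from the last two slides in code, as an added example that is not from the original deck: a login handler whose failure responses differ between "invalid user ID" and "incorrect password", the harvesting loop that exploits the difference, and a handler that returns one identical failure response whichever half of the credential pair was wrong. The user store and the response dictionaries (status, URL, body, cookie, hidden fields) are constructed for the demo.

```python
# Added example (not from the original slides): a login handler whose failure
# responses differ between "invalid user ID" and "incorrect password", the
# harvesting loop that exploits the difference, and a handler that returns one
# identical failure response (status, URL, body, cookies, hidden fields).
# The user store and the response dictionaries are constructed for the demo.
import hashlib
import hmac
import secrets

# Constructed user store: user ID -> hex SHA-256 of the password (demo only;
# a real store would use a salted, slow password hash).
USERS = {
    "alice": hashlib.sha256(b"correct horse").hexdigest(),
    "bob": hashlib.sha256(b"hunter2").hexdigest(),
}
_DUMMY_HASH = hashlib.sha256(b"dummy").hexdigest()


def authenticate(user_id, password):
    """Always hashes, even for unknown IDs, so timing does not leak existence."""
    stored = USERS.get(user_id, _DUMMY_HASH)
    candidate = hashlib.sha256(password.encode()).hexdigest()
    return user_id in USERS and hmac.compare_digest(stored, candidate)


def _success(user_id):
    return {"status": 302, "location": "/home", "body": "Welcome " + user_id,
            "set_cookie": "sid=" + secrets.token_hex(16), "hidden": {}}


def login_leaky(user_id, password):
    """Vulnerable: each failure case gets its own body, URL and hidden fields."""
    if authenticate(user_id, password):
        return _success(user_id)
    if user_id not in USERS:
        return {"status": 200, "location": "/login?err=nouser",
                "body": "Invalid user ID", "set_cookie": None,
                "hidden": {"retry": "0"}}
    return {"status": 200, "location": "/login?err=badpw&user=" + user_id,
            "body": "Incorrect password", "set_cookie": None,
            "hidden": {"retry": "1", "user": user_id}}


def login_consistent(user_id, password):
    """Hardened: every element of the failure response is the same whichever
    half of the credential pair was wrong."""
    if authenticate(user_id, password):
        return _success(user_id)
    return {"status": 200, "location": "/login?err=1",
            "body": "Invalid user ID or password", "set_cookie": None,
            "hidden": {"retry": "1"}}


def harvest(login, candidates, probe_password="not-the-password"):
    """Account harvesting: any candidate whose failure response differs from
    the response for an ID that cannot exist is a valid account."""
    baseline = login("no-such-user-" + secrets.token_hex(4), probe_password)
    return sorted(u for u in candidates if login(u, probe_password) != baseline)


if __name__ == "__main__":
    names = ["alice", "bob", "mallory", "root"]
    print("leaky:", harvest(login_leaky, names))            # ['alice', 'bob']
    print("consistent:", harvest(login_consistent, names))  # []
```

The harvester never needs a correct password; it only needs one response element (here the URL, the body text and a hidden field) that depends on whether the user ID exists. The hardened handler also hashes a dummy value for unknown IDs so that the time taken does not become the leak instead.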

Undermining Web Application Session Tracking

• Web applications generate a session ID to track user actions.

• Session ID: application-level data, generated by the application.

Attacking Session Tracking Mechanisms

• Establish a session, get assigned a session ID, and alter the session ID in the request.

• The attacker usurps the legitimate user's session ID and can then do anything that user can.

Achilles

• Achilles available at http://www.mavensecurity.com/achilles

• Current version 0.27

Web browser <-> Achilles (proxy) <-> Internet

(Slide screenshots: Achilles start, intercept modes, intercepted information.)

Defending against Web Application Session-Tracking Attacks

• Ensure the integrity of all session-tracking elements:

– Digitally sign the session-tracking information using a cryptographic algorithm.

– Encrypt the information carried in the URL, hidden form element, or cookie.

– Use long session IDs.

– Use dynamic session IDs (a fresh one for every session).

– Apply a timestamp so that stale IDs expire.
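The signed, timestamped, long-and-dynamic session ID from the defenses slide, as an added example that is not from the original deck: the server issues a token carrying the user, an issue time and 128 random bits, signed with an HMAC (the "cryptographic algorithm" of the slide; HMAC-SHA256 is this example's choice). An intercepting proxy such as Achilles can still read and edit the token, but any edit breaks the signature, and an old token expires. The key, the TTL and the token layout are assumptions for the demo.

```python
# Added example (not from the original slides): a session token built the way
# the defenses slide describes: a long random session ID, a timestamp, and a
# cryptographic signature (HMAC-SHA256) over all of it. A proxy such as
# Achilles can still see and edit the token, but any edit breaks the signature.
# The key, TTL and token layout are assumptions for the demo.
import base64
import binascii
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)   # constructed: lives only on the server
SESSION_TTL = 900                      # seconds a token stays valid


def _sign(payload):
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def issue_session(user, now=None):
    """Token = urlsafe-base64(user|issued_at|random_id) + '.' + HMAC(payload)."""
    now = int(time.time()) if now is None else now
    session_id = secrets.token_hex(16)   # 128 random bits, new on every login
    payload = "%s|%d|%s" % (user, now, session_id)
    payload = payload.encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def verify_session(token, now=None):
    """Return the user for an authentic, unexpired token, else None."""
    now = int(time.time()) if now is None else now
    try:
        b64, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(b64)
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(_sign(payload), sig):
        return None                      # altered or forged
    user, issued, _session_id = payload.decode().split("|", 2)
    if now - int(issued) > SESSION_TTL:
        return None                      # timestamp expired
    return user


def tamper(token, old_user, new_user):
    """What an attacker does in the proxy: rewrite the user inside the payload
    and send the token on with the original signature."""
    b64, sig = token.split(".", 1)
    payload = base64.urlsafe_b64decode(b64).decode().replace(old_user, new_user, 1)
    return base64.urlsafe_b64encode(payload.encode()).decode() + "." + sig


if __name__ == "__main__":
    token = issue_session("alice", now=1000)
    print(verify_session(token, now=1500))                            # alice
    print(verify_session(tamper(token, "alice", "admin"), now=1500))  # None
    print(verify_session(token, now=1000 + SESSION_TTL + 1))          # None
```

Signing stops alteration; it does not stop replay of a token the attacker has captured intact, which is what the timestamp (and, in a real deployment, binding the cookie to HTTPS) limits.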

Conclusions

• An attacker can use these techniques to gain access to a target machine by attacking its applications.