Password Attacks
Post on 20-Dec-2015
Guessing Default Passwords
• Many applications and operating systems include built-in default passwords.
• Lazy administrators
• Database of default passwords is publicly available at http://www.phenoelit.de/dpl/dpl.html
Let’s Crack Those Passwords
• Stealing the encrypted passwords and trying to recover the clear-text password.
• Create a password guess
• Encrypt the guess
• Compare encrypted guess with encrypted value from the stolen password file
• If match, you’ve got the password!
• Else, loop back.
[Diagram: the cracking loop, with guesses generated by dictionary, brute-force, or hybrid password cracking]
Cracking Windows NT/2000 Passwords Using LC5
• One of the most hyped security/attack tools.
• Focuses only on cracking Windows passwords.
• Available at: http://www.atstake.com/products/lc/download_thanks.html
John the Ripper
• Focuses on cracking UNIX passwords.
• Available at: http://www.openwall.com/john/b/john-1.6.tar.gz
• Current version 1.6
Defenses against Password-Cracking Attacks
• Strong Password Policy
• User Awareness
• Password-Filtering Software
– UNIX: Npasswd, Passwd+
– Windows: Strongpass…
Defenses against Password-Cracking Attacks (cont.)
• Conduct Your Own Regular Password-Cracking Tests.
• Protect Your Encrypted/Hashed Password Files.
Account Harvesting
• Targeting the authentication process when an application requests a userID and password.
[Diagram: the application's response to an invalid userID differs from its response to a correct userID with an incorrect password, revealing which userIDs exist]
Account Harvesting Defenses
• When userID or password was incorrect, all accompanying information sent back to the browser must be completely consistent.
• Includes:
– HTML
– URL
– Cookies
– Hidden form elements
Undermining Web Application Session Tracking
• Web applications generate a session ID to track user actions.
• Session ID
– Application-level data
– Generated by the application
Attacking Session Tracking Mechanisms
• Establish a session, get assigned a session ID, and alter the session ID.
• The attacker usurps the legitimate user’s session ID to do anything.
Achilles
• Achilles available at http://www.mavensecurity.com/achilles
• Current version 0.27
[Diagram: Web browser → Achilles (proxy) → Internet]
Defending against Web Application Session-Tracking Attacks
• Ensure the integrity of all session-tracking elements
– Digitally sign the session-tracking information using a cryptographic algorithm.
– Encrypt the information in the URL, hidden form element, or cookie.
– Long session IDs.
– Dynamic session IDs.
– Apply a timestamp.
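The defenses on this slide (signed session-tracking data, long random session IDs, a timestamp) combined into one token scheme, as an added example that is not part of the original slides: HMAC-SHA256 over the user, a 128-bit random session ID and the issue time, verified with a constant-time comparison and an assumed 15-minute lifetime. The token layout and helper names are assumptions for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
from typing import Optional

MAX_AGE = 900  # assumed session lifetime in seconds (15 minutes)


def make_session_token(key: bytes, user: str, now: int,
                       session_id: Optional[bytes] = None) -> str:
    """Issue a signed, timestamped session token for `user`."""
    if "|" in user:
        raise ValueError("field separator not allowed in user name")
    # Long, random session ID (128 bits): not guessable or incrementable.
    sid = session_id if session_id is not None else secrets.token_bytes(16)
    payload = f"{user}|{sid.hex()}|{now}".encode()
    # HMAC over the whole payload: altering any field invalidates the tag.
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag


def verify_session_token(key: bytes, token: str, now: int,
                         max_age: int = MAX_AGE):
    """Return (user, session_id_hex) for a genuine, unexpired token, else None."""
    try:
        b64_payload, tag = token.split(".", 1)
        payload = base64.urlsafe_b64decode(b64_payload.encode())
        user, sid, issued = payload.decode().split("|")
        issued_at = int(issued)
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return None  # malformed token
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    # Constant-time comparison so a mismatch leaks nothing about the tag.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None  # altered or forged session data
    if now < issued_at or now - issued_at > max_age:
        return None  # timestamp outside the allowed window
    return user, sid


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # server-side secret, never sent to the client
    token = make_session_token(key, "alice", now=1000)
    print(verify_session_token(key, token, now=1500))                 # accepted
    print(verify_session_token(key, token[:-1] + "x", now=1500))      # None (tampered)
    print(verify_session_token(key, token, now=1000 + MAX_AGE + 1))   # None (expired)
```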