password stealing & enhancing user authentication using opass protocol

Password Hacking And

Enhancing Security Using oPass User Authentication Protocol

Domain:- Computer Hacking

Seminar Coordinator: Guided By: Special Thanks: Prof.K.A.Sultanpure Prof.S.H.Chandak Dr.Emmanuel M

(HOD I.T)

ByPrasad G Pawar

Society for Computer Technology & Research’sPUNE INSTITUTE OF COMPUTER TECHNOLOGY

S. No. 27, Dhankawadi, Pune Satara Road, Pune – 411043

A Seminar On

Academic Year 2012-2013

Password Hacking & Enhancing Security Using oPass UAP

2

# Contents…

• Definition Of Hacking• Hackers & Crackers• Types Of Hackers• Reasons For Hacking• Ethical Hacking – The Concept• Steps In Hacking• About Password Hacking• Hacking Windows Login Passwords• Web-site Phishing• Trojan Horse• oPass User Authentication Protocol

Computer Hacking

Password Hacking(Stealing)

oPass UAP

3/18/2013


3

# Hacking - The Definition

• Hacking is the practice of modifying the features of a system, in order to accomplish a goal outside of the creator's original purpose

-- whatishacking.org

• Hacking means finding out weaknesses in a computer or computer network, though the term can also refer to someone with an advanced understanding of computers and computer networks

-- wikipedia.org

• Computer hacking is the practice of modifying computer hardware and software to accomplish a goal

-- wisegeek.com

3/18/2013

4

# Hackers & Crackers…

• Traditionally, a hacker is someone who likes to play with software or electronic systems. Hackers enjoy exploring and learning how computer systems operate. They love discovering new ways to work electronically

• But recently, Hacker has taken on a new meaning — someone who maliciously breaks into systems for personal gain. Technically, these criminals are Crackers or Criminal Hackers. Crackers break into systems with malicious intentions

• Hackers, on the other side, work against the crackers. They find out the vulnerabilities or study the recent attacks & fix those loopholes so as to protect us from Crackers

Hackers LegalCrackers Illegal

3/18/2013 Password Hacking & Enhancing Security Using oPass UAP


5

• Hacking exists in many forms like Cell-Phone hacking, Brain hacking, etc. but Computer Hacking is most popular form of hacking nowadays, specially in the field of computer security

Hackers are classified as :-• White Hat :

A white hat hacker breaks security for non-malicious reasons, perhaps to test their own security system or while working for a security company which makes security software. The term "white hat" in Internet slang refers to an ethical hacker

• Black Hat :A Black Hat Hacker is a hacker who violates computer security for little reason beyond maliciousness or for personal gain

• Grey Hat :A grey hat hacker is a combination of a Black Hat and a White Hat Hacker. A Grey Hat Hacker may surf the internet and hack into a computer system for the sole purpose of notifying the administrator that their system has been hacked, for example. Then they may offer to repair their system for a small fee

# Types Of Hackers…

3/18/2013


6

• Script kiddie :A script kiddie (or skiddie) is a non-expert who breaks into computer systems by using pre-packaged automated tools written by others, usually with little understanding of the underlying concept

• Neophyte :A neophyte or newbie is someone who is new to hacking or phreaking and has almost no knowledge or experience of the workings of technology and hacking

• Organized criminal gangs : Criminal activity carried on for profit

• Bots :Automated software tools, somefreeware, available for the use of anytype of hacker

continued…

3/18/2013


7

# Why do hackers hack ???• The main reason why Hackers hack is because they can hack. Hacking is a casual hobby for

some Hackers — they just hack to see what they can hack and what they can’t hack, usually by testing their own systems

• Many Hackers are the guys who get kicked out of corporate and government IT and security organizations. They try to bring down the status of the organization by attacking or stealing information

• Some Hackers want to make your life miserable, and others simply want to be famous

• Some common motives of malicious Hackers are revenge, curiosity, boredom, challenge, theft for financial gain, blackmail, extortion and corporate work pressure.

• Many Hackers say they do not hack to harm or profit through their bad activities, which helps them justify their work. They often do not look for money full of pocket. Just proving a point is often a good enough reward for them

3/18/2013


8

# Ethical Hacking-The Concept...• Ethical hacking is where a person hacks to find weaknesses in a system and then usually

patches them.

• For example, a bank may pay a hacker to hack their systems to see if it is hackable. If he gets in, then they know there is potential for other people to hack in, and usually they will work with this ethical hacker to patch these holes. If he doesn't get in, then they pray that nobody is better at hacking than him

• Ethical hacking is performed with the target’s permission

• The intent of Ethical Hacking is to discover vulnerabilities from a Hacker’s viewpoint so systems can be better secured

• Ethical Hacking is part of an overall information Risk Management program that allows for ongoing security improvements.

• Ethical hacking can also ensure that vendors’ claims about the security of their products are legitimate

3/18/2013


9

# Steps In Hacking…• Reconnaissance :

The first stage of any attack is "reconnaissance“ - scanning the victims & looking for ways into their systems. The purpose of this stage is to map out the target network and systems. The hacker will try to list all the systems on the network, and then try to list all the holes available on the target systems. Once the hacker has a list of systems, he/she will scan the system looking for possible entry points into the system.

• Scanning :The second step of ethical hacking and penetration testing involve two terms

that is scanning or port scanning and enumeration. During this process you have to find out the alive host, operating systems involved, firewalls, intrusion detection systems, servers/services, perimeter devices, routing and general network topology (physical layout of network), that are part of the target organisation. Enumeration is the first attack on target network, enumeration is the process to gather the information about a target machine by actively connecting to it.

• Gaining Access :In this step, the attacker exploits the discovered vulnerabilities to actually

connect to the target system i.e., gaining complete control of the target system.

• Maintaining Access :The attacker after getting access to the system once, creates some

backdoors so that he/she can get access to the system at any time in the future. For e.g. creating a hidden user account in windows.

• Clearing Tracks :As in the case of crime scenes, forensic analysis in computer can help to

trace the attacker. So, in order to avoid getting caught by the authorities the attacker can use many ways so as to clear his tracks of intrusion into the target system. For e.g. deleting the user account after hacking into a windows operating system.

3/18/2013


10

# Hacking Login Password…Microsoft Windows 95 / 98 / ME :

• In Windows 95/98/ME passwords are stored in password list (.pwl) files.

• All *.pwl files are generally stored in the C:\WINDOWS folder. We can find all the *.pwl files on the system using the operating systems find option.

• These .pwl files are readable in any text editor like Notepad, but they are definitely not understandable. A typical example of the contents of a .pwl file is:

ã‚...- ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿR p u.ÐX+|rÐq"±/2³ Êå¡hCJ‚D × `ÍY¥!íx}(qW¤ãÆ±<!?àÜ6šá˜ôæ4+\3/4õ+%E°ËÔýmÇÔ ÞI»‚ B � � �à×oeøÐ...'@

3/18/2013


11

# Continued…Microsoft Windows 95 / 98 / ME :

• Now these passwords can be easily removed/bypassed using a simple technique.

• Firstly, boot up the system, then press F8 key to invoke a configuration screen.

• On this screen, select MS-DOS Mode. Now you will be sent to a command prompt.

• Here, simply goto “C:\Windows” or “<Root Drive>:\Windows” and type “del *.pwl”.

• This will delete the password files & next time you log in, you will be asked for a new password.

3/18/2013


12

# Hacking Login Password…Microsoft Windows NT / XP / Vista / 7 :

• Majority of the different versions of Windows like Windows NT, Windows 2000, Windows XP, Windows Vista and Windows 7 uses Systems Account Manager (SAM) to store users credentials.

• The important part is that these files become inaccessible after windows starts.

• So in order to hack these passwords, all job has to be done without starting windows.

• For this purpose, readymade tools are available over the internet.

• For e.g., Ophcrack is a free open source program that cracks Windows passwords. On most computers, ophcrack can crack most passwords within a few minutes.

3/18/2013


13

# Continued…Microsoft Windows NT / XP / Vista / 7 :

• The process is simple – Boot your system with the live CD of ophcrack in the CD-Drive

• Wait for the live OS to load, and the software will take rest of the care. You will get all the passwords within some minutes.

• The catch is the time required to crack the password is proportional to length and complexity of password.

• Also, if the passwords are too complex the software may fail.

• There are other tools like Offline password cracker, Hiren Multi Boot Disk, ERD Commander, Admin Hack, Active Password Changer are also used for the same purpose.

3/18/2013


14

# Erasing BIOS Password…• Due to the sensitive nature of the system settings controlled by the BIOS, a password

can be set by either the computer manufacturer or the end-user.

• In addition to creating a BIOS password from a hash code, a number of BIOS manufacturers also implement an explicit backdoor password.

• This password will work regardless of the presence of a manually set BIOS password. The primary purpose of a manufacturer’s backdoor BIOS password is for maintenance and testing evolutions.

3/18/2013


15

# Erasing BIOS Password…One of the most common methods to reset the BIOS password is to remove or discharge the battery on the computer’s motherboard. If the power to the battery is lost or drained, the BIOS configuration will be reset to the factory state with no password. System settings made to the BIOS will also be lost.

• Step 1 – Turn off the computer and ensure it has no external power (i.e. unplug the power cable. If it has a battery, remove it).

• Step 2 – Open the computer’s case or box.• Step 3 – Locate the computer’s motherboard and look for the white silver button

battery on the motherboard.• Step 4 – Remove the battery carefully and wait for approximately 30 seconds.• Step 5 – Put the computer case back together and boot the computer.• Step 6 – If the “CMOS Checksum Error-Defaults Loaded” error message is displayed,

the BIOS password has been reset.

If the CMOS battery is soldered to the computer’s motherboard, some brands will have a jumper located on the board that can be used to reset or clear the BIOS password.

3/18/2013


16

# Website Phishing…Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by misleading as a trustworthy entity in an electronic communication.

3/18/2013


17

# Website Phishing…The Process…• The attacker calls you or send you an email. The email or call will give you some exciting

offers or will in some way try to lure you so as to open the link provided or disclose some confidential information

• For e.g., there was a scam recently over Facebook where they claimed to give you Free Facebook Tshirt or Free Facebook Shoes.

• Users were required to fill in a form which required to give your user id & passwords for facebook account.

• Then users had to like a page in order to avail the offer.• After that, users were asked to share that link in 10 different groups so as to spread the

scam.• Also the process never completed because the page always said You havent shared the

link yet.

3/18/2013


18

# Website Phishing…• Phishing is the most common & efficient password stealing attack.

• According to APWG (Anti-phishing Working Group)’s report, the number of unique phishing websites detected in the second half of 2010 was 97,388.

• RSA, formerly RSA Security, Inc., is an American computer and network security company. Phishing attacks increased 24% in November 2012 with 41,834 attacks identified by RSA. To date, the RSA Anti-Fraud Command Center has shut down 7,67,442 cyber attacks.

• The U.S. and UK were targeted by the most volume of phishing attacks in November, but India emerged as the third most targeted, enduring 7% of phishing attack volume last month.

3/18/2013


19

# Identifying Phishing Mails…Attackers might email you, call you on the phone, or convince you to download something off of a website.Here is an example of what a phishing scam in an email message might look like:

3/18/2013

20

# Trojan Horse…• A Trojan horse, or Trojan, is a non-self-replicating type of malware which appears to

perform a desirable function but instead facilitates unauthorized access to the users computer system.

• Trojans do not attempt to inject themselves into other files like a computer virus. • Trojan horses may steal information, or harm their host computer systems.



21

# Trojan Horse…Purpose & Uses…A Trojan may give a hacker remote access to a targeted computer system. Operations that could be performed by a hacker on a targeted computer system may include:

• Crashing the computer• Blue screen of death• Electronic money theft• Data theft (e.g. retrieving passwords or credit card information)• Installation of software, including third-party malware and ransomware• Downloading or uploading of files on the user's computer• Modification or deletion of files• Keystroke logging• Watching the user's screen• Viewing the user's webcam• Controlling the computer system remotely

3/18/2013


22

# Trojan Horse…Prevention…• Prevention against Trojan horses depends on the skills of the attacker or the ability of

Trojan.

• Most of the Trojans available over internet have been already marked in almost all anti-virus databases & even in windows defender database.

• Use an anti-virus software before you use internet on your computer. Also keep its virus definitions updated.

• Frequently check for Windows Defender Updates & download them if available. Defender is an inbuilt software in Windows OS to keep track of malwares & spywares.

• If you feel your computer is behaving abnormally, disconnect from internet & contact some security experts.

3/18/2013


23

# All About Passwords…• Over the past few decades, text passwords have been adopted as primary means of user

authentication for websites.

• Users select username & passwords while registering on websites. But to log onto that site next time, user has to recall that password.

• If the user selects complex password, it can resist brute force & dictionary attacks.

• But because humans are not good at memorizing strings, most users would choose easy to remember passwords.

• Another crucial problem is that many users reuse the same password for many sites.

• Password reuse can cause a great loss because a hacker can compromise a weak site & use the password for other websites. This is password reuse attack.

3/18/2013


24

# All About Passwords…

• Various schemes have been suggested till date for User Authentication.

• It included some Graphical Password Schemes as well.

• Although it’s a great idea, it is not mature enough & is vulnerable to some attacks like guessing, shoulder surfing & spywares.

• Keylogging or keylistening cannot crack them but we are not sure about mouse tracking spywares.

3/18/2013


25

# All About Passwords…• Another alternative to password security is to use Password Management Tools.

• These tools suggest long complex passwords while registering over websites & store them so that when you login next time, it can fill them automatically.

• The user just need to remember one Master Password & all other passwords are managed by the software.

• Some managers even facilitate carrying a copy in flash drives so as to use them on other computers.

• But users doubt its security & thus feel uncomfortable about using it.

• Some researches focus on three factor authentication rather than password based to provide more reliable user authentication. Three factor authentication depends on what you know(e.g.password), What you have(e.g.ID cards) & Who you are(e.g.fingerprint or iris).

• This requires comparatively high cost.

3/18/2013


# What is oPass ??…• oPass is an User Authentication Protocol which leverages a user’s cell phone & SMS

service to prevent password reuse & password stealing attacks.

• The main cause why password stealing attacks succeed is because users have to type them in untrusted computers.

• Therefore, the main concept of oPass is to free users from having to remember or type any passwords into conventional computers for authentication.

• The users cell phone is used to generate one time passwords & a new communication channel – SMS is used to transmit authentication messages.

• Because of one time passwords(OTP) the user is not required to memorize any passwords & there is no problem if the attacker knows this password as the password expires after one login session.

3/18/2013

26

27

# oPass Architecture…• In oPass, a user is required to only memorize one long-term password to access his cell

phone.

• For users to perform secure login on an untrusted computer(kiosk), oPass consists of a trusted cell phone, a browser on kiosk & the server he wishes to log into.

• The communication between cell phone & web server is through SMS channel.

• The browser interacts with web server via the internet.

• In our protocol, we require cell phone to interact directly with the kiosk. The general approach is to select available interfaces like Wi-Fi or Bluetooth.



28

# Assumptions in oPass…

• Each web server posses a unique phone number.

• Users cell phone is malware free.

• The telecommunication service provider (TSP) will participate in registration & recovery phases.

• Users connect to the TSP via 3G connection to protect transmission.

• The TSP & web server establish a secure socket layer (SSL) tunnel to prevent phishing attacks.

• If the user loses his cell phone, he will get a new sim card from TSP having the same number.

3/18/2013


29

# The Registration Phase…

3/18/2013


30

# The Registration Phase…Step 1 :

The user begins by opening the oPass program on her cell phone.

Step 2 :She enters IDu (account id she prefers) & IDs (web site URL) to the program.

The TSP plays the role to distribute a shared key Ksd between the user & the server. The key is used to encrypt the SMS with AES-CBC.

AES-CBC : Advanced Encryption Standard Cipher Block Chaining

Step 3 :TSP forwards user id (IDu) , user number (Tu) & shared key (Ksd) to the server (s).

3/18/2013


31

# The Registration Phase…Step 4 :

Server generates corresponding information about the account & replies with server ID (IDs), a random seed ф & servers phone number (Ts).

TSPStep 5 :

TSP then forwards server ID (IDs), a random seed ф, servers phone number (Ts) & a shred key Ksd to users cell phone.

TSP3/18/2013


32

Step 6 :The user will now set up a long-term password Pu for her cell phone. The phone

computes a secret credential c using Pu, IDs & ф.

The cell phone then encrypts the credential c with key Ksd & generates corresponding MAC i.e. HMAC1 .

# The Registration Phase…

Step 7 :The cell phone now sends an encrypted registration SMS to server phone number

Ts which consists of user ID, c, ф, IV & HMAC1.

Step 8 :Server decrypts this SMS to obtain c, key Ksd & sends an acknowledgement to user

cell phone. In the end, cell phone stores server ID, server number, ф & i. ‘i’ is current index of OTP.

Step 9 :After SMS from above step, server stores user ID, user number, c, ф & i. This

completes registration.

3/18/2013


33

# The Login Phase…

3/18/2013


34

# The Recovery Phase…

3/18/2013


35

# oPass Security Analysis…• An attacker can target user or server side.

• At user side, he can install malwares or use phishing sites to fetch the passwords.

• But in oPass, passwords are not entered into browsers. So, oPass resists phishing & malware attacks.

• At server side, attacker can intercept & manipulate messages to launch SMS spoofing attacks.

• But as ciphertext cannot be decrypted without corresponding secret key & hash function is irreversible, this attack will fail.

• Also the attacker doesn’t know the session key of 3G connection & SSL tunnel. So he cannot derive the secret credential c.

• If someone steals the cell phone, he cant login as he doesn’t know the long-term password setup by user.

3/18/2013


36

# Something Important…• The TSP & server communicate via a SSL tunnel which guarantees confidentiality. TSP

can verify websites certificate to prevent phishing attacks.

• To analyze effectiveness of oPass a study was conducted with 24 participants having avg. computer experience 11.9 years.

• The average time of registering is 21.8 s and SMS delay is 9.1 s.

• For login, average time was 21.62 s & SMS delay was 8.9 s.

• Many people preferred oPass over present authentication protocols.

• Also many suggested that such high level of security is good for applications like net banking & not simple websites like emails.

3/18/2013


37

# Conclusion…• Crackers are always onto developing something new. All we can do is fix the already

discovered vulnerabilities so as to remain safe.

• oPass protocol has a very high level of security which is not feasible for everyday login purposes. For usage like login, this protocol wont be acceptable. But for applications like net banking, the protocol is highly recommended.

• Similar protocols have been implemented by some websites for e.g. Google. So we can say that security is improving day by day.

3/18/2013

38Thank You

Questions Are Welcome!!