Password Strength

Post on 09-Jul-2015

November 2009

PASSWORDS AND RELATED ISSUES

Posts and Telecommunications Institute of Technology, Ho Chi Minh City campus. Course project: INFORMATION SECURITY. A study of passwords and related issues.

Supervisor: Mr. L Phc. Student group: 1. Trng nh Hong 2. Nguyn Th Thanh Minh 3. V Thanh Tho

Introduction

When computer networks first appeared, the problem arose of many people sharing one system while keeping information confidential, and so passwords came about. At first a password was simply a string of characters used to keep other people out. As password cracking has grown, and as computers have become faster and memory cheaper, a hacker's ability to crack passwords has increased and the time needed has shrunk. Along with that, the demands placed on users have also grown: passwords must be changed periodically, must meet a prescribed strength, and must be remembered and kept secret. From these issues we see that passwords are a sensitive matter on a single computer, in a small network, and on the wide Internet. This project therefore gives an overview of passwords and related issues: authentication, password cracking, and evaluating the strength of a password. From that we draw lessons for protecting our information against attacks.

I. AN OVERVIEW OF AUTHENTICATION

Put simply, authentication is the process of identifying a user. As networks grow ever more powerful, correctly confirming a user's legitimate access rights matters greatly for information security. There are many authentication methods today; most rest on:
o Something you know (username and password)
o Something you have (smart card, certificate)
o Something you are (biometrics)

A. Authentication with a username and password

1. HTTP authentication

a. Basic Authentication

A common authentication method on the web application platform. It comes into play when the client requests information that requires authentication.
It is limited by the protocol and gives attackers an opening to exploit. Use SSL to encrypt the username and password sent between client and server.

b. Digest Authentication

Designed to be more secure than Basic Authentication, it is built on challenge-response authentication. To improve on Basic Authentication, the system hashes the username and password before they are sent over the network.

2. Integrated Windows NTLM authentication

Uses NT LAN Manager (NTLM) authentication for HTTP. Works only with IE, and only with IIS as the web server. Combined with Windows authentication it suits a company's local network. It is an authentication method that never sends the username or password over the network.

3. Negotiate Authentication

An extension of NTLM authentication. It provides Kerberos-based authentication and uses a negotiation process to decide which security level is used. It is configured and used not only for local networks.

B. Authentication based on smart cards and certificates

1. Certificate-based authentication

Uses public-key encryption and digital certificates to authenticate the user. It is of interest when combined with two-factor authentication: someone who knows the username and password must also present the certificate before being authenticated. A user's certificate can be stolen. A great deal of software today supports authentication with digital certificates.

2. Forms-based authentication

It is not supported at the HTTP and SSL level. It is an advanced option that authenticates through a form, usually embedded in HTML. It is a very popular authentication method on the Internet.

3. Authentication based on RSA SecurID tokens

The SecurID method uses a "token" (for example, a card). A hardware device generates an authentication code every 60 seconds, and a card is used to decode the key.
A user authenticating to a network resource must enter a PIN together with the number the SecurID shows at that moment.

C. Biometric authentication

A biometric authentication system needs devices that recognise the user by biological traits such as fingerprints, eyes, face or hand. It is a highly secure method and convenient for the user, who need not remember a password or carry a card.

From the above we can see that biometric and smart-card methods have the advantage of very high security: a hacker can hardly attack the system, because getting hold of the smart card is hard and matching a user's biological traits is impossible. Deploying them, however, is very costly, especially the cost of installing the authentication equipment at every device of the information system. This analysis shows that passwords remain an effective solution: low cost, easy to use, with acceptable security, and potentially very effective if we have sensible policies. We will therefore concentrate our discussion and study on passwords and their related security issues.

II. PASSWORDS AND PASSWORD CRACKING

With the relentless advance of computing technology, the risk of hackers attacking information systems keeps growing and the password problem becomes more complex. A password is no longer merely a user's private secret string; it is under constant, serious risk of being cracked, so users need new knowledge about passwords.

So what is a password? A password is a secret word or string of characters used to authenticate, prove or identify a user in order to grant access to a resource.

Why are passwords necessary?
o Passwords keep unauthorised intruders out of the system, protect information, uniquely identify the individual who logs in, and let us trace that person's actions on the data.
o In any system, certain users hold privileges that others do not.
By identifying yourself on your own computer or on websites, you gain access to your own working environment and your personal data, material that is sensitive and not meant to be public.

Threats that come from passwords:
o While most organisations and 99% of home users still depend on passwords as the basic form of identification for sensitive and private data, networks with weak security mechanisms unwittingly create holes through which hackers reach company resources and user assets.
o Although passwords are the necessary and most user-friendly means of identifying users who access their network or database, the truth is that users are very careless about the requirements to change their password, to create a secure one, and to follow guidance on keeping it as secret as possible. The result is a large number of easily guessed passwords, the same password reused on many systems, and users writing down their login details, password and username included.

Dangers when a password is exposed:
o Identity theft: occurs when your account data is used by someone else. It leads to financial loss as well as personal harm (your account being used to withdraw money, etc.).
o Sensitive data exposure: the contents of your e-mail, projects, documents and photos are laid open to hackers, or to individuals targeting you with bad intent.
o Company data exposure: espionage that takes sensitive internal information through account data kept and guarded carelessly, with an enormous impact on the company you work for.
o Use in criminal activity: your account will be used for criminal purposes if you do not guard it carefully. Do not forget that the trail leads back to your account, so you cannot avoid being implicated.

So what is a password attack? A password attack is an attempt to obtain the password of some user ID in order to break into that person's system. A password can be attacked in many different ways:

o Physical security holes: a physical weakness of the computer will be fully exploited even against the most elaborate identification method and the most secure encryption.
For example, once a program that records keystrokes (a keylogger), whether software or hardware, has been installed, your key is exposed, and so all encrypted data and accounts are compromised. No matter how long and secure your password, a physical security hole is one of the most dangerous cases.
o Packet sniffers: capture passwords in poorly encrypted environments, especially on a LAN where every machine reaching the Internet must pass through the default gateway. Systems that carry information across the network are sometimes not very secure, and by exploiting this a hacker can get at the data paths to eavesdrop on, or read, the data stream passing through. Listening in on communications in this way is called sniffing or snooping. It gathers valuable information about the system, such as a packet containing someone's username and password. Eavesdropping programs are also called sniffers; they listen on the ports of the system the hacker wants to watch, collect the data on those ports and pass it back to the hacker.
o Trojan horse programs: appear as links on web pages that users are lulled into clicking, as ActiveX controls that must be installed to log on to a site, inside software installers, in e-mail and so on. Once the Trojan is on the user's machine it can capture the password as the user types it and send it back to its owner.
o Cookie attacks: cookies are small structured data items shared between a website and the user's browser. They are stored as small text files (under 4 KB). Sites create them to store, retrieve and recognise information about users who have visited the site and the areas they went through. That information can include name, user identifier, password, preferences, habits and so on. Cookies are accepted by the user's browser and saved on the computer's hard disk; not every browser supports cookies.
o Cracking: there are two methods, manual and automated. Manual cracking: take a valid user ID (which a hacker can easily find, for instance with a war dialer), guess the passwords that user might use, then try each one until one succeeds. Automated cracking: find the file of hashed passwords, then decode it to obtain the passwords in plaintext.

To understand this, we must first understand how passwords are encoded and verified.
Password encoding: today most passwords are hashed one-way with hash functions such as SHA or MD5. On well-built applications a password is therefore stored only as its hashed string and never as plaintext.

Password verification: suppose user A has the password a. The application hashes it to 0cc175b9c0f1b6a831c399e269772661 and stores that in the database. When user A logs in with password a, the application hashes a and compares the result with the value stored in the database. If the two match, user A is let in.

When a system is probed, hackers can only obtain the file of hashed passwords, not a file of plaintext passwords; because the hash function is one-way, a hacker who wants the plaintext can only brute-force it.

Brute-force attack:

Using a dictionary: a dictionary attack builds a file containing most of the meaningful words in a dictionary, hashes them and compares the hashes with the user's password hash to guess the user's password. In practice users often choose meaningful words for their passwords, so the dictionary attack is a simple method with a high success rate. On most systems a dictionary attack finishes in a short time compared with trying every possible combination. Building the dictionary file is fairly simple, especially when you know the user well: a term the user often uses at work, or the name of someone important to the user, can also go into the dictionary.

Using brute force: this cracks a password by exhausting every possible combination of characters, starting from ordinary characters and going on to special ones, hashing each and comparing it with the user's password hash. With a powerful machine that can generate the combinations, a hacker can therefore crack any password given enough time.

Hybrid: a combination of the dictionary and brute-force attacks. The dictionary part scans the meaningful words; the brute-force part scans the remaining characters such as special characters and digits. For example, a user's password is intertainment111. A dictionary attack alone cannot work, because no dictionary word contains digits, and pure brute force would take too long.
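As an added illustration of the verification scheme just described (this code is not from the report), the following Python shows the unsalted MD5 compare the report outlines, reproducing the 0cc175b9c0f1b6a831c399e269772661 value for the password a, next to a hardened variant with a per-user random salt, PBKDF2-HMAC-SHA256 and a constant-time compare; the function names and the round count are this example's own choices.

```python
import hashlib
import hmac
import os

# Scheme the report describes: store MD5(password), hash and compare on login.
def md5_store(password):
    """Return the hex MD5 digest the report's application stores for a password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def md5_verify(stored_hex, attempt):
    """Hash the login attempt and compare it with the stored digest."""
    return hmac.compare_digest(stored_hex, md5_store(attempt))

# Hardened variant (this example's choice): per-user random salt and a slow
# key-derivation function, so equal passwords give different records and each
# guess costs the attacker PBKDF2_ROUNDS hash computations instead of one.
PBKDF2_ROUNDS = 200_000  # example value; raise as hardware allows

def pbkdf2_store(password, salt=None):
    """Return 'rounds$salt_hex$dk_hex'; a fresh 16-byte salt is drawn if none is given."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"{PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"

def pbkdf2_verify(record, attempt):
    """Re-derive the key with the stored salt and round count; compare in constant time."""
    rounds, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)

def same_password_collides(scheme, password):
    """True if two users with the same password get identical stored records.
    Under unsalted MD5 they do, so cracking one record exposes both users."""
    store = md5_store if scheme == "md5" else pbkdf2_store
    return store(password) == store(password)

if __name__ == "__main__":
    print(md5_store("a"))                      # the value the report quotes
    rec = pbkdf2_store("intertainment111")
    print(rec, pbkdf2_verify(rec, "intertainment111"))
```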
We use the hybrid attack: take a meaningful word from the dictionary, then brute-force by appending two digits to the word to search for the password. This method is far more effective.

Below we look at a few representative demonstration programs.

1. Brute-force attack

Windows is the most widely used operating system in the world, and it always harbours security flaws. In this section I describe how a computer running Windows is attacked; from what that shows about attacking Windows machines I will then propose security measures for the system. Attacking the password of a Windows account.

a. On the local machine

Suppose you do not know the password of a computer in the system, but you get its owner to type the password and lend you the machine for a while. The question now is how to find out the password of the account you are logged on with. Many programs can export the hashed passwords to a file, typically PasswordDump and WinPasswordPro; in this write-up I use WinPasswordPro. Start WinPasswordPro and import the passwords from the local machine. After importing the passwords from the SAM file we get the following (figure).

We then export the list of users and hashed passwords to a .txt file and e-mail it to ourselves; on our own machine we use the same program to reverse them. Opening the exported TXT file shows the hashed password data (figure).

After obtaining the hashed user and password data, uninstall the program from the victim's machine, then e-mail the file to our own machine. Decoding is the time-consuming step: a password under 10 characters takes about an hour. Start WinPasswordPro on our machine, choose File -> Import PWDUMP file, and browse to the hashed password file.
After importing the PWDUMP file we get the following (figure). Clicking Start offers three password attack methods:
+ Brute Force
+ Dictionary
+ Smart Table

I chose the Brute Force method. After about 15 minutes (this was a password I set with no special characters, no digits, no capitals, and 9 characters long) the process finished and decoded the hashed password file: user administrator, password vnexperts.

b. Attacking a remote machine

- Exporting the hashed passwords while sitting at the victim's machine is simple, but in practice that will rarely be possible.
- With Password Dump we can obtain the hashed data from a remote machine.
- Here I use PasswordDump version 6.1.6.

Above, I pull the hashed username and password data from the computer 192.168.1.156 with PWDump and write it to the file vnehack.txt on C:, using the Type command to view the file's contents. With this data we again use WinPasswordPro to decode it. Once we have the Administrator account and its password, what we do next is up to us.

Defences against this kind of attack:
+ Be careful about who gets access to our computer.
+ Set passwords longer than 14 characters that contain every character class: special, upper case, digits, lower case.
+ Enable the firewall to block PasswordDUMP; install and apply the latest patches from the vendor.
+ Install at least one strong antivirus program.

Disabling PWdump helps, but note that when the attacker already has an account in the system the situation is completely different: they will get past most security defences. In this case I have an ordinary user named vne, and with it I can export all the hashed username and password data from the server.

2. Finding passwords by decoding cookies: the program CT Cookie Spy 2.0
Cookies often keep a great deal of important user information from Internet sessions, such as the username and password for a website. With this program you can search the cookies stored on the system and decode them to find usernames and passwords.

From the attack methods presented above, we can derive principles for setting and using...
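As an added example (not part of the report) of turning the report's own recommendation and its hybrid-attack observation into a check, the following Python rejects passwords that fail the longer-than-14-characters, four-character-class rule from the defences list above and also flags the "dictionary word plus a few digits" shape that the hybrid attack targets; the word list, the digit-suffix limit and the function names are constructed for this example.

```python
import re
import string

# Constructed stand-in for a cracking dictionary; a real check loads a full
# word list. "intertainment" and "vnexperts" are in it because the report uses them.
WORDLIST = {"password", "administrator", "vnexperts", "intertainment",
            "welcome", "letmein", "dragon", "monkey"}
MIN_LENGTH = 15          # the report asks for more than 14 characters
MAX_SUFFIX_DIGITS = 4    # digit-suffix length assumed for the hybrid pattern

def hybrid_base(password):
    """Return the dictionary word a hybrid attack would recover from a password
    shaped as word (any capitalisation) + up to MAX_SUFFIX_DIGITS digits, else ''."""
    m = re.fullmatch(r"([A-Za-z]+)(\d{0,%d})" % MAX_SUFFIX_DIGITS, password)
    if m and m.group(1).lower() in WORDLIST:
        return m.group(1).lower()
    return ""

def check_password(password):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in string.punctuation for c in password),
    }
    for name, present in classes.items():
        if not present:
            problems.append(f"no {name} character")
    base = hybrid_base(password)
    if base:
        problems.append(f"dictionary word '{base}' with at most "
                        f"{MAX_SUFFIX_DIGITS} trailing digits")
    return problems

if __name__ == "__main__":
    # The two passwords the report discusses, plus one that passes the policy.
    for pw in ("vnexperts", "intertainment111", "Xk7#pqL2!mR9@vbN"):
        print(pw, "->", check_password(pw) or "ok")
```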