  1. Hands-On Network Security: Practical Tools & Methods
     Security Training Course
     Dr. Charles J. Antonelli
     The University of Michigan
     2012

  2. Hands-On Network Security Module 4 Password Strength & Cracking

  3. Roadmap
     • Password Authentication
     • How Passwords are Cracked
     • Countermeasures
     04/12 cja 2012 3

  4. Password Authentication

  5. Password Representations
     • UNIX
       - DES “Hashes”
       - Old technology, but still around
     • Linux
       - Hashes
       - Salted SHA-512, SHA-256, MD5, Blowfish
     • Mac OS X
       - Hashes
       - Salted SHA-1

  6. UNIX “Hash” Generation
     • Password length 8 characters or less
     • 7 bits of each character used to generate 56-bit key
     • Key used to encrypt a constant using a variation of the DES algorithm
     Example: MGoBlue1 → Key → DES′ encrypts Constant (0x00000000) → UNIX Hash zvktPWeeFzCVA

  7. UNIX “Hash” Considerations
     • It’s not a hash
     • Keyboard character set
       - Common alphanumeric set only
       - Character variations ≈ 126
     • Maximum entropy ≈ 6.3×10^16 passwords
     • Salted

  8. Linux Hash Generation
     • Hash the password
     • Store it
     Example: MGoBlue1 → SHA-512 → SHA-512 Hash
     $6$dmk52gd$TWOWIDs1q6/uZ.t49s.YkFQr3zeTGzrYwN33Ep2pdTKwHekN/O2hK0QuSTtUYNmS5Homqtp9lA/jf0hWRE7Bb/

  9. Linux Hash Considerations
     • Keyboard character set
       - Common alphanumeric set only
       - Character variations ≈ 126
     • Maximum length = 256 characters
     • Entropy for 256-character password ≈ 4.9×10^538
     • Entropy for 20-character password from 126 character set ≈ 1.0×10^42
     • Entropy for 20-character password from 69 “keyboard” character set ≈ 6.0×10^36
     • Salted

  10. Linux Passwords
     • Passwords stored in /etc/shadow
       - readable only by root
     • Other per-user information stored in /etc/passwd
       - world readable
     • UNIX stored both in /etc/passwd!

  11. Linux Hashes
     • Several hashes available
     • Use SHA-512!
       ID    Method
       $1$   MD5
       $2a$  Blowfish (some distros)
       $5$   SHA-256
       $6$   SHA-512 (default)

  12. SHA-3 Hash Contest Update
     • MD5 broken, SHA-1&2 suspect
     • NIST competition for a SHA-3
       - Timeframe 2008-2012
       - 51 candidates submitted for Round 1
       - 14 candidates in Round 2
         BLAKE, Blue Midnight Wish, CubeHash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, and Skein
       - Final candidates announced December 10, 2010
         BLAKE, Grøstl, JH, Keccak, and Skein
       - Final SHA-3 candidate conference held March 2012
         http://csrc.nist.gov/groups/ST/hash/sha-3/Round3/March2012/index.html
       - SHA-3 standard to be published 2012

  13. Choosing A Password
     • Good
       - Pass phrases (much longer than 8 characters)
       - miX cAsE
       - digits/punctuation
       - control characters
       - easy to remember
       - no words in any language
     • Bad
       - people’s names
       - dictionary/technical words or phrases
       - birth dates
       - places
       - common acronyms
       - backwards spelling
       - simple permutations
       - 8 characters or less

  14. Choosing A Password 2012
     • Good
       - Pass phrases (much longer than 8 characters)
     • Bad
       - Everything else

  15. How Passwords are Cracked

  16. Passive Online Attacks
     Man-in-the-Middle and Replay Attacks
     • Somehow get access to communications channel
     • Wait for authentication sequence
     • Proxy authentication-traffic
     • No need to brute-force
     • Considerations
       - Relatively hard to perpetrate
       - Must be trusted by one or both sides
       - Some tools widely available
       - Anyone remember MarketScore?

  17. Active Online Attacks
     Password guessing
     • Try different passwords until one works
     • Made easier by
       - Bad passwords
       - Excessive information from server
       - Lack of password guessing controls
     • Considerations
       - Assuming good passwords, is this even feasible?
         Common 8 character password space (69^8)
         Password expires in 90 days
         Need to guess 3,964,493,629 pwds/sec
         Need throughput of 253,727,592,310 bits/sec
         Gigabit Ethernet = 1B bits/sec
       - Easily detected and stopped
       - Core problem: Bad passwords
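The keyspace figures on slides 7 and 9 and the online-guessing feasibility argument on slide 17 are plain arithmetic, and it is worth being able to redo it for your own character sets, lengths and expiration windows. The following is an added example, not code from the course; the character-set sizes (69 and 126) and the 8-bit-per-character payload estimate are the slide's, and the 90-day window is converted to seconds here. One check it surfaces: the slide's 3,964,493,629 guesses/sec is 69^8 divided by 129,600, which is 90 days counted in minutes; in seconds the required rate is about 66 million guesses/sec, which at 64 bits per guess still needs over 4 Gbit/s, so the slide's conclusion that exhaustive online guessing exceeds a gigabit link stands.

```python
import math

# Character-set sizes quoted on the slides (slides 7, 9 and 17).
KEYBOARD_SET = 69        # the 69-character "keyboard" set
COMMON_SET = 126         # the ~126 "character variations" of the common alphanumeric set
GIGABIT_ETHERNET_BPS = 1_000_000_000


def keyspace(charset_size: int, length: int) -> int:
    """Exact number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def log10_keyspace(charset_size: int, length: int) -> float:
    """log10 of the keyspace; handy for lengths whose keyspace is unwieldy to print."""
    return length * math.log10(charset_size)


def required_guess_rate(space: int, window_days: int) -> float:
    """Guesses per second needed to exhaust `space` before the password expires."""
    seconds = window_days * 24 * 60 * 60
    return space / seconds


def required_bandwidth_bps(guess_rate: float, password_length: int, bits_per_char: int = 8) -> float:
    """Link capacity needed to deliver the guesses (password bytes only, no protocol overhead)."""
    return guess_rate * password_length * bits_per_char


def exhaustive_online_guessing_feasible(charset_size: int, length: int, window_days: int,
                                        link_bps: int = GIGABIT_ETHERNET_BPS) -> bool:
    """True if every guess in the keyspace fits through the link within the password lifetime."""
    rate = required_guess_rate(keyspace(charset_size, length), window_days)
    return required_bandwidth_bps(rate, length) <= link_bps


if __name__ == "__main__":
    for label, cs, n in [("126-char set, 8 chars (UNIX DES)", COMMON_SET, 8),
                         ("126-char set, 20 chars", COMMON_SET, 20),
                         ("69-char keyboard set, 20 chars", KEYBOARD_SET, 20),
                         ("126-char set, 256 chars", COMMON_SET, 256)]:
        print(f"{label:36s} ~10^{log10_keyspace(cs, n):.1f}")
    rate = required_guess_rate(keyspace(KEYBOARD_SET, 8), 90)
    print(f"69^8 in 90 days: {rate:,.0f} guesses/s, "
          f"{required_bandwidth_bps(rate, 8):,.0f} bits/s, "
          f"feasible on gigabit: {exhaustive_online_guessing_feasible(KEYBOARD_SET, 8, 90)}")
```

The bandwidth estimate counts only the password bytes, so it is a lower bound; real authentication traffic adds protocol overhead and round trips, and any lockout or rate-limiting control on the server ends the exercise long before the link becomes the constraint.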

  18. Offline Attacks
     • Attacker has password database
       - Not that hard: Need to be admin (or steal the box)
     • Can attack at leisure – Attack types:
       - Dictionary attack
         Very fast
         Core problem: Bad passwords
       - Brute force attack
         AlphaNumerics, then AlphaNumerics + Upper Row Symbols, etc.
         Slow, but will eventually find all passwords
       - Hybrid
         Start with dictionary, insert entropy
       - Pre-computed hashes
         Rainbow tables
         Time-space tradeoff
     • Considerations
       - Moore’s law

  19. John the Ripper
     • http://www.openwall.com/john/
     • Fast, open-source password cracker
       - Created by Solar Designer
       - Active development group
     • Runs on Linux, Mac OS X, Solaris, Android, …
     • Handles DES, BSDI DES, FreeBSD MD5, OpenBSD Blowfish, Kerberos AFS DES, and LM DES hashes
     • Runs well on HPC clusters using OpenMP
     • No GPU support yet
       - But see http://www.elcomsoft.com/edpr.html?r1=Openwall

  20. Lab: Crack Passwords
     1. Install John the Ripper
        cd; tar zxf /usr/local/lab/john/john-1.7.9.tar.gz; cd ~/john-1.7.9/doc
        Follow directions in INSTALL & README
     2. Create test account with a weak password using MD5 hashing
        sudo vi /etc/pam.d/system-auth
        Change string sha512 to md5 in third paragraph
        sudo useradd sucker
        sudo passwd sucker
     3. Undo the change to system-auth you made in step 2.
     4. Create test account with a weak password using SHA-512 hashing
        sudo useradd trout
        sudo passwd trout
     5. Obtain password hashes
        cd ~/john-1.7.9/run; sudo ./unshadow /etc/passwd /etc/shadow >passwd.1
     6. Crack
        ./john passwd.1

  21. Lab: Crack Passwords
     • You can interrupt at any time, and restart with
       ./john --restore
     • If you want to start over
       rm john.pot restore
     • To display all passwords found so far
       ./john --show /tmp/passwd.1
     • To see how fast John is on your machine
       ./john --test
     • When done, delete the test accounts and the local password and crack files!
       sudo userdel sucker; sudo userdel trout
       /bin/rm ~/john-1.7.9/run/{john.pot,passwd.1}

  22. Rainbow Tables
     • What if you precomputed the password hashes?
       - All Windows LM Hashes: 166 Terabytes
       - All Windows NT Hashes < 15 chars: 140,959,235,198 Exabytes
     • This would result in faster cracking, at the cost of storing all those hashes
       - This is the Time-Memory tradeoff
       - Implemented using hash chains
         Clever way to link the hashes into chains
         Only store 1 in 10,000 hashes
     • Rainbow tables improve on hash chains
       - Reduce collisions (overlapping chains)
     • Ineffective against salted hashes
       - Unix, Linux, and Mac OS X hashes are salted
       - Windows NT hashes are not
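Why salting (slides 8 and 11) defeats precomputation (slide 22) is easy to show in a few lines. The following is an added example, not code from the course: it parses the `$id$salt$hash` layout of the slide's Linux hash table, builds a tiny precomputed hash-to-password table over a constructed wordlist (a full dictionary table, not a chain-compressed rainbow table, but the lookup step is the same), and then looks up the same password hashed with and without a salt. The salted construction is a simplified stand-in using plain SHA-512 over salt plus password; real sha512crypt iterates thousands of rounds with a different mixing scheme, but the property that matters here, that the salt changes the digest, is the same. The salt `dmk52gd` and password `MGoBlue1` are the slide's; the wordlist is constructed.

```python
import hashlib

# $id$ prefixes from the slide's table of Linux hash methods (slide 11).
CRYPT_METHODS = {"1": "MD5", "2a": "Blowfish", "5": "SHA-256", "6": "SHA-512"}


def parse_crypt_field(field: str):
    """Split a shadow-style "$id$salt$hash" field into (method name, salt, hash)."""
    parts = field.split("$")
    if len(parts) != 4 or parts[0] != "":
        raise ValueError("expected the form $id$salt$hash")
    _, ident, salt, digest = parts
    if ident not in CRYPT_METHODS:
        raise ValueError(f"unknown method id ${ident}$")
    return CRYPT_METHODS[ident], salt, digest


def unsalted_hash(password: str) -> str:
    """Unsalted (Windows-NT-style): the digest depends on the password alone."""
    return hashlib.sha512(password.encode()).hexdigest()


def salted_hash(password: str, salt: str) -> str:
    """Simplified salted stand-in (NOT sha512crypt): the salt is mixed into the input,
    so the same password yields a different digest under every salt."""
    return hashlib.sha512((salt + "$" + password).encode()).hexdigest()


def build_precomputed_table(wordlist):
    """Hash every candidate once up front; each stolen hash is then one dictionary lookup.
    This is the time-memory tradeoff the slide describes (a rainbow table stores far less)."""
    return {unsalted_hash(w): w for w in wordlist}


def recover(table, digest):
    """Return the password for a digest if it was precomputed, else None."""
    return table.get(digest)


# Constructed wordlist for the demonstration; "MGoBlue1" is the slide's example password.
CONSTRUCTED_WORDLIST = ["password", "MGoBlue1", "letmein", "GoBlue2012"]


def demo():
    """Same password, same precomputed table: the unsalted digest is found,
    the salted digest is not."""
    table = build_precomputed_table(CONSTRUCTED_WORDLIST)
    unsalted_hit = recover(table, unsalted_hash("MGoBlue1"))
    salted_hit = recover(table, salted_hash("MGoBlue1", "dmk52gd"))
    return unsalted_hit, salted_hit


def tables_needed(salt_alphabet: int, salt_length: int) -> int:
    """A precomputed table is only valid for one salt value, so covering every
    possible salt multiplies the storage by the number of salts."""
    return salt_alphabet ** salt_length


if __name__ == "__main__":
    print(parse_crypt_field("$6$dmk52gd$TWOWIDs1q6"))
    print(demo())
    # sha512crypt salts are up to 16 characters from a 64-character alphabet.
    print(f"tables needed for a 16-char sha512crypt salt: 2^{tables_needed(64, 16).bit_length() - 1}")
```

The last line makes the slide's "ineffective against salted hashes" quantitative: with a 16-character salt from a 64-character alphabet, one precomputed table would have to be rebuilt 2^96 times to cover every salt, which is why attackers on salted hashes fall back to per-hash dictionary and brute-force runs like the John lab above.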

  23. Rainbow Tables
     • http://ophcrack.sourceforge.net/
       - Windows password cracker that uses rainbow tables
       - Cracks LM and NT hashes
       - Live CD support
       - Free tables for Windows XP and Vista (dictionary based)
       - For-fee tables for Vista (NTLM)
       - Seems to be moribund
     • http://www.freerainbowtables.com/
       - “Folding@home” distributed cracking model
       - Terabytes of tables
       - Free tables
       - For-fee tables
       - Seems to be quite active

  24. Countermeasures

  25. Policy-Based Mitigation
     • Develop a password policy
       - Require pass phrases
       - Greater than 15 mixed characters
       - Password expiration for all accounts
       - No password reuse (temporal and spatial)
       - Account lockout (where appropriate)
     • Physical security policy
       - Cornerstone for any security
       - No physical security = no security
     • No policy = no enforcement

  26. Pass Phrases v. Passwords
     • Pass phrases are long strings
       - “I wish we’d use 2Factor authentication instead of passwords”
       - Very strong protection against attacks
       - Easy to remember, a bit longer to type
     • Passwords are short complex strings
       - “@Rag0Rnrul3z”
       - Hard to remember
       - Often difficult to type
       - Not resistant against current attacks
       - Obvious substitutions are quickly broken
     • Take-away: Long easily-remembered phrases are better than short complex passwords
       http://xkcd.com/936/
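The policy on slide 25 (pass phrases, more than 15 mixed characters, no reuse) and the two examples on slide 26 can be turned into an enforceable check. The following is an added example, not code from the course: "mixed" is read here as at least two character classes, which is an assumption, and the reuse check keeps the history as salted PBKDF2 digests rather than plaintext so that the history file is not itself a password list. Run against the slide's two strings, the pass phrase passes and the short complex password fails on length only.

```python
import hashlib
import hmac
import secrets
import string

MIN_LENGTH = 16            # slide 25: "greater than 15 mixed characters"
MIN_CLASSES = 2            # "mixed" read as at least two character classes (assumption)
PBKDF2_ROUNDS = 100_000    # work factor for the stored history entries


def character_classes(candidate: str) -> set:
    """Which of lower / upper / digit / other appear in the candidate."""
    classes = set()
    for ch in candidate:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch.isspace() or ch in string.punctuation:
            classes.add("other")
    return classes


def history_entry(password: str) -> str:
    """Record a previous password as 'salthex$digesthex' (salted PBKDF2-HMAC-SHA256)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def matches_entry(password: str, entry: str) -> bool:
    """Constant-time comparison of a candidate against one stored history entry."""
    salt_hex, digest_hex = entry.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def check_policy(candidate: str, history: list) -> list:
    """Return the list of policy violations; an empty list means the candidate is acceptable."""
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_classes(candidate)) < MIN_CLASSES:
        violations.append("not mixed: only one character class")
    if any(matches_entry(candidate, entry) for entry in history):
        violations.append("reuse of a previous password")
    return violations


def demo():
    """Temporal reuse: the old phrase is rejected, a changed one is accepted."""
    old = history_entry("correct horse battery staple")
    return (check_policy("correct horse battery staple", [old]),
            check_policy("correct horse battery stable", [old]))


if __name__ == "__main__":
    for pw in ["I wish we'd use 2Factor authentication instead of passwords", "@Rag0Rnrul3z"]:
        print(repr(pw), "->", check_policy(pw, []) or "OK")
    print(demo())
```

The "spatial" half of the slide's no-reuse rule (the same password on several systems) cannot be checked by one system's history alone; it needs either a shared credential service or, as slide 27 suggests, replacing the password with a second factor.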

  27. Technology-Based Mitigation
     Multi-factor authentication
     • Why use passwords at all?
     • Smart cards
       - Two-factor authentication
       - Very difficult to thwart
       - High cost of initial deployment
         Smart cards, tokens, readers, software, …
       - Long-term cost benefit
       - Idea: use your smartphone as your token
         http://www.duosecurity.com/

  28. Technology-Based Mitigation
     Multi-factor authentication
     • Biometrics
       - Measure some physical characteristic
         Fingerprint, iris color distribution, retinal pattern, …
       - Usually defeated with non-technical attacks
       - Historically unreliable
         False positives - bad guy authenticated
         False negatives - legitimate user refused
       - Can be stolen
       - Iris scanners popular
     Courtesy Wikipedia

  29. Summary
     • Bad passwords get broken, even when using good storage and authentication methods!
     • Solutions
       1. Use better passwords
       2. Don’t let bad guys get the hashes
     • Combination of policy and technology
