Hands-On Network Security: Practical Tools & Methods Security Training Course Dr. Charles J. Antonelli The University of Michigan 2012
Hands-On Network Security Module 4 Password Strength & Cracking
Roadmap • Password Authentication • How Passwords are Cracked • Countermeasures 04/12 cja 2012 3
Password Authentication
Password Representations • UNIX DES “ Hashes ” Old technology, but still around • Linux Hashes Salted SHA-512, SHA-256, MD5, Blowfish • Mac OS X Hashes Salted SHA-1 04/12 cja 2012 5
UNIX “ Hash ” Generation • Password length 8 characters or less • 7 bits of each character used to generate 56-bit key • Key used to encrypt a constant using a variation of the DES algorithm MGoBlue1 Key DES ’ Constant (0x00000000) UNIX Hash zvktPWeeFzCVA 04/12 cja 2012 6
UNIX “ Hash ” Considerations • It’s not a hash • Keyboard character set Common alphanumeric set only Character variations ≈ 126 • Maximum entropy ≈ 6.3*10 16 passwords • Salted 04/12 cja 2012 7
Linux Hash Generation • Hash the password • Store it MGoBlue1 SHA-512 SHA-512 Hash $6$dmk52gd$TWOWIDs1q6/uZ.t49s.YkFQr3zeTGzrYwN33Ep2pdTKw � HekN/O2hK0QuSTtUYNmS5Homqtp9lA/jf0hWRE7Bb/ � 04/12 cja 2012 8
Linux Hash Considerations • Keyboard character set Common alphanumeric set only Character variations ≈ 126 • Maximum length = 256 characters • Entropy for 256-character password ≈ 4.9*10 538 • Entropy for 20-character password from 126 character set ≈ 1.0*10 42 • Entropy for 20-character password from 69 “ keyboard ” character set ≈ 6.0*10 36 • Salted 04/12 cja 2012 9
Linux Passwords • Passwords stored in /etc/shadow readable only by root • Other per-user information stored in /etc/passwd world readable • UNIX stored both in /etc/passwd ! 04/12 cja 2012 10
Linux Hashes • Several hashes available • Use SHA-512! ID Method $1$ MD5 $2a$ Blowfish (some distros) $5$ SHA-256 $6$ SHA-512 (default) 04/12 cja 2012 11
SHA-3 Hash Contest Update • MD5 broken, SHA-1&2 suspect • NIST competition for a SHA-3 Timeframe 2008-2012 51 candidates submitted for Round 1 14 candidates in Round 2 BLAKE, Blue Midnight Wish, CubeHash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, and Skein Final candidates announced December 10, 2010 BLAKE, Grøstl, JH, Keccak, and Skein Final SHA-3 candidate conference held March 2012 http://csrc.nist.gov/groups/ST/hash/sha-3/Round3/March2012/index.html SHA-3 standard to be published 2012 04/12 cja 2012 12
Choosing A Password • Good • Bad Pass phrases (much people ’ s names longer than 8 dictionary/technical characters) words or phrases miX cAsE birth dates places digits/punctuation common acronyms control characters backwards spelling easy to remember simple permutations no words in any 8 characters or less language 04/12 cja 2012 13
Choosing A Password 2012 • Good • Bad Pass phrases (much Everything else longer than 8 characters) 04/12 cja 2012 14
How Passwords are Cracked
Passive Online Attacks Man-in-the-Middle and Replay Attacks • Somehow get access to communications channel • Wait for authentication sequence • Proxy authentication-traffic • No need to brute-force • Considerations Relatively hard to perpetrate Must be trusted by one or both sides Some tools widely available Anyone remember MarketScore? 04/12 cja 2012 16
Active Online Attacks Password guessing • Try different passwords until one works • Made easier by Bad passwords Excessive information from server Lack of password guessing controls • Considerations Assuming good passwords, is this even feasible? Common 8 character password space (69^8) Password Expires in 90 days Need to guess 3,964,493,629 pwds/sec Need throughput of 253,727,592,310 bits/sec Gigabit Ethernet = 1B bits/sec Easily detected and stopped Core problem: Bad passwords 04/12 cja 2012 17
Offline Attacks • Attacker has password database Not that hard: Need to be admin (or steal the box) • Can attack at leisure – Attack types: Dictionary attack Very Fast Core Problem: Bad Passwords Brute Force attack AlphaNumerics then AlphaNumerics + Upper Row Symbol, etc Slow, but will eventually find all passwords Hybrid Start with Dictionary, Insert Entropy Pre-computed Hashes Rainbow tables Time-space tradeoff • Considerations Moore ’ s law 04/12 cja 2012 18
John the Ripper • http://www.openwall.com/john/ • Fast, open-source password cracker Created by Solar Designer Active development group • Runs on Linux, Mac OS X, Solaris, Android, … • Handles DES, BSDI DES, FreeBSD MD5, OpenBSD Blowfish, Kerberos AFS DES, and LM DES hashes • Runs well on HPC clusters using Open MP • No GPU support yet But see http://www.elcomsoft.com/edpr.html?r1=Openwall 04/12 cja 2012 19
Lab: Crack Passwords 1. Install John the Ripper cd; tar zxf /usr/local/lab/john/john-1.7.9.tar.gz; cd ~/john-1.7.9/doc Follow directions in INSTALL & README 2. Create test account with a weak password using MD5 hashing sudo vi /etc/pam.d/system-auth Change string sha512 to md5 in third paragraph sudo useradd sucker sudo passwd sucker 3. Undo the change to system-auth you made in step 2. 4. Create test account with a weak password using SHA-512 hashing sudo useradd trout sudo passwd trout 5. Obtain password hashes cd ~/john-1.7.9/run; sudo ./unshadow /etc/passwd /etc/shadow >passwd.1 6. Crack ./john passwd.1 04/12 cja 2012 20
Lab: Crack Passwords • You can interrupt at any time, and restart with ./john –restore • If you want to start over rm john.pot restore • To display all passwords found so far ./john --show /tmp/passwd.1 • To see how fast John is on your machine ./john --test • When done, delete the test accounts and the local password and crack files! sudo userdel sucker; sudo userdel trout /bin/rm ~/john-1.7.9/run/{john.pot,passwd.1} 04/12 cja 2012 21
Rainbow Tables • What if you precomputed the password hashes? All Windows LM Hashes: 166 Terabytes All Windows NT Hashes < 15 chars: 140,959,235,198 Exabytes • This would result in faster cracking, at the cost of storing all those hashes This is the Time-Memory tradeoff Implemented using hash chains Clever way to link the hashes into chains Only store 1 in 10,000 hashes • Rainbow tables improve on hash chains Reduce collisions (overlapping chains) • Ineffective against salted hashes Unix, Linux, and Mac OS X hashes are salted Windows NT hashes are not 04/12 cja 2012 22
Rainbow Tables • http://ophcrack.sourceforge.net/ Windows password cracker that uses rainbow tables Cracks LM and NT hashes Live CD support Free tables for Windows XP and Vista (dictionary based) For-fee tables for Vista (NTLM) Seems to be moribund • http://www.freerainbowtables.com/ “Folding@home” distributed cracking model Terabytes of tables Free tables For-fee tables Seems to be quite active 04/12 cja 2012 23
Countermeasures
Policy-Based Mitigation • Develop a password policy Require pass phrases Greater than 15 mixed characters Password expiration for all accounts No password reuse (temporal and spatial) Account lockout (where appropriate) • Physical security policy Cornerstone for any security No physical security = no security • No policy = no enforcement 04/12 cja 2012 25
Pass Phrases v. Passwords • Pass phrases are long strings “ I wish we’d use 2Factor authentication instead of passwords ” Very strong protection against attacks Easy to remember, a bit longer to type • Passwords are short complex strings “ @Rag0Rnrul3z ” Hard to remember Often difficult to type Not resistant against current attacks Obvious substitutions are quickly broken • Take-away: Long easily-remembered phrases are better than short complex passwords http://xkcd.com/936/ 04/12 cja 2012 26
Technology-Based Mitigation Multi-factor authentication • Why use passwords at all? • Smart cards Two-factor authentication Very difficult to thwart High cost of initial deployment Smart cards, tokens, readers, software, … Long-term cost benefit Idea: use your smartphone as your token http://www.duosecurity.com/ 04/12 cja 2012 27
Technology-Based Mitigation Multi-factor authentication • Biometrics Measure some physical characteristic Fingerprint, iris color distribution, retinal pattern, … Usually defeated with non-technical attacks Historically unreliable False positives - bad guy authenticated False negatives - legitimate user refused Can be stolen Iris scanners popular Courtesy WIkipedia 04/12 cja 2012 28
Summary • Bad passwords get broken, even when using good storage and authentication methods! • Solutions 1. Use better passwords 2. Don ’ t let bad guys get the hashes • Combination of policy and technology 04/12 cja 2012 29
Recommend
More recommend