Brute Force Password Cracking and its Role in Penetration Testing Andrew Keener and Uche Iheadindu

Post on 01-Jan-2016



Background

A cryptographic hash function is an algorithm that takes an arbitrary block of data and returns a fixed-size bit string, the (cryptographic) hash value.

Cryptographic hash functions are used to protect stored passwords in many corporations: the password is hashed rather than encrypted, so the stored value cannot be directly reversed to recover it.

Password strength can be a key vulnerability in large corporations without proper policies on password security.

Password Security in Relation to Penetration testing

Penetration testing involves trying to take control over systems and obtain data.

One of the ways this is accomplished is by exploiting weak password schemes.

If password auditing is not a part of penetration testing, you leave yourself open to the likelihood of a breach.

Password Cracking: What are we trying to prevent?

There are several methods for password cracking available.

Brute-force cracking: a computer tries every possible key or password until it succeeds.

Dictionary attacks, pattern checking, word-list substitution, etc. attempt to reduce the number of trials required and will usually be attempted before brute force.

Password length and relative security

Focus of this presentation: Brute Force

http://hashsuite.openwall.net

- Hash Suite demo

http://www.golubev.com/blog

- ighashgpu

Another good open source program: HashCat (HashCat.net)

GPU vs CPU hashing comparison

Laptop (AMD A8-3400M, 4 cores): averages about 100 million passwords per second (6-character passwords).

Desktop (GPU: ATI Radeon HD 5970, 40 cores): averages about 2.2 billion passwords per second (7-character passwords).

This is why current recommendations call for passwords of no less than 12 characters drawn from uppercase, lowercase, digits, and special characters.
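The arithmetic behind those rates and the 12-character recommendation, as an added worked example that is not part of the original slides: it computes the keyspace for a given length and character set, the worst-case time to exhaust it at the two rates quoted above, and the minimum length at which exhaustion at a given rate would take at least ten years. The character-class sizes (printable ASCII: 26 lowercase, 26 uppercase, 10 digits, 33 specials) and the ten-year target are assumptions.

```python
"""Keyspace arithmetic behind the 'no less than 12 characters' recommendation.

Rates are the ones quoted on the slides; character-class sizes are assumed
(printable ASCII: 26 lower, 26 upper, 10 digits, 33 punctuation/symbols).
"""

YEAR_SECONDS = 365.25 * 24 * 3600

# Guesses per second quoted on the slides.
RATES = {
    "laptop CPU (AMD A8-3400M)": 100_000_000,
    "desktop GPU (Radeon HD 5970)": 2_200_000_000,
}

# Assumed character-class sizes.
CHARSETS = {
    "lowercase only": 26,
    "lower + upper + digits": 62,
    "lower + upper + digits + special": 95,
}

def keyspace(length: int, charset_size: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return charset_size ** length

def seconds_to_exhaust(length: int, charset_size: int, rate: float) -> float:
    """Worst case for exhaustive search: every candidate hashed once.
    On average the password is found after half this many guesses."""
    return keyspace(length, charset_size) / rate

def min_length_for(charset_size: int, rate: float, target_seconds: float) -> int:
    """Smallest length whose full keyspace takes at least `target_seconds`
    to exhaust at `rate` guesses per second."""
    length = 1
    while seconds_to_exhaust(length, charset_size, rate) < target_seconds:
        length += 1
    return length

def human(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    if seconds < 60:
        return f"{seconds:.1f} s"
    if seconds < YEAR_SECONDS:
        return f"{seconds / 3600:.1f} h"
    return f"{seconds / YEAR_SECONDS:,.0f} years"

if __name__ == "__main__":
    for name, rate in RATES.items():
        print(f"== {name}: {rate:,} guesses/s ==")
        for cs_name, cs in CHARSETS.items():
            for length in (6, 7, 8, 12):
                print(f"  {cs_name:34} len {length:2}: "
                      f"{human(seconds_to_exhaust(length, cs, rate))}")
            n = min_length_for(cs, rate, 10 * YEAR_SECONDS)
            print(f"  {cs_name:34} needs >= {n} chars to resist 10 years of search")
```

Run stand-alone, it prints how a 6-character lowercase password falls in seconds on the laptop while a 12-character full-charset one would take millions of years on the GPU, and that 10 full-charset characters already push a single-GPU exhaustive search past ten years at the quoted rate.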

Questions?
