Upload File

Download - Modern Network Security Prac3ces: Using Rainbow Tables to ...rainbow tables to crack passwords/ensure password compliance is discussed and specific examples are provided within this

Transcript
Page 1: Modern Network Security Prac3ces: Using Rainbow Tables to ...rainbow tables to crack passwords/ensure password compliance is discussed and specific examples are provided within this

ModernNetworkSecurityPrac3ces:UsingRainbowTablestoSolveanOrganiza3onalIssueChristopherMcMahonandXiaowenZhang,Ph.D.DepartmentofComputerScience,CollegeofStatenIsland,CityUniversityofNewYork

TheAbstractThepurposeofthiscasestudyanalysisistoexamineanon-tradiDonalmethodofidenDfyingweakpasswordswithinalargehospitalorganizaDon.Theprocessofusingrainbowtablestocrackpasswords/ensurepasswordcomplianceisdiscussedandspecificexamplesareprovidedwithinthispaper.ThisprocessemphasizesthenoDonthatnetworksecurity-relatedproblemstendtobeorganizaDon-specificandrequirecreaDveapproaches.ThegoalistoestablishapracDcaluseforrainbowtableswithinanorganizaDonasameansofenhancingnetworksecurity.

WhatareRainbowTables? TheResults

TheProblemArecentproblemofalargeNorthAmericanhospital:•  Theirnetworksecurityteamisunabletomandate

regularpasswordchangesbecauseofthelarge,diversepopulaDonofcloseto12,000users.

•  ManyusersinpaDentcareneverdirectlylogintoacomputer,onlyloggingintotheirapplicaDons,rarelycheckingtheire-mailaccounts,andwouldnotknowiftheirpasswordhadexpired..

•  PasswordcomplexitywasnotarequirementaddedunDl2010.Thismeantthatpasswordssetbefore2010hadnorestricDonsonlengthorcharactertypes.

•  SincepasswordsarestoredashasheswithaconstantlengthinAcDveDirectory,itisimpossibletoeasilydeterminewhetherapasswordmeetsthecurrentcomplexityrequirements.

Thisresultedinanunknownamount,possiblythousands,ofpasswordsthatwerenotcomplianttocurrentcomplexityrequirements.Toaddressthisissue,theideawasproposedtouseRainbowTablestoidenDfywhichpasswordswerenoncompliant.

TheMethod

18.77%

81.23%

Totalnumberofpasswordhashes:11980·Numberofpasswordscracked:2249·Numberofpasswordsuncracked:9731

PasswordlengthofcrackedhashesLength Count7characters 1961

6characters 136

5characters 131

4characters 20

3characters 1

Theresultsoftheprojectledtothefollowingchanges:•  ThehelpdeskwasnoDfiedtoresetnon-compliant

passwordsandcontactoffendingusers.•  KerberosbecametherequiredauthenDcaDonprotocol.•  LM(AnoutdatedhashingfuncDon)passwordhashesareno

longerstoredinAcDveDirectory.•  Fine-grainpasswordpolicieswereputinplacetoensure

strongerpasswordcomplexityforAdministratoraccounts.

ArainbowtableisatypeofhashlookuptableuDlizingTMTO(Time-MemoryTrade-Offaback)generatedtoreversecryptographichashfuncDonsasameanstocrackpasswordhashes.Itiscompromisedofrainbowchains,whichstartswithaplaintextpasswordandusesalternaDnghashandreducDonfuncDons.Everythingisthenthrownawayexceptforthefirstinputandthelasthash.

Whencrackingapassword,thesechainsarethenregeneratedunDlthehashisfound.ThisgreatlyimprovesstorageefficiencyoveraregularpasswordandhashtablebutrequiresmoreDmetoperformthehashlookup.

RainbowChainExample

TheproductusediscalledRainbowCrack(hbp://project-rainbowcrack.com).ItisafullsuiteoftoolsforgeneraDon,sorDng,andmergingofrainbowtables,aswellasalookuptoolforpasswordsinsideofthetables.Theprocessforthisprojectwasasfollows:•  GeneraDngthetableswithrtgen.Forthisproject,we

generated50tablesofallpasswords7charactersorless.•  SorDngthetablesusingrtsort.Thissortseachtableby

endpointofeachrainbowchaintomakebinarysearchpossible.

•  ExtractalluseraccountsandpasswordhashesfromAcDveDirectory.ThiswasaccomplishedbyusingaPowerShellscriptuDlizingDSInternalsPowerShellmodule.(hbps://github.com/MichaelGrafneber/DSInternals)

•  Runacomparisonofextractedpasswordhashesagainstthegeneratedrainbowtablesusingrcrack.

Top Related

Mastering the Medium: Best Prac3ces in Immersive Mobile Qual
Mastering the Medium: Best Prac3ces in Immersive Mobile Qual
Rainbow Tables para revisiones de seguridad - owasp.org · PDF fileQuien soy? Consultor en Seguridad Informática. Integrante del OWASP capítulo Uruguay. malonzo@tib.com.uy Maximiliano
Rainbow Tables para revisiones de seguridad - owasp.org · PDF fileQuien soy? Consultor en Seguridad Informática. Integrante del OWASP capítulo Uruguay. [email protected] Maximiliano
Microsoft Azureflipbooks.azurewebsites.net/flipbooks/kw7feb.pdf · RAINBOW RAINBOW RAINBOW RAINBOW RAINBOW RAINBOW RAINBOW RAINBOW RAINBOW PCS KD. 69 RAINBOW RAINBOW RAINBOW KD. Original
Microsoft Azureflipbooks.azurewebsites.net/flipbooks/kw7feb.pdf · RAINBOW RAINBOW RAINBOW RAINBOW RAINBOW RAINBOW RAINBOW RAINBOW RAINBOW PCS KD. 69 RAINBOW RAINBOW RAINBOW KD. Original
How to Handle Rainbow Tables with External Memorypeople.irisa.fr/Barbara.Kordy/papers/ACISP17.pdf · How to Handle Rainbow Tables with External Memory Gildas Avoine 1 ;2 5, Xavier
How to Handle Rainbow Tables with External Memorypeople.irisa.fr/Barbara.Kordy/papers/ACISP17.pdf · How to Handle Rainbow Tables with External Memory Gildas Avoine 1 ;2 5, Xavier
Rainbow Tables - Barcamp Indonesia - Panggi Libersa
Rainbow Tables - Barcamp Indonesia - Panggi Libersa
Family!Caregiver! Community!of!Interest WebinarSeries ... · Promising)and)established) prac3ces)for)family)caregiver) engagement 1 Family!Caregiver! Community!of!Interest WebinarSeries!
Family!Caregiver! Community!of!Interest WebinarSeries ... · Promising)and)established) prac3ces)for)family)caregiver) engagement 1 Family!Caregiver! Community!of!Interest WebinarSeries!
FAHRGESCHÄFT »RAINBOW MILLENIUM« - Faller€¦ · FAHRGESCHÄFT »RAINBOW MILLENIUM« »RAINBOW MILLENIUM« AMUSEMENT PARK RIDE MANÈGE »RAINBOW MILLENIUM« KERMISATTRACTIE »RAINBOW
FAHRGESCHÄFT »RAINBOW MILLENIUM« - Faller€¦ · FAHRGESCHÄFT »RAINBOW MILLENIUM« »RAINBOW MILLENIUM« AMUSEMENT PARK RIDE MANÈGE »RAINBOW MILLENIUM« KERMISATTRACTIE »RAINBOW
Final rainbow june 2011 rainbow
Final rainbow june 2011 rainbow