Password cracking

IN5290 - Ethical Hacking

Bruvoll & Sørby

Department of Informatics

2018

Agenda

- About passwords

- Cracking passwords

About passwords

Passwords as authentication

Providing a user name and a password is still the most common way of logging on to computer systems.

This can be seen as a two-step process:

1. Identification: who you are (user name)

2. Authentication: proving that you are who you claim to be (password)

Other ways of authenticating

Passwords belong to one of three categories of user authentication:

- knowledge-based authentication: something you know
  - passwords, passphrases

- ownership-based authentication: something you have
  - tokens (BankID OTP calculators, YubiKeys)

- inherence-based authentication: something you are/do
  - biometrics (fingerprints, iris scan, ...)

Multi-factor authentication (MFA) requires the use of multiple authentication mechanisms, typically from two or more of the above categories. Two-factor authentication (2FA) is the most common type of MFA, combining two different mechanisms.

Cracking passwords

There are two major approaches for guessing passwords:

- Exhaustive search
  - Trying all possible combinations
  - Often called brute force

- Intelligent search
  - The idea is to reduce the search space
  - Guess based on personal information (names of friends, birthdays, ...)
  - Try generally popular passwords
  - Guess based on words in a dictionary (a dictionary attack)

Password strength

The strength of a truly random password is a function of the size of the set of symbols allowed in the password and the length of the password: with N symbols and length L there are N^L possible passwords, and an attacker who tries them all needs on average half of them before hitting the right one.

Example

How many passwords are possible when the set of symbols is all alphanumeric characters (upper and lower case) and the password length is 6?

The size of the set is 62 (A-Z, a-z, 0-9), and the number of possible passwords is:

62^6 = 56 800 235 584

Storing passwords

Storing passwords in cleartext is obviously a bad idea.

Storing passwords encrypted might seem like a good idea, but encryption is reversible by design:

- anyone with access to the keys and the encrypted passwords can recover every password and impersonate any user

- the keys must be protected from attackers, yet the system needs them at hand every time a user logs in

Storing the hash value of the password is the preferred method for storing passwords:

- the hash function is one-way: we cannot compute the password from the hash, only guess a candidate and check whether its hash matches

- similar passwords have totally different hashes

- the authentication function first computes the hash of the received password, then compares it against the stored hash value

- but there still are issues...

Lookup and Rainbow table attacks

What if the attacker precomputes and stores the hashes of probable passwords in a lookup table?

- Used to be infeasible due to the storage requirements.

A rainbow table is a precomputed table of passwords and their hashes, using clever methods (chains of hash and reduction functions) to trade storage space for a little extra computation at lookup time.

Using rainbow tables, the attacker can just look up the stored password hash in the table and get back the password. This works because an unsalted hash function gives the same hash for the same password on every system, so one table serves every dump the attacker gets hold of.

Salting the password

To defend against attacks using precomputed hash tables, we can salt the password.

- Prepend or append random data (salt) to the password before hashing it

- Store the salt together with the password hash

Now two instances of the same password will get different hashes, a table precomputed without the salt is useless, and the attacker will have to crack each and every password separately. The salt need not be secret, but it must be random and unique per password; reusing one salt for the whole system only moves the problem.

Example

  Password   Salt    Hashing function call   What is stored
  "secret"   None    sha1("secret")          e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4
  "secret"   "asdf"  sha1("asdfsecret")      ("asdf", aaba62303a3ec7983406aff8602ffbda9d346424)
  "secret"   "qwer"  sha1("qwersecret")      ("qwer", 038fbd19069cacc6865a66c25c0f39a663f70b8d)

Bruteforcing password hashes

Cryptographic hashes are designed to be fast to compute, and modern GPUs can compute billions of hashes per second.

Thus, slowing the attacker down becomes necessary.

This can be done by key stretching: making a weak key more secure against brute force attacks by increasing the time it takes to test each candidate key.

Some popular algorithms that use key stretching are PBKDF2 and bcrypt (and, more recently, scrypt and Argon2, which also demand memory to blunt the GPU advantage).

Simplistically, they do several rounds of hashing, using the output of one round as the input for the next, with the salt mixed in. The number of rounds is given as a parameter and should be tuned so that one verification costs tens of milliseconds on the server; today that means tens to hundreds of thousands of PBKDF2 iterations (bcrypt expresses its work factor as a base-2 logarithm of the round count). Legitimate users pay this cost once per login, the attacker pays it once per guess.
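
The following Python program is an added example, not from the lecture slides, that walks through the three storage schemes of the last four slides: it builds a lookup table over a small constructed wordlist and shows that the table recovers the unsalted sha1 of "secret" (the value in the salting table above) in one dictionary lookup, that the same table misses the salted variants so each salt forces a fresh search, and that a PBKDF2 work factor multiplies the cost of every guess. The wordlist, the salts and the iteration counts are chosen for illustration, and the store/verify functions are the example's own, not any real system's API.

```python
import hashlib
import hmac
import os
import time

# Constructed wordlist standing in for an attacker's list of probable passwords.
WORDLIST = ["123456", "password", "coffee", "secret", "qwerty", "letmein"]


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def build_lookup_table(words):
    """Lookup-table attack: precompute hash -> password once, for every probable password."""
    return {sha1_hex(w.encode()): w for w in words}


def lookup(table, stored_hash: str):
    """An unsalted hash falls to a single dictionary lookup; no per-user work at all."""
    return table.get(stored_hash)


def store_salted(password: str, salt: str):
    """The slides' convention: prepend the salt and store (salt, sha1(salt || password))."""
    return salt, sha1_hex((salt + password).encode())


def crack_salted(words, salt: str, stored_hash: str):
    """With a salt the precomputed table is useless: every guess must be rehashed per salt."""
    for w in words:
        if sha1_hex((salt + w).encode()) == stored_hash:
            return w
    return None


def store_stretched(password: str, iterations: int, salt: bytes = None):
    """Key stretching with PBKDF2-HMAC-SHA256; iterations is the tunable work factor."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, dk.hex()


def verify_stretched(password: str, record) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    salt, iterations, dk_hex = record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(dk.hex(), dk_hex)


def time_guesses(words, record) -> float:
    """Seconds needed to try the whole wordlist against one stretched record."""
    start = time.perf_counter()
    for w in words:
        verify_stretched(w, record)
    return time.perf_counter() - start


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted sha1('secret') =", sha1_hex(b"secret"))
    print("  lookup table recovers:", lookup(table, sha1_hex(b"secret")))
    for salt in ("asdf", "qwer"):
        _, h = store_salted("secret", salt)
        print(f"salted with {salt!r}: {h}")
        print("  lookup table recovers:", lookup(table, h),
              "| per-salt search recovers:", crack_salted(WORDLIST, salt, h))
    cheap = store_stretched("secret", 1)
    costly = store_stretched("secret", 200_000)
    print(f"{len(WORDLIST)} guesses take {time_guesses(WORDLIST, cheap):.5f}s at 1 iteration "
          f"and {time_guesses(WORDLIST, costly):.2f}s at 200000 iterations")
```

The salted rows print the same digests as the table above, which is a handy check that the slides prepend rather than append the salt. The timing line is the whole argument for key stretching in one number: the attacker's throughput drops by the iteration count while a single login stays well under a second.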

Password policies

Choosing good random passwords is hard, and analyses of password dumps have shown that people often do choose poor passwords.

Password policies try to mitigate this by setting rules for:

- password length and complexity
  - requiring a length of 8 or more
  - requiring both upper-case and lower-case letters, one or more numeric digits
  - requiring special characters, such as #, !, %, ;, ...

- password duration
  - changing every 180 days

- password history
  - remembering and denying the use of old passwords

- password blacklisting
  - passwords containing patterns such as "qwerty", "password" etc.
  - passwords containing the user's personal information

Password policies

Helping the user choose strong passwords is a good thing, but:

- remembering dozens of strong, random passwords doesn't scale

- users will be tempted to reuse their password on other systems

- users will be tempted to write down the password on a piece of paper

- the use of password managers can be problematic
  - does the password leave the organization?
  - what if the password manager gets compromised?

- users might create simple rules that technically follow the password policy, but make future passwords highly predictable given knowledge of the current one (forced rotation tends to produce exactly this, e.g. a suffix that is incremented at every change)

Passphrases

Passphrases can be a good alternative to traditional passwords, provided the words really are chosen randomly: k words drawn uniformly from a list of N words give N^k possibilities, so the list size and the word count play the roles the symbol set and the length play for passwords. A phrase the user composes from memory is not random, and wordlist attacks with rules for combining words find it.

Cracking passwords

Password cracking tools

Kali comes with several tools for password cracking:

- John the Ripper: multiple modes, customizable, easy to get running

- hashcat: multiple modes, can use GPUs for cracking

- Johnny: a GUI for John the Ripper

- RainbowCrack: for creating and using rainbow tables

Cracking with John the Ripper

We will be cracking passwords from a Linux system. On modern systems, the relevant information is stored in two files:

- /etc/passwd: stores user account information, but not the password hashes. Is world-readable, as many programs need data about user accounts.

- /etc/shadow: stores the password hashes and password meta-information. Can only be read by root (and by the shadow group on many distributions), so getting at it means you already have root or a way around the file permissions.

/etc/passwd

$ cat /etc/passwd
Ole:x:502:502::/home/Ole:/bin/bash
Dole:x:504:504::/home/Dole:/bin/bash

Contents of the file (seven colon-separated fields):

- User name: traditionally up to eight characters; modern Linux accepts up to 32

- Password: x means a shadow file is used for storing the password hash

- User ID (UID): user identifier for access control

- Group ID (GID): user's primary group

- ID string (GECOS): user's full name and other comments

- Home directory: location of the user's home directory

- Login shell: program started after successful log in

/etc/shadow

$ cat /etc/shadow
Ole:$1$zPawRL.R$l8n1emmkWk2QJB5FEPzxI1:14152:0:99999:7:::
Dole:$1$.L9uWK48$nwAScuNaqpNuicVdwGHx10:14152:0:99999:7:::

Contents of the file (nine colon-separated fields):

- username

- encrypted password, really a salted hash (an empty field means no password is required; * or ! means password login is disabled)

- date of the last password change, as days since 1970-01-01

- minimum number of days before the user may change the password again

- maximum number of days before the user is forced to change the password

- number of days before expiry that the user is warned

- number of days after expiry before the account is disabled (inactivity period)

- date the account expires, as days since 1970-01-01

- reserved

/etc/shadow

Ole:$1$zPawRL.R$l8n1emmkWk2QJB5FEPzxI1:14152:0:99999:7:::

The password is stored in the form $id$salt$hash, where id is the hashing algorithm used (1: MD5, 5: SHA-256, 6: SHA-512). These are the crypt(3) constructions (md5crypt, sha256crypt, sha512crypt): salted and iterated, so the hash field is not a plain MD5 or SHA digest of the password, and a cracking tool has to know which construction it is looking at. John detects this from the id by itself, as the "md5crypt" in its output below shows.

unshadow

John provides the unshadow command for combining the passwd and shadow files so John can use them. The GECOS, home directory and shell fields travel along, which matters because single mode derives its guesses from them.

$ unshadow passwd shadow > workfile
$ cat workfile
Ole:$1$zPawRL.R$l8n1emmkWk2QJB5FEPzxI1:502:502::/home/Ole:/bin/bash
Dole:$1$.L9uWK48$nwAScuNaqpNuicVdwGHx10:504:504::/home/Dole:/bin/bash
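
As an added example, not part of the slides, the following Python code parses the two records shown above in the /etc/passwd and /etc/shadow layouts (copied from the slides with the spaces inserted by text extraction removed), splits the $id$salt$hash field into its parts, and reproduces what unshadow does by putting the hash back into the passwd record. The dataclass and function names are the example's own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# The two records from the slides, with the extraction spaces removed.
PASSWD = """Ole:x:502:502::/home/Ole:/bin/bash
Dole:x:504:504::/home/Dole:/bin/bash
"""
SHADOW = """Ole:$1$zPawRL.R$l8n1emmkWk2QJB5FEPzxI1:14152:0:99999:7:::
Dole:$1$.L9uWK48$nwAScuNaqpNuicVdwGHx10:14152:0:99999:7:::
"""

# crypt(3) identifiers from the slide; all three are salted, iterated constructions.
CRYPT_IDS = {"1": "md5crypt (MD5)", "5": "sha256crypt (SHA-256)", "6": "sha512crypt (SHA-512)"}


@dataclass
class PasswdEntry:
    name: str
    uid: int
    gid: int
    gecos: str      # full name / comment field
    home: str
    shell: str


@dataclass
class ShadowEntry:
    name: str
    crypt: str                  # the $id$salt$hash field exactly as stored
    last_change: Optional[int]  # days since 1970-01-01
    min_days: Optional[int]
    max_days: Optional[int]
    warn_days: Optional[int]
    inactive: Optional[int]
    expire: Optional[int]       # days since 1970-01-01, empty = never

    def parts(self):
        """Split $id$salt$hash into (algorithm, salt, hash)."""
        _, ident, salt, digest = self.crypt.split("$", 3)
        return CRYPT_IDS.get(ident, "unknown id " + ident), salt, digest

    def has_crackable_hash(self) -> bool:
        """'*', '!' or '!...' mean password login is disabled: nothing to crack."""
        return self.crypt.startswith("$")


def _opt_int(value: str) -> Optional[int]:
    return int(value) if value else None


def parse_passwd(text: str) -> Dict[str, PasswdEntry]:
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":", 6)
        entries[name] = PasswdEntry(name, int(uid), int(gid), gecos, home, shell)
    return entries


def parse_shadow(text: str) -> Dict[str, ShadowEntry]:
    entries = {}
    for line in text.splitlines():
        if not line:
            continue
        f = line.split(":", 8)          # nine fields, the last one reserved
        entries[f[0]] = ShadowEntry(f[0], f[1], _opt_int(f[2]), _opt_int(f[3]), _opt_int(f[4]),
                                    _opt_int(f[5]), _opt_int(f[6]), _opt_int(f[7]))
    return entries


def unshadow(passwd_text: str, shadow_text: str) -> List[str]:
    """What John's unshadow does: put the hash back in place of the 'x' in passwd."""
    shadow = parse_shadow(shadow_text)
    merged = []
    for line in passwd_text.splitlines():
        if not line:
            continue
        fields = line.split(":", 6)
        if fields[1] == "x" and fields[0] in shadow:
            fields[1] = shadow[fields[0]].crypt
        merged.append(":".join(fields))
    return merged


if __name__ == "__main__":
    for entry in parse_shadow(SHADOW).values():
        algo, salt, digest = entry.parts()
        print(f"{entry.name}: {algo}, salt={salt!r}, last change day {entry.last_change}")
    print("\n".join(unshadow(PASSWD, SHADOW)))
```

The has_crackable_hash check is worth keeping in any real audit script: system accounts with * or ! in the hash field have no password to crack, and feeding them to a cracker only wastes time.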

Single mode

In single mode, John derives candidate passwords from the login information itself: the user name and the GECOS (full name) field, mangled with the single-mode rules (case changes, reversal, appended digits, ...). It is fast and should always be run first. The lecture's workfile holds more accounts than the two shown on the previous slides, hence the eight hashes loaded.

$ john --single workfile
Using default input encoding: UTF-8
Loaded 8 password hashes with 8 different salts (md5crypt, crypt(3) $1$ [MD5 128/128 AVX 4x3])
Press 'q' or Ctrl-C to abort, almost any other key for status
Borgund          (linebo)
langbein12       (Langbein)
2g 0:00:00:00 DONE (2018-11-17 10:25) 11.11g/s 30983p/s 31055c/s 31055C/s dole1905..dole1900
Use the "--show" option to display all of the cracked passwords reliably
Session completed

In the status line, g/s is cracked passwords (guesses) per second, p/s candidate passwords per second, c/s hash computations (crypts) per second and C/s candidate-salt combinations per second; the trailing pair shows the last candidates tried.

Wordlist mode

In wordlist mode, John uses a file with a list of words as candidate passwords (--wordlist=FILE; without a file name the default list from the configuration is used). If the option --rules is specified, John will modify or "mangle" each word according to the specified rules: case changes, reversal, appended digits and so on, which is what turned "coffee" into "eeffoc" and "coffee6" below. John keeps the passwords it has already cracked in john.pot, which is why only six hashes remain after the single-mode run.

$ john --wordlist --rules workfile
Using default input encoding: UTF-8
Loaded 8 password hashes with 8 different salts (md5crypt, crypt(3) $1$ [MD5 128/128 AVX 4x3])
Remaining 6 password hashes with 6 different salts
Press 'q' or Ctrl-C to abort, almost any other key for status
coffee           (Ole)
eeffoc           (Doffen)
coffee6          (Dole)
3g 0:00:00:14 DONE (2018-11-17 10:32) 0.2042g/s 10662p/s 36788c/s 36788C/s Qwerting..Sssing
Use the "--show" option to display all of the cracked passwords reliably

Incremental mode

- Incremental mode is the most powerful cracking mode, as John will try all possible character combinations as passwords. It orders the candidates by character frequency statistics (the .chr files), so likely passwords come early, but it is still an exhaustive search and by far the slowest mode.

- This mode does not terminate on its own (unless you configure a small search space), but will continue cracking until interrupted.

- We can define mode definitions for incremental mode in John's configuration file (on Kali: /etc/john/john.conf)
  - what symbols to use
  - minimum and maximum lengths
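
The candidate generators behind the three modes, as an added Python example (not part of the slides and not John's own code): single mode derives guesses from the login and GECOS fields, wordlist mode mangles each word with a few rules of the kind that produced eeffoc and coffee6 above, and incremental mode enumerates an alphabet exhaustively, shortest length first. Python's standard library has no md5crypt, so the target "shadow" entries are constructed as salted SHA-1 records; the accounts, passwords and salts are made up for the example, and the rule set is a small hand-written one, not John's.

```python
import hashlib
import itertools
import string
from typing import Dict, Iterable, Iterator, Optional, Tuple


def make_record(password: str, salt: str) -> Tuple[str, str]:
    """Stand-in for md5crypt: (salt, sha1(salt || password)). Constructed for the example."""
    return salt, hashlib.sha1((salt + password).encode()).hexdigest()


def check(candidate: str, record: Tuple[str, str]) -> bool:
    salt, digest = record
    return hashlib.sha1((salt + candidate).encode()).hexdigest() == digest


# Constructed target accounts: login, GECOS (full name) and the stored record,
# mirroring the fields unshadow keeps together.
TARGETS = {
    "Ole":      {"gecos": "Ole Olsen",     "record": make_record("coffee", "zPawRL.R")},
    "Langbein": {"gecos": "Lars Langbein", "record": make_record("langbein12", "Ab3xQ9")},
    "Doffen":   {"gecos": "Doffen Duck",   "record": make_record("eeffoc", "q1W2e3")},
    "Dole":     {"gecos": "Dole Duck",     "record": make_record("dz7", "x9")},
}


def single_mode(login: str, gecos: str) -> Iterator[str]:
    """Single mode: candidates derived from the account's own fields."""
    seeds = {login, login.lower(), login.capitalize()} | set(gecos.split())
    for s in sorted(seeds):
        yield s
        yield s.lower()
        yield s[::-1]
        for n in range(100):            # appended one or two digits, a very common habit
            yield f"{s.lower()}{n}"
            yield f"{s.lower()}{n:02d}"


def wordlist_mode(words: Iterable[str], rules: bool = True) -> Iterator[str]:
    """Wordlist mode; with rules, each word is 'mangled' into variants."""
    for w in words:
        yield w
        if not rules:
            continue
        yield w.capitalize()
        yield w.upper()
        yield w[::-1]                   # reversal: coffee -> eeffoc
        for d in "0123456789":
            yield w + d                 # appended digit: coffee -> coffee6
        yield w.replace("e", "3").replace("o", "0")


def incremental_mode(alphabet: str, min_len: int, max_len: int) -> Iterator[str]:
    """Incremental mode: exhaustive search over alphabet^length, shortest first."""
    for length in range(min_len, max_len + 1):
        for tup in itertools.product(alphabet, repeat=length):
            yield "".join(tup)


def crack(record: Tuple[str, str], candidates: Iterator[str]) -> Tuple[Optional[str], int]:
    """Return (password or None, number of candidates tested)."""
    tested = 0
    for c in candidates:
        tested += 1
        if check(c, record):
            return c, tested
    return None, tested


def crack_all(targets: Dict[str, dict], words: Iterable[str]) -> Dict[str, Tuple[Optional[str], str]]:
    """Run the modes in the order the slides do: single, wordlist with rules, incremental."""
    words = list(words)
    results = {}
    for login, info in targets.items():
        for mode, gen in (
            ("single", single_mode(login, info["gecos"])),
            ("wordlist", wordlist_mode(words)),
            ("incremental", incremental_mode(string.ascii_lowercase + string.digits, 1, 3)),
        ):
            pw, _ = crack(info["record"], gen)
            if pw is not None:
                results[login] = (pw, mode)
                break
        else:
            results[login] = (None, "uncracked")
    return results


if __name__ == "__main__":
    for login, (pw, mode) in crack_all(TARGETS, ["coffee", "tea", "summer"]).items():
        print(f"{login:10} {pw!s:12} ({mode})")
```

Each mode costs more than the one before it, so the ordering is not cosmetic: the single-mode generator tests a few hundred candidates per account, the wordlist with these rules a few dozen per word, and the three-character incremental run close to 48 000. Against md5crypt, with its thousand MD5 rounds per check, that difference is what decides whether a run finishes at all.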

Managing the search space

Successful password cracking is mostly about managing and reducing the search space.

- Knowledge of your targets
  - username, full name
  - language and culture
  - password requirements/policy

- Relevant dictionaries
  - customized with target specific information

- Good rules
  - customized with target specific information

Additional resources

John comes with extensive documentation:

- on Kali it is located under /usr/share/doc/john/ (use zless to read)

- online documentation: https://www.openwall.com/john/doc/

The John wiki:

- https://openwall.info/wiki/john

A nice John cheat sheet:

- https://countuponsecurity.files.wordpress.com/2016/09/jtr-cheat-sheet.pdf

Passwords in Windows

How are passwords stored in Windows?

Local account passwords are stored (as hashes, not as passwords) in the SAM, the Security Account Manager database:

- In the registry: HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users (by default only SYSTEM can open this key, not even administrators)

- As a registry hive file on disk: C:\Windows\System32\config\SAM

The hashes in the SAM are additionally encrypted with a key derived from the SYSTEM hive (the boot key), so the SAM alone is not enough: whoever extracts it needs the SYSTEM hive as well. Domain accounts are not in the SAM at all but in Active Directory's NTDS.dit on the domain controllers.

Passwords in the registry

Command line to open regedit as SYSTEM, which is what it takes to browse the SAM key:

psexec.exe -s -i regedit.exe

psexec is part of the Sysinternals suite.

Extract password hashes from the file on disk

- The SAM hive file on disk, C:\Windows\System32\config\SAM, is locked by the kernel while Windows is running and cannot be copied with ordinary file access

- To extract the file, boot the machine from Linux on USB (or CD), if possible, and copy both the SAM and the SYSTEM hive from the mounted Windows partition

- This requires a Linux USB and physical access, and it fails when the disk is protected by full-disk encryption such as BitLocker, which is exactly why disk encryption is recommended for laptops

Extract the password hashes from the registry

- Use a tool to extract the hashes. Possible if you are an admin user; with admin rights you can also save the hives yourself (reg save HKLM\SAM sam.hiv and reg save HKLM\SYSTEM system.hiv) and decrypt them offline.

- Extract them manually by learning the format of the registry values.

- Read more: http://www.beginningtoseethelight.org/ntsecurity/index.htm

Possible tool: fgdump (dumps the local hashes from a running system in pwdump format; it is old and detected by most antivirus products, so expect it to be quarantined unless the AV is disabled)

Extracted password hashes

User name:RID:LM hash:NT hash::: (pwdump format; the number is the account's relative identifier, 500 for the built-in Administrator)

LM hash

LM hashes are insecure and out of date. The LM hash is computed as follows:

- Convert the password to upper case (so case adds no strength)

- Pad with null bytes to a length of 14 (passwords longer than 14 characters cannot have an LM hash at all)

- Divide into two parts of length 7

- Use each part as a 56-bit DES key to encrypt the constant "KGS!@#$%"

- Concatenate the two 8-byte ciphertexts into the 16-byte hash

There is no salt, and the two halves can be cracked independently, so the effective strength is that of two 7-character upper-case passwords: at most 69^7 (about 7.5 * 10^12) candidates per half, which brute force or a rainbow table gets through quickly. A password of 7 characters or fewer is recognisable at a glance, because its second half is always aad3b435b51404ee (DES of the constant under an all-zero key).

https://en.wikipedia.org/wiki/LAN_Manager#LM_hash_details

NTLM hash

- The NT hash (often just called the NTLM hash) is the MD4 digest of the password encoded as little-endian UTF-16; there is no salt and no iteration

- More secure than the LM hash: case is preserved, the length is not capped at 14, and there are no independently crackable halves

- Not of much use as long as LM hashes were stored as well, since the LM hash gave away the password up to case

- Now normally only NT hashes are stored; but MD4 is fast and unsalted, so identical passwords give identical hashes and a wordlist hashed once can be looked up against every account in a dump
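
An added Python example, not from the slides: a pure-Python MD4 (hashlib's md4 is often unavailable under OpenSSL 3), the NT hash built on it, and a small audit over constructed pwdump-format lines in the User:RID:LM:NT::: layout shown earlier. The audit flags accounts that still have an LM hash stored, accounts with an empty password and accounts that share an NT hash, then cracks the NT hashes with a wordlist hashed once, which is what the lack of a salt buys the attacker. The account names, RIDs and the LM value for alice are made up; the function names are the example's own.

```python
import struct
from typing import Dict, List

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(message: bytes) -> bytes:
    """MD4 as in RFC 1320 (hashlib's md4 is often missing under OpenSSL 3)."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    bit_len = len(message) * 8
    message += b"\x80"                                  # padding: 1 bit, zeros, 64-bit LE length
    message += b"\x00" * ((56 - len(message) % 64) % 64)
    message += struct.pack("<Q", bit_len)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(message), 64):
        x = struct.unpack("<16I", message[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                             # round 1
            a, b, c, d = d, _rotl((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):                             # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, _rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):                             # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, _rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4]), b, c
        a0, b0, c0, d0 = (a0 + a) & MASK, (b0 + b) & MASK, (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """NT hash: MD4 over the UTF-16LE encoding of the password. No salt, no iterations."""
    return md4(password.encode("utf-16-le")).hex()


LM_EMPTY = "aad3b435b51404eeaad3b435b51404ee"   # LM field when no LM hash is stored


def sample_dump() -> List[str]:
    """Constructed pwdump-format lines (user:RID:LM:NT:::). alice's LM value is made up."""
    return [
        f"Administrator:500:{LM_EMPTY}:{nt_hash('password')}:::",
        f"guest:501:{LM_EMPTY}:{nt_hash('')}:::",
        f"alice:1001:1b6bb2b7e8d5a6f5aad3b435b51404ee:{nt_hash('coffee')}:::",
        f"bob:1002:{LM_EMPTY}:{nt_hash('coffee')}:::",
    ]


def parse_dump(lines: List[str]) -> List[Dict[str, str]]:
    entries = []
    for line in lines:
        user, rid, lm, nt = line.split(":")[:4]
        entries.append({"user": user, "rid": rid, "lm": lm.lower(), "nt": nt.lower()})
    return entries


def audit(entries: List[Dict[str, str]]) -> Dict[str, list]:
    """Flag LM hashes still stored, empty passwords and NT hashes shared by several accounts."""
    findings = {"lm_stored": [], "empty_password": [], "shared_nt": []}
    by_nt: Dict[str, List[str]] = {}
    for e in entries:
        if e["lm"] != LM_EMPTY:
            findings["lm_stored"].append(e["user"])
        if e["nt"] == nt_hash(""):
            findings["empty_password"].append(e["user"])
        by_nt.setdefault(e["nt"], []).append(e["user"])
    findings["shared_nt"] = [users for users in by_nt.values() if len(users) > 1]
    return findings


def crack_nt(entries: List[Dict[str, str]], words: List[str]) -> Dict[str, str]:
    """Unsalted, so hash the wordlist once and look every account up in the table."""
    table = {nt_hash(w): w for w in words}
    return {e["user"]: table[e["nt"]] for e in entries if e["nt"] in table}


if __name__ == "__main__":
    dump = parse_dump(sample_dump())
    print(audit(dump))
    print(crack_nt(dump, ["coffee", "password", "letmein"]))
```

The shared_nt finding is the salting lesson from the Linux half of the lecture seen from the other side: because the NT hash has no salt, two accounts with the same password are visible as such in the dump before a single guess has been made, and cracking one of them cracks both.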

Why crack passwords if you are already admin?

- Passwords may be reused.

- Access to other files.

- Step by step towards more access.

Which users are present on the machine?

wmic useraccount

(wmic is deprecated in current Windows versions; Get-LocalUser in PowerShell, or net user, gives the same list.)

Recommended reading

A good article on salted password hashing:

- https://crackstation.net/hashing-security.htm

A series of articles from Ars Technica:

- https://arstechnica.com/information-technology/2012/08/passwords-under-assault/

- https://arstechnica.com/information-technology/2013/03/how-i-became-a-password-cracker/

- https://arstechnica.com/information-technology/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

Exercise Task

Part 1: Password length

Assume that a password can only contain the 26 characters from the alphabet.

- How many different passwords are possible if a password is at most n, n = 4, 6, 8, characters long and there is no distinction between upper case and lower case characters?

- How many different passwords are possible if a password is at most n, n = 4, 6, 8, characters long and passwords are case sensitive?

Exercise Task

Part 2: Brute force

Assume that passwords have length six and all alphanumeric characters, upper and lower case, can be used in their construction. How long will a brute force attack take on average if:

- it takes one tenth of a second to check a password?

- it takes a microsecond to check a password?

Exercise Task

Part 3: Hashes and salts

1. What is the advantage of storing password databases as hash values instead of in plaintext?

2. What is the advantage of storing passwords as salted hash values instead of just as hash values?

Exercise Task

Part 4: More hashes and salts

- Create a text file (c:\pw.txt) on your Windows 7 VM, and write a random string (without any line breaks).

- Open a command prompt and use the command certutil to hash the file: certutil -hashfile c:\pw.txt SHA1

- Make note of the hash value.

- Add a single character to the text file.

- Hash the file again, and note the hash value. Is it similar to the previous hash?

- Substitute the string with the word secret, and rehash the file. Do you get the same result as in the lecture slides? (If not, check for a trailing newline or a byte-order mark added by the editor: certutil hashes the file's bytes exactly as they are.)

- Try rehashing after adding the salt used in the slides. Note that the slides put the salt in front of the password, as in sha1("asdfsecret").

Exercise Task

Part 5: Crack passwords

Crack the passwords.

Questions?
