Post on 03-Aug-2021

Reasoning Analytically About Password-Cracking Software
Enze “Alex” Liu, Amanda Nakanishi, Maximilian Golla, David Cash, Blase Ur
Outline
Our efficient techniques for guess numbers
Our techniques for systematic configuration
Neural Networks [Melicher et al., Usenix Security 2016]
Guess #
Guess-Efficient
Rulelist
1. Append “1”
2. Replace “a” → “4”
3. Lowercase all
Guesses
Super1 Password1 Chicago1
Super P4ssword Chic4go
super password chicago
Is This Password in the Guesses?
Chic4go
Wordlist
Super Password Chicago
Rulelist
1. Append “1”
2. Replace “a” → “4”
3. Lowercase all
Guesses
Super1 Password1 Chicago1
Super P4ssword Chic4go
super password chicago
Insight: Invert Rules
Rulelist
1. Append “1”
2. Replace “a” → “4”
3. Lowercase all
Password
Chic4go
Preimages
Chicago Chic4go
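The rule inversion sketched on these slides, written out as an added example (it is not the authors' tool or code from the talk). It computes a password's guess number for the three-word wordlist and three-rule rulelist above without enumerating the guesses. The function and rule names are hypothetical, and it assumes the rule-major guessing order in which the slides list the guesses.

```python
from itertools import product

WORDLIST = ["Super", "Password", "Chicago"]   # wordlist from the slides
RULES = ["append1", "a_to_4", "lower"]        # hypothetical names for the three rules

def apply_rule(rule, word):
    """Forward direction: the guess produced from one (rule, word) pair."""
    if rule == "append1":
        return word + "1"
    if rule == "a_to_4":
        return word.replace("a", "4")
    return word.lower()

def invert_rule(rule, pw):
    """Backward direction: all w with apply_rule(rule, w) == pw (None = too many)."""
    if rule == "append1":
        return {pw[:-1]} if pw.endswith("1") else set()
    if rule == "a_to_4":
        if "a" in pw:                 # this rule's output never contains "a"
            return set()
        # each "4" was either a literal "4" or a replaced "a"
        options = [("4", "a") if c == "4" else (c,) for c in pw]
        return {"".join(p) for p in product(*options)}
    # "lower": 2^letters case variants, so defer to a wordlist index instead
    return None if pw == pw.lower() else set()

def guess_number(pw, wordlist=WORDLIST, rules=RULES):
    """1-based position of pw in rule-major guessing order, or None if never guessed."""
    position, lowered = {}, {}
    for i, w in enumerate(wordlist):
        position.setdefault(w, i)
        lowered.setdefault(w.lower(), []).append(w)
    best = None
    for r, rule in enumerate(rules):
        pre = invert_rule(rule, pw)
        hits = lowered.get(pw, []) if pre is None else [w for w in pre if w in position]
        for w in hits:
            n = r * len(wordlist) + position[w] + 1
            best = n if best is None else min(best, n)
    return best

def enumerate_guesses(wordlist=WORDLIST, rules=RULES):
    """Brute-force baseline that the inversion replaces."""
    return [apply_rule(rule, w) for rule in rules for w in wordlist]
```

`guess_number("Chic4go")` finds the preimages `Chicago` and `Chic4go`, matches `Chicago` in the wordlist, and returns 6, the same position the password has in the enumerated guess list.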
*05 O03 d '7
Switch the first and the sixth char;
Delete the first three chars;
Duplicate the whole word;
Rulelist
1. Append “1”
2. Replace “a” → “4”
3. Lowercase all
Guesses
Super1 Password1 Chicago1
Super P4ssword Chic4go
Wordlist: Super Password Chicago
Rule: Reject if no “a”; Replace “a” → “4”
Guesses: 2
Linkedin + SpiderLab Guesses
Mean Lookup ??? < 1 second
Rule Ordering
Key idea: Order by # cracks per guess
1. Append “1” 2. Replace “a” → “4” 3. Lowercase all
1. Replace “a” → “4” 2. Lowercase all 3. Append “1”
Word Completeness
Should other words be in the wordlist?
Key idea: Add frequent preimage “misses”
Preimages
Rulelist
1. Append “1”
2. Replace “a” → “4”
3. Lowercase all
Oakland1 O@kl@nd oakland
Short strings a2; a23; 7a; b2; q2
Takeaway
Reasoning Analytically About Password-Cracking Software
