Hands-On Network Security: Practical Tools & Methods. Hands-On Network Security. Roadmap. Security Training Course

Transcription

1 Hands-On Network Security: Practical Tools & Methods Security Training Course Dr. Charles J. Antonelli The University of Michigan 2012 Hands-On Network Security Module 4 Password Strength & Cracking Roadmap Password Authentication How Passwords are Cracked Countermeasures 3 1

2 Password Authentication Password Representations UNIX DES Hashes Old technology, but still around Linux Hashes Salted SHA-512, SHA-256, MD5, Blowfish Mac OS X Hashes Salted SHA-1 5 UNIX Hash Generation Password length 8 characters or less 7 bits of each character used to generate 56-bit key Key used to encrypt a constant using a variation of the DES algorithm MGoBlue1 Constant (0x ) Key DES UNIX Hash zvktpweefzcva 6 2

3 It s not a hash Keyboard character set Common alphanumeric set only Character variations 126 UNIX Hash Considerations Maximum entropy 6.3*10 16 passwords Salted 7 Linux Hash Generation Hash the password Store it MGoBlue1 SHA-512 SHA-512 Hash $6$dmk52gd$TWOWIDs1q6/uZ.t49s.YkFQr3zeTGzrYwN33Ep2pdTKw! HekN/O2hK0QuSTtUYNmS5Homqtp9lA/jf0hWRE7Bb/! 8 Linux Hash Considerations Keyboard character set Common alphanumeric set only Character variations 126 Maximum length = 256 characters Entropy for 256-character password 4.9* Entropy for 20-character password from 126 character set 1.0*10 42 Entropy for 20-character password from 69 keyboard character set 6.0*10 36 Salted 9 3

4 Linux Passwords Passwords stored in /etc/shadow readable only by root Other per-user information stored in /etc/passwd world readable UNIX stored both in /etc/passwd! 10 Linux Hashes Several hashes available Use SHA-512! ID Method $1$ MD5 $2a$ Blowfish (some distros) $5$ SHA-256 $6$ SHA-512 (default) 11 SHA-3 Hash Contest Update MD5 broken, SHA-1&2 suspect NIST competition for a SHA-3 Timeframe candidates submitted for Round 1 14 candidates in Round 2 BLAKE, Blue Midnight Wish, CubeHash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, and Skein Final candidates announced December 10, 2010 BLAKE, Grøstl, JH, Keccak, and Skein Final SHA-3 candidate conference held March SHA-3 standard to be published

5 Choosing A Password Good Pass phrases (much longer than 8 characters) mix case digits/punctuation control characters easy to remember no words in any language Bad people s names dictionary/technical words or phrases birth dates places common acronyms backwards spelling simple permutations 8 characters or less 13 Good Pass phrases (much longer than 8 characters) Choosing A Password 2012 Bad Everything else 14 How Passwords are Cracked 5

6 Passive Online Attacks Man-in-the-Middle and Replay Attacks Somehow get access to communications channel Wait for authentication sequence Proxy authentication-traffic No need to brute-force Considerations Relatively hard to perpetrate Must be trusted by one or both sides Some tools widely available Anyone remember MarketScore? 16 Active Online Attacks Password guessing Try different passwords until one works Made easier by Bad passwords Excessive information from server Lack of password guessing controls Considerations Assuming good passwords, is this even feasible? Common 8 character password space (69^8) Password Expires in 90 days Need to guess 3,964,493,629 pwds/sec Need throughput of 253,727,592,310 bits/sec Gigabit Ethernet = 1B bits/sec Easily detected and stopped Core problem: Bad passwords 17 Offline Attacks Attacker has password database Not that hard: Need to be admin (or steal the box) Can attack at leisure Attack types: Dictionary attack Very Fast Core Problem: Bad Passwords Brute Force attack AlphaNumerics then AlphaNumerics + Upper Row Symbol, etc Slow, but will eventually find all passwords Hybrid Start with Dictionary, Insert Entropy Pre-computed Hashes Rainbow tables Time-space tradeoff Considerations Moore s law 18 6

7 John the Ripper Fast, open-source password cracker Created by Solar Designer Active development group Runs on Linux, Mac OS X, Solaris, Android, Handles DES, BSDI DES, FreeBSD MD5, OpenBSD Blowfish, Kerberos AFS DES, and LM DES hashes Runs well on HPC clusters using Open MP No GPU support yet But see 19 Lab: Crack Passwords 1. Install John the Ripper cd; tar zxf /usr/local/lab/john/john tar.gz; cd ~/john-1.7.9/doc Follow directions in INSTALL & README 2. Create test account with a weak password using MD5 hashing sudo vi /etc/pam.d/system-auth Change string sha512 to md5 in third paragraph sudo useradd sucker sudo passwd sucker 3. Undo the change to system-auth you made in step Create test account with a weak password using SHA-512 hashing sudo useradd trout sudo passwd trout 5. Obtain password hashes cd ~/john-1.7.9/run; sudo./unshadow /etc/passwd /etc/shadow >passwd.1 6. Crack./john passwd.1 20 Lab: Crack Passwords You can interrupt at any time, and restart with./john restore If you want to start over rm john.pot restore To display all passwords found so far./john --show /tmp/passwd.1 To see how fast John is on your machine./john --test When done, delete the test accounts and the local password and crack files! sudo userdel sucker; sudo userdel trout /bin/rm ~/john-1.7.9/run/{john.pot,passwd.1} 21 7

8 Rainbow Tables What if you precomputed the password hashes? All Windows LM Hashes: 166 Terabytes All Windows NT Hashes < 15 chars: 140,959,235,198 Exabytes This would result in faster cracking, at the cost of storing all those hashes This is the Time-Memory tradeoff Implemented using hash chains Clever way to link the hashes into chains Only store 1 in 10,000 hashes Rainbow tables improve on hash chains Reduce collisions (overlapping chains) Ineffective against salted hashes Unix, Linux, and Mac OS X hashes are salted Windows NT hashes are not 22 Rainbow Tables Windows password cracker that uses rainbow tables Cracks LM and NT hashes Live CD support Free tables for Windows XP and Vista (dictionary based) For-fee tables for Vista (NTLM) Seems to be moribund Folding@home distributed cracking model Terabytes of tables Free tables For-fee tables Seems to be quite active 23 Countermeasures 8

9 Policy-Based Mitigation Develop a password policy Require pass phrases Greater than 15 mixed characters Password expiration for all accounts No password reuse (temporal and spatial) Account lockout (where appropriate) Physical security policy Cornerstone for any security No physical security = no security No policy = no enforcement 25 Pass Phrases v. Passwords Pass phrases are long strings I wish we d use 2Factor authentication instead of passwords Very strong protection against attacks Easy to remember, a bit longer to type Passwords are short complex Hard to remember Often difficult to type Not resistant against current attacks Obvious substitutions are quickly broken Take-away: Long easily-remembered phrases are better than short complex passwords 26 Technology-Based Mitigation Multi-factor authentication Why use passwords at all? Smart cards Two-factor authentication Very difficult to thwart High cost of initial deployment Smart cards, tokens, readers, software, Long-term cost benefit Idea: use your smartphone as your token

10 Technology-Based Mitigation Multi-factor authentication Biometrics Measure some physical characteristic Fingerprint, iris color distribution, retinal pattern, Usually defeated with non-technical attacks Historically unreliable False positives - bad guy authenticated False negatives - legitimate user refused Can be stolen Iris scanners popular Courtesy WIkipedia 28 Summary Bad passwords get broken, even when using good storage and authentication methods! Solutions 1. Use better passwords 2. Don t let bad guys get the hashes Combination of policy and technology 29 References presentations/burr_sha-3conf-day_1_wrapup.pdf man 3 shadow man 3 crypt 30 10

11