
Page 1: Network Security Fundamentals - University of Michigancja/NSF13/lectures/netsec-04... · 2013-04-13 · Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli

Network Security Fundamentals

Security Training Course

Dr. Charles J. Antonelli The University of Michigan

2013

Network Security Fundamentals

Module 4 Password Strength & Cracking

Roadmap

•  Password Authentication
•  How Passwords are Cracked
•  Countermeasures

04/13 cja 2013 3

Password Authentication

Password Representations

•  UNIX: DES “hashes”
  –  Old technology, but still around
•  Linux: hashes
  –  Salted SHA-512, SHA-256, MD5, Blowfish
•  Mac OS X: hashes
  –  Salted SHA-1

UNIX “Hash” Generation

•  Password length 8 characters or less
•  7 bits of each character used to generate 56-bit key
•  Key used to encrypt a constant using a variation of the DES algorithm

Diagram: Key MGoBlue1 → DES′ applied to the constant (0x00000000) → UNIX hash zvktPWeeFzCVA

UNIX “Hash” Considerations

•  It’s not a hash
•  Keyboard character set
  –  Common alphanumeric set only
  –  Character variations ≈ 126
•  Maximum entropy ≈ 6.3×10^16 passwords
•  Salted

Linux Hash Generation

•  Hash the password
•  Store it

Diagram: MGoBlue1 → SHA-512 → SHA-512 hash $6$dmk52gd$TWOWIDs1q6/uZ.t49s.YkFQr3zeTGzrYwN33Ep2pdTKw!HekN/O2hK0QuSTtUYNmS5Homqtp9lA/jf0hWRE7Bb/!

Linux Hash Considerations

•  Keyboard character set
  –  Common alphanumeric set only
  –  Character variations ≈ 126
•  Maximum length = 256 characters
•  Entropy for 256-character password ≈ 4.9×10^538
•  Entropy for 20-character password from 126-character set ≈ 1.0×10^42
•  Entropy for 20-character password from 69-character “keyboard” set ≈ 6.0×10^36
•  Salted

Linux Passwords

•  Passwords stored in /etc/shadow
  –  readable only by root
•  Other per-user information stored in /etc/passwd
  –  world readable
•  UNIX stored both in /etc/passwd!

Linux Hashes

•  Several hashes available
•  Use SHA-512!

ID      Method
$1$     MD5
$2a$    Blowfish (some distros)
$5$     SHA-256
$6$     SHA-512 (default)
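The table above is what an administrator checks when auditing a shadow file: which scheme each account's hash uses, whether it is salted, and whether any account is empty or still on MD5 or traditional DES. The following is an added example (not code from the slides) that classifies shadow entries by their `$id$` prefix, handles the optional `rounds=N` field and the bcrypt `$2a$cost$salt+hash` layout, and recognises the prefix-less 13-character DES form from the UNIX slide. The sample lines and hash bodies are constructed placeholders; the "weak" threshold is an assumption.

```python
"""Classify /etc/shadow password fields by crypt(3) scheme and flag weak ones.

Added example, not from the slides. Uses the $id$ prefixes from the Linux Hashes slide
plus the prefix-less 13-character traditional DES form. The sample lines below are
constructed; the hash bodies are placeholders, not real digests.
"""
import re

SCHEMES = {          # prefix -> method, from the slide's table
    "$1$": "MD5",
    "$2a$": "Blowfish",
    "$5$": "SHA-256",
    "$6$": "SHA-512",
}
WEAK = {"MD5", "DES"}   # assumption: flag anything below Blowfish/SHA-256

# Constructed sample; hash bodies are placeholders, not real digests.
SAMPLE_SHADOW = """\
root:$6$dmk52gd$PLACEHOLDERHASHBODY:15800:0:99999:7:::
sucker:$1$abcdefgh$PLACEHOLDERHASHBODY:15800:0:99999:7:::
trout:$6$rounds=10000$saltsalt$PLACEHOLDERHASHBODY:15800:0:99999:7:::
bob:$2a$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZabcde:15800:0:99999:7:::
legacy:zvktPWeeFzCVA:15800:0:99999:7:::
daemon:*:15800:0:99999:7:::
guest::15800:0:99999:7:::
"""


def classify(field: str) -> dict:
    """Return {'scheme', 'salt', 'status'} for one shadow password field."""
    if field == "":
        return {"scheme": "none", "salt": "", "status": "empty"}
    if field[0] in "!*":
        return {"scheme": "none", "salt": "", "status": "locked"}
    for prefix, name in SCHEMES.items():
        if field.startswith(prefix):
            body = field[len(prefix):].split("$")
            if name == "Blowfish":
                # $2a$<cost>$<22-char salt><31-char hash>
                salt = body[1][:22] if len(body) > 1 else ""
            else:
                if body and body[0].startswith("rounds="):   # optional rounds=N for $5$/$6$
                    body = body[1:]
                salt = body[0] if body else ""
            return {"scheme": name, "salt": salt, "status": "weak" if name in WEAK else "ok"}
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        # Traditional DES crypt: 2-character salt followed by 11 characters of output
        return {"scheme": "DES", "salt": field[:2], "status": "weak"}
    return {"scheme": "unknown", "salt": "", "status": "unknown"}


def audit(shadow_text: str) -> dict:
    """Map each user name to its classification; the password field is the second colon-separated column."""
    results = {}
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        user, field = line.split(":", 2)[:2]
        results[user] = classify(field)
    return results


def weak_accounts(shadow_text: str) -> list:
    """Accounts an administrator should act on: weak scheme or empty password."""
    return sorted(u for u, r in audit(shadow_text).items() if r["status"] in ("weak", "empty"))


if __name__ == "__main__":
    for user, info in audit(SAMPLE_SHADOW).items():
        print(f"{user:8} {info['scheme']:8} salt={info['salt']!r:26} {info['status']}")
    print("act on:", weak_accounts(SAMPLE_SHADOW))
```

Run it against a real shadow file only as root and never copy the file off the host; the point of the check is to find the `sucker`-style MD5 and DES entries before anyone else does.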

SHA-3 Hash Contest Update

•  MD5 broken, SHA-1 & 2 suspect
•  NIST competition for a SHA-3
  –  Timeframe 2008-2012
  –  51 candidates submitted for Round 1
  –  14 candidates in Round 2
     ·  BLAKE, Blue Midnight Wish, CubeHash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, and Skein
  –  Final candidates announced December 10, 2010
     ·  BLAKE, Grøstl, JH, Keccak, and Skein
  –  SHA-3 standard to be published 2012 (2013?)

Choosing A Password

•  Good
  –  Pass phrases (much longer than 8 characters)
  –  miX cAsE
  –  digits/punctuation
  –  control characters
  –  easy to remember
  –  no words in any language
•  Bad
  –  people’s names
  –  dictionary/technical words or phrases
  –  birth dates
  –  places
  –  common acronyms
  –  backwards spelling
  –  simple permutations
  –  8 characters or less

Choosing A Password 2013

•  Good
  –  Pass phrases (much longer than 8 characters)
•  Bad
  –  Everything else

How Passwords are Cracked

Passive Online Attacks: Man-in-the-Middle and Replay Attacks

•  Somehow get access to communications channel
•  Wait for authentication sequence
•  Proxy authentication traffic
•  No need to brute-force
•  Considerations
  –  Relatively hard to perpetrate
  –  Must be trusted by one or both sides
  –  Some tools widely available
  –  Anyone remember MarketScore?

Active Online Attacks: Password guessing

•  Try different passwords until one works
•  Made easier by
  –  Bad passwords
  –  Excessive information from server
  –  Lack of password guessing controls
•  Considerations
  –  Assuming good passwords, is this even feasible?
     ·  Common 8-character password space (69^8)
     ·  Password expires in 90 days
     ·  Need to guess 3,964,493,629 pwds/sec
     ·  Need throughput of 253,727,592,310 bits/sec
     ·  Gigabit Ethernet = 1B bits/sec
  –  Easily detected and stopped
  –  Core problem: Bad passwords
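The keyspace figures on the hash-considerations slides and the guess-rate arithmetic on this slide are easy to recompute, and recomputing them is how a practitioner checks the units behind a capacity argument. The block below is an added example, not part of the slides: it evaluates the 126- and 69-character keyspaces as exact integers and as powers of ten (126^256 recomputes to about 10^537.7), and derives the slide's guess rate. Note that the slide's 3,964,493,629 figure is 69^8 divided by 129,600, which is the number of minutes in 90 days; the block also computes the rate per second using the 7,776,000 seconds in 90 days. The 64 bits-per-guess assumption is what reproduces the slide's bits/sec figure.

```python
"""Keyspace sizes and the online guess-rate arithmetic from the slides.

Added example, not from the slides. Reproduces the figures on the UNIX/Linux Hash
Considerations slides (126- and 69-character sets) and the Active Online Attacks
slide (69^8 space, 90-day expiry), so every number can be recomputed and its units checked.
"""
import math

PRINTABLE_126 = 126   # "character variations ≈ 126"
KEYBOARD_69 = 69      # "69 'keyboard' character set"
BITS_PER_GUESS = 64   # assumption: an 8-byte password per guess; this reproduces the slide's bits/sec

MINUTES_IN_90_DAYS = 90 * 24 * 60        # 129,600
SECONDS_IN_90_DAYS = 90 * 24 * 60 * 60   # 7,776,000


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters from `alphabet_size` symbols."""
    return alphabet_size ** length


def log10_keyspace(alphabet_size: int, length: int) -> float:
    """log10 of the keyspace; handy when the integer has hundreds of digits (126^256)."""
    return length * math.log10(alphabet_size)


def guesses_per_unit(alphabet_size: int, length: int, units_in_period: int) -> int:
    """Guess rate (per time unit) needed to exhaust the whole keyspace within the period."""
    return keyspace(alphabet_size, length) // units_in_period


def bits_per_unit(alphabet_size: int, length: int, units_in_period: int) -> int:
    """Network throughput implied by that guess rate, at BITS_PER_GUESS bits per attempt."""
    return keyspace(alphabet_size, length) * BITS_PER_GUESS // units_in_period


if __name__ == "__main__":
    print(f"126^8   ≈ 10^{log10_keyspace(PRINTABLE_126, 8):.2f}")
    print(f"126^256 ≈ 10^{log10_keyspace(PRINTABLE_126, 256):.2f}")
    print(f"126^20  ≈ 10^{log10_keyspace(PRINTABLE_126, 20):.2f}")
    print(f"69^20   ≈ 10^{log10_keyspace(KEYBOARD_69, 20):.2f}")
    # The slide's 3,964,493,629 figure is 69^8 / 129,600, i.e. per minute of a 90-day window.
    print(f"69^8 per minute of 90 days: {guesses_per_unit(KEYBOARD_69, 8, MINUTES_IN_90_DAYS):,}")
    print(f"69^8 per second of 90 days: {guesses_per_unit(KEYBOARD_69, 8, SECONDS_IN_90_DAYS):,}")
    print(f"bits per minute:            {bits_per_unit(KEYBOARD_69, 8, MINUTES_IN_90_DAYS):,}")
```

Either way the conclusion of the slide stands: a fully random 8-character password cannot be exhausted online within its lifetime, so online guessing only succeeds against bad passwords, and the lockout and rate-limit controls on the next slides are what keep it that way.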

Offline Attacks

•  Attacker has password database
  –  Not that hard: need to be admin (or steal the box)
•  Can attack at leisure – attack types:
  –  Dictionary attack
     ·  Very fast
     ·  Core problem: bad passwords
  –  Brute force attack
     ·  Alphanumerics, then alphanumerics + upper-row symbols, etc.
     ·  Slow, but will eventually find all passwords
  –  Hybrid
     ·  Start with dictionary, insert entropy
  –  Pre-computed hashes
     ·  Rainbow tables
     ·  Time-space tradeoff
•  Considerations
  –  Moore’s law

John the Ripper

•  http://www.openwall.com/john/
•  Fast, open-source password cracker
  –  Created by Solar Designer
  –  Active development group
•  Runs on Linux, Mac OS X, Solaris, Android, …
•  Handles DES, BSDI DES, FreeBSD MD5, OpenBSD Blowfish, Kerberos AFS DES, and LM DES hashes
•  Runs well on HPC clusters using OpenMP
•  Jumbo patch for 1.7.9, revision 7 adds GPU support
  –  CUDA and OpenCL
•  Openwall community wiki
  –  http://openwall.info/wiki/john

Hashcat

•  http://hashcat.net/hashcat/
•  Fast password cracker
•  Runs on Windows, Linux, Mac OS X
•  Command line & GUI versions
•  Supports a large number of hash types
•  Multiple attack modes (dictionary, rule-based, combinator, …)
•  GPU support
•  https://hashcat.net/wiki/doku.php?id=hashcat

Lab: Crack Passwords

1.  Install John the Ripper
      cd; tar zxf /usr/local/lab/john/john-1.7.9.tar.gz; cd ~/john-1.7.9/doc
    Follow directions in INSTALL & README
2.  Create test account with a weak password using MD5 hashing
      sudo vi /etc/pam.d/system-auth
    Change string sha512 to md5 in third paragraph
      sudo useradd sucker
      sudo passwd sucker
3.  Undo the change to system-auth you made in step 2.
4.  Create test account with a weak password using SHA-512 hashing
      sudo useradd trout
      sudo passwd trout
5.  Obtain password hashes
      cd ~/john-1.7.9/run; sudo ./unshadow /etc/passwd /etc/shadow >passwd.1
6.  Crack
      ./john passwd.1

Lab: Crack Passwords

•  You can interrupt at any time, and restart with
      ./john --restore
•  If you want to start over
      rm john.pot restore
•  To display all passwords found so far
      ./john --show passwd.1
•  To see how fast John is on your machine
      ./john --test
•  When done, delete the test accounts and the local password and crack files!
      sudo userdel sucker; sudo userdel trout
      /bin/rm ~/john-1.7.9/run/{john.pot,passwd.1}

Rainbow Tables

•  What if you precomputed the password hashes?
  –  All Windows LM hashes: 166 Terabytes
  –  All Windows NT hashes < 15 chars: 140,959,235,198 Exabytes
•  This would result in faster cracking, at the cost of storing all those hashes
  –  This is the time-memory tradeoff
  –  Implemented using hash chains
     ·  Clever way to link the hashes into chains
     ·  Only store 1 in 10,000 hashes
•  Rainbow tables improve on hash chains
  –  Reduce collisions (overlapping chains)
•  Ineffective against salted hashes
  –  Unix, Linux, and Mac OS X hashes are salted
  –  Windows NT hashes are not
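The three ideas on this slide (store only one hash per chain, recompute the rest at lookup time, and a position-dependent reduction to limit merged chains) fit in a small program. The following is an added example, not from the slides, that builds a toy rainbow table over the constructed keyspace of 4-digit PINs with SHA-256 as the unsalted hash, stores only chain endpoints, looks a hash up by regenerating chain tails, and then shows that the same table finds nothing once a per-user salt is mixed in. The keyspace, chain length and chain count are constructed for illustration; a real table is the same construction over a far larger space.

```python
"""Toy rainbow table over 4-digit PINs, to show the time-memory tradeoff and why salts defeat it.

Added example, not from the slides. The keyspace, chain length and hash choice are constructed
for illustration; real tables work the same way over far larger spaces.
"""
import hashlib
import random

KEYSPACE = 10_000      # PINs 0000..9999 (constructed toy space)
CHAIN_LEN = 100        # t: only 1 in t hashes is kept, the rest is recomputed on demand
NUM_CHAINS = 400       # m: chains built; m*t hash evaluations at build time


def H(password: str) -> str:
    """The unsalted hash the table is built for."""
    return hashlib.sha256(password.encode()).hexdigest()


def reduce_to_pin(digest: str, position: int) -> str:
    """Rainbow-style reduction: map a digest back into the keyspace, differently at each chain position."""
    return f"{(int(digest[:16], 16) + position) % KEYSPACE:04d}"


def build_table(seed: int = 1) -> dict:
    """Return {endpoint: start}. Intermediate values are thrown away; that is the memory saving."""
    rng = random.Random(seed)
    table = {}
    for _ in range(NUM_CHAINS):
        start = f"{rng.randrange(KEYSPACE):04d}"
        x = start
        for pos in range(CHAIN_LEN):
            x = reduce_to_pin(H(x), pos)
        table.setdefault(x, start)   # merged chains share an endpoint; keep the first
    return table


def lookup(table: dict, target_digest: str):
    """Recover the PIN whose unsalted hash is target_digest, or None. Costs O(t^2) hashes, no extra storage."""
    for i in range(CHAIN_LEN - 1, -1, -1):
        # Hypothesis: the target sits at position i of some chain; finish that chain from there.
        x = reduce_to_pin(target_digest, i)
        for pos in range(i + 1, CHAIN_LEN):
            x = reduce_to_pin(H(x), pos)
        if x in table:
            # Re-walk the stored chain to position i and verify; rejects false alarms from merges.
            y = table[x]
            for pos in range(i):
                y = reduce_to_pin(H(y), pos)
            if H(y) == target_digest:
                return y
    return None


def coverage(table: dict) -> int:
    """How many distinct PINs the stored chains actually cover (less than m*t because chains merge)."""
    seen = set()
    for start in table.values():
        x = start
        for pos in range(CHAIN_LEN):
            seen.add(x)
            x = reduce_to_pin(H(x), pos)
    return len(seen)


def pin_on_stored_chain(table: dict, position: int) -> str:
    """A PIN known to sit at `position` on a stored chain (used to demonstrate a guaranteed hit)."""
    y = next(iter(table.values()))
    for pos in range(position):
        y = reduce_to_pin(H(y), pos)
    return y


def salted_hash(salt: str, password: str) -> str:
    """Per-user salt: the stored value no longer matches anything the unsalted table can reverse."""
    return H(salt + password)


if __name__ == "__main__":
    table = build_table()
    print(f"stored endpoints: {len(table)}, PINs covered: {coverage(table)} of {KEYSPACE}")
    pin = pin_on_stored_chain(table, 7)
    print(f"unsalted lookup: {lookup(table, H(pin))} (expected {pin})")
    print(f"salted lookup:   {lookup(table, salted_hash('x7', pin))} (expected None)")
```

The storage line is the tradeoff in numbers: a few hundred endpoints stand in for tens of thousands of hash evaluations. The salted lookup fails because the table was built for H(pin) while the stored value is H(salt + pin); defeating it would require one table per salt value, which is why the salted UNIX, Linux and Mac OS X formats on the earlier slides are out of reach of precomputation and unsalted NT hashes are not.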

Rainbow Tables

•  http://ophcrack.sourceforge.net/
  –  Windows password cracker that uses rainbow tables
  –  Cracks LM and NT hashes
  –  Live CD support
  –  Free tables for Windows XP and Vista (dictionary based)
  –  For-fee tables for Vista (NTLM)
  –  Seems to be moribund
•  http://www.freerainbowtables.com/
  –  “Folding@home” distributed cracking model
  –  Terabytes of tables
  –  Free tables
  –  For-fee tables
  –  Seems to be quite active

Countermeasures

Policy-Based Mitigation

•  Develop a password policy
  –  Require pass phrases
  –  Greater than 15 mixed characters
  –  Password expiration for all accounts
  –  No password reuse (temporal and spatial)
  –  Account lockout (where appropriate)
•  Physical security policy
  –  Cornerstone for any security
  –  No physical security = no security
•  No policy = no enforcement
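A policy only bites when something enforces it at password-change time. The block below is an added example, not from the slides, that turns the enforceable rules above into a checker: longer than 15 characters, mixed character classes, no single dictionary word with digits or symbols bolted on (the "simple permutations" of the Choosing A Password slide), and no temporal reuse against a history of salted PBKDF2 hashes, so the history itself never stores plaintext. The three-class threshold, history depth, PBKDF2 parameters and the small word list are assumptions; spatial reuse (the same password on another system) cannot be checked locally and is left to policy.

```python
"""Password policy check for the rules on the Policy-Based Mitigation slide.

Added example, not from the slides. Length and mixed-character rules follow the slide; the
three-class threshold, history depth, PBKDF2 parameters and word list are assumptions.
"""
import hashlib
import hmac
import os
import re

MIN_LENGTH = 16          # slide: "greater than 15 mixed characters"
MIN_CLASSES = 3          # assumption: at least three of lower/upper/digit/other
HISTORY_DEPTH = 5        # assumption: the last five passwords may not be reused (temporal reuse)
PBKDF2_ROUNDS = 50_000   # assumption; history entries are salted PBKDF2 hashes, never plaintext
COMMON_WORDS = {"password", "michigan", "goblue", "wolverine", "letmein"}   # constructed stand-in for a dictionary
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def history_entry(password: str) -> tuple:
    """Salted, slow hash of a previous password, suitable for storing in a reuse history."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def used_before(password: str, history) -> bool:
    """Recompute the candidate under each stored salt and compare in constant time."""
    for salt, digest in list(history)[-HISTORY_DEPTH:]:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check_password(candidate: str, history=()) -> list:
    """Return the list of policy violations; an empty list means the candidate is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"too short: needs more than {MIN_LENGTH - 1} characters")
    classes = sum(bool(re.search(p, candidate)) for p in CLASS_PATTERNS)
    if classes < MIN_CLASSES:
        problems.append(f"not mixed: use at least {MIN_CLASSES} character classes")
    # A single dictionary word with digits/symbols bolted on is a "simple permutation", not a pass phrase.
    letters_only = re.sub(r"[^a-z]", "", candidate.lower())
    if letters_only in COMMON_WORDS:
        problems.append("dictionary word with trivial decoration")
    if used_before(candidate, history):
        problems.append(f"reused: matches one of the last {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    old = [history_entry("correct horse Battery staple 9")]
    for pw in ("Password123!", "@Rag0Rnrul3z",
               "I wish we'd use 2Factor authentication instead of passwords",
               "correct horse Battery staple 9"):
        print(f"{pw!r}: {check_password(pw, old) or 'OK'}")
```

Note how the passphrase from the next slide passes while the "complex" `@Rag0Rnrul3z` fails on length alone, which is the slide deck's own ordering of what matters.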

Pass Phrases v. Passwords

•  Pass phrases are long strings
  –  “I wish we’d use 2Factor authentication instead of passwords”
  –  Very strong protection against attacks
  –  Easy to remember, a bit longer to type
•  Passwords are short complex strings
  –  “@Rag0Rnrul3z”
  –  Hard to remember
  –  Often difficult to type
  –  Not resistant against current attacks
     ·  Obvious substitutions are quickly broken
•  Take-away: Long easily-remembered phrases are better than short complex passwords

http://xkcd.com/936/

Technology-Based Mitigation: Multi-factor authentication

•  Why use only passwords?
•  Two-factor authentication
  –  Very difficult to thwart
  –  Higher cost of initial deployment
     ·  Long-term cost benefit
  –  Idea: use your smartphone as your token
     ·  http://www.duosecurity.com/
     ·  Google Authenticator
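The smartphone-as-token idea on this slide is, in the Google Authenticator case, the TOTP algorithm of RFC 6238: a shared secret, HMAC-SHA1 over the current 30-second time step, and a short decimal code. The block below is an added example, not from the slides or from either product named, showing the server side of that exchange, including the two details that matter for a safe deployment: constant-time comparison of the code, and refusing to accept the same time step twice so an observed code cannot be replayed. The key is the published RFC 6238 test secret, used only so the outputs can be checked against the RFC's test vectors.

```python
"""TOTP (RFC 6238) verification with a small time window and replay protection.

Added example, not from the slides. This is the algorithm smartphone token apps such as
Google Authenticator implement; the key below is the published RFC 6238 SHA-1 test secret,
used here only so the output can be checked against the RFC's test vectors.
"""
import hashlib
import hmac
import struct
import time

RFC6238_TEST_KEY = b"12345678901234567890"   # RFC 6238 Appendix B test secret, not a real key


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with the counter derived from the current time step."""
    return hotp(key, unix_time // step, digits)


class TotpVerifier:
    """Server side: accept a code for the current step or `window` steps either side, each step at most once."""

    def __init__(self, key: bytes, window: int = 1, step: int = 30, digits: int = 6):
        self.key, self.window, self.step, self.digits = key, window, step, digits
        self.last_counter = -1    # highest step already consumed; replaying a code is refused

    def verify(self, code: str, unix_time=None) -> bool:
        if unix_time is None:
            unix_time = int(time.time())
        counter = unix_time // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue                      # already used, or older than a step already used
            expected = hotp(self.key, c, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time compare
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    for t in (59, 1111111109, 1234567890, 2000000000):
        print(t, totp(RFC6238_TEST_KEY, t, digits=8))
    v = TotpVerifier(RFC6238_TEST_KEY, digits=8)
    print("first use:", v.verify("94287082", 59), "replay:", v.verify("94287082", 59))
```

In a real deployment the per-user secret is generated randomly, stored encrypted at rest, and `last_counter` is persisted alongside it; the verifier above keeps both in memory only for the demonstration.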

Technology-Based Mitigation: Multi-factor authentication

•  Biometrics
  –  Measure some physical characteristic
     ·  Fingerprint, iris color distribution, retinal pattern, …
  –  Usually defeated with non-technical attacks
  –  Historically unreliable
     ·  False positives: bad guy authenticated
     ·  False negatives: legitimate user refused
  –  Can be stolen
  –  Iris scanners popular

(Image: courtesy Wikipedia)

Summary

•  Bad passwords get broken, even when using good storage and authentication methods!
•  Solutions
  1.  Use better passwords
  2.  Don’t let bad guys get the hashes
•  Combination of policy and technology

References

•  http://en.wikipedia.org/wiki/NIST_hash_function_competition
•  http://keccak.noekeon.org/
•  http://csrc.nist.gov/groups/ST/hash/sha-3/
•  http://nvlpubs.nist.gov/nistpubs/ir/2012/NIST.IR.7896.pdf
•  http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/submissions_rnd2.html
•  http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/presentations/BURR_SHA-3Conf-day_1_wrapup.pdf
•  http://en.wikipedia.org/wiki/Rainbow_tables
•  http://ophcrack.sourceforge.net/
•  http://www.freerainbowtables.com/
•  man 3 shadow
•  man 3 crypt

http://threatpost.com/en_us/blogs/social-engineering-attacks-prove-failure-user-education-042110