Brains Over Brawn: Intelligent Password Recovery
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
Automating Security Checks
Mag. iur. Dr. techn. Michael Sonntag Automating security checks Institute for Information Processing and Microprocessor Technology (FIM) Johannes Kepler University Linz, Austria E-Mail: [email protected] http://www.fim.uni-linz.ac.at/staff/sonntag.htm © Michael Sonntag 2010 Agenda Why automatization? What can be automated? Example: Skipfish How reliable are these tools? Practical examples of searching for vulnerabilities: Information collection with NMap Password cracking (John the Ripper, Ophcrack) Exploit scanning with Nessus Michael Sonntag Automating security checks 2 Why automatization? Ensuring security is not that hard for a single system You know it in detail When something is discovered, it is implemented and tested But: Many sites with many configuration options? Do you know them all? » Are they identical everywhere (versions!)? Do you have time to change everything accordingly? » Or do you depend on automatic updates/roll-out? Are you sure you did not miss one option somewhere? » Testing the same thing several times is tedious Solution: Automatic testing whether a problem exists Professionals write tests You just apply them » No need to know exactly how the attack works! Regular re-testing is possible Ad-hoc & patchy testing Systematic & comprehensive Michael Sonntag Automating security checks 3 Overlap with monitoring Some overlap with system monitoring exists Failures are just a “different kind” of attack Some problems may occur accidentally or intentionally » Example: Blacklisting of mail -
PHC: Status Quo
PHC: status quo JP Aumasson @veorq / http://aumasson.jp academic background principal cryptographer at Kudelski Security, .ch applied crypto research and outreach BLAKE, BLAKE2, SipHash, NORX Crypto Coding Standard Password Hashing Competition Open Crypto Audit Project board member do you use passwords? this talk might interest you! Oct 2013 "hash" = 3DES-ECB( static key, password ) users' hint made the guess game easy... (credit Jeremi Gosney / Stricture Group) May 2014; "encrypted passwords" (?) last week that's only the reported/published cases Lesson if Adobe, eBay, and Avast fail to protect their users' passwords, what about others? users using "weak passwords"? ITsec people using "weak defenses"? developers using "weak hashes"? cryptographers, who never bothered? agenda 1. how (not) to protect passwords 2. the Password Hashing Competition (PHC) 3. the 24-2 PHC candidates 4. next steps, and how to contribute WARNING this is NOT about bikeshed topics as: password policies password managers password-strength meters will-technology-X-replace-passwords? 1. how (not) to protect passwords solution of the 60's store "password" or the modern alternative: obviously a bad idea (assuming the server and its DB are compromised) solution of the early 70's store hash("password") "one-way": can't be efficiently inverted vulnerable to: ● efficient dictionary attacks and bruteforce ● time-memory tradeoffs (rainbow tables, etc.) solution of the late 70's store hash("password", salt) "one-way": can't be efficiently inverted immune to time-memory tradeoffs vulnerable to: ● dictionary attacks and bruteforce (but has to be repeated for different hashes) solution of the 2000's store hash("password", salt, cost) "one-way": can't be efficiently inverted immune to time-memory tradeoffs inefficient dictionary attacks and bruteforce main ideas: ● be "slow" ● especially on attackers' hardware (GPU, FPGA) => exploit fast CPU memory access/writes PBKDF2 (Kaliski, 2000) NIST and PKCS standard in Truecrypt, iOS, etc. -
Assignment 3 – Authentication July 2021 Due Thursday, August 12, 2021
CryptoWorks21 Network Security Assignment 3 – Authentication July 2021 due Thursday, August 12, 2021 Assignment 3 – Authentication Assignment reports must be submitted by Thursday, August 12, 2021. Assignment Description In this assignment you will carry out exercises related to the lectures on authentication. You will work on cracking password hashes, as well as investigate two-factor authentication on the Internet. Assignment Requirements and Setup Virtual machines. You will need to use the Kali Linux virtual machines. If you have not downloaded and installed it yet, please check the “Assignment 0” document. John the Ripper. You will need to use a tool called John the Ripper in order to crack password hashes. This tool is pre-installed in the Kali Linux virtual machine. However, John is very computationally intensive, and it might run faster on your main computer rather than inside a virtual machine. If you do decide to install it on your main computer, be sure to use the “jumbo” version, which contains support for many more types of hash algorithms. • For Windows, you can download a jumbo build from the John the Ripper homepage (http://www.openwall.com/john/) • For macOS, you can install John using the command-line package manager “Home- brew”. To install Homebrew, visit https://brew.sh/. Once you’ve installed Home- brew, you can install John using the command brew install john-jumbo . Getting text to and from your virtual machine. During this assignment, you may need to copy text to or from your various virtual machines. This can be somewhat annoying. It is possible to set up shared clipboards in VirtualBox (Settings Ñ General Ñ Advanced Ñ Shared Clipboard Ñ Bidirectional), but these are not always reliable. -
Analysis of Password Cracking Methods & Applications
The University of Akron IdeaExchange@UAkron The Dr. Gary B. and Pamela S. Williams Honors Honors Research Projects College Spring 2015 Analysis of Password Cracking Methods & Applications John A. Chester The University Of Akron, [email protected] Please take a moment to share how this work helps you through this survey. Your feedback will be important as we plan further development of our repository. Follow this and additional works at: http://ideaexchange.uakron.edu/honors_research_projects Part of the Information Security Commons Recommended Citation Chester, John A., "Analysis of Password Cracking Methods & Applications" (2015). Honors Research Projects. 7. http://ideaexchange.uakron.edu/honors_research_projects/7 This Honors Research Project is brought to you for free and open access by The Dr. Gary B. and Pamela S. Williams Honors College at IdeaExchange@UAkron, the institutional repository of The nivU ersity of Akron in Akron, Ohio, USA. It has been accepted for inclusion in Honors Research Projects by an authorized administrator of IdeaExchange@UAkron. For more information, please contact [email protected], [email protected]. Analysis of Password Cracking Methods & Applications John A. Chester The University of Akron Abstract -- This project examines the nature of password cracking and modern applications. Several applications for different platforms are studied. Different methods of cracking are explained, including dictionary attack, brute force, and rainbow tables. Password cracking across different mediums is examined. Hashing and how it affects password cracking is discussed. An implementation of two hash-based password cracking algorithms is developed, along with experimental results of their efficiency. I. Introduction Password cracking is the process of either guessing or recovering a password from stored locations or from a data transmission system [1]. -
Cryptanalytic Tools
Cryptanalytic Tools Authors: Prof. Dr.-Ing. Tim Güneysu Dipl. Ing. Alexander Wild B. Sc. Tobias Schneider Ruhr-Universität Bochum Module Cryptanalytic Tools Chapter 3: Introduction to Cryptanalysis Chapter 4: Computational Complexity and Parallelism Chapter 5: Secret Parameters and Keys Chapter 6: Tools for Symmetric Cryptanalysis Chapter 7: Tools for Asymmetric Cryptanalysis Authors: Prof. Dr.-Ing. Tim Güneysu Dipl. Ing. Alexander Wild B. Sc. Tobias Schneider 1. edition Ruhr-Universität Bochum © 2015 Ruhr-Universität Bochum Universitätsstraße 150 44801 Bochum 1. edition (31. March 2015) Das Werk einschließlich seiner Teile ist urheberrechtlich geschützt. Jede Ver- wendung außerhalb der engen Grenzen des Urheberrechtsgesetzes ist ohne Zustimmung der Verfasser unzulässig und strafbar. Das gilt insbesondere für Vervielfältigungen, Übersetzungen, Mikroverfilmungen und die Einspe- icherung und Verarbeitung in elektronischen Systemen. Um die Lesbarkeit zu vereinfachen, wird auf die zusätzliche Formulierung der weiblichen Form bei Personenbezeichnungen verzichtet. Wir weisen deshalb darauf hin, dass die Verwendung der männlichen Form explizit als geschlechtsunabhängig verstanden werden soll. Das diesem Bericht zugrundeliegende Vorhaben wurde mit Mitteln des Bundesministeriums für Bildung, und Forschung unter dem Förderkennze- ichen 16OH12026 gefördert. Die Verantwortung für den Inhalt dieser Veröf- fentlichung liegt beim Autor. Contents Page3 Contents Introduction to the module books 5 I. Icons and colour codes . 5 Chapter 3 Introduction to Cryptanalysis 7 3.1 Definition of Security . 7 3.1.1 Security of Cryptographic Systems . 7 3.1.2 Categories of Attacks . 8 3.1.3 Categories of Attackers . 9 3.1.4 Secret Key Lengths . 10 3.2 Outline of this Lecture . 11 3.3 Further Reading Materials . 11 Chapter 4 Computational Complexity and Parallelism 13 4.1 Asymptotic Computational Complexity . -
BLAKE2: Simpler, Smaller, Fast As MD5
BLAKE2: simpler, smaller, fast as MD5 Jean-Philippe Aumasson1, Samuel Neves2, Zooko Wilcox-O'Hearn3, and Christian Winnerlein4 1 Kudelski Security, Switzerland [email protected] 2 University of Coimbra, Portugal [email protected] 3 Least Authority Enterprises, USA [email protected] 4 Ludwig Maximilian University of Munich, Germany [email protected] Abstract. We present the hash function BLAKE2, an improved version of the SHA-3 finalist BLAKE optimized for speed in software. Target applications include cloud storage, intrusion detection, or version control systems. BLAKE2 comes in two main flavors: BLAKE2b is optimized for 64-bit platforms, and BLAKE2s for smaller architectures. On 64- bit platforms, BLAKE2 is often faster than MD5, yet provides security similar to that of SHA-3: up to 256-bit collision resistance, immunity to length extension, indifferentiability from a random oracle, etc. We specify parallel versions BLAKE2bp and BLAKE2sp that are up to 4 and 8 times faster, by taking advantage of SIMD and/or multiple cores. BLAKE2 reduces the RAM requirements of BLAKE down to 168 bytes, making it smaller than any of the five SHA-3 finalists, and 32% smaller than BLAKE. Finally, BLAKE2 provides a comprehensive support for tree-hashing as well as keyed hashing (be it in sequential or tree mode). 1 Introduction The SHA-3 Competition succeeded in selecting a hash function that comple- ments SHA-2 and is much faster than SHA-2 in hardware [1]. There is nev- ertheless a demand for fast software hashing for applications such as integrity checking and deduplication in filesystems and cloud storage, host-based intrusion detection, version control systems, or secure boot schemes. -
Implementation and Performance Analysis of PBKDF2, Bcrypt, Scrypt Algorithms
Implementation and Performance Analysis of PBKDF2, Bcrypt, Scrypt Algorithms Levent Ertaul, Manpreet Kaur, Venkata Arun Kumar R Gudise CSU East Bay, Hayward, CA, USA. [email protected], [email protected], [email protected] Abstract- With the increase in mobile wireless or data lookup. Whereas, Cryptographic hash functions are technologies, security breaches are also increasing. It has used for building blocks for HMACs which provides become critical to safeguard our sensitive information message authentication. They ensure integrity of the data from the wrongdoers. So, having strong password is that is transmitted. Collision free hash function is the one pivotal. As almost every website needs you to login and which can never have same hashes of different output. If a create a password, it’s tempting to use same password and b are inputs such that H (a) =H (b), and a ≠ b. for numerous websites like banks, shopping and social User chosen passwords shall not be used directly as networking websites. This way we are making our cryptographic keys as they have low entropy and information easily accessible to hackers. Hence, we need randomness properties [2].Password is the secret value from a strong application for password security and which the cryptographic key can be generated. Figure 1 management. In this paper, we are going to compare the shows the statics of increasing cybercrime every year. Hence performance of 3 key derivation algorithms, namely, there is a need for strong key generation algorithms which PBKDF2 (Password Based Key Derivation Function), can generate the keys which are nearly impossible for the Bcrypt and Scrypt. -
Hash Crack: Password Cracking Manual
Hash Crack. Copyright © 2017 Netmux LLC All rights reserved. Without limiting the rights under the copyright reserved above, no part of this publication may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise) without prior written permission. ISBN-10: 1975924584 ISBN-13: 978-1975924584 Netmux and the Netmux logo are registered trademarks of Netmux, LLC. Other product and company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark. The information in this book is distributed on an “As Is” basis, without warranty. While every precaution has been taken in the preparation of this work, neither the author nor Netmux LLC, shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in it. While every effort has been made to ensure the accuracy and legitimacy of the references, referrals, and links (collectively “Links”) presented in this book/ebook, Netmux is not responsible or liable for broken Links or missing or fallacious information at the Links. Any Links in this book to a specific product, process, website, or service do not constitute or imply an endorsement by Netmux of same, or its producer or provider. The views and opinions contained at any Links do not necessarily express or reflect those of Netmux. -
NCL Password Cracking--Key Getting Started You Can Install a Pre-Built Vmware VM from Here
NCL Password Cracking--Key Getting Started You can install a pre-built VMware VM from here. You just need to open the VM, not install it. The login credentials are kali, kali. https://www.offensive-security.com/kali-linux-vm-vmware-virtualbox-image-download/ Then read this excellent blog from NCL. https://cryptokait.com/2019/09/24/everything-you-need-to-know-about-password-cracking-for-the- national-cyber-league-games/ A Note about Hashcat Hashcat, and the older John the Ripper, keep a list of hashes they have already cracked. If the hash is in the list, it will not appear in the output. This can be confusing if you are having problems and run the same hash file repeatedly. If you think some cracked hashes are missing, look in .hashcat/hashcat.potfile in your home directory, or perhaps where you ran hashcat from. If you want to start from scratch, just delete .hashcat/hashcat.potfile A Crack to Start With This is from the paragraph in the NCL Blog, “Using a Pre-Made Wordlist on Kali.” Follow the procedure to unzip (actually Gnu unzip or gunzip) the password list from the rockyou.com breach (I moved rockyou.txt to my home directory instead of Downloads.) Then run the hashcat line, hashcat -m 0 {means the hashes are MD5} -a 0 {attack will be wordlist only} -o outputfile {where the output goes} hashlist pwlist Here are the hashes. 8549137cd494c22ae87eef3e18a46986 0f96a320a8c0bf7e3f6d375b0d9d3a4c 1a8cb8d148b513dfa1d285077fc4e3fb 22a313110bf5b84c0a58eecc27deaa30 e4fd50109f0e40e8c1a895d8e5c71199 These are easy and should crack in under a minute. Solution Save the hashes in a file on Kali. -
Chapter 5 Results
CHAPTER 5 RESULTS 5.1 Results This chapter will discuss the results of the testing and comparison of the password cracking tools used. This chapter can be summarized as follows: • Research Data and Result Analysis (Locally) • Research Data and Result Analysis (Remotely) • Research Data and Result Analysis (Alphabets only) • Research Data and Result Analysis (Alphabets and a special character) 5.2 Research Data and Result Analysis (Locally) In Figure 16, Ophcrack was used to crack the local users' password with different combinations of password, alphabets, alphanumeric, alphanumeric special characters, english and non-english words. In Figure 17, Ophcrack was used to crack the same password, but excluding the 3 password that were not cracked in the previous attempt. In Figure 18, Cain was used to crack the local users' password. 35 36 Figure 16 - Ophcrack cracked 7 of 10 passwords Figure 17 - Ophcrack cracked 7 of 7 passwords 37 Figure 18 - Cain cracked 5 of 10 passwords 5.3 Research Data and Result Analysis (Remotely) First, the author scans the network for active IP address with NMAP (Figure 19). He used the command of "nmap -O 192.168.1.1-254" to scan the network, it would scan each IP address for active computer. The command -O enabled operating system detection. From the result of the scanning, there were few ports in the state of open and the services that were using those ports, 135/TCP, 139/TCP, 445/TCP and 1984/TCP. Another important detail was the OS details; it showed that the computer was running under Microsoft Windows XP Professional SP2 or Windows Server 2003. -
Key Derivation Functions and Their GPU Implementation
MASARYK UNIVERSITY FACULTY}w¡¢£¤¥¦§¨ OF I !"#$%&'()+,-./012345<yA|NFORMATICS Key derivation functions and their GPU implementation BACHELOR’S THESIS Ondrej Mosnáˇcek Brno, Spring 2015 This work is licensed under a Creative Commons Attribution- NonCommercial-ShareAlike 4.0 International License. https://creativecommons.org/licenses/by-nc-sa/4.0/ cbna ii Declaration Hereby I declare, that this paper is my original authorial work, which I have worked out by my own. All sources, references and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source. Ondrej Mosnáˇcek Advisor: Ing. Milan Brož iii Acknowledgement I would like to thank my supervisor for his guidance and support, and also for his extensive contributions to the Cryptsetup open- source project. Next, I would like to thank my family for their support and pa- tience and also to my friends who were falling behind schedule just like me and thus helped me not to panic. Last but not least, access to computing and storage facilities owned by parties and projects contributing to the National Grid In- frastructure MetaCentrum, provided under the programme “Projects of Large Infrastructure for Research, Development, and Innovations” (LM2010005), is also greatly appreciated. v Abstract Key derivation functions are a key element of many cryptographic applications. Password-based key derivation functions are designed specifically to derive cryptographic keys from low-entropy sources (such as passwords or passphrases) and to counter brute-force and dictionary attacks. However, the most widely adopted standard for password-based key derivation, PBKDF2, as implemented in most applications, is highly susceptible to attacks using Graphics Process- ing Units (GPUs). -
Password Security - When Passwords Are There for the World to See
Password Security - When Passwords are there for the World to see Eleanore Young Marc Ruef (Editor) Offense Department, scip AG Research Department, scip AG [email protected] [email protected] https://www.scip.ch https://www.scip.ch Keywords: Bitcoin, Exchange, GitHub, Hashcat, Leak, OWASP, Password, Policy, Rapid, Storage 1. Preface password from a hash without having to attempt a reversal of the hashing algorithm. This paper was written in 2017 as part of a research project at scip AG, Switzerland. It was initially published online at Furthermore, if passwords are fed through hashing https://www.scip.ch/en/?labs.20170112 and is available in algorithms as is, two persons who happen to use the same English and German. Providing our clients with innovative password, will also have the same hash value. As a research for the information technology of the future is an countermeasure, developers have started adding random essential part of our company culture. user-specific values (the salt) to the password before calculating the hash. The salt will then be stored alongside 2. Introduction the password hash in the user account database. As such, even if two persons use the same password, their resulting The year 2016 has seen many reveals of successful attacks hash value will be different due to the added salt. on user account databases; the most notable cases being the attacks on Yahoo [1] and Dropbox [2]. Thanks to recent Modern GPU architectures are designed for large scale advances not only in graphics processing hardware (GPUs), parallelism. Currently, a decent consumer-grade graphics but also in password cracking software, it has become card is capable of performing on the order of 1000 dangerously cheap to determine the actual passwords from calculations simultaneously.