Understanding Password Security: Techniques and Best Practices

Slide Note
Embed
Share

Delve into the world of password security with this comprehensive guide, covering topics such as password gathering, cracking strategies, tools, types of passwords, hashes, salting, better hashes, and hash identification. Learn how to enhance security measures and protect against malicious attacks.

mnis
mnis Follow

Uploaded on Oct 09, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. Passwords Offensive Security

  2. Passwords No need for an exploit if you already have away in Gathering them Using them Offensive Security 2

  3. Cracking Passwords If you gain a hash it isn t always useful Sometimes a hash is Pass the hash attacks Using a tool to reverse the hashes Different types of hashes make for more difficult Offensive Security 3

  4. Cracking Strategies Brute force Could take a very long time Dictionary Online Rainbow table Offline Offensive Security So which do you use? 4

  5. Cracking Tools John the Ripper (JtR) Hashcat Online Tools Never use with real customer data Offensive Security 5

  6. Generated lists Dictionary Default lists Rainbow Tables Rainbow Crack rtgen generate tables rtsort Sorts the tables rcrack Lookup process Offensive Security 6

  7. Types of Passwords Encrypted Hopefully not Hashed One way and not reversible Many different types Windows Hashed LM NTLM Offensive Security 7

  8. Hashes Any amount of data into a fixed length fingerprint If even a single bit of data changes the entire hash changes SHA1 SHA256/SHA512 MD2, MD4, MD5, MD6 Offensive Security https://en.wikipedia.org/wiki/List_of_hash_functions 8

  9. Salting Hashes Causes lookup tables and rainbow tables to fail In a table the salt is always the same Append or prepend a random string before hashing Salting Fails Salt Reuse Short Salt Offensive Security 9

  10. Better Hashes Salt generated using a CSPRNG Keyed hashes Slower hashing functions PBKDF2, bcrypt, scrypt, argon Offensive Security 10

  11. Identifying Hashes Sometimes easily identifiable /etc/shadow Windows Hashes Automatically John the Ripper HashID Offensive Security 11

  12. Hashing & Cracking Demo Sample Hashes: http://openwall.info/wiki/john/sample-hashes Offensive Security 12

  13. Default Credentials Web Applications Services Tomcat Organization default credentials If the organization publishes new hire documentation? Offensive Security 13

  14. Finding Them Scripts Enough access on the host Get root on a system through other means Check /etc/shadow /etc/passwd Text document on desktop with the master password to the Keepass database that stores all other admin passwords for the network Offensive Security 14

  15. Linux Passwords /etc/passwd Stores data about user User ID, group ID, home directory, login shell Not the password, but why is this important? /etc/shadow Hashed form of the password, if there is one Type of Hash Salt Password expiration data Offensive Security Take a look in Kali Unshadowing 15

  16. Windows Passwords Passwords are stored in the SAM file Security accounts Manager %SYSTEMROOT%\System32\config\SAM Typically C:\Windows Protection Use good passwords Separate admin/user passwords Change the password somewhat frequently Offensive Security 16

  17. LM Hashes LAN Manager Used in older versions of Windows Step 1: Convert to uppercase Password1 = PASSWORD1 Step 2: Pad the plaintext with null chars to make it 14 bytes long PASSWORD1 = PASSWORD1\0\0\0\0\0 Step 3: Split the password into two 7 byte/char chunks PASSWOR D1\0\0\0\0\0 Step 4: Hash each chunk and concatenate Step 5: Store in the SAM file Offensive Security 17

  18. NTLM/NTLMv2 NTLM Take unicode, mixed case password Utilize MD4 to hash the password NTLMv2 Cryptographically strengthened version of NTLM Offensive Security 18

  19. Stealing Passwords Mimikatz Benjamin Delpy LSASS Process Defended by Windows Credential Guard Offensive Security 19

  20. Other Tools Mimikatz Dcsync Responder Internal Monologue Offensive Security Linux SSH 20

Related


Best Practices for Secure Password Storage - OWASP Foundation Guidelines

Best Practices for Secure Password Storage - OWASP Foundation Guidelines

jmull
Cybersecurity Best Practices for Password Protection and Incident Response

Cybersecurity Best Practices for Password Protection and Incident Response

aarav
Understanding Fine-Grained Password Policies in Active Directory

Understanding Fine-Grained Password Policies in Active Directory

jasmarie
Interactive Password Security Activity for Children

Interactive Password Security Activity for Children

rdoll
Best Practices for Securing Linux Systems

Best Practices for Securing Linux Systems

kaelonca
Techniques and Tools for Offline Password Cracking

Techniques and Tools for Offline Password Cracking

gemm
Understanding Device Settings and Strong Passwords for Digital Citizenship

Understanding Device Settings and Strong Passwords for Digital Citizenship

urban
Strengthen Your Digital Literacy with Strong Password Strategies

Strengthen Your Digital Literacy with Strong Password Strategies

eleonora
Safely Logging Password-Derived Measurements for Web Login Systems

Safely Logging Password-Derived Measurements for Web Login Systems

mar_ech
Promote Feature Adoption with Self-Service Password Reset Posters

Promote Feature Adoption with Self-Service Password Reset Posters

aster
Improving DNS Security with KINDNS Best Practices

Improving DNS Security with KINDNS Best Practices

ceis
Windows Security Overview and Best Practices

Windows Security Overview and Best Practices

graisynpu
Guide to Logging in and Setting Up Core-CT for the First Time

Guide to Logging in and Setting Up Core-CT for the First Time

alligood_l
Managing Application Security in Large Organizations: Insights and Best Practices

Managing Application Security in Large Organizations: Insights and Best Practices

joli_38
Best Practices for Protecting Sensitive Data

Best Practices for Protecting Sensitive Data

jas_r
Understanding the Role of Security Champions in Organizations

Understanding the Role of Security Champions in Organizations

irvin
Mastering Strong Passwords: A Practical Guide

Mastering Strong Passwords: A Practical Guide

darl_359
Understanding the Roles of a Security Partner

Understanding the Roles of a Security Partner

zaara
Digital Wellness and Password Security Lesson for Students

Digital Wellness and Password Security Lesson for Students

paolo
Enhancing WiFi Security and Password Protection for IoT Devices

Enhancing WiFi Security and Password Protection for IoT Devices

sul_ma
Tools and Techniques for Extracting Password Hashes and Credentials from Windows Systems

Tools and Techniques for Extracting Password Hashes and Credentials from Windows Systems

aztz961
Enhancing Security with Windows Hello for Business

Enhancing Security with Windows Hello for Business

truett
Understanding HTTP Security Headers for Web Apps

Understanding HTTP Security Headers for Web Apps

pembroke_l
Password Cracking Techniques and Remote Desktop Access Setup

Password Cracking Techniques and Remote Desktop Access Setup

wmck

More Related Content

Evolution of TLS Security Profiles and Best Practices
Evolution of TLS Security Profiles and Best Practices
Evolving Security Practices in DevOps: A Holistic Approach
Evolving Security Practices in DevOps: A Holistic Approach
Understanding Security in World Politics
Understanding Security in World Politics
BCA 601(N): Computer Network Security
BCA 601(N): Computer Network Security
Accessing NC Fast Subsidized Child Care Data in Data Warehouse
Accessing NC Fast Subsidized Child Care Data in Data Warehouse
Evolution of Password Security in Modern Computing
Evolution of Password Security in Modern Computing
UIC Security Division Overview and International Activities
UIC Security Division Overview and International Activities
Understanding Provable Security Models in Cryptography
Understanding Provable Security Models in Cryptography
Modern Solution for Enhanced Security - Face Lock Technology
Modern Solution for Enhanced Security - Face Lock Technology
Enhancing Web Security with U2F Authentication
Enhancing Web Security with U2F Authentication
Comprehensive Course Review: Security Research Cornerstones at Carnegie Mellon University
Comprehensive Course Review: Security Research Cornerstones at Carnegie Mellon University
Automating Security Operations Using Phantom
Automating Security Operations Using Phantom
Understanding Scrypt: Maximally Memory-Hard Functions
Understanding Scrypt: Maximally Memory-Hard Functions
Understanding Security Practices in Laserfiche
Understanding Security Practices in Laserfiche
Understanding Computer Security Principles and Practices
Understanding Computer Security Principles and Practices
Understanding Man-in-the-Middle Attacks and Network Security Threats
Understanding Man-in-the-Middle Attacks and Network Security Threats
Understanding Wireless Security Audits and Best Practices
Understanding Wireless Security Audits and Best Practices
AEP Enterprise Security Program Overview - June 2021 Update
AEP Enterprise Security Program Overview - June 2021 Update
Data Storage, Backup, and Security Essentials
Data Storage, Backup, and Security Essentials
Data Protection Best Practices for Secure Storage and File Encryption
Data Protection Best Practices for Secure Storage and File Encryption
Agile Security Practices and Collaboration Insights
Agile Security Practices and Collaboration Insights
Understanding PeopleSoft Security: A Comprehensive Guide
Understanding PeopleSoft Security: A Comprehensive Guide
International Approaches to Enhance Nuclear Safety and Security
International Approaches to Enhance Nuclear Safety and Security
Understanding Data Security Tools and Techniques
Understanding Data Security Tools and Techniques