Password Security: Techniques and Best Practices

Passwords
 
Offensive Security
 
Passwords
 
No need for an exploit if you already have a way in
 
Gathering them
 
Using them
 
 
 
Cracking Passwords
 
If you gain a hash it isn't always useful
Sometimes a hash is: pass-the-hash attacks
 
Using a tool to "reverse" the hashes
 
Different types of hashes make for more difficult cracking
 
 
Cracking Strategies
 
Brute force
Could take a very long time
Dictionary
Online
Rainbow table
Offline
 
So which do you use?
 
 
Cracking Tools
 
John the Ripper (JtR)
 
Hashcat
 
Online Tools
Never use with real customer data
 
 
Generated lists
 
Dictionary
Default lists
 
Rainbow Tables
Rainbow Crack
rtgen – generates the tables
rtsort – sorts the tables
rcrack – looks up hashes in the tables
 
 
Types of Passwords
 
Encrypted
Hopefully not
Hashed
One way and not reversible
Many different types
Windows Hashed
LM
NTLM
 
 
Hashes
 
Any amount of data maps to a fixed-length "fingerprint"
If even a single bit of input changes, the entire hash changes
 
SHA1
SHA256/SHA512
MD2, MD4, MD5, MD6
 
https://en.wikipedia.org/wiki/List_of_hash_functions
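The two properties listed above (fixed output size regardless of input size, and a one-bit input change scrambling the whole digest) measured concretely. This is an added example, not part of the slide deck; it uses SHA-256 from Python's standard library and constructed sample inputs.

```python
import hashlib


def digest_lengths(inputs):
    """Every input, whatever its size, maps to a 32-byte (256-bit) SHA-256 fingerprint."""
    return [len(hashlib.sha256(x).digest()) for x in inputs]


def hamming_distance(a: bytes, b: bytes) -> int:
    """Count the bits that differ between two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def bits_changed_by_one_bit_flip(msg: bytes) -> int:
    """Flip the lowest bit of the last byte of msg and count how many of the 256
    digest bits change. For a sound hash this lands near half (around 128):
    the 'entire hash changes' effect from the slide."""
    if not msg:
        raise ValueError("need at least one byte to flip")
    flipped = msg[:-1] + bytes([msg[-1] ^ 0x01])
    return hamming_distance(hashlib.sha256(msg).digest(),
                            hashlib.sha256(flipped).digest())


if __name__ == "__main__":
    # Constructed inputs of very different sizes: empty, 8 bytes, 1 MB.
    samples = [b"", b"password", b"a" * 1_000_000]
    print(digest_lengths(samples))
    print(bits_changed_by_one_bit_flip(b"password"))
```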
 
 
 
Salting Hashes
 
Causes lookup tables and rainbow tables to fail
In a precomputed table the salt is always the same
 
Append or prepend a random string before hashing
 
Salting Fails
Salt Reuse
Short Salt
 
 
Better Hashes
 
Salt generated using a CSPRNG
 
Keyed hashes
 
Slower hashing functions
PBKDF2, bcrypt, scrypt, Argon2
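An added example (not from the slides) tying the salting slide and this one together: a precomputed lookup table recovers an unsalted fast hash at once, a reused salt makes two users with the same password indistinguishable, and a per-user CSPRNG salt with a slow KDF (PBKDF2-HMAC-SHA256 here) and a keyed hash (HMAC) close both holes. The password list, the "table", the iteration count and the server key are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed "leaked" password list and a precomputed table of unsalted SHA-256
# digests, standing in for a lookup/rainbow table.
COMMON_PASSWORDS = ["password", "123456", "letmein", "Password1"]
LOOKUP_TABLE = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}

# Assumption: iteration count chosen for a quick demo; raise it in production.
PBKDF2_ITERATIONS = 100_000


def unsalted(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def lookup(stored_hash: str):
    """Table lookup: succeeds only if the stored value was computed with no salt
    (or with the single fixed salt the table was built for)."""
    return LOOKUP_TABLE.get(stored_hash)


def salted_sha256(password: str, salt: bytes) -> str:
    """Prepend-the-salt construction from the slide. Still a fast hash, so it only
    defeats precomputed tables, not targeted guessing against one user."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_record(password: str) -> dict:
    """Better hash: 16-byte salt from a CSPRNG (never reused) plus a slow KDF."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS, "hash": digest.hex()}


def verify(password: str, record: dict) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])  # constant-time compare


def keyed_hash(password: str, server_key: bytes) -> str:
    """Keyed hash (HMAC): without the server-side key no table can be precomputed."""
    return hmac.new(server_key, password.encode(), hashlib.sha256).hexdigest()


def demo():
    # 1. Unsalted: the table hands back the password directly.
    recovered = lookup(unsalted("letmein"))
    # 2. Salt reuse: same password + same salt = same hash for every user, so one
    #    table built for that salt (or one cracked hash) covers all of them.
    shared_salt = b"static!!"
    reused = salted_sha256("letmein", shared_salt) == salted_sha256("letmein", shared_salt)
    # 3. Per-user CSPRNG salt: the same password yields different records.
    r1, r2 = make_record("letmein"), make_record("letmein")
    return recovered, reused, r1["hash"] != r2["hash"], verify("letmein", r1), verify("wrong", r1)


if __name__ == "__main__":
    print(demo())
```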
 
 
Identifying Hashes
 
Sometimes easily identifiable
/etc/shadow
Windows Hashes
 
Automatically
John the Ripper
HashID
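A small format-based identifier in the spirit of what HashID and John's autodetection do, added here as an example and not taken from either tool. It recognises crypt-style `$id$` prefixes (the /etc/shadow case), Windows pwdump-style `user:rid:LM:NT:::` lines, and bare hex digests, for which it reports every candidate of that length, since a 32-hex-character value could be MD5, MD4, NTLM or LM. The prefix and length tables are deliberately non-exhaustive; the hashes in the test are well-known public test vectors, not data from the slides.

```python
import re

# crypt(3)-style prefixes seen in /etc/shadow (non-exhaustive).
CRYPT_PREFIXES = {
    "$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt",
    "$argon2id$": "argon2id", "$argon2i$": "argon2i",
}
# Bare hex digests are ambiguous: many algorithms share an output length.
HEX_LENGTHS = {
    32: ["MD5", "NTLM", "LM", "MD4"],
    40: ["SHA-1"],
    64: ["SHA-256"],
    128: ["SHA-512"],
}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# LM hash of the empty password: seen when LM storage is disabled or the field is blank.
LM_EMPTY = "aad3b435b51404eeaad3b435b51404ee"


def identify(value: str) -> list:
    """Return candidate algorithm names for one hash string (possibly several, possibly none)."""
    value = value.strip()
    for prefix, name in CRYPT_PREFIXES.items():
        if value.startswith(prefix):
            return [name]
    if HEX_RE.match(value):
        return list(HEX_LENGTHS.get(len(value), []))
    return []


def parse_pwdump_line(line: str) -> dict:
    """Parse 'user:rid:LMhash:NThash:::' as written by SAM dump tools.
    lm_stored=False means the LM half is the empty-password constant, i.e. no
    legacy LM hash is kept for this account, which is what a defender wants."""
    parts = line.strip().split(":")
    if len(parts) < 4 or not (HEX_RE.match(parts[2]) and HEX_RE.match(parts[3])):
        raise ValueError("not a pwdump-style user:rid:LM:NT::: line")
    user, rid, lm, nt = parts[:4]
    return {"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower(),
            "lm_stored": lm.lower() != LM_EMPTY}


def identify_line(line: str) -> dict:
    """Dispatch on shape: pwdump-style, shadow-style 'user:$id$...:...', or a bare hash."""
    if ":" in line:
        parts = line.split(":")
        if len(parts) >= 4 and parts[1].isdigit():
            return {"format": "pwdump", **parse_pwdump_line(line)}
        return {"format": "shadow", "user": parts[0], "candidates": identify(parts[1])}
    return {"format": "bare", "candidates": identify(line)}


if __name__ == "__main__":
    # Constructed sample lines; the hex values are public test vectors.
    for sample in ["5f4dcc3b5aa765d61d8327deb882cf99",
                   "alice:$y$j9T$SALT$PLACEHOLDER:19800:0:90:7:::",
                   "Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::"]:
        print(identify_line(sample))
```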
 
 
Hashing & Cracking Demo
 
Sample Hashes:
http://openwall.info/wiki/john/sample-hashes
 
 
Default Credentials
 
Web Applications
Services
Tomcat
 
Organization default credentials
What if the organization publishes its new-hire documentation?
 
 
 
Finding Them
 
Scripts
 
Enough access on the host
Get root on a system through other means
Check /etc/shadow and /etc/passwd
 
Text document on the desktop with the master password to the
KeePass database that stores all other admin passwords for
the network
 
 
 
Linux Passwords
 
/etc/passwd
Stores data about each user
User ID, group ID, home directory, login shell
Not the password, but why is this important?
/etc/shadow
Hashed form of the password, if there is one
Type of Hash
Salt
Password expiration data
 
Take a look in Kali
Unshadowing
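An added example (not from the slides) that walks the two files described above: it parses constructed /etc/passwd and /etc/shadow lines, pulls the hash type, salt and expiry out of each shadow entry, flags locked accounts, and joins the files by username the way the `unshadow` tool does (the passwd line with its `x` replaced by the hash). The hash strings are placeholders, not real password hashes.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)

# Constructed sample lines; the field order matches the real files.
# /etc/passwd is world-readable: it gives usernames, UIDs and shells even
# though the password field is just 'x'.
PASSWD_LINES = [
    "root:x:0:0:root:/root:/bin/bash",
    "alice:x:1000:1000:Alice:/home/alice:/bin/bash",
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin",
]
# /etc/shadow: name:hash:lastchange:min:max:warn:inactive:expire:reserved
SHADOW_LINES = [
    "root:$6$SALTsalt$PLACEHOLDERHASH:19700:0:99999:7:::",
    "alice:$y$j9T$SALT$PLACEHOLDERHASH:19800:0:90:7:::",
    "daemon:*:19700:0:99999:7:::",
]
CRYPT_IDS = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
             "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}


def parse_passwd(line: str) -> dict:
    name, _pw, uid, gid, gecos, home, shell = line.split(":")
    return {"name": name, "uid": int(uid), "gid": int(gid), "gecos": gecos,
            "home": home, "shell": shell}


def split_crypt(hash_field: str):
    """Return (algorithm, salt) from a '$id$[params$]salt$digest' field, or (None, None)."""
    if not hash_field.startswith("$"):
        return None, None
    parts = hash_field.split("$")        # ['', id, (params), salt, digest]
    crypt_id = parts[1]
    if crypt_id.startswith("2"):         # bcrypt: $2b$cost$<22-char salt><31-char digest>
        return CRYPT_IDS.get(crypt_id, "unknown"), parts[3][:22]
    return CRYPT_IDS.get(crypt_id, "unknown"), parts[-2]


def parse_shadow(line: str) -> dict:
    f = line.split(":")
    name, hash_field, last_change, _min_days, max_days = f[0], f[1], f[2], f[3], f[4]
    algorithm, salt = split_crypt(hash_field)
    expires = None
    if last_change and max_days and int(max_days) < 99999:   # 99999 means never
        expires = EPOCH + timedelta(days=int(last_change) + int(max_days))
    return {
        "name": name, "hash": hash_field, "algorithm": algorithm, "salt": salt,
        # '*' or a leading '!' means no usable hash: password login is locked.
        "locked": hash_field == "*" or hash_field.startswith("!"),
        "password_expires": expires,
    }


def unshadow(passwd_lines, shadow_lines):
    """Join by username: each passwd line with the 'x' replaced by the shadow hash."""
    hashes = {r["name"]: r["hash"] for r in map(parse_shadow, shadow_lines)}
    out = []
    for line in passwd_lines:
        fields = line.split(":")
        fields[1] = hashes.get(fields[0], fields[1])
        out.append(":".join(fields))
    return out


if __name__ == "__main__":
    for rec in map(parse_shadow, SHADOW_LINES):
        print(rec)
    print("\n".join(unshadow(PASSWD_LINES, SHADOW_LINES)))
```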
 
 
Windows Passwords
 
Passwords are stored in the SAM file
Security Account Manager
%SYSTEMROOT%\System32\config\SAM
Typically C:\Windows
 
Protection
Use good passwords
Separate admin/user passwords
Change the password somewhat frequently
 
 
LM Hashes
 
LAN Manager
Used in older versions of Windows
Step 1: Convert to uppercase
Password1 = PASSWORD1
Step 2: Pad the plaintext with null chars to make it 14 bytes long
PASSWORD1 = PASSWORD1\0\0\0\0\0
Step 3: Split the password into two 7 byte/char chunks
PASSWOR       D1\0\0\0\0\0
Step 4: Hash each chunk and concatenate
Step 5: Store in the SAM file
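Steps 1 to 3 above as code, added here as an example and not taken from the slides. It stops before step 4 (the per-half hashing) and instead shows what the preprocessing alone gives away: case is discarded, every password of 7 characters or fewer produces an identical all-NUL second half, and two passwords that agree on their first 7 characters feed identical input to the first half. The example assumes ASCII passwords and, as LM does, truncates input beyond 14 characters (a detail the slide does not state).

```python
def lm_preprocess(password: str):
    """Steps 1-3 from the slide: uppercase, NUL-pad to 14 bytes, split into two 7-byte halves.
    Assumption for this example: ASCII input only; anything past 14 characters is dropped."""
    try:
        raw = password.upper().encode("ascii")
    except UnicodeEncodeError:
        raise ValueError("this example handles ASCII passwords only")
    padded = raw[:14].ljust(14, b"\x00")
    return padded[:7], padded[7:]


def shares_first_half(p1: str, p2: str) -> bool:
    """True when both passwords hand step 4 the same first 7-byte block."""
    return lm_preprocess(p1)[0] == lm_preprocess(p2)[0]


def lm_weaknesses(password: str) -> dict:
    """Summarise what the split/pad/uppercase scheme leaks for one password."""
    first, second = lm_preprocess(password)
    return {
        "first_half": first,
        "second_half": second,
        "case_insensitive": lm_preprocess(password.lower()) == lm_preprocess(password.upper()),
        # A blank second half tells an observer the password is at most 7 characters.
        "second_half_blank": second == b"\x00" * 7,
    }


def guesses_to_cover(charset_size: int = 69) -> tuple:
    """Guesses for one 7-byte half (charset^7, each half cracked on its own) versus a
    14-character password hashed as a single unit (charset^14). 69 = 26 upper-case
    letters + 10 digits + 33 printable symbols once lower case has been folded away."""
    return charset_size ** 7, charset_size ** 14


if __name__ == "__main__":
    print(lm_preprocess("Password1"))
    print(lm_weaknesses("secret"))
    print(guesses_to_cover())
```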
 
 
NTLM/NTLMv2
 
NTLM
Takes the Unicode, mixed-case password
Uses MD4 to hash the password
NTLMv2
Cryptographically strengthened version of NTLM
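The NT hash computation from the slide worked through, as an added example that is not part of the deck. MD4 is implemented in pure Python (following RFC 1320) because many OpenSSL builds no longer expose it through `hashlib`; the password is encoded as UTF-16LE, which is the encoding the NT hash uses. The final function shows the defender's use of this: checking a candidate password against a blocklist that is published as NT hashes. The hex values in the test are public test vectors.

```python
import struct

_MASK = 0xFFFFFFFF


def _rol(x, n):
    x &= _MASK
    return ((x << n) | (x >> (32 - n))) & _MASK


def _round(v, X, f, const, order, shifts):
    # One 16-step MD4 round: step i updates word (-i mod 4) from the other three.
    for i in range(16):
        j = (-i) % 4
        x, y, z = v[(j + 1) % 4], v[(j + 2) % 4], v[(j + 3) % 4]
        v[j] = _rol(v[j] + f(x, y, z) + X[order[i]] + const, shifts[i % 4])


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320: little-endian words, three rounds of 16 steps per 64-byte block."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)     # pad to 56 mod 64
    msg += struct.pack("<Q", len(data) * 8)           # 64-bit bit length, little-endian
    f1 = lambda x, y, z: (x & y) | (~x & z)
    f2 = lambda x, y, z: (x & y) | (x & z) | (y & z)
    f3 = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]
        _round(v, X, f1, 0, range(16), (3, 7, 11, 19))
        _round(v, X, f2, 0x5A827999,
               (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13))
        _round(v, X, f3, 0x6ED9EBA1,
               (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15))
        state = [(s + w) & _MASK for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash: MD4 over the UTF-16LE encoding of the password. Note: no salt, so two
    accounts with the same password share the same hash, and it is fast to compute."""
    return md4(password.encode("utf-16-le")).hex()


def password_in_blocklist(password: str, blocked_nt_hashes) -> bool:
    """Defender use: reject a new password if its NT hash appears in a breach-derived
    blocklist (such lists are commonly distributed as NT hashes rather than plaintext)."""
    return nt_hash(password) in blocked_nt_hashes


if __name__ == "__main__":
    print(nt_hash("password"))
    # Constructed blocklist holding the NT hash of "password".
    print(password_in_blocklist("password", {"8846f7eaee8fb117ad06bdd830b7586c"}))
```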
 
 
Stealing Passwords
 
Mimikatz
Benjamin Delpy
 
LSASS Process
 
Defended by Windows Credential Guard
 
 
Other Tools
 
Mimikatz
Dcsync
 
Responder
 
Internal Monologue
 
Linux SSH
 
Delve into the world of password security with this comprehensive guide, covering topics such as password gathering, cracking strategies, tools, types of passwords, hashes, salting, better hashes, and hash identification. Learn how to enhance security measures and protect against malicious attacks.

  • Password Security
  • Cybersecurity
  • Hashing
  • Password Cracking
  • Salting

Uploaded on Oct 09, 2024 | 0 Views

