Loading presentation...

Present Remotely

Send the link below via email or IM

Copy

Present to your audience

Start remote presentation

  • Invited audience members will follow you as you navigate and present
  • People invited to a presentation do not need a Prezi account
  • This link expires 10 minutes after you close the presentation
  • A maximum of 30 users can follow your presentation
  • Learn more about this feature in our knowledge base article

Do you really want to delete this prezi?

Neither you, nor the coeditors you shared it with will be able to recover it again.

DeleteCancel

How I'd Hack Your Password...

No description
by

Jason Thatcher

on 20 April 2011

Comments (0)

Please log in to add your comment.

Report abuse

Transcript of How I'd Hack Your Password...

Cracking
Password cracking is the process of recovering passwords from data that has been stored in or transmitted by a computer system.
Why?
Legitimate:

"help" a user recover a forgotten password (though installing an entirely new password is less of a security risk, but involves system administration privileges),

as a preventive measure by system administrators to check for easily crackable passwords.

Illegitimate:to gain unauthorized access to a system
Digital Forensics:

On a file-by file basis, password cracking is utilized to gain access to digital evidence for which a judge has allowed access but the particular file's access is restricted.
How passwords are stored
The Anonymous Attack!
Weak encryption
Guessing
Dictionary
Brute Force
Database that verifies who you are..
Data stored as a one way function i.e., difficult to extract ...
can be encrypted ... some are picture based ...
Identifiable Attacks
Social engineering
Dumpster Diving
Wiretapping
Shoulder Surfing
when the manner passwords are saved is simple to crack ...
The POP3 Passwords are kept in the \mail\USER\pmail.ini. So 'c:\pmail\mail\g00f\pmail.ini' would give the user g00f's configuration file.
The file looks something like this:

[Pegasus Mail for Windows - built-in TCP/IP Mail]
Host where POP3 mail account is located = example.com
POP3 mail account (username on host) = g00f
V2 Password for POP3 mail account = $moL
Delete downloaded mail from host = Y
Largest message size to retrieve = 0
Directory to place incoming POP3 mail = C:\PMAIL\MAIL\g00f
Transport control word = 66308
SMTP relay host for outgoing mail = example.com
Search mask to locate outgoing messages = C:\PMAIL\MAIL\g00f\*.PMX
Alternative From: field for message = galldor@microhack.com

Since this text file is world read/writable, any user can easily edit the file to route messages to a new directory, or choose not to delete POP3 mail from host.
But the main problem is the weak encryption on the V2 Password.
The password is encrypted using a very weak encryption algorithm:

V2 encrypts so that there is the same amount of letters/numbers as the original password, and their position corresponds to their position in the plaintext password.

Cracking It:
First you have to Ignore the $ completely. The letters and numbers after the $ are the encrypted values of the password, so anything after the $ is also the size of the password. Here are a few examples of how to crack it and how the encryption works.

a = $m # Just testing....
aa = $mo
aaa = $moL

b = $R
bb = $R?
bbb = ?R?8

# As you can see the weak encryption is already showing as the encryption doesn't even encrypt by the number of letters.

# The Encryption works like this

1st Letter placement of a = m
2nd Letter placement of a = o
3rd Letter placement of a = L

Etc, etc.
So finding aab would be as followed:

aab = 1st a + 2nd a + 3rd b (which) = mo8 # so in the ini the pass will be $mo8
abb = 1st a + 2nd b + 3rd b = $m?8

So you could now find out:

bab = $Ro8
Guessing
Personal data about individuals are now available from various sources, many on-line, and can often be obtained by someone using social engineering techniques, such as posing as an opinion surveyor or a security control checker. Attackers who know the user may have information as well.
In September 2008, the Yahoo e-mail account of Governor of Alaska and Vice President of the United States nominee Sarah Palin was accessed without authorization by someone who was able to research answers to two of her security questions, her zip code and date of birth and was able to guess the third, where she met her husband.
Dictionary and Bruteforce Attacks
A dictionary attack tries only those possible passwords which are most likely to succeed, typically derived from a list of words for example a dictionary (hence the phase dictionary attack) or a bible etc. Generally, dictionary attacks succeed because many people have a tendency to choose passwords which are short (7 characters or fewer), single words found in dictionaries or simple, easily-predicted variations on words, such as appending a digit.
Users choose weak passwords. Examples of insecure choices include the above list, plus single words found in dictionaries, given and family names, any too short password (usually thought to be 6 or 7 characters or less), or any password meeting a too restrictive and so predictable, pattern (eg, alternating vowels and consonants).

Around 40% of user-chosen passwords are readily guessable by sophisticated cracking programs armed with dictionaries and, perhaps, the user's personal information
a brute force attack is a strategy used to break the encryption of data. It involves entering all possible passwords until the correct one is found.
The act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical hacking techniques (essentially a fancier, more technical way of lying). While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim.
Kevin Mitnick - One Hacker to Rule them All
At 12, Mitnick used social engineering to bypass the punchcard system used in the Los Angeles bus system. After a friendly bus driver told him where he could buy his own ticket punch, he could ride any bus in the greater LA area using unused transfer slips he found in the trash. Social engineering became his primary method of obtaining information, including user names and passwords and modem phone numbers
According to the U.S. Department of Justice, Mitnick gained unauthorized access to dozens of computer networks while he was a fugitive.

He used cloned cellular phones to hide his location and, among other things, copied valuable proprietary software from some of the country's largest cellular telephone and computer companies.

Mitnick also intercepted and stole computer passwords, altered computer networks, and broke into and read private e-mail. Mitnick was apprehended in February 1995 in North Carolina. He was found with cloned cellular phones, more than 100 clone cellular phone codes, and multiple pieces of false identification
Confirmed criminal acts
Using the Los Angeles bus transfer system to get free rides
Evading the FBIHacking into DEC system(s) to view VMS source code (DEC reportedly spent $160,000 in cleanup costs)
Gaining full administrator privileges to an IBM minicomputer at the Computer Learning Center in Los Angeles in order to win a bet
Hacking Motorola, NEC, Nokia, Sun Microsystems and Fujitsu Siemens systems

Alleged criminal acts
Stole computer manuals from a Pacific Bell telephone switching center in Los Angeles
Read the e-mail of computer security officials at MCI Communications and Digital
Wiretapped the California DMV
Made free cell phone calls
Hacked Santa Cruz Operation, Pacific Bell, FBI, Pentagon, Novell, California Department of Motor Vehicles, University of Southern California and Los Angeles Unified School District systems.
Wiretapped FBI agents, according to John Markoff
The Law Prevails?
Mitnick served five years in prison four and a half years pre-trial and eight months in solitary confinement because law enforcement officials convinced a judge that he had the ability to "start a nuclear war by whistling into a pay phone".

He was released on January 21, 2000. During his supervised release, which ended on January 21, 2003, he was initially forbidden to use any communications technology other than a landline telephone. Mitnick fought this decision in court, eventually winning a ruling in his favor, allowing him to access the Internet.
He now runs Mitnick Security Consulting...
http://mitnicksecurity.com/
Pretexting
Phishing
Baiting
The act of creating and using an invented scenario (the pretext) to engage a targeted victim in a manner that increases the chance the victim will divulge information or perform actions that would be unlikely in ordinary circumstances. It is more than a simple lie, as it most often involves some prior research or setup and the use of apriori information for impersonation (e.g., date of birth, Social Security Number, last bill amount) to establish legitimacy in the mind of the target.
A technique of fraudulently obtaining private information. Typically, the phisher sends an e-mail that appears to come from a legitimate business a bank, or credit card company requesting "verification" of information and warning of some dire consequence if it is not provided. The e-mail usually contains a link to a fraudulent web page that seems legitimate with company logos and content and has a form requesting everything from a home address to an ATM card's PIN.

Typically, spam LOTS of people to get a few respondents.
The attacker leaves a malware infected floppy disk, CD ROM, or USB flash drive in a location sure to be found (bathroom, elevator, sidewalk, parking lot), gives it a legitimate looking and curiosity-piquing label, and simply waits for the victim to use the device.

the user would unknowingly install malware on it, likely giving an attacker unfettered access to the victim's PC and perhaps, the targeted company's internal computer network.
Telephone tapping (or wire tapping/wiretapping in the USA) is the monitoring of telephone and Internet conversations by a third party, often by covert means. The telephone or wire tap received its name because, historically, the monitoring connection was an actual electrical tap on the telephone line. Legal wiretapping by a government agency is also called lawful interception. Passive wiretapping monitors or records the traffic, while
active wiretapping alters or otherwise affects it.
The practice of sifting through commercial or residential trash to find items that have been discarded by their owners, but which may be useful to the dumpster diver.

From a security point of view, it's referred to as "information diving" ... you can find files, letters, memos, manuals, credit cards, id's, passwords etc.
Using direct observation techniques, such as looking over someone's shoulder, to get information.

Shoulder surfing is particularly effective in crowded places ...

watch out for it when ... filling out forms, entering a PIN on an ATM, or typing in passwords in public places
I would do a little research
20% will use one of the following ...

Your partner, child, or pet's name, possibly followed by a 0 or 1 (because they're always making you use a number, aren't they?)
The last 4 digits of your social security number.
123 or 1234 or 123456.
"password"
Your city, or college, football team name.
Date of birth yours, your partner's or your child's.
"god"
"letmein"
"money"
"love"
Turn to brute force ...
http://sectools.org/crackers.html
Here is the logic of a hack ...
You probably use the same password for lots of stuff right?
How quickly will I get to your data?

3 factors
1. length/complexity of password
2. speed of PC
3. speed of Internet connection
How do I keep my stuff secure?
Randomly substitute numbers for letters that look similar. The letter ‘o' becomes the number ‘0, or even better an ‘@' or ‘*'. (i.e. – m0d3ltf0rd… like modelTford)
Randomly throw in capital letters (i.e. Mod3lTF0rd)
Think of something you were attached to when you were younger, but DON'T CHOOSE A PERSON'S NAME! Every name plus every word in the dictionary will fail under a simple brute force attack.
Maybe a place you loved, or a specific car, an attraction from a vacation, or a favorite restaurant?
You really need to have different username / password combinations for everything. Remember, the technique is to break into anything you access just to figure out your standard password, then compromise everything else. This doesn't work if you don't use the same password everywhere.
If you use a lot of passowords, use robform.
Once you've thought of a password, try Microsoft's password strength tester to find out how secure it is.
If I wanted to steal your Password...
Social Engineering
14.6 million paid to settle pretexting lawsuit
Trust No One!
Some sites you access such as your Bank or work VPN probably have pretty decent security, so I'm not going to attack them.
So, all we have to do now is unleash Brutus, wwwhack, or THC Hydra on their server with instructions to try say 10,000 (or 100,000 whatever makes you happy) different usernames and passwords as fast as possible.
But wait… How do I know which bank you use and what your login ID is for the sites you frequent?

All those cookies are simply stored, unencrypted and nicely named, in your Web browser's cache ...
Weak Encryption
Guessed by knowing someone's personal information
Social Engineering
Pretexting
Phishing
Baiting
Dumpster Diving
Wiretapping
Shoulder Surfing
THC-Hydra
Do as I say ... Not as I do ...
However, other sites like the Hallmark e-mail greeting cards site, an online forum you frequent, or an e-commerce site you've shopped at might not be as well prepared. So those are the ones I'd work on.
Once we've got several login+password pairings we can then go back and test them on targeted sites.
Or a security breach ...
Use a third party provider to secure passwords
Full transcript