Recomendados
Recomendados
Más contenido relacionado
Similar a ITCamp 2011 - Paula Januszkiewicz - Password secrets revealed
Similar a ITCamp 2011 - Paula Januszkiewicz - Password secrets revealed (20)
Más de ITCamp
Más de ITCamp (20)
Último
Último (20)
ITCamp 2011 - Paula Januszkiewicz - Password secrets revealed
- 1. …or had no time to check it! Password Secrets Revealed! Everything you want to know but are afraid to ask… Paula Januszkiewicz CQURE: IT Security Auditor, MVP, MCT http://blogs.technet.com/plwit/ paula@cqure.pl Premium conference on Microsoft’s Dev and ITPro technologies @itcampro / #itcampro
- 2. IT Camp 2011 • Thanks for coming! • ITCamp is made possible by our sponsors: Premium conference on Microsoft’s Dev and ITPro technologies @itcampro / #itcampro
- 3. MVP-Press Training Course Planning, Deploying and Managing Microsoft Forefront Threat Management Gateway 2010 Available for online purchase: http://www.mvp-press.com Follow us on: http://facebook.com/MVPpress http://twitter.com/MVPpress 3 Premium conference on Microsoft’s Dev and ITPro technologies @itcampro / #itcampro
- 4. Agenda Summary What are passwords for… nothing! (Things you should remember) 1 2 3 Passwords – some examples Premium conference on Microsoft’s Dev and ITPro technologies @itcampro / #itcampro
- 5. What to expect? Life without passwords… Passwords in the Web Protected Storage VNC Wireless (In) Security Passwords in the Operating System Rainbow tables Cracking toolkit Summary Premium conference on Microsoft’s Dev and ITPro technologies @itcampro / #itcampro
- 6. Premium conference on Microsoft’s Dev and ITPro technologies @itcampro / #itcampro
- 7. … would be beautiful, but it is not • Strong passwords or / and user awareness Complexity Letters Letters (Upper Letters (All) & Letters & Characters (Lower) & Lower) Digits Digits & Special 6 308,915,776 19,770,609,664 56,800,235,584 304,006,671,42 4 8 208,827,064,57 53,459,728,531 218,340,105,58 2,044,140,858, 6 ,456 4,896 654,976 10 141,167,095,65 144,555,105,94 839,299,365,86 13,744,803,133 3,376 9,057,024 8,340,224 ,596,058,624 12 95,428,956,661 390,877,006,48 3,226,266,762, 92,420,056,270 ,682,176 6,250,192,896 397,899,821,05 ,299,898,187,7 6 76 Premium conference on Microsoft’s Dev and ITPro technologies @itcampro / #itcampro
- 8. Time to crack passwords Complexity Letters Letters (Upper Letters (All) Letters & Digits Characters (Lower) & Lower) & Digits & Special 6 154,4 seconds 164,7 hours 8 29 hours … … … 10 816 days … … … 12 51152123 years … … 87918622783,7 years Avg. password cracking: 2 millions per second Premium conference on Microsoft’s Dev and ITPro technologies @itcampro / #itcampro
- 9. 3 cryptograpgy basis Premium conference on Microsoft’s Dev and ITPro technologies @itcampro / #itcampro
- 10. What to expect? Life without passwords… Passwords in the Web Protected Storage VNC Wireless (In) Security Passwords in the Operating System Rainbow tables Cracking toolkit Summary Premium conference on Microsoft’s Dev and ITPro technologies @itcampro / #itcampro
- 11. Passwords in the Web: Null Byte Injection, Inside the SSL Tunnel DEMO Premium conference on Microsoft’s Dev and ITPro technologies @itcampro / #itcampro
- 12. What to expect? Life without passwords… Passwords in the Web Protected Storage VNC Wireless (In) Security Passwords in the Operating System Rainbow tables Cracking toolkit Summary Premium conference on Microsoft’s Dev and ITPro technologies @itcampro / #itcampro
- 13. Protected Storage • Now: Read-Only • DPAPI – Data Blob + Entropy – Master Key – User Password Premium conference on Microsoft’s Dev and ITPro technologies @itcampro / #itcampro
- 14. What to expect? Life without passwords… Passwords in the Web Protected Storage VNC Wireless (In) Security Passwords in the Operating System Rainbow tables Cracking toolkit Summary Premium conference on Microsoft’s Dev and ITPro technologies @itcampro / #itcampro
- 15. VNC DEMO Premium conference on Microsoft’s Dev and ITPro technologies @itcampro / #itcampro
- 16. What to expect? Life without passwords… Passwords in the Web Protected Storage VNC Wireless (In) Security Passwords in the Operating System Rainbow tables Cracking toolkit Summary Premium conference on Microsoft’s Dev and ITPro technologies @itcampro / #itcampro
- 17. Wireless (In) Security DEMO Premium conference on Microsoft’s Dev and ITPro technologies @itcampro / #itcampro
- 18. What to expect? Life without passwords… Passwords in the Web Protected Storage VNC Wireless (In) Security Passwords in the Operating System Rainbow tables Cracking toolkit Summary Premium conference on Microsoft’s Dev and ITPro technologies @itcampro / #itcampro
- 19. Crack Basics: Windows • Locally: Security Accounts Manager • Domain: NTLS • Direct reading? Why not? – SAMInside, Cain, ERD Commander, pwdump + LC5, john the ripper • PSTORE Premium conference on Microsoft’s Dev and ITPro technologies @itcampro / #itcampro
- 20. SAM (Tools), DefineDosDevice, System Privileges, SAPD, Notification Package, GINA.DLL DEMO Premium conference on Microsoft’s Dev and ITPro technologies @itcampro / #itcampro
- 21. What to expect? Life without passwords… Passwords in the Web Protected Storage VNC Wireless (In) Security Passwords in the Operating System Rainbow tables Cracking toolkit Summary Premium conference on Microsoft’s Dev and ITPro technologies @itcampro / #itcampro
- 22. Rainbow Tables • OphCrack • RainbowCrack • http://www.insidepro.com/tables.php • http://www.freerainbowtables.com/en/tables/ntlm/ • https://www.objectif- securite.ch/en/products.php?hash=EE84987FE4DC6997 ABD2655ED5D5C144&drgn=2 Premium conference on Microsoft’s Dev and ITPro technologies @itcampro / #itcampro
- 23. What to expect? Life without passwords… Passwords in the Web Protected Storage VNC Wireless (In) Security Passwords in the Operating System Rainbow tables Cracking toolkit Summary Premium conference on Microsoft’s Dev and ITPro technologies @itcampro / #itcampro
- 24. Password Cracking Tools • Linux – John the Ripper (http://www.openwall.com/john/) • Windows – John the Ripper – SamInside / Passwords Pro (http://www.insidepro.com) – Cain (http://www.oxid.it/cain.html ) – LC5 / pwdump – Top 10 Tools: http://sectools.org/crackers.html Premium conference on Microsoft’s Dev and ITPro technologies @itcampro / #itcampro
- 25. What to expect? Life without passwords… Passwords in the Web Protected Storage VNC Wireless (In) Security Passwords in the Operating System Rainbow tables Cracking toolkit Summary Premium conference on Microsoft’s Dev and ITPro technologies @itcampro / #itcampro
- 26. Summary • Have your own dictionary file • Use well-designed password policies • Train users – show them what may happen if their password is revealed • Test your users’ passwords Premium conference on Microsoft’s Dev and ITPro technologies @itcampro / #itcampro
- 27. Q&A Premium conference on Microsoft’s Dev and ITPro technologies @itcampro / #itcampro
- 28. Don’t forget! Get your free Azure pass! We want your feedback! • 30+15 days, no CC req’d • Win a WP7 smartphone – http://bit.ly/ITCAMP11 – Fill in your feedback forms – Promo code: ITCAMP11 – Raffle: end of the day Premium conference on Microsoft’s Dev and ITPro technologies @itcampro / #itcampro