cracking passwords
types of password attacks:
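online attacks
passive online attacks
passively listen to data on the network and analyze it for passwords
if nobody sends a password over the network there is nothing to analyze, and if the password is encrypted on the network it cannot be analyzed either
active online attacks
the most traditional cracking method; requires direct contact with the target
repeatedly tries passwords or uses authentication flaws to guess the password
easy to detect because passwords are guessed online over and over
solution: limit the number of failed password attempts
offline attacks
the password file is stolen and taken away for analysis
guessing is not done online, so it is hard to detect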
non-electronic attacks
password attacks are carried out in the following ways:
passive online attacks
wire sniffing: listening to network data
man-in-the-middle: posing as the gateway to listen to network data
replay attacks
active online attacks
password guessing
offline attacks
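dictionary attack: tries the strings in a dictionary file to find the correct password
brute-force attack: tries every possible combination of characters to find the correct password
hybrid attack: dictionary + brute-force attack: first a dictionary attack, then a brute-force attack
pre-computed hashes: hash values are computed in advance and loaded into the tool to try passwords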
non-electronic attacks
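shoulder surfing: watching the password being typed from behind
keyboard sniffing: keystroke logging
social engineering
syllable attack
rule-based attack: tries passwords according to some known rule
distributed network attack: uses multiple machines to try passwords
rainbow attack: uses a rainbow table to try passwords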
ps:
a rainbow table is a huge collection of precomputed hash values for every possible character combination
ps:
default password websites
www.defaultpassword.com
www.cirt.net/cgi-bin/passwd.pl
www.virus.org/default-password
ps:
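document cracking
pdf cracking tools work differently from tools for cracking word, excel, and the like
word and excel cracking recovers the password
pdf cracking removes the password
pdf tools include abcom pdf password cracker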
….
password risk mitigation methods
biometrics: uses biometric technology
smart card:
administrator password guessing
1 assuming that netbios tcp 139 is open
2 attempting to connect to an enumerated share and trying user name/password
3 default admin$, c$, %systemdrive% shares are good starting points
manual password cracking algorithm
automatic password cracking algorithm
how to write a password brute force
for %%i in net use c$ %i /u:
ex: cracking the administrator password on 192.168.1.1
for %%i in net use 192.168.1.1c$ %i /u:administrator
tool
nat(netbios auditing tool)
smbbf (smb passive brute force tool): must be run on win2000
smbcrack tool
l0phtcrack: also known as lc4 or lc5; its strength is brute force
……………………………………………………………………………………………………………………………………..
lm,ntlm v1,ntlm v2
lm weaknesses
the hash of a password of less than 8 characters looks like this:
<………………………>AAD3B435B51404EE
…
hash tool
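pwdump2: works only against the local nt sam database; uses dll injection
pwdump3: supports 2000, remote
rainbowcrack: can use its own rainbow tables or someone else's
kerbcrack: cracks kerberos; consists of kerbsniff and kerbcrack; it works by sniffing first and then cracking offline
john the ripper: classic unix tool; fast, with a small executable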
hashcat:free password cracker https://systw.net/note/af/sblog/more.php?id=325
……………………………………………………………………………………………………………………………………..
sniffer password
ps: the network card must be set to promiscuous mode in order to sniff
sniff smb credentials
ex:
windump -nes 0 -w C:cehfile tcp[28]=0x72 or tcp[28]=0x73 or tcp[40]=0x72 or tcp[40]=0x73
sniffer password tool
l0phtcrack
scooplm
password hacking tool
lcp: can read sam, lc, lcs, sniff file, and pwdump file data; supports dictionary, brute-force, and hybrid attacks
sid&user: graphical sid2user; works on winnt/2000/xp/2003
ophcrack2: compares against rainbow tables
crack
access passview
asterisk logger: not password cracking; it removes the asterisks instead
chaos generator: can compute a password's hash for reference
asterisk key
ms access database password decoder
……………………………………………………………………………………………………………………………………..
password protection recommendations
never leave a default password
never use a password that can be found in a dictionary
never use a password related to the hostname, domain name, or anything else that can be found with whois
never use a password related to your hobbies, pets, relatives, or date of birth
countermeasures
use passwords of 8-12 characters
change passwords every 30 days
physically isolate and protect the server
use syskey utility to store hashes on disk
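monitor logs for brute force attacks
use stanford srp or kerberos
do not use numeric passwords
numeric passwords are the simplest, the easiest to remember, and the most widely used
because they are simple they are easier to crack, and because many people use them the success rate is high
because the sam database is easily extracted, disabling the lm hash is recommended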
method a:
by using group policy
1 in group policy:computer configuration > windows settings > security settings > local policies > security options
2 network security:do not store lan manager hash value on next password change > ok
method b:
by editing the registry
1 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
2 add key,type NoLMHash
method c:
use a password that is at least 15 characters long
ps
sam file is located at %systemroot%\system32\config
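Added example (not part of the original notes or of any tool listed here): a Python audit of a pwdump-style export that reports which accounts still have an lm hash stored, so the effect of methods a to c can be checked. The user:rid:lm:nt::: line layout, the function names, and the sample lines are assumptions; the hash values in the sample are constructed.

```python
# Added example: audit a pwdump-style export for stored LM hashes.
# Assumed line layout: user:rid:lm_hash:nt_hash:::
LM_EMPTY_HALF = "AAD3B435B51404EE"   # LM value of an empty 7-character half

# Constructed sample lines; the hash values are made up, not real hashes.
SAMPLE = """\
alice:1001:0123456789ABCDEFAAD3B435B51404EE:00112233445566778899AABBCCDDEEFF:::
bob:1002:0123456789ABCDEFFEDCBA9876543210:FFEEDDCCBBAA99887766554433221100:::
carol:1003:AAD3B435B51404EEAAD3B435B51404EE:0F1E2D3C4B5A69788796A5B4C3D2E1F0:::
dave:1004:NO PASSWORD*********************:A1B2C3D4E5F60718293A4B5C6D7E8F90:::
"""

def classify_lm(lm_field):
    """Return what the LM column reveals about one account."""
    lm = lm_field.strip().upper()
    if len(lm) != 32 or any(c not in "0123456789ABCDEF" for c in lm):
        return "no-lm-hash"            # placeholder text instead of a hash
    first, second = lm[:16], lm[16:]
    if first == LM_EMPTY_HALF and second == LM_EMPTY_HALF:
        return "no-lm-hash"            # both halves empty: no usable LM hash
    if second == LM_EMPTY_HALF:
        return "lm-stored-short"       # password shorter than 8 characters
    return "lm-stored"                 # password of 8 to 14 characters

def audit(text):
    """Map each account name to its LM classification."""
    findings = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 4:
            continue                   # skip blank or malformed lines
        findings[parts[0]] = classify_lm(parts[2])
    return findings

if __name__ == "__main__":
    for user, status in audit(SAMPLE).items():
        print(f"{user:8} {status}")
```

Any account reported as lm-stored or lm-stored-short still has an lm hash on disk; the lm hash is replaced only at the next password change after the policy is applied.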
tool:
password brute-force estimate tool: estimates brute-force time
lastbit.com/passwordestimation.asp: online tool; calculates password strength
syskey utility: recommended by microsoft
accountaudit: checks data between account databases over the network