Computer Security: Principles and Practice, 1/e

Network Security: Hacking & Defense 2
From Computer Security: Principles & Practice, Chapter 3 Authentication
Objectives
The student shall be able to:
• Define these types of attacks: dictionary, rainbow table, eavesdrop, replay, brute force
• Define the purpose of salt and how it works
• Describe features of password complexity and the advantages of each
• Show three ways of generating a secure password from a phrase
• Calculate the number of possible combinations when lower case versus lower & upper case versus alphanumeric versus alphanumeric plus symbols are used
• Describe how remote user authentication works (packet sequence)
Not in 2012:
Class Time:
The class shall be conducted as follows:
• Lecture: 1.5 hour
• Lab: 1.5 hour
• Total: 3 hours
Authenticated Attacks
Once an attacker gains access:
• Escalating privilege: after obtaining a user account, the next goal is to obtain Administrator status
• Installing backdoors: to ensure future access
• Covering tracks: modifying logs, hiding existence
• Making the vulnerability secure, so the system isn't lost to other hackers
Privilege Escalation
Hacker methods include:
• Grabbing password hashes
• DLL injection: modify or replace the DLL with a Trojan (allowing back door entry)
• Spoofing LPC port requests: using Local Procedure Call (LPC) to impersonate a client and access a server
• Installing a rootkit: includes installing a backdoor and replacing existing utilities (ps, telnet)
Many slides by William Stallings and Lawrie Brown: Computer Security, Chapter 3 – User Authentication
User Authentication
• fundamental security building block
  - basis of access control & user accountability
• is the process of verifying an identity claimed by or for a system entity
• has two steps:
  - identification: specify identifier
  - verification: bind entity (person) and identifier
Means of User Authentication
• four means of authenticating a user's identity
• based on something the individual
  - knows, e.g. password, PIN
  - possesses, e.g. key, token, smartcard
  - is (static biometrics), e.g. fingerprint, retina
  - does (dynamic biometrics), e.g. voice, signature
• can use alone or combined
  - 'two-factor' or 'three-factor' authentication
• all can provide user authentication
• all have issues
Password Authentication
• widely used user authentication method
  - user provides name/login and password
  - system compares password with that saved for the specified login
• authenticates
  - the ID of the user logging in, and
  - that the user is authorized to access the system
  - determines the user's privileges
  - is used in discretionary access control
Authentication Security Issues
• client attacks: keystroke monitoring
• host attacks: capture authentication file
• eavesdropping: observe or sniff password, keystroke monitor
• replay: play same password back
• trojan horse: captures authentication file
• denial-of-service: prevents access via flooding
Password Choices
• users may pick short passwords
  - e.g. 3% were 3 chars or less, easily guessed
  - system can reject choices that are too short
• users may pick guessable passwords
  - so crackers use lists of likely passwords
  - e.g. one study of 14000 encrypted passwords guessed nearly 1/4 of them
  - would take about 1 hour on fastest systems to compute all variants, and only need 1 break!
Password Cracking
• dictionary attacks
  - try each word then obvious variants in a large dictionary against the hash in the password file
• rainbow table attacks
  - precompute tables of hash values for all salts
  - a mammoth table of hash values
  - e.g. 1.4GB table cracks 99.9% of alphanumeric Windows passwords in 13.8 secs
  - not feasible if larger salt values used
Password Cracking: Dictionary Attack & Brute Force (how easy it is!)

Pattern | Calculation | Result | Time to Guess (at 2.6x10^18 guesses/month)
Personal info: interests, relatives | | 20 | Manual, 5 minutes
Social engineering | | 1 | Manual, 2 minutes
American dictionary | | 80,000 | < 1 second
4 chars: lower case alpha | 26^4 | 5x10^5 |
8 chars: lower case alpha | 26^8 | 2x10^11 |
8 chars: alpha | 52^8 | 5x10^13 |
8 chars: alphanumeric | 62^8 | 2x10^14 | 3.4 min.
8 chars: alphanumeric + 10 | 72^8 | 7x10^14 | 12 min.
8 chars: all keyboard | 95^8 | 7x10^15 | 2 hours
12 chars: alphanumeric | 62^12 | 3x10^21 | 96 years
12 chars: alphanumeric + 10 | 72^12 | 2x10^22 | 500 years
12 chars: all keyboard | 95^12 | 5x10^23 |
16 chars: alphanumeric | 62^16 | 5x10^28 |
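The table's keyspace and time-to-guess columns can be reproduced with a few lines of arithmetic; the following is an added example (not from the slides) that also shows why the rainbow-table slide says larger salts make precomputation infeasible. The 2.6x10^18 guesses/month rate comes from the table; the 30-day month and the 12- and 48-bit salt sizes are assumptions taken from the UNIX and MD5 schemes described later.

```python
# Added example (not from the slides): brute-force keyspace, time to guess at
# the table's assumed rate, and the precomputation cost a salt adds to a
# rainbow table.

GUESSES_PER_MONTH = 2.6e18          # rate assumed in the slide's table
MINUTES_PER_MONTH = 30 * 24 * 60    # assumption: 30-day month

# Character-set sizes used in the slide's table
CHARSETS = {
    "lower": 26,
    "alpha": 52,
    "alphanumeric": 62,
    "alphanumeric+10": 72,
    "all keyboard": 95,
}

def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length

def minutes_to_exhaust(charset_size: int, length: int) -> float:
    """Worst-case time to try the whole keyspace, in minutes."""
    return keyspace(charset_size, length) / GUESSES_PER_MONTH * MINUTES_PER_MONTH

def human_time(minutes: float) -> str:
    """Render minutes as seconds, minutes, hours or years, like the table does."""
    if minutes < 1:
        return f"{minutes * 60:.1f} seconds"
    if minutes < 60:
        return f"{minutes:.1f} minutes"
    if minutes < MINUTES_PER_MONTH * 12:
        return f"{minutes / 60:.1f} hours"
    return f"{minutes / (MINUTES_PER_MONTH * 12):.0f} years"

def rainbow_entries(charset_size: int, length: int, salt_bits: int) -> int:
    """Hashes a rainbow table must cover to handle every possible salt value."""
    return keyspace(charset_size, length) * (2 ** salt_bits)

if __name__ == "__main__":
    for name, size in CHARSETS.items():
        for length in (8, 12, 16):
            print(f"{length:2d} chars {name:16s} {keyspace(size, length):.1e} "
                  f"-> {human_time(minutes_to_exhaust(size, length))}")
    # Salt effect on a table for 8-char alphanumeric passwords (62^8 entries unsalted)
    for bits in (0, 12, 48):
        print(f"salt {bits:2d} bits: table must cover "
              f"{rainbow_entries(62, 8, bits):.1e} hashes")
```

Small differences from the table's times (3.6 versus 3.4 minutes for 62^8) come from the rounding of the results to one significant digit.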
Password Vulnerabilities
Single-user focus:
• specific account attack
• password guessing against a known user
• workstation hijacking: unattended console
• exploiting user mistakes: written-down password
• exploiting the same password on different machines
Multi-user:
• electronic eavesdropping
• offline dictionary attack
• popular password attack
Password Complexity
CIS Recommendations:
• At least 8 (CIS: preferably 14) chars
• Password expires in 90 days
• Lockout after 5 bad login attempts
• Reset count after 15 minutes
• Lockout duration 15 minutes
• Enforce password history (24-count memory of passwords)
Creating a Good Password
Bad password (starting phrase and weak variants): Merry Christmas, Merry Xmas, MerryChrisToYou, MerryJul, MaryJul, MerChr2You
Transformations: (Lengthen), (Synonym), (Intertwine letters), (Convert vowels to numeric), (Abbreviate), (Keypad shift right … up)
Good password (results): GladJesBirth, MXemrays, M5rryXm1s, Jq46Sjqw, ,stuzc,sd, Mary*Jul, mErcHr2yOu
Creating A Good Password
• Combine 2 unrelated words: Mail + phone = m@!lf0n3
• Abbreviate a phrase: My favorite color is blue = Mfciblue
• Music lyric: Happy Birthday to you / Happy Birthday to you / Happy Birthday dear Gene / Happy Birthday to you = HB2yHB2yHBdGHB2y
Password Recommendations
• Change the default passwords on firewalls, services, servers, etc.
• Never use 'admin', 'root' or 'administrator' as the login for the admin
• Use a software firewall on each computer system, with antivirus & antispyware.
• A good password is:
  - private: it is used and known by one person only
  - secret: it does not appear in clear text in any file or program or on a piece of paper pinned to the terminal
  - changed regularly: periodically change your password
  - easily remembered: so there is no need to write it down
  - at least 8 characters but preferably 12-14
  - a mixture of at least 3 of the following: upper case letters, lower case letters, digits and punctuation
  - not guessable by any program in a reasonable time, for instance less than one week
Why you must change passwords
Even if you choose a good password, it can still be discovered:
• someone may see you typing it or snoop the network
• if you accidentally type your password instead of your login name, it can end up in system log files
Using Better Passwords
• clearly there are problems with passwords
• goal is to eliminate guessable passwords
• while still easy for the user to remember
• techniques:
  - user education
  - computer-generated passwords
  - reactive password checking
  - proactive password checking
Proactive Password Checking
• rule enforcement plus user advice, e.g. 8+ chars, upper/lower/numeric/punctuation
  - may not suffice
• password cracker
  - time and space issues
• Bloom filter
  - use to build a table based on a dictionary, using hashes
  - check the proposed password against this table
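The Bloom-filter checker described above, as an added example that is not from the slides: the filter is built from a constructed six-word dictionary plus the obvious variants (capitalised, digit appended) and then queried for each proposed password; the filter size, hash count and minimum length are assumptions.

```python
# Added example (not from the slides): a proactive password checker backed by
# a Bloom filter built from a (constructed) dictionary of likely passwords.
import hashlib

class BloomFilter:
    def __init__(self, size_bits: int = 1 << 16, num_hashes: int = 4):
        self.size = size_bits            # assumption: 64 Kbit filter
        self.k = num_hashes              # assumption: 4 hash positions per item
        self.bits = bytearray(size_bits // 8)

    def _positions(self, item: str):
        # Derive k bit positions from successive 4-byte slices of one SHA-256 digest
        digest = hashlib.sha256(item.encode()).digest()
        for i in range(self.k):
            yield int.from_bytes(digest[4 * i:4 * i + 4], "big") % self.size

    def add(self, item: str) -> None:
        for pos in self._positions(item):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def __contains__(self, item: str) -> bool:
        # True if every position is set: "probably in the dictionary"
        return all(self.bits[pos // 8] & (1 << (pos % 8)) for pos in self._positions(item))

# Constructed sample dictionary; a real checker loads a cracker word list.
SAMPLE_DICTIONARY = ["password", "letmein", "merry", "christmas", "qwerty", "123456"]

def variants(word: str):
    """The obvious variants a cracker tries: as-is, capitalised, digit appended."""
    yield word
    yield word.capitalize()
    for d in "0123456789":
        yield word + d

def build_filter(words) -> BloomFilter:
    bf = BloomFilter()
    for w in words:
        for v in variants(w):
            bf.add(v)
    return bf

def check_password(bf: BloomFilter, proposed: str, min_len: int = 8):
    """Return (accepted, reason); rejects short or dictionary-derived passwords."""
    if len(proposed) < min_len:
        return False, "too short"
    if proposed in bf:
        return False, "dictionary word or common variant"
    return True, "ok"
```

The filter never stores the dictionary itself, only bits, so the table is small and a lookup costs only a few hashes, which is the space/time advantage the slide refers to.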
Use of Hashed Passwords
Salt + Password
Salt:
• prevents identical passwords from giving the same encrypted value
• increases the length of the password without requiring the user to remember additional characters
UNIX Implementation
• original scheme
  - 8-character password forms a 56-bit key
  - 12-bit salt used to modify DES encryption into a one-way hash function
  - 0 value repeatedly encrypted 25 times
  - output translated to an 11-character sequence
• now regarded as woefully insecure
  - e.g. supercomputer, 50 million tests, 80 min
• sometimes still used for compatibility
Improved Implementations
• have other, stronger, hash/salt variants
• many systems now use MD5
  - with 48-bit salt
  - password length is unlimited
  - is hashed with a 1000-times inner loop
  - produces a 128-bit hash
• OpenBSD uses a Blowfish block cipher based hash algorithm called Bcrypt
  - uses a 128-bit salt to create a 192-bit hash value
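The salted, iterated hashing these schemes share, as an added example that is not from the slides: each password-file entry stores a random salt next to the hash, and verification recomputes the hash with the stored salt. PBKDF2-HMAC-SHA256 from the standard library stands in for the MD5 or Blowfish construction; the 48-bit salt and 1000-iteration count follow the MD5 scheme on the slide, and the `salt$hash` record layout is an assumption.

```python
# Added example (not from the slides): storing and verifying salted, iterated
# password hashes. PBKDF2-HMAC-SHA256 is used as the "stronger hash/salt
# variant"; salt size and iteration count mirror the MD5 scheme on the slide.
import hashlib
import hmac
import secrets
from typing import Optional

ITERATIONS = 1000   # the slide's MD5 scheme hashes with a 1000-times inner loop
SALT_BYTES = 6      # 48-bit salt, as in that scheme

def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable 'salt$hash' record (assumed layout) for the password file."""
    salt = salt if salt is not None else secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"

def verify(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, stored_hex = record.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    # compare_digest avoids leaking how many leading bytes matched
    return hmac.compare_digest(digest.hex(), stored_hex)

def same_password_same_hash(password: str) -> bool:
    """False: two users with identical passwords get different records, thanks to the salt."""
    return make_record(password) == make_record(password)

if __name__ == "__main__":
    rec = make_record("Jq46Sjqw")
    print(rec)
    print("correct password accepted:", verify("Jq46Sjqw", rec))
    print("wrong password accepted:  ", verify("Jq46Sjqx", rec))
    print("same hash for same password:", same_password_same_hash("Jq46Sjqw"))
```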
Password File Access Control
• can block offline guessing attacks by denying access to encrypted passwords
  - make available only to privileged users
  - often using a separate shadow password file
• still have vulnerabilities
  - exploit O/S bug
  - keystroke logger
  - accident with permissions making it readable
  - users with the same password on other systems
  - access from unprotected backup media
  - sniff passwords in unprotected network traffic
Token Authentication
• object the user possesses to authenticate, e.g.
  - embossed card
  - magnetic stripe card
  - memory card
  - smartcard
Memory Card
• stores but does not process data
• magnetic stripe card, e.g. bank card
• electronic memory card
• used alone for physical access
• with password/PIN for computer use
• drawbacks of memory cards include:
  - need special reader
  - loss of token issues
  - user dissatisfaction
Smartcard
• credit-card like
• has own processor, memory, I/O ports
  - wired or wireless access by reader
  - may have crypto co-processor
  - executes a protocol to authenticate with the reader/computer
• also have USB dongles
Remote User Authentication
• authentication over a network is more complex
  - problems of eavesdropping, replay
• generally use challenge-response
  - protects against a number of attacks
Figure: challenge-response exchange. User → System: Identity. System → User: Random Challenge (nonce). [Calculate] on both sides. User → System: Reply. System: Accept or reject.
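The exchange in the figure, simulated with both sides in one process as an added example that is not from the slides: the reply is an HMAC over the nonce keyed with a secret derived from the password (an assumption; the slide does not fix the [Calculate] function), and the system accepts each nonce only once, so a reply captured by an eavesdropper cannot be replayed.

```python
# Added example (not from the slides): challenge-response over a nonce.
# Assumptions: shared secret = SHA-256(password) held by both sides;
# reply = HMAC-SHA256(secret, nonce); nonces are single-use.
import hashlib
import hmac
import secrets

def derive_secret(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()

class System:
    def __init__(self):
        self.users = {}          # identity -> shared secret
        self.outstanding = {}    # identity -> nonce awaiting a reply
        self.used_nonces = set() # nonces already consumed (replay defence)

    def enroll(self, identity: str, password: str) -> None:
        self.users[identity] = derive_secret(password)

    def challenge(self, identity: str) -> bytes:
        """Step 2 of the figure: send a fresh random challenge (nonce)."""
        nonce = secrets.token_bytes(16)
        self.outstanding[identity] = nonce
        return nonce

    def verify(self, identity: str, nonce: bytes, reply: bytes) -> bool:
        """Step 4: recompute the expected reply and accept or reject."""
        expected_nonce = self.outstanding.pop(identity, None)
        if expected_nonce is None or nonce != expected_nonce or nonce in self.used_nonces:
            return False                     # stale, unknown or replayed challenge
        self.used_nonces.add(nonce)
        secret = self.users.get(identity)
        if secret is None:
            return False                     # identity was never enrolled
        expected = hmac.new(secret, nonce, "sha256").digest()
        return hmac.compare_digest(expected, reply)

def user_reply(password: str, nonce: bytes) -> bytes:
    """Step 3: the user's [Calculate]; the password itself never crosses the network."""
    return hmac.new(derive_secret(password), nonce, "sha256").digest()

def run_exchange(system: System, identity: str, password: str):
    """Full exchange; returns (nonce, reply, accepted) so a replay can be attempted."""
    nonce = system.challenge(identity)      # step 1 (identity) + step 2 (nonce)
    reply = user_reply(password, nonce)     # step 3
    return nonce, reply, system.verify(identity, nonce, reply)   # step 4
```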
Biometric Authentication
• authenticate the user based on one of their physical characteristics
Biometric Accuracy
• never get identical templates
• problems of false match / false non-match
Countermeasures - Admin
• Establish the Administrator account as having no or few privileges
• Use the admin (root) account only when necessary (e.g., not to read email)
• Use longer passwords for admin accounts
• For any system, never retain default passwords!
• Name the Administrator account something else
• Set an account lockout threshold
  - ensure it applies to Administrator, particularly for remote access
Countermeasures - User
• Check for and remove invalid accounts (e.g., accounts not used in 30 days)
• Enforce a strong password policy
• Enable auditing of account logon failures and review event logs regularly
• Implement training & enforcement of policies
• Enable automatic workstation lockout or logoff
Countermeasures – User Access
Apply the Principle of Least Privilege:
• Grant the minimum permissions necessary
• Provide access to files and database segments only as necessary
• Specify as limited permissions (rwx) as possible
• Limit use of admin accounts – no email
• Separation of duties in system administration – the Administrator and a separate log reader
Countermeasures - Computer
• Do not allow boots from floppy or CDs
• Lock up servers to prevent physical access
• Do not use the same password from one machine to the next (minimally, compartmentalize passwords)
• Stop unauthorized access to the password file
Countermeasures - Network
• Restrict access to or disable SMB services on TCP ports 139 & 445 at firewalls
• Monitor with intrusion detection
• Counter sniffing with encrypted network links: e.g., IPSec
• Avoid software which sends passwords or operates in the clear: rlogin, telnet, POP3, alerter, clipbook, …
• Limit permissions on Windows shares (from Everyone – Full Control to Read)
• Eliminate or reduce anonymous or guest access
• Use mail packages that check for viruses.
Summary: Security in Layers
When one layer fails, other layers work.
• Good Security Settings: Logging, Lockout, Multi-factor
• Minimal Permissions: Avoid Root, Auto lockout, Valid accounts
• Good Password: Complex, Long, Memorable