Password Assessment and Management

This module will address password security. Although user names and passwords are a familiartechnology, most people are not aware of the inherent weaknesses in many of the different passwordbasedauthentication schemes in use today. These weaknesses are important to understand since manynetworks would be compromised if passwords on just a few key machines (such as firewalls, DNSservers, or Windows domain controllers) were known to an attacker.
Nội dung trích xuất từ tài liệu:
Password Assessment and Management Password Assessment and Management Security Essentials The SANS Institute Information Assurance Foundations - SANS ©2001 1This module will address password security. Although user names and passwords are a familiartechnology, most people are not aware of the inherent weaknesses in many of the different password-based authentication schemes in use today. These weaknesses are important to understand since manynetworks would be compromised if passwords on just a few key machines (such as firewalls, DNSservers, or Windows domain controllers) were known to an attacker.Many of us remember how, in the movie Wargames, a teenager breaks into the governments super-secret WOPR computer by guessing the username and password of the scientist who created WOPRssoftware. The teen researched information publicly available about the scientist, and guessed that themans password was the name of his young son -- Joshua. That familiar example illustrates exactly whyit is important not to use words or names that might be associated with a person as passwords. Thesevalues can be guessed by an attacker.Further, most of us are aware that we shouldnt use passwords that are too short (because all charactercombinations can be easily tried) or write passwords on a sticky note and put the note under thekeyboard. But beyond this basic understanding, can we quantify what makes a password difficult toguess when a computer is used as the guessing engine? It turns out that the (sometimes non-intuitive)answer depends on the particular method used to protect the sensitive information.In this module we will explore how and why we strive to protect passwords on the following two levels:• The password files should be protected from reading or theft.• It should be computationally infeasible (ideally) for an attacker to guess the password values evengiven the password files. If an attacker does manage to obtain a copy of a password file, we do not wanthim to be able to use the information contained therein to recover the password values.We will see that the methods used to achieve password protection differ between operating systems,vary in effectiveness, and in some cases have undergone recent evolution. This module will explorecommon password strategies in use today, how these schemes are attacked, and how administrators canmaximize the strength of the password scheme they employ. 3-1 Agenda • What password cracking is • Why it is important • Methods of password cracking • Password cracking in Unix - Crack • Password cracking in Windows - LC3 (L0phtCrack) • Password cracking with John the Ripper Password Assessment and Management - SANS ©2001 2Typically OS file permission schemes are employed to ensure that only privileged users (if any) canaccess password file information. However, attacks exist to circumvent file access restrictions and anattacker may be able to read or obtain a copy of the file. Further, an attacker may have alreadygained sufficient privileges to read the file and wants to harvest other username/passwordcombinations to try on neighboring systems. Because it is possible for an attacker to get a copy ofthe password file, our discussion today will focus most strongly on the process of crackingpasswords. Cracking is the process of attempting to guess passwords given password file information. Wewill start with a discussion of what password cracking is, why it is important, and methods ofpassword cracking. We will then move on to Unix password cracking and concentrate on Crack.Then we will jump to the Microsoft side of the house and cover L0phtCrack (the newest version iscalled LC3). For both packages we will cover how to install and run the program, how to view theresults, how to protect against password cracking, and features of a strong password.At the end of the module we will explore a more recent addition to the cracking toolbox called Johnthe Ripper. John is important due to the tools speed advantages and ability to crack passwordsencoded with a wide range of encryption algorithms. We will see how Crack, LC3, and John evolvedto meet the increased cracking challenges posed by recent upgrades to the Unix and Windowspassword protection mechanisms. 3-2 Why Are Passwords So Important? • First line of defense • Control access • Get additional access • Create back door for future access Password Assessment and Management - SANS ©2001 3Lets back up for a moment and think about why passwords are so important. Passwords are often thefirst line of defense against interactive attacks on a system. Since it is fairly easy for someone tofigure out a user ID, the only thing protecting the system is a user’s password. If an attacker cangather no helpful information to aid in the attack (such as password file contents or sniffed networktraffic) he must resort to either creative or brute force password guessing.If an attacker can at least read the password file or obtain a copy, his chances of successfullyobtaining an actual password increase significantly. Even if the attacker only obtains a lowly user-level password, it is fair to assume that he will log on to the target system as the user and then breakinto root via an operating system hole.Consider this brief example. Most companies have dial-up access for ...