Password Cracking with Rainbow Tables
Korhan Bircan, April 23rd, 2008
Introduction to Computer System Security
Outline
• Introduction
• Secure passwords
• Demo
• Hellman’s original method
• Rainbow tables
• Cracking Windows Passwords
• Password crackers
• Protection mechanisms
• Conclusion
Introduction
How passwords are stored
Where passwords are stored
• Windows: C:\WINDOWS\system32\config\SAM
• Linux: /etc/passwd
• MacOS: /var/db/shadow/hash/
Shadow passwords
• /etc/shadow only readable by root
• /etc/passwd file shows a character such as '*' or 'x' instead of the hashed password
Introduction
LanManager Hash
• password converted to uppercase, null-padded or truncated to 14B
• password split into two 7B halves; a zero bit is inserted after every 7th bit, and the resulting 8B halves are used to create two DES keys
• each of these keys is used to DES-encrypt “KGS!@#$%”, resulting in two 8B ciphertext values
• concatenate the two to get the 16B LM hash
supported by all versions of Windows for backwards compatibility
Introduction
NTLM Hash: challenge-response sequence
• Client sends supported or requested features (e.g. encryption key size, mutual authentication etc.)
• Server replies with similar flags plus a random challenge
• Client uses challenge and its credentials to calculate the response
Introduction
Salted hashes: For each password, generate a random number (a nonce). Hash the password with the nonce, and store both the hash and the nonce.
usual approach: hash = md5(“deliciously salty” + password)
• MD5 is broken
• Its modern competitors, like SHA1 and SHA256, are fast, which is a problem.
With 16b hash, there are 2^16 = 65,536 variations to the same password
Speed is exactly what you don’t want in a password hash function. Using raw hash functions to authenticate passwords is as naive as using unsalted hash functions. Don’t.
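The contrast drawn on this slide, as an added example that is not part of the original deck: the fixed-string MD5 scheme next to a per-password random nonce with a slow hash. PBKDF2-HMAC-SHA256 from the Python standard library stands in for an adaptive scheme; the account names, passwords, iteration count and function names are constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

STATIC_SALT = b"deliciously salty"  # the fixed string from the slide

def weak_record(password):
    """The slide's 'usual approach': same salt for everyone, one fast MD5."""
    digest = hashlib.md5(STATIC_SALT + password.encode()).digest()
    return {"salt": STATIC_SALT, "hash": digest}

def strong_record(password, iterations=100_000):
    """Random per-password nonce, stored beside a deliberately slow hash."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": dk}

def verify(password, rec):
    """Recompute with the stored nonce and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             rec["salt"], rec["iterations"])
    return hmac.compare_digest(dk, rec["hash"])

def shared_hashes(db):
    """Audit check: groups of accounts whose stored hashes are identical."""
    groups = defaultdict(list)
    for user, rec in db.items():
        groups[rec["hash"]].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

# Constructed accounts: alice and bob chose the same password.
USERS = {"alice": "Tr0ub4dor", "bob": "Tr0ub4dor", "carol": "correct horse"}
WEAK_DB = {u: weak_record(p) for u, p in USERS.items()}
STRONG_DB = {u: strong_record(p) for u, p in USERS.items()}

if __name__ == "__main__":
    print("identical hashes, fixed salt:", shared_hashes(WEAK_DB))
    print("identical hashes, per-password nonce:", shared_hashes(STRONG_DB))
```

With the fixed string, one precomputed table covers every account and equal passwords are visible in the stored data; with a nonce per password, each record needs its own attack.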
Introduction
How passwords are cracked
• brute force: online vs offline attack. Given enough time and CPU power, the password eventually gets cracked
• dictionary: list of words, encrypt them one at a time and check if hashes are equal
• hybrid: dictionary with mutation filters
Secure Passwords
Password Strength
bit-strength
• [a-z][A-Z][0-9] and symbols = 95 variations per character = log2(95) ~ 6.6b
• 8 character password x 6.6b = 53b
• cracking 72b key using current equipment is estimated to take about 1,453 years
• no digital computer is capable of breaking 128b or 256b encryption
• NIST recommends 80b for most secure passwords ~ 12 character random password from 95 character domain
Secure Passwords
A strong Windows password includes characters from at least three of the following groups:
Use pass phrases, e.g. "I re@lly want to buy 11 Dogs!"
Secure Passwords
• Use >14 characters: it is the limit that DOS network boot disks, Microsoft Remote Installation Services (RIS) Pre eXecutable Environment (PXE) boot disks, and older LAN Manager clients (Win9x) utilize
• Use Alt characters, e.g. Alt+0709 = Å
• Change passwords often
Secure Passwords
Hash rates on an Intel Pentium M 1.60GHz, 512MB RAM (algorithm: hash/sec)
• LM: 1,300,728
• NTLM: 2,623,294
• SHA1: 924,898
• MD5: 3,401,360
Secure Passwords
Key space, N, and time for a plain dictionary attack per algorithm:
• 26 chars, passwd length <= 7: $N = \sum_{i=1}^{7} 26^i = 835.31\,\mathrm{M}$
  SHA1 15.1 min, MD5 4.1 min, NTLM 5.3 min, LM 10.7 min
• 36 chars, passwd length <= 7: $N = \sum_{i=1}^{7} 36^i = 80.6\,\mathrm{G}$
  SHA1 1.0 day, MD5 6.6 hr, NTLM 8.5 hr, LM 17.2 hr
• 256 chars, passwd length <= 7: $N = \sum_{i=1}^{7} 256^i = 7.2 \times 10^{7}\,\mathrm{G} = 72\,\mathrm{P}$
  SHA1 2468.5 years, MD5 671.2 years, NTLM 870.3 years, LM 1755.3 years
• 26 chars, passwd length <= 14: $N = \sum_{i=1}^{14} 26^i = 6.7 \times 10^{10}\,\mathrm{G} = 67\,\mathrm{E}$
  SHA1 2,297,070.7 years, MD5 624,619.6 years, NTLM 809,881.0 years, LM 1,633,359.2 years
Secure Passwords
Don’t
• use personal information
• use any word in any language spelled forward or backward
• tie passwords to the month
• create new passwords that are substantially similar to ones you've previously used
• use the same password for different systems
Demo Setup
• Create guest account for each student
• Passwords need to be alphanumeric and <15 characters long
• Crack them!
Classical Tables
1980 Martin Hellman: N keys, $N^{2/3}$ operations & memory
ciphertexts are organised in chains, only first and last element stored; k: key, S: cipher, C: ciphertext, P: plaintext, R: reduction function
= and generates a key from another key to form a chain:
m chains of length t are created, first and last elements are stored in a table.
Classical Tables
• To find a key, generate a chain of keys starting with R(C) and up to length t
• If C was indeed obtained with a key used while creating the table then we will eventually generate the key that matches the last key of the corresponding chain
• Using the first key of the chain, the whole chain is regenerated
• The key right before R(C) is the key we are looking for
Classical Tables
There is a chance that chains starting at different keys collide and merge
Probability of finding a key, m rows and t keys:
Probability of finding a key, l tables with different reduction functions:
Classical Tables
False alarms:
• key may be a part of a chain which has the same endpoint but is not in the table
• key is in a chain that is part of the table but which merges with other chains of the table
Merges correspond to the same endpoint and are detected during the sort. They are replaced with new chains.
Bounds and Parameters
Memory: $M = m \times l \times m_0$
Time: $T = t \times l \times t_0$
M: bounds on memory
T: cryptanalysis time
m: number of chains per table
l: number of tables
$m_0$: starting point + end point = 8B
t: average chain length
$t_0$: time to encrypt a plaintext
Rainbow Tables
A rainbow table is a compact representation of related plaintext password chains
Rainbow Tables
Probability of success in an m x t size table:
• start with m1 = m distinct keys in the first column
• in the second column the m1 keys are randomly distributed over the key space of size N, generating m2 keys:
• each column i has mi distinct keys. Success rate of table:
Rainbow Tables
Advantages over classical tables:
• t(t-1)/2 look-ups as opposed to t^2
• merges result in identical endpoints and are thus detectable
• no loops since each reduction function appears once
• constant length rainbow chains
Rainbow Tables
Advantages over classical tables:
• When two chains collide in a single table they merge
• Instead use successive reduction functions 1 to t
• If two chains can collide they merge iff collision appears at the same position in both chains (probability is 1/t)
• If key is found early, gain can be up to a factor of t because while the rainbow table is searched, the amount of calculation increases quadratically to (t^2-1)/2 whereas in classical tables it increases linearly to t^2.
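The chain construction and look-up described on the preceding slides, as an added toy example that is not part of the original deck: a rainbow table with a different reduction function per column, endpoint-based merge detection, and false-alarm handling. MD5 stands in for the unsalted hash, and the 3-letter key space, table parameters and all function names are constructed for illustration.

```python
import hashlib

CHARSET = "abcdefghijklmnopqrstuvwxyz"  # constructed toy key space
PW_LEN = 3
N = len(CHARSET) ** PW_LEN              # 26^3 = 17,576 candidate passwords

def H(pw):
    """The unsalted hash being inverted (MD5 stands in for LM/NTLM)."""
    return hashlib.md5(pw.encode()).digest()

def to_pw(n):
    """Map an index in [0, N) to a password over CHARSET."""
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(CHARSET))
        chars.append(CHARSET[r])
    return "".join(chars)

def R(digest, col):
    """Reduction function for column col: hash -> password, distinct per column."""
    return to_pw((int.from_bytes(digest[:8], "big") + col) % N)

def build_table(m, t):
    """Build m chains of t hash/reduce steps, storing only endpoint -> start."""
    table = {}
    for i in range(m):
        start = pw = to_pw(i * (N // m))
        for col in range(t):
            pw = R(H(pw), col)
        table.setdefault(pw, start)  # identical endpoint = merged chain, dropped
    return table

def lookup(table, target, t):
    """Return a password hashing to target, or None if no chain covers it."""
    for col in range(t - 1, -1, -1):   # guess the column the password sits in
        pw = R(target, col)
        for c in range(col + 1, t):    # finish the chain from that column
            pw = R(H(pw), c)
        if pw not in table:
            continue
        cand = table[pw]               # endpoint hit: replay from the start
        for c in range(col):
            cand = R(H(cand), c)
        if H(cand) == target:          # anything else was a false alarm
            return cand
    return None

T = 60
TABLE = build_table(m=600, t=T)        # stores at most 600 (start, end) pairs
```

Passing `lookup` the hash of a salted password returns `None`, because the table only covers hashes of bare key-space entries.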
Rainbow Tables: Parameter Optimization
• charset [ABCDEFGHIJKLMNOPQRSTUVWXYZ]: keyspace 8353082582, table size 610 MB, success probability 0.9990
• charset [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]: keyspace 80603140212, table size 3 GB, success probability 0.9904
• charset [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+= ]: keyspace 915358891407 (2^39.7), table size 24 GB, success probability 0.99909
• charset [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+=~`[]{}|\:;"'<>,.?/ ]: keyspace 7555858447479 (2^42.8), table size 64 GB, success probability 0.999
Last table would take 41.3 years to generate on my laptop.
Rainbow Tables: Parameter Optimization
• hash: lm
• charset: alpha[numeric]
• len_min: 1
• len_max: 7
• table index: 0:4
• len_chain: 2100
• num_chains: 8000000, 40000000
Password Crackers: RainbowCrack
extract password hashes using pwdump or fgdump
Password Crackers: RainbowCrack
create rainbow tables
sort the tables
Password Crackers: Cain&Abel
Go to “Cracker”, right click to import hashes from pwdump file
Password Crackers: Ophcrack
Live CD: dumps the hashes from the SAM and SYSTEM files and you don’t need to be admin
Limitations of Rainbow Tables
• table generation takes a long time
• false alarms occur often
• simple salting algorithm nullifies rainbow tables
Protection Mechanisms
• Limiting physical access
• Continue to force the use of special characters
• Keep up with updates
• Use Multi-factor authentication, salted hashes
• Use NTLM
• Use secure passwords
Protection Mechanisms
• Use state of the art password schemes
• Use what your operating system gives you (e.g. PHK’s FreeBSD MD5)
• Stanford Secure Remote Password
• Adaptive hashing: bcrypt uses pessimized Blowfish
Conclusion
• Rainbow tables reduce the number of table look-ups by length of chains
• Computations reduced by 2, average case performance even greater
• Some cryptographic systems believed to be secure when implemented can be cracked by anyone today
• Be smart about choosing passwords and storing them
References
• “Making a Faster Cryptanalytic Time-Memory Trade-Off”, Philippe Oechslin, CRYPTO 2003: pp617–630
• “Top 10 Password Crackers”, http://sectools.org/crackers.html
• “Cain&Abel”, http://www.oxid.it/cain.html
• “PWDump”, http://www.foofus.net/fizzgig/pwdump/
• “RainbowCrack”, http://www.antsight.com/zsl/rainbowcrack/
• “Ophcrack”, http://lasecwww.epfl.ch/~oechslin/projects/ophcrack/
• “Winrtgen”, http://www.oxid.it/projects.html
• “Hacking dei Sistemi: Password”, Cardinale, Giacchetti, Giovannetti
• “Mac OS X password hashes”, http://www.macshadows.com/kb/index.php?title=Mac_OS_X_password_hashes
• “Shadow Password”, http://en.wikipedia.org/wiki/Shadow_password
• “Password Cracking”, http://en.wikipedia.org/wiki/Password_cracking
• “Selecting Secure Passwords”, http://www.microsoft.com/smallbusiness/support/articles/select_sec_passwords.mspx