
Computer Security and Penetration Testing

Chapter 6
Encryption and Password Cracking
Objectives
• Understand basic cryptographic principles
• Understand the fundamentals of encryption
• Describe the most common ciphers in use today
• Identify the most common attacks on passwords
• Use various programs for cracking passwords

Computer Security and Penetration Testing 2


Encryption and Password Cracking

• Strong passwords
– Good defense against unwanted entry
• Guessing, stealing, or cracking passwords
– Foundation of defeating any kind of security



Cryptography
• Cryptography
– Algorithm encrypts a ciphertext document from a
plaintext document
– Algorithm decrypts the ciphertext back into plaintext
• Transposition
– Change in the position or order of letters or words
– Does not rely on length of password
– Transposition is based on probabilities
– Anyone can break a transposition cipher based on
frequency of letters



Cryptography (continued)

• Substitution
– Replacement of a letter or group of letters with
another letter or group of letters
– Enigma
• Possibly the most famous substitution cryptography
machine
• Used by the German Army during World War II
– Turing Bombe
• Machine to crack the “Enigma Code”
• Developed by Alan Turing



Cryptography (continued)

• Substitution (continued)
– Colossus
• Programmable computer (1943 by Max Newman)
• Common terms when dealing with cryptography
– Cleartext
– Ciphertext
– Key
– Algorithm
– Hash



Symmetric and Asymmetric Key Encryption
• Encryption can be performed with either a symmetric
key or an asymmetric key



Symmetric Key Encryption
• Sometimes called secret key algorithms
• Uses same key to encrypt and to decrypt the data
• Sender and recipient must have a copy of the key
– Inherent vulnerability of secret key algorithms is that
the key must be transmitted
• Faster than asymmetric key algorithms





Symmetric Key Encryption (continued)
• Stream Ciphers
– Use a key stream to encrypt and decrypt a plaintext
message
• Key stream is similar to a one-time pad
– A list of random numbers from 1 to 25
– Numbers in the one-time pad are added to the letters
in the plaintext to encrypt
• And subtracted from the ciphertext to decrypt
– Algorithm XORs key stream with plaintext message
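Added example, not from the slides, of both key-stream forms described above: the letter-based one-time pad (numbers from 1 to 25 added to encrypt and subtracted to decrypt) and a binary stream cipher that XORs a key stream with the message. The last function is the defender's caveat: if one key stream encrypts two messages, XORing the ciphertexts cancels the key and exposes the XOR of the plaintexts.

```python
import secrets

ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'


def make_pad(length):
    """One-time pad as the slide describes it: random numbers from 1 to 25, one per letter."""
    return [secrets.randbelow(25) + 1 for _ in range(length)]


def otp_encrypt(plaintext, pad):
    """Add each pad number to the matching letter (mod 26); non-letters are dropped."""
    letters = [c for c in plaintext.upper() if c in ALPHABET]
    if len(pad) < len(letters):
        raise ValueError("pad must be at least as long as the message; never reuse it")
    return ''.join(ALPHABET[(ALPHABET.index(c) + k) % 26] for c, k in zip(letters, pad))


def otp_decrypt(ciphertext, pad):
    """Subtract the same numbers to get the plaintext letters back."""
    return ''.join(ALPHABET[(ALPHABET.index(c) - k) % 26] for c, k in zip(ciphertext, pad))


def xor_bytes(a, b):
    """XOR two byte strings of equal length."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(message, key_stream):
    """Binary stream cipher: XOR the key stream into the message. The same call decrypts."""
    if len(key_stream) < len(message):
        raise ValueError("key stream exhausted")
    return xor_bytes(message, key_stream[:len(message)])


def key_stream_reuse_leak(ct1, ct2):
    """Why a key stream must never be reused: the XOR of two ciphertexts made with the
    same key stream equals the XOR of the two plaintexts, because the key cancels out."""
    return xor_bytes(ct1, ct2)
```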



Symmetric Key Encryption (continued)
• Block Ciphers
– Operate on blocks of data
• Algorithm breaks the plaintext document into blocks
(usually 8 or 16 bytes long)
– Operates on each block independently
• Plaintext will always be padded
• Block ciphers allow you to reuse keys



Asymmetric Key Algorithms
• Also called public key algorithms
• Two keys for encrypting and decrypting data
• Each user has a public key and a private key
– Public keys can be sent unencrypted over unsecured
media
• Public key encrypts data
– Private key decrypts data encrypted with public key





Asymmetric Key Algorithms (continued)
• DSA (Digital Signature Algorithm)
– Digital signature connects documents with the holder
of a specific key
– Considered too slow for general encryption
• Digital Time Stamps
– Connects document with a specific time of origination



Cryptanalysis
• Cryptanalyst decodes messages to make them
readable
• First and most important step in cryptanalysis
– Detecting the key values



Description of Popular Ciphers
• Average user tends to confuse the categories within
the cryptographic taxonomy



Symmetrical Key Ciphers
• DES (Data Encryption Standard)
– A block cipher
– Developed in the early- to mid-1970s
– FIPS-approved cryptographic algorithm
– Uses a 56-bit key to encrypt and decrypt
– Breaks the plaintext into 64-bit blocks
• Applies a series of permutations to each block
– Can use same algorithm for encryption and decryption



Symmetrical Key Ciphers (continued)
• Security of DES
– Dependent upon the chosen key
– Susceptible to brute-force attacks
• 3DES (Triple DES)
– Encrypts text three times with DES using different keys
• Speed of 3DES
– Almost three times slower than DES
• Security of 3DES
– Equivalent to single DES using a 112-bit key



Symmetrical Key Ciphers (continued)
• AES (Advanced Encryption Standard)
– Also known as Rijndael
– Block cipher adopted as an encryption standard by the
U.S. government
– Superseded DES in 2001
– Uses a block size of 128 bits, and can use either 128-,
192-, or 256-bit keys
– Input bit sequence is copied to a 4×4 array of bytes
known as the State array
• Transformed via a series of substitutions/transpositions



Symmetrical Key Ciphers (continued)
• Speed of AES
– Faster than DES, but slower than Blowfish
• Security of AES
– All successful attacks upon AES have been through
side-channel attacks
– Side-channel attacks are based on factors other than
the strength of the algorithm



Symmetrical Key Ciphers (continued)
• IDEA (International Data Encryption Algorithm)
– Algorithm developed at ETH Zurich, in Switzerland
– Uses a 128-bit key, and operates on 64-bit blocks
– Uses series of identical operations applied to the data
for both encryption and decryption
• Speed of IDEA
– Somewhat faster than 3DES, but slower than DES
• Security of IDEA
– Resistant to differential cryptanalysis
– Some weak keys are known
Symmetrical Key Ciphers (continued)
• Skipjack
– NSA-developed encryption algorithm that was
developed for use in the Clipper chip
– Uses an 80-bit key size and operates on 64-bit blocks
– Partially vulnerable to differential cryptanalysis
• RC4
– Designed by RSA Data Security, Inc.
– Main benefit of RC4 is its speed
– Can be useful where moderate security is needed



Asymmetric Key Ciphers
• RSA (Rivest, Shamir, and Adleman)
– Most popular public key encryption standard
– RSA develops keys that are the product of two 1024-
bit prime numbers
– Invented in 1977
– RSA is based on the fact that it is very difficult to factor
large numbers
• Security of RSA
– Some progress has been made in factoring large
(300+ digit) numbers



Asymmetric Key Ciphers (continued)
• Diffie-Hellman
– Allows two parties who do not have prior knowledge of
each other to establish a shared secret key
• Over a public, insecure channel
– Currently considered secure
• DSS (Digital Signature Standard)
– Based on the Digital Signature Algorithm (DSA)
– Used to generate digital signatures for authentication
of electronic documents
– Combination of public key cryptography and a hash
function
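Added example (not from the slides) of the two public key schemes above: textbook RSA with toy primes, including a trial-division factoring of the toy modulus to show why the security claim rests on factoring being hard, and a Diffie-Hellman exchange with both sides' messages. The primes, generator and message values are toy sizes constructed for illustration; real keys use primes of the sizes the slides mention.

```python
import secrets
from math import gcd


def rsa_keygen(p, q, e=65537):
    """Textbook RSA from two primes (toy sizes here; real keys use 1024-bit primes and up)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (n, e), (n, d)          # public key, private key


def rsa_encrypt(public_key, m):
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than the modulus")
    return pow(m, e, n)


def rsa_decrypt(private_key, c):
    n, d = private_key
    return pow(c, d, n)


def private_key_from_factoring(public_key):
    """RSA's security rests on factoring being hard: for this toy modulus trial division
    finds p and q at once, and with them the private exponent."""
    n, e = public_key
    p = next(x for x in range(2, int(n ** 0.5) + 1) if n % x == 0)
    q = n // p
    return (n, pow(e, -1, (p - 1) * (q - 1)))


def dh_keypair(p, g):
    """Diffie-Hellman: private exponent x, public value g^x mod p.
    Real deployments use a large standardised group (e.g. RFC 3526); p=23 below is a toy."""
    x = secrets.randbelow(p - 2) + 1        # 1 <= x <= p-2
    return x, pow(g, x, p)


def dh_shared_secret(peer_public, private, p):
    """Reject degenerate peer values (0, 1, >= p) that would force a trivial secret."""
    if not 1 < peer_public < p:
        raise ValueError("invalid peer public value")
    return pow(peer_public, private, p)


def dh_exchange(p, g):
    """Both sides of the exchange over a public channel; only the public values are sent."""
    a_priv, a_pub = dh_keypair(p, g)
    b_priv, b_pub = dh_keypair(p, g)
    transcript = [("A->B", a_pub), ("B->A", b_pub)]      # what an eavesdropper sees
    k_a = dh_shared_secret(b_pub, a_priv, p)
    k_b = dh_shared_secret(a_pub, b_priv, p)
    return k_a, k_b, transcript
```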
Asymmetric Key Ciphers (continued)
• Elliptic Curve Cryptosystems
– Elliptic curves are harder to solve than factoring the
products of large prime numbers
– Elliptic curves, as used in cryptography, are mainly
defined over finite fields
– Shorter keys can be used
• Neo for Java
– Uses a matrix of 251 8-bit numbers
– Said to be the equivalent of RSA-1024



Asymmetric Key Ciphers (continued)
• Lattice-Based Cryptosystems
– Based on NP-complete problems involving geometric
shapes built of lines or vectors
– Lattice-based systems have not proven to be effective
for cryptography
• As they are too slow in practice



Cryptographic Hash Functions
• Hash functions are used in cryptography to
transform variable-length input into a fixed-size hash value
• Hashes are often referred to as “digital fingerprints”
• One-way hashes
– Easy to create the hash from the input data, but very
difficult to recreate the input data from the hash
• Message Digest Algorithm 5 (MD5)
– Secure hash algorithm developed in 1992 by Rivest
– Operates on input data using 512-bit blocks, and
produces a 128-bit hash value



Cryptographic Hash Functions (continued)
• SHA, SHS (Secure Hash Algorithm)
– Developed by the U.S. government and adopted as a
FIPS standard
– Several variations of SHA hash functions exist
– Operates on either 512-bit blocks or 1024-bit blocks
– SHA-1 hashes are 160 bits long
– SHA-2 variants produce larger hashes (224, 256, 384, and
512 bits)
– Considered superior to MD5
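Added example, not from the slides: Python's hashlib reports the block and digest sizes quoted above, produces the fixed-length fingerprint of any input, shows the avalanche effect (one flipped input bit changes about half of the output bits), and compares a digest against a published one in constant time. The test vectors are the standard ones for the string "abc".

```python
import hashlib
import hmac

ALGORITHMS = ("md5", "sha1", "sha224", "sha256", "sha384", "sha512")


def hash_sizes():
    """Block size and digest size in bits for the algorithms the slides cover."""
    return {name: (hashlib.new(name).block_size * 8, hashlib.new(name).digest_size * 8)
            for name in ALGORITHMS}


def fingerprint(data, algo="sha256"):
    """The 'digital fingerprint' of a message: fixed length whatever the input length."""
    return hashlib.new(algo, data).hexdigest()


def bits_changed(a, b):
    """Number of differing bits between two equal-length digests."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche(data, algo="sha256"):
    """Flip a single input bit and count how many output bits change (about half, ideally)."""
    flipped = bytes([data[0] ^ 0x01]) + data[1:]
    h1 = hashlib.new(algo, data).digest()
    h2 = hashlib.new(algo, flipped).digest()
    return bits_changed(h1, h2), len(h1) * 8


def verify_fingerprint(data, published_hex, algo="sha256"):
    """Integrity check of a download against its published digest, compared in constant time."""
    return hmac.compare_digest(fingerprint(data, algo), published_hex.lower())
```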



Attacks on Passwords
• Password protection is open to many kinds of attack
– From dictionary attacks to sheer guesswork



Dictionary Attacks
• Guessing passwords by using a list of common
words
• Can determine the key necessary to decrypt an
encrypted document
• Usually do not work against complex passwords
• Crackers need the file that contains the passwords
of the target
• Defense: limit the number of guesses allowed before
the user is locked out



Dictionary Attacks (continued)
• Hybridization attacks
– Guess passwords by creating new words
– Add letters or numbers to every word in a dictionary
– Some hybridization methods use a number spread
• Insert numbers into passwords
– Duplication: duplicating a word to form a new word
– Substituting with symbols: replacing letters in words
with symbols that look similar to the missing letters





Dictionary Attacks (continued)
• Guidelines to protect against dictionary and
hybridization attacks
– Avoid using the same password for everything
– Avoid using one’s own name in a password, as well as
that of a child, spouse, friend, or pet
– Avoid using common words or names for passwords
– Include random letters, numbers, and characters
– Avoid writing down difficult passwords where they
might easily be found
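Added example (not from the slides) that applies the guidelines above and the hybridization rules of the previous slides from the defender's side: a registration-time checker that strips appended numbers and symbols, undoes look-alike symbol substitution, duplication and number spread, and looks the resulting base word up in a wordlist. The wordlist and the look-alike table are small constructed stand-ins for a real dictionary file.

```python
import re

# Constructed mini wordlist standing in for a real dictionary / common-password file.
WORDLIST = {"password", "letmein", "welcome", "dragon", "sunshine", "qwerty", "monkey"}

# Look-alike symbols and digits that hybridization attacks substitute for letters.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s", "!": "i"})


def _strip_ends(f):
    """Drop numbers/symbols appended or prepended to a word: dragon2024! -> dragon."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", f)


def _undo_duplication(f):
    """dragondragon -> dragon."""
    half = len(f) // 2
    return f[:half] if f and len(f) % 2 == 0 and f[:half] == f[half:] else f


def base_words(pw):
    """All plausible base words a hybridization attack could have started from."""
    forms = {pw.lower()}
    steps = (
        _strip_ends,
        lambda f: f.translate(LEET),                # symbol substitution: p@ssw0rd -> password
        _strip_ends,
        _undo_duplication,
        lambda f: re.sub(r"[^a-z]", "", f),         # number spread: pass1word -> password
    )
    for step in steps:
        forms |= {step(f) for f in forms}
    return forms


def audit_password(pw, wordlist=WORDLIST, min_len=12):
    """Reasons a proposed password is weak; an empty list means it passes the policy."""
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        reasons.append("uses fewer than three character classes")
    hits = base_words(pw) & set(wordlist)
    if hits:
        reasons.append("derived from dictionary word(s): " + ", ".join(sorted(hits)))
    return reasons
```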



Brute-Force Attacks
• Use all possible combinations of letters, numbers, and
special characters to determine the target password
• Very time consuming and requires patience
• Slow compared to dictionary attacks
• Need a large amount of RAM and a fast processor
• Most effective when the encrypted document or
password hash file
– Can be extracted from the target system and tested on
an anonymous offline location



Observation
• “Snooping,” “eavesdropping,” or “shoulder-surfing”
• Used whenever an attacker has physical proximity
– And can literally watch the victim type in their
username and password



Keyloggers
• Records every key pressed on the target’s computer
• Can easily be installed on any computer
• Keyloggers are generally invisible to the victim



Social Engineering
• Cracker can pretend to be a legitimate user of the
target system
– And extract information simply by asking
• People behave naively when a so-called computer
expert questions them
• Another form of social engineering is called phishing



Sniffing Methods
• Crackers use packet sniffers
– To catch cleartext passwords from protocols such as
Telnet, FTP, and POP3



Password File Stealing
• Cracker can steal or copy the files where the
password hashes are stored
– From the victim’s computer
• Cracker can take all the time necessary to perform a
brute-force attack
• Sometimes passwords are not stored in the main
system but in a shadow file
– Readable only by users with administrative privileges
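Added example (not from the slides) of how a stored password file is hardened against the offline brute-force and dictionary attacks described in the preceding slides: a random per-user salt plus PBKDF2-HMAC-SHA256 with a high iteration count, beside the unsalted MD5 form for contrast. The record format is an assumption of this example, not something the slides specify.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000        # PBKDF2-HMAC-SHA256 work factor; raise it as hardware gets faster


def hash_password(password, iterations=ITERATIONS):
    """Record = algorithm $ iterations $ salt $ digest. A fresh random salt per user means
    two users with the same password get different records, so one precomputed table cannot
    be reused across a stolen file, and the iteration count slows every offline guess."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute with the stored salt and parameters; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def unsalted_md5(password):
    """The weak form for contrast: identical passwords give identical hashes, so a single
    table of precomputed digests covers every user who chose the same word."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()
```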



Password Crackers
• Some widely used cracker programs are:
– Cain and Abel
– Crack
– John the Ripper
– Telnet_crack
– THC Hydra
– L0phtCrack



Crack
• Alec Muffet designed Crack for UNIX-based systems
in 1991
• Scans UNIX password files and then extracts weak
logon passwords
• Can also detect encrypted ciphertext by using the
crypt(3) algorithm



John the Ripper
• A fast password cracker
• Currently available for many versions of UNIX, DOS,
Win32, BeOS, and OpenVMS
• Primary purpose is to detect weak UNIX passwords
• Can edit its dictionary to add more common words
• Modes
– Wordlist mode, single-crack mode, incremental mode,
and external mode



THC Hydra
• Useful network authentication cracker which
supports many different services



L0phtcrack and Lc5
• Developed to help system administrators and
security professionals
– Check password weaknesses of the Windows NT
operating system
• The company that owned L0phtCrack, the @Stake
company, was purchased by Symantec
• Symantec has discontinued support



Summary
• Requiring the use of effective, strong passwords is
one of the best ways to secure a network against
attackers
• Basic types of cryptography include transposition and
substitution ciphers
• Encryption can be performed using either symmetric
key algorithms or asymmetric key algorithms
• Popular symmetric key ciphers include DES, 3DES,
AES (Rijndael), IDEA, Skipjack, and RC4



Summary (continued)
• Popular asymmetric key ciphers include RSA, Diffie-
Hellman, DSS, and elliptic curve cryptography
• Cryptographic hash functions generate a fixed-size
hash value from a message of any length
• Effective password security depends on choosing
strong passwords
• Common attacks on passwords include technical
measures and physical techniques
• Password-cracking programs are readily available



Computer Security and Penetration Testing

Chapter 7
Spoofing
Objectives

• Understand the mechanics of spoofing
• Describe the consequences of spoofing
• Define various types of spoofing
• List and describe some spoofing tools
• Learn how to defend against spoofing



Spoofing

• Spoofing
– A sophisticated way to authenticate one machine to another by using forged packets
– Misrepresenting the sender of a message to cause the human recipient to behave a certain way
• Two critical issues for internetworked systems
– Trust
– Authentication





Spoofing (continued)

• Authentication is less critical when there is more trust
• A computer can be authenticated by its IP address, IP host address, or MAC address
• TCP/IP has a basic flaw that allows IP spoofing
• Trust and authentication have an inverse relationship
• Initial authentication is based on the source address in trust relationships
• Most fields in a TCP header can be changed (forged)



The Process of an IP Spoofing Attack

• A successful attack requires more than simply forging a single header
– Requires sustained dialogue between the machines for a minimum of three packets
• IP takes care of the transport between machines
– But IP is unreliable
• TCP is more reliable and has features for checking received packets
– TCP uses an indexing system to keep track of packets and put them in the right order



The Process of an IP Spoofing Attack (continued)

• To spoof a trusted machine relationship, the attacker must:
– Identify the target pair of trusted machines
– Anesthetize the host the attacker intends to impersonate
– Forge the address of the host the attacker is pretending to be
– Connect to the target as the assumed identity
– Accurately guess the correct sequence



The Process of an IP Spoofing Attack (continued)

• You can use any network protocol analyzer to monitor your LAN
• You can anesthetize, or stun, the host that you want to impersonate
– By performing a SYN flood (or SYN attack), Ping of Death, or some other denial-of-service attack

The Process of an IP Spoofing Attack (continued)

• Forging the address of the stunned host could be done with the same utility
– Used to stun the trusted machine
• Big problem is guessing something close to the correct incremented victim-side sequence number
• ISNs are not random, so the guess is not random
• Sequence numbers start at 1 when the machine is booted up and incremented by fixed values
• See Table 7-2





The Process of an IP Spoofing Attack (continued)

• Once the hacker has put the trusted machine to sleep with a SYN attack
– Sends a SYN packet to the victim machine
• Hacker should connect to the victim machine several times on port 23 or 25
– To get an idea of how quickly the ISN advances
• Attacker also needs to deduce the packet’s round-trip time (RTT)
• When the attack is done, the trusted machine must be released and returned to normal
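Added example (not from the slides) that models the three-packet exchange and the sequence-number guess described in this section as a check on a server's ISN generator: the fixed-increment scheme the slides describe beside an RFC 6528-style generator, which is what the later recommendation to use random ISNs means in practice. It runs entirely in memory; the addresses, ports and step value are constructed.

```python
import hmac
import secrets
import time


class FixedIncrementIsn:
    """The scheme the slides describe: ISN starts at 1 at boot and grows by a fixed step
    per connection, so anyone who has seen one ISN can compute the next."""
    def __init__(self, step=64000):
        self.value, self.step = 1, step

    def next_isn(self, local_ip, local_port, remote_ip, remote_port):
        self.value = (self.value + self.step) & 0xFFFFFFFF
        return self.value


class Rfc6528Isn:
    """Mitigation: ISN = M + F(local ip, local port, remote ip, remote port, secret),
    with M a 4-microsecond clock and F a keyed hash, as in RFC 6528."""
    def __init__(self):
        self.secret = secrets.token_bytes(32)

    def next_isn(self, local_ip, local_port, remote_ip, remote_port):
        m = int(time.monotonic() * 250_000) & 0xFFFFFFFF
        tuple_bytes = f"{local_ip}:{local_port}:{remote_ip}:{remote_port}".encode()
        tag = hmac.new(self.secret, tuple_bytes, "sha256").digest()
        return (m + int.from_bytes(tag[:4], "big")) & 0xFFFFFFFF


class HandshakeServer:
    """The three-packet exchange: SYN in, SYN/ACK out, and the ACK must carry our ISN + 1."""
    LOCAL_IP, LOCAL_PORT = "10.0.0.5", 23        # constructed server address

    def __init__(self, isn_generator):
        self.gen, self.half_open = isn_generator, {}

    def on_syn(self, src_ip, src_port, client_seq):
        isn = self.gen.next_isn(self.LOCAL_IP, self.LOCAL_PORT, src_ip, src_port)
        self.half_open[(src_ip, src_port)] = isn
        return {"to": src_ip, "seq": isn, "ack": client_seq + 1}   # SYN/ACK goes to src_ip only

    def on_ack(self, src_ip, src_port, ack):
        isn = self.half_open.pop((src_ip, src_port), None)
        return isn is not None and ack == (isn + 1) & 0xFFFFFFFF


def blind_third_packet_accepted(isn_generator):
    """Audit of an ISN generator: a host that saw one SYN/ACK on its own connection tries
    to supply the third packet for a SYN carrying the trusted host's address (10.0.0.7),
    whose SYN/ACK it never sees. True means the generator is predictable enough."""
    server = HandshakeServer(isn_generator)
    sample = server.on_syn("192.0.2.9", 40000, 1000)["seq"]          # own, legitimate connection
    step = getattr(isn_generator, "step", 0)                          # known only for the fixed scheme
    server.on_syn("10.0.0.7", 1023, 5000)                             # SYN/ACK for this one not observed
    return server.on_ack("10.0.0.7", 1023, (sample + step + 1) & 0xFFFFFFFF)
```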

Costs of Spoofing


• Costs to the victims of successful spoofing attacks
– Are tied to the amount of information that was copied and the sensitivity of the data
– Tangible and intangible losses
• Successful spoof attacker usually leaves back door
– To get back in later



Kinds of Tangible Costs


• Economic Loss
– May occur when valuable data is lost or duplicated
– Surreptitious nature of a successful spoofing attack
• Company might not know what happened or when
• Strategic Loss
– Loss of strategic data that outlines events planned for the future
– Could lead to loss of both money and goodwill for the spoofed company



Kinds of Tangible Costs (continued)


• General Data Loss
– Usually has less of an impact than the first two categories of losses
– Comes from unsecured documents used by employees
• Working on various projects or engaged in the day-to-day business of the company



Types of Spoofing

• Main categories of spoofing include the following:
– Blind spoofing
– Active spoofing
– IP spoofing
– ARP (Address Resolution Protocol) spoofing
– Web spoofing
– DNS (Domain Name System) spoofing



Blind Spoofing

• Any kind of spoofing where only one side of the relationship under attack is in view
• Hacker is not aware of all network conditions
– But uses various means to gain access to the network

Active Spoofing

• Hacker can see both parties, observe the responses from the target computer, and respond accordingly
• Hacker can perform various exploits, such as
– Sniffing data, corrupting data, changing the contents of a packet, and even deleting some packets



IP Spoofing

• Consists of a hacker accessing a target disguised as a trusted third party
• Can be performed by hackers through either blind or active methods of spoofing



ARP Spoofing

• Modifying the Address Resolution Protocol (ARP) table for hacking purposes
• ARP table stores the IP address and the corresponding Media Access Control (MAC) address
• Router searches the ARP table for the destination computer’s MAC address
• ARP spoofing attack involves detecting broadcasts, faking the IP address
– And then responding with the MAC address of the hacker’s computer



Web Spoofing

• Hacker spoofs an IP address through a Web site
• Hacker can transfer information or get information
• Hacker can spoof using a strategy
– That ensures that all communication between the Web site and the user is directed to the hacker’s computer
• Hacker may also falsely acquire a certificate used by a Web site



DNS Spoofing

• Hacker changes a Web site’s IP address to the IP address of the hacker’s computer
• Altering the IP address directs the user to the hacker’s computer
• User is accessing the hacker’s computer
– Under the impression that he or she is accessing a different, legitimate, site

Spoofing Tools

• This section covers the following spoofing tools and their uses:
– Apsend
– Ettercap
– Arpspoof



Ettercap

• Provides a list of options that can be used to perform various spoofing operations
– See Table 7-3
• Hacker selects the action to perform from multiple options, including
– ARP poisoning
– Viewing interface
– Packet filtering/dropping



Ettercap (continued)

• Ettercap works on the following platforms:
– Linux 2.0.x - 2.4.x
– FreeBSD 4.x
– OpenBSD 2.[789], 3.0
– NetBSD 1.5
– Mac OS X (Darwin 1.3, 1.4, 5.1)



Arpspoof

• Part of the dsniff suite
• Can be used to spoof ARP tables
• General syntax
– arpspoof [-i interface] [-t target] host
• Changes the MAC address specified for the IP address of the destination computer
– In the ARP table of the source computer



Prevention and Mitigation

• To avoid or defend against IP spoofing:
– Wherever possible, avoid trust relationships that rely upon IP address only
– On Windows systems—If you cannot remove it, change the permissions on the $systemroot$\hosts file to allow read-only access
– On Linux systems—Use TCP wrappers to allow access only from certain systems
– Install a firewall or filtering rules
– Use encrypted and secured protocols like IPSec
– Use random ISNs
Prevention and Mitigation (continued)

• To avoid or defend against ARP poisoning:
– Use methods to deny changes without proper authorization to the ARP table
– Employ static ARP tables
– Log changes to the ARP table
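Added example (not from the slides) of the two ARP defenses above, pinning static entries and logging changes, run over a constructed list of ARP replies that reproduces the poisoning pattern described in the ARP Spoofing slide: one adapter starts answering for the gateway's IP and for another host's IP.

```python
from collections import defaultdict

# Constructed sample of ARP replies seen on one LAN segment: (seconds, sender IP, sender MAC).
ARP_REPLIES = [
    (1.0, "10.0.0.1", "00:11:22:33:44:01"),    # the gateway announces itself
    (1.5, "10.0.0.20", "00:11:22:33:44:20"),
    (2.0, "10.0.0.21", "00:11:22:33:44:21"),
    (9.0, "10.0.0.1", "00:11:22:33:44:21"),    # gateway IP now claimed by .21's adapter
    (9.2, "10.0.0.20", "00:11:22:33:44:21"),   # and .20's too: both ends of a conversation
]

# Entries the administrator pinned (static ARP table); replies never overwrite them.
STATIC_ARP = {"10.0.0.1": "00:11:22:33:44:01"}


def monitor_arp(replies, static=STATIC_ARP):
    """Maintain a cache from observed replies, refuse changes to static entries, and log
    every IP-to-MAC change plus any MAC that answers for more than one IP."""
    cache = dict(static)
    claimed = defaultdict(set)          # MAC -> set of IPs it has answered for
    log = []
    for ts, ip, mac in replies:
        known = cache.get(ip)
        if known is not None and known != mac:
            kind = "STATIC_VIOLATION" if ip in static else "MAC_CHANGE"
            log.append(f"{ts:6.1f} {kind} {ip}: {known} -> {mac}")
        if ip not in static:
            cache[ip] = mac             # dynamic entries are learned; the change is logged above
        claimed[mac].add(ip)
        if len(claimed[mac]) > 1:
            log.append(f"{ts:6.1f} MULTI_IP {mac} answers for {', '.join(sorted(claimed[mac]))}")
    return cache, log
```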



Summary

• Spoofing definitions
• Trust and authentication are at the heart of internetworking
• A successful IP spoofing attack requires a complete, sustained dialogue between the machines for a minimum of three packets
• Steps to spoof a trusted machine relationship
• The costs to the victims of successful spoofing attacks are tied to the amount of information that was copied and the sensitivity of the data



Summary (continued)

• Types of spoofing: blind spoofing, active spoofing, IP spoofing, ARP spoofing, Web spoofing, and DNS spoofing
• Apsend, Ettercap, and Arpspoof are three common spoofing tools
• To avoid or defend against IP spoofing, avoid IP-address-based trust relationships, install a firewall, use encrypted protocols, and use random ISNs



Summary (continued)

• To avoid or defend against ARP poisoning, use methods to deny changes without proper authorization to the ARP table, employ static ARP tables, and log changes to the ARP table
