QUIZ 06
QUIZ 06
Password Cracking
Recap
NMAP is one of the tools to perform active scanning
Supported Scanning Mode:
-sS : TCP SYN scan – do not complete 3-way handshake
-sT TCP Connect – completes 3-way handshake
-sF, -sN, -sX : Malformed TCP scan
-sP : ICMP ping only
-sU: UDP
-sO: IP protocol
-sI: Idle scan, required a ‘proxy’ machine that is idle, and ‘guess’ open ports by IPID
-sA: Ack scan: pretend to be ‘established’ connections, use to identify stateful/stateless firewall
-sV: detect service port product and version (uses NSE script)
-O : Detect OS by ‘decision-tree classifier’
https://nmap.org/bennieston-tutorial/#:~:text=The%20two%20basic%20scan%20types,are%20explained%20in%20detail%20below.
NMAP
Most of the scanning required root permission,
except CONNECT
Need to consider situations if your permission is not sufficient to perform other scanning type (-sS)
By default scans 1-1024 TCP ports
Specify –p to specify range ( -p- = all ports)
Need to consider scanning speed, T4, T5 for lab, T4 or lower for production
SMB (Server Message Block)
Typical service found in Windows environment
Version 1(not used), 2 (win vista, win7) and 3 (win8+)
TCP port 139, 445
Mandatory components for Windows AD domain, windows file share, workgroup
SMB not exposed to interfaces set to public or behind firewall
”net use” command to show mounted drives
“net share” command to show shared drives
SMB scanning may get file share, username, hostname of target
Linux platform need to enable service to work on SMB
Samba
CIFS
SSH (Secure Shell)
Common on linux but NOT necessary turned on
Default TCP port 22, traffic is encrypted
Common customized ports: 8022, 2222
Supports multiple authentication methods
Password, authorized_keys, LDAP
Config file located at /etc/ssh/ssh/sshd_config
Default key file located at ~/.ssh/
Default do not allow root user from ssh (configurable)
OpenSSH is one of the most common server
Common clients: ssh, putty,
SFTP (Secure FTP) works over TCP 22 for file transfer only
RDP (Remote Desktop Protocol)
Typically on windows
Default on TCP port 3389m, traffic is encrypted
Capable to mount drives remotely (via SMB)
Clients environment (win7, win10) supports single active session
RDP will terminate current login users
Server environments (Server 2003, 2008, 2012, 2016) supports multiple active RDP sessions
The service supporting RDP is “Terminal Server”
Supporting files on disk
Last connected screenshot stores at RDP Cache
Windows Even Log (Secure) captures login results : RDP = 4624, Type 10
Windows Event Log(Terminal Server) captures user name and session ID
VNC (Virtual Network Computing)
Default TCP port 5900
Default GUI remote desktop for Mac and Linux
Required X11 server (graphic desktop service)
VPN (Virtual Private Network)
PPTP (1723 TCP)
L2TP (1701 TCP, 500 UDP, 4500 UDP)
IPSec (500 UDP, 4500 UDP)
STP (TCP 443)
OpenVPN (TCP/UDP 1194, TCP 443)
QUIZ 06
Password Cracking
Passphrase
Remember RFC1925
Truth #7: It is always something7a (corollary):
Good, Fast, Cheap: Pick any two (you can’t have all three).
This rule applies to pretty much every IT project there is. It’s probably a good idea to always keep it in mind when setting expectations of security implementation projects. A fast, cheap implementation usually will either lack features you need or its performance might not be at the level you wanted.
Same applied to password
A passphrase is a sequence of words or other text used to control access to a computer system, program or data.
A passphrase is similar to a password in usage, but it is generally longer for added security
Different platform have their own preference of
allowed characters
Not allowed characters
Length
Required characters
ATM PIN
ISO 9564 – personal identification number (PIN) management and security in financial services.
PIN length
The standard specifies that PINs shall be from four to twelve digits long, noting that longer PINs are more secure but harder to use. It also suggests that the issuer should not assign PINs longer than six digits.
The inventor of the ATM, John Shepherd-Barron, had at first envisioned a six-digit numeric code, but his wife could only remember four digits, and that has become the most commonly used length in many places
IBM Mainframe
Powering up mainframe
5:00 start up, 8:40 POST screen, 17:30: OS screen
RSA Token
TOTP: Time-Based One-Time Password Algorithm
The RSA SecurID authentication mechanism consists of a “token” — either hardware (e.g. a key fob) or software (a soft token) — which is assigned to a computer user and which creates an authentication code at fixed intervals (usually 60 seconds) using a built-in clock and the card’s factory-encoded almost random key (known as the “seed”)
The algorithm used in RSA tokens (SecurID) is TOTP(Time-Based One-Time Password Algorithm), a hash algorithm. The seed(may generated by a variant of AES-128) was already saved in the token before we using it.
Ref source code:
https://github.com/cernekee/stoken
It offers the factor “Something you have” in authentication
In addition to something you have, you may required to enter Token-PIN (something you known)
Token PIN will NOT be verified
Token have expiring date for battery, technology refreshment requirement
Event_id 4625
4625: An account failed to log on
Identifies the account that requested the logon – NOT the user who just attempted logged on. Subject is usually Null or one of the Service principals and not usually useful information. See New Logon for who just logged on to the system.
Security ID
Account Name
Account Domain
Logon ID
Error code
Status and Sub Status Codes Description (not checked against “Failure Reason:”)
0xC0000064 user name does not exist
0xC000006A user name is correct but the password is wrong
0xC0000234 user is currently locked out
0xC0000072 account is currently disabled
0xC000006F user tried to logon outside his day of week or time of day restrictions
0xC0000070 workstation restriction, or Authentication Policy Silo violation (look for event ID 4820 on domain controller)
0xC0000193 account expiration
0xC0000071 expired password
0xC0000133 clocks between DC and other computer too far out of sync
0xC0000224 user is required to change password at next logon
0xC0000225 evidently a bug in Windows and not a risk
0xc000015b The user has not been granted the requested logon type (aka logon right) at this machine
Mirai 未来
Mirai, Inside of an IoT Botnet
8:30: Lab
9:10: IP range
10:40: start scan
15:30: loged in
List of default passwords from Mirai
root xc3511
root vizxv
root admin
admin admin
root 888888
root xmhdipc
root default
root jauntech
root klv1234
root Zte521
root hi3518
root jvbzd
root anko
root zlxx.
root 7ujMko0vizxv
root 7ujMko0admin
root system
root ikwb
root dreambox
root user
root realtek
root 000000
admin 1111111
admin 1234
admin 12345
admin 54321
admin 123456
admin 7ujMko0admin
admin pass
admin meinsm
tech tech
mother fucker
root 123456
root 54321
support support
root (none)
admin password
root root
root 12345
user user
admin (none)
root pass
admin admin1234
Ashley Madison
Ashley Madison Password leak
Passwords on the live site were hashed using the bcrypt algorithm
A bcrypt hash string is of the form:
$2b$[cost]$[22 character salt][31 character hash] For example:
$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy
\__/\/ \____________________/\_____________________________/
$2a$: The hash algorithm identifier (bcrypt)
10: Cost factor (210 ==> 1,024 rounds)
N9qo8uLOickgx2ZMRZoMye: 16-byte (128-bit) salt, base64-encoded to 22 characters
IjZAgcfl7p92ldGxad68LJZdL17lhWy: 24-byte (192-bit) hash, base64-encoded to 31 characters
Password Salt
Read the S/N and MDL
Fuzzy Match
A rice cooker with FUZZY Logic
The machine uses its senses to observe the rice as it cooks, adjusting for it type and volume, and intervene–by changing the temperature–when necessary.
It’s feedback based algorithm
FUZZY match in password – due to misread
i / 1 / l
U / V
k / K
Fuzzing
Randomness
Emulated random key typed / mouse clicks
Counter-Anti-VM malware
Software automation testing
Targeted
With defined boundaries and test focuses on boundaries
If you know the pattern of partial string, you can FUZZ the string by applying certain permutations / substitutions
It’ used widely to discovery bugs / vulnerabilities
Block Cipher Feedback
Summary of modes
Mode Formulas Ciphertext
Electronic codebook (ECB) Yi = F(PlainTexti, Key) Yi
Cipher block chaining (CBC) Yi = PlainTexti XOR Ciphertexti−1 F(Y, Key); Ciphertext0 = IV
Propagating CBC (PCBC) Yi = PlainTexti XOR (Ciphertexti−1 XOR PlainTexti−1) F(Y, Key); Ciphertext0 = IV
Cipher feedback (CFB) Yi = Ciphertexti−1 Plaintext XOR F(Y, Key); Ciphertext0 = IV
Output feedback (OFB) Yi = F(Yi−1, Key); Y0 = F(IV, Key) Plaintext XOR Yi
Counter (CTR) Yi = F(IV + g(i), Key); IV = token() Plaintext XOR Yi
Levenshtein Distance
Levenshtein distance is a string metric for measuring the difference between two sequences. Informally, the Levenshtein distance between two words is the minimum number of single-character edits (insertions, deletions or substitutions) required to change one word into the other. It is named after the Soviet mathematician Vladimir Levenshtein
also be referred to as edit distance
Determinates how similar two string is
Edit Distance Between 2 Strings – The Levenshtein Distance (“Edit Distance” on LeetCode)
0:30 Definition
Map-Reduce
MapReduce
Used to processing data in parallel
Map – a function to project an input to a function (e.g. Password hash)
Reduce – perform summarization function (process to next password, count basket)
Rainbow Table
Map
Reduce
Salts, Passwords and Rainbow Table Attacks (ITS335, L9, Y14)
15:40: pre-calculated hash
https://www.youtube.com./watch?v=GT_qgImaUS4
XP special (7.5GB)
formerly known as WS-20k
Success rate: 96%
Charset: 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ !”#$%&'()*+,-./:;<=>?@[\]^_`{|}~ (including the space character)
XP german (7.4GB)
formerly known as german
Success rate: 99%
Only for passwords that contain at least one german character (äöüÄÖÜß)
Charset: 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ !”#$%&'()*+,-./:;<=>?@[\]^_`{|}~ äöüÄÖÜß
Rainbow table size
What is the x mean ?
root:x:0:0:admin:/var/root:/bin/sh
root:bJz7PcC1rCRJQ:Root User,,,/bin/sh
Username: It is used when user logs in. It should be between 1 and 32 characters in length.
Password: An x character indicates that encrypted password is stored in /etc/shadow file. Please note that you need to use the passwd command to computes the hash of a password typed at the CLI or to store/update the hash of the password in /etc/shadow file.
User ID (UID): Each user must be assigned a user ID (UID). UID 0 (zero) is reserved for root and UIDs 1-99 are reserved for other predefined accounts. Further UID 100-999 are reserved by system for administrative and system accounts/groups.
Group ID (GID): The primary group ID (stored in /etc/group file)
User ID Info: The comment field. It allow you to add extra information about the users such as user’s full name, phone number etc. This field use by finger command.
Home directory: The absolute path to the directory the user will be in when they log in. If this directory does not exists then users directory becomes /
Command/shell: The absolute path of a command or shell (/bin/bash). Typically, this is a shell. Please note that it does not have to be a shell. For example, sysadmin can use the nologin shell, which acts as a replacement shell for the user accounts. If shell set to /sbin/nologin and the user tries to log in to the Linux system directly, the /sbin/nologin shell closes the connection.
If no ”x” or “*” in passwd
crypt() is the password encryption function.
It is based on the Data Encryption Standard algorithm with variations intended (among other things) to discourage use of hardware implementations of a key search.
key is a user’s typed password.
salt is a two-character string chosen from the set [a-zA-Z0-9./].
This string is used to perturb the algorithm in one of 4096 different ways.
By taking the lowest 7 bits of each of the first eight characters of the key, a 56-bit key is obtained.
This 56-bit key is used to encrypt repeatedly a constant string (usually a string consisting of all zeros).
The returned value points to the encrypted password, a series of 13 printable ASCII characters (the first two characters represent the salt itself). The return value points to static data whose content is overwritten by each call.
Username : It is your login name.
Password : It is your encrypted password. The password should be minimum 8-12 characters long including special characters, digits, lower case alphabetic and more. Usually password format is set to $id$salt$hashed, The $id is the algorithm used On GNU/Linux as follows:
$1$ is MD5
$2a$ is Blowfish
$2y$ is Blowfish
$5$ is SHA-256
$6$ is SHA-512
Last password change (lastchanged) : Days since Jan 1, 1970 that password was last changed
Minimum : The minimum number of days required between password changes i.e. the number of days left before the user is allowed to change his/her password
Maximum : The maximum number of days the password is valid (after that user is forced to change his/her password)
Warn : The number of days before password is to expire that user is warned that his/her password must be changed
Inactive : The number of days after password expires that account is disabled
Expire : days since Jan 1, 1970 that account is disabled i.e. an absolute date specifying when the login may no longer be used.
Recall – LM hash
Used in old version of Windows
All inputs are converted to UPPER CASE, and null padding to 14-bytes
Max of 7 + 7 = 14 characters
Each 7 bytes was used as Key to encrypt fixed string “KGS!@#$%” using DES
Join two encrypted strings as hash
(SID) Security Identifier
S 1 5 21-3623811015-3361044348-30300820 1013
The string is a SID. The revision level (the version of the SID specification). The identifier authority value. Subauthority value
In this case, a domain (21) with a unique identifier.There may be more than one subauthority,
especially if the account exists on a domain
and belongs to different groups.[1] A Relative ID (RID). Any group or user that is not created by default will have a Relative ID of 1000 or greater.
The format of a SID can be illustrated using the following example: “S-1-5-21-3623811015-3361044348-30300820-1013”;
Discussion:
Random = Strong ?
DEFINE:
Random
Crack SSH Private Key Passwords with John the Ripper [Tutorial]
6:30 SSH2John
10:20 run with pw list
11:30 login with key
DGA
https://github.com/baderj/domain_generation_algorithms
Chinad
8f6bacmw30xxv6sc.cn
486txu3yjly0xcmz.ru
xmi6x8zg9rkanmyo.info
spy1jhdbmvt2ueva.net
evybt5gtf2tprvbi.info
7qbys97e3pcw262c.inf
Kraken/v2
nwpegpjtx.com
smmyuhxlt.net
xjvyvnzivvt.net
lvctmusxcyz.tv
lvctmusxcyz.tv
DGA domain classifier
/docProps/thumbnail.jpeg