Friday, May 29, 2009

Password cracking: Time honored hack

We are in the process of writing a CEH exam review guide. While writing or reading the chapter that deals with password cracking, the inevitable philosophies and puzzles arise. A topic that at times feels stale and routine is renewed once you really dive into it and work through the possible situations.

Credentials are a balance between usability, invasiveness, risk, and cost. Every time a "perfect" solution is presented, a "yeah, but..." follows.

Because passwords are the easiest and cheapest way to implement credentials, they are the most popular. In some systems the password unlocks an asymmetric key, which in turn protects the symmetric key that protects the data; the whole chain is then only as strong as the password at its head. In some respects one could argue that making a password the primary access point defeats the purpose and introduces risk itself.(1)

Password cracking is a whole industry.(2) Distributed Network Attack (DNA) products, parallel processing and advances in hash collision detection are ongoing efforts with big money behind them.

I ran across a spreadsheet that helps calculate password cracking time measured against enforced policies.(3)
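The arithmetic behind such a spreadsheet is easy to reproduce, and doing so makes the trade-offs concrete. The script below is an added example, not the spreadsheet from the link or anything from the CEH material: it computes the exact keyspace for a policy that requires one character from each of several classes (inclusion-exclusion, so that "at least one digit and one uppercase" is counted correctly rather than approximated with the full alphabet), derives the expected brute-force time at a given guess rate, and checks whether that time outlasts the rotation period. The guess rate, the 33-symbol class size and the sample policies are assumptions chosen for illustration.

```python
from itertools import combinations

# Character-class sizes on a US keyboard.  The symbol count (33 printable
# non-alphanumerics including space) is an assumption; adjust to the policy.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def keyspace(length, required):
    """Count passwords of exactly `length` characters, drawn from the union of
    the `required` classes, that contain at least one character from EVERY
    required class.  Inclusion-exclusion over the subset of classes left out
    gives the exact count; it is 0 when length < len(required)."""
    sizes = [CLASSES[c] for c in required]
    total = 0
    for k in range(len(sizes) + 1):
        for left_out in combinations(range(len(sizes)), k):
            alphabet = sum(s for i, s in enumerate(sizes) if i not in left_out)
            total += (-1) ** k * alphabet ** length
    return total


def expected_seconds(length, required, guesses_per_second):
    """Expected time to hit the password by brute force: on average half the
    keyspace is tried before the right guess lands."""
    return keyspace(length, required) / (2 * guesses_per_second)


def policy_outlasts_rotation(length, required, guesses_per_second, rotation_days):
    """True if the expected crack time for a minimum-length password exceeds
    the rotation period, i.e. the password is likely retired before it falls.
    Budget against the policy MINIMUM length: attackers enumerate short
    lengths first, so the shortest permitted password is the cheapest."""
    return expected_seconds(length, required, guesses_per_second) > rotation_days * 86400


def human(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    # Guess rate is a placeholder for a fast unsalted hash on commodity GPUs
    # (an assumption); slow salted hashes cut it by orders of magnitude.
    rate = 1e9
    policies = {
        "7 chars, lowercase only":    (7, ["lower"]),
        "8 chars, all four classes":  (8, ["lower", "upper", "digit", "symbol"]),
        "10 chars, all four classes": (10, ["lower", "upper", "digit", "symbol"]),
        "14 chars, letters only":     (14, ["lower", "upper"]),
    }
    for name, (n, req) in policies.items():
        t = expected_seconds(n, req, rate)
        verdict = "OK" if policy_outlasts_rotation(n, req, rate, 90) else "cracked before rotation"
        print(f"{name:28s} keyspace={keyspace(n, req):.3e}  expected={human(t):>14s}  {verdict}")
```

The numbers only describe exhaustive search; a dictionary or rule-based attack against the passwords people actually choose finishes far sooner, which is why the "yeah, but..." never goes away.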

(1) http://searchwinit.techtarget.com/news/article/0,289142,sid1_gci850470,00.html
(2) http://www.infoworld.com/d/security-central/vendors-release-password-cracking-management-tools-737
(3) http://infoworld.com/d/security-central/test-strength-your-password-policy-437

Friday, May 22, 2009

Botnets succeed with the basics

On April 1st we thought the Conficker botnet would unload a maelstrom on us. It didn't.

Although many countries recognize this as a day of pranks, Conficker is a worldwide infection and most of its victims couldn't care less about April Fools' Day. The prank, however, is starting to become clear to researchers.

It turns out that some of the major variants of the malware are selling people fake security software.(1) Basic social engineering meets a vulnerability that already has a patch (MS08-067, the Server service RPC flaw Microsoft fixed out of band in October 2008). In fairness, the vulnerability was once a 0-day (day zero of vendor awareness), but as of January 2009 many systems remained unpatched.(2) For more information please take a moment to read the links below, and visit the CVE(3) and working group(4) pages for the infection.

These are the fundamentals we discuss in the CEH class. The variables of any attack change: the exploit, the access, and the vulnerability. The fundamentals are like the scales a musician learns. They are basic, they work, and they are still the tune played in every attack.

To scan for Conficker, download the latest version of nmap and run the following command:
nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 IP

(Where IP is the address or range of the target being scanned. The safe=1 argument restricts the script to checks it considers safe for the target; leave it in when scanning production hosts. In current nmap releases smb-check-vulns has since been split into smb-vuln-ms08-067 and smb-vuln-conficker, and -PN is now spelled -Pn.)
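Once that command has been run across a range with -oX, the results need sorting into hosts to isolate, hosts to patch, and hosts the script could not reach. The parser below is an added example, not part of the original post or of nmap itself: it reads nmap's XML output, pulls the smb-check-vulns verdicts per host, and buckets them. The sample XML is constructed here; its element layout follows nmap's XML schema, but the script output lines are modelled on the smb-check-vulns wording of the period and are an assumption, not captured scan data.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output for four hosts (not real scan data).
# Script output text is an assumption modelled on 2009-era smb-check-vulns.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 -oX - 192.0.2.8/29">
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
<hostscript><script id="smb-check-vulns" output="&#xa;MS08-067: VULNERABLE&#xa;Conficker: Likely INFECTED (by Conficker.C or lower)&#xa;regsvc DoS: CHECK DISABLED (add --script-args=unsafe=1 to run)"/></hostscript>
</host>
<host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
<hostscript><script id="smb-check-vulns" output="&#xa;MS08-067: VULNERABLE&#xa;Conficker: Likely CLEAN&#xa;regsvc DoS: CHECK DISABLED (add --script-args=unsafe=1 to run)"/></hostscript>
</host>
<host><status state="up"/><address addr="192.0.2.12" addrtype="ipv4"/>
<hostscript><script id="smb-check-vulns" output="&#xa;MS08-067: NOT VULNERABLE&#xa;Conficker: Likely CLEAN&#xa;regsvc DoS: CHECK DISABLED (add --script-args=unsafe=1 to run)"/></hostscript>
</host>
<host><status state="up"/><address addr="192.0.2.13" addrtype="ipv4"/></host>
</nmaprun>
"""


def parse_check_vulns(xml_text):
    """Map each scanned IPv4 address to {check name: verdict} taken from the
    smb-check-vulns script output.  Hosts where the script produced nothing
    (ports closed, SMB filtered, host down) map to an empty dict so they are
    not silently mistaken for clean."""
    results = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        checks = {}
        for script in host.iter("script"):
            if script.get("id") != "smb-check-vulns":
                continue
            for line in script.get("output", "").splitlines():
                if ":" in line:
                    name, _, verdict = line.partition(":")
                    checks[name.strip()] = verdict.strip()
        results[addr_el.get("addr")] = checks
    return results


def triage(results):
    """Bucket hosts for the responder.  Note the substring trap: the verdict
    'NOT VULNERABLE' contains 'VULNERABLE', so match on how the verdict
    starts rather than with a plain `in` test."""
    infected, unpatched, unknown = [], [], []
    for addr, checks in sorted(results.items()):
        if not checks:
            unknown.append(addr)          # needs a second look, not a pass
            continue
        if checks.get("Conficker", "").startswith("Likely INFECTED"):
            infected.append(addr)
        if checks.get("MS08-067", "").startswith("VULNERABLE"):
            unpatched.append(addr)
    return {"infected": infected, "unpatched": unpatched, "unknown": unknown}


if __name__ == "__main__":
    for bucket, hosts in triage(parse_check_vulns(SAMPLE_XML)).items():
        print(f"{bucket:9s} {', '.join(hosts) or '-'}")
```

Run the real scan with -oX scan.xml and feed that file to parse_check_vulns instead of SAMPLE_XML. Treat the "unknown" bucket as work, not as clean: a host that answers on neither 139 nor 445 from the scanner's vantage point may still be infected and reachable from elsewhere.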

Links:

(1) http://www.darknet.org.uk/2009/04/conficker-finally-awakes-dumps-payload/
(2) http://en.wikipedia.org/wiki/Conficker
(3) http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
(4) http://www.confickerworkinggroup.org/wiki/

Wednesday, May 20, 2009

Everyone, it seems, is "tweeting".

CNN has a Twitter board where zebranuts47 can share political insight with us in less than 140 characters. NBA players are tweeting at half time during the playoffs. Politicians are letting us know where they are and what they are doing, much to the chagrin of their security details.

I am fascinated by this process and wondered if I am being left out.

In the last six months I have been taking informal polls during class and asking students what they think of Twitter. About half, to be fair, have no idea what it is. The other half looks at me with a strange expression.

I pull up the website on the overhead projector and it says "Twitter is a service for friends, family, and co-workers to communicate and stay connected through the exchange of quick, frequent answers to one simple question: What are you doing?"

The class is silent and it is as if I can hear them thinking, "isn't the problem obvious?"

Curious as a hacker, I looked into the topic a bit further. I wondered, if someone wanted to let "followers" know exactly what they were doing, how granular this could be. A tech support forum states:

What are the limits?

We're starting with a few limits based on various parameters, and we'll be adding more as time goes on. We reveal some limits only when you reach them, and tell you about others in advance. Twitter applies limits to any person who reaches:
  • 1,000 total updates per day, on any and all devices
  • 250 total direct messages per day, on any and all devices
  • 70 API requests per hour
  • Maximum number of follow attempts in a day
It is a good thing they aren't revealing too much in the error messages except under certain circumstances. We appreciate that. It also seems we can only tell people 1,000 times a day what we are doing at any given moment. What a shame.

Is Twitter narcissism, extreme voyeurism or spam on steroids? Email is a necessity for business, but tweeting is not (yet). People will volunteer their junk to extremes on Twitter because the 140-character limit invites cleverness. Email users can't imagine the ways people will embarrass themselves using the Twitter service.

Regretful tweets are searchable by anyone with an account. To err is human, but to err on Twitter is archived forever. A service called Tweleted allows searching of deleted tweets.

On accessing the site (http://tweleted.com) the following error was given:

"Twitter's losing some messages from public view at the minute. It's not our fault! The results here might be temporarily vanished, not deleted. Click "check »" to be sure."

What data are we missing! (sarcasm)

Last night at the office, my wife called me in a panic: our daughter's bunny (Whiskers) had jumped out of her hands and was playing "you can't get me" by dodging in and out from beneath a car in the driveway. They were still there trying to wait it out when I got home, and the sun was setting soon. I worked like a fiend trying to outsmart that bunny for 20 minutes, doing everything possible to outsmart it. I had the three of us with brooms, down on our bellies, trying to spook it out without killing it, but it just hopped over all of our attempts. We tried to set up a honeypot to lure it in (a pile of lettuce and carrots), and had no luck. I tried to feign kindness, "Come here Whiskers, thatta girl!" and of course, no luck. We tried several other tactics. The ladies were laughing at me as I turned the whole thing into a kind of military exercise: "get to the bunny's flank", "raise the brooms", "close in on the left". The bunny effortlessly evaded us each time, and it seemed to be tireless.

What finally worked was leaving it alone and taking a break. It moved away from the car and started to clean its genitals. That's when I swooped down like a vulture and snatched it.

Some problems require you to try several, several, several different approaches, and then step away from the problem. It's a part of the learning process. A lot of students go through the same pattern in class, banging away at a problem, enlisting the help of the instructor to shine a light on it from a different perspective, and then finally grappling with it and succeeding.

"Happy Wabbit hunting"
-Elmer J. Fudd, MCSE