Unit 2: Password Cracking
2.1 Introduction to Password Cracking

A past IBM Cyber Security Intelligence Index report concluded that human error
contributed to 95% of the security breaches it examined.


Human error definitely includes password choices by users.



It also includes password requirements and password storage by systems administrators.



We can say without any hesitation that passwords are a large part of network security.


Hackers can use a technique called "password guessing" in which they manually enter passwords
at a login prompt to gain access to an account when they have a valid user name.



In fact, this is exactly what happened in 2013
when a St. Louis Cardinals executive guessed the password of a former co-worker who used to work
for the Cardinals but moved on to the Houston Astros.



This led to lots of confidential information about players, potential trades,
and scouting reports getting into the hands of a rival executive.



The information was publicly dumped and wound up embarrassing numerous players and teams.



There are tools to automate this guessing process, known as an online attack,
including Medusa, Ncrack, and Hydra.



These tools were built to help companies secure their networks,
as security specialists can test hosts and networking devices for poor passwords.



These tools are used to audit devices as well.



Online attacks can also be used to check that your firewalls, IDSs,
and IPSs detect a server being bombarded with failed login attempts,
and that the targeted accounts lock out after a small number of failures
within a short period.
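The detection side of that check, as an added example that is not part of the original lecture: a small parser and sliding-window counter run over constructed OpenSSH auth.log lines (the host name, PIDs and user names are made up, and 203.0.113.0/24 is a documentation address range). The failure threshold, time window and lockout count are assumptions standing in for whatever a real IDS rule or lockout policy sets.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of OpenSSH auth.log lines (no real host; 203.0.113.0/24 is
# a documentation range). The burst from .5 is an automated online guessing
# attack against several accounts; the single failure from .9 is a user typo.
SAMPLE_LOG = """\
Mar  3 10:15:01 bastion sshd[4120]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:15:02 bastion sshd[4120]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Mar  3 10:15:02 bastion sshd[4122]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar  3 10:15:03 bastion sshd[4124]: Failed password for root from 203.0.113.5 port 51237 ssh2
Mar  3 10:15:04 bastion sshd[4126]: Failed password for alice from 203.0.113.5 port 51238 ssh2
Mar  3 10:15:05 bastion sshd[4128]: Failed password for alice from 203.0.113.5 port 51239 ssh2
Mar  3 10:15:30 bastion sshd[4130]: Failed password for bob from 203.0.113.9 port 40001 ssh2
Mar  3 10:15:41 bastion sshd[4132]: Accepted password for bob from 203.0.113.9 port 40001 ssh2
Mar  3 10:20:00 bastion sshd[4140]: Failed password for root from 203.0.113.5 port 51300 ssh2
"""

# Matches the "Failed/Accepted password" lines sshd writes; other lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+ ssh2$"
)


def parse(line, year=2024):
    """Return (timestamp, result, user, source_ip) or None for lines we ignore.
    syslog timestamps carry no year, so one is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def detect_bursts(lines, threshold=5, window_s=60):
    """Map source IP -> time at which its failed logins inside any window_s-second
    window first reached threshold (the event an IDS/IPS rule should fire on)."""
    recent = defaultdict(deque)   # per source: timestamps of recent failures
    alerts = {}
    for line in lines:
        rec = parse(line)
        if rec is None or rec[1] != "Failed":
            continue
        ts, _, _, src = rec
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = ts
    return alerts


def accounts_to_lock(lines, max_failures=3):
    """Accounts whose failed logins reach max_failures: the ones a lockout
    policy should have disabled before the attacker could keep guessing."""
    failures = defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec and rec[1] == "Failed":
            failures[rec[2]] += 1
    return {user for user, n in failures.items() if n >= max_failures}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("burst sources:", detect_bursts(lines))
    print("accounts to lock:", accounts_to_lock(lines))
```

Run it as-is to see the .5 source flagged at the fifth failure and root singled out for lockout; point it at a real auth.log (after adjusting the year) to replay the same check against the output of a Hydra or Medusa test run.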


Password guessing, whether manual or automated, is obviously very noisy,
so hackers need a better way to do it.


Passwords should never be stored in plain text in databases.


Storing passwords in plain text allows them to be used immediately after they're stolen.


Passwords should be stored in a strong hashed format since hashing is a one-way function.


In many of the data breaches of recent years, the stolen password databases contained passwords
that were either stored in plain text or hashed with fast, often unsalted, algorithms like MD5 or SHA-1.


On Linux systems, password hashes are stored in the /etc/shadow file.


Most Linux distros default to SHA-512 crypt (the $6$ scheme) with something called "salt" that we'll discuss later; newer releases of some distros (Debian 11, Fedora 35 and Ubuntu 22.04 onward) have switched the default to yescrypt ($y$).


On Windows systems, password hashes are stored
in the SAM file located at C:\Windows\System32\config\SAM.


Some Microsoft documentation expands SAM
to Security Account Manager while other Microsoft documentation expands SAM
to Security Accounts Manager.


On Windows domain controllers running Active Directory, password hashes are stored
in the NTDS.dit file located at C:\Windows\NTDS\ntds.dit.


The Windows NTLM (NT LAN Manager) protocol suite relies on the NT hash,
which is actually an unsalted MD4 digest of the password encoded as UTF-16LE;
that is the value stored in the SAM and in NTDS.dit.
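To see that property concretely, an added example that is not code from the original lecture: it computes NT hashes and groups a constructed dump by identical hash. MD4 is spelled out in pure Python because OpenSSL 3 moved it to its legacy provider, so hashlib.new("md4") is often unavailable; the account names and passwords in the sample dump are made up.

```python
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320, in pure Python. hashlib.new("md4") depends on OpenSSL's
    legacy provider and is often unavailable, so the primitive is written out."""
    msg = bytearray(data)
    msg.append(0x80)                       # padding: a 1 bit, zeros, 64-bit length
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (  # (boolean function, additive constant, shift amounts, word order)
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19),
         list(range(16))),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for f, k, shifts, order in rounds:
            for i in range(16):
                a = _rotl((a + f(b, c, d) + x[order[i]] + k) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c    # rotate roles: the next step updates old d
        a0, b0, c0, d0 = ((a0 + a) & MASK32, (b0 + b) & MASK32,
                          (c0 + c) & MASK32, (d0 + d) & MASK32)
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """The NT hash: MD4 over the UTF-16LE password. No salt, no iterations,
    so it is fast to compute and identical for identical passwords."""
    return md4(password.encode("utf-16-le")).hex()


# Constructed dump (made-up accounts) in the user -> hash form dumping tools print.
SAMPLE_DUMP = {"alice": nt_hash("password"), "bob": nt_hash("password"),
               "carol": nt_hash("Tr0ub4dor&3")}


def shared_passwords(dump: dict) -> dict:
    """Group accounts by identical hash. With a per-user salt this grouping would
    be impossible; without one, cracking any member cracks the whole group."""
    groups = {}
    for user, h in dump.items():
        groups.setdefault(h, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password"))
    print("accounts sharing a hash:", shared_passwords(SAMPLE_DUMP))
```

The grouping step is the first thing an auditor does with an NTDS.dit extract: every cluster of identical hashes is a shared password, and a cluster matching a known hash (the one for "password" is widely published) is cracked without any guessing at all.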


Websites that we log into store passwords
in a backend database, often the MySQL relational database management system.


If a hacker enters a stolen hash into the password field,
the hash itself gets hashed and the login fails, so the attacker won't do that;
the hash has to be cracked back to the original password first.
(The notable exception is Windows NTLM network authentication, where the NT hash
itself is the credential and can be replayed in a pass-the-hash attack.)


In this unit, we'll explore what happens when a database containing hashed passwords is stolen.


The hackers have three attack options after they steal the hashed password database.


The first is called a "brute force attack."

The second is a "dictionary attack."

The third is a "rainbow table attack."


Current general-purpose hashing standards, SHA-2's SHA-256 and SHA-512
and even the SHA-3 variants, are not appropriate for passwords on their own because they're too quick:
hackers attempting brute force attacks with today's graphics processing units,
application-specific integrated circuits, and field-programmable gate arrays
can test billions of candidates per second.


PBKDF2 and scrypt, which build on SHA-family HMACs, bcrypt, which is built on Blowfish,
and newcomer Argon2 should be the only functions used for hashing passwords,
because these key stretching functions are deliberately slow: PBKDF2 runs tens
or hundreds of thousands of iterations, and bcrypt, scrypt and Argon2 take a tunable
cost parameter (with scrypt and Argon2 also demanding memory, which GPUs and ASICs handle poorly).


The longer calculation time won't be noticeable to a user logging in,
but it reduces the rate of a brute force or dictionary attack by the same factor.
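To make the difference concrete, an added example that is not code from the original page: it stores the same constructed user list under both schemes, unsalted SHA-1 as found in the breaches above and salted PBKDF2-HMAC-SHA256, then runs a dictionary attack against each and counts the hash work required. The wordlist, user names and passwords are constructed, and the iteration count is an assumption kept low enough for a demo.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for a real one such as rockyou.txt.
WORDLIST = ["123456", "password", "letmein", "qwerty", "dragon", "iloveyou"]
ITERATIONS = 100_000   # assumed demo work factor; production values are higher


# Weak scheme: unsalted, fast hash, as found in many breached databases.
def sha1_unsalted(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()


# Recommended scheme: per-user random salt plus key stretching (PBKDF2 here).
def pbkdf2_store(password: str, salt=None, iterations: int = ITERATIONS) -> str:
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison


def crack_unsalted(dump: dict, wordlist) -> tuple:
    """Hash each candidate once, then look every account up in the table.
    The table is reusable against any unsalted SHA-1 dump; a rainbow table is
    a space-optimised form of the same precomputation."""
    table = {sha1_unsalted(w): w for w in wordlist}
    found = {user: table[h] for user, h in dump.items() if h in table}
    return found, len(wordlist)          # work = one SHA-1 per candidate


def crack_salted(dump: dict, wordlist) -> tuple:
    """Every account has its own salt, so nothing can be shared or precomputed:
    each candidate must be stretched again for each account."""
    found, work = {}, 0
    for user, stored in dump.items():
        iters = int(stored.split("$")[1])
        for word in wordlist:
            work += iters                 # HMAC-SHA256 calls spent on this guess
            if pbkdf2_verify(word, stored):
                found[user] = word
                break
    return found, work


def demo() -> tuple:
    """Store three constructed accounts both ways and attack each dump."""
    users = {"alice": "password", "bob": "password", "carol": "Tr0ub4dor&3"}
    unsalted = {u: sha1_unsalted(p) for u, p in users.items()}
    salted = {u: pbkdf2_store(p) for u, p in users.items()}
    return crack_unsalted(unsalted, WORDLIST), crack_salted(salted, WORDLIST)


if __name__ == "__main__":
    (u_found, u_work), (s_found, s_work) = demo()
    print("unsalted SHA-1: cracked", u_found, "with", u_work, "hash operations")
    print("salted PBKDF2:  cracked", s_found, "with", s_work, "hash operations")
```

Both dumps give up the two weak passwords, but the unsalted one costs six SHA-1 computations for all three accounts while the salted one costs a million HMAC calls, and the gap grows with the wordlist and the number of users; the unsalted dump also reveals that alice and bob share a password before any cracking happens.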

Reposted from: https://www.cnblogs.com/sec875/articles/10015908.html
