110 likes | 151 Vues
Explore the role of brute-force password cracking in penetration testing and its impact on corporate security. Learn about cryptographic hash functions, password vulnerabilities, and effective security measures.
E N D
Andrew Keener and Uche Iheadindu Brute Force Password Cracking and its Role in Penetration Testing
Background • A cryptographic hash function is an algorithm that takes an arbitrary block of data and returns a fixed-size bit string, the (cryptographic) hash value. • Cryptographic hash functions are used to encrypt passwords in many corporations • Password strength can be a key vulnerability in large corporations without proper policies on password security.
Password Security in Relation to Penetration testing • Penetration testing involves trying to take control over systems and obtain data • One of the ways this is accomplished is by exploiting weak password schemes • If password auditing is not a part of penetration testing you leave yourself open to the likelihood of a breach
Password Cracking, What are we trying to prevent? There are several methods for password cracking available. • Brute-force cracking, in which a computer tries every possible key or password until it succeeds. • Dictionary attacks, pattern checking, word list substitution, etc., attempt to reduce the number of trials required and will usually be attempted before brute force.
Focus of this presentation: Brute Force • Http://hashsuite.openwall.net - Hash Suite Demo
Http://www.golubev.com/blog -ighashgpu • Another good open source program: HashCat: HashCat.net
GPU vs CPU hashing comparison Laptop(Amd A8 3400M... 4 cores): Averages about 100 million passwords per second. (6 characters) Desktop(GPU: ATI Radeon HD 5970... 40 cores): Averages about 2.2 billion passwords per second. (7 characters) • This is why recommendations are being made currently to have no less than 12 characters using uppercase, lowercase, digits, and special characters.
Sources: • Wikipedia, Cryptographic Hash Function: http://en.wikipedia.org/wiki/Cryptographic_hash_function#Password_verification • Wikipedia, Password Cracking: