
Defending Against Password Attacks In Windows

Defending Against Password Guessing
1. Resistance Mechanisms:
- Regularly run a standard password cracking program to find weak passwords before an attacker does.
- Iptables blacklists: Guessing attacks generally come from one site at a time, believed to be zombies in a botnet. The zombie is recognized on one host and all hosts blacklist it. The iptables rule set must use the filter chain to dispose of packets even in ongoing connections.
- Iptables whitelists: All connections (except to public services) are blocked unless the client site is on the whitelist. This protects all present and future services automatically; there is no need to modify software or configurations to become protected or to recognize attacks.
2. Getting On the Blacklist:
- Something looks for frequent login failures from the same host.
- Two easy sources of failure information:
  a. A daemon reads syslog, watching for messages about authentication failure.
  b. A PAM module reports failures.
- Attackers can try only one or two login ID/password combinations at a time, presumably trying them on every host on their list before revisiting our host. A rate-based attack spotter cannot recognize such an attack.
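As an added example (not code from the original slides), the syslog-reading detector of item 2a in Python: it parses constructed sshd-style failure lines, runs the classic per-host rate spotter, and also pools failures from every host in the fleet over a long window, which is the cross-host sharing the blacklist idea relies on and is what catches the one-or-two-attempts-per-host pattern the last bullet describes. The log lines, hostnames, addresses, thresholds and the parsing year are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines (no real hosts or addresses).
SAMPLE_LOG = """\
Mar 10 08:00:01 hostA sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 40012 ssh2
Mar 10 08:00:02 hostA sshd[1203]: Failed password for root from 203.0.113.7 port 40013 ssh2
Mar 10 08:00:03 hostA sshd[1204]: Failed password for root from 203.0.113.7 port 40014 ssh2
Mar 10 08:00:04 hostA sshd[1205]: Failed password for root from 203.0.113.7 port 40015 ssh2
Mar 10 08:00:05 hostA sshd[1206]: Failed password for root from 203.0.113.7 port 40016 ssh2
Mar 10 08:00:06 hostA sshd[1207]: Failed password for root from 203.0.113.7 port 40017 ssh2
Mar 10 08:05:00 hostA sshd[1301]: Failed password for alice from 198.51.100.9 port 50001 ssh2
Mar 10 08:40:00 hostB sshd[2210]: Failed password for bob from 198.51.100.9 port 50002 ssh2
Mar 10 09:15:00 hostC sshd[3310]: Failed password for carol from 198.51.100.9 port 50003 ssh2
Mar 10 09:16:00 hostA sshd[1401]: Accepted password for alice from 192.0.2.44 port 51000 ssh2
"""

LOG_YEAR = 2024  # syslog timestamps carry no year; assumed here for parsing

FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)


def parse_failures(text):
    """Return (timestamp, host, user, source) tuples for each authentication failure."""
    events = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["host"], m["user"], m["src"]))
    return sorted(events)


def offenders(events, threshold, window_seconds, per_host):
    """Sources with at least `threshold` failures inside any sliding window.

    per_host=True  counts each (source, host) pair separately: the classic rate spotter.
    per_host=False pools failures reported by every host, so a source that tries
    one password per host and moves on still accumulates a count.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(list)  # key -> timestamps still inside the window
    flagged = set()
    for ts, host, _user, src in events:
        key = (src, host) if per_host else src
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.pop(0)
        if len(q) >= threshold:
            flagged.add(src)
    return flagged


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    print("rate-based (5 in 60s, per host):", offenders(ev, 5, 60, per_host=True))
    print("fleet-wide (3 in 2h, pooled):   ", offenders(ev, 3, 7200, per_host=False))
```

The pooled detector is what the "all hosts blacklist it" design needs: each host's daemon forwards its failures to one place, and the count that matters is per source across the fleet, not per host.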
3. Getting On the Whitelist:
The client needs to send something to the server that induces the server to trust the client and add it to the whitelist.
Authorization expires after a certain time, either a fixed time after authentication or after a period of non-use.
Portknock and friends: The client sends UDP packets to several ports in sequence. This technique requires special software on the (Windows) client, and the knocking sequence is publicly visible and can be replayed by an attacker.
Portbang and friends: A shared secret is used to create a UDP packet that the server will trust. An RSA key pair is used; the client has the secret key and the server has the public key. This method operates in secret and resists replay attacks, but it still requires special software on the client, plus the server must be pre-configured with the shared secret, a problem in our environment.
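An added illustration (not code from the slides or from any real Portbang implementation) of the trusted-packet idea with replay resistance. It uses an HMAC over a timestamp and a random nonce with a shared secret in place of the RSA key pair the slide describes; the secret, the 30-second validity window, the packet layout and the nonce cache are assumptions.

```python
import hashlib
import hmac
import os
import struct
import time

SECRET = b"constructed-demo-secret-not-for-use"  # shared secret; constructed for the example
MAX_SKEW = 30  # seconds a packet remains acceptable (assumption)

TS_LEN, NONCE_LEN, TAG_LEN = 8, 16, 32


def build_knock(secret, now=None):
    """Client side: 8-byte timestamp || 16-byte random nonce || HMAC-SHA256 tag."""
    ts = int(time.time() if now is None else now)
    nonce = os.urandom(NONCE_LEN)
    body = struct.pack("!Q", ts) + nonce
    tag = hmac.new(secret, body, hashlib.sha256).digest()
    return body + tag


class KnockVerifier:
    """Server side: accepts a packet once, only if fresh and correctly tagged."""

    def __init__(self, secret, max_skew=MAX_SKEW):
        self.secret = secret
        self.max_skew = max_skew
        self.seen = {}  # nonce -> timestamp, evicted once outside the window

    def accept(self, packet, now=None):
        now = int(time.time() if now is None else now)
        if len(packet) != TS_LEN + NONCE_LEN + TAG_LEN:
            return False
        body, tag = packet[: TS_LEN + NONCE_LEN], packet[TS_LEN + NONCE_LEN :]
        expected = hmac.new(self.secret, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # forged or corrupted: wrong secret or altered bytes
        ts = struct.unpack("!Q", body[:TS_LEN])[0]
        nonce = body[TS_LEN:]
        if abs(now - ts) > self.max_skew:
            return False  # stale: a captured packet replayed later is rejected
        # Drop nonces that can no longer be replayed so the cache stays bounded.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_skew}
        if nonce in self.seen:
            return False  # replay inside the window
        self.seen[nonce] = ts
        return True


if __name__ == "__main__":
    v = KnockVerifier(SECRET)
    pkt = build_knock(SECRET)
    print("first delivery accepted:", v.accept(pkt))
    print("same packet again:      ", v.accept(pkt))
```

The timestamp bounds how long a capture is useful and the nonce cache closes the remaining window; together they give the replay resistance the slide credits to this family, without the client ever sending the secret.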
Web form: The client connects to a public SSL-enabled port on the server and gives its login ID and password. Every credible client machine can be expected to be able to do this interaction. But it has two disadvantages: first, the server needs a webserver; second, if the method becomes popular enough, password guessing attacks could be directed against it.
Security by obscurity is a rather weak protection. Another alternative is a second, independent password, which also could be stolen, and if the two passwords are used on a client with a keystroke logger, correlated theft is likely.
Defending Against Pass-the-Hash Attacks
Fundamental security technique: the use of cryptographic hash functions to encode credentials for storage and transmission.
Using a hash function as part of the authentication process means that the authenticating server never has to store unencrypted passwords, which would be a serious security weakness.
In Microsoft Windows, hashes are stored in one of two places: a local Security Accounts Manager (SAM) database and/or a networked Active Directory database (which is stored as a physical file called NTDS.DIT on each participating domain controller). Password hashes can be stored in one of four forms: LAN Manager (LM), NT, AES key, or Digest.
Even though authentication protocols don't directly communicate the hash, the originating client always has the hash, and oftentimes the authenticating or host target must create or have access to the involved hash for successful authentication to occur.
Password hashes can be found in memory during active logon sessions, as well as stored more permanently within the relevant authentication databases.
Hashes are deleted from memory when their associated logon sessions are terminated, but such deletion depends on the particulars of the involved applications and does not always occur.
Removing all hashes from memory may require a reboot.
Rainbow Tables
When a password is "tried" against a system it is "hashed" so that the actual password is never sent in clear text across the communications line.
Hashing a password is a one-way function, meaning that you can't decrypt the hash to see what the clear text of the password is.
A cracking program starts by taking plaintext passwords, running them through the hash algorithm, and then comparing the hash output with the hashes in the stolen password file.
This takes a very long time. Enter rainbow tables.
Rainbow tables are basically huge sets of pre-computed tables filled with hash values that are pre-matched to possible plaintext passwords.
They allow hackers to reverse the hashing function to determine what the plaintext password might be.
Two different passwords may result in the same hash, so it's not important to find out what the original password was, just as long as it has the same hash.
It takes a lot of storage (sometimes terabytes) to hold the rainbow tables themselves, but storage is not an issue nowadays.
Hackers can purchase pre-computed rainbow tables for cracking passwords of vulnerable operating systems such as Windows XP, Vista and Windows 7, and of applications using MD5 and SHA1 as their password hashing mechanism.
Protect Against Rainbow Tables-based Password Attacks
The problem is the weakness of the hashing function being used to encrypt a password.
Stay away from web applications that restrict your password length to a short number of characters.
Don't use MD5 or SHA1 in your password hashing function. They are outdated password hashing algorithms, and most rainbow tables used to crack passwords are built to target applications and systems using these hashing methods. Use more modern hashing methods like SHA2.
Use a cryptographic "salt" in your password hashing routine. Adding a cryptographic salt to your password hashing function will help defend against the use of rainbow tables to crack passwords in your application.
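The next block is an added example, not the slides' own code, covering the two preceding slides: it builds a tiny precomputed MD5 lookup (a stand-in for a rainbow table) from a constructed word list, shows it recovering an unsalted hash, and then shows that a per-record random salt combined with a SHA-2-based key-stretching function (PBKDF2-HMAC-SHA256 from Python's standard library) leaves that same table useless, because every salt would need its own table. The word list, iteration count and record format are assumptions.

```python
import hashlib
import hmac
import os

# Constructed word list standing in for the plaintext side of a rainbow table.
WORDLIST = ["password", "letmein", "summer2024", "qwerty", "dragon"]

ITERATIONS = 600_000  # PBKDF2 work factor; assumption for the example


def unsalted_md5(password):
    """The weak scheme the slides warn about: one fixed hash per password."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup(words):
    """Precompute hash -> plaintext once; reusable against every unsalted MD5 store."""
    return {unsalted_md5(w): w for w in words}


def crack_with_lookup(table, stored_hash):
    """Constant-time-per-entry reversal: a dictionary lookup, no hashing at all."""
    return table.get(stored_hash)


def hash_salted(password, salt=None, iterations=ITERATIONS):
    """Salted, iterated SHA-2 hash; returns a self-describing record for storage."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password, record):
    """Recompute with the stored salt and iteration count, compare in constant time."""
    _algo, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def lookup_cost_with_salt(words, salt_bits):
    """Entries a precomputed table needs to cover `words` for every possible salt."""
    return len(words) * (2 ** salt_bits)


if __name__ == "__main__":
    table = build_lookup(WORDLIST)
    print("unsalted md5 of 'letmein' cracked as:", crack_with_lookup(table, unsalted_md5("letmein")))
    rec = hash_salted("letmein")
    print("salted record:", rec)
    print("table lookup on salted hash:", crack_with_lookup(table, rec.split("$")[-1]))
    print("entries needed per word list with a 128-bit salt:", lookup_cost_with_salt(WORDLIST, 128))
```

Two records of the same password never match each other, so an attacker who steals the database cannot even tell which users share a password, let alone consult a table built in advance.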
Password Safe
Many computer users today have to keep track of dozens of passwords: for network accounts, online services, premium web sites.
With Password Safe, a free Windows 9x/2000 utility from Counterpane Labs, users can keep their passwords securely encrypted on their computers. A single Safe Combination, just one thing to remember, unlocks them all.
Password Safe features a simple, intuitive interface that lets users set up their password database in minutes.
Best of all, Password Safe is completely free: no license requirements, shareware fees, or other strings attached.
Defend Against Login Spoofing: Trusted Path
Login Spoofing Attacks:
- Write a program that shows a login window on screen and records the passwords.
- Put a fake su in the current directory.
Defense: Trusted Path
A mechanism that provides confidence that the user is communicating with the real intended server.
1. Attackers can't intercept or modify whatever information is being communicated.
2. It defends against attacks such as fake login programs.
Example: Ctrl+Alt+Del for login on Windows
1. Causes a non-maskable interrupt that can only be intercepted by the operating system, guaranteeing that the login window cannot be spoofed.
Brute Force Attack
- A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until you discover the one correct combination that works.
- An attacker can always discover a password through a brute-force attack, but the downside is that it could take years to find it.
- Although such attacks are easy to detect, they are not so easy to prevent.
Dictionary attack
- The attacker makes a dictionary of words that might have been used as a password.
- The attacker then applies all these words to break the password.
- Sometimes it is unable to crack the password, because it remains a possibility that the password to be cracked is not present in the dictionary itself.
Defenses against brute force and dictionary attack
- Locking Accounts: The most obvious way to block brute-force attacks is to simply lock out accounts after a defined number of incorrect password attempts.
- Account lockouts can last a specific duration, such as one hour, or the accounts could remain locked until manually unlocked by an administrator.
- An attacker can cause a denial of service (DoS) by locking out large numbers of accounts.
- It is ineffective against attacks that try one password against a large list of usernames.
Incremental delay
- A better strategy for blocking any brute force attack is to incrementally delay the page response after failed login attempts.
- After the first failed login attempt the response would be delayed by one second. After the second failed login attempt the response would be delayed by two seconds.
- Assuming the tool could normally make ten requests per second, the time it would take to make one thousand requests would jump from two minutes to five days.
- An incrementing delay can completely defeat an automated tool being used for a brute force attack.
- A legitimate user does not have to wait 30 minutes for their account to reactivate if they accidentally left the caps lock key on.
- It also solves the problem of the attacker holding the password constant and varying the username.
- Since the system tracks failed login attempts on a user session basis and not an authentication credential basis, the delay logic cannot be bypassed this way.
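An added example (not from the slides) contrasting the two mechanisms above in Python: a lockout keyed by username, which shows both the denial-of-service side effect and its blindness to one-password-many-usernames, and an incremental delay keyed by session, which keeps counting no matter which username is tried, plus the arithmetic behind the one-thousand-request estimate. Session and user names, the lockout limit and the ten-requests-per-second baseline are assumptions.

```python
from collections import defaultdict


class AccountLockout:
    """Lockout keyed by username: blocks an account after `limit` failures on it."""

    def __init__(self, limit=5):
        self.limit = limit
        self.failures = defaultdict(int)  # username -> consecutive failures

    def record(self, username, success):
        if success:
            self.failures[username] = 0
        else:
            self.failures[username] += 1

    def is_locked(self, username):
        return self.failures[username] >= self.limit


class LoginThrottle:
    """Incremental delay keyed by session: the k-th consecutive failure costs k seconds."""

    def __init__(self):
        self.failures = defaultdict(int)  # session id -> consecutive failures

    def record(self, session, success):
        """Return the delay in seconds to impose before answering this attempt."""
        if success:
            self.failures[session] = 0
            return 0
        self.failures[session] += 1
        return self.failures[session]


def time_for_attempts(n, base_rate=10.0):
    """Seconds one session needs for n failed attempts: without throttling it is
    n / base_rate; with throttling the delays 1 + 2 + ... + n are added on top."""
    plain = n / base_rate
    throttled = plain + n * (n + 1) / 2
    return plain, throttled


def spray_scenario(usernames):
    """One session tries a single password against many usernames.
    Returns (accounts the lockout would have blocked, final throttle delay)."""
    lockout, throttle = AccountLockout(limit=5), LoginThrottle()
    delay = 0
    for user in usernames:
        lockout.record(user, success=False)
        delay = throttle.record("attacker-session", success=False)
    locked = [u for u in usernames if lockout.is_locked(u)]
    return locked, delay


if __name__ == "__main__":
    users = [f"user{i}" for i in range(1, 21)]  # constructed usernames
    print("spray of 20 usernames -> locked accounts, last delay:", spray_scenario(users))
    plain, throttled = time_for_attempts(1000)
    print(f"1000 attempts: {plain:.0f}s unthrottled vs {throttled / 86400:.1f} days throttled")
```

The lockout never fires during the spray because no single account sees more than one failure, while the throttle has already pushed the delay to twenty seconds by the last attempt; conversely, five deliberate failures against one victim's name lock that victim out, which is the DoS the earlier slide warns about.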
CAPTCHA
- Use a CAPTCHA to prevent automated attacks.
- Completely Automated Public Turing test to tell Computers and Humans Apart.
- It is a computer program or system intended to distinguish human from machine input.
- It is very hard for a computer program to read twisted words.
- The waviness and horizontal strokes are usually added to increase the difficulty of breaking the CAPTCHA with a computer program.
Passwords Versus "Passphrases"
- Passphrases are far more resistant to attack.
- Instead of using a single-word entry system, consider a multiple-word scenario.
- Not only are they relatively easy to remember (at least compared to something like "8>'G:4/w?q"), but they also allow for a fairly large search space.
Other countermeasures
- For advanced users who want to protect their accounts from attack, give them the option to allow login only from certain IP addresses.
- Consider blocking IP addresses that attempt multiple failed logins.
- Finally, be sure to display nondescript, ambiguous login failure messages such as "Invalid username or password".
