Authentication Types

Authentication is the procedure of identifying an entity based on a private detail. For example, a human can be identified by a passport, a fingerprint, and so on. With systems, other unique characteristics are needed to prove identity. The ways and forms of authentication for computer systems can be categorized as follows:

• What the user knows: authentication based on what the user knows (e.g. PIN, pass code, salutation)
• What the user has: authentication based on something the user possesses (e.g. memory card, a key, smart card tokens)
• What the user is: authentication based on biometric features: physiological features such as a fingerprint, or behavioral features such as keyboard dynamics.

Figure 1. Classification by authentication approaches

a. Knowledge-based authentication

Knowledge-based authentication is the most used type of authenticating users. Instances of knowledge-based authentication are, among others: secret passwords, pass sentences or pass phrases, PINs (Personal Identification Numbers), or even a graphical image. To prove and authenticate users over a public (insecure) network such as the Internet, digital signatures and digital certificates are used, which are encrypted using a public and private key to make them secure enough. A secure entity provides the PKI (Public Key Infrastructure).

b. Possession-based authentication

Authentication based on what one owns is also referred to as token-based authentication and, as the name says, it is built on a secret device that a user has. It mainly concerns physical objects a user holds as a token (a key for a door, for example). A very important disadvantage of possession-based authentication must be mentioned: a token may have been stolen or copied and then presented, so it does not authenticate the user perfectly. There are other administrative problems, and the fact that the user always has to carry the token whenever access is needed. Tokens are regularly divided into two main sets: memory tokens and smart tokens.
On one hand, memory tokens store information as it is and need not process it. A widely used memory token is the magnetic card, which is used as a combination of what a user has and what the user knows (a PIN); this adds a layer of security to the token. Memory tokens are not expensive to make, and with a password they become more secure than a PIN by itself or a token by itself.

Smart tokens, on the other hand, contain a circuit that makes them able to process data in some way. Unlike memory tokens, smart tokens incorporate one or more embedded integrated circuits which enable them to process information. Like memory tokens, most smart tokens are employed to authenticate alongside a knowledge-based authentication system such as a PIN. One of the many kinds of smart tokens is the one embedded with a chip that contains a microprocessor. The fact that they are easily portable and secured with strong cryptography has made them the most used tokens in e-commerce. Obviously, smart tokens are more expensive than memory tokens, but they provide better security and greater flexibility. The high security level of smart tokens, for instance with an OTP (one-time password) from a bank, makes it possible to purchase online over the public Internet without great insecurity.

c. Biometric-based authentication

Biometric-based authentication is authentication based on what the user is. Unique human features are used to identify users, whether anatomical, behavioral, or physiological characteristics associated with the user. Biometric authentication relies on the fact that humans are different, and some features exist in one person and that person only in the world.
So it is possible to prove that a user is who he or she claims to be, based on the user's own features rather than on knowledge-based or possession-based authentication. The system involved in biometrics is a pattern recognition system consisting of three principal modules:

• sensor module
• extraction module
• matching module.

The users' individual qualities are recorded and stored in reference records, to be compared during future authentication to decide whether there is a match. The accuracy of different types of biometric systems can be checked by evaluating the percentage of errors that the system gives:

• erroneous rejection, that is, false non-match (type I error)
• erroneous acceptance, that is, false match (type II error).

A biometric system with a low level of erroneous results is much preferred for authentication.

B. Password Cracker

A password cracking mechanism is an application that is used to figure out what a hidden password is. Password crackers can be used illegally by black hat crackers, or legally by a professional testing the robustness of a password or trying to recover a forgotten password. To identify hidden passwords, password crackers use two main methods: brute force and dictionary attack.

A brute-force attack runs through combinations of characters within a predetermined length, throwing guesses until it finds the combination accepted by the computer system. When conducting a dictionary attack, the cracker draws its guesses from a word list. Password dictionaries come in various themes, from politics, music and religion to children's names. Password cracker programs also try hybrids of words and numbers, sometimes even symbols. For instance, if "ali" does not work as a password, the program can try "ali90", "ali91", "ali92" and so on.
The guessing is not limited to readable words: password crackers can go as far as using words pre-encrypted with various cryptographic algorithms. To protect a system against today's attacks, one should be aware of any new trend in hacking so as to check whether the system is secured against it. It is imperative to audit one's system regularly to check whether it has been infiltrated (by running cracking tools on your own organization), to change passwords regularly, and to make passwords longer and include various symbols.

Password Guessing

The most common type of attack is password guessing. Attackers can guess passwords locally or remotely using either a manual or automated approach. Password guessing isn't always as difficult as you'd expect. Most networks aren't configured to require long and complex passwords, and an attacker needs to find only one weak password to gain access to a network. Not all authentication protocols are equally effective against guessing attacks. For example, because LAN Manager authentication is case-insensitive, a password guessing attack against it doesn't need to consider whether letters in the password are uppercase or lowercase.

Many tools can automate the process of typing password after password. Some common password guessing tools are Hydra, for guessing all sorts of passwords, including HTTP, Telnet, and Windows logons; TSGrinder, for brute-force attacks against Terminal Services and RDP connections; and SQLRecon, for brute-force attacks against SQL authentication.

Automated password guessing programs and crackers use several different approaches. The most time-consuming, and most successful, attack method is the brute-force attack, in which the attacker tries every possible combination of characters for a password, given a character set and a maximum password length. Dictionary attacks work on the assumption that most passwords consist of whole words, dates, or numbers taken from a dictionary.
Dictionary attack tools require a dictionary input list. You can download varying databases with specific vocabularies (e.g., English dictionary, sports, even Star Wars trivia) free or commercially off the Internet. Hybrid password guessing attacks assume that network administrators push users to make their passwords at least slightly different from a word that appears in a dictionary. Hybrid guessing rules vary from tool to tool, but most mix uppercase and lowercase characters, add numbers at the end of the password, spell the password backward or slightly misspell it, and include characters such as @!# in the mix. Both John the Ripper and Cain & Abel can do hybrid guessing.

Password Resetting

Attackers often find it much easier to reset passwords than to guess them. Many password cracking programs are actually password resetters. In most cases, the attacker boots from a floppy disk or CD-ROM to get around the typical Windows protections. Most password resetters contain a bootable version of Linux that can mount NTFS volumes and can help you locate and reset the Administrator's password. A widely used password reset tool is the free Petter Nordahl-Hagen program. Winternals ERD Commander 2005, one of the tools in Winternals Administrator's Pak, is a popular commercial choice. Be aware that most password reset tools can reset only local Administrator passwords residing in local SAM databases and can't reset passwords in Active Directory (AD).

Password Cracking

Although password resetting is a good approach when all you need is access to a locked computer, resetting passwords attracts unwelcome attention. Attackers usually prefer to learn passwords without resetting them. Password cracking is the process of taking a captured password hash (or some other obscured form of the plaintext password, or challenge-response packets) and converting it to its plaintext original.
To crack a password, an attacker needs tools such as extractors for hash guessing, rainbow tables for looking up plaintext passwords, and password sniffers to extract authentication information.

Hash guessing. Some password cracking tools can both extract and crack password hashes, but most password crackers need to have the LM password hash before they can begin the cracking process. (A few tools can work on NT hashes.) The most popular Windows password hash extractor is the Pwdump family of programs. Pwdump has gone through many versions since its release years ago, but Pwdump4 is the current version. To extract password hashes using Pwdump, you must have administrative access to the local or remote machine you're attacking, and you must be able to use NetBIOS to connect to the admin$ share. There are ways around the latter requirement, but the tool alone requires it. When you run Pwdump4 successfully, it extracts LM and NT password hashes and, if Windows' password history tracking is active, all hashes for older passwords. By default, Pwdump prints password hashes to the screen, but you can also output them to a file, then feed them to a password cracker.

Many password cracking tools accept Pwdump-formatted hashes for cracking. Such tools usually begin the cracking process by generating some guesses for the password, then hashing the guesses and comparing those hashes with the extracted hash. Common password crackers are John the Ripper and Cain & Abel. John the Ripper, which comes in both Unix and Windows flavors, is a very fast command-line tool and comes with a distributed-computing add-on. Cain & Abel can break more than 20 kinds of password hashes, such as LM, NT, Cisco, and RDP.

Rainbow tables. These days, password crackers compute all possible passwords and their hashes for a given system and put the results into a lookup table called a rainbow table.
When an attacker extracts a hash from a target system, he or she can simply go to the rainbow table and look up the plaintext password. Some crackers (and Web sites) can use rainbow tables to crack any LM hash in a couple of seconds. You can purchase very large rainbow tables, which vary in size from hundreds of megabytes to hundreds of gigabytes, or generate your own using RainbowCrack. Rainbow tables can be defeated by disabling LM hashes and using long, complex passwords.

Password sniffing. Some password crackers can sniff authentication traffic between a client and server and extract password hashes or enough authentication information to begin the cracking process. Cain & Abel both sniffs authentication traffic and cracks the hashes it retrieves. Other sniffing password crackers are ScoopLM and KerbCrack, a sniffer and cracker for Kerberos authentication traffic. None of these can crack NTLMv2 authentication traffic.

Password Capturing

Many attackers capture passwords simply by installing a keyboard-sniffing Trojan horse or one of the many physical keyboard-logging hardware devices for sale on the Internet. Symantec reports that 82 percent of the most commonly used malware programs steal confidential information. Most steal passwords. For $99, anyone can buy a keystroke logger that can log more than 2 million keystrokes. Physical keyboard logging devices less than an inch long can easily be slipped between the keyboard cord and the computer's keyboard port. And let's not forget how easy it is to sniff passwords from wireless keyboards, even from a city block away.

Password Cracking Countermeasures

STORAGE OF PASSWORDS

If you have to choose between weak passwords that your users can memorize and strong passwords that your users must write down, have users write down passwords and store the information securely.
Train users to store their written passwords in a secure place, not on keyboards or in easily cracked password-protected computer files. Users should store a written password in one of these locations:

• A locked file cabinet or office safe
• Full (whole) disk encryption, which can prevent an intruder from ever accessing the OS and the passwords stored on the system
• A secure password management tool such as LastPass
• Password Safe, an open source program originally developed by Counterpane

PASSWORD POLICIES

As an ethical hacker, you should show users the importance of securing their passwords. Here are some tips on how to do that:

• Demonstrate how to create secure passwords. Refer to them as passphrases, because people tend to take passwords literally and use only words, which can be less secure.
• Show what can happen when weak passwords are used or passwords are shared.
• Diligently build user awareness of social engineering attacks.

Enforce (or at least encourage the use of) a strong password-creation policy that includes the following criteria:

• Use upper- and lowercase letters, special characters, and numbers. Never use only numbers. Such passwords can be cracked quickly.
• Misspell words or create acronyms from a quote or a sentence. For example, ASCII is an acronym for American Standard Code for Information Interchange that can also be used as part of a password.
• Use punctuation characters to separate words or acronyms.
• Change passwords every 6 to 12 months, or immediately if they're suspected of being compromised. Anything more frequent introduces an inconvenience that serves only to create more vulnerabilities.
• Use different passwords for each system. This is especially important for network infrastructure hosts, such as servers, firewalls, and routers. It's okay to use similar passwords, just make them slightly different for each type of system, such as SummerInTheSouth-Win7 for Windows systems and Linux+SummerInTheSouth for Linux systems.
• Use variable-length passwords.
This trick can throw off attackers, because they won't know the required minimum or maximum length of passwords and must try all password length combinations.
• Don't use common slang words or words that are in a dictionary.
• Don't rely completely on similar-looking characters, such as 3 instead of E, 5 instead of S, or ! instead of 1. Password-cracking programs can check for this.
• Don't reuse the same password within at least four to five password changes.
• Use password-protected screen savers. Unlocked screens are a great way for systems to be compromised, even if their hard drives are encrypted.
• Don't share passwords. To each his or her own!
• Avoid storing user passwords in an unsecured central location, such as an unprotected spreadsheet on a hard drive. This is an invitation for disaster. Use Password Safe or a similar program to store user passwords.

OTHER COUNTERMEASURES

Here are some other password-hacking countermeasures:

• Enable security auditing to help monitor and track password attacks.
• Test your applications to make sure they aren't storing passwords indefinitely in memory or writing them to disk. A good tool for this is WinHex.
• Keep your systems patched. Passwords are reset or compromised during buffer overflows or other denial of service (DoS) conditions.
• Know your user IDs. If an account has never been used, delete or disable the account until it's needed. You can determine unused accounts by manual inspection or by using a tool such as DumpSec, a tool that can enumerate the Windows operating system and gather user IDs and other information.

As the security administrator in your organization, you can enable account lockout to prevent password-cracking attempts. Account lockout is the ability to lock user accounts for a certain time after a certain number of failed login attempts has occurred. Most operating systems have this capability. Don't set it too low, and don't set it so high that a malicious user gets a greater chance of breaking in.
Somewhere between 5 and 50 might work for you. Consider the following when configuring account lockout on your systems:

• To use account lockout to prevent any possibility of a user DoS condition, require two different passwords, and don't set a lockout time for the first one, if that feature is available in your operating system.
• If you permit autoreset of the account after a certain period (often referred to as intruder lockout), don't set a short time period. Thirty minutes often works well.
• A failed login counter can increase password security and minimize the overall effects of account lockout if the account experiences an automated attack. A login counter can force a password change after a number of failed attempts. If the number of failed login attempts is high and occurred over a short period, the account has likely experienced an automated password attack.

Other password-protection countermeasures include:

• Stronger authentication methods. Examples are challenge/response, smart cards, tokens, biometrics, or digital certificates.
• Automated password reset. This functionality lets users manage most of their password problems without getting others involved. Otherwise, this support issue becomes expensive, especially for larger organizations.
• Password-protect the system BIOS. This is especially important on servers and laptops that are susceptible to physical security threats and vulnerabilities.
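The account-lockout and failed-login-counter behaviour described above, as an added Python example (not code from the original text): a lockout threshold of 10 attempts, the thirty-minute intruder-lockout autoreset, a counter that forces a password change, and the "many failures in a short period" heuristic for spotting an automated attack. The threshold of 10, the one-minute attack window and the counter value of 30 are assumptions chosen for this example.

```python
from dataclasses import dataclass, field

# Parameters drawn from the guidance above. The threshold of 10 (inside the
# suggested 5 to 50 range), the one-minute attack window and the value of 30
# for the failed-login counter are assumptions made for this example.
LOCKOUT_THRESHOLD = 10        # consecutive failures before the account locks
LOCKOUT_SECONDS = 30 * 60     # intruder-lockout autoreset: thirty minutes
ATTACK_WINDOW_SECONDS = 60    # LOCKOUT_THRESHOLD failures inside this window = automated attack
FORCE_CHANGE_AFTER = 30       # failed-login counter value that forces a password change


@dataclass
class AccountState:
    consecutive_failures: int = 0      # reset by a successful login
    failed_login_counter: int = 0      # reset only when the password is changed
    recent_failures: list = field(default_factory=list)  # failure timestamps in the window
    locked_until: float = 0.0
    must_change_password: bool = False
    automated_attack_suspected: bool = False


def record_login(state: AccountState, password_ok: bool, now: float) -> str:
    """Apply one login attempt at time `now` (seconds) and return its outcome:
    "ok", "failed", "locked" or "change_required"."""
    # Intruder lockout: reject every attempt until the autoreset period has elapsed.
    if now < state.locked_until:
        return "locked"
    if password_ok:
        state.consecutive_failures = 0
        return "change_required" if state.must_change_password else "ok"
    state.consecutive_failures += 1
    state.failed_login_counter += 1
    # Sliding window of failure timestamps for the automated-attack heuristic.
    state.recent_failures = [t for t in state.recent_failures if now - t < ATTACK_WINDOW_SECONDS]
    state.recent_failures.append(now)
    if len(state.recent_failures) >= LOCKOUT_THRESHOLD:
        state.automated_attack_suspected = True   # many failures in a short period
    if state.failed_login_counter >= FORCE_CHANGE_AFTER:
        state.must_change_password = True         # the counter forces a password change
    if state.consecutive_failures >= LOCKOUT_THRESHOLD:
        state.consecutive_failures = 0
        state.locked_until = now + LOCKOUT_SECONDS
        return "locked"
    return "failed"


def password_changed(state: AccountState) -> None:
    """Reset the failed-login counter once the user has set a new password."""
    state.failed_login_counter = 0
    state.must_change_password = False


def simulate(events):
    """events: list of (timestamp, password_ok). Returns (final state, outcome per attempt)."""
    state = AccountState()
    return state, [record_login(state, ok, t) for t, ok in events]
```

Feeding ten failures one second apart through `simulate` locks the account on the tenth attempt and sets the automated-attack flag, while the same ten failures spread over hours only count toward the lifetime counter.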
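A checker for the password-creation policy listed under PASSWORD POLICIES, as an added Python example (not code from the original text). It rejects digits-only and single-class passwords, undoes the look-alike substitutions and appended digits that hybrid guessers try (so "ali90" is still caught as "ali", and reversed words are caught too), and refuses reuse within the last five changes. The 12-character minimum, the @/a substitution and the small word list are assumptions.

```python
import re

# Constructed word list standing in for a real cracking dictionary (assumption).
DICTIONARY = {"summer", "password", "ali", "dragon", "welcome"}
# Look-alike substitutions named above (3/E, 5/S, !/1) plus @/a as an assumption;
# a cracker's hybrid rules undo these, so the checker undoes them too.
LEET = str.maketrans({"3": "e", "5": "s", "!": "1", "@": "a"})
MIN_LENGTH = 12      # assumption: the text only says to make passwords longer
HISTORY_DEPTH = 5    # "within at least four to five password changes"


def dictionary_core(password: str) -> str:
    """Strip what hybrid guessers add: case, look-alike characters, and digits or
    symbols tacked onto either end, e.g. "ali90" -> "ali"."""
    core = password.lower().translate(LEET)
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", core)


def check_password(password: str, history: list) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if password.isdigit():
        problems.append("digits only")            # "Never use only numbers"
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if not all(re.search(p, password) for p in classes):
        problems.append("needs upper, lower, digit and special character")
    core = dictionary_core(password)
    # Crackers also try words spelled backward, so test the reversed core as well.
    if core in DICTIONARY or core[::-1] in DICTIONARY:
        problems.append("dictionary word after undoing look-alikes and affixes")
    if password in history[-HISTORY_DEPTH:]:
        problems.append("reused within the last %d changes" % HISTORY_DEPTH)
    return problems
```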