
Introduction to LavaPasswordFactory


Christopher Grayson discusses authentication, passwords, how to break password-based authentication schemes, and lastly introduces LavaPasswordFactory.

LavaPasswordFactory is a password list generation tool that also contains functionality for cleaning password lists based on password policies.

Published in: Technology

Introduction to LavaPasswordFactory

  1. LAVA.PASSWORD.FACTORY PASSWORDS ARE BAD AND YOU CAN TOO!!
  2. A BRIEF INTRODUCTION
  3. AGENDA 1. What is authentication? 2. Why do passwords exist? 3. Why attack authentication mechanisms? (password-based attacks) 4. LavaPasswordFactory (demonstration) 5. Conclusion / Questions
  4. WHO AM I? • Christopher Grayson • cegrayson3@gmail.com • @_lavalamp • Senior Security Analyst at Bishop Fox (Pen-Testing FTW) • MSCS, BSCM from GT • Former Research Scientist from GT • Former president, GT hacking club • That guy in the front…
  5. WHAT IS AUTHENTICATION?
  6. THE BASICS • It’s all about identity, baby • Something you know • Something you have • Something you are
  7. SOMETHING YOU KNOW • Passwords • Personal knowledge (security questions) • Only those that know X should have access.
  8. SOMETHING YOU HAVE • RSA SecurID • Google Authenticator • Only those that have X should be allowed access.
  9. SOMETHING YOU ARE • Most nebulous of the three • Commonly refers to biometrics (iris scans, for instance) • Only those who are X should be allowed access.
  10. TAKEAWAYS • Authentication mechanisms aim to identify who you are for the purpose of establishing the correct level of authority. • Without accurately identifying someone, how can one hope to apply any meaningful identity-based security controls?
  11. PESKY PESKY PASSWORDS
  12. WHYYYYYYY?! • Easy to implement • Usually easy to remember • Requires the lowest amount of technical overhead • Many other reasons…
  13. PASSWORDS ARE BAD, M’KAY? • When used properly, passwords can provide a decent level of security. • Passwords are largely used improperly, even within the security community.
  14. COMMON PASSWORD PROBLEMS • Low complexity • Password re-use • Writing passwords down
  15. SOME TANGIBLE DATA Credit to Karl Sigler, The Register http://www.theregister.co.uk/2014/08/15/hundreds_of_thousands_of_corporate_passwords_cracke
  16. ATTACKING PASSWORDS
  17. WHY ATTACK AUTHENTICATION? • Automated systems typically have different roles meant for different users. • Correctly identifying a user supplies that user with the intended level of authority. • Even in an incredibly secure system, if you can trick the system into thinking you’re an admin, many security controls fall away.
  18. ONLINE PASSWORD ATTACKS • Logging into a Web site • Logging into network services • Don’t have access to the hashed representation of passwords
  19. OFFLINE PASSWORD ATTACKS • Typically a data store has been compromised • Have direct access to the hashed representation of passwords • Can break passwords at a much larger scale
  20. LAVA.PASSWORD.FACTORY
  21. SHINY NEW TOOL • Generates passwords for offline and online attacks • Cleans existing password lists • Uses a set of seed words • Has functionality for matching password policies
  22. DEMONSTRATION
  23. GETTING IT • https://github.com/lavalamp-/LavaPasswordFactory • Still a work-in-progress, but current work is only to add more functionality. • Comments and feature requests welcome!
  24. QUESTIONS?
  25. THANK YOU! @_LAVALAMP
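
The slides describe the workflow at a high level: seed words are expanded into candidates, the list is cleaned against a password policy, and the result is fed to an online attack (where every wasted guess costs a request and risks lockout) or an offline attack (where the hashes are in hand and everything can be tried). The following is an added Python illustration of that workflow written for this page; it is not LavaPasswordFactory's own code, and the mangling rules, suffix list, policy parameters, seed words and the unsalted SHA-256 "leaked" hashes are all assumptions constructed for the example.

```python
"""Seed-word candidate generation, policy cleaning, and an offline check.

Added illustration of the workflow the slides describe; this is NOT
LavaPasswordFactory's own code. The leet map, suffixes, policy defaults
and the "leaked" hashes below are assumptions constructed for the example.
"""
import hashlib

# Assumed leet-speak substitutions (constructed for the example).
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
# Assumed building blocks for suffixes users commonly append.
DIGIT_SUFFIXES = ("1", "123", "2014", "2015")
SYMBOL_SUFFIXES = ("!", "$")


def suffixes():
    """All suffix combinations: none, digits, symbols, digits followed by a symbol."""
    out = [""]
    out.extend(DIGIT_SUFFIXES)
    out.extend(SYMBOL_SUFFIXES)
    out.extend(d + s for d in DIGIT_SUFFIXES for s in SYMBOL_SUFFIXES)
    return out


def mangle(seed):
    """Yield case and leet-speak variants of one seed word."""
    low = seed.lower()
    yield low
    yield low.capitalize()
    yield low.upper()
    leet = "".join(LEET.get(c, c) for c in low)
    if leet != low:
        yield leet


def generate(seeds):
    """Build a de-duplicated candidate list from seed words, order preserved."""
    seen = set()
    candidates = []
    for seed in seeds:
        for base in mangle(seed):
            for suffix in suffixes():
                cand = base + suffix
                if cand not in seen:
                    seen.add(cand)
                    candidates.append(cand)
    return candidates


def meets_policy(password, min_len=8, classes_required=3):
    """Assumed policy: minimum length and at least N of 4 character classes."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return len(password) >= min_len and sum(classes) >= classes_required


def clean(candidates, **policy):
    """Drop candidates the target's policy would never have accepted.

    This matters most for ONLINE attacks: each guess is a request against a
    live service and may count toward lockout, so a forbidden guess is waste.
    """
    return [c for c in candidates if meets_policy(c, **policy)]


def sha256_hex(text):
    """Unsalted SHA-256; a stand-in for whatever the compromised store used."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def crack(leaked_hashes, candidates):
    """OFFLINE attack: hash every candidate locally and report matching hashes.

    A fast unsalted hash lets one dictionary pass cover every leaked hash at
    once, which is why a salted, deliberately slow scheme belongs in the store.
    """
    lookup = {sha256_hex(c): c for c in candidates}
    return {h: lookup[h] for h in leaked_hashes if h in lookup}


if __name__ == "__main__":
    seeds = ["acme", "winter"]  # constructed seed words (e.g. company name, season)
    cands = clean(generate(seeds))
    # Constructed "leak": one hash derived from the seeds, one that is not.
    leak = [sha256_hex("Winter2015!"), sha256_hex("correcthorsebatterystaple")]
    print(f"{len(generate(seeds))} generated, {len(cands)} survive the policy")
    print("cracked:", crack(leak, cands))
```

Run stand-alone, the script prints how many candidates the policy filter discards and recovers `Winter2015!` from the constructed leak while leaving the unrelated hash uncracked; the policy defaults (8 characters, 3 of 4 classes) are the kind of parameters a real tool would take from the target's published or observed policy.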
