You probably have numerous passwords for different digital user accounts. When creating new accounts, you usually have to meet certain requirements for a secure password. In this first of four blog posts, we explain how you can protect yourself from password cracking with a good password policy.
Passwords are the essence of today's IT and all connected systems. They basically define the security of the systems and are often a source of controversy in the company between IT, management and employees.
In addition to the Default Domain Password Policy, there is the Fine-Grained Password Policy. It offers much more granular protection; the default policy then only applies to users who are not already in one of the so-called PSO groups, i.e. only as a fallback.
Attention: the default domain password policy is limited to a minimum length of 14 characters; more is not natively possible.
The Microsoft Security Baseline also specifies 14 characters as the maximum value for this setting. If 15 characters are required anyway, the policy is overridden and passwords of 8 characters are accepted again.
To support your employees, additional means such as smart cards, dongles or biometrics can be used alongside two-factor authentication. This keeps security high despite reduced password complexity.
Weak or insufficiently complex passwords can be attacked in two forms: in plain text and as hashes. Complex, long passwords are of course transmitted and stored in the same way; we assume here that they are sufficiently protected, or that cracking the hash would take too long.
With today's computing power and graphics cards (the same hardware that makes virtual reality possible), a standard 8-character password can be cracked in minutes to hours. If passwords are built from "normal" words with appended numbers or in so-called leetspeak, the attacker has an easy time because of existing password tables.
Basically every system has to be considered: servers, clients, cloud services, printers and software such as an ERP system.
Potential attackers often look for "low privileged users" as a starting point, in order to then move horizontally or vertically through the network from there. Compromising even a simple user with very limited permissions via a weak password can be enough.
Password cracking is a sub-field of cryptanalysis, the science of breaking cryptographic protection. It aims to recover passwords stored in hashed form, i.e. to return them to their original plaintext. Numerous techniques, methods and procedures are used for this, some of which are presented in the following article.
Devices, services or entire domains are often compromised as part of penetration tests. However, the passwords stored there are kept as cryptographic hashes. To obtain these passwords in plain text, the hash must be broken, or "cracked" in technical jargon. Once cracked, access to a variety of services is possible: individual file shares, user accounts or entire ADs can be attacked with ease, because it is often enough to compromise a few key users to gain widespread access.
In a penetration test, this offers the possibility of gaining broad access right at the start with little knowledge of the network and its devices. The attacker only needs the password hashes, which can ideally be obtained via a man-in-the-middle (MitM) attack. These hashes can then be cracked with almost unlimited computing power. Cloud providers, where computing power can be rented for relatively little money, enable attacks on passwords that would have been unthinkable just a few years ago.
Passwords can be cracked in various ways; the best known are brute-force, dictionary, hybrid and combinator attacks. Each of these is only one possible method. There is no "best" attack, because passwords differ enormously from each other and a successful attack cannot simply be transferred to other passwords. It is important to know all attacks in their basic form and to be able to combine or reinterpret them creatively. Password cracking is therefore easy to get into, but mastery requires a lot of time, knowledge and computing power.
The brute-force attack tries every possible combination, and the number of combinations grows immensely with password length. Even with today's computing power, which makes it possible to test several hundred billion candidates per second, passwords of more than 10 characters cannot be "cracked" in an acceptable time by pure brute force on currently available hardware. However, it must always be kept in mind that available computing power increases massively while the prices for such hardware keep falling. The development of graphics cards over the last 10 years shows this very well: you need less and less money for the same performance, or you get more performance for the same money. Brute force is also far from the only way to crack passwords and can be supplemented and improved further.
Hashcat is software for "cracking" passwords, or rather their hashes. It is operated from the command line, runs on all common operating systems and supports CPUs, GPUs and FPGAs; Linux (server edition) with Nvidia graphics cards is recommended. Graphics cards are generally far more effective than processors. Ubuntu with the proprietary Nvidia drivers and CUDA is recommended as the distribution. Hashcat should always be compiled from source yourself, so that the latest version is used and compatibility problems are avoided.
hashcat -a (attack mode) -m (hash mode) path/to/hashfile path/to/dictionary
This syntax can be extended with further options, which are explained below.
The -a option determines the attack mode. You can choose between the following variants:
-a 0 Dictionary
-a 1 Combinator
-a 3 Brute force (mask)
-a 6 Hybrid: dictionary + mask
-a 7 Hybrid: mask + dictionary
-a 9 Association
The dictionary attack (-a 0) is the default and a good choice most of the time. The other attacks are tailored to specific situations and show their strengths there.
The hash mode specifies which hash type is to be cracked and is set with -m (number). NTLM, for example, is mode 1000, while SHA1 is mode 100. All mode numbers are best looked up in the Hashcat wiki.
In brute-force mode the candidates are described with character sets, so passwords can be mapped with the following placeholders:
?d = digits 0-9
?s = special characters
?l = lowercase letters
?u = uppercase letters
?a = all of the above
You can use these character sets to create your own masks, which can be used to search for passwords in a more targeted manner.
You can also define your own character sets to cover special letters (Chinese, Arabic, Russian, ...). This is done with the option -1 (custom character set). The -i option enables increment mode, i.e. the length of the brute-force attack is increased step by step: it starts with one character and then grows further.
Brute force on a password consisting of an unknown number of digits (increment mode, up to 9 digits):
hashcat -a 3 -m (hash mode) hashfile.txt -i ?d?d?d?d?d?d?d?d?d
Brute force on a password consisting of 5 letters (the first uppercase) and 4 unknown characters at the end:
hashcat -a 3 -m (hash mode) hashfile.txt ?u?l?l?l?l?a?a?a?a
Brute force on a password with partially known content:
hashcat -a 3 -m (hash mode) hashfile.txt ?u?l?l?lword
Brute force on a password with a custom character set (digits and special characters):
hashcat -a 3 -m (hash mode) hashfile.txt -1 ?d?s ?1?1?1?1?1?1?1?1
Brute force on a password with German umlauts in increment mode:
hashcat -a 3 -m (hash mode) hashfile.txt -1 charsets/German.hcchr -i ?1?1?1?1
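To make the "over 10 characters is infeasible" argument tangible, here is an added PowerShell example (not part of the original post) that reads a hashcat-style mask, including custom character sets such as -1 ?d?s and increment mode, and reports the keyspace and the worst-case time at a given hash rate. The built-in charsets mirror hashcat's ?l, ?u, ?d, ?s and ?a; the 100 GH/s rate is an illustrative assumption, not a measurement, and the function names are our own.

```powershell
# Added example (not part of the original post): estimate the keyspace of a
# hashcat-style mask and the time a brute-force run would need at a given rate.
# Built-in charsets mirror hashcat's ?l ?u ?d ?s ?a; custom charsets are passed as
# a hashtable such as @{ '1' = '?d?s' }, mirroring "-1 ?d?s" on the command line.

$Builtin = @{
    'l' = 'abcdefghijklmnopqrstuvwxyz'
    'u' = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
    'd' = '0123456789'
    's' = ' !"#$%&''()*+,-./:;<=>?@[\]^_`{|}~'   # hashcat ?s: 33 characters incl. space
}
$Builtin['a'] = $Builtin['l'] + $Builtin['u'] + $Builtin['d'] + $Builtin['s']   # 95 characters

function Expand-Charset {
    # Resolve a charset spec such as '?d?s' or 'abc?l' to its distinct characters.
    param([string]$Spec, [hashtable]$Custom = @{})
    $set = [System.Collections.Generic.HashSet[char]]::new()
    $i = 0
    while ($i -lt $Spec.Length) {
        if ($Spec[$i] -eq '?' -and $i + 1 -lt $Spec.Length) {
            $key = [string]$Spec[$i + 1]
            if ($key -eq '?')                   { [void]$set.Add([char]'?') }          # "??" is a literal ?
            elseif ($Builtin.ContainsKey($key)) { foreach ($c in $Builtin[$key].ToCharArray()) { [void]$set.Add($c) } }
            elseif ($Custom.ContainsKey($key))  { foreach ($c in (Expand-Charset $Custom[$key] $Custom)) { [void]$set.Add($c) } }
            else { throw "Unknown charset ?$key" }
            $i += 2
        } else {
            [void]$set.Add($Spec[$i])           # literal character
            $i++
        }
    }
    return ,$set
}

function Get-MaskKeyspace {
    # Number of candidates a mask covers. With -Increment, the keyspaces of all
    # prefixes (length 1 up to the full mask) are summed, as hashcat -i does.
    param(
        [Parameter(Mandatory)][string]$Mask,
        [hashtable]$Custom = @{},
        [switch]$Increment
    )
    $positions = [System.Collections.Generic.List[int]]::new()
    $i = 0
    while ($i -lt $Mask.Length) {
        if ($Mask[$i] -eq '?' -and $i + 1 -lt $Mask.Length) {
            $positions.Add((Expand-Charset ('?' + $Mask[$i + 1]) $Custom).Count)
            $i += 2
        } else {
            $positions.Add(1)                   # literal, e.g. the "word" in ?u?l?l?lword
            $i++
        }
    }
    $total  = [bigint]0
    $prefix = [bigint]1
    for ($n = 0; $n -lt $positions.Count; $n++) {
        $prefix *= $positions[$n]
        if ($Increment -or $n -eq $positions.Count - 1) { $total += $prefix }
    }
    return $total
}

function Get-CrackTime {
    # Worst-case seconds to exhaust a keyspace at a given rate (hashes per second).
    param([Parameter(Mandatory)][bigint]$Keyspace, [Parameter(Mandatory)][double]$HashesPerSecond)
    return ([double]$Keyspace) / $HashesPerSecond
}

# Illustrative rate only (an assumption): roughly what a multi-GPU rig reaches on fast hashes.
$rate  = 100e9
$cases = @(
    @{ Mask = '?d?d?d?d?d?d?d?d?d';       Custom = @{};               Increment = $true  }
    @{ Mask = '?u?l?l?l?l?a?a?a?a';       Custom = @{};               Increment = $false }
    @{ Mask = '?u?l?l?lword';             Custom = @{};               Increment = $false }
    @{ Mask = '?1?1?1?1?1?1?1?1';         Custom = @{ '1' = '?d?s' }; Increment = $false }
    @{ Mask = '?a?a?a?a?a?a?a?a?a?a?a?a'; Custom = @{};               Increment = $false }
)
foreach ($case in $cases) {
    $ks   = Get-MaskKeyspace -Mask $case.Mask -Custom $case.Custom -Increment:$case.Increment
    $days = (Get-CrackTime -Keyspace $ks -HashesPerSecond $rate) / 86400
    '{0,-28} {1,30:N0} candidates  ~{2:N2} days at {3:N0} H/s' -f $case.Mask, $ks, $days, $rate
}
```

The first four masks are the ones from the examples above and each finish within hours at the assumed rate; the last one (12 positions of ?a, i.e. 95^12 candidates) lands at tens of thousands of years, which is why the text puts the practical brute-force limit at around 10 characters and why pentesters reach for dictionaries, rules and masks instead.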
The key to success is the implementation of a complex password policy. This can be done via the "Default Password Policy" or via a "Fine grained password policy".
For the default password policy without additional means (biometrics, cards, etc.), at least 12 characters including complexity should be chosen. We also recommend changing the password regularly, at least once a year. According to the current BSI recommendation, a regular password change can be dispensed with, but this is explicitly tied to the condition that compromised passwords are detected promptly. However, experience shows that in the majority of existing infrastructures this is hardly possible without a SIEM or extensive monitoring combined with a connection to services such as https://haveibeenpwned.com.
Quote:
BSI document "ORP_4_Identitaets_und_Authorization_Management_Editon_2020"
Recommendations for regulating password use – see ORP.4.A__.
ORP.4.A23 Regulation for password-processing applications and IT systems [IT operations] (B) IT systems or applications SHOULD ONLY request a password change with a valid reason. Purely time-controlled changes SHOULD be avoided. Action MUST be taken to detect password compromise. If this is not possible, it SHOULD be checked whether the disadvantages of a time-controlled password change can be accepted and whether passwords are changed at certain intervals.
The password should satisfy at least three of the four possible complexity requirements. A history of 24 passwords is recommended, and accounts should be locked out if incorrect entries are made too often.
Important: this does not apply to administrators. Apart from the greater minimum length, no lockout threshold should be configured for them, otherwise there is a risk of denial of service.
If all accounts were attacked at the same time under the same policy, no one would be able to unlock anyone and the company would be at a standstill. Apart from that, the threshold is one of the most useful settings for preventing brute-force attacks.
In addition to the default policy, a significantly higher level of granularity is possible with the Fine-Grained Password Policy. It allows users to be grouped and the complexity requirements to be raised per group as needed.
Several steps are required for this.
The PSO groups must be created in Active Directory Users and Computers.
Three groups are created here as a suggestion; this can of course be made even more granular, for example with a separate group for power users.
Then, in the Active Directory Administrative Center, select the tree view and navigate to Domain -> System -> Password Settings Container.
This is followed by the actual creation of the PSO objects (Password Settings Objects), which can be configured as in the following example.
Important: as already described for the Default Password Policy, it is essential that administrators do not get an account lockout, otherwise access will no longer be possible in the event of a brute-force attack.
First the administrative PSO, with the corresponding group assigned.
The precedence (ranking) determines the order in which the PSOs are processed.
Password length should be at least 16 characters
Passwords remembered: 36
Then management / power users
Starting with this group, we recommend configuring the account lockout so that a locked account has to be unlocked by IT. A time-based lockout duration is also common, but modern attacks can get around it by pacing their password attempts to the lockout window.
After ten or 15 incorrect entries a reset is usually necessary anyway.
And finally the standard users.
For all groups, protection from accidental deletion must be enabled. A clear description of who is subject to which password policy is also recommended.
After creation, the password policies are processed in the following order:
1 Domain Default Policy
2 PSO group > by rank order
3 PSO users > by ranking
When ranking PSOs, the lower value wins. An administrative user can therefore be in both the PSO User and the PSO Administrator group, but the PSO Administrator settings always apply to them.
Basic rule: do not apply PSOs to individual users, as this becomes difficult and confusing to manage.
The default domain policy should also be configured as a fallback: if a user is in no PSO group, the default domain policy still applies.
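The same three-tier setup can be scripted with the ActiveDirectory module instead of clicking through the Administrative Center. The following PowerShell is an added example and not the post's own configuration: the administrator values (16 characters, 36 remembered passwords, no lockout), the "locked until IT unlocks" mode for power users, deletion protection and the descriptions follow the text; the group names, the OU path, the precedence numbers and the standard-user lockout values are assumptions. It needs RSAT and domain admin rights, and Get-ADUserResultantPasswordPolicy at the end is the check for which PSO actually wins for a given user.

```powershell
# Added example (not from the original post): create the PSO groups and the matching
# fine-grained password policies. Assumptions: group names, the OU path, precedence
# values and the standard-user lockout settings. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$groupOU  = "OU=Groups,$domainDN"        # assumption: an OU that already exists

# Precedence: the lowest number wins when a user is in several PSO groups.
# LockoutDuration 0 means "locked until an administrator unlocks the account".
$policies = @(
    @{ Group = 'PSO-Administrators'; Precedence = 10; MinLength = 16; History = 36
       LockoutThreshold = 0;  LockoutDuration = [TimeSpan]::Zero
       Desc = 'Administrators: 16+ characters, 36 remembered, no lockout (DoS protection)' }
    @{ Group = 'PSO-PowerUsers';     Precedence = 20; MinLength = 14; History = 24
       LockoutThreshold = 10; LockoutDuration = [TimeSpan]::Zero
       Desc = 'Management / power users: 14+ characters, lockout until unlocked by IT' }
    @{ Group = 'PSO-StandardUsers';  Precedence = 30; MinLength = 12; History = 24
       LockoutThreshold = 10; LockoutDuration = [TimeSpan]::FromMinutes(30)
       Desc = 'Standard users: 12+ characters, 30 minute lockout' }
)

foreach ($p in $policies) {
    # Idempotent: only create what does not exist yet.
    if (-not (Get-ADGroup -Filter "Name -eq '$($p.Group)'")) {
        New-ADGroup -Name $p.Group -GroupScope Global -GroupCategory Security `
            -Path $groupOU -Description $p.Desc
    }
    if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$($p.Group)'")) {
        New-ADFineGrainedPasswordPolicy -Name $p.Group -Precedence $p.Precedence `
            -MinPasswordLength $p.MinLength -PasswordHistoryCount $p.History -ComplexityEnabled $true `
            -LockoutThreshold $p.LockoutThreshold -LockoutDuration $p.LockoutDuration `
            -LockoutObservationWindow ([TimeSpan]::FromMinutes(30)) `
            -MaxPasswordAge ([TimeSpan]::FromDays(365)) -MinPasswordAge ([TimeSpan]::FromDays(1)) `
            -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true `
            -Description $p.Desc
        # Link the PSO to the group of the same name (the PSO "applies to" list).
        Add-ADFineGrainedPasswordPolicySubject -Identity $p.Group -Subjects $p.Group
    }
}

function Get-EffectivePasswordPolicy {
    # Which policy actually applies to a user: the PSO with the lowest precedence,
    # or the domain default when the user is in no PSO group at all.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($null -eq $pso) { return Get-ADDefaultDomainPasswordPolicy }
    return $pso
}

# Example check for a (hypothetical) account that is in both the administrator and the user group.
Get-EffectivePasswordPolicy -SamAccountName 'jdoe.adm' |
    Select-Object Name, Precedence, MinPasswordLength, PasswordHistoryCount, LockoutThreshold, LockoutDuration
```

Running the check for every privileged account after a change is worthwhile: it is the quickest way to notice that an administrator has accidentally been left under a PSO that locks out, which is exactly the denial-of-service situation the text warns about.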
Support your employees with all the means at your disposal so that no easy passwords (pet, partner, etc.) are chosen. At least the administrators should have a password manager available. Helpful instructions and user awareness training are current good practice and welcome as support.
In addition, two-factor authentication (2FA) should always be used whenever possible. This increases the effort for attackers enormously, since it means that a mobile device, a mobile phone number or apps have to be additionally compromised.
In modern AD environments, there are several ways to counteract weak passwords. In addition to the well-known password policies, these can be supplemented with block lists. In this way, weak passwords that meet the password policy but are still insecure can be filtered out. Typical examples are combinations of company name, location or product name with numbers and/or special characters. Because of their low complexity, such passwords endanger the security of the entire company, since compromising individual users is often enough to compromise the entire domain.
Microsoft offers two options for this: in Azure AD environments, Microsoft's own block lists are applied to all passwords by default to prevent the use of weak passwords. These lists are maintained by Microsoft and contain weak passwords used worldwide. You can also specify your own lists of blocked passwords to better reflect local peculiarities. For the custom block lists it is advisable to use the root words of the passwords, i.e. instead of company name!*'#02 only company name, since the permutations are generated automatically by AD. These two types of password block list can only be implemented in Azure AD or hybrid deployments; this is not possible with purely on-premises AD. The appropriate license (Azure AD Premium P1) is also required.
Offline cracking with Hashcat cannot be detected, since it usually takes place on other systems. Brute-force attacks against your own systems, on the other hand, can be recognized very well. Above all, this requires good monitoring of, for example, failed logon attempts, which can indicate brute-force attacks. For cloud services, Intune can also be relevant here: it recognizes impossible travel activity or unknown IP addresses and, if necessary, blocks the use of the password directly.
The basic question is: what can the attacker do with the data they have access to, and what is the internal handling like? Simply logging the attempt may not contain enough information for criminal prosecution. For internal security, an immediate blocking of the user and of the attacker's IP address would be desirable.
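What "good monitoring of failed logon attempts" can look like in practice, as an added PowerShell example that is not part of the original post: it groups Windows failed-logon events (Security event ID 4625) by source address and slides a time window over each source, flagging many failures against one account as brute force and one failure each against many accounts as password spraying (which a lockout threshold alone does not catch). The event records are constructed sample data; ConvertFrom-FailedLogonEvent at the end maps real Get-WinEvent records into the same shape. Thresholds, window size and function names are assumptions.

```powershell
# Added example (not from the original post): detect brute-force and password-spray
# patterns in failed-logon events (event ID 4625). Sample events below are constructed;
# thresholds and the 10 minute window are assumptions to be tuned per environment.

function New-FailedLogon {
    param([datetime]$Time, [string]$User, [string]$Ip, [string]$SubStatus)
    [pscustomobject]@{ TimeCreated = $Time; TargetUser = $User; IpAddress = $Ip; SubStatus = $SubStatus }
}

$t0 = [datetime]'2024-01-15 08:00:00'
$sampleEvents = @()
# 12 wrong passwords for one account from one source within 3 minutes: brute force
foreach ($n in 1..12) {
    $sampleEvents += New-FailedLogon ($t0.AddSeconds($n * 15)) 'administrator' '203.0.113.7' '0xC000006A'
}
# one wrong password each against 6 different accounts from another source: spraying
$n = 0
foreach ($u in 'jdoe', 'msmith', 'akhan', 'bwu', 'clee', 'dortiz') {
    $sampleEvents += New-FailedLogon ($t0.AddSeconds(60 + $n * 20)) $u '198.51.100.9' '0xC000006A'
    $n++
}
# two typos by a normal user half an hour apart: must not be flagged
$sampleEvents += New-FailedLogon ($t0.AddMinutes(5))  'jdoe' '10.0.0.5' '0xC000006A'
$sampleEvents += New-FailedLogon ($t0.AddMinutes(30)) 'jdoe' '10.0.0.5' '0xC000006A'

function Find-LogonAttack {
    # Group by source, then slide a window over each source's failures in time order.
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$WindowMinutes = 10,
        [int]$MaxFailures   = 10,   # failures from one source in the window -> brute force
        [int]$MaxAccounts   = 5     # distinct accounts from one source in the window -> spray
    )
    $findings = @()
    foreach ($group in ($Events | Group-Object IpAddress)) {
        $sorted = @($group.Group | Sort-Object TimeCreated)
        for ($start = 0; $start -lt $sorted.Count; $start++) {
            $from     = $sorted[$start].TimeCreated
            $to       = $from.AddMinutes($WindowMinutes)
            $inWindow = @($sorted | Where-Object { $_.TimeCreated -ge $from -and $_.TimeCreated -le $to })
            $accounts = @($inWindow.TargetUser | Sort-Object -Unique)
            $type = $null
            if ($inWindow.Count -ge $MaxFailures)     { $type = 'brute-force' }
            elseif ($accounts.Count -ge $MaxAccounts) { $type = 'password-spray' }
            if ($type) {
                $findings += [pscustomobject]@{
                    Source = $group.Name; Type = $type; Failures = $inWindow.Count
                    Accounts = $accounts.Count; From = $from; To = $inWindow[-1].TimeCreated
                }
                break   # one finding per source is enough to raise an alert
            }
        }
    }
    return ,$findings
}

# Expected on the sample data: 203.0.113.7 -> brute-force, 198.51.100.9 -> password-spray, 10.0.0.5 -> nothing
Find-LogonAttack -Events $sampleEvents |
    Format-Table Source, Type, Failures, Accounts, From, To -AutoSize

function ConvertFrom-FailedLogonEvent {
    # Map a real 4625 record from Get-WinEvent to the shape used above (not run on the sample).
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)
    process {
        $field = @{}
        foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
        New-FailedLogon $Event.TimeCreated $field['TargetUserName'] $field['IpAddress'] $field['SubStatus']
    }
}
# On a domain controller, the last hour of real failures would be analysed like this:
# $real = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-1) } |
#             ConvertFrom-FailedLogonEvent
# Find-LogonAttack -Events $real
```

The finding carries the source address, the account count and the time span, which is exactly what the response described above needs: the user lock or IP block can be triggered from it, and the record is more useful for a later investigation than a bare "logon failed" line.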
Here's the next part of our Password series: Hashcat - Password cracking part 2
https://www.prosec-networks.com/blog/passwortmanager-im-unternehmen-einsetzen/
When dealing with the following ISMS framework controls, the vulnerability and its elimination play a role:
ISO 27001:
A.9.4.3 Password Management System
BSI Baseline Protection:
NET.1.1.A7
PSN ID:
PS-TN-2020-0055