Adventures in Underland: What Passwords Do When No One Is Watching

Description

Wherever and whenever you enter your password in a password field, at least one mechanism must know it in order to use it later for its designed purpose. It is common knowledge that when we set up a password in Windows, it is hashed and stored either in the SAM or in the ntds.dit database in Active Directory. This is useful for verification purposes, but if your operating system can reuse the password, it means others can decrypt it! In this intensive session, learn the encryption and decryption techniques used nowadays in systems, networks, and applications. We look at various technology weaknesses and try to take passwords from the places where the operating system uses them to perform several operations. Become familiar with some unexpected places for your passwords and learn what you can do to mitigate the risk before somebody else grabs them! The session covers password internals. Have a cup of coffee before attending!

Day: 4

Session Type: Breakout

Code: ATC-B301

Room: La Nouvelle Ballroom B

    The Discussion

    • KennethReynoldsMCT

      Sounds interesting!

    • trekr200

      I am hoping this information will be helpful for our Help Desk and PC Support techs.

    • buckeye254

      My organization uses an identity management system,  I tell my users to log out of all connected systems before changing passwords.  I know why and I try to explain, perhaps this would be helpful.

    • jjb80

      Paula's sessions are always good.

    • panthrpride

      When no one is watching, passwords tease each other about how complicated they are. Also make bets on which password will be forgotten first. Some hate each other because they copied the same password. :P

    • kriher2

      :)

    • joe

      I heard one of the examples being used here was CPAU (joeware.net). If it took longer than 5 minutes to accomplish it I would be surprised. I (the author) indicate on the web site that anyone with a debugger can get the info out of an encoded (not encrypted) JOB file. Also there are at least 3-4 articles on the web that have been out there >year that talk about doing it.

      joe

    • qistech

      Great Session!

    • Paula

      joe! CPAU does one thing and does it well. It is why I used it as an example. The session was about password storing and reusing and not about cracking/hacking applications. I hope you do not take it personally! :)

    • adrian

      lmao @ trever. yeah she's SMOKING HOTT!!!! and the fact that she knows IT...win-win!!!

    • joe

      Paula, I didn't take it personally. :) I just wanted to point out that this is well known to me and anyone who searches the internet. Unfortunately the API call being used only accepts clear text. One of the reasons I didn't bother worrying much about encrypting the JOB file (versus encoding) is that I knew how simple it was to break on the API call (or the various and sundry ways you can try to hide the call) and look at the parameters directly or even to just hook the API call and dump every use of it by anything. On the positive side, not many people have a clue on what to do in a debugger and that number seems to get smaller every year.

      I was a little disappointed that only one person raised their hand and said they used CPAU though, I received about 18 or so emails from folks sitting in the room while your presentation was going on letting me know that it was being "hacked" on the big screen. ;)

      Good presentation overall. :)

      Take care,

      joe
