Adventures in Underland: What Passwords Do When No One Is Watching

Sign in to queue

Description

Wherever and whenever you enter your password in the password field, there is at least one mechanism that must know it to use it later for the designed purpose. The common knowledge is that when we set up our password in Windows it is hashed and stored either in SAM or ntds.dit database in Active Directory. This is useful for verification purposes, but if your operating system can re-use the password it means others can decrypt it! In this intensive session, learn the encryption and decryption techniques being used nowadays in systems, networks, and applications. We look at the various technology weaknesses and try to take passwords from the places where they are used by the operating system to perform several operations. Become familiar with some unexpected places for your passwords and learn what you can do to mitigate the risk before somebody else grabs them! Session covers passwords’ internals. Have a cup of coffee before attending!

Day:

4

Session Type:

Breakout

Code:

ATC-B301

Room:

La Nouvelle Ballroom B

Embed

Download

Download this episode

The Discussion

  • User profile image
    Kenneth​ReynoldsMCT

    Sounds interesting!

  • User profile image
    trekr200

    I am hoping this information will be helpful for our Help Desk and PC Support techs.

  • User profile image
    buckeye254

    My organization uses an identity management system,  I tell my users to log out of all connected systems before changing passwords.  I know why and I try to explain, perhaps this would be helpful.

  • User profile image
    jjb80

    Paula's sessions are always good.

  • User profile image
    panthrpride

    When no one is watching, passwords tease each other about how complicated they are. Also make bets on which password will be forgotten first. Some hate each other because they copied the same password. Tongue Out

  • User profile image
    kriher2

    Smiley

  • User profile image
    joe

    I heard one of the examples being used here was CPAU (joeware.net). If it took longer than 5 minutes to accomplish it I would be surprised. I (the author) indicate on the web site that anyone with a debugger can get the info out of an encoded (not encrypted) JOB file. Also there are at least 3-4 articles on the web that have been out there >year that talk about doing it.

    joe

  • User profile image
    qistech

    Great Sesion!

  • User profile image
    Paula

    joe! Cpau does one thing and does it well. It is why I used it as an example. The session was about password storing and reusing and not about cracking/hacking applications. I hope you do not take it personally! :)

  • User profile image
    adrian

    lmao @ trever. yeah she's SMOKING HOTT!!!! and the fact that she knows IT...win-win!!!

  • User profile image
    joe

    Paula, I didn't take it personally. :) I just wanted to point out that this is well known to me and anyone who searches the internet. Unfortunately the API call being used only accepts clear text. One of the reasons I didn't bother worrying much about encrypting the JOB file (versus encoding) is that I knew how simple it was to break on the API call (or the various and sundry ways you can try to hide the call) and look at the parameters directly or even to just hook the API call and dump every use of it by anything. On the positive side, not many people have a clue on what to do in a debugger and that number seems to get smaller every year.

    I was a little disappointed that only one person raised their hand and said they used CPAU though, I received about 18 or so emails from folks sitting in the room while your presentation was going on letting me know that it was being "hacked" on the big screen. ;)

    Good presentation overall. :)

    Take care,

    joe

Add Your 2 Cents