1 of 28

Password Cracking

AKA how to be a real hackerman

Husnain

2 of 28

Have you ever gotten an email like this?

3 of 28

How did they get the password in the first place?

Password dumps.

https://haveibeenpwned.com/Passwords

4 of 28

How do hackers get these dumps?

5 of 28

How do websites store passwords?

Website

Database

requests password

sends back if password is in database

6 of 28

How do websites store passwords?

7 of 28

How do websites store passwords?

{"username": "user",
 "password": "password"}

8 of 28

How do websites store passwords?

{"username": "user",
 "password": "password"}

Database

SELECT * FROM users WHERE username = 'user' AND password = 'password'

9 of 28

How do websites store passwords?

Database

user found!

10 of 28

How do websites store passwords?

Database

user found!

redirect to actual page

11 of 28

SQL - language that databases speak

SELECT username, bio FROM users WHERE username LIKE "%a%"

(the "a" between the % signs is the user's input)

12 of 28

SQL Injection

we don’t sanitize user input...

SELECT username, bio FROM users WHERE username LIKE "%%%"

"%%%" matches any string

13 of 28

SQL Injection

so we can run arbitrary SQL statements!

SELECT username, bio FROM users WHERE username LIKE "%" UNION SELECT 1,2;--%"

14 of 28

Table Enumeration

so we can run arbitrary SQL statements, including reading the database's own schema:

SELECT username, bio FROM users WHERE username LIKE "%" UNION SELECT 1,sql FROM sqlite_master WHERE type='table';--%"

15 of 28

CREATE TABLE users (                        -- "users" is the table name
    username text primary key not null,     -- the column names follow
    password_hash text not null,
    hint text not null,
    bio text not null)
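An added example (not code from the deck) that builds the slides' users table in an in-memory SQLite database and runs the table-enumeration input against a query assembled by string concatenation versus the same query with a bound parameter. The rows are constructed sample data, and the query uses standard single-quoted literals, so the payload closes a ' rather than the deck's ".

```python
import sqlite3

# Table layout taken from the slides; the two rows are constructed sample data
# (their hashes are the MD5 values the deck shows for "password"/"Password").
SCHEMA = """CREATE TABLE users (
    username text primary key not null,
    password_hash text not null,
    hint text not null,
    bio text not null)"""
SAMPLE_ROWS = [
    ("alice", "5f4dcc3b5aa765d61d8327deb882cf99", "the usual", "likes cats"),
    ("bob", "dc647eb65e6711e155375218212b3964", "capitalised", "likes dogs"),
]

# The table-enumeration input from the slides, adjusted to close a
# single-quoted literal instead of the deck's double-quoted one.
ENUM_PAYLOAD = "' UNION SELECT 1,sql FROM sqlite_master WHERE type='table';--"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?,?,?,?)", SAMPLE_ROWS)
    return conn


def search_vulnerable(conn, term):
    # String concatenation, as on the slides: whatever the user typed is
    # parsed as part of the SQL statement, quotes and all.
    sql = "SELECT username, bio FROM users WHERE username LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    # Parameterised query: the driver binds the term as a value, so a quote
    # inside it can never end the literal or start a new clause.
    sql = "SELECT username, bio FROM users WHERE username LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


def leaked_schema(rows):
    # Picks out any CREATE statements that came back in the "bio" column.
    return [r[1] for r in rows
            if isinstance(r[1], str) and r[1].startswith("CREATE TABLE")]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", leaked_schema(search_vulnerable(db, ENUM_PAYLOAD)))
    print("safe:      ", leaked_schema(search_safe(db, ENUM_PAYLOAD)))
```

The concatenated version hands back the CREATE TABLE text from sqlite_master (alongside every user, since LIKE '%' matches all of them); the parameterised version returns nothing, because no username contains the payload string.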

16 of 28

How to leak passwords?

Left as exercise

17 of 28

Hashing

If things go wrong, an attacker can leak all passwords on a server

Therefore, most websites don’t store raw passwords, but hashed ones

From Wikipedia: “A hash function is any function that can be used to map data of arbitrary size to fixed-size values.”

Basically, a function that is easy to calculate one way but hard to go back the other way*

18 of 28

Example: MD5

md5("password") = 5f4dcc3b5aa765d61d8327deb882cf99

md5("Password") = dc647eb65e6711e155375218212b3964

19 of 28

Don’t use MD5

  • Hashcat - open source software designed to crack hashes
  • To use Hashcat, it’s best to have a faster computer with a GPU, or just use Google Colab and use their free GPUs ¯\_(ツ)_/¯

https://github.com/mxrch/penglab

20 of 28

* Computers are very fast

We can crack 21 billion hashes per second!

21 of 28

Brute-force attack

Assuming your password contains just uppercase characters, lowercase characters, and numbers ([A-Z], [a-z], [0-9]), so 62 choices per character, and cracking at the 21 billion hashes per second quoted above, we have:

Number of Characters   Number of Possible Passwords   Time to Crack
3                      238328                         nearly instantly
4                      ~14 million                    nearly instantly
5                      ~900 million                   43 milliseconds
6                      ~56 billion                    2.7 seconds
7                      ~3.5*10^12                     2 minutes
8                      ~2.2*10^14                     3 hours
9                      ~1.4*10^16                     7.5 days

22 of 28

Live demo (brute force)

23 of 28

Dictionary attack

If someone used a password on a site that got compromised, they have probably used the same password on other websites too

24 of 28

Live demo (dictionary attack)

25 of 28

Rule attack

password
password123
password00
p@ssword
pa$$word
Password
P@$$word
Pa$$w0rd
P@$$w0rd
123Password123
123password123
...

26 of 28

Live demo (rule attack)

27 of 28

How to protect yourself

  • Sanitize input in web apps
  • Make good passwords
  • Don’t reuse passwords
  • Use a password manager

Obligatory XKCD reference

28 of 28

Questions?