Protecting Passwords Against Offline Attacks

 Offline Password Attacks & Preventive Measures

Rainbow table attack

The best protection against this attack type is adding salt (random data) to the password before hashing.

Brute Force & Dictionary

The best method for slowing down the attacker from discovering the password is to use key stretching. This method uses thousands of rounds of hashing. This does not make the key stronger, but the attacker has to do a lot of processing to check each possible key to find the correct one. There are 2 methods on the exam:

PBKDF2 & bcrypt

Port Numbers to know for the exam

 Port Numbers - Associated Protocol

Port Number                      Protocol

21        TCP                 FTP (File Transfer Protocol)

22        TCP                 SSH (Secure Shell)

22        TCP                 SCP  (Secure Copy Protocol)

22        TCP                 SFTP (Secure File Transfer Protocol) 

23        TCP                 Telnet

25        TCP                 SMTP (Simple Mail Transfer Protocol)

53        TCP / UDP      DNS (Domain Name System)

67        UDP                DHCP (Dynamic Host Configuration Protocol - server) 

68        UDP                DHCP (Dynamic Host Configuration Protocol - client)    

69        UDP / TCP      TFTP (Trivial File Transfer Protocol)

80        TCP                 HTTP (Hypertext Transfer Protocol)

110      TCP                 POP (Post Office Protocol)

135      TCP /UDP       RPC (Remote Procedure Call)

139      TCP                 NetBIOS (MS file sharing port - legacy)

143      TCP                 IMAP (Internet Message Access Protocol)

161      UDP                SNMP (Simple Network Management Protocol)

443      TCP                 HTTPS (Hypertext Transfer Protocol Secure)

445      TCP                 SMB (Server Message Block)

587      TCP                 SMTPS (Simple Mail Transfer Protocol Secure)

1812    UDP                RADIUS (Remote Authentication Dial-in User Service)

3389    TCP                 RDP (Remote Desktop Protocol)

Brute Force, Dictionary, Spraying Attacks

 Password Discovery Methods

All of these attacks covered in the section are online attacks. 

BRUTE-FORCE:

• Uses an exhaustive list trying to guess the passwords.
• Password guessing programs used for brute force attacks can check anywhere from 10,000 to 1 billion passwords per second. 
• Brute force attacks are run against a single username with multiple password guesses.

EXAMPLE:
cbgto1gpy

cbgto2gpy

cbgto3gpy

cbgto4gpy

cbgto5gpy

cbgto6gpy

In this example, the sixth character changes when the program has completed all possible combinations with the sixth character and has not discovered the password. Then, the fifth character changes to the letter "p" and continues the process. 

DICTIONARY:

• A dictionary attack will go through common words out of the dictionary and does not use complexity.
• Dictionary attacks are run against a single username with multiple password guesses. This is also an automated program.

SPRAYING ATTACK:

• A spraying attack is one password, normally simple or commonly used against multiple accounts (2 or more usernames). 
• The attacker waits a period such as 30 minutes or longer. 
• This is done to bypass account lockout. 
• Most account lockouts reset the failed login counter back to "0" at that point.

There are two primary ways to prevent brute-force or dictionary attacks:

• Account lockout after 3 to 5 failed login attempts
• The other is to use MFA (Multi-Factor Authentication)

Access Protocol by Network Type

 Kerberos, RADIUS, & SAML

Kerberos

• Inside a network such as an office
• Domain environment

RADIUS (AAA)

• VPNs
• Wireless (Enterprise mode)
• Keywords: AAA, PKI, 802.1x

SAML (Security Assertion Markup Language)

• Accessing a third-party website, web domain, webpage, CSP
• Uses federation for authentication
• Provides SSO (Single Sign-on)
• Uses username & password from a popular website such as Google as the identity provider

Pass the Hash Attack

 PtH (Pass the Hash Attack)

Attackers and penetration testers use the pass-the-hash attack. This allows them to achieve lateral movement or pivot to other systems in the network.

You do not have to crack the password, as the hash is the password.

One way to prevent this attack is to use group policy to prevent the caching of administrator passwords.

The other is to use the password-salting method. That way, the hashes will be completely different even if the admin uses the same local password for each system.

SSL Stripping Attack & Prevention

 SSL Stripping - SSL/TLS Downgrade

This type of attack can be called either of the above names. Pay attention to the question. The question may have stated that the user went to his financial organization's website, https://www.bank.com, but when you look at the logs, the user actually went to http://www.bank.com. 

HTTPS would have used port 443, whereas HTTP will use port 80. That could be another hint that the attack was SSL Stripping or an SSL/TLS downgrade attack.

The ways of preventing these attacks (has to be configured on the server):

• HSTS (HTTP Strict Transport Security)
• HTTP security header

CVE & CVSS the differences

 CVE and CVSS

CVE (Common Vulnerabilities and Exposures)

CVE deals with the platform, which is known to have a vulnerability.

Operating System

Applications

Hardware such as a switch, router, firewall, etc.

IoT (Internet of Things)

CVSS (Common Vulnerability Scoring System)

This lets us know the criticality of the vulnerability.

This is a calculated value based on several elements.