research1 IBRUT: Automating Intelligent Guessing Techniques. Pattern Analysis, Extraction, Reuse. "...
-
Upload
vanessa-horton -
Category
Documents
-
view
216 -
download
1
Transcript of research1 IBRUT: Automating Intelligent Guessing Techniques. Pattern Analysis, Extraction, Reuse. "...
www.notlsd.net research 1
IBRUT: Automating Intelligent IBRUT: Automating Intelligent Guessing Techniques. Guessing Techniques. Pattern Analysis, Extraction, Pattern Analysis, Extraction, Reuse.Reuse.
"全自動智慧型密碼猜測技術 , 字串分析、萃取、再用“
Fyodor [email protected] today is a race between software engineers striving
to build bigger and better idiot-proof programs, and the Universetrying to produce bigger and better idiots
- Altered quite by John Dryden
www.notlsd.net research 2
AgendaAgenda
“Bigger and better idiots” problem Traditional methods Analysis GA theory quickly Problem model design Implementation Demo Questions throughout and at the end
www.notlsd.net research 3
Problem Concepts:Problem Concepts:
What we know about
Password based
Authentication schemes
• Weak random seeds (rarely are random)• Often predicable environment, which affects
the password which user selects
www.notlsd.net research 4
Why?Why?
“Human factor” based network security: passwords, hidden folders, hidden interfaces – always there
Exploiting ‘weakest link’’: vulnerabilities come and go: “human” mistakes remain
“bruteforce” methodology: a need for some brain
www.notlsd.net research 5
Current MethodologiesCurrent Methodologies
Blind bruteforce (static dictionary based)“Intelligent” guessing: some
mechanisms available – specific dictionaries, checks for no passwords, same as username passwords
www.notlsd.net research 6
IssuesIssues
Extremely unproductiveOften – ineffective (time constraints)
www.notlsd.net research 7
How?How?
We need to learn how typical users pick up their passwords
Need to learn how policies affect itDetection of specific dictionary files
could be automaticAnalyze password selection patterns
and reuse the knowledge
www.notlsd.net research 8
If…If…
.. sample material is available…
www.notlsd.net research 9
How a typical user head works..How a typical user head works..
Environment
Background
Personal information
Oracle12
Oracle system administrator
www.notlsd.net research 10
What we can doWhat we can do
Use available environment and background information to make intelligent guess
… but we are not psychologists, so lets spot the basics
And let machine try to estimate the rest…
….using AI methods
www.notlsd.net research 11
AI: Why Genetic AlgorithmsAI: Why Genetic Algorithms
Adaptive algorithmsOur problem is not well understood Difficult to describe mathematicallyLarge search space
www.notlsd.net research 12
Where It Will Work?Where It Will Work?
Compromise internal networks of large organizations (same group of users across multiple systems, same security policies, training/background)
Large group of similar background/cultural level users (I.E. Dial-up users in Kyrgyzstan :p)
www.notlsd.net research 13
GA theory shortly * GA theory shortly * (not mine!!)(not mine!!)
The theory part is from „Genetic Algorithms and Evolution Strategies” presentation.
Presented by: Julie Leung Keith Kern Jeremy Dawson
www.notlsd.net research 14
Genetic AlgorithmsGenetic Algorithms
Closely follows a biological approach to problem solving
A simulated population of randomly selected individuals is generated then allowed to evolve
www.notlsd.net research 15
Encoding the ProblemEncoding the Problem
Express the problem in terms of a bit string
x = (1001010101011100)
where the first 8 bits of the string represent the X-coordinate and the second 8 bits represent the Y-coordinate
www.notlsd.net research 16
Basic Genetic AlgorithmBasic Genetic Algorithm
Step 1. Generate a random population of n chromosomes
Step 2. Assign a fitness to each individual
Step 3. Repeat until n children have been produced
– Choose 2 parents based on fitness proportional selection
– Apply genetic operators to copies of the parents– Produce new chromosomes
www.notlsd.net research 17
Fitness FunctionFitness Function
For each individual in the population, evaluate its relative fitness
For a problem with m parameters, the fitness can be plotted in an m+1 dimensional space
www.notlsd.net research 18
Sample Search SpaceSample Search Space
A randomly generated population of individuals will be randomly distributed throughout the search space
Image from http://www2.informatik.uni-erlangen.de/~jacob/Evolvica/Java/MultiModalSearch/rats.017/Surface.gif
www.notlsd.net research 19
Natural SelectionNatural Selection
The likelihood of any individual becoming a parent is directly proportional to its relative fitness
Image from http://www.genetic-programming.org
www.notlsd.net research 20
Genetic OperatorsGenetic Operators
Cross-over
Mutation
www.notlsd.net research 21
Production of New Production of New ChromosomesChromosomes2 parents give rise to 2 children
www.notlsd.net research 22
GenerationsGenerations
As each new generation of n individuals is generated, they replace their parent generation
To achieve the desired results, 500 to 5000 generations are required
www.notlsd.net research 23
Ultimate GoalUltimate Goal
Each subsequent generation will evolve toward the global maximum
After sufficient generations a near optimal solution will be present in the population of chromosomes
www.notlsd.net research 24
That’s it in short….That’s it in short….
If something isn’t clear, ask now..
www.notlsd.net research 25
Methodology BreakdownMethodology Breakdown
Analyze users habits (manual)Formalize (manual)Generate population, train on the
“known” data (automatic) until desired fitness achieved
Use generated “population” to create “user brain” (run-time AI dictionary)
www.notlsd.net research 26
How it will work:How it will work:
Extract common
“patterns
Formalize &
Encode so
GA can workGenerate
Random population
Train on “known data”
Use produced “pattern”
Population to create ‘real-time’ AI
dictionary Repeat until guess-rate(fitness) is high
www.notlsd.net research 27
User habits:User habits:
Environment based (hostname, company, domain, platform, application, business purpose)
host
Company nameBusiness profile
User brain
‘mutation’ password
www.notlsd.net research 28
User habits:User habits:
Personal ID based (user id, name, dates)
Cultural (language specific dictionary, business profile specific dictionary)
host
Company nameBusiness profile
User brain
‘mutation’ password
www.notlsd.net research 29
User habitsUser habits
“shuffle” the base (character swap, capitalisation, “l33t” language etc)
Combine “bases”
www.notlsd.net research 30
Problem model designProblem model design
Represent our problem as genome:
GGENOME vector:
Gene:
Base
“Shuffle” method
Gene:
Base
“Shuffle” method
www.notlsd.net research 31
Problem model designProblem model design
Crossover:
Gene exchange (AA + BB = AB BA
Gene drop (AA + BB = AA AB)
Gene combination AA + BB = AABBMutation:
Random change of “base” or “shuffle” methods within Gene(s)
www.notlsd.net research 32
Fitness functionFitness function
• Pr(hi) = fitness(hi)/{j=1..P fitness(hj).
Fitness function measures how the produced ‘string’ match the password (on number of characters).
www.notlsd.net research 33
Practical ImplementationPractical Implementation
IBRUT: a toolkit and a library
www.notlsd.net research 34
PrinciplesPrinciples
Uses “Evolving objects” library for GA and evultional algorithms
Implemented as a set of tools to gather “knowlegde” and as a library which will use “patterns” to patch your favourite brute-forcing tool
www.notlsd.net research 35
DEMODEMO
No laughs!..
www.notlsd.net research 36
Effectiveness compared with Effectiveness compared with standard bruteforce toolsstandard bruteforce toolsStandard dictionary of frequently
used passwordsHydra checksJohn the ripper
www.notlsd.net research 37
Future of “Intelligent guessing”Future of “Intelligent guessing”
SNMP community stringsWeb folders “blind” mappingIntelligent fuzzers…
www.notlsd.net research 38
Potential problems Potential problems
Representation of the problemTrained data & computational time Hard to avoid redundancy in
produced data
www.notlsd.net research 39
ConclusionConclusion
“new tool” -> “new knowledge”Fresh look on old problem
www.notlsd.net research 40
Thanks !
That’s about it…That’s about it…
Last chance to ask your questions ;)