Forearmed. Phishing Attacks and Password Cracking.
Prof. Dr. Andreas Aßmuth
Technical University of Applied Sciences OTH Amberg-Weiden
Department of Electrical Engineering, Media and Computer Science
2021-05-29
About me
Professor of Computer Networks and Mathematics
Dean of Studies
Teaching: Mathematics, Computer Networks, Cryptography, Coding Theory, Information Security
Research: Applied Cryptography, Information Security, Ethical Hacking
IARIA Fellow
© A. Aßmuth: “Forearmed. Phishing Attacks and Password Cracking.” 2
Anatomy of a Hacked Smartphone
Surveillance
+ Audio
+ Camera
+ Call logs
+ Position
+ SMS
Data Theft
+ Account infos
+ Contacts
+ Call logs
+ Theft through apps
+ Device infos (IMEI)
Money
+ Premium SMS
+ Theft of TANs
+ Ransomware
+ Fake Antivirus
+ Overpriced calls
Faked Identity
+ Re-routing of SMS
+ Sending emails
+ Posts on social media
“Zombie Smartphone”
+ DDoS attacks
+ Clickbait
Cryptographic Hash Functions
Cryptographic hash functions must have certain properties:
(i) Fast and easy computation of hashes.
(ii) One-way function: Given a hash, it must be infeasible to find an input that generates exactly that hash.
(iii) Collision resistance: It must not be possible to find any two inputs that generate the same hash.
How Does a Login Procedure Work?
Creation of a new account
+ username: alice
+ password: *************
+ hash password
+ store username and hash
Login to account
+ username: alice
+ password: *************
+ hash password
+ compare hashes (?)
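The two flows on this slide, written out as an added example (not code from the talk): account creation stores only a per-user salt and a slow hash, and login recomputes the hash from the submitted password and compares it in constant time. The in-memory USERS table, the function names and the iteration count are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Constructed in-memory "user database": username -> (salt, hash).
# Assumption for this example; a real system persists this table.
USERS: dict[str, tuple[bytes, bytes]] = {}

# PBKDF2-HMAC-SHA256 with a high iteration count: deliberately slow, so an
# attacker who steals the table pays this cost for every offline guess.
ITERATIONS = 600_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length hash from the password and a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def create_account(username: str, password: str) -> bool:
    """Account creation: hash the password, store username, salt and hash."""
    if username in USERS:
        return False
    salt = os.urandom(16)  # fresh random salt per account: equal passwords get different hashes
    USERS[username] = (salt, hash_password(password, salt))
    return True  # the plaintext password itself is never stored


def login(username: str, password: str) -> bool:
    """Login: hash the submitted password the same way and compare the hashes."""
    record = USERS.get(username)
    if record is None:
        # Do the same expensive work for unknown users so that the response time
        # does not reveal whether a username exists.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored_hash = record
    candidate = hash_password(password, salt)
    # Constant-time comparison: a plain == stops at the first differing byte.
    return hmac.compare_digest(candidate, stored_hash)


if __name__ == "__main__":
    create_account("alice", "correct horse battery staple")
    print(login("alice", "correct horse battery staple"))  # True
    print(login("alice", "Tr0ub4dor&3"))                   # False
```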
Password Cracking Offline Attack
[Figure: human-chosen passwords ranked by strength (trivial → non-trivial) against the attack needed to recover them]
+ List of worst passwords
+ Dictionary (words)
+ Dictionary + rules
+ Markov chains
+ Brute-Force (length limit)
+ Password space → Brute-Force Attack (no length limit)
Cf. Javier Galbally, Iwen Coisel and Ignacio Sanchez, “A New Multimodal Approach for Password Strength Estimation—Part I: Theory and Algorithms”, IEEE Trans. on Information Forensics and Security, Vol. 12, No. 12, pp. 2829-2844, doi: 10.1109/TIFS.2016.2636092, IEEE, 2017.
Grapucino: Graphic Processing Unit Cluster in a Box
+ Graphics Cards: GeForce GTX 1080
+ Riser Adapter Boards: 1x → 16x
+ Temperature Sensors
+ Fan Control: Arduino Uno
+ Mainboard: Asus Mining Expert
+ Power Supply: 1600 W
+ 256 GB SSD
Figure created by Tobias Nickl, M.Sc.
Password Cracking
Demonstration
Secure Passwords Summary
Source: Randall Munroe, https://xkcd.com/936/
Phishing Example 1
+ https://gglks.com/8i43k
Phishing Example 2
+ https://thewhiteroomcreative.com/it-service.oth-aw.de/
Phishing Example 3
Phishing Example 4
Malicious COVID-19 Apps
Phishing Attack
Demonstration
Prof. Dr. Andreas Aßmuth
Professor of Computer Networks and Mathematics
OTH Amberg-Weiden
Department of Electrical Engineering, Media and Computer Science
Kaiser-Wilhelm-Ring 23, 92224 Amberg
Tel.: +49 9621 482 3604
Fax: +49 9621 482 4604
Email: [email protected]
Key ID: 0x93E4D0FA
Web: https://www.andreas-assmuth.de
https://www.oth-aw.de
Word cloud created by Ashashyou, CC BY-SA 4.0