You've all heard me complain/stress out about writing my dissertation, so now that it's done of course I'm going to post it online. My Ph.D. dissertation, "Using Probabilistic Techniques to Aid in Password Cracking Attacks", is available for download from my tools page here.
A lot of it is going to look fairly familiar if you've seen my talks or been reading this blog, which makes sense since my dissertation is a summary of what I've been up to for the last three years. Here's a quick breakdown of what's in it:
- Overview + background info
  - The need for password cracking
  - General terms and techniques
  - Obtaining the datasets, and basic statistics about the datasets
  - A quick survey of common password hashes and popular password cracking tools
- Brute Force Attacks
  - 95% of it I've talked about on this blog before
  - The remaining 5%, which I really should post an entry on, is a comparison of a targeted brute force attack against a pure Markov attack. The targeted attack uses the tool I previously released, MiddleChild.
- Dictionary Based Attacks
  - Summary of some of the custom dictionaries I've created plus tools. Most of the tools are available in various places on my tools webpage.
  - Mostly this chapter focuses on the use of a customized edit distance metric for evaluating the effectiveness of input dictionaries, which is something that I've found incredibly useful.
  - Being a total of nine pages long, this is the chapter I feel is the most incomplete. It's also why I'm glad I have a blog so I can rectify that shortcoming over the next couple of months with additional posts ;)
- Dictionary based Rainbow Tables
  - For the complete AV experience, a video of me talking about this at Shmoocon is available here.
  - Quick note: I've since figured out that the higher number of collisions caused by the dictionary tables was due to the fact that I was comparing them to "perfect tables", aka ones where all of the merging chains had been removed. If I remove merging chains from the dictionary tables, they perform just as well, collision-wise. The fact that I didn't realize this when I was running the tests is a bit embarrassing. #facepalm
  - I have a bunch of ideas on how to further improve my tables, such as adding targeted brute force support (with Markov Models!!), and enhancing the basic dictionary attacks with more advanced word mangling rules and multiple dictionaries. Implementing those is very high on my to-do list.
- Using probabilistic context free grammars for password cracking
  - Instead of focusing on the word mangling rules, focus on the probabilities instead
  - The result is a password cracker that can be trained on previously disclosed passwords and generates highly targeted guesses
  - This is the heart and soul of my dissertation and the reason why I graduated. If you only read one chapter, this should be it.
  - Why should you care: It cracks more passwords with fewer guesses. What's not to like?
- A critique of NIST's use of entropy as a password strength measurement
  - Essentially a very rough draft of the paper I submitted to the ACM CCS conference on the effectiveness of different password creation policies. I started running the tests/writing this section about two weeks before I defended, so I've collected a lot of data since this chapter was finished.
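To make the merging-chain note in the rainbow table section concrete, here is an added example (my own code, not anything from the dissertation or from the table generator it describes): a toy rainbow table over a constructed dictionary keyspace, using a column-dependent reduction function. It counts the chains that merged, prunes to a "perfect" table that keeps one chain per endpoint, and inverts a hash by regenerating candidate chains so that false alarms are ruled out. The word list, the word-plus-number keyspace, SHA-256 as the target hash, and the chain length and chain count are all assumptions made for the demonstration.

```python
import hashlib
import random

# Constructed dictionary keyspace: word plus an optional number suffix, as a
# stand-in for the "dictionary words with simple mangling" keyspace of a
# dictionary-based table. Not taken from the dissertation.
WORDS = ["summer", "winter", "spring", "autumn", "monkey", "dragon"]


def dictionary_keyspace(words=WORDS, max_suffix=99):
    """Every word followed by nothing or a number 1..max_suffix."""
    return [w + (str(n) if n else "") for w in words for n in range(max_suffix + 1)]


def H(pw):
    """Toy target hash (assumption); a real table targets a specific hash type."""
    return hashlib.sha256(pw.encode()).digest()


class ToyRainbowTable:
    def __init__(self, space, chain_len):
        self.space = space
        self.t = chain_len
        self.chains = {}        # endpoint -> list of start points that reach it

    def reduce(self, h, col):
        """Column-dependent reduction: hash -> index into the keyspace -> candidate."""
        return self.space[(int.from_bytes(h[:8], "big") + col) % len(self.space)]

    def walk(self, start, first_col=0):
        """Extend a chain from `start`, beginning at column `first_col`, to its endpoint."""
        points = [start]
        x = start
        for col in range(first_col, self.t):
            x = self.reduce(H(x), col)
            points.append(x)
        return points

    def build(self, starts):
        for s in starts:
            self.chains.setdefault(self.walk(s)[-1], []).append(s)
        return self

    def merged_chain_count(self):
        """Chains that collided with another chain in the same column and merged into it."""
        return sum(len(starts) - 1 for starts in self.chains.values())

    def perfect(self):
        """A 'perfect' table keeps exactly one chain per endpoint (merging chains removed)."""
        p = ToyRainbowTable(self.space, self.t)
        p.chains = {end: starts[:1] for end, starts in self.chains.items()}
        return p

    def coverage(self):
        """Passwords whose hash this table can invert."""
        covered = set()
        for starts in self.chains.values():
            for s in starts:
                covered.update(self.walk(s)[:-1])
        return covered

    def lookup(self, target):
        """Invert `target` if covered; regenerates each matching chain to reject false alarms."""
        for i in range(self.t - 1, -1, -1):
            end = self.walk(self.reduce(target, i), i + 1)[-1]
            for start in self.chains.get(end, []):
                for pw in self.walk(start)[:-1]:
                    if H(pw) == target:
                        return pw
        return None


def build_demo(num_chains=80, chain_len=6, seed=1):
    """Build a raw table and its perfect counterpart from fixed-seed start points."""
    space = dictionary_keyspace()
    starts = random.Random(seed).sample(space, num_chains)
    raw = ToyRainbowTable(space, chain_len).build(starts)
    return raw, raw.perfect()


def summary(table):
    return {"chains": sum(len(s) for s in table.chains.values()),
            "merged": table.merged_chain_count(),
            "covered": len(table.coverage())}


if __name__ == "__main__":
    raw, perfect = build_demo()
    print("raw    ", summary(raw))
    print("perfect", summary(perfect))
```

The comparison that matters is coverage per stored chain: the raw table stores every merged chain but gains nothing from the part they share, while the perfect table drops them. Comparing a raw dictionary table against a perfect brute-force table, as the post describes, is therefore comparing tables built under different rules; pruning both the same way is what makes the collision counts comparable.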
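The PCFG chapter is the one the post singles out, so here is an added example of the basic idea (my own toy implementation, not the dissertation's code or the released cracker). It learns base structures such as L8D1 and the digit/symbol terminals from a constructed training list, fills letter segments from a dictionary with equal probability per word length, and then uses the grammar the way a defender would: to compute the probability of a candidate password and its position in the guess order, which is a far better strength estimate than a character-class entropy count. The training passwords, the dictionary, and the uniform-per-length treatment of dictionary words are assumptions made for this example.

```python
import re
from collections import Counter, defaultdict
from itertools import product

# Constructed training set and input dictionary (not real disclosed passwords).
TRAINING = ["password1", "letmein1", "summer2009", "baseball12",
            "password!", "monkey2009", "qwerty123", "soccer1"]
DICTIONARY = ["password", "letmein", "summer", "baseball", "monkey",
              "qwerty", "soccer", "winter", "dragon"]

SEGMENT_RE = re.compile(r"[A-Za-z]+|[0-9]+|[^A-Za-z0-9]+")


def segment(password):
    """Split a password into (class, run) pairs: L=letters, D=digits, S=symbols."""
    segs = []
    for m in SEGMENT_RE.finditer(password):
        run = m.group(0)
        cls = "L" if run.isalpha() else "D" if run.isdigit() else "S"
        segs.append((cls, run))
    return segs


def base_structure(segs):
    """The base structure is the sequence of class+length tags, e.g. ('L8', 'D1')."""
    return tuple(f"{cls}{len(run)}" for cls, run in segs)


class ToyPCFG:
    def __init__(self, passwords, dictionary):
        self.structures = Counter()             # base structure -> count in training
        self.terminals = defaultdict(Counter)   # 'D4' -> Counter({'2009': 2})
        for pw in passwords:
            segs = segment(pw)
            self.structures[base_structure(segs)] += 1
            for cls, run in segs:
                if cls != "L":      # digit and symbol runs are learned from training
                    self.terminals[f"{cls}{len(run)}"][run] += 1
        self.words = defaultdict(set)           # 'L6' -> dictionary words of length 6
        for w in dictionary:
            self.words[f"L{len(w)}"].add(w.lower())
        self.total = sum(self.structures.values())

    def _options(self, tag):
        """All terminals a tag can expand to, each with its probability."""
        if tag.startswith("L"):     # assumption: words of one length are equally likely
            bucket = sorted(self.words[tag])
            return [(w, 1 / len(bucket)) for w in bucket]
        counts = self.terminals[tag]
        n = sum(counts.values())
        return [(run, k / n) for run, k in counts.items()]

    def probability(self, password):
        """Model probability of one password; 0 if the grammar cannot produce it."""
        segs = segment(password)
        struct = base_structure(segs)
        p = self.structures[struct] / self.total
        for (cls, run), tag in zip(segs, struct):
            key = run.lower() if cls == "L" else run
            p *= dict(self._options(tag)).get(key, 0.0)
        return p

    def guesses(self):
        """Every guess the grammar can produce, most probable first (stable order)."""
        out = []
        for struct, count in self.structures.items():
            for combo in product(*(self._options(tag) for tag in struct)):
                p = count / self.total
                guess = ""
                for term, tp in combo:
                    guess += term
                    p *= tp
                out.append((guess, p))
        out.sort(key=lambda g: -g[1])
        return out

    def guess_number(self, password):
        """1-based position of the password in guess order, or None if never produced."""
        for rank, (guess, _) in enumerate(self.guesses(), 1):
            if guess == password:
                return rank
        return None


def build_demo():
    return ToyPCFG(TRAINING, DICTIONARY)


if __name__ == "__main__":
    model = build_demo()
    for pw in ["letmein1", "winter2009", "dragon1", "hunter2"]:
        print(f"{pw:12} p={model.probability(pw):.4f} guess#={model.guess_number(pw)}")
```

Two things worth noticing when you run it: "winter2009" never appears in the training data yet gets the same probability as "summer2009", because the grammar combines a learned structure and a learned digit string with a dictionary word; and "hunter2" gets probability zero only because "hunter" is not in the toy dictionary, which is exactly the dictionary-quality question the edit distance chapter is about.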
So that's about it for three years' worth of work. It's a bit humbling, I have to admit, since there's still a ton of stuff I still want to look into/implement. Luckily, just because I graduated doesn't mean I have to stop my research. Here's looking forward to the future.