[Apachebenchmark-sans-t4] SANS Hacker LMP Weekly Update

[<Rya...@at...>]

Someone asked a question about what is a "salt".  Here is a good description
-

http://packetstormsecurity.nl/docs/hack/hackfaq-99/hackfaq-4.html#ss4.6
4.6 What is a "salt"? 
To increase the overhead in cracking passwords, some algorithms employ salts
to add further complexity and difficulty to the cracking of passwords. These
salts are typically 2 to 8 bytes in length, and algorithmically introduced
to further obfuscate the one-way hash. On the major operating system covered
here, only NT does not use a salt. The specifics for salts for both Unix and
Netware systems are covered in their individual password sections. 
Historically the way cracking has been done is to take a potential password,
encrypt it and produce the hash, and then compare the result to each account
in the password file. By adding a salt, you force the cracker to have to
read the salt in and encrypt the potential password with each salt present
in the password file. This increases the amount of time to break ALL of the
passwords, although it is certainly no guarantee that the passwords can't be
cracked. Because of this most modern password crackers when dealing with
salts do give the option of checking a specific account. 

In addition to password cracking, salts can be used for obfuscating
encrypted network traffic.  Technically, an attacker could capture encrypted
data and compare hashes to try and enumerate data such as
usernames/passwords.  By using salts, you could log into a system twice
using something like SSH and even though you used the exact same
credentials, the resulting encrypted network data would not be identical
because of the salt.

I have also posted the Matrix desktop image for you on the class website
(called matrix3.jpg)

> Most Respectfully,
> Ryan C. Barnett
> SANS: GCFA, GCIH, GCUX, GSEC
> Department of Justice - ATF
> Information Services Division
> Operations Security Team Lead
> 
>