ยถ User Authentication
- User database: change your password
Question In how many places do need to change your password if you want to change them for Canvas, Student-LADOK and XXXX)
Question
From Darknet you have discovered the following excerpt of a cisco router of one of the major ISP's in Sweden.
username amina password 0 S3cr3tw0rd
username basil password 7 08065E1648290A190B454C
username callan secret 5 $1$Uxvj$Svo9IuN9yIz8mxzjEN/l31
username edmund secret 9 $9$M58t/LypTk1kFk$VPcSlw4hmAPmJn5MPupdKBfx.d6GKO4EJjU77PpR5WE
key config-key password-encrypt MasterKey
username griffin secret 8 $8$7aEgp82GNeRhA.$ei9w0LXMPIQmkK.vkX9bJ0vlbvkJwB.XsskvNy8WpSg
username nadia password 6 ^^CM`ADdW^Kg]ZK`BHdTeWObYCiSBDFBC
a/ Which passwords can be cracked in a reasonable amount of time?
b/ Challange: how many of them can you crack?
Question
a/ What are the Password requirements for hv.se?
b/ How does that impact brute-force attacks according to van Oorschot compared to a freely chosen password? (remember to reference)
Question Read Chapter "3.3 Account recovery and secret questions" of van Oorschot.
a/ What is the password recovery mechanism of hv.se?
b/ What are the two tokens required for password-recovery of hv.se?
REMOVE ??
- https://www.ldapadministrator.com/download.htm
- SSO: 3 examples - try one login and see what happens (hv.instructure.com, LADOK = https://www.hv.se/student/it-support/webbtjanster/ladok-for-studenter/?sq=ladok and XXX)
Question Create a new connection to the hv-open wifi network: a/ Looking at the login splash; which system does this check?
b/ Why have the IT department choosen not to include Username and Password??
b/ Try to buy something and fail -- Question: Draw in diagrams.net a network diagram including:
โ๏ธ 
(Internet),
๐ข 
(Office) ,
๐ฅ 
(Firewall) ,
๐ช 
(webshop),
๐ฐ 
(Tabloid aka expressen.se)
๐จโ๐ผ๐ฉโ๐ผ๐๏ธ (University Management)
a/ What (very social) asset is protected here??
b/ Where is the actual protection taking place in the topology you draw? Close to the webshop, or close to the University??
ยถ MFA - Multi Factor Authentication
Question
a/ Which authenticator is used in combination with outlook.com/hv.se
b/ Give other examples of Athenticators for other systems (create account on WoW, www.forticloud.com, etc etc)
c/ are there any open source autenticators that you can use with some of the above mentioned systems?
d/ Given the three systems "VPN tunnel", "Username & Password" and "Multi Factor Authentication"; why have the IT-department chosen not to incorporate VPN in the protection of student emails?
e/ What implications could there be if the IT-department would require VPN for reading student emails?
ยถ Lab on Fortigate Cyberwall
- Fortigate lab: Create local users
- Fortigate lab: protect uers from youtube; only authorized have access
- Fortigate lab: protect network from users; only authorized have access
|
CLIENTS ๐จโ๐ฉโ๐ฆ |
GUARDS Checkpoint โ๏ธ โ๏ธ ๐ฆ INSPECTION ๐ข๏ธ ๐ฌ |
HAZARDS ๐ฆ |
End Goal |
TOKEN |
OTHERS ๐๏ธ ๐ ๐ โ๏ธ ๐
โโ๏ธ ๐ ๐ธ๐ช ๐ฉโ๐ซ |
โ
-""-
DATABASE ?? ๐ข๏ธOil Drum
MitM-attack ??
true
true
๐ 
๐๏ธ 
impersonator
โ
vs ๐ 
true
hej
hej