5.1 Cracking Passwords

Password Cracking

  • Password cracking techniques are used to recover passwords from computer systems.
  • Attackers use password cracking techniques to gain unauthorized access to the vulnerable system.
  • Most of the password cracking techniques are successful due to weak or easily guessable passwords.

Types of Password Attacks

  • Non-Electronic Attacks: The attacker need not possess technical knowledge to crack the password, hence these are also known as non-technical attacks.
    • Shoulder Surfing
    • Social Engineering
    • Dumpster Diving
  • Active Online Attacks: The attacker performs password cracking by communicating directly with the victim machine.
    • Dictionary and Brute Forcing Attack
    • Hash Injection and Phishing
    • Trojan/Spyware/Keyloggers
    • Password Guessing
  • Passive Online Attacks: The attacker performs password cracking without communicating with the authorizing party.
    • Wire Sniffing
    • Man-in-the-Middle
    • Replay
  • Offline Attack: The attacker copies the target's password file and then tries to crack the passwords on his own system at a different location.
    • Pre-Computed Hashes (Rainbow Table)
    • Distributed Network

Non-Electronic Attacks

  • Shoulder Surfing: Looking at either the user's keyboard or screen while he/she is logging in.
  • Social Engineering: Convincing people to reveal passwords
  • Dumpster Diving: Searching for sensitive information at the user's trash-bins, printer trash bins, and user desk for sticky notes.

Active Online Attack: Dictionary, Brute Forcing and Rule-based Attack

  • Dictionary Attack: A dictionary file is loaded into the cracking application, which runs it against user accounts.
  • Brute Forcing Attack: The program tries every combination of characters until the password is broken.
  • Rule-based Attack: This attack is used when the attacker has some information about the password.
  • Hybrid Attack
  • Syllable Attack

  • Factors to consider for brute force:

    • Computation: CPU, GPGPU, cloud, ASIC
    • Charset: 98^8 (98 keys, length 8)
    • Length: 8
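Rule-based and hybrid attacks work because a dictionary word plus a few predictable mutations (capitalisation, leet substitutions, an appended year or symbol, reversal) is a tiny search space compared with the full charset^length keyspace. The defensive counterpart is a password-policy check that undoes those mutations before looking the result up in a word list. The Python below is an added example written for these notes, not code from the original; the word list, the leet map and the set of mutations it reverses are constructed assumptions, and a real deployment would load a large breached-password list instead. It also computes the brute-force keyspace the notes quote (charset^length) and the time to exhaust it at a given guess rate.

```python
import re

# Constructed sample word list; a real check loads a large dictionary or breach list.
DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein", "qwerty"}

# Reverse map for common leet substitutions (constructed; extend as needed).
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize_candidates(password: str) -> set:
    """Undo the mutations a rule-based/hybrid attack would apply to a base word.

    Returns every plausible base word: lowercased, de-leeted, with leading and
    trailing digits/symbols stripped (word + year, word + "!"), and reversed.
    """
    base = password.lower()
    candidates = {base, base.translate(LEET_MAP), base[::-1]}
    stripped = re.sub(r"[^a-z]+$", "", base)          # drop trailing digits/symbols
    candidates.update({stripped, stripped.translate(LEET_MAP)})
    stripped = re.sub(r"^[^a-z]+", "", stripped)      # drop leading digits/symbols too
    candidates.update({stripped, stripped.translate(LEET_MAP)})
    return {c for c in candidates if c}


def is_dictionary_derived(password: str, dictionary=DICTIONARY) -> bool:
    """True if the password is a dictionary word or a common mangling of one."""
    return any(c in dictionary for c in normalize_candidates(password))


def brute_force_keyspace(charset_size: int, length: int) -> int:
    """Number of candidates an exhaustive search must try: charset^length."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the keyspace at the given guess rate."""
    return brute_force_keyspace(charset_size, length) / guesses_per_second


if __name__ == "__main__":
    for pw in ["P@ssw0rd!", "Summer2019", "Dr4g0n", "xk3#Qz9!rW"]:
        print(f"{pw!r:14} dictionary-derived: {is_dictionary_derived(pw)}")
    # The notes' example: 98 keys, length 8.
    print("keyspace 98^8 =", brute_force_keyspace(98, 8))
    print("hours at 1e9 guesses/s:", seconds_to_exhaust(98, 8, 1e9) / 3600)
```

"P@ssw0rd!" passes a naive complexity rule (upper, lower, digit, symbol, nine characters) yet is rejected here, which is the point: the keyspace figure only describes passwords that are actually random over the charset.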

Active Online Attack: Password Guessing

  • The attacker creates a list of all possible passwords from the information collected through social engineering or any other means and tries them manually on the victim's machine to crack the password.
    1. Find a valid user
    2. Create a list of possible passwords
    3. Rank the passwords from high probability to low
    4. Key in each password until the correct password is discovered.

Default Passwords

  • A default password is a password supplied by the manufacturer with new equipment (e.g. switches, hubs, routers) that is password protected.
  • Attackers include default passwords in the word list or dictionary they use to perform password guessing attacks.

Active Online Attack: Trojan/Spyware/Keylogger

  • The attacker installs a Trojan/Spyware/Keylogger on the victim's machine to collect the victim's user names and passwords.
  • The Trojan/Spyware/Keylogger runs in the background and sends all user credentials back to the attacker.

Example of Active Online Attack Using USB Drive

  1. Download PassView, a password hacking tool
  2. Copy the downloaded files to the USB drive
  3. Create autorun.inf on the USB drive:
    [autorun]
    open=launch.bat
    
  4. Contents of launch.bat:
    start pspv.exe /stext pspv.txt
    
  5. Insert the USB drive and the autorun window will pop up (if autorun is enabled)
  6. PassView executes in the background and the passwords are stored in a .TXT file on the USB drive

Active Online Attack: Hash Injection Attack

  • A hash injection attack allows an attacker to inject a compromised hash into a local session and use that hash to authenticate to network resources.
  • The attacker finds and extracts a logged on domain admin account hash.
  • The attacker uses the extracted hash to log on to the domain controller.

PtH: Pass the Hash

Passive Online Attack: Wire Sniffing

  • Attackers run packet sniffer tools on the local area network (LAN) to access and record the raw network traffic.
  • The captured data may include sensitive information such as passwords (FTP, rlogin sessions, etc.) and emails.
  • Sniffed credentials are used to gain unauthorized access to the target system.

Passive Online Attacks: Man-in-the-Middle and Replay Attack

  • Gain access to the communication channels: In a MITM attack, the attacker acquires access to the communication channels between victim and server to extract the information.
  • Use sniffer: In a replay attack, packets and authentication tokens are captured using a sniffer. After the relevant info is extracted, the tokens are placed back on the network to gain access.
  • Considerations:
    • Relatively hard to perpetrate
    • Must be trusted by one or both sides
    • Can sometimes be broken by invalidating traffic

SMBRelay, PeerAuth

Offline Attack: Rainbow Table Attack

  • Rainbow Table: A rainbow table is a precomputed table containing word lists (dictionary files and brute-force lists) together with their hash values.
  • Compare the Hashes: Capture a password hash and compare it with the precomputed hash table. If a match is found, the password is cracked.
  • Easy to Recover: It is easy to recover passwords by comparing captured password hashes to the precomputed tables.
  • Precomputed Hashes:
    • 1qazwed -> 21c40e47dba72e77518ee3ef88ad0cc8
    • hh021da -> 2ce80b192cfa47a0d6c8a2446314810b
    • 9da8dasf -> eb0f5690164ffabbed1744087a4d6761
    • sodifo8sf -> 2c749bf3fff89778efc50af7e4f8d6a8

Tools to Create Rainbow Tables: rtgen and Winrtgen

  • rtgen: The rtgen program needs several parameters to generate a rainbow table; the command-line syntax is:
    • Syntax: rtgen hash_algorithm charset plaintext_len_min plaintext_len_max table_index chain_len chain_num part_index
  • Winrtgen: Winrtgen is a graphical Rainbow Tables Generator that supports LM, FastLM, NTLM, LMCHALL, HalfLMCHALL, NTLMCHALL, MSCACHE, MD2, MD4, MD5, SHA1, RIPEMD160, MySQL323, MySQLSHA1, CiscoPIX, ORACLE, SHA-2(256), SHA-2(384), and SHA-2(512) hashes.

Offline Attack: Distributed Network Attack

  • A Distributed Network Attack (DNA) technique recovers passwords from hashes or password-protected files by using the unused processing power of machines across the network to decrypt passwords.
  • The DNA Manager is installed in a central location where machines running the DNA Client can access it over the network.
  • DNA Manager coordinates the attack and allocates small portions of the key search to machines that are distributed over the network.
  • DNA Client runs in the background, consuming only unused processor time.
  • The program combines the processing capabilities of all the clients connected to network and uses it to crack the password.

Elcomsoft Distributed Password Recovery

  • Elcomsoft Distributed Password Recovery breaks complex passwords, recovers strong encryption keys, and unlocks documents in a production environment.

Microsoft Authentication

  • Security Accounts Manager (SAM) Database:
    • Windows stores user passwords in the SAM, or in the Active Directory database in a domain. Passwords are never stored in clear text; they are hashed and the results are stored in the SAM.
  • NTLM Authentication:
    • The NTLM authentication protocol types:
      • NTLM authentication protocol
      • LM authentication protocol
    • These protocols store the user's password in the SAM database using different hashing methods.
  • Kerberos Authentication:
    • Microsoft has upgraded its default authentication protocol to Kerberos which provides a stronger authentication for client/server applications than NTLM.

How Are Password Hashes Stored in the Windows SAM?

  • Note: LM hashes have been disabled in Windows Vista and later Windows operating systems; the LM hash will be blank on those systems.
  • reg save hklm\sam c:\temp\sam.save
  • reg save hklm\system c:\temp\system.save
  • pwdump, SMBPasswd

NTLM Authentication Process

Note: Microsoft has upgraded its default authentication protocol to Kerberos, which provides stronger authentication for client/server applications than NTLM.

  • XP: LM, NTLM
  • Vista~: NTLMv2
  • LM uses DES: PASSWOR DXXXXXX, split into two 7-character halves, each 7×8=56 bits, case-insensitive

Kerberos Authentication

Password Salting

  • Password salting is a technique where a random string of characters is added to the password before calculating its hash.
  • Advantage: Salting makes it more difficult to reverse the hashes and defeats pre-computed hash attacks. Note: Windows password hashes are not salted.
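The rainbow-table section above and the salting note here are two sides of one fact: an unsalted hash of a given password is always the same value, so it can be looked up in a table built in advance, while a per-password salt makes every stored hash unique and the table useless. The Python below is an added example for these notes, not code from the original. It stands a small dictionary of unsalted MD5 digests in for a precomputed table (the word list and the table are constructed; the digests on the page are not checked against it), and for the salted side it uses PBKDF2-HMAC-SHA256 from the standard library rather than a bare salt-prefixed hash, which is my choice of construction and not something the notes specify.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for a precomputed (rainbow) table: unsalted MD5 of a
# small word list, keyed by digest so a captured hash can be looked up directly.
WORDLIST = ["1qazwed", "hh021da", "9da8dasf", "sodifo8sf", "password", "letmein"]


def md5_hex(word: str) -> str:
    """Unsalted MD5 digest as hex: the kind of hash a precomputed table targets."""
    return hashlib.md5(word.encode()).hexdigest()


PRECOMPUTED = {md5_hex(w): w for w in WORDLIST}


def lookup_unsalted(digest_hex: str) -> Optional[str]:
    """Rainbow-table style recovery: a plain dictionary lookup on the digest."""
    return PRECOMPUTED.get(digest_hex)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256) in a self-describing format.

    The salt is stored beside the hash; it is not secret, it only has to be
    unique so that no table built in advance matches the stored value.
    """
    if salt is None:
        salt = os.urandom(16)           # fresh random salt per stored password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _alg, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    captured = md5_hex("1qazwed")
    print("unsalted lookup:", lookup_unsalted(captured))            # recovered instantly
    a = hash_password("1qazwed")
    b = hash_password("1qazwed")
    print("same password, two users, same stored hash?", a == b)   # False: salts differ
    print("table hit on salted digest?", lookup_unsalted(a.split("$")[-1]))  # None
    print("verify correct password:", verify_password("1qazwed", a))
```

The iteration count is the second defence layered on top of the salt: the salt forces the attacker to work per account, and the iterations make each guess expensive, which is what separates a password hash from a general-purpose digest like the MD5 used in the table.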

pwdump7 and fgdump

  • PWDUMP extracts LM and NTLM password hashes of local user accounts from the Security Account Manager (SAM) database.
  • fgdump works like pwdump but also extracts cached credentials and allows remote network execution.
  • These tools must be run with administrator privileges.

Password Cracking Tools

  • L0phtCrack: L0phtCrack is a password auditing and recovery application packed with features such as scheduling, hash extraction from 64-bit Windows versions, and network monitoring and decoding.
  • Ophcrack: Ophcrack is a Windows password cracker based on rainbow tables. It comes with a Graphical User Interface and runs on multiple platforms.
  • Cain & Abel: It allows recovery of various kinds of passwords by sniffing the network and cracking encrypted passwords using dictionary, brute-force, and cryptanalysis attacks.
  • RainbowCrack: RainbowCrack cracks hashes with rainbow tables. It uses a time-memory trade-off algorithm to crack hashes.

Password Cracking Tool for Mobile: FlexiSPY Password Grabber

  • It captures the security pattern used to access the phone itself and cracks the passcode used to unlock the iPhone, plus the actual passwords they use for social messaging.
  • It allows you to log in to their Facebook, Skype, Twitter, Pinterest, LinkedIn, GMail and other email accounts directly from your own computer.

How to Defend against Password Cracking

  • Enable information security audit to monitor and track password attacks.
  • Do not reuse the old password when changing passwords.
  • Do not share passwords.
  • Do not use passwords that can be found in a dictionary.
  • Do not use cleartext protocols and protocols with weak encryption.
  • Set the password change policy to 30 days.
  • Avoid storing passwords in an unsecured location.
  • Do not use any system's default passwords.
  • Make passwords hard to guess by using 8-12 alphanumeric characters combining uppercase and lowercase letters, numbers, and symbols.
  • Ensure that applications neither store passwords in memory nor write them to disk in clear text.
  • Prefix or suffix a random string (salt) to the password before encrypting it.
  • Enable SYSKEY with strong password to encrypt and protect the SAM database.
  • Never use passwords such as date of birth, spouse, or child's or pet's name.
  • Monitor the server's logs for brute-force attacks on user accounts.
  • Lock out an account subjected to too many incorrect password guesses.
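The last three items (audit, log monitoring, lockout) are one mechanism seen from three angles: count authentication failures per account within a time window, raise an alert when the count crosses a threshold, and lock the account for a cooling-off period. The Python below is an added example for these notes, not code from the original. The sshd-style log lines, the field format, the threshold of 5 failures in 5 minutes and the 15-minute lockout are all constructed assumptions; a real deployment would read the server's actual authentication log and tune the numbers to its policy.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed sshd-style log lines for the demonstration; not from a real system.
# Source addresses are taken from the RFC 5737 documentation ranges.
SAMPLE_LOG = [
    "2024-03-01T10:00:01 sshd: Failed password for alice from 203.0.113.7",
    "2024-03-01T10:00:03 sshd: Failed password for alice from 203.0.113.7",
    "2024-03-01T10:00:05 sshd: Failed password for bob from 198.51.100.20",
    "2024-03-01T10:00:06 sshd: Failed password for alice from 203.0.113.7",
    "2024-03-01T10:00:08 sshd: Accepted password for bob from 198.51.100.20",
    "2024-03-01T10:00:09 sshd: Failed password for alice from 203.0.113.7",
    "2024-03-01T10:00:12 sshd: Failed password for alice from 203.0.113.7",
    "2024-03-01T10:00:14 sshd: Failed password for invalid user admin from 203.0.113.7",
    "2024-03-01T10:00:20 sshd: Accepted password for alice from 203.0.113.7",
    "2024-03-01T10:31:00 sshd: Failed password for carol from 192.0.2.44",
    "2024-03-01T10:40:00 sshd: Failed password for carol from 192.0.2.44",
]

# Assumed line format: "<ISO timestamp> sshd: <Failed|Accepted> password for [invalid user] <user> from <ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_line(line: str):
    """Return (timestamp, result, user, ip), or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]


def detect_brute_force(lines, threshold=5, window=timedelta(minutes=5),
                       lockout=timedelta(minutes=15)):
    """Sliding-window failure counter per (account, source IP) with account lockout.

    Returns (alerts, locked_until): alerts lists threshold breaches and any
    successful login that happened while the account should have been locked;
    locked_until maps account -> time the lockout expires.
    """
    failures: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    locked_until: Dict[str, datetime] = {}
    alerts: List[dict] = []

    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        key = (user, ip)

        if result == "Accepted":
            # A success inside the lockout period means the lockout is not
            # enforced on the path this login took; that is worth an alert.
            if user in locked_until and ts < locked_until[user]:
                alerts.append({"time": ts, "kind": "login_during_lockout",
                               "user": user, "ip": ip})
            failures[key].clear()
            continue

        recent = failures[key]
        recent.append(ts)
        while recent and ts - recent[0] > window:    # forget failures outside the window
            recent.popleft()

        if len(recent) >= threshold:
            until = locked_until.get(user)
            if until is None or ts >= until:         # one alert per lockout, not per attempt
                locked_until[user] = ts + lockout
                alerts.append({"time": ts, "kind": "brute_force", "user": user,
                               "ip": ip, "failures": len(recent)})
                recent.clear()
    return alerts, locked_until


if __name__ == "__main__":
    found, locked = detect_brute_force(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print("locked accounts:", {u: t.isoformat() for u, t in locked.items()})
```

On the sample data alice trips the threshold at the fifth failure and is locked; bob's two failures followed by a success and carol's two failures nine minutes apart stay below it. Keying the counter on (account, source IP) keeps one noisy client from locking an account used legitimately elsewhere, at the cost of missing a distributed attack on one account; counting per account alone is the stricter choice and a one-line change to `key`.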

Implement and Enforce Strong Security Policy
