5.1 Cracking Passwords
Password Cracking
- Password cracking techniques are used to recover passwords from computer systems.
- Attackers use password cracking techniques to gain unauthorized access to a vulnerable system.
- Most of the password cracking techniques are successful due to weak or easily guessable passwords.
Types of Password Attacks
- Non-Electronic Attacks: The attacker does not need technical knowledge to crack the password, hence these are also known as non-technical attacks.
  - Shoulder Surfing
  - Social Engineering
  - Dumpster Diving
- Active Online Attacks: The attacker performs password cracking by directly communicating with the victim machine.
  - Dictionary and Brute Forcing Attack
  - Hash Injection and Phishing
  - Trojan/Spyware/Keyloggers
  - Password Guessing
- Passive Online Attacks: The attacker performs password cracking without communicating with the authorizing party.
  - Wire Sniffing
  - Man-in-the-Middle
  - Replay
- Offline Attack: The attacker copies the target's password file and then tries to crack the passwords on their own system at a different location.
  - Pre-Computed Hashes (Rainbow Table)
  - Distributed Network
Non-Electronic Attacks
- Shoulder Surfing: Looking at either the user's keyboard or screen while they are logging in.
- Social Engineering: Convincing people to reveal passwords.
- Dumpster Diving: Searching for sensitive information in the user's trash bins, printer trash bins, and on the user's desk for sticky notes.
Active Online Attack: Dictionary, Brute Forcing and Rule-based Attack
- Dictionary Attack: A dictionary file is loaded into the cracking application, which runs it against user accounts.
- Brute Forcing Attack: The program tries every combination of characters until the password is broken.
- Rule-based Attack: This attack is used when the attacker has some information about the password.
- Hybrid Attack
- Syllable Attack
Factors to consider for brute force:
- Computations: CPU, GPGPU, Cloud, ASIC
- Charset: 98^8 (98 keys, length 8)
- Length: 8
Active Online Attack: Password Guessing
- The attacker creates a list of all possible passwords from the information collected through social engineering or any other way and tries them manually on the victim's machine to crack the passwords.
- Find a valid user
- Create a list of possible passwords
- Rank passwords from high probability to low
- Key in each password, until correct password is discovered.
Default Passwords
- A default password is a password supplied by the manufacturer with new equipment (e.g. switches, hubs, routers) that is password protected.
- Attackers include default passwords in the word list or dictionary that they use to perform password guessing attacks.
Active Online Attack: Trojan/Spyware/Keylogger
- The attacker installs a Trojan/Spyware/Keylogger on the victim's machine to collect the victim's user names and passwords.
- The Trojan/Spyware/Keylogger runs in the background and sends all captured user credentials back to the attacker.
Example of Active Online Attack Using USB Drive
- Download PassView, a password recovery tool
- Copy the downloaded files to the USB drive
- Create autorun.inf on the USB drive with the following contents:
    [autorun]
    open=launch.bat
- Contents of launch.bat:
    start pspv.exe /stext pspv.txt
- Insert the USB drive and the autorun window will pop up (if autorun is enabled)
- PassView is executed in the background and the passwords are stored in the .TXT file on the USB drive
Active Online Attack: Hash Injection Attack
- A hash injection attack allows an attacker to inject a compromised hash into a local session and use that hash to authenticate to network resources.
- The attacker finds and extracts the hash of a logged-on domain admin account.
- The attacker uses the extracted hash to log on to the domain controller.
- PtH: Pass the Hash
Passive Online Attack: Wire Sniffing
- Attackers run packet sniffer tools on the local area network (LAN) to access and record the raw network traffic.
- The captured data may include sensitive information such as passwords (FTP, rlogin sessions, etc.) and emails.
- Sniffed credentials are used to gain unauthorized access to the target system.
Passive Online Attacks: Man-in-the-Middle and Replay Attack
- Gain access to the communication channels: In a MITM attack, the attacker acquires access to the communication channels between victim and server to extract the information.
- Use sniffer: In a replay attack, packets and authentication tokens are captured using a sniffer. After the relevant info is extracted, the tokens are placed back on the network to gain access.
- Considerations:
  - Relatively hard to perpetrate
  - Must be trusted by one or both sides
  - Can sometimes be broken by invalidating traffic
- Tools: SMBRelay, PeerAuth
Offline Attack: Rainbow Table Attack
- Rainbow Table: A rainbow table is a precomputed table which contains word lists, such as dictionary files and brute force lists, together with their hash values.
- Compare the Hashes: Capture the hash of a password and compare it with the precomputed hash table. If a match is found, the password is cracked.
- Easy to Recover: It is easy to recover passwords by comparing captured password hashes to the precomputed tables.
- Precomputed Hashes:
  - 1qazwed -> 21c40e47dba72e77518ee3ef88ad0cc8
  - hh021da -> 2ce80b192cfa47a0d6c8a2446314810b
  - 9da8dasf -> eb0f5690164ffabbed1744087a4d6761
  - sodifo8sf -> 2c749bf3fff89778efc50af7e4f8d6a8
Tools to Create Rainbow Tables: rtgen and Winrtgen
- rtgen: The rtgen program needs several parameters to generate a rainbow table; the syntax of the command line is:
  - Syntax: rtgen hash_algorithm charset plaintext_len_min plaintext_len_max table_index chain_len chain_num part_index
- Winrtgen: Winrtgen is a graphical Rainbow Tables Generator that supports LM, FastLM, NTLM, LMCHALL, HalfLMCHALL, NTLMCHALL, MSCACHE, MD2, MD4, MD5, SHA1, RIPEMD160, MySQL323, MySQLSHA1, CiscoPIX, ORACLE, SHA-2(256), SHA-2(384), and SHA-2(512) hashes.
Offline Attack: Distributed Network Attack
- A Distributed Network Attack (DNA) technique is used for recovering passwords from hashes or password protected files using the unused processing power of machines across the network to decrypt passwords.
- The DNA Manager is installed in a central location where machines running on DNA Client can access it over the network.
- DNA Manager coordinates the attack and allocates small portions of the key search to machines that are distributed over the network.
- DNA Client runs in the background, consuming only unused processor time.
- The program combines the processing capabilities of all the clients connected to network and uses it to crack the password.
Elcomsoft Distributed Password Recovery
- Elcomsoft Distributed Password Recovery breaks complex passwords, recovers strong encryption keys, and unlocks documents in a production environment.
Microsoft Authentication
- Security Accounts Manager (SAM) Database:
  - Windows stores user passwords in the SAM, or in the Active Directory database in a domain. Passwords are never stored in clear text; they are hashed and the results are stored in the SAM.
- NTLM Authentication:
  - The NTLM authentication protocol types:
    - NTLM authentication protocol
    - LM authentication protocol
  - These protocols store the user's password in the SAM database using different hashing methods.
- Kerberos Authentication:
  - Microsoft has upgraded its default authentication protocol to Kerberos, which provides stronger authentication for client/server applications than NTLM.
How Hashed Passwords Are Stored in the Windows SAM
- Note: LM hashes have been disabled in Windows Vista and later Windows operating systems; the LM hash will be blank on those systems.
- The SAM and SYSTEM hives can be saved with:
    reg save hklm\sam c:\temp\sam.save
    reg save hklm\system c:\temp\system.save
- Tools: pwdump, SMBPasswd
NTLM Authentication Process
Note: Microsoft has upgraded its default authentication protocol to Kerberos, which provides stronger authentication for client/server applications than NTLM.
- XP: LM, NTLM
- Vista and later: NTLMv2
- LM uses DES: PASSWOR DXXXXXX, 7 characters per half, each half 7×8 = 56 bits, case-insensitive
Kerberos Authentication
Password Salting
- Password salting is a technique where a random string of characters is added to the password before calculating its hash.
- Advantage: Salting makes it more difficult to reverse the hashes and defeats pre-computed hash attacks. Note: Windows password hashes are not salted.
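The following added example (not part of these notes, and not any tool's own code) ties together the rainbow-table section above and the salting section: a precomputed hash-to-plaintext table built from a constructed word list recovers an unsalted MD5 hash with a single lookup, two users with the same unsalted password get identical hashes (the situation the note about Windows describes), and a per-user random salt makes the same table useless and the hashes distinct. The word list, the hash algorithms and the 16-byte salt length are assumptions chosen for the example.

```python
import hashlib
import secrets

# Constructed word list standing in for a dictionary / brute-force list.
WORDLIST = ["password", "letmein", "1qazwed", "hh021da", "sodifo8sf", "qwerty123"]


def build_precomputed_table(words):
    """Map md5(word) -> word: the lookup-table form of a precomputed hash attack."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}


def lookup(table, captured_hash):
    """One dictionary lookup per captured hash; None means the table does not cover it."""
    return table.get(captured_hash.lower())


def hash_with_salt(password, salt=None):
    """Store sha256(salt || password) alongside the salt (hex) so it can be verified later."""
    if salt is None:
        salt = secrets.token_bytes(16)   # assumed salt length for the example
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return salt.hex(), digest


def verify_salted(password, salt_hex, stored_digest):
    """Recompute with the stored salt and compare in constant time."""
    salt = bytes.fromhex(salt_hex)
    candidate = hashlib.sha256(salt + password.encode()).hexdigest()
    return secrets.compare_digest(candidate, stored_digest)


def demo():
    table = build_precomputed_table(WORDLIST)

    # Unsalted: a captured hash of a word in the list is recovered immediately.
    captured = hashlib.md5(b"1qazwed").hexdigest()
    recovered = lookup(table, captured)

    # Unsalted: two accounts with the same password have the same hash,
    # so cracking one hash cracks both and equal hashes leak equal passwords.
    same_hash = hashlib.md5(b"password").hexdigest() == hashlib.md5(b"password").hexdigest()

    # Salted: the precomputed table no longer matches, and the same password
    # stored for two users yields two different hashes.
    salt1, digest1 = hash_with_salt("1qazwed")
    salt2, digest2 = hash_with_salt("1qazwed")
    table_miss = lookup(table, digest1)          # None
    distinct = digest1 != digest2
    still_verifies = verify_salted("1qazwed", salt1, digest1)

    return recovered, same_hash, table_miss, distinct, still_verifies


if __name__ == "__main__":
    print(demo())   # ('1qazwed', True, None, True, True)
```

With a 16-byte salt, a table that covered every salt would need `len(WORDLIST) * 2**128` entries, which is why salting defeats precomputation rather than merely slowing it down. The MD5 and SHA-256 calls are for illustration; a password store should use a deliberately slow, salted password hash.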
pwdump7 and fgdump
- pwdump extracts LM and NTLM password hashes of local user accounts from the Security Accounts Manager (SAM) database.
- fgdump works like pwdump but also extracts cached credentials and allows remote network execution.
- These tools must be run with administrator privileges.
Password Cracking Tools
- L0phtCrack: L0phtCrack is a password auditing and recovery application packed with features such as scheduling, hash extraction from 64-bit Windows versions, and network monitoring and decoding.
- Ophcrack: Ophcrack is a Windows password cracker based on rainbow tables. It comes with a graphical user interface and runs on multiple platforms.
- Cain & Abel: It allows recovery of various kinds of passwords by sniffing the network and cracking encrypted passwords using dictionary, brute-force, and cryptanalysis attacks.
- RainbowCrack: RainbowCrack cracks hashes with rainbow tables. It uses a time-memory tradeoff algorithm to crack hashes.
Password Cracking Tool for Mobile: FlexiSPY Password Grabber
- It captures the security pattern used to access the phone itself and cracks the passcode used to unlock the iPhone, plus the actual passwords used for social messaging.
- It allows you to login to their Facebook, Skype, Twitter, Pinterest, LinkedIn, GMail and other Email accounts directly from your own computer.
How to Defend against Password Cracking
- Enable information security audit to monitor and track password attacks.
- Do not reuse the same password when changing passwords.
- Do not share passwords.
- Do not use passwords that can be found in a dictionary.
- Do not use cleartext protocols and protocols with weak encryption.
- Set the password change policy to 30 days.
- Avoid storing passwords in an unsecured location.
- Do not use any system's default passwords.
- Make passwords hard to guess by using 8-12 alphanumeric characters, combining uppercase and lowercase letters, numbers, and symbols.
- Ensure that applications neither store passwords in memory nor write them to disk in clear text.
- Use a random string (salt) as prefix or suffix with the password before encrypting.
- Enable SYSKEY with strong password to encrypt and protect the SAM database.
- Never use passwords such as date of birth, spouse, or child's or pet's name.
- Monitor the server's logs for brute force attacks on user accounts.
- Lock out an account subjected to too many incorrect password guesses.
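As an added example for the last two defenses (monitoring logs for brute force and locking out accounts), the following code is not from these notes or any product: it parses constructed, syslog-style authentication lines, flags a source that produces many failures inside a sliding window, and simulates a per-account lockout policy. The log format, the regular expression, the thresholds (5 failures per minute for the source alert, 3 consecutive failures for lockout) and the 15-minute lockout duration are assumptions. The sample deliberately includes a spray pattern (one source, many accounts, one failure each) to show why the per-account lockout alone does not catch it while the per-source window does.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (syslog-like; not any real product's format).
SAMPLE_LOG = """\
2024-01-15T10:00:01 auth: FAILED login user=alice src=203.0.113.7
2024-01-15T10:00:02 auth: FAILED login user=alice src=203.0.113.7
2024-01-15T10:00:03 auth: FAILED login user=bob src=203.0.113.7
2024-01-15T10:00:04 auth: FAILED login user=carol src=203.0.113.7
2024-01-15T10:00:05 auth: FAILED login user=dave src=203.0.113.7
2024-01-15T10:00:06 auth: FAILED login user=erin src=203.0.113.7
2024-01-15T10:00:30 auth: OK login user=alice src=198.51.100.20
2024-01-15T10:05:00 auth: FAILED login user=bob src=198.51.100.20
2024-01-15T10:20:00 auth: FAILED login user=bob src=198.51.100.20
"""

LINE_RE = re.compile(r"^(\S+) auth: (FAILED|OK) login user=(\S+) src=(\S+)$")


def parse(log):
    """Yield (timestamp, success, user, src) for every line that matches the assumed format."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, result, user, src = m.groups()
            yield datetime.fromisoformat(ts), result == "OK", user, src


def detect_bruteforce(log, threshold=5, window=timedelta(minutes=1)):
    """Alert on any source with >= threshold failed logins inside a sliding window.
    Keyed by source rather than account, so a spray across many accounts is still seen."""
    recent = defaultdict(deque)
    alerts = []
    for ts, ok, _user, src in parse(log):
        if ok:
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:      # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((src, ts))
            q.clear()                        # one alert per burst
    return alerts


def apply_lockout(log, max_failures=3, lockout=timedelta(minutes=15)):
    """Per-account policy: after max_failures consecutive failures the account is locked
    for `lockout`; a successful login resets the counter. Returns one decision per line."""
    failures = defaultdict(int)
    locked_until = {}
    decisions = []
    for ts, ok, user, _src in parse(log):
        if user in locked_until and ts < locked_until[user]:
            decisions.append((ts, user, "rejected-locked"))
            continue
        if ok:
            failures[user] = 0
            decisions.append((ts, user, "accepted"))
            continue
        failures[user] += 1
        if failures[user] >= max_failures:
            locked_until[user] = ts + lockout
            failures[user] = 0
            decisions.append((ts, user, "locked"))
        else:
            decisions.append((ts, user, "failed"))
    return decisions


if __name__ == "__main__":
    for src, ts in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT brute force from {src} at {ts}")
    for ts, user, outcome in apply_lockout(SAMPLE_LOG):
        print(ts, user, outcome)
```

On the sample, the source 203.0.113.7 trips the per-source alert at the fifth failure, while no account it touched reaches the lockout threshold; only bob, who fails three times in total, ends up locked. In practice the two controls are complementary: lockout limits online guessing against one account, and source-based monitoring is what reveals low-and-slow or spraying attempts.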