5.1 Cracking Passwords

Password Cracking

• Password cracking techniques are used to recover passwords from computer systems.
• Attackers use password cracking techniques to gain unauthorized access to the vulnerable system.
• Most of the password cracking techniques are successful due to weak or easily guessable passwords.

Types of Password Attacks

• Non-Electronic Attacks: Attacker need not posses technical knowledge to crack password, hence known as non-technical attack.
  • Shoulder Surfing
  • Social Engineering
  • Dumpster Diving
• Active Online Attacks: Attacker performs password cracking by directly communicating with the victim machine.
  • Dictionary and Brute Forcing Attack
  • Hash Injection and Phishing
  • Trojan/Spyware/Keyloggers
  • Password Guessing
• Passive Online Attacks: Attacker performs password cracking without communicating with the authorizing party.
  • Wire Sniffing
  • Man-in-the-Middle
  • Replay
• Offline Attack: Attacker copies the target's password file and then tries to crack passwords in his own system at different location.
  • Pre-Computed Hashes (Rainbow Table)
  • Distributed Network

Non-Electronic Attacks

• Shoulder Surfing: Looking at either the user's keyboard or screen while he/she is logging in.
• Social Engineering: Convincing people to reveal passwords
• Dumpster Diving: Searching for sensitive information at the user's trash-bins, printer trash bins, and user desk for sticky notes.

Active Online Attack: Dictionary, Brute Forcing and Rule-based Attack

• Dictionary Attack: A dictionary file is loaded into the cracking application that runs against user accounts.
• Brute Forcing Attack: The program tries every combination of characters until the password is broken.
• Rule-based Attack: This attack is used when the attacker gets some information about the password.

• Hybrid Attack

• Syllable Attack

• Brute Force考量的因素:

  • Computations: CPU, GPGPU, Cloud, ASIC
  • Charset: 98^8，(98個按鍵、長度為8)
  • Length: 8

Active Online Attack: Password Guessing

• The attacker creates a list of all possible passwords from the information collected through social engineering or any other way and tries them manually on the victim's machine to crack the passwords.
  1. Find a valid user
  2. Create a list of possible passwords
  3. Rank passwords from high probability to low
  4. Key in each password, until correct password is discovered.

Default Passwords

• A default password is a password supplied by the manufacturer with new equipment (e.g. switches, hubs, routers) that is password protected.
• Attackers use default passwords in the list of words or dictionary that they use to perform password guessing attack.

Active Online Attack: Trojan/Spyware/Keylogger

• Attacker installs Trojan/Spyware/Keylogger on victim's machine to collect victim's user names and passwords.
• Trojan/Spyware/Keylogger runs in the background and send back all user credentials to the attacker.

Example of Active Online Attack Using USB Drive

1. Download PassView, a password hacking tool
2. Copy the downloaded files to USB drive
3. Create autorun.info in USB drive

   [autorun]
   en=launch.bat
   

4. Contents of launch.bat

   start pspv.exe/stext
   pspv.txt
   

5. Insert the USB drive and the autorun window will pop-up (if enabled)
6. PassView is executed in the background and passwords will be stored in the .TXT files in the USB drive

Active Online Attack: Hash Injection Attack

• A hash injection attack allows an attacker to inject a compromised hash into a local session and use the hash to validate to network resources.
• The attacker finds and extracts a logged on domain admin account hash.
• The attacker uses the extracted hash to log on to the domain controller.

PtH: Path the Hash

Passive Online Attack: Wire Sniffing

• Attackers run packet sniffer tools on the local area network (LAN) to access and record the raw network traffic.
• The captured data may include sensitive information such as passwords (FTP, rlogin sessions, etc.) and emails.
• Sniffed credentials are used to gain unauthorized access to the target system.

Passive Online Attacks: Man-in-the-Middle and Replay Attack

• Gain access to the communication channels: In a MITM attack, the attacker acquires access to the communication channels between victim and server to extract the information.
• Use sniffer: In a replay attack, packets and authentication tokens are captured using a sniffer. After the relevant info is extracted, the tokens are placed back on the network to gain access.
• Considerations:
  • Relatively hard to perpetrate
  • Must be trusted by one or both sides
  • Can sometimes be broken by invalidating traffic

SMBRelay, PeerAuth

Offline Attack: Rainbow Table Attack

• Rainbow Table: A rainbow table is a precomputed table which contains word lists like dictionary files and brute force lists and their hash value.
• Compare the Hashes: Capture the hash of a passwords and compare it with the precomputed hash table. If a match is found then the password is cracked.
• Easy to Recover: It is easy to recover passwords by comparing captured password hashes to the precomputed tables.
• Precomputed Hashes:
  • 1qazwed -> 21c40e47dba72e77518ee3ef88ad0cc8
  • hh021da -> 2ce80b192cfa47a0d6c8a2446314810b
  • 9da8dasf -> eb0f5690164ffabbed1744087a4d6761
  • sodifo8sf -> 2c749bf3fff89778efc50af7e4f8d6a8

Tools to Create Rainbow Tables: rtgen and Winrtgen

• rtgen: The rtgen program need serveral parameters to generate a rainbow table, the syntax of the command line is:
  • Syntax: rtgen hash_algorithm charset plaintext_len_min plaintext_len_max table_index chain_len chain_num part_index
• Winrtgen: Winrtgen is a graphical Rainbow Tables Generator that supports LM, FastLM, NTLM, LMCHALL, HalfLMCHALL, NTLMCHALL, MSCACHE, MD2, MD4, MD5, SHA1, RIPEMD160, MySQL323, MySQLSHA1, CiscoPIX, ORACLE, SHA-2(256), SHA-2(384), and SHA-2(512) hashes.

Offline Attack: Distributed Network Attack

• A Distributed Network Attack (DNA) technique is used for recovering passwords from hashes or password protected files using the unused processing power of machines across the network to decrypt passwords.
• The DNA Manager is installed in a central location where machines running on DNA Client can access it over the network.
• DNA Manager coordinates the attack and allocates small portions of the key search to machines that are distributed over the network.
• DNA Client runs in the background, consuming only unused processor time.
• The program combines the processing capabilities of all the clients connected to network and uses it to crack the password.

Elcomsoft Distributed Password Recovery

• Elcomsoft Distributed Password Recovery breaks complex passwords, recovers strong encryption keys, and unlocks documents in a production environment.

Microsoft Authentication

• Security Accounts Manager (SAM) Database:
  • Windows stores user passwords in SAM, or in the Active Directory database in domain. Passwords are never stored in clear text; passwords are hashed and the results are stored in the SAM.
• NTLM Authentication:
  • The NTLM authentication protocol types:
    • NTLM authentication protocol
    • LM authentication protocol
  • These protocols stores user's password in the SAM database using different hashing methods.
• Kerberos Authentication:
  • Microsoft has upgraded its default authentication protocol to Kerberos which provides a stronger authentication for client/server applications than NTLM.

How Hash Passwords Are Stored in Windows SAM?

• Note: LM hashes have been disable in Windows Vista and later Windows operating systems, LM will be blank in those systems.

• reg save hklm\sam c:\temp\sam.save
• reg save hklm\system c:\temp\system.save
• pwdump, SMBPasswd

NTLM Authentication Process

Note: Microsoft has upgraded its default authentication protocol to Kerberos, which provides strong authentication for client/server applications than NTLM.

• XP: LM, NTLM
• Vista~: NTLMv2
• LM使用DES: PASSWOR DXXXXXX，各7字元，每個7×8=56 bits，大小寫不分

Kerberos Authentication

Password Salting

• Password salting is a technique where random string of character are added to the password to the password before calculating their hashes.
• Advantage: Salting makes it more difficult to reverse the hashes and defeats pre-computed hash attacks. Note: Windows password hashes are not salted

pwdump7 and fgdump

• PWDUMP extracts LM and NTLM password hashes of local user accounts from the Security Account Manager (SAM) database.
• fgdump works like pwdump but also extracts cached credentials and allows remove network execution.
• These tools must be run with administrator privileges.

Password Cracking Tools

• L0phtCrack: L0phtCrack is a password auditing and recovery application packed with features such as scheduling, hash extraction from 64-bit Windows versions, and networks monitoring and decoding.
• Ophcrack: Ophcrack is a Windows password cracker based on rainbow tables. It comes with a Graphical User Interface and runs on multiple platforms.
• Cain & Abel: It allows recovery of various kind of passwords by sniffing the network, cracking encrypted passwords using dictionary, brute-force, and cryptanalysis attacks.
• RainbowCrack: RainbowCrack cracks hashes with rainbow tables. It uses time-memory tradeoff algorithm to crack hashes.

Password Cracking Tool for Mobile: FlexiSPY Password Grabber

• It capture the security pattern used to access the phone itself and crack the passcode used to unlock the iPhone, plus the actual passwords they use for social messaging.
• It allows you to login to their Facebook, Skype, Twitter, Pinterest, LinkedIn, GMail and other Email accounts directly from your own computer.

How to Defend against Password Cracking

• Enable information security audit to monitor and track password attacks.
• Do not use the same password during password change.
• Do not share passwords.
• Do not use passwords that can be found in a dictionary.
• Do not use cleartext protocols and protocols with weak encryption.
• Set the password change policy to 30 days.
• Avoid storing passwords in an unsecured location.
• Do not use any system's default passwords.
• Make passwords hard to guess by using 8-12 alphanumeric characters in combination of uppercase and lowercase letters, numbers, and symbols.
• Ensure that application neither store passwords to memory nor write them to disk in clear text.
• Use a random string (salt) as prefix or suffix with the password before encrypting.
• Enable SYSKEY with strong password to encrypt and protect the SAM database.
• Never use passwords such as date of birth, spouse, or child's or pet's name.
• Monitor the server's logs for brute force attacks on the users accounts.
• Lock out an account subjected to too many incorrect password guesses.

Implement and Enforce Strong Security Policy