Password Cracking
Generally, the goal of an attacker is to authenticate to the target with the highest level of access and permissions possible, and then to remove the evidence of the attack. To compromise a target system, an attacker has to establish the passwords associated with active usernames, escalate the level of permission where possible by exploiting operating system vulnerabilities, and erase the traces that they were there. To achieve this, an attacker has to be able to: employ various password cracking techniques and tools; escalate privileges; hide files, cover tracks and erase evidence; and maintain access, for example via rootkits.
When the user provides an identity to gain access to a system, there has to be a mechanism to ensure that the assumed identity is valid.
Authentication verifies that a user's claimed identity is valid (it binds the identity to the subject) by means of something unique to the individual. The most common surrogate form of authentication is the password ('something you know'), which is assumed to be secret: knowledge of the password is taken as proof that the user is authentic.
While a username (rarely secret) identifies an account, the password is the key to a person's online identity. Passwords are therefore a prime target for attackers seeking unauthorised access to critical data and systems.
Science of passwords
Passwords are strings of characters used to authenticate users to computer systems. They are the most widely employed form of verification and are vulnerable to multiple forms of attack: a weak password can be guessed or cracked easily. The strength (i.e. effectiveness) of a password is a function of its length and of the size of the character set it draws on, and it should be proportional to the sensitivity of the data being protected. Security experts consistently cite weak passwords as one of the most critical security threats.
Password Types
A static password is a string of characters that stays the same for each logon, although policy may require it to be changed at intervals. This is the kind of password normally used to access online services.
A dynamic password, on the other hand, changes with each logon (a "one-time" password). This type of password is often required to perform certain banking transactions.
- Passwords can take many forms and can contain:
- Only numbers, letters or symbols: 4239 - ABCEFG - $@$!(#)
- A combination of two input types: h@cking - @$42$
- A combination of all input types: Eth1c@l - 42!vwlc7t
Alternatively, a passphrase (a sequence of characters longer than a normal password) can be converted into a password:
alOngStr!ngOfWOrds1sStr0ng3r&3asyTOR3m3mb3r
- Passwords should not be:
- Created using personal information about yourself or your family - e.g., name, birthplace, nickname, pets, etc.
- Formed of words out of any dictionary or book. Using known words in any language allows the cracker to take shortcuts.
- Composed of proper nouns of places, ideas, or people. These words are commonly found in password cracker databases.
- Reused. Do not reuse recently employed passwords again.
- Variations of words (e.g. s3cr3t, 3th1c@l), or a concatenation of two words that commonly follow each other in a sentence (e.g. ethicalhacking).
- A single digit or symbol added before or after a word (e.g. ethical!), word reversal (e.g. lacihte), or keyboard sequences that are easy to repeat (e.g. qwerty).
Science of static password
The majority of systems authenticate users with a static password. A password stored or sent in clear text would be an easy target for an attacker. To make the target less vulnerable, one-way hash functions (or, for transmission over an untrusted network, encryption) are used to protect the secrecy of the password. When a user logs on and enters a password, the system hashes it and compares the result with the stored hash; if the two hashes match, the user is authenticated. Hashing is no guarantee of protection, however: hashes can be cracked.
Encryption is the process of converting plain text into unreadable cipher text, and it is reversible by whoever holds the key. To protect stored passwords they are instead put through a one-way hash function, which turns text of arbitrary length into a fixed-length string of characters/digits. "One way" means that it is computationally infeasible to obtain the original text from its hash; a hash function is an efficient one-way mapping. Because the same password always produces the same hash, an attacker who cannot reverse the function can still hash guesses and compare the results, which is exactly what password cracking does.
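The hash-then-compare login check described above, as an added example that is not code from the original notes. It contrasts the bare, unsalted hash (identical for every user with the same password) with a per-user random salt and a deliberately slow derivation (PBKDF2-HMAC-SHA256 from Python's standard library), and compares digests in constant time. The stored record format "iterations$salt$hash" and the iteration count are this example's own assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example (not from the original notes): the hash-then-compare login
# check, first as a bare unsalted hash and then with a per-user salt and a
# slow key-derivation function. The record format "iterations$salt$hash" and
# the iteration count are this example's own assumptions.

ITERATIONS = 100_000  # assumption: raise until one verification costs ~100 ms on your hardware


def unsalted_digest(password: str) -> str:
    """The naive scheme: one fixed hash of the password, identical for every user."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> str:
    """Build the value that would be stored for a user: iterations$salt_hex$hash_hex."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify(record: str, candidate: str) -> bool:
    """Re-derive the hash from the stored salt and parameters and compare it.

    hmac.compare_digest takes the same time however early the digests differ,
    so a remote attacker learns nothing from response timing.
    """
    iterations, salt_hex, stored_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), stored_hex)


if __name__ == "__main__":
    # Two constructed accounts that happen to share a password.
    alice = make_record("Eth1c@l")
    bob = make_record("Eth1c@l")
    print("unsalted digests equal:", unsalted_digest("Eth1c@l") == unsalted_digest("Eth1c@l"))
    print("salted records equal:  ", alice == bob)
    print("alice logs in:", verify(alice, "Eth1c@l"), "| wrong case:", verify(alice, "eth1c@l"))
```

With the unsalted scheme, cracking one user's hash unlocks every account that shares the password, and a table of precomputed hashes applies to the whole user base; the salt makes each stored record unique and the slow derivation makes every guess the attacker hashes cost as much as a legitimate login.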
Depending on the algorithm, a hash can be weak and easy to break. For example, for the password 123456abcdef the LM hash algorithm (an old Windows standard) proceeds as follows:
1. Convert the string to all uppercase: 123456ABCDEF.
2. Pad it with null bytes to make it 14 characters long.
3. Split it into two 7-character halves: 123456A and BCDEF__ (the underscores mark the padding).
4. Each half is used as a DES key to encrypt the fixed string KGS!@#$%, and the two 8-byte results are concatenated:
123456A = 6BF11E04AFAB197F
BCDEF__ = F1E9FFDCC7557SB15
5. The LM hash is 6BF11E04AFAB197FF1E9FFDCC7557SB15
Because case is discarded and the halves are hashed independently, an attacker cracks two separate 7-character, case-insensitive passwords (at most 69^7, about 7.5 x 10^12, candidates each) rather than one 14-character password. An empty half always produces the constant AAD3B435B51404EE, so the hash even reveals whether the password is seven characters or shorter. Modern Windows versions store the NT hash instead and disable LM hashes by default.
Science of password cracking
Once an attacker has gathered the password hashes, the next step is to hash candidate passwords rapidly until one matches. Password cracking is the term for recovering passwords from stored or captured authentication data, with or without the use of tools, in order to unlock a resource that has been secured with a password.
Keep in mind that any password, whatever its length, can eventually be discovered given enough time and computing power; the aim of a strong password is to make that time impractical.
Even a hashed password is not entirely secure. Cracking tools do not reverse the hash: they generate candidate passwords, hash each one with the same algorithm and report a match when the output equals the stored hash.
- Four types of password attacks can be defined:
- active online attacks;
- passive online attacks
- offline attacks
- non-technical attacks.
Active online attacks
Guessing seems a fruitless task, but it is often successful because most users employ easy-to-remember passwords: children's names, a spouse, a pet, nicknames, a car model and other familiar things. Other users keep the default password assigned by the system or vendor. Some attacks target online services directly and attempt to gain access by continuously trying commonly used passwords against the login interface.
Against a single account this attack is much less effective today, because web sites and online services block or slow down successive failed login attempts in a short period of time (password throttling, or account lockout). Note, though, that per-account throttling does not stop an attacker who tries one common password against many accounts (password spraying), so it is a mitigation rather than a cure.
Passive online attacks
Passive attacks are still popular especially in local area networks and Wi-Fi networks. Examples include:
Wire sniffing - Access and record the raw network traffic, then wait for an authentication sequence and either read the credentials directly (if the protocol sends them in clear) or crack the captured hashes or challenge-response offline. This can be relatively hard to perpetrate, because the attacker must be positioned where the traffic passes, and the subsequent cracking may be computationally expensive. However, tools are widely available for both wired and wireless networks.
Man-in-the-middle and replay attacks - The attacker obtains the authentication sequence by relaying or monitoring the communication between two parties and then reuses it. Again this is relatively hard to perpetrate, as the attacker needs to be on the network path between the parties, typically inside the trusted network. It is popular on wireless networks (especially those with open access). Many tools are available.
Offline attacks
Offline attacks are perpetrated using a number of techniques explained below. All of them require the attacker first to obtain a copy of the stored password hashes (a password file or database). We will experiment with these techniques in the lab.
Stealing the SAM
Before explaining the various techniques that could be used in offline password cracking let’s provide an example of how a password file can be obtained.
Microsoft Windows stores user passwords as hashes in the Security Accounts Manager (SAM) database. The SAM contains the usernames and password hashes for every account on the local machine, so by accessing the SAM an attacker potentially has access to all local passwords.
The file is located in the %systemroot%\system32\config directory, but it is locked by the operating system while Windows is running. The hashes inside it are additionally encrypted with a key derived from the SYSTEM hive in the same directory, so a copy of the SAM is only useful together with a copy of SYSTEM.
One option for copying both files is to boot the machine into an alternate OS (e.g. Linux from a boot CD or USB stick), where the Windows locks do not apply. Alternatively, the hashes can be obtained by other methods which we will experiment with in the lab.
Once hashes have been extracted, an automated password recovery utility (using the techniques below) can be employed to crack them.
Dictionary Attack
If password policies permit dictionary words as passwords, they can be readily broken, even in hashed form. The simplest and quickest method for cracking a password is a dictionary attack, which hashes every word in a dictionary or word list and compares each result with the stolen hashes.
A dictionary attack is a technique for defeating a cipher or authentication mechanism by trying to determine its key or passphrase from a large but finite list of likely possibilities rather than from the whole keyspace. It exploits weak passwords: if a dictionary word has been employed, the list alone is sufficient to recover the password.
This type of attack has an obvious limitation: it can only find passwords that appear in the list, so a password that adds digits or symbols to a word, or that is not built from words at all, survives it.
Brute force Attack
A brute force attack tries every possible character combination until the password is found. It is the most comprehensive form of attack, but also the most time-consuming, so it is generally employed as a last resort: the time grows exponentially with the length of the password and with the size of the character set. Knowing the password policy (minimum length, required character classes) helps, because it bounds the search space, and if a password follows any partial structure (a capital first letter, digits at the end) the work needed to discover it can be reduced further.
Hybrid Attack
It is common practice for users to change a password by adding a number to the end of the old one (e.g. password, password1, password2, etc.).
When policies require a mix of input types, users often resort to simple substitutions that keep the word visually similar (e.g. h@ck1ng).
Despite the added complexity, such passwords can be cracked by software that applies the same substitutions. Hybrid attacks combine the dictionary and brute force techniques: they take each dictionary word and append or prepend numbers and/or symbols, or substitute them for certain letters, generating the variants users actually choose. They are slower than a plain dictionary attack but far faster than brute force.
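The three offline techniques just described (dictionary, hybrid, brute force), as an added example that is not part of the original notes, run in that order against a constructed set of unsalted SHA-256 hashes. The word list, substitution table and suffix list are small stand-ins for the lists a real cracking tool ships with, and the unsalted SHA-256 target format is an assumption made for the demonstration; the strong password from the quiz at the end of the page is included to show what survives all three stages.

```python
import hashlib
import itertools
import string

# Added example (not from the original notes): dictionary, hybrid and brute
# force cracking run in that order against constructed, unsalted SHA-256
# hashes. The word list, substitution table and suffix list are small stand-ins
# for the real lists a cracking tool ships with.

WORDLIST = ["password", "letmein", "hacking", "ethical", "mike", "qwerty"]  # constructed
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$", "l": "!"}          # common substitutions
SUFFIXES = [""] + [str(n) for n in range(100)] + ["!", "!1"]               # what users append


def h(candidate: str) -> str:
    """The target hash function: unsalted SHA-256, hex encoded."""
    return hashlib.sha256(candidate.encode("utf-8")).hexdigest()


def dictionary_candidates(words):
    """Dictionary attack: every word exactly as listed."""
    yield from words


def hybrid_candidates(words):
    """Hybrid attack: each word, optionally capitalised, with every combination
    of leet substitutions, followed by each common suffix."""
    for word in words:
        for base in (word, word.capitalize()):
            options = [[c] + ([LEET[c.lower()]] if c.lower() in LEET else []) for c in base]
            for variant in itertools.product(*options):
                stem = "".join(variant)
                for suffix in SUFFIXES:
                    yield stem + suffix


def brute_force_candidates(alphabet, max_len):
    """Brute force: every string over the alphabet up to max_len, shortest first."""
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            yield "".join(chars)


def run_stage(targets, candidates):
    """Hash each candidate and check it against the still-uncracked hashes.
    Returns ({hash: password}, number of hashes computed)."""
    remaining = set(targets)
    found, guesses = {}, 0
    for candidate in candidates:
        if not remaining:
            break
        guesses += 1
        digest = h(candidate)
        if digest in remaining:
            found[digest] = candidate
            remaining.discard(digest)
    return found, guesses


def crack(targets):
    """Cheapest technique first; each stage only sees what the previous ones missed.
    Returns {hash: (password, technique)} for every hash that was cracked."""
    stages = [
        ("dictionary", lambda: dictionary_candidates(WORDLIST)),
        ("hybrid", lambda: hybrid_candidates(WORDLIST)),
        ("brute force", lambda: brute_force_candidates(string.ascii_lowercase + string.digits, 3)),
    ]
    results, remaining = {}, set(targets)
    for name, make in stages:
        if not remaining:
            break
        found, _ = run_stage(remaining, make())
        results.update({d: (pw, name) for d, pw in found.items()})
        remaining -= set(found)
    return results


def seconds_to_exhaust(alphabet_size, length, guesses_per_second):
    """Worst-case brute force time for a password of exactly this length."""
    return alphabet_size ** length / guesses_per_second


if __name__ == "__main__":
    # Constructed targets: four weak passwords and one strong one.
    targets = [h(p) for p in ("password", "h@ck1ng", "Mike3", "a1b", "A34!df#64A")]
    for digest, (pw, how) in crack(targets).items():
        print(f"{digest[:12]}... -> {pw!r} via {how}")
    # A 10-character password over all 95 printable ASCII characters at 10^10 guesses/s:
    print(f"{seconds_to_exhaust(95, 10, 1e10) / 31_557_600:.0f} years worst case")
```

The brute force stage here is deliberately capped at three lowercase-alphanumeric characters so that the script finishes in seconds; the last line shows why the cap matters, since exhausting ten printable characters takes on the order of two centuries even at ten billion hashes per second. Real tools order candidates by how often humans choose them, which is what makes the hybrid stage cheap relative to its coverage.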
Pre-computation hashes
Many passwords are thought secure because of the time required to crack them. Another technique, rainbow cracking, trades that time for storage. A rainbow table is a specially structured lookup table used to recover the plaintext password from its hash.
Pre-computed tables reduce the difficulty of brute forcing a password by generating, once and in advance, a large data set of candidate passwords and their corresponding hashes (compressed into chains so that the table is far smaller than the keyspace it covers). A stolen hash can then be looked up in the table and cracked within seconds, making the attack almost instantaneous for every hash produced by that algorithm. This drastically reduces the auditing time for complex passwords. The countermeasure is a per-user random salt mixed into the hash: the table would have to be rebuilt for every salt value, which defeats the precomputation.
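A working miniature of the precomputed-table idea, added here as an example and not taken from the original notes: a rainbow table in the style of Oechslin's scheme over a toy keyspace of 4-digit PINs hashed with unsalted SHA-256. Chains of alternating hash and reduction steps are computed in advance and only their endpoints are stored, so the table holds far fewer entries than there are PINs, yet a lookup recovers any PIN that lies on some chain. The chain length, chain count, start-point spacing and reduction function are this example's own choices.

```python
import hashlib

# Added example (not from the original notes): a small rainbow table in the
# style of Oechslin's scheme over a toy keyspace of 4-digit PINs hashed with
# unsalted SHA-256. Parameters and the reduction function are this example's own.

KEYSPACE = 10_000   # PINs "0000".."9999"
CHAIN_LEN = 20      # hashes per chain
NUM_CHAINS = 2_000  # chains stored; 2,000 x 20 = 40,000 points over 10,000 PINs


def H(pin: str) -> str:
    """The attacked hash: unsalted SHA-256 of the PIN."""
    return hashlib.sha256(pin.encode("utf-8")).hexdigest()


def R(column: int, digest: str) -> str:
    """Reduction function: map a digest back to *some* PIN. Using a different
    function per column is what makes this a rainbow table rather than a plain
    Hellman table; chains that collide in different columns do not merge."""
    return f"{(int(digest[:12], 16) + column) % KEYSPACE:04d}"


def build_table(num_chains=NUM_CHAINS, chain_len=CHAIN_LEN):
    """Precompute chains start -> H -> R0 -> H -> R1 ... and keep only the endpoints."""
    table = {}
    for n in range(num_chains):
        start = f"{(n * 7919) % KEYSPACE:04d}"  # 7919 is coprime with 10,000: distinct starts
        pin = start
        for column in range(chain_len):
            pin = R(column, H(pin))
        table.setdefault(pin, []).append(start)  # several chains may share an endpoint
    return table


def lookup(table, target, chain_len=CHAIN_LEN):
    """Recover the PIN whose hash is target, or None if it lies on no stored chain."""
    # Assume the target sits in column i, walk to the chain end, see if it is stored.
    for i in range(chain_len - 1, -1, -1):
        pin = R(i, target)
        for j in range(i + 1, chain_len):
            pin = R(j, H(pin))
        for start in table.get(pin, []):
            # Regenerate the chain from its start and look for the real match
            # (an endpoint hit can be a false alarm caused by a chain collision).
            candidate = start
            for column in range(chain_len):
                if H(candidate) == target:
                    return candidate
                candidate = R(column, H(candidate))
    return None


def coverage(table, sample):
    """Fraction of the sample PINs the table recovers."""
    hits = sum(1 for pin in sample if lookup(table, H(pin)) == pin)
    return hits / len(sample)


if __name__ == "__main__":
    table = build_table()
    print("stored endpoints:", len(table), "of", KEYSPACE, "PINs")
    print("crack 0000 ->", lookup(table, H("0000")))
    print("coverage:", coverage(table, [f"{p:04d}" for p in range(0, KEYSPACE, 50)]))
    # A salt defeats the precomputation: nothing in the table hashes to this value.
    print("salted lookup:", lookup(table, H("s4lt" + "0000")))
```

Each lookup costs at most a few hundred hash computations regardless of how expensive the table was to build, which is the trade the attacker is making. The last line shows the countermeasure from the paragraph above: once the stored value is the hash of salt plus PIN, the table built for bare PINs finds nothing, and a new table would be needed for every salt.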
Non-technical Attack
Password cracking does not always involve sophisticated tools. Because passwords can be difficult to remember, they are often written down on notes near the workstation, where anyone with physical access can read them. Other crude, non-technical techniques are based on social engineering, which we will cover in depth later.
Keystroke loggers
Keystroke loggers are designed to intercept the target's keyboard activity and either save it or transmit it to the attacker. Keyloggers record every keystroke and so automatically reveal typed passwords (and other sensitive and confidential data). Two types exist: hardware devices and software applications.
Hardware keyloggers are small devices inserted between the keyboard and the PC that save the data into the device's own memory. They require physical access to install and to retrieve, but they are not detectable by anti-spyware software.
Software keyloggers, which we will use in the lab, are stealthy programs installed on the victim's computer that run in the background.
Countermeasures - Designing strong passwords
All that stands between a criminal and personal data is often a password. Making it strong is essential to protect your data.
Selecting a secure password will help to ensure that the password cracker must take as long as possible to obtain the password in clear text. Keep in mind that no password is ultimately secure, but if it takes longer to crack the password than it takes for the password to become useless, you will have succeeded in mitigating the attack [1].
- Creating a complex password:
- Mix it up (no regular pattern that a cracking rule could describe).
- Use a combination of input types (and avoid dictionary words).
- Enforce at least 10 characters (preferably 15).
- Creating passphrases ("alOngstr!ngOfwOrds") provides strength through length.
Keep it secure! Do not share it with anyone; do not write it down; change it regularly; do not use the same password in different places or reuse an old one; check its strength.
Mary had a little lamb formula
Consider the phrase: "Mary had a little lamb its fleece was white as snow"
1. Take the first letter of each word: MHALLIFWWAS
2. Put every second letter of the abbreviation in lower case: MhAlLiFwWaS
3. Replace every A or a with "@" and every L or l with "!".
4. The result is an alphanumeric password of more than eight characters.
New password: Mh@!!iFwW@S
Another example: "Jack and Jill went up the hill to fetch a pail of water"
Resulting password: J@JwUtHtF@PoW
Note that well-known phrases (nursery rhymes, song lyrics, famous quotations) and exactly these transformation rules are already built into cracking word lists and rule sets, so the formula only helps when applied to a phrase that is personal and unpublished.
Biometrics
Technology moves quickly and alternative methods of authentication are continuously sought. Biometrics is an example: essentially a pattern recognition system that identifies a person by verifying a specific physiological or behavioural characteristic they possess (a fingerprint, a face, a voice, a typing rhythm).
This method is often preferred over traditional passwords and PINs for various reasons. Primarily, the requirement to be physically present at the point of identification makes it fairly secure, although techniques exist to fool a sensor into believing that the person authenticating is the genuine one. Additionally, it removes the need to remember a password or carry a token. Unlike a password, however, a biometric cannot be changed if the stored template is compromised.
References
1. Acura Computers, "Tips for creating secure password". Available at: http://www.acuracomputer.com/article.php?article=7
2. Web sites listing default passwords commonly assigned to popular systems:
http://www.defaultpassword.com/
http://cirt.net/passwords
Quiz
1. Explain the differences between a static and dynamic password.
Answer:
A static password is the same (does not change) for each logon (although it should be changed at frequent intervals). Whereas a dynamic password changes with each logon (a “one-time” password that is used once and then discarded).
2. In the context of password cracking, what can be achieved by dictionary, hybrid and brute force attacks?
Answer:
Dictionary attacks: a text file full of dictionary words is loaded into a password cracking program and run against the user accounts found by the application. If simple passwords have been used, this might be enough to do the trick. Hybrid attacks: similar to a dictionary attack, except that numbers or symbols are added to or substituted into the dictionary words. Many people change their passwords by simply adding a number to the end of the current one; the pattern usually takes this form: first month's password is "Mike", second month's is "Mike2", third month's is "Mike3", and so on. Brute force attacks: the most comprehensive form of attack and potentially the most time-consuming. Brute force attacks can take weeks or longer, depending on the length and complexity of the password.
3. Explain the type of password attacks that would be most successful against: A34!df#64A.