Social engineering

The most popular low-tech method for gathering passwords is social engineering, which I cover in detail in Chapter 6. Social engineering takes advantage of the trusting nature of human beings to gain information that later can be used maliciously. A common social engineering technique is simply to con people into divulging their passwords. It sounds ridiculous, but it happens all the time.

Shoulder surfing

Shoulder surfing (the act of looking over someone’s shoulder to see what the person is typing) is an effective, low-tech password hack.

Inference

Inference is simply guessing passwords from information you know about users — such as their date of birth, favorite television show, or phone numbers. It sounds silly, but criminals often determine their victims’ passwords simply by guessing them!

The best defense against an inference attack is to educate users about creating secure passwords that don’t include information that can be associated with them. Outside of certain password complexity filters, it’s often not easy to enforce this practice with technical controls. So, you need a sound security policy and ongoing security awareness and training to remind users of the importance of secure password creation.

Weak authentication

External attackers and malicious insiders can obtain — or simply avoid having to use — passwords by taking advantage of older or unsecured operating systems that don’t require passwords to log in. The same goes for a phone or tablet that isn’t configured to use passwords.

Password-cracking software

You can try to crack your organization’s operating system and application passwords with various password-cracking tools:

• Brutus (www.hoobie.net/brutus) cracks logons for HTTP, FTP, telnet, and more.
• Cain & Abel (www.oxid.it/cain.html) cracks LM and NT LanManager (NTLM) hashes, Windows RDP passwords, Cisco IOS and PIX hashes, VNC passwords, RADIUS hashes, and lots more. (Hashes are cryptographic representations of passwords.)
• ElcomSoft Distributed Password Recovery (www.elcomsoft.com/edpr.html) cracks Windows, Microsoft Office, PGP, Adobe, iTunes, and numerous other passwords in a distributed fashion using up to 10,000 networked computers at one time. Plus, this tool uses the same graphics processing unit (GPU) video acceleration as the ElcomSoft Wireless Auditor tool, which allows for cracking speeds up to 50 times faster. (I talk about the ElcomSoft Wireless Auditor tool in Chapter 10.)
• ElcomSoft System Recovery (www.elcomsoft.com/esr.html) cracks or resets Windows user passwords, sets administrative rights, and resets password expirations all from a bootable CD. This is a great tool for demonstrating what can happen when laptop computers do not have full disk encryption.
• John the Ripper (www.openwall.com/john) cracks hashed Linux/UNIX and Windows passwords.
• ophcrack (http://ophcrack.sourceforge.net) cracks Windows user passwords using rainbow tables from a bootable CD. Rainbow tables are pre-calculated password hashes that can help speed up the cracking process by comparing these hashes with the hashes obtained from the specific passwords being tested.
• Proactive Password Auditor (www.elcomsoft.com/ppa.html) runs brute-force, dictionary, and rainbow cracks against extracted LM and NTLM password hashes.
• Proactive System Password Recovery (www.elcomsoft.com/pspr.html) recovers practically any locally stored Windows password, such as logon passwords, WEP/WPA passphrases, SYSKEY passwords, and RAS/dialup/VPN passwords.
• pwdump3 (www.openwall.com/passwords/microsoft-windows-nt-2000-xp-2003-vista-7) extracts Windows password hashes from the SAM (Security Accounts Manager) database.
• RainbowCrack (http://project-rainbowcrack.com) cracks LanManager (LM) and MD5 hashes very quickly by using rainbow tables.
• THC-Hydra (www.thc.org/thc-hydra) cracks logons for HTTP, FTP, IMAP, SMTP, VNC and many more.

Some of these tools require physical access to the systems you’re testing. You might be wondering what value that adds to password cracking. If a hacker can obtain physical access to your systems and password files, you have more than just basic information security problems to worry about, right? True, but this kind of access is entirely possible! What about a summer intern, a disgruntled employee, or an outside auditor with malicious intent? The mere risk of an unencrypted laptop being lost or stolen and falling into the hands of someone with ill intent should be reason enough.

To understand how the preceding password-cracking programs generally work, you first need to understand how passwords are encrypted. Passwords are typically encrypted when they’re stored on a computer, using an encryption or one-way hash algorithm, such as SHA2 or MD5. Hashed passwords are then represented as fixed-length encrypted strings that always represent the same passwords with exactly the same strings. These hashes are irreversible for all practical purposes, so, in theory, passwords can never be decrypted. Furthermore, certain passwords, such as those in Linux, have a random value called a salt added to them to create a degree of randomness. This prevents the same password used by two people from having the same hash value.

Password-cracking utilities take a set of known passwords and run them through a password-hashing algorithm. The resulting encrypted hashes are then compared at lightning speed to the password hashes extracted from the original password database. When a match is found between the newly generated hash and the hash in the original database, the password has been cracked. It’s that simple.

Other password-cracking programs simply attempt to log on using a predefined set of user IDs and passwords. This is how many dictionary-based cracking tools work, such as Brutus (www.hoobie.net/brutus) and SQLPing3 (www.sqlsecurity.com/downloads). I cover cracking web application and database passwords in Chapters 15 and 16.

Passwords that are subjected to cracking tools eventually lose. You have access to the same tools as the bad guys. These tools can be used for both legitimate security assessments and malicious attacks. You want to find password weaknesses before the bad guys do, and in this section, I show you some of my favorite methods for assessing Windows and Linux/UNIX passwords.

When trying to crack passwords, the associated user accounts might be locked out, which could interrupt your users. Be careful if intruder lockout is enabled in your operating systems, databases, or applications. If lockout is enabled, you might lock out some or all computer/network accounts, resulting in a denial of service situation for your users.

Password storage locations vary by operating system:

• Windows usually stores passwords in these locations:

  • Security Accounts Manager (SAM) database (c:windowssystem32config)
  • Active Directory database file that’s stored locally or spread across domain controllers (ntds.dit)

  Windows may also store passwords in a backup of the SAM file in the c:winnt epair or c:windows epair directory.

  Some Windows applications store passwords in the Registry or as plain-text files on the hard drive! A simple registry or file-system search for “password” may uncover just what you’re looking for.

• Linux and other UNIX variants typically store passwords in these files:
  • /etc/passwd (readable by everyone)
  • /etc/shadow (accessible by the system and the root account only)
  • /etc/security/passwd (accessible by the system and the root account only)
  • /.secure/etc/passwd (accessible by the system and the root account only)

Dictionary attacks

Dictionary attacks quickly compare a set of known dictionary-type words — including many common passwords — against a password database. This database is a text file with hundreds if not thousands of dictionary words typically listed in alphabetical order. For instance, suppose that you have a dictionary file that you downloaded from one of the sites in the following list. The English dictionary file at the Purdue site contains one word per line starting with 10th, 1st … all the way to zygote.

Many password-cracking utilities can use a separate dictionary that you create or download from the Internet. Here are some popular sites that house dictionary files and other miscellaneous word lists:

• ftp://ftp.cerias.purdue.edu/pub/dict
• www.outpost9.com/files/WordLists.html

Don’t forget to use other language files as well, such as Spanish and Klingon.

Dictionary attacks are only as good as the dictionary files you supply to your password-cracking program. You can easily spend days, even weeks, trying to crack passwords with a dictionary attack. If you don’t set a time limit or similar expectation going in, you’ll likely find that dictionary cracking is often a mere exercise in futility. Most dictionary attacks are good for weak (easily-guessed) passwords. However, some special dictionaries have common misspellings or alternative spellings of words, such as pa$$w0rd (password) and 5ecur1ty (security). Additionally, special dictionaries can contain non-English words and thematic words from religions, politics, or Star Trek.

Brute-force attacks

Brute-force attacks can crack practically any password, given sufficient time. Brute-force attacks try every combination of numbers, letters, and special characters until the password is discovered. Many password-cracking utilities let you specify such testing criteria as the character sets, password length to try, and known characters (for a “mask” attack). Sample Proactive Password Auditor brute-force password-cracking options are shown in Figure 8-1.

A brute-force test can take quite a while, depending on the number of accounts, their associated password complexities, and the speed of the computer that’s running the cracking software. As powerful as brute-force testing can be, it literally can take forever to exhaust all possible password combinations, which in reality is not practical in every situation.

Smart hackers attempt logins slowly or at random times so the failed login attempts aren’t as predictable or obvious in the system log files. Some malicious users might even call the IT help desk to attempt a reset of the account they just locked out. This social engineering technique could be a major issue, especially if the organization has no (or minimal) mechanisms in place to verify that locked-out users are who they say they are.

Can an expiring password deter a hacker’s attack and render password cracking software useless? Yes. After the password is changed, the cracking must start again if the hacker wants to test all the possible combinations. This is one reason why it’s a good idea to change passwords periodically. Still, I’m not a big fan of forcing users to change their passwords often. Shortening the change interval can reduce the risk of passwords being cracked but can also be politically unfavorable in your business and end up creating the opposite effect you’re going for. You have to strike a balance between security and convenience and usability. In many situations, I don’t think it’s unreasonable to require password changes every 6 to 12 months or after a suspected compromise.

Exhaustive password cracking attempts usually aren’t necessary. Most passwords are fairly weak. Even minimum password requirements, such as a password length, can help you in your testing. You might be able to discover security policy information by using other tools or via your web browser. (See Part IV for tools and techniques for testing the security of operating systems. See Chapter 15 for information on testing websites/applications.) If you find this password policy information, you can configure your cracking programs with more well-defined cracking parameters, which often generate faster results.

Rainbow attacks

A rainbow password attack uses rainbow cracking to crack various password hashes for LM, NTLM, Cisco PIX, and MD5 much more quickly and with extremely high success rates (near 100 percent). Password cracking speed is increased in a rainbow attack because the hashes are precalculated and thus don’t have to be generated individually on the fly as they are with dictionary and brute-force cracking methods.

Unlike dictionary and brute-force attacks, rainbow attacks cannot be used to crack password hashes of unlimited length. The current maximum length for Microsoft LM hashes is 14 characters, and the maximum is up to 16 characters (dictionary-based) for Windows Vista and 7 hashes (also known as NT hashes). The rainbow tables are available for purchase and download via the ophcrack site at http://ophcrack.sourceforge.net. There’s a length limitation because it takes significant time to generate these rainbow tables. Given enough time, a sufficient number of tables will be created. Of course, by then, computers and applications likely have different authentication mechanisms and hashing standards — including a new set of vulnerabilities — to contend with. Job security for IT professionals working in this area never ceases to grow.

If you have a good set of rainbow tables, such as those offered via the ophcrack site and Project RainbowCrack (http://project-rainbowcrack.com), you can crack passwords in seconds, minutes, or hours versus the days, weeks, or even years required by dictionary and brute-force methods.

Cracking Windows passwords with pwdump3 and John the Ripper

The following steps use two of my favorite utilities to test the security of current passwords on Windows systems:

• pwdump3 (to extract password hashes from the Windows SAM database)
• John the Ripper (to crack the hashes of Windows and Linux/UNIX passwords)

The following test requires administrative access to either your Windows standalone workstation or the server:

1. Create a new directory called passwords from the root of your Windows C: drive.

2. Download and install a decompression tool if you don’t already have one.

   WinZip (www.winzip.com) is a good commercial tool I use and 7-Zip (www.7-zip.org) is a free decompression tool. Windows also includes built-in Zip file handling, albeit a bit kludgy.

3. Download, extract, and install the following software into the passwords directory you created, if you don’t already have it on your system:
   • pwdump3: Download the file from www.openwall.com/passwords/microsoft-windows-nt-2000-xp-2003-vista-7.
   • John the Ripper: Download the file from www.openwall.com/john.
4. Enter the following command to run pwdump3 and redirect its output to a file called cracked.txt:

   c:passwordspwdump3 > cracked.txt

   This file captures the Windows SAM password hashes that are cracked with John the Ripper. Figure 8-2 shows the contents of the cracked.txt file that contains the local Windows SAM database password hashes.

5. Enter the following command to run John the Ripper against the Windows SAM password hashes to display the cracked passwords:

   c:passwordsjohn cracked.txt

   This process — shown in Figure 8-3 — can take seconds or days, depending on the number of users and the complexity of their associated passwords. My Windows example took only five seconds to crack five weak passwords.

Cracking UNIX/Linux passwords with John the Ripper

John the Ripper can also crack UNIX/Linux passwords. You need root access to your system and to the password (/etc/passwd) and shadow password (/etc/shadow) files. Perform the following steps for cracking UNIX/Linux passwords:

1. Download the UNIX source files from www.openwall.com/john.
2. Extract the program by entering the following command:

   [root@localhost kbeaver]#tar -zxf john-1.8.0.tar.xz

   or whatever the current filename is.

   You can also crack UNIX or Linux passwords on a Windows system by using the Windows/DOS version of John the Ripper.

3. Change to the /src directory that was created when you extracted the program and enter the following command:

   make generic

4. Change to the /run directory and enter the following command to use the unshadow program to combine the passwd and shadow files and copy them to the file cracked.txt:

   ./unshadow /etc/passwd /etc/shadow > cracked.txt

   The unshadow process won’t work with all UNIX variants.

5. Enter the following command to start the cracking process:

   ./john cracked.txt

   When John the Ripper is complete (and this could take some time), the output is similar to the results of the preceding Windows process. (Refer to Figure 8-3.)

After completing the preceding Windows or UNIX steps, you can either force users to change passwords that don’t meet specific password policy requirements, you can create a new password policy, or you can use the information to update your security awareness program. Just do something.

Be careful handling the results of your password cracking efforts. You create an accountability issue because more than one person now knows the passwords. Always treat the password information of others as strictly confidential. If you end up storing them on your test system, make sure it’s extra secure. If it’s a laptop, encrypting the hard drive is the best defense.

Cracking files

Most password-protected files can be cracked in seconds or minutes. You can demonstrate this “wow factor” security vulnerability to users and management. Here’s a hypothetical scenario that could occur in the real world:

1. Your CFO wants to send some confidential financial information in an Excel spreadsheet to a company board member.
2. She protects the spreadsheet by assigning it a password during the file-save process in Excel.
3. For good measure, she uses WinZip to compress the file and adds another password to make it really secure.

4. The CFO sends the spreadsheet as an e-mail attachment, assuming that the e-mail will reach its destination.

   The financial advisor’s network has content filtering, which monitors incoming e-mails for keywords and file attachments. Unfortunately, the financial advisory firm’s network administrator is looking in the content-filtering system to see what’s coming in.

5. This rogue network administrator finds the e-mail with the confidential attachment, saves the attachment, and realizes that it’s password protected.
6. The network administrator remembers a great password-cracking tool available from ElcomSoft called Advanced Archive Password Recovery (www.elcomsoft.com/archpr.html) that can help him out so he proceeds to use it to crack the password.

Cracking password-protected files is as simple as that! Now all that the rogue network administrator must do is forward the confidential spreadsheet to his buddies or to the company’s competitors.

If you carefully select the right options in Advanced Archive Password Recovery, you can drastically shorten your testing time. For example, if you know that a password is not over five characters long or is lowercase letters only, you can cut the cracking time in half.

I recommend performing these file-password-cracking tests on files that you capture with a content filtering or network analysis tool. This is a good way to determine whether your users are adhering to policy and using adequate passwords to protect sensitive information they’re sending.

Countermeasures

The best defense against weak file password protection is to require your users to use a stronger form of file protection, such as PGP, or the AES encryption that’s built in to WinZip, when necessary. Ideally, you don’t want to rely on users to make decisions about what they should use to secure sensitive information, but it’s better than nothing. Stress that a file encryption mechanism, such as a password-protected Zip file, is secure only if users keep their passwords confidential and never transmit or store them in unsecure cleartext (such as in a separate e-mail).

If you’re concerned about unsecure transmissions through e-mail, consider using a content-filtering system or a data loss–prevention system to block all outbound e-mail attachments that aren’t protected on your e-mail server.

Keystroke logging

One of the best techniques for capturing passwords is remote keystroke logging — the use of software or hardware to record keystrokes as they’re typed into the computer.

Be careful with keystroke logging. Even with good intentions, monitoring employees raises various legal issues if it’s not done correctly. Discuss with your legal counsel what you’ll be doing, ask for their guidance, and get approval from upper management.

Weak password storage

Many legacy and standalone applications, such as e-mail, dial-up network connections, and accounting software, store passwords locally, making them vulnerable to password hacking. By performing a basic text search, I’ve found passwords stored in cleartext on the local hard drives of machines. You can automate the process even further by using a program called FileLocator Pro (www.mythicsoft.com). I cover these file and related storage vulnerabilities in Chapter 16.

Network analyzer

A network analyzer sniffs the packets traversing the network. This is what the bad guys do if they can gain control of a computer, tap into your wireless network, or gain physical network access to set up their network analyzer. If they gain physical access, they can look for a network jack on the wall and plug right in!

Testing

Figure 8-4 shows how crystal-clear passwords can be through the eyes of a network analyzer. This figure shows how Cain & Abel (www.oxid.it/cain.html) can glean thousands of passwords going across the network in a matter of a couple of hours. As you can see in the left pane, these cleartext password vulnerabilities can apply to FTP, web, telnet, and more. (The actual usernames and passwords are blurred out to protect them.)

If traffic is not tunneled through a VPN, SSH, SSL, or some other form of encrypted link, it’s vulnerable to attack.

Cain & Abel is a password-cracking tool that also has network analysis capabilities. You can also use a regular network analyzer, such as the commercial products OmniPeek (www.savvius.com/products/overview/omnipeek_family/omnipeek_network_analysis) and CommView (www.tamos.com/products/commview) as well as the free open source program, Wireshark (www.wireshark.org). With a network analyzer, you can search for password traffic in various ways. For example, to capture POP3 password traffic, you can set up a filter and a trigger to search for the PASS command. When the network analyzer sees the PASS command in the packet, it captures that specific data.

Network analyzers require you to capture data on a hub segment of your network or via a monitor/mirror/span port on a switch. Otherwise, you can’t see anyone else’s data traversing the network — just yours. Check your switch’s user guide for whether it has a monitor or mirror port and instructions on how to configure it. You can connect your network analyzer to a hub on the public side of your firewall. You’ll capture only those packets that are entering or leaving your network — not internal traffic. I cover this type of network infrastructure hacking in detail in Chapter 9.

Weak BIOS passwords

Most computer BIOS (basic input/output system) settings allow power-on passwords and/or setup passwords to protect the computer’s hardware settings that are stored in the CMOS chip. Here are some ways around these passwords:

• You can usually reset these passwords either by unplugging the CMOS battery or by changing a jumper on the motherboard.
• Password-cracking utilities for BIOS passwords are available on the Internet and from computer manufacturers.
• If gaining access to the hard drive is your ultimate goal, you can simply remove the hard drive from the computer and install it in another one and you’re good to go. This is a great way to prove that BIOS/power-on passwords are not an effective countermeasure for lost or stolen laptops.

For a good list of default system passwords for various vendor equipment, check www.cirt.net/passwords.

There are tons of variables for hacking and hacking countermeasures depending on your hardware setup. If you plan to hack your own BIOS passwords, check for information in your user manual or refer to the BIOS password-hacking guide I wrote at http://searchenterprisedesktop.techtarget.com/tutorial/BIOS-password-hacking. If protecting the information on your hard drives is your ultimate goal, then full (sometimes referred to as whole) disk is the best way to go. I cover mobile-related password cracking in-depth in Chapter 11. The good news is that newer computers (within the past five years or so) are using a new type of BIOS called unified extensible firmware interface (UEFI), which is much more resilient to boot-level system cracking attempts. Still, a weak password may be all it takes for the system to be exploited.

Weak passwords in limbo

Bad guys often exploit user accounts that have just been created or reset by a network administrator or help desk. New accounts might need to be created for new employees or even for your own security testing purposes. Accounts might need to be reset if users forget their passwords or if the accounts have been locked out because of failed attempts.