Chapter 7. Passwords

In This Chapter

  • Identifying password vulnerabilities

  • Examining password-hacking tools and techniques

  • Hacking operating system passwords

  • Hacking password-protected files

  • Protecting your systems from password hacking

Password hacking is one of the easiest and most common ways attackers obtain unauthorized computer or network access. Although strong passwords — ideally, longer and stronger passphrases that are difficult to crack (or guess) — are easy to create and maintain, network administrators and users often neglect this. Therefore, passwords are one of the weakest links in the information security chain. Passwords rely on secrecy. After a password is compromised, its original owner isn't the only person who can access the system with it. That's when accountability goes out the window and bad things start happening.

External attackers and malicious insiders have many ways to obtain passwords. They can glean passwords simply by asking for them or by looking over the shoulders (shoulder surfing) of users while they type them. Hackers can also obtain passwords from local computers by using password-cracking software. To obtain passwords from across a network, attackers can use remote cracking utilities, keyloggers, or network analyzers.

This chapter demonstrates how easily the bad guys can gather password information from your network and computer systems. I outline common password vulnerabilities and describe countermeasures to help prevent these vulnerabilities from being exploited on your systems. If you perform the tests and implement the countermeasures outlined in this chapter, you'll be well on your way to securing your systems' passwords.

Password Vulnerabilities

When you balance the cost of security and the value of the protected information, the combination of a user ID and a secret password is usually adequate. However, passwords give a false sense of security. The bad guys know this and attempt to crack passwords as a step toward breaking into computer systems.

One big problem with relying solely on passwords for information security is that more than one person can know them. Sometimes, this is intentional; often, it's not. The tough part is that there's no way of knowing who, besides the password's owner, knows a password. Remember: Knowing a password doesn't make someone an authorized user.

Here are the two general classifications of password vulnerabilities:

  • Organizational or user vulnerabilities: This includes lack of password policies that are enforced within the organization and lack of security awareness on the part of users.

  • Technical vulnerabilities: This includes weak encryption methods and unsecure storage of passwords on computer systems.

Before computer networks and the Internet, the user's physical environment was an additional layer of password security that actually worked pretty well. Now that most computers have network connectivity, that protection is gone.

Organizational password vulnerabilities

It's human nature to want convenience — especially when it comes to remembering five, ten, and often dozens of passwords in our work and daily lives. This makes passwords one of the easiest barriers for an attacker to overcome. Almost 3 trillion (yes, trillion with a t and 12 zeros) eight-character password combinations are possible by using the 26 letters of the alphabet and the numerals 0 through 9. However, most people prefer to create passwords that are easy to remember. Users like to use such passwords as password, their login name, or even a blank password.

Unless users are educated and reminded about using strong passwords, their passwords usually are

  • Easy to guess.

  • Seldom changed.

  • Reused for many security points. When bad guys crack one password, they can often access other systems with that same password and username.

  • Written down in unsecure places. The more complex a password is, the more difficult it is to crack. However, when users create complex passwords, they're more likely to write them down. External attackers and malicious insiders can find these passwords and use them against you.

Technical password vulnerabilities

You can often find these serious technical vulnerabilities after exploiting organizational password vulnerabilities:

  • Weak password encryption schemes. Hackers can break weak password storage mechanisms by using cracking methods that I outline in this chapter. Many vendors and developers believe that passwords are safe as long as they don't publish the source code for their encryption algorithms. Wrong! A persistent, patient attacker can usually crack this security by obscurity (a security measure that's hidden from plain view but can be easily overcome) fairly quickly. After the code is cracked, it is distributed across the Internet and becomes public knowledge.

    Password-cracking utilities take advantage of weak password encryption. These utilities do the grunt work and can crack any password, given enough time and computing power.

  • Programs that store their passwords in memory, unsecured files, and easily accessed databases.

  • User applications that display passwords on the screen while typing.

The National Vulnerability Database (an index of computer vulnerabilities managed by the National Institute of Standards and Technology) currently identifies over 2,000 password-related vulnerabilities — a number that has doubled in just the past three years! You can search for these issues at (http://nvd.nist.gov) to find out how vulnerable some of your systems are from a technical perspective.

Cracking Passwords

Password cracking is one of the most enjoyable hacks for the bad guys. It fuels their sense of exploration and desire to figure out things. You might not have a burning desire to explore everyone's passwords, but it helps to approach password cracking with this mindset. So where should you start hacking the passwords on your systems? Generally, any user's password works. After you obtain one password, you can often obtain others — including administrator or root passwords.

Administrator passwords are the pot of gold. With unauthorized administrative access, you can do virtually anything on the system. When looking for your organization's password vulnerabilities, I recommend first trying to obtain the highest level of access possible (such as administrator) through the most discreet method possible. That's often what the bad guys do.

You can use low-tech ways and high-tech ways to exploit vulnerabilities to obtain passwords. For example, you can deceive users into divulging passwords over the telephone or simply observe what a user has written down on a piece of paper. Or you can capture passwords directly from a computer, over a network, and via the Internet with the tools covered in the following sections.

Cracking passwords the old-fashioned way

A hacker can use low-tech methods to crack passwords. These methods include using social engineering techniques, shoulder surfing, and simply guessing passwords from information that he knows about the user.

Social engineering

The most popular low-tech method for gathering passwords is social engineering, which I cover in detail in Chapter 5. Social engineering takes advantage of the trusting nature of human beings to gain information that later can be used maliciously. A common social engineering technique is simply to con people into divulging their passwords. It sounds ridiculous, but it happens all the time.

Techniques

To obtain a password through social engineering, you just ask for it. For example, you can simply call a user and tell him that he has some important-looking e-mails stuck in the mail queue, and you need his password to log in and free them up. This is often how hackers and rogue insiders try to get the information!

Note

If a user gives you his password during your testing, make sure that he changes it. You don't want to be held accountable if something goes awry after the password has been disclosed.

Countermeasures

User awareness and consistent security training are the best defense against social engineering. Train users to spot attacks (such as suspicious phone calls or deceitful phishing e-mails) and respond effectively. Their best response is not to give out any information and to alert the appropriate information security manager in the organization to see whether the inquiry is legitimate and whether a response is necessary.

Shoulder surfing

Shoulder surfing (the act of looking over someone's shoulder to see what the person is typing) is an effective, low-tech password hack.

Techniques

To mount this attack, the bad guys must be near their victims and not look obvious. They simply collect the password by watching either the user's keyboard or screen when the person logs in. An attacker with a good eye might even watch whether the user is glancing around his desk for either a reminder of the password or the password itself.

You can try shoulder surfing yourself. Simply walk around the office and perform random spot checks. Go to users' desks and ask them to log in to their computers, the network, or even their e-mail applications. Just don't tell them what you're doing beforehand, or they might attempt to hide what they're typing or where they're looking for their password — two things that they should've been doing all along! Just be careful doing this and respect other people's privacy.

Countermeasures

Encourage users to be aware of their surroundings and not to enter their passwords when they suspect that someone is looking over their shoulders. Instruct users that if they suspect someone is looking over their shoulders while they're logging in, they should politely ask the person to look away or, as I often do, simply lean into the person's line of sight to block the view of the keyboard and screen. 3M Privacy Filters (www.3m.com) work great as well.

Inference

Inference is simply guessing passwords from information you know about users — such as their date of birth, favorite television show, or phone numbers. It sounds silly, but criminals often determine their victims' passwords simply by guessing them!

The best defense against an inference attack is to educate users about creating secure passwords that do not include information that can be associated with them. Outside of certain password complexity filters, it's often not easy to enforce this practice with technical controls, so you need a sound security policy and ongoing security awareness and training to remind users of the importance of secure password creation.

Weak authentication

External attackers and malicious insiders can obtain — or simply avoid having to use — passwords by taking advantage of older operating systems, such as Windows 9x and Windows ME. These operating systems don't require passwords to log in. The same goes for a BlackBerry or smartphone that isn't configured to use passwords.

Bypassing authentication

On a Windows 9x or similar workstation that prompts for a password, you can press Esc on the keyboard to get right in. After you're in, you can find other passwords stored in such places as dial-up and VPN connections and screen savers. Such passwords can be cracked very easily using Elcomsoft's Proactive System Password Recovery tool (www.elcomsoft.com/pspr.html) and Cain & Abel (www.oxid.it/cain.html). These weak systems can serve as trusted machines — meaning that people assume they're secure — and provide good launching pads for network-based password attacks as well.

Countermeasures

The only true defense against this is not to use operating systems that employ weak authentication. To eliminate this vulnerability, at least upgrade to Windows XP, or better yet, Windows 7 or use recent versions of Linux or one of the various flavors of UNIX, including Mac OS X.

Tip

More modern authentication systems, such as Kerberos (which is used in newer versions of Windows) and directory services (such as Novell's eDirectory and Microsoft's Active Directory), store passwords only in hashed form or never send the password itself across the network at all (Kerberos proves possession of a key derived from the password instead), which creates an extra layer of security.

High-tech password cracking

High-tech password cracking involves using a program that recovers passwords by generating candidate passwords, hashing each one the way the target system does, and comparing the results with the stored hashes. These high-tech methods are mostly automated after you access the computer and its password database files.

The main password-cracking methods are dictionary attacks, brute-force attacks, and rainbow attacks.

Password-cracking software

You can try to crack your organization's operating system and application passwords with various password-cracking tools:

  • Cain & Abel (www.oxid.it/cain.html) cracks LAN Manager (LM) and NT LAN Manager (NTLM) hashes, Windows RDP passwords, Cisco IOS and PIX hashes, VNC passwords, RADIUS hashes, and lots more.

  • chknull (www.phreak.org/archives/exploits/novell) checks for Novell NetWare accounts with no password.

  • Elcomsoft Distributed Password Recovery (www.elcomsoft.com/edpr.html) cracks Microsoft Office, PGP, and PKCS passwords in a distributed fashion using up to 10,000 networked computers at one time. Plus, this tool uses the same GPU video acceleration as the Elcomsoft Wireless Auditor tool, which allows for cracking speeds up to 50 times faster. (I talk about the Elcomsoft Wireless Auditor tool in Chapter 9.)

  • Elcomsoft System Recovery (www.elcomsoft.com/esr.html) cracks or resets Windows user passwords, sets administrative rights, and resets password expirations all from a bootable CD.

  • John the Ripper (www.openwall.com/john) cracks hashed Linux/UNIX and Windows passwords.

  • ophcrack (http://ophcrack.sourceforge.net) cracks Windows user passwords using rainbow tables from a bootable CD.

  • Pandora (www.nmrc.org/project/pandora) cracks Novell NetWare passwords online and offline.

  • Proactive Password Auditor (www.elcomsoft.com/ppa.html) runs brute-force, dictionary, and rainbow cracks against extracted LM and NTLM password hashes.

  • Proactive System Password Recovery (www.elcomsoft.com/pspr.html) recovers practically any locally stored Windows password, such as logon passwords, WEP/WPA passphrases, SYSKEY passwords, and RAS/dialup/VPN passwords.

  • pwdump3 (www.openwall.com/passwords/dl/pwdump/pwdump3v2.zip) extracts Windows password hashes from the SAM database.

  • RainbowCrack (http://project-rainbowcrack.com) cracks LAN Manager (LM) and MD5 hashes very quickly by using rainbow tables.

Tip

Some of these tools require physical access to the systems you're testing. You might be wondering what value that adds to password cracking. If a hacker can obtain physical access to your systems and password files, you have more than just basic information security problems to worry about, right? True, but this kind of access is entirely possible! What about a summer intern, a disgruntled employee, or an outside auditor with malicious intent?

Password-cracking utilities take a set of candidate passwords and run them through the same password-hashing algorithm the target system uses. The resulting hashes are then compared at lightning speed to the password hashes extracted from the original password database. When a newly generated hash matches a hash in the original database, the password has been cracked. It's that simple.

Other password cracking programs simply attempt to log on using a predefined set of user IDs and passwords. This is how many dictionary-based cracking tools work, such as Brutus (www.hoobie.net/brutus) and SQLPing3 (www.sqlsecurity.com/Tools/FreeTools/tabid/65/Default.aspx). I cover cracking Web application and database passwords in Chapters 14 and 15.

Passwords that are subjected to cracking tools eventually lose. You have access to the same tools as the bad guys. These tools can be used for both legitimate security assessments and malicious attacks. You want to find password weaknesses before the bad guys do, and in this section, I show you some of my favorite methods for assessing Windows and Linux/UNIX passwords.

Warning

When trying to crack passwords by attempting logins against a live system, the associated user accounts might be locked out, which could interrupt your users. Be careful if your systems' intruder lockout is enabled; otherwise, you might lock out some or all computer/network accounts, resulting in a sort of denial of service situation for your users. Cracking hashes you've already extracted, as in the pwdump3 and John the Ripper steps later in this chapter, happens offline and never touches the login service, so it can't trigger lockouts.

Passwords are typically not stored in the clear on a computer. They're run through a one-way hash function, such as the DES-based UNIX crypt or MD5, and only the hash is kept. A hash is a fixed-length string, and the same password always produces exactly the same hash. Hashes are irreversible for all practical purposes, so, in theory, passwords can never be decrypted; cracking works by guessing candidates and hashing them, not by reversing the hash. Furthermore, certain systems, such as Linux, add a random value called a "salt" to each password before hashing it to create a degree of randomness. This prevents the same password used by two people from having the same hash value, and it forces an attacker to hash every candidate separately for each account instead of once for the whole database, which also defeats precalculated hash tables.

Note

Password storage locations vary by operating system:

  • Windows usually stores passwords in these locations:

    • Security Accounts Manager (SAM) database (c:\winnt\system32\config)

    • Active Directory database file that's stored locally or spread across domain controllers (ntds.dit)

    Warning

    Windows sometimes stores passwords in either a backup of the SAM file in the c:\winnt\repair directory or on an emergency repair disk.

    Some Windows applications store passwords in the Registry or as plain-text files on the hard drive!

  • Linux and other UNIX variants typically store passwords in these files:

    • /etc/passwd (readable by everyone; on systems that use shadow passwords, the password field holds only an x placeholder and the hash lives in /etc/shadow)

    • /etc/shadow (accessible by the system and the root account only)

    • /etc/security/passwd (accessible by the system and the root account only)

    • /.secure/etc/passwd (accessible by the system and the root account only)

Dictionary attacks

Dictionary attacks quickly compare a set of known dictionary-type words, including many common passwords, against a password database. The word list is a text file with hundreds if not thousands of "dictionary" words, typically listed one per line in alphabetical order. For instance, suppose that you have a dictionary file that you downloaded from one of the sites in the following list. The English dictionary file at the Purdue site contains one word per line starting with 10th, 1st ... all the way to zygote.

Many password-cracking utilities can use a separate dictionary that you create or download from the Internet. Here are some popular sites that house dictionary files and other miscellaneous word lists:

  • ftp://ftp.cerias.purdue.edu/pub/dict

  • ftp://ftp.ox.ac.uk/pub/wordlists

  • http://packetstormsecurity.nl/Crackers/wordlists

  • www.outpost9.com/files/WordLists.html

The above links are good but I find the BlackKnightList (http://rs159.rapidshare.com/files/184075601/BlackKnightList.rar) is the most comprehensive. After you download the file, you need WinRAR (www.rarlab.com) or a similar program to open it and gain access to the text file inside.

Don't forget to use other language files as well, such as Spanish and Klingon.

Note

Dictionary attacks are only as good as the dictionary files you supply your password-cracking program.

Most dictionary attacks are good for weak (easily guessed) passwords. However, some special dictionaries have common misspellings or alternate spellings of words, such as pa$$w0rd (password) and 5ecur1ty (security). Additionally, special dictionaries can contain non-English words and thematic words from religions, politics, or Star Trek.
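The hash-and-compare loop that cracking utilities run, and the effect of the salt described in the hashing note above, as an added Python example that is not part of this chapter or of any of the tools listed in it. The word list, user names, salts and "stolen" hash databases are constructed for the demonstration, and MD5 and salted SHA-256 stand in for whatever hash the target system really uses:

```python
import hashlib

# Constructed word list, in the order a cracker would read it from the file.
WORDLIST = ["123456", "password", "letmein", "qwerty", "zygote",
            "pa$$w0rd", "5ecur1ty", "correcthorse"]


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def salted_sha256_hex(salt: str, s: str) -> str:
    # Salt prepended to the password before hashing, the pattern the UNIX crypt family uses.
    return hashlib.sha256((salt + s).encode()).hexdigest()


# Constructed "stolen" databases. Alice and Bob chose the same password;
# Dave's password isn't in the word list and should survive both attacks.
UNSALTED_DB = {
    "alice": md5_hex("password"),
    "bob":   md5_hex("password"),
    "carol": md5_hex("5ecur1ty"),
    "dave":  md5_hex("Zq7#pLw9!"),
}
SALTED_DB = {
    "alice": ("a1b2", salted_sha256_hex("a1b2", "password")),
    "bob":   ("c3d4", salted_sha256_hex("c3d4", "password")),
    "carol": ("e5f6", salted_sha256_hex("e5f6", "5ecur1ty")),
    "dave":  ("g7h8", salted_sha256_hex("g7h8", "Zq7#pLw9!")),
}


def crack_unsalted(db, wordlist):
    """Hash the word list once, then match every account against that lookup table.
    Returns (cracked accounts, number of hashes computed)."""
    table = {md5_hex(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in db.items() if h in table}
    return cracked, len(wordlist)  # one hash per word, however many accounts


def crack_salted(db, wordlist):
    """Each account has its own salt, so the word list has to be rehashed per account.
    Returns (cracked accounts, number of hashes computed)."""
    cracked, hashes_computed = {}, 0
    for user, (salt, h) in db.items():
        for w in wordlist:
            hashes_computed += 1
            if salted_sha256_hex(salt, w) == h:
                cracked[user] = w
                break
    return cracked, hashes_computed


if __name__ == "__main__":
    print("same password gives same unsalted hash:", UNSALTED_DB["alice"] == UNSALTED_DB["bob"])
    print("same password gives same salted hash:  ", SALTED_DB["alice"][1] == SALTED_DB["bob"][1])
    print("unsalted:", crack_unsalted(UNSALTED_DB, WORDLIST))
    print("salted:  ", crack_salted(SALTED_DB, WORDLIST))
```

The unsalted run needs eight hash computations for any number of accounts, and Alice's and Bob's identical hashes give away their shared password before a single guess is made; the salted run has to repeat the whole list per account, which is exactly the cost a salt is meant to impose.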

Brute-force attacks

Brute-force attacks can crack practically any password, given sufficient time. Brute-force attacks try every combination of numbers, letters, and special characters until the password is discovered. Many password-cracking utilities let you specify such testing criteria as the character sets, password length to try, and known characters (for a "mask" attack). Sample Proactive Password Auditor brute-force password-cracking options are shown in Figure 7-1.

Warning

A brute-force test can take quite a while, depending on the number of accounts, their associated password complexities, and the speed of the computer that's running the cracking software. As powerful as brute-force testing can be, it literally can take forever to exhaust all possible password combinations, which in reality, is not practical in every situation.

Brute-force password-cracking options in Proactive Password Auditor

Figure 7-1. Brute-force password-cracking options in Proactive Password Auditor

Warning

Smart hackers attempt logins slowly or at random times so the failed login attempts aren't as predictable or obvious in the system log files. Some malicious users might even call the IT help desk to attempt a reset of the account they just locked out. This social-engineering technique could be a major issue, especially if the organization has no (or minimal) mechanisms in place to verify that locked-out users are who they say they are.

Can an expiring password deter a hacker's attack and render password-cracking software useless? Yes. After the password is changed, the cracking must start again if the hacker wants to test all the possible combinations.

This is one reason why it's often a good idea to change passwords periodically. Shortening the change interval can reduce the risk of passwords being cracked, but only when the interval is shorter than the time an attacker needs to crack the hash; weak passwords fall in seconds, as the John the Ripper example later in this chapter shows, so expiration is no substitute for length. Refer to the U.S. Department of Defense's Password Management Guideline document (www.itl.nist.gov/fipspubs/app-e.htm) for more information on this topic.

Tip

Exhaustive password cracking attempts usually aren't necessary. Most passwords are fairly weak. Even minimum password requirements, such as a password length, can help you in your testing; you might be able to discover security policy information by using other tools (see Part IV for tools and techniques for testing the security of operating systems) and configure your cracking programs with more well-defined cracking parameters, which often generate faster results.
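Brute-force search with a chosen character set, a length range and a mask of known characters, as an added Python example that is not from this chapter or from Proactive Password Auditor. The targets are MD5 hashes of constructed passwords; the ?l, ?d and ?a mask classes and the function names are this example's own conventions. It also computes the size of each search space, which is how you judge whether an exhaustive run is practical before starting it, and it shows how much a narrowed character set buys you:

```python
import hashlib
import itertools
import string

LOWER = string.ascii_lowercase
DIGITS = string.digits
ALNUM = LOWER + DIGITS                                # the 36-character set from this chapter
PRINTABLE = "".join(chr(c) for c in range(32, 127))   # 95 printable ASCII characters


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def keyspace_size(charset: str, min_len: int, max_len: int) -> int:
    """Number of candidate passwords of length min_len..max_len over charset."""
    return sum(len(charset) ** n for n in range(min_len, max_len + 1))


def candidates(charset: str, min_len: int, max_len: int):
    """Exhaustive search order: shortest lengths first, then charset order per position."""
    for n in range(min_len, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            yield "".join(combo)


MASK_CLASSES = {"l": LOWER, "d": DIGITS, "a": PRINTABLE}


def mask_candidates(mask: str):
    """Mask attack: '?l' = lowercase letter, '?d' = digit, '?a' = any printable character;
    any other character in the mask is a literal you already know."""
    slots, i = [], 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask) and mask[i + 1] in MASK_CLASSES:
            slots.append(MASK_CLASSES[mask[i + 1]])
            i += 2
        else:
            slots.append(mask[i])
            i += 1
    for combo in itertools.product(*slots):
        yield "".join(combo)


def crack(target_hex: str, gen):
    """Hash each candidate and compare; returns (password or None, candidates tried)."""
    tried = 0
    for cand in gen:
        tried += 1
        if md5_hex(cand) == target_hex:
            return cand, tried
    return None, tried


if __name__ == "__main__":
    print("8 chars, letters+digits:", keyspace_size(ALNUM, 8, 8))
    print("5 chars, all printable :", keyspace_size(PRINTABLE, 5, 5))
    print("5 chars, lowercase only:", keyspace_size(LOWER, 5, 5))
    print("unrestricted:", crack(md5_hex("ab1"), candidates(ALNUM, 1, 3)))
    print("mask ab?d?d :", crack(md5_hex("ab12"), mask_candidates("ab?d?d")))
```

Restricting five positions from all printable characters to lowercase letters divides the search space by about 650, and knowing the first two characters of a six-character password (the mask case) leaves only 100 candidates; that is the kind of "well-defined cracking parameter" the tip refers to.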

Rainbow attacks

A rainbow password attack uses rainbow tables (see the earlier sidebar, "A case study in Windows password vulnerabilities with Philippe Oechslin") to crack various password hashes for LM, NTLM, Cisco PIX, and MD5 much more quickly and with extremely high success rates (near 100% for any password within the character set and length the table was built for). Password-cracking speed is increased in a rainbow attack because the hashes are precalculated and thus don't have to be generated individually on the fly as they are with dictionary and brute-force cracking methods. It's a time-memory tradeoff: the computing work is done once, when the table is generated, and each lookup afterwards costs only a handful of hash operations and a table search.

Warning

Unlike dictionary and brute-force attacks, rainbow attacks can't handle passwords of unlimited length: a table covers only the character set and length range it was generated for. LM hashes are the easy case because Windows limits an LM password to 14 characters and hashes it as two independent 7-character halves, so tables that cover LM completely are available for purchase and download via the ophcrack site at http://ophcrack.sourceforge.net. There's a length limitation because it takes significant time and disk space to generate these rainbow tables. Given enough time, a sufficient number of tables will be created. Of course, by then, computers and applications likely have different authentication mechanisms and hashing standards, including a new set of vulnerabilities, to contend with. Rainbow tables also work only against unsalted hashes; a salt would require a separate table for every salt value, which is why LM and NTLM hashes are susceptible and salted Linux/UNIX hashes are not.

If you have a good set of rainbow tables, such as those offered via the ophcrack site and Project RainbowCrack (http://project-rainbowcrack.com), you can crack passwords in seconds, minutes, or hours versus the days, weeks, or even years required by dictionary and brute-force methods.
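A miniature rainbow table, as an added Python example that makes the precalculation, the chain structure and the column-specific reduction function concrete; it is not code from ophcrack or RainbowCrack. It covers only 4-letter lowercase passwords under unsalted MD5 so that it builds in about a second, and the chain length, number of chains, start points and reduction function are arbitrary choices for the demonstration:

```python
import hashlib

CHARSET = "abcdefghijklmnopqrstuvwxyz"
PW_LEN = 4
N = len(CHARSET) ** PW_LEN        # 456,976 possible passwords in this toy keyspace
CHAIN_LEN = 60                    # hash/reduce steps per chain


def H(pw: str) -> str:
    return hashlib.md5(pw.encode()).hexdigest()


def index_to_pw(idx: int) -> str:
    """Map an integer in [0, N) onto a password (base-26 digits)."""
    chars = []
    for _ in range(PW_LEN):
        chars.append(CHARSET[idx % len(CHARSET)])
        idx //= len(CHARSET)
    return "".join(chars)


def R(h: str, column: int) -> str:
    """Reduction function: squash a hash back into the password space.
    Mixing in the column number gives every column its own reduction; that is what
    distinguishes a rainbow table from plain hash chains and limits chain merges."""
    return index_to_pw((int(h[:16], 16) + column) % N)


def chain_element(start: str, k: int) -> str:
    """The k-th password on the chain that begins at start (k = 0 is start itself)."""
    pw = start
    for column in range(k):
        pw = R(H(pw), column)
    return pw


def build_table(starts):
    """Store only endpoint -> [starts]; the interior of each chain is recomputed on demand."""
    table = {}
    for start in starts:
        end = chain_element(start, CHAIN_LEN)
        table.setdefault(end, []).append(start)
    return table


def lookup(table, target_hash: str):
    """Return a preimage of target_hash, or None if no chain in the table covers it."""
    # Assume the hash sits in column j and run the rest of the chain to its endpoint.
    for j in range(CHAIN_LEN - 1, -1, -1):
        pw = R(target_hash, j)
        for column in range(j + 1, CHAIN_LEN):
            pw = R(H(pw), column)
        for start in table.get(pw, []):
            # Endpoint matched: regenerate that chain from its start and look for the hash.
            cand = start
            for column in range(CHAIN_LEN):
                h = H(cand)
                if h == target_hash:
                    return cand
                cand = R(h, column)
            # Endpoint matched but the hash isn't on this chain: a false alarm from a merge.
    return None


# Constructed, deterministic start points spread across the keyspace.
STARTS = [index_to_pw((k * 104729) % N) for k in range(400)]
TABLE = build_table(STARTS)

if __name__ == "__main__":
    victim = chain_element("aaaa", 17)       # a password we know some chain covers
    print("distinct endpoints stored:", len(TABLE))
    print("cracked:", lookup(TABLE, H(victim)), "expected:", victim)
    print("same password, salted hash:", lookup(TABLE, H("s4lt" + victim)))
```

The table keeps 400 endpoint/start pairs and nothing else, yet a lookup recovers any of the roughly 24,000 passwords those chains pass through with a few thousand hash operations instead of up to 456,976. The last line shows the salt caveat: the hash of the salted password is simply not in any chain, so the table is useless against it.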

Cracking Windows passwords with pwdump3 and John the Ripper

The following steps use two of my favorite utilities to test the security of current passwords on Windows systems:

  • pwdump3 (to extract password hashes from the Windows SAM database)

  • John the Ripper (to crack the hashes of Windows and Linux/UNIX passwords)

This test requires administrative access to either your Windows standalone workstation or the server:

  1. Create a new directory called passwords from the root of your Windows C: drive.

  2. Download and install a decompression tool if you don't already have one.

    Tip

    WinZip (www.winzip.com) is a good commercial tool I use and FreeZip (http://members.ozemail.com.au/~nulifetv/freezip) is a free decompression tool. Windows XP, Windows Vista, and Windows 7 also include built-in zip file handling.

  3. Download, extract, and install the following software into the passwords directory you created, if you don't already have it on your system:

    • pwdump3: Download the file from www.openwall.com/passwords/dl/pwdump/pwdump3v2.zip

    • John the Ripper: Download the file from www.openwall.com/john

  4. Enter the following command to run pwdump3 and redirect its output to a file called cracked.txt:

    c:\passwords\pwdump3 > cracked.txt

    This file captures the Windows SAM password hashes that you then crack with John the Ripper. Figure 7-2 shows the contents of the cracked.txt file that contains the local Windows SAM database password hashes.

    Output from pwdump3

    Figure 7-2. Output from pwdump3

  5. Enter the following command to run John the Ripper against the Windows SAM password hashes to display the cracked passwords:

    c:\passwords\john cracked.txt

    This process — shown in Figure 7-3 — can take seconds or days, depending on the number of users and the complexity of their associated passwords. My Windows example took only five seconds to crack five weak passwords.

    Cracked passwordfile hashes using John the Ripper

    Figure 7-3. Cracked passwordfile hashes using John the Ripper

Cracking UNIX passwords with John the Ripper

John the Ripper can also crack UNIX passwords. You need root access to your system and to the password (/etc/passwd) and shadow password (/etc/shadow) files. Perform the following steps for cracking UNIX passwords:

  1. Download the UNIX source files from www.openwall.com/john.

  2. Extract the program by entering the following command:

    [root@localhost kbeaver]# tar -zxf john-1.7.1.tar.gz

    Tip

    You can crack UNIX passwords on a Windows system using the Windows/DOS version of John the Ripper.

  3. Change to the src subdirectory that was created when you extracted the program and enter the following command:

    make generic

  4. Change to the run subdirectory and enter the following command to use the unshadow program to combine the passwd and shadow files and copy them to the file cracked.txt:

    ./unshadow /etc/passwd /etc/shadow > cracked.txt

    Warning

    This will not work with all UNIX variants.

  5. Enter the following command to start the cracking process:

    ./john cracked.txt

    When John the Ripper is complete (and this could take some time), the output is similar to the results of the preceding Windows process. (Refer to Figure 7-3.)
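What unshadow does in step 4, as an added Python example that is not part of John the Ripper: it merges the two files into John's input format and classifies each account's hash field, which tells you which accounts are worth cracking and which are empty or locked before you spend hours on them (the same empty-password finding chknull reports for NetWare later in this chapter). The passwd and shadow lines are constructed, with placeholder hash values in the right shape rather than real hashes, and the prefix table reflects the crypt formats commonly seen on Linux and BSD systems:

```python
# Constructed sample files modelled on the /etc/passwd and /etc/shadow formats.
# The hash values are placeholders with the right shape, not real hashes.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc:x:1001:1001:Service account:/var/svc:/bin/sh
legacy:x:1002:1002:Old account:/home/legacy:/bin/sh
daemon:x:2:2:daemon:/sbin:/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

SHADOW = """\
root:$6$c0nstructed$N0tARealHashJustTheRightShapeF0rTheDem0:19000:0:99999:7:::
alice:$1$c0nstruc$N0tARealHashDem0:19000:0:99999:7:::
svc::19000:0:99999:7:::
legacy:abC0nstructed:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
"""

# crypt(3) hash prefixes and the John format name a practitioner would pass with --format.
PREFIXES = {
    "$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt", "$6$": "sha512crypt", "$7$": "scrypt", "$y$": "yescrypt",
}


def parse_colon_file(text: str) -> dict:
    """name -> list of colon-separated fields, preserving file order."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        entries[fields[0]] = fields
    return entries


def unshadow(passwd_text: str, shadow_text: str) -> list:
    """Merge like John's unshadow: each passwd line with the real hash in field 2.
    Accounts with no shadow entry keep their 'x' placeholder."""
    shadow = parse_colon_file(shadow_text)
    merged = []
    for name, fields in parse_colon_file(passwd_text).items():
        fields = fields[:]
        if name in shadow:
            fields[1] = shadow[name][1]
        merged.append(":".join(fields))
    return merged


def classify_hash(field: str) -> str:
    if field == "":
        return "empty"            # no password required: the chknull-style finding
    if field == "x":
        return "no-shadow-entry"  # passwd pointed at shadow, but shadow has no line
    if field[0] in "!*":
        return "locked"           # password login disabled, whatever follows
    for prefix, name in PREFIXES.items():
        if field.startswith(prefix):
            return name
    if len(field) == 13 and "$" not in field:
        return "descrypt"         # traditional DES-based crypt, 8 significant chars
    return "unknown"


def audit(passwd_text: str, shadow_text: str) -> dict:
    """name -> hash classification for every account in the merged file."""
    result = {}
    for line in unshadow(passwd_text, shadow_text):
        fields = line.split(":")
        result[fields[0]] = classify_hash(fields[1])
    return result


if __name__ == "__main__":
    for line in unshadow(PASSWD, SHADOW):
        print(line)
    for name, kind in audit(PASSWD, SHADOW).items():
        print(f"{name:8s} {kind}")
```

Feeding John a merged file is what lets it print the GECOS, home directory and shell beside each cracked password; the classification step is what stops you from running a day-long sha512crypt job over accounts that turn out to be locked, or from missing an account that needs no password at all.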

After completing the preceding Windows or UNIX steps, you can either force users to change passwords that don't meet specific password policy requirements, or create a new password policy.

Warning

Be careful handling the results of your password cracking. You create an accountability issue because more than one person now knows the passwords. Always treat the password information of others as strictly confidential.

Cracking Windows passwords using rainbow tables with ophcrack

You can also perform a rainbow attack by using the open source tool ophcrack (not to be confused with the retired L0phtcrack). Perform the following steps for the Windows version:

  1. Download the source file from http://ophcrack.sourceforge.net.

  2. Extract and install the program by entering the following command:

    ophcrack-win32-installer-3.3.1.exe (or whatever the current filename is)

  3. Load the program.

  4. Click the Load button and select the type of test you wish to run.

    In this example, shown in Figure 7-4, I'm connecting to a remote server called test1. This way, ophcrack will authenticate to the remote server using my locally logged-in username and run pwdump code to extract the password hashes from the server's SAM database. You can also load hashes from the local machine or from hashes extracted during a previous pwdump session.

    The extracted password hash usernames will look similar to those shown in Figure 7-5.

    Loading password hashes from a remote SAM database in ophcrack.

    Figure 7-4. Loading password hashes from a remote SAM database in ophcrack.

    Usernames extracted via ophcrack

    Figure 7-5. Usernames extracted via ophcrack

  5. Click the Launch icon to begin the rainbow crack process.

    The process can take a little while depending on your computer's speed. Three of the long, random passwords I created for my test accounts were cracked in just a couple of minutes, as shown in Figure 7-6. The only reason the fourth wasn't cracked is because it had an exclamation point on the end and I was using ophcrack's smaller "10k" alphanumeric character set that doesn't test for extended characters. ophcrack has other options that will test for extended characters, so no worries for more "creative" passwords.

    Cracked hashes using ophcrack

    Figure 7-6. Cracked hashes using ophcrack

There's also a bootable Linux-based version of ophcrack (available at http://ophcrack.sourceforge.net) that allows you to boot a system and start cracking passwords without having to log in or install any software.

Tip

I highly recommend you use the ophcrack LiveCD on a sample laptop computer or two to demonstrate just how simple it is to recover passwords, and subsequently, sensitive information from laptops that do not have encrypted hard drives.

Warning

Before submitting password hashes to a third party, make sure doing so will not violate any internal policies, business contracts, or nondisclosure agreements or get you into hot water. Also, remember that submitting password hashes to a third party creates an accountability issue because three or more parties technically have access to the passwords.

Checking for null/blank passwords in NetWare

By using the chknull program, you can test for NetWare users that have empty passwords, passwords that match their usernames, and passwords that match a specific password that you supply on the command line. Figure 7-7 shows the output of a chknull session against a NetWare server without being logged in: Four users have blank passwords, three users have the password "123," and one user's password is the same as her username (avadminuser).

NetWare password weaknesses found with chknull.

Figure 7-7. NetWare password weaknesses found with chknull.

Password-protected files

Do you wonder how vulnerable password-protected word-processing, spreadsheet, and zip files are when users send them into the wild blue yonder? Wonder no more. Some great utilities can show how easily passwords are cracked.

Cracking files

Most password-protected files can be cracked in seconds or minutes. You can demonstrate this "wow factor" security vulnerability to users and management. Here's a hypothetical real-world scenario:

  1. Your CFO wants to send some confidential financial information in an Excel spreadsheet to a company board member.

  2. She protects the spreadsheet by assigning it a password during the file-save process in Excel.

  3. For good measure, she uses WinZip to compress the file, and adds another password to make it really secure.

  4. The CFO sends the spreadsheet as an e-mail attachment, assuming that the e-mail will reach its destination.

    The financial advisor's network has content filtering, which monitors incoming e-mails for keywords and file attachments. Unfortunately, the financial advisory firm's network administrator is looking in the content-filtering system to see what's coming in.

  5. This rogue network administrator finds the e-mail with the confidential attachment, saves the attachment, and realizes that it's password protected.

  6. The network administrator remembers a great password-cracking tool available from Elcomsoft called Advanced Archive Password Recovery (www.elcomsoft.com/archpr.html) that can help him out so he proceeds to use it to crack the password.

Cracking password-protected files is as simple as that! Now all that the rogue network administrator must do is forward the confidential spreadsheet to his buddies or to the company's competitors.

Tip

If you carefully select the right options in Advanced Archive Password Recovery, you can drastically shorten your testing time. For example, if you know that a password is not over five characters long or is lowercase letters only, you can cut the cracking time in half.

I recommend performing these file password-cracking tests on files that you capture with a content filtering or network analysis tool. This is a good way to determine whether your users are adhering to policy and using adequate passwords to protect sensitive information they're sending.

Countermeasures

The best defense against weak file password protection is to require your users to use a stronger form of file protection, such as PGP, or the AES encryption that's built in to WinZip, when necessary. Ideally, you don't want to rely on users to make decisions about what they should use to secure sensitive information, but it's better than nothing. Stress that a file encryption mechanism, such as a password-protected zip file, is secure only if users keep their passwords confidential and never transmit or store them in unsecure cleartext (such as in a separate e-mail).

If you're concerned about unsecure transmissions through e-mail, consider using a content filtering or data leak prevention system to block all outbound e-mail attachments that aren't protected on your e-mail server.

Other ways to crack passwords

Over the years, I've found other ways to crack (or capture) passwords technically and through social engineering.

Keystroke logging

One of the best techniques for capturing passwords is remote keystroke logging — the use of software or hardware to record keystrokes as they're typed into the computer.

Warning

Be careful with keystroke logging. Even with good intentions, monitoring employees raises various legal issues if it's not done correctly. Discuss with your legal counsel what you'll be doing, ask for their guidance, and get approval from upper management.

Logging tools

With keystroke-logging tools, you can assess the log files of your application to see what passwords people are using:

  • Keystroke-logging applications can be installed on the monitored computer. I recommend that you check out eBlaster and Spector Pro by SpectorSoft (www.spectorsoft.com). Another popular tool is Invisible KeyLogger Stealth, available at www.amecisco.com/iks.htm. Dozens of other such tools are available on the Internet.

  • Hardware-based tools, such as KeyGhost (www.keyghost.com), fit between the keyboard and the computer or replace the keyboard altogether.

Warning

A keystroke-logging tool installed on a shared computer can capture the passwords of every user who logs in.

Countermeasures

The best defense against the installation of keystroke-logging software on your systems is to use a spyware-detection program or other antivirus product. As for physical keyloggers, you'll need to visually inspect each system.

Warning

The potential for hackers to install keystroke-logging software is another reason to ensure that your users aren't downloading and installing random shareware or opening attachments in unsolicited e-mails. Consider locking down your desktops by setting the appropriate user rights through local or group security policy in Windows. Alternatively, you could use a commercial lockdown program, such as Fortres 101 (www.fortresgrand.com) for Windows or Deep Freeze (www.faronics.com/html/deepfreeze.asp) for Windows, Linux, and Mac OS X.

Weak password storage

Many legacy and standalone applications, such as e-mail, dial-up network connections, and accounting software, store passwords locally, making them vulnerable to password hacking. By performing a basic text search, I've found passwords stored in cleartext on the local hard drives of machines. You can automate the process even further by using a program called Identity Finder Pro (www.identityfinder.com/pro). I cover these file and related storage vulnerabilities in Chapter 15.

Searching

You can try using your favorite text-searching utility — such as the Windows search function, findstr, or grep — to search for password or passwd on your computer's drives. You might be shocked to find what's on your systems. Some programs even write passwords to disk or leave them stored in memory.
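An added example, not code from the book: a small scanner that automates the findstr/grep search described above over a directory tree, using constructed sample files, and masking every value it finds so the report itself does not become a password store.

```python
"""Added example (not from the book): automate the findstr/grep search for
cleartext passwords over a directory tree, reporting where they are while
masking the value so the report does not itself leak anything."""
from __future__ import annotations
import os
import re
import tempfile

# Credential-looking lines: the words the book suggests searching for, plus
# the key=value / key: value forms that config files and scripts use.
CRED_PATTERN = re.compile(
    r"(?i)\b(password|passwd|pwd|pass)\b\s*[=:]\s*['\"]?([^'\"\s;]+)"
)

def mask(secret: str) -> str:
    """Keep the first character only, so a hit can be recognised but not reused."""
    return secret[0] + "*" * (len(secret) - 1) if secret else ""

def scan_file(path: str) -> list[tuple[int, str, str]]:
    """Return (line_number, key, masked_value) for each credential-looking line."""
    hits = []
    try:
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            for lineno, line in enumerate(fh, 1):
                for m in CRED_PATTERN.finditer(line):
                    hits.append((lineno, m.group(1).lower(), mask(m.group(2))))
    except OSError:
        pass  # unreadable file: skip it rather than abort the whole scan
    return hits

def scan_tree(root: str) -> dict[str, list[tuple[int, str, str]]]:
    """Map each relative path under root that has hits to its list of hits."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            hits = scan_file(full)
            if hits:
                results[os.path.relpath(full, root)] = hits
    return results

def build_sample_tree() -> str:
    """Constructed sample files (not real data) to run the scanner against."""
    root = tempfile.mkdtemp(prefix="credscan_")
    os.makedirs(os.path.join(root, "app"))
    with open(os.path.join(root, "app", "db.ini"), "w") as fh:
        fh.write("[database]\nuser=appuser\npassword = Summer2010!\n")
    with open(os.path.join(root, "mail.txt"), "w") as fh:
        fh.write("POP3 settings\npasswd: letmein\nserver: mail.example.com\n")
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("No secrets here, just a reminder to change the password.\n")
    return root

if __name__ == "__main__":
    for path, hits in scan_tree(build_sample_tree()).items():
        for lineno, key, value in hits:
            print(f"{path}:{lineno}: {key} = {value}")
```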

Note

Weak password storage is a hacker's dream. Head it off if you can.

Countermeasures

The only reliable way to eliminate weak password storage is to use only applications that store passwords securely. This might not be practical, but it's your only guarantee that your passwords are secure. Another option is to instruct users not to store their passwords when prompted.

Before upgrading applications, contact your software vendor to see how they manage passwords, or search for a third-party solution.

Network analyzer

A network analyzer sniffs the packets traversing the network. This is what the bad guys do if they can gain control of a computer, tap into your wireless network, or gain physical network access to set up their network analyzer. If they gain physical access, they can look for a network jack on the wall and plug right in!

Testing

Figure 7-8 shows how crystal-clear passwords can be through the eyes of a network analyzer. This figure shows how Cain & Abel (www.oxid.it/cain.html) can glean thousands of passwords going across the network in a matter of a couple of hours. As you can see in the left pane, these clear-text password vulnerabilities can apply to FTP, Web, telnet, and more. (The actual usernames and passwords are blurred out to protect them.)

Figure 7-8. Using Cain & Abel to capture passwords going across the network.

If traffic is not tunneled through a VPN, SSH, SSL, or some other form of encrypted link, it's vulnerable to attack.

Cain & Abel is a password-cracking tool that also has network analysis capabilities. You can also use a regular network analyzer, such as the commercial products OmniPeek (www.wildpackets.com/products/distributed_network_analysis/omnipeek_network_analyzer) and CommView (www.tamos.com/products/commview) as well as the free open source program, Wireshark (www.wireshark.org). With a network analyzer, you can search for password traffic in various ways. For example, to capture POP3 password traffic, you can set up a filter and a trigger to search for the PASS command. When the network analyzer sees the PASS command in the packet, it captures that specific data.
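An added example, not the book's or Cain & Abel's code: the PASS-command trigger described above, applied to constructed TCP payloads instead of a live capture, to report which sessions sent credentials in cleartext. The port-to-protocol rules, the Packet layout and the sample packets are all assumptions made for the example.

```python
"""Added example (not the book's or Cain & Abel's code): the PASS-command
trigger the book describes, applied to constructed TCP payloads rather than
a live capture, to report which sessions sent credentials in cleartext."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed rules: server port -> (protocol name, regex for a login command
# line, or None where the whole payload is keystrokes, as with telnet).
LOGIN_CMD = re.compile(r"^(USER|PASS)\s+(\S+)", re.I)
CLEARTEXT_RULES = {110: ("POP3", LOGIN_CMD), 21: ("FTP", LOGIN_CMD), 23: ("telnet", None)}

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes

@dataclass
class Finding:
    protocol: str
    client: str
    server: str
    user: Optional[str] = None
    password_seen: bool = False   # recorded as a fact, never the value itself

def inspect(packets: List[Packet]) -> List[Finding]:
    """Group packets by (client, server, port); return sessions that sent a password."""
    sessions: Dict[Tuple[str, str, int], Finding] = {}
    for p in packets:
        rule = CLEARTEXT_RULES.get(p.dport)
        if rule is None:
            continue                      # not a cleartext login protocol we watch
        proto, pattern = rule
        key = (p.src, p.dst, p.dport)
        finding = sessions.setdefault(key, Finding(proto, p.src, f"{p.dst}:{p.dport}"))
        if pattern is None:               # telnet: any payload is cleartext keystrokes
            finding.password_seen = True
            continue
        for line in p.payload.decode("ascii", errors="ignore").splitlines():
            m = pattern.match(line)
            if not m:
                continue
            if m.group(1).upper() == "USER":
                finding.user = m.group(2)
            else:                         # the PASS trigger the book describes
                finding.password_seen = True
    return [f for f in sessions.values() if f.password_seen]

# Constructed packets, not a real capture.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "10.0.0.20", 110, b"USER alice\r\n"),
    Packet("10.0.0.5", "10.0.0.20", 110, b"PASS example-pw\r\n"),
    Packet("10.0.0.7", "10.0.0.30", 21, b"USER ftpadmin\r\nPASS example-pw\r\n"),
    Packet("10.0.0.9", "10.0.0.20", 110, b"STAT\r\n"),              # no login command
    Packet("10.0.0.9", "10.0.0.40", 443, b"\x16\x03\x01\x00\x05"),  # TLS, not inspected
]

if __name__ == "__main__":
    for f in inspect(SAMPLE_PACKETS):
        print(f"{f.protocol}: {f.client} -> {f.server} user={f.user} sent a password in cleartext")
```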

Network analyzers require you to capture data on a hub segment of your network or via a monitor/mirror/span port on a switch. Otherwise, you can't see anyone else's data traversing the network — just yours. Check your switch's user guide for whether it has a monitor or mirror port and instructions on how to configure it. You can connect your network analyzer to a hub on the public side of your firewall. You'll capture only those packets that are entering or leaving your network — not internal traffic. I cover this type of network infrastructure hacking in detail in Chapter 8.

Countermeasures

Here are some good defenses against network analyzer attacks:

  • Use switches on your network, not hubs. If you must use hubs on network segments, a program like sniffdet (http://sniffdet.sourceforge.net) for UNIX-based systems and PromiscDetect (http://ntsecurity.nu/toolbox/promiscdetect) for Windows can detect network cards in promiscuous mode (accepting all packets, whether destined for the local machine or not). A network card in promiscuous mode signifies a network analyzer is running on the network.

  • Make sure that unsupervised areas, such as an unoccupied lobby or training room, don't have live network connections.

  • Don't let anyone without a business need gain physical access to your switches or the network connection on the public side of your firewall. With physical access, a hacker can connect to a switch monitor port or tap into the unswitched network segment outside the firewall and capture packets.

Warning

Switches do not provide complete security because they are vulnerable to ARP poisoning attacks, which I cover in Chapter 8.

Weak BIOS passwords

Most computer BIOS (basic input/output system) settings allow power-on passwords and/or setup passwords to protect the computer's hardware settings that are stored in the CMOS chip. Here are some ways around these passwords:

  • You can usually reset these passwords either by unplugging the CMOS battery or by changing a jumper on the motherboard.

  • Password-cracking utilities for BIOS passwords are available on the Internet and from computer manufacturers.

  • If gaining access to the hard drive is your ultimate goal, you can simply remove the hard drive from the computer and install it in another one and you're good to go. This is a great way to prove that BIOS/power-on passwords are not an effective countermeasure for lost or stolen laptops.

Tip

For a good list of default system passwords for various vendor equipment, check www.cirt.net/passwords.

Countermeasures

There are tons of variables for hacking and hacking countermeasures depending on your hardware setup. If you plan to hack your own BIOS passwords, check for information in your user manual or refer to the BIOS password hacking guide I wrote at http://tinyurl.com/fwom6. If protecting the information on your hard drives is your ultimate goal then whole disk (PGP) or whole volume (Windows BitLocker) encryption is the best way to go.

Weak passwords in limbo

Bad guys often exploit user accounts that have just been created or reset by a network administrator or help desk. New accounts might need to be created for new employees or even for your own ethical hacking purposes. Accounts might need to be reset if users forget their passwords or if the accounts have been locked out because of failed attempts.

Weaknesses

Here are some reasons why user accounts can be vulnerable:

  • When user accounts are reset, they often are assigned an easily cracked password (such as the user's name or the word password). The time between resetting the user account and changing the password is a prime opportunity for a break-in.

  • Many systems have either default accounts or unused accounts with weak passwords or no passwords at all. These are prime targets.

Countermeasures

The best defenses against attacks on passwords in limbo are solid help desk policies and procedures that prevent weak passwords from being available at any given time during the new account generation and password reset processes. Perhaps the best ways to overcome this vulnerability are as follows:

  • Require users to be on the phone with the help desk, or have a help desk member perform the reset at the user's desk.

  • Require that the user immediately log in and change the password.

  • If you need the ultimate in security, implement stronger authentication methods, such as challenge/response questions, smart cards, or digital certificates.

  • Automate password reset functionality on your network so users can manage most of their password problems without help from others.

Password-reset programs

Network administrators occasionally use programs that reset the administrator password, which can be used against a network.

Tools

My favorite tool for this task is Elcomsoft System Recovery (www.elcomsoft.com/esr.html). You simply burn this tool to a CD and use it to boot the system you want to recover the password from, as shown in Figure 7-9.

You can also use another proven tool for Windows called NTAccess (www.mirider.com/ntaccess.html). This program isn't pretty or fancy, but it does the job. As with ophcrack, these tools provide an excellent way to demonstrate that you need to encrypt your laptop hard drives.

Tip

If you want to perform similar checks on a UNIX or Linux-based laptop, you should be able to boot from a Knoppix (www.knoppix.net) or similar "live" Linux distribution and edit the local password file (/etc/shadow) to reset or change the password. Remove the password hash between the first and second colons for the "root" (or whatever user) entry, or copy the hash from another user's entry and paste it into that area.

Countermeasures

The best safeguard against a hacker using a password reset program against your Windows systems is to encrypt your hard drives by using Windows BitLocker in Windows Vista and Windows 7 or PGP Whole Disk Encryption (www.pgp.com/products/wholediskencryption). For Linux you can use TrueCrypt (www.truecrypt.org). You also need to ensure that people can't gain unauthorized physical access to your computers. When a hacker has physical access and your drives are not encrypted, all bets are off.

Figure 7-9. Elcomsoft System Recovery CD for resetting Windows passwords.

General Password-Cracking Countermeasures

A password for one system usually equals passwords for many other systems because many people use the same (or at least similar) passwords on every system they use. For this reason, you might want to consider instructing users to create different passwords for different systems, especially on the systems that protect information that's more sensitive. The only downside to this is that users have to keep multiple passwords and, therefore, might be tempted to write them down, which can negate any benefits.

Tip

Strong passwords are important, but balance security and convenience:

  • You can't expect users to memorize passwords that are insanely complex and must be changed every few weeks.

  • You can't afford weak passwords or no passwords at all, so come up with a strong password policy and accompanying standard — preferably one that requires long and strong passphrases (combinations of words that are easily remembered yet next to impossible to crack) that have to be changed only once or twice a year.

Storing passwords

If you have to choose between weak passwords that your users can memorize and strong passwords that your users must write down, I recommend having users write down passwords and store the information securely. Train users to store their written passwords in a secure place — not on keyboards or in easily cracked password-protected computer files (such as spreadsheets). Users should store a written password in either of these locations:

  • A locked file cabinet or office safe

  • An encrypted file or database, using such tools as

    • PGP (www.pgpi.org offers the free, open-source version, and www.pgp.com offers the commercial version)

    • Password Safe, an open-source software originally developed by Counterpane (http://passwordsafe.sourceforge.net)

Warning

No passwords on sticky notes! People joke about it, but it happens a lot and it's not good for business!

Policy considerations

As an ethical hacker, you should show users the importance of securing their passwords. Here are some tips on how to do that:

  • Demonstrate how to create secure passwords. Refer to them as passphrases because people tend to take passwords literally and use only words, which can be less secure.

  • Show what can happen when weak passwords are used or passwords are shared.

  • Diligently build user awareness of social engineering attacks.

Enforce (or at least encourage the use of) a strong password-creation policy that includes the following criteria:

  • Use upper- and lowercase letters, special characters, and numbers. Never use only numbers. These passwords can be cracked quickly.

  • Misspell words or create acronyms from a quote or a sentence. For example, ASCII is an acronym for American Standard Code for Information Interchange that can also be used as part of a password.

  • Use punctuation characters to separate words or acronyms.

  • Change passwords every 6 to 12 months or immediately if they're suspected of being compromised. Anything more frequent introduces an inconvenience that only serves to create more vulnerabilities.

  • Use different passwords for each system. This is especially important for network infrastructure hosts, such as servers, firewalls, and routers. It's okay to use similar passwords — just make them slightly different for each type of system, such as SummerInTheSouth_WinXP for Windows systems and SummerInTheSouth_Lin for Linux systems.

  • Use variable-length passwords. This can throw off attackers because they won't know the required minimum or maximum length of passwords and must try all password length combinations.

  • Don't use common slang words or words that are in a dictionary.

  • Don't rely completely on similar-looking characters, such as 3 instead of E, 5 instead of S, or ! instead of 1. Password cracking programs can check for this.

  • Don't reuse the same password within at least four to five password changes.

  • Use password-protected screen savers. Unlocked screens are a great way for systems to be compromised even if their hard drives are encrypted.

  • Don't share passwords. To each his or her own!

  • Avoid storing user passwords in an unsecured central location, such as an unprotected spreadsheet on a hard drive. This is an invitation for disaster. Use PGP, Password Safe, or a similar program to store user passwords.
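An added example, not from the book: a checker that applies the password-creation criteria listed above, including undoing the look-alike substitutions (3 for E, 5 for S, and so on) before the dictionary check, which is exactly what cracking programs do. The minimum length of 12, the tiny built-in word list and the three-of-four character-class rule are assumptions made for the example.

```python
"""Added example (not from the book): a checker for the book's password
creation criteria. It undoes look-alike substitutions (3 for E, 5 for S,
0 for O, @ for A, ...) before the dictionary check, as cracking tools do."""
import re
from typing import List

# Constructed stand-in for a real dictionary / common-password list.
DICTIONARY = {"password", "summer", "welcome", "letmein", "admin", "secret", "qwerty"}
# Look-alike substitutions to undo; "!" and other punctuation are simply
# dropped by alpha_core(), so "Summ3r!" still normalises to "summer".
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "l", "0": "o",
                          "5": "s", "$": "s", "7": "t"})
MIN_LENGTH = 12    # assumption: the book asks for long passphrases but names no number
HISTORY_DEPTH = 5  # the book: no reuse within the last four to five changes

def alpha_core(s: str) -> str:
    """Letters only, lowercased, so spacing and punctuation tricks do not hide a word."""
    return re.sub(r"[^a-z]", "", s.lower())

def normalize(pw: str) -> str:
    """Undo look-alike substitutions and reduce to the alphabetic core."""
    return alpha_core(pw.lower().translate(LEET_MAP))

def check_password(candidate: str, history: List[str]) -> List[str]:
    """Return the list of criteria the candidate violates (empty means acceptable)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.isdigit():
        problems.append("numbers only")
    classes = [any(c.isupper() for c in candidate),
               any(c.islower() for c in candidate),
               any(c.isdigit() for c in candidate),
               any(not c.isalnum() for c in candidate)]
    # The book lists all four classes; requiring three of four is a constructed
    # relaxation so that its own passphrase examples (which have no digits) pass.
    if sum(classes) < 3:
        problems.append("needs at least three of upper, lower, digit, special")
    if alpha_core(candidate) in DICTIONARY or normalize(candidate) in DICTIONARY:
        problems.append("dictionary word, even after undoing look-alike substitutions")
    recent = {h.lower() for h in history[-HISTORY_DEPTH:]}
    if candidate.lower() in recent:
        problems.append(f"reused within the last {HISTORY_DEPTH} passwords")
    return problems

if __name__ == "__main__":
    for pw in ["P@55w0rd!", "1234567890123", "SummerInTheSouth_WinXP"]:
        print(pw, "->", check_password(pw, ["Winter2010!"]) or "OK")
```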

Other considerations

Here are some other password-hacking countermeasures that I recommend:

Tip

  • Enable security auditing to help monitor and track password attacks.

  • Test your applications to make sure they aren't storing passwords indefinitely in memory or writing them to disk. A good tool for this is WinHex (www.winhex.com/winhex/index-m.html). I've used this tool to search a computer's memory for password, pass=, login, and so on and have come up with some passwords that the developers thought were cleared from memory.

    Some password-cracking Trojan-horse applications are transmitted through worms or simple e-mail attachments. Such malware can be lethal to your password-protection mechanisms if they're installed on your systems. The best defense is malware protection software, such as antivirus protection (from a vendor like Webroot or McAfee), spyware protection (such as Spybot), or malicious-code behavioral protection (such as Finjan's offerings).

  • Keep your systems patched. Passwords are reset or compromised during buffer overflows or other denial of service (DoS) conditions.

  • Know your user IDs. If an account has never been used, delete or disable the account until it's needed. You can determine unused accounts by manual inspection or by using DumpSec (www.systemtools.com/somarsoft/?somarsoft.com), a tool that can enumerate the Windows operating system and gather user IDs and other information.

As the security administrator in your organization, you can enable account lockout to prevent password-cracking attempts. Account lockout is the ability to lock user accounts for a certain time after a certain number of failed login attempts has occurred. Most operating systems (and some applications) have this capability. Don't set it too low (fewer than five failed logins), and don't set it so high that a malicious user gets a greater chance of breaking in. Somewhere between 5 and 50 might work for you. I usually recommend a setting of around 10 or 15. Consider the following when configuring account lockout on your systems:

  • To use account lockout to prevent any possibilities of a user DoS condition, require two different passwords, and don't set a lockout time for the first one if that feature is available in your operating system.

  • If you permit autoreset of the account after a certain period — often referred to as intruder lockout — don't set a short time period. Thirty minutes often works well.

A failed login counter can increase password security and minimize the overall effects of account lockout if the account experiences an automated attack. A login counter can force a password change after a number of failed attempts. If the number of failed login attempts is high and occurred over a short period, the account has likely experienced an automated password attack.
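An added example, not from the book: the lockout and failed-login-counter logic described above, run over constructed authentication log lines. It assumes a lockout threshold of 10 failures and the 30-minute auto-reset mentioned above, plus a constructed 5-minute window for deciding that a run of failures looks automated; the log line format is also an assumption.

```python
"""Added example (not from the book): apply the book's lockout guidance
(threshold around 10 failures, 30-minute auto-reset) to constructed
authentication log lines and flag accounts whose failures arrive fast
enough to look like an automated attack."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LOCKOUT_THRESHOLD = 10                  # failures before lockout (book: around 10 or 15)
LOCKOUT_RESET = timedelta(minutes=30)   # "intruder lockout" auto-reset period from the book
BURST_WINDOW = timedelta(minutes=5)     # assumption: 10 failures inside 5 minutes is automated

# Constructed log format: "<ISO timestamp> <FAILED|OK> user=<name> src=<ip>"
LINE_RE = re.compile(r"^(\S+) (FAILED|OK) user=(\S+) src=(\S+)$")

def parse(lines):
    """Yield (timestamp, result, user, src) for every well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)

def analyze(lines):
    """Return per-user {"locked": bool, "automated": bool, "failures": n}."""
    window = defaultdict(list)   # failure timestamps still counting toward lockout
    report = {}
    for ts, result, user, _src in sorted(parse(lines)):
        state = report.setdefault(user, {"locked": False, "automated": False, "failures": 0})
        if result == "OK":
            window[user].clear()  # a successful login resets the failure counter
            continue
        state["failures"] += 1
        # Failures older than the reset period no longer count (the auto-reset).
        window[user] = [t for t in window[user] if ts - t < LOCKOUT_RESET]
        window[user].append(ts)
        if len(window[user]) >= LOCKOUT_THRESHOLD:
            state["locked"] = True
            # Many failures in a short period: the book's sign of an automated attack.
            if window[user][-1] - window[user][-LOCKOUT_THRESHOLD] <= BURST_WINDOW:
                state["automated"] = True
    return report

def build_sample_log():
    """Constructed log lines, not from a real system."""
    base = datetime(2010, 6, 1, 9, 0, 0)
    lines = []
    for i in range(12):   # bob: automated burst, one failure every 10 seconds
        lines.append(f"{(base + timedelta(seconds=10 * i)).isoformat()} FAILED user=bob src=10.0.0.99")
    for i in range(3):    # alice: a few typos, then a successful login
        lines.append(f"{(base + timedelta(minutes=15 * i)).isoformat()} FAILED user=alice src=10.0.0.5")
    lines.append(f"{(base + timedelta(minutes=46)).isoformat()} OK user=alice src=10.0.0.5")
    for i in range(10):   # carol: slow failures 25 minutes apart, never 10 inside the reset period
        lines.append(f"{(base + timedelta(minutes=25 * i)).isoformat()} FAILED user=carol src=10.0.0.7")
    return lines

if __name__ == "__main__":
    for user, state in analyze(build_sample_log()).items():
        print(user, state)
```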

Other password-protection countermeasures include

  • Stronger authentication methods, such as challenge/response, smart cards, tokens, biometrics, or digital certificates.

  • Automated password reset. This functionality lets users manage most of their password problems without getting others involved. Otherwise, this support issue becomes expensive, especially for larger organizations.

  • Password protect the system BIOS. This is especially important on servers and laptops that are susceptible to physical security threats and vulnerabilities.

Securing Operating Systems

You can implement various operating system security measures to ensure that passwords are protected.

Note

Regularly perform these low-tech and high-tech password-cracking tests to make sure that your systems are as secure as possible — perhaps as part of a monthly, quarterly, or biannual audit.

Windows

The following countermeasures can help prevent password hacks on Windows systems:

  • Some Windows passwords can be gleaned by simply reading the cleartext or crackable ciphertext from the Windows Registry. Secure your registries by doing the following:

    • Allow only administrator access.

    • Harden the operating system by using well-known hardening best practices, such as those from SANS (www.sans.org), NIST (http://csrc.nist.gov), and the Center for Internet Security Benchmarks/Scoring Tools (www.cisecurity.org), and the ones outlined in Network Security For Dummies, by Chey Cobb.

  • Use SYSKEY for enhanced Windows password protection.

    • By default, Windows 2000 and newer systems encrypt the SAM database that stores hashes of the Windows account passwords. Encryption is not the default on older Windows NT systems.

    • You can use the SYSKEY utility to encrypt the database for Windows NT machines and to move the database encryption key from Windows 2000 and later machines.

    Don't rely on only the SYSKEY utility. Many tools can crack SYSKEY encryption.

  • Keep all SAM database backup copies secure.

  • Disable the storage of LM hashes in Windows for passwords that are shorter than 15 characters.

    For example, in Windows 2000 SP2 and later, you can create and set the NoLMHash registry key to a value of 1 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.

  • Use passfilt.dll or local or group security policies to help eliminate weak passwords on Windows systems before they're created.

  • Disable null sessions in your Windows version:

    • In Windows XP and later versions, enable the Do Not Allow Anonymous Enumeration of SAM Accounts and Shares option in the local security policy.

    • In Windows 2000, enable the No Access without Explicit Anonymous Permissions option in the local security policy.

    • In Windows NT, enable the following Registry key:

      HKLM\System\CurrentControlSet\Control\LSA\RestrictAnonymous=1

Linux and UNIX

The following countermeasures can help prevent password cracks on Linux and UNIX systems:

  • Ensure your system is using shadowed MD5 passwords.

  • Help prevent the creation of weak passwords. You can use either the built-in operating-system password filtering (such as cracklib in Linux) or a password-auditing program (such as npasswd or passwd+).

  • Check your /etc/passwd file for duplicate root UID entries. Hackers can exploit such entries as root backdoors.
