5.1 Understand the different types of passwords, password attacks, and password cracking techniques

Exam Focus: Understand the different types of passwords, password attacks, and password cracking techniques. Objective includes:

  • Understand the different types of passwords.
  • Identify the different types of password attacks.
  • Identify password cracking techniques.

Goals of system hacking

The following are the goals of system hacking:

  • Gaining access: The attacker collects enough information to gain access. Password eavesdropping and brute forcing techniques are used to gain access.
  • Escalating privileges: Once user-level access is obtained, the attacker creates a privileged user account. Password cracking and known exploits are used to escalate privileges.
  • Executing applications: Creates and maintains backdoor access.
  • Hiding files: Hides malicious files.
  • Covering tracks: Hides the presence of compromise.

Password

A password is a combination of characters, digits, and special symbols that allows a user to access a file or program. The password prevents an unauthorized user from accessing a file or application. The following are the different types of passwords:

  • Power-on password: It protects the system from being powered on by an unauthorized person. When a power-on password has been set, a prompt appears while the system starts up, and the password must be entered before the operating system boots.
  • Hard drive password: A user's hard drive password is used for the user and a master hard drive password is used for the system administrator. If a user has changed his hard drive's password, the administrator can use the master password to get access to the hard drive.
  • Supervisor password (BIOS password): It is also known as a BIOS password. It protects the system information stored in the BIOS. A user is required to enter the Supervisor password to get access to the BIOS in order to change the system configuration.
  • User password: It is required for most accounts. After entering the user name, the user is prompted for a password. Two passwords are required to be entered if the account requires both primary and secondary passwords.
  • System password: It controls access to particular terminals and is required at the discretion of the security administrator. These passwords are often required to control access to terminals that might be targets for unauthorized use, such as dialup and public terminal lines.

Default password

A default password is defined as a password provided by the manufacturer with new equipment that is password protected. The following online tools can be used to search default passwords:

Password complexity

A user can create a password in different ways to increase its complexity. For example, the user can create passwords:

  • Containing letters, special characters, and numbers, e.g., cd1@78
  • Containing only numbers, e.g., 56568579
  • Containing only special characters, e.g., @#$%#@#$
  • Containing letters and numbers, e.g., hkjh2345
  • Containing only letters, e.g., MARKPETE
  • Containing only letters and special characters, e.g., mar#kjm
  • Containing only special characters and numbers, e.g., 234@$90

Types of password attacks

The following are types of password attacks:

Passive online attack

In a passive online attack, the attacker places a sniffer on the network to capture raw data packets, then analyzes those packets to extract password information. The following attacks come under the passive online attack:

  • Wire sniffing attack: To access and record the raw network traffic, attackers run packet sniffer tools on the LAN. The captured data may contain passwords that are sent to remote systems during Telnet, FTP, rlogin sessions, and electronic mail sent and received.
  • MITM attack: A man-in-the-middle attack occurs when an attacker successfully inserts an intermediary software or program between two communicating hosts.
  • Replay attack: In a replay attack, whenever packets pass between two hosts on a network, attackers capture packets including passwords or digital signatures. Attackers then resend the captured packet to the system in an attempt to obtain an authenticated connection. The attacker does not know the actual password in this type of attack, but can simply replay the captured packet.

Active online attack

In active online attacks, the attacker obtains the victim's password by guessing it. It includes the following attacks:

  • Password guessing: A password guessing attack takes place when an unauthorized user repeatedly guesses usernames and passwords to log on to a computer or network. Many password guessing programs are available on the Internet. The following are the considerations of a password guessing attack:
      • Time consuming
      • Needs a huge amount of network bandwidth
      • Easily detected
    The following are the types of password guessing attacks:
      • Brute force attack
      • Dictionary attack
  • Trojan/spyware/keyloggers: By using a Trojan, an attacker gets access to the passwords stored on the attacked computer and can read personal documents, delete files, and display pictures.
    Spyware is software that collects information about a user without his knowledge. Spyware can get into a computer when the user downloads software from the Internet. It can search the contents of a hard disk, an e-mail address book, or any other information on the computer, and transmit the information to advertisers or other interested parties.
    A keylogger is a software tool that traces all or specific activities of a user on a computer. Once a keylogger is installed on a victim's computer, it can record all keystrokes on that computer in a predefined log file. An attacker can configure the log file so that it is sent automatically to a predefined e-mail address. Some of the main features of a keylogger are as follows:
      • It can record all keystrokes.
      • It can capture all screenshots.
      • It can record all instant messenger conversations.
      • It can be remotely installed.
      • It can be delivered via FTP or e-mail.
  • Hash injection: A hash injection attack permits an attacker to inject a compromised hash into a local session and authenticate to network resources by using the hash. The attacker finds and extracts the hash of a logged-on domain admin account, then logs on to the domain controller by using the extracted hash.

Offline attack

Offline attacks are time consuming and often turn into brute force attacks. Some important offline attacks are as follows:

  • Brute force attack: In Windows hacking, a brute force attack plays a vital role. In a brute force attack, an attacker uses software that tries a large number of key combinations in order to get a password. To prevent such attacks, users should create passwords that are more difficult to guess, e.g., using a minimum of eight characters, alphanumeric combinations, and mixed upper and lower case.
  • Dictionary attack: A dictionary attack is a type of password guessing attack. It finds a user's password by trying the words in a dictionary of common words, optionally in upper or lower case. Many programs are available on the Internet to automate and execute dictionary attacks.
  • Hybrid attack: The attack is referred to as a hybrid attack when an attacker performs a dictionary attack as well as a brute force attack.
  • Rainbow attack: A rainbow attack retrieves plain-text passwords by using a precomputed hash table. The rainbow attack is considered the fastest method of password cracking. To implement it, the hashes for all possible passwords over a set of characters are calculated in advance and stored in a table known as the rainbow table. A captured password hash is then given to a tool that uses the rainbow algorithm to search the rainbow table until the password is fetched.
  • Distributed Network Attack (DNA): A Distributed Network Attack is used to recover password-protected files. It decrypts passwords by using the unused processing power of machines across the network. In this attack, a DNA manager is installed in a central location, and machines running DNA clients can reach the DNA manager over the network. The DNA manager coordinates the attack and assigns small portions of the key search to machines distributed over the network. A DNA client runs in the background and consumes only unused processor time. The program combines the processing capabilities of all the clients connected to the network and uses them to perform the key search needed to decrypt the file.
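The rainbow attack bullet above describes the table as a store of precomputed hashes; in practice a rainbow table stores only the start and end of hash/reduce chains, which is what makes it small enough to be useful, and it is defeated outright by per-user salting. The following is an added example written for this guide, not code from any cracking tool: a toy rainbow table over a constructed space of 3-character lowercase passwords hashed with unsalted truncated SHA-256 (the alphabet, chain length, reduction function and the every-37th-password choice of start points are all assumptions made for the demo).

```python
import hashlib
import itertools
import string

# Toy parameters (constructed for this demo): 3-character lowercase passwords,
# an unsalted truncated SHA-256 as the stored hash, chains of CHAIN_LEN steps.
ALPHABET = string.ascii_lowercase
PW_LEN = 3
CHAIN_LEN = 20
SPACE = len(ALPHABET) ** PW_LEN  # 17576 possible passwords


def H(password: str) -> bytes:
    """The unsalted hash a careless system stores (first 8 bytes of SHA-256)."""
    return hashlib.sha256(password.encode()).digest()[:8]


def R(column: int, digest: bytes) -> str:
    """Reduction function: map a hash back into the password space.
    Mixing the column index in gives every column of the table its own
    reduction, which is what makes this a rainbow table rather than a
    plain Hellman table and limits chain merges."""
    n = (int.from_bytes(digest, "big") + column) % SPACE
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def build_table(start_points):
    """Precomputation: walk each chain hash->reduce->hash->... and keep only
    its start and end. Chains that merge share an endpoint, so every start
    is kept in a list and none is silently lost."""
    table = {}
    for start in start_points:
        pw = start
        for column in range(CHAIN_LEN):
            pw = R(column, H(pw))
        table.setdefault(pw, []).append(start)
    return table


def lookup(table, target: bytes):
    """Online phase: recover the password behind `target`, if the table covers it.
    Assume the hash sits at column i, finish the chain from there and check
    whether the resulting endpoint is one we stored; if so, regenerate that
    chain and look for the real preimage (this also filters false alarms)."""
    for i in range(CHAIN_LEN - 1, -1, -1):
        pw = R(i, target)
        for column in range(i + 1, CHAIN_LEN):
            pw = R(column, H(pw))
        for start in table.get(pw, ()):
            cand = start
            for column in range(CHAIN_LEN):
                if H(cand) == target:
                    return cand
                cand = R(column, H(cand))
    return None


def salted_hash(password: str, salt: bytes) -> bytes:
    """What the system should store instead. The table was built for H(pw),
    so a per-user salt makes the whole precomputation useless."""
    return hashlib.sha256(salt + password.encode()).digest()[:8]


def demo_table():
    """Build a table from every 37th password in the space (constructed choice)."""
    all_pw = ("".join(p) for p in itertools.product(ALPHABET, repeat=PW_LEN))
    return build_table(list(all_pw)[::37])


if __name__ == "__main__":
    table = demo_table()
    print("chains stored:", sum(len(v) for v in table.values()))
    print("unsalted H('aaa') ->", lookup(table, H("aaa")))
    print("salted   H('aaa') ->", lookup(table, salted_hash("aaa", b"\x9a\x01")))
```

The table holds a few hundred (start, end) pairs yet can answer for every password on any of its chains; the same lookup against a salted hash of the same password returns nothing, because the salt moves the hash outside the space the table was built for. That is the defender's takeaway: unique per-user salts, not longer tables, are what end this attack.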

Non-electronic attack

A non-electronic attack is an attack that does not require any technical knowledge. It includes the following attacks:

  • Social engineering: Social engineering is the art of convincing people to disclose useful information, such as account names and passwords. Hackers then exploit this information to gain access to a user's computer or network. The method relies on the attacker's ability to manipulate people rather than on technical skills. A user should always distrust people who ask for his account name, password, computer name, IP address, employee ID, or other information that can be misused. Proper user training is an effective way of mitigating social engineering attacks. The following are the different types of social engineering attacks:
      • Shoulder surfing: Shoulder surfing is a type of in-person attack in which an attacker gathers information on the premises of an organization. It is often performed by looking surreptitiously at the keyboard of an employee's computer while he is typing his password at any access point, such as a terminal or Web site. An attacker can also gather information by looking at open documents on the employee's desk, notices posted on notice boards, etc.
      • Dumpster diving: Dumpster diving refers to going through someone's trash in an attempt to find useful or confidential information. Dumpster divers check and separate items from commercial or residential trash to get the information they desire. This information may be used for identity theft and for breaching physical information security.

Password cracking

Password cracking techniques are used for recovering passwords from computer systems. Attackers use password cracking techniques in order to gain unauthorized access to the vulnerable system. Many password cracking techniques are successful as many people use weak or easily guessable passwords.

Password cracking techniques

The following are password cracking techniques:

  • Dictionary attack: In a dictionary attack, a dictionary file is loaded into the cracking application running against user accounts.
  • Brute forcing attack: In a brute force attack, the programs try a large number of key combinations in order to get a password.
  • Hybrid attack: It is like a dictionary attack, but the attacker also adds numbers and symbols to the words from the dictionary and attempts to crack the password with these variants.
  • Syllable attack: It is the combination of both the brute force attack and dictionary attack.
  • Rule-based attack: It is used when the attacker gets some information regarding the password.

Manual password cracking (guessing)

The following steps are taken for manual password cracking (guessing):

  1. Find a valid user.
  2. Create a list of possible passwords.
  3. Rank passwords from high probability to low.
  4. Key in each password, until the correct password is discovered.

Automatic password cracking

The following steps are taken for automatic password cracking:

  1. Find a valid user.
  2. Find the algorithm used for encryption.
  3. Obtain the encrypted passwords.
  4. Create a list of the possible passwords.
  5. Encrypt each word.
  6. Verify whether there is a match for each user ID.
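The six steps of automatic password cracking above are exactly what a defensive password audit does to its own credential store, and the dictionary, hybrid and rule-based techniques listed under "Password cracking techniques" decide how the candidate list in step 4 is built. The following is an added example for this guide, not code from any cracking tool: the credential store, salts, passwords, wordlist and mangling rules are all constructed for the demo, and salted SHA-256 stands in for whatever hash a real system uses.

```python
import hashlib


def make_record(password: str, salt: bytes):
    """Constructed credential record: (salt, hex SHA-256 of salt + password)."""
    return salt, hashlib.sha256(salt + password.encode()).hexdigest()


# Constructed sample credential store (step 3: the obtained hashes).
CREDENTIALS = {
    "alice": make_record("Summer2019!", bytes.fromhex("a1" * 8)),
    "bob":   make_record("p@ssw0rd",    bytes.fromhex("b2" * 8)),
    "carol": make_record("j8#Lq2!vXr9$", bytes.fromhex("c3" * 8)),
}

# Constructed mini dictionary; a real audit uses a large wordlist.
WORDLIST = ["password", "summer", "welcome", "admin"]

# Simple hybrid rules: case changes, leetspeak substitutions and common suffixes.
LEET = str.maketrans({"a": "@", "o": "0", "e": "3", "i": "1"})
SUFFIXES = ["", "1", "123", "!", "2019", "2019!"]


def candidates(word: str):
    """Hybrid/rule-based expansion of one dictionary word (step 4: the candidate list)."""
    bases = [word, word.capitalize(), word.upper(),
             word.translate(LEET), word.capitalize().translate(LEET)]
    seen = set()
    for base in bases:
        for suffix in SUFFIXES:
            cand = base + suffix
            if cand not in seen:
                seen.add(cand)
                yield cand


def hash_with(salt: bytes, candidate: str) -> str:
    """Step 5: hash each candidate with the same algorithm and salt the system used."""
    return hashlib.sha256(salt + candidate.encode()).hexdigest()


def audit(credentials, wordlist, hybrid=True):
    """Steps 5 and 6 for every user ID: returns {user: recovered password} for
    the accounts whose password was found. With hybrid=False only the plain
    dictionary words are tried; with the default the mangling rules apply."""
    weak = {}
    for user, (salt, stored) in credentials.items():
        for word in wordlist:
            pool = candidates(word) if hybrid else [word]
            hit = next((c for c in pool if hash_with(salt, c) == stored), None)
            if hit is not None:
                weak[user] = hit
                break
    return weak


if __name__ == "__main__":
    print("dictionary only:", audit(CREDENTIALS, WORDLIST, hybrid=False))
    print("hybrid rules:   ", audit(CREDENTIALS, WORDLIST))
```

The plain dictionary pass finds nothing, while the hybrid pass recovers two of the three accounts: "Summer2019!" meets the usual length and character-class rules yet is a dictionary word plus a common suffix, which is why the audit, not the complexity policy alone, tells you which accounts are weak. Because each record has its own salt, every candidate must be re-hashed per user, so the salt does its job of multiplying the attacker's work.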

Using a USB drive for stealing passwords

Take the following steps to steal passwords using a USB drive:

  1. Select a password hacking tool.
  2. Copy the downloaded files to the USB drive.
  3. Create autorun.inf in the USB drive:

[autorun]
open=launch.bat

  4. Insert the USB drive. The autorun window will pop up (if enabled). Password2 is executed in the background and the passwords will be stored in .TXT files on the USB drive.

5.2 Authentication mechanism, password sniffing, various password cracking tools, and countermeasures

Exam Focus: Authentication mechanism, password sniffing, various password cracking tools, and countermeasures. Objective includes:

  • Understand Microsoft Authentication mechanism.
  • Describe password sniffing.
  • Identify various password cracking tools.
  • Identify various password cracking countermeasures.

Authentication

Authentication is a process to verify the identity of a person, network host, or system process. In the authentication process, the provided credentials are compared with the credentials that are stored in the database of an authentication server.

Basic authentication

Basic authentication is the simplest method of authentication. It is based on the premise that the client must authenticate itself with a user-ID and a password for each realm. The realm value (which is case-sensitive) is a string that may have additional semantics specific to the authentication scheme. The realm value should be considered as an opaque string, which can only be compared for equality with other realms on that server. The server will service the request if, and only if, it can validate the user-ID and password for the protection space of the Request-URI. There are no optional authentication parameters. To receive authorization, the client sends the user ID and password, separated by a single colon (":") character, within a base64 encoded string in the credentials.

Security holes in the basic authentication scheme

The basic authentication scheme uses the username and password. It base64-encodes them, and base64 is an encoding, not encryption. Consequently, many security holes exist in the basic authentication scheme. The password is stored on the server in an encrypted format, but it is passed from the client to the server effectively in plain text across the network. Therefore, the username and password can be easily read by any attacker listening with a packet sniffer. The username and password are passed not just when the user first types them; they are passed with every request. Hence, the packet sniffer does not need to listen at any particular time, but just long enough to observe any single request coming across the wire. The base64 encoding used in the scheme offers no protection and is trivially decoded.
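To make the point above concrete, here is an added example (written for this guide, not code from the page or any server) that builds the Authorization header exactly as the client does and then reverses it the way any party on the path can. The credentials are constructed; the only real rule used is RFC 7617's, that user-id and password are joined by the first colon and base64-encoded, which is also why a password is allowed to contain colons but a user-id is not.

```python
import base64


def build_basic_header(user_id: str, password: str) -> str:
    """What the client attaches to every request: 'Basic ' + base64(user-id ':' password).
    RFC 7617 forbids a colon in the user-id because the first colon is the separator."""
    if ":" in user_id:
        raise ValueError("user-id must not contain ':'")
    token = base64.b64encode(f"{user_id}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(header: str):
    """What any party on the path (proxy, sniffer, log collector) can do with
    that header: undo the encoding and read the credentials. Splitting on the
    first colon only is what keeps a password containing ':' intact."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    user_id, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("malformed credential: missing ':' separator")
    return user_id, password


if __name__ == "__main__":
    # Constructed credentials for the demo.
    header = build_basic_header("alice", "s3cret:with:colons")
    print("on the wire:", header)
    print("recovered:  ", parse_basic_header(header))
```

Nothing in the parser needs a key or a secret, which is the whole objection to the scheme: Basic authentication is only as confidential as the transport carrying it, so it must be sent over TLS or not at all, and request logs and proxies that store the header hold the password in recoverable form.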

Digest authentication scheme

The digest authentication scheme is a replacement for the basic authentication scheme and is based on the challenge-response model. In digest authentication, what is transmitted is an MD5 digest computed from the user's password together with other values, never the password itself. The password is never sent across the network in clear text and cannot be determined with the help of a sniffer.

Function of digest authentication scheme

In this authentication scheme, an optional header permits the server to specify the algorithm used to create the checksum or digest (by default, MD5). The digest authentication scheme issues its challenge using a randomly chosen value (the nonce), a server-specified data string that may be uniquely generated each time a 401 response is made. A valid response is a digest computed over the following:

  • Checksum (by default, the MD5 checksum) of the username
  • Password
  • Given random value
  • HTTP method
  • Requested URL

In this way, the password is never sent in a clear text format.

Drawback: The password is not sent in clear text, but an attacker who obtains the digested password can still gain access, because the digested password is really all the information required to access the web site.
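The following is an added example for this guide (not the page's or any server's code) that carries the exchange described above through both sides: the client computes the response from the five listed inputs in the original RFC 2069 form (no qop, no client nonce), and the server verifies it from a stored digest of username, realm and password (HA1) rather than from the password. The realm, account, nonce size and single-use nonce policy are assumptions made for the demo.

```python
import hashlib
import secrets


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def client_response(username, password, realm, nonce, method, uri) -> str:
    """Client side: the response digest. The password only ever enters HA1."""
    ha1 = md5hex(f"{username}:{realm}:{password}")   # checksum of username, realm, password
    ha2 = md5hex(f"{method}:{uri}")                   # HTTP method and requested URL
    return md5hex(f"{ha1}:{nonce}:{ha2}")             # bound to the server's random value


class DigestServer:
    def __init__(self, realm: str, users: dict):
        self.realm = realm
        # Store HA1 instead of the password. Note HA1 is still password-equivalent
        # for this realm: whoever holds it can compute responses, which is the
        # drawback described above.
        self.ha1 = {u: md5hex(f"{u}:{realm}:{p}") for u, p in users.items()}
        self.outstanding = set()   # nonces issued and not yet consumed

    def challenge(self) -> str:
        """The 401 response carries a fresh random nonce."""
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, username, nonce, method, uri, response) -> bool:
        """Recompute the digest from stored HA1 and compare in constant time.
        A nonce is accepted once, so a response captured off the wire cannot
        simply be resent."""
        if nonce not in self.outstanding or username not in self.ha1:
            return False
        ha2 = md5hex(f"{method}:{uri}")
        expected = md5hex(f"{self.ha1[username]}:{nonce}:{ha2}")
        ok = secrets.compare_digest(expected, response)
        if ok:
            self.outstanding.discard(nonce)
        return ok


if __name__ == "__main__":
    # Constructed realm, account and request for the demo.
    server = DigestServer("demo@example.invalid", {"alice": "correct horse"})
    nonce = server.challenge()
    resp = client_response("alice", "correct horse", "demo@example.invalid",
                           nonce, "GET", "/secret")
    print("response on the wire:", resp)
    print("first use accepted:  ", server.verify("alice", nonce, "GET", "/secret", resp))
    print("replay accepted:     ", server.verify("alice", nonce, "GET", "/secret", resp))
```

Two things to notice when running it: the server never needs the password, only HA1, so a leaked HA1 table is as damaging as a leaked password list for that realm; and the response is tied to the nonce, method and URI, so a captured response is only useful for that exact request and, with single-use nonces, not even for that.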

SAM database

User passwords are stored by Windows in the Security Accounts Manager (SAM) database or in the Active Directory database in domains. Passwords are never stored in clear text. Passwords are hashed. The results are stored in the SAM.

NTLM authentication scheme

NTLM is a protocol that authenticates users and computers based on an authentication challenge and response. The NTLM authentication process is used by all members of the Windows NT family. NTLM authentication does not send the user's password (or hashed representation of the password) across the network. Instead, NTLM authentication utilizes challenge/response mechanisms to ensure that the actual password never traverses the network.

How does it work?

When the authentication process begins, the client sends a login request to the telnet server. The server replies with a randomly generated 'token' (the challenge). The client hashes the currently logged-on user's cryptographically protected password together with the challenge and sends the resulting "response" to the server. The server receives the challenge-hashed response and checks it in the following manner:

  • The server takes a copy of the original token.
  • Now it hashes the token against the user's password hash from its own user account database.
  • If the received response matches the expected response, the user is successfully authenticated to the host.

Drawbacks:

  • NTLM authentication is not entirely safe because NTLM hashes (or challenge/response pairs) can be cracked with the help of brute force password guessing. The "cracking" program would iteratively try all possible passwords, hashing each and comparing the result to the hash that the malicious user has obtained. When it discovers a match, the malicious user would know that the password that produced the hash is the user's password.
  • This authentication technique works only with Microsoft Internet Explorer.

NTLM authentication process

The following are the steps of the NTLM authentication process:

  1. A user types a password into the logon window.
  2. The Windows OS runs the password through a hash algorithm.
  3. The computer sends a logon request to the Domain Controller (DC).
  4. The DC sends a logon challenge.
  5. The computer sends a response to the challenge.
  6. The DC compares the computer's response with the response it created from its own copy of the hash. If they are the same, the logon is successful. The Domain Controller holds a stored copy of the user's hashed password.
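The six steps above, the "How does it work?" description, and the hash injection attack from section 5.1 all follow from one property: the client answers the challenge with the stored password hash, not the password. The following is an added example for this guide, a simplified model and not the real NTLM algorithm: real NTLM derives the NT hash with MD4 over the UTF-16LE password and uses DES or HMAC-MD5 for the response, whereas this demo substitutes SHA-256 and HMAC-SHA256 (an assumption, so it runs on Pythons whose OpenSSL no longer provides MD4) while keeping the exchange identical in structure. The account name and password are constructed.

```python
import hashlib
import hmac
import secrets


def password_hash(password: str) -> bytes:
    """Stand-in for the stored NT hash (step 2). Real NTLM uses MD4 over the
    UTF-16LE password; SHA-256 is used here by assumption so the demo runs
    without legacy MD4. The shape of the exchange is unchanged."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def respond(pw_hash: bytes, challenge: bytes) -> bytes:
    """Client side (step 5): keyed hash of the challenge under the password hash.
    The argument is the hash, not the password: whoever holds the hash can
    answer, which is exactly why a stolen hash is password-equivalent and why
    the hash injection attack works."""
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()


class DomainController:
    def __init__(self, accounts: dict):
        # The DC keeps only the hash of each password (constructed accounts).
        self.hashes = {user: password_hash(pw) for user, pw in accounts.items()}
        self.pending = {}   # user -> challenge issued and not yet answered

    def logon_challenge(self, user: str) -> bytes:
        """Step 4: a fresh random challenge per logon attempt."""
        challenge = secrets.token_bytes(8)
        self.pending[user] = challenge
        return challenge

    def verify(self, user: str, response: bytes) -> bool:
        """Step 6: recompute the response from the stored hash and compare.
        Each challenge is consumed on use, so a response captured off the wire
        is useless against any later challenge (a replay attack fails)."""
        challenge = self.pending.pop(user, None)
        if challenge is None or user not in self.hashes:
            return False
        return hmac.compare_digest(respond(self.hashes[user], challenge), response)


def logon(dc: DomainController, user: str, password: str):
    """Steps 1 to 6 end to end. Returns (success, messages that crossed the wire)."""
    wire = [("client->dc", f"logon request for {user}")]          # step 3
    challenge = dc.logon_challenge(user)
    wire.append(("dc->client", challenge.hex()))                    # step 4
    response = respond(password_hash(password), challenge)          # steps 2 and 5
    wire.append(("client->dc", response.hex()))
    return dc.verify(user, response), wire                          # step 6


if __name__ == "__main__":
    dc = DomainController({"alice": "correct horse battery"})
    ok, wire = logon(dc, "alice", "correct horse battery")
    print("logon ok:", ok)
    for direction, msg in wire:
        print(direction, msg)   # the password appears in none of these
```

Running it shows three things worth checking against the drawbacks listed above: the password never appears on the wire; a response recorded from one logon fails against the next challenge; and a caller holding only the hash from the DC's table authenticates just as well as one holding the password, so the hash store and the memory of logged-on hosts deserve the same protection as the passwords themselves. The captured challenge/response pair, however, can still be tested offline against password guesses exactly as the first drawback describes, which is why challenge-response does not remove the need for strong passwords.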

Differences between the various NTLM authentication schemes