Password hacking is one of the easiest and most common ways attackers obtain unauthorized computer or network access. Although strong passwords — ideally, longer and stronger passphrases that are difficult to crack (or guess) — are easy to create and maintain, network administratorsand users often neglect this. Therefore, passwords are one of the weakest links in the information security chain. Passwords rely on secrecy. After a password is compromised, its original owner isn’t the only person who can access the system with it. That’s when accountability goes out the windowand bad things start happening. External attackers and malicious insiders have many ways to obtain passwords. They can glean passwords simply by asking for them or by looking over the shoulders (shoulder surfing) of users while they type them. Hackers can also obtain passwords from local computers by using password-cracking software. To obtain passwords from across a network, attackers can use remote cracking utilities, keyloggers, or network analyzers. This chapter demonstrates how easily the bad guys can gather password information from your network and computer systems. I outline common password vulnerabilities and describe countermeasures to help prevent these vulnerabilities from being exploited on your systems. If you perform the tests and implement the countermeasures outlined in this chapter, you’ll be well on your way to securing your systems’ passwords.
Unless users are educated and reminded about using strong passwords, their
passwords usually are
✓ Easy to guess.
✓ Seldom changed.
✓ Reused for many security points. When bad guys crack one password,
they can often access other systems with that same password and
✓ Written down in unsecure places. The more complex a password is, the
more difficult it is to crack. However, when users create complex passwords,
they’re more likely to write them down. External attackers and
malicious insiders can find these passwords and use them against you.
Technical password vulnerabilities
You can often find these serious technical vulnerabilities after exploiting
organizational password vulnerabilities:
✓ Weak password encryption schemes. Hackers can break weak password
storage mechanisms by using cracking methods that I outline in
Many vendors and developers believe that passwords are
safe as long as they don’t publish the source code for their encryption
algorithms. Wrong! A persistent, patient attacker can usually crack this
security by obscurity (a security measure that’s hidden from plain view
but can be easily overcome) fairly quickly. After the code is cracked, it is
distributed across the Internet and becomes public knowledge.
Password-cracking utilities take advantage of weak password encryption.
These utilities do the grunt work and can crack any password,
given enough time and computing power.
✓ Programs that store their passwords in memory, unsecured files, and
easily accessed databases.
✓ User applications that display passwords on the screen while typing.
The National Vulnerability Database (an index of computer vulnerabilities
managed by the National Institute of Standards and Technology) currently
identifies over 2,000 password-related vulnerabilities — a number that has
doubled in just the past three years! You can search for these issues at
(http://nvd.nist.gov) to find out how vulnerable some of your systems
are from a technical perspective.
fuels their sense of exploration and desire to figure out things. You might
not have a burning desire to explore everyone’s passwords, but it helps to
approach password cracking with this mindset. So where should you start
hacking the passwords on your systems? Generally, any user’s password
works. After you obtain one password, you can often obtain others — including
administrator or root passwords.
Administrator passwords are the pot of gold. With unauthorized administrative
access, you can do virtually anything on the system. When looking for
your organization’s password vulnerabilities, I recommend first trying to
obtain the highest level of access possible (such as administrator) through
the most discreet method possible. That’s often what the bad guys do.
You can use low-tech ways and high-tech ways to exploit vulnerabilities to
obtain passwords. For example, you can deceive users into divulging passwords
over the telephone or simply observe what a user has written down on a
piece of paper. Or you can capture passwords directly from a computer, over a
network, and via the Internet with the tools covered in the following sections.
Cracking passwords the old-fashioned way
A hacker can use low-tech methods to crack passwords. These methods
include using social engineering techniques, shoulder surfing, and simply
guessing passwords from information that he knows about the user.
which I cover in detail in Chapter 5. Social engineering takes advantage
of the trusting nature of human beings to gain information that later can
be used maliciously. A common social engineering technique is simply to con
people into divulging their passwords. It sounds ridiculous, but it happens all
example, you can simply call a user and tell him that he has some importantlooking
e-mails stuck in the mail queue, and you need his password to log in
and free them up. This is often how hackers and rogue insiders try to get the
passwords with various password-cracking tools:
✓ Cain & Abel (www.oxid.it/cain.html) cracks LM and NT LanManager (NTLM) hashes, Windows RDP passwords, Cisco IOS and PIX hashes, VNC passwords, RADIUS hashes, and lots more.
✓ chknull (www.phreak.org/archives/exploits/novell) checks for Novell NetWare accounts with no password.
✓ Elcomsoft Distributed Password Recovery (www.elcomsoft.com/edpr.html) cracks Microsoft Office, PGP, and PKCS passwords in adistributed fashion using up to 10,000 networked computers at one time. Plus, this tool uses the same GPU video acceleration as the Elcomsoft
Wireless Auditor tool, which allows for cracking speeds up to 50 times faster.
✓ Elcomsoft System Recovery (www.elcomsoft.com/esr.html) cracks or resets Windows user passwords, sets administrative rights, and resets password expirations all from a bootable CD.
✓ John the Ripper (www.openwall.com/john) cracks hashed Linux/UNIX and Windows passwords.
✓ Pandora (www.nmrc.org/project/pandora) cracks Novell NetWare
passwords online and offline.
✓ Proactive Password Auditor (www.elcomsoft.com/ppa.html) runs brute-force, dictionary, and rainbow cracks against extracted LM and NTLM password hashes.
✓ Proactive System Password Recovery (www.elcomsoft.com/pspr.html) recovers practically any locally stored Windows password, such as logon passwords, WEP/WPA passphrases, SYSKEY passwords, and RAS/dialup/VPN passwords.
✓ pwdump3 (www.openwall.com/passwords/dl/pwdump/
pwdump3v2.zip) extracts Windows password hashes from the SAM
✓ RainbowCrack (http://project-rainbowcrack.com) cracks
LanManager (LM) and MD5 hashes very quickly by using rainbow tables.