Hacking techniques Introduction to password cracking

Level: Introductory ([email protected]), Lead Network and

Security Engineer

01 Jun 2009

Password and user account exploitation is one of largest issues in

network security. In this article Rob Shimonski will look at password
cracking: the how and why of it. Rob will explain just how easy it is
to penetrate a network, how attackers get in, the tools they use, and
ways to combat it.
More dW content related to: password hacking. techniques

Attacks on a company or organization's computer systems take many

different forms, such as spoofing, smurfing, and other types of
Denial of Service (DoS) attacks. These attacks are designed to harm
or interrupt the use of your operational systems. This article deals
with a single wide-spread form of attack known as password cracking.

Password cracking is a term used to describe the penetration of a

network, system, or resource with or without the use of tools to
unlock a resource that has been secured with a password. In this
article I will take a look at what password cracking is, why
attackers do it, how they achieve their goals, and what you can do to
do to protect yourself. I will briefly take a look at the attackers
themselves: their psychological makeup and their motives. Through an
examination of several scenarios, I will describe some of the
techniques they deploy and the tools that aid them in their assaults,
and how password crackers work both internally and externally to
violate a company's infrastructure. Finally, the article provides a
checklist to help protect you from password cracking.

Before exploring the methods for doing this, let's first peer into
the mind of the attacker and learn why they might want access to your
network and systems.

Attackers: how and why they attack

There is an on-going debate about the definition of the word hacker.

A hacker can be anyone with a deep interest in computer-based
technology; it does not necessarily define someone who wants to do
harm. The term attacker can be used to describe a malicious hacker.
Another term for an attacker is a black hat. Security analysts are
often called white hats, and white-hat analysis is the use of hacking
for defensive purposes.
Attackers' motivations vary greatly. Some of the most notorious
hackers are high school kids in their basements planted in front of
their computers looking for ways to exploit computer systems. Other
attackers are disgruntled employees seeking revenge on a company. And
still other attacks are motivated by the sheer challenge of
penetrating a well-secured system.

Methods of attack

Password cracking doesn't always involve sophisticated tools. It can

be as simple as finding a sticky note with the password written on it
stuck right to the monitor or hidden under a keyboard. Another crude
technique is known as "dumpster diving," which basically involves an
attacker going through your garbage to find discarded documentation
that may contain passwords.

Of course attacks can involve far greater levels of sophistication.

Here are some of the more common techniques used in password
cracking:

Dictionary attack
A simple dictionary attack is by far the fastest way to break into a
machine. A dictionary file (a text file full of dictionary words) is
loaded into a cracking application (such as L0phtCrack), which is run
against user accounts located by the application. Because the
majority of passwords are often simplistic, running a dictionary
attack is often sufficient to to the job.
Hybrid attack
Another well-known form of attack is the hybrid attack. A hybrid
attack will add numbers or symbols to the filename to successfully
crack a password. Many people change their passwords by simply adding
a number to the end of their current password. The pattern usually
takes this form: first month password is "cat"; second month password
is "cat1"; third month password is "cat2"; and so on.
Brute force attack
A brute force attack is the most comprehensive form of attack, though
it may often take a long time to work depending on the complexity of
the password. Some brute force attacks can take a week depending on
the complexity of the password. L0phtcrack can also be used in a
brute force attack.

Next, take a look at some of the tools attackers use to break into a
system.
Tools of the trade

One of the most popular tools is L0phtCrack (now called LC4).

L0phtCrack is a tool that allows an attacker to take encrypted
Windows NT/2000 passwords and convert them to plaintext. NT/2000
passwords are in cryptographic hashes and cannot be read without a
tool like L0phtCrack. It works by attempting every alphanumeric
combination possible to try to crack passwords.

Another commonly-used tool is a protocol analyzer (better known as a

network sniffer, such as Sniffer Pro or Etherpeek), which is capable
of capturing every piece of data on the network segment to which it
is attached. When such a tool is running in promiscuous mode, it can
"sniff" everything going around on that segment such as logins and
data transfers. As you'll see later, this can seriously damage
network security allowing attackers to capture passwords and
sensitive data.

Let's take a look at a few scenarios and examine how attackers launch
their attacks and how they might be stopped or prevented. I'll first
describe a couple of scenarios involving internal attacks (that is,
attacks that originate within an organization), and then take a look
at a couple of scenarios involving external attacks.

Internal attacks

Internal attackers are the most common sources of cracking attacks

because attackers have direct access to an organization's systems.
The first scenario looks at a situation in which a disgruntled
employee is the attacker. The attacker, a veteran systems
administrator, has a problem with her job and takes it out on the
systems she is trusted to administer, manage, and protect.

Example: The disgruntled employee

Jane Smith, a veteran system administrator with impeccable technical

credentials, has been hired by your company to run the backup tapes
during the late evenings. Your company, an ISP, has a very large data
center with roughly 4000+ systems all monitored by a Network
Operations Center. Jane works with two other technicians to monitor
the overnight backups and rotate the tapes before the morning shift
comes in. They all work independently of each other: one technician
works on the UNIX Servers, one technician covers the Novell Servers,
and Jane has been hired to work on the Windows 2000 Servers.

Jane has been working on the job for six months now and is a rising
star. She comes in early, stays late and has asked to transfer to
another department within the company. One problem: there are no open
positions at the time. During the last month you (security analyst)
have noticed a dramatic increase in the number of attempts at Cisco
router and UNIX Server logins. You have CiscoSecure ACS implemented
so you can audit the attempts and you see that most of them occur at
3 a.m.

Your suspicions are aroused, but as a security analyst, you can't go

around pointing fingers without proof.

A good security analyst starts by looking deeper into the situation.

You note that the attacks are from someone of high caliber and occur
during Jane's shift, right after she is done with her tape rotation
assignment and usually has an extra hour to study or read before the
day operations team comes in. So you decide to have Jane supervised
at night by the night operations manager. After three weeks of heavy
supervision, you notice that the attacks have stopped. You were
right. Jane was attempting to log into the Cisco routers and UNIX
servers.

A good security analyst also needs to employ a good auditing tool,

such as Tacacs+, to log attacks. Tacacs+ is a protocol used by
applications such as CiscoSecure ACS that will force Authorization,
Accountability, and Authentication (AAA for short). If you have
Authorization, then the person requesting access needs to be
authorized to access the system. If you have Authentication, then the
user accessing a resource needs to be authenticated with rights and
permissions to have access. What happens when you are authorized and
also authenticated? You must be held Accountable. Accounting logs
alone solve many password cracking problems by forcing an attacker to
be held accountable, authenticated and authorized.

Next, I'll give an example of an old (but still widely used) attack,
which involves sniffing passwords right off the network. You can see
how a network supervisor had his Cisco routers and switches cracked
by a help desk technician within the company.

Example: The help desk technician

Tommy is hired for the position of help desk technician to work with
the after hours help desk crew. The after hours help desk staff is
made up of roughly 10 technicians who provide coverage for eight
remote sites that the company needs to support during off hours.
Tommy always brings his laptop with him to work. When questioned
about the laptop by his manager, Tommy explains that he is using his
break time to prepare for a certification test. This seems harmless
and is approved, even though there is a company-wide security policy
in place about bringing machines from the outside into the corporate
network without corporate security looking the device over.

Tommy is eventually caught by a surveillance camera leaving a small

wiring closet with something under his arm. But since nothing is
reported missing, there is no way to prove that Tommy has done
anything wrong. And when questioned by the help desk manager about
why he was in the closet, Tommy says that he mistakenly entered it
thinking it was a break room.

The company's security manager, Erika, sees the report filed by the
guards responsible for the physical security of the building. She
wonders what Tommy was doing in that closet and is not satisfied with
the answer he gave to the help desk manager. Upon searching the
closet, she finds an unplugged patch cable hanging from one of the
patch panels and an empty hub port. When she plugs the cable back in,
the link light does not come back on suggesting that this is a dead
port. Cable management Velcro straps neatly hold all the other cables
together. With Erika's years of experience and keen sense of security
exploitation, she knows exactly what happened.

Erika assumes that Tommy has brought his laptop in the wiring closet
unseen. He most likely looked for a dead port on the hub and plugged
his laptop in with a packet sniffer installed on it, which
promiscuously picks up traffic on a network segment. He returns later
to pick up the laptop, which is caught on the surveillance camera, to
take home for analysis after saving the capture file.

Using the company's security policy, she confronts Tommy and explains
that all personal property, such as laptops and palm pilots, are
subject to search if on the premises illegally. Since Tommy never
should have had his laptop there in the first place, he hands it over
to Erika. Upon careful examination, Erika finds the following trace
decode as seen in Figure 1.

Figure 1. Captured telnet traffic with a protocol analyzer

A close examination of the Hex pane of the Sniffer Pro analyzer in

Figure 2 reveals ASCII data in clear view on the right side of the
pane. While attached to a switch in the closet, Tommy ran the
configuration while connected via a telnet session. Since the telnet
protocol is unsecure and sent via cleartext, it is easy to see the
password: "cisco."

Figure 2. ASCII decode of plaintext data

This is one of the most basic principles of security: Never use a
product name as a password. But in spite of how basic a principle it
is, it's remarkable how often it is still done.

Next, turn your attention to some external threats.

External attacks

External attackers are those who must traverse your "defense in

depth" to try and break into your systems. They don't have it as easy
as internal attackers. The first scenario involves a fairly common
form of external attack known as Web site defacing. This attack uses
password cracking to penetrate the systems that the attacker wants to
deface. Another possible password cracking attack is when an attacker
tries to obtain passwords via Social Engineering. Social Engineering
is the tricking of an unsuspecting administrator into giving the
account ID and passwords over to an attacker. Lets take a look at
both.

Example: Web site home page defacing

Figure 3 demonstrates a fairly common and simple example of external

password cracking: defacing a Web site's home page. It takes little
effort and is usually accomplished by simply exploiting an Internet
Information Server (IIS) that has its permissions set incorrectly.
The attacker simply goes to a workstation and tries to attack the IIS
server with an HTML editing tool. When trying to attach over the
Internet to the site, the attacker uses a password generator tool,
such as L0phtCrack, which launches a brute force attack against the
server.

Figure 3. Home page replaced by an attacker

Your company's reputation is on the line. Business vendors and

associates will lose faith in you if they perceive that your data is
kept on unsecured servers. Make sure you look at inside and outside
threats equally.

Example: Social engineering tricks

Non-tool related tricks to crack passwords are called social

engineering attacks. Read this a scenario to learn more.
Jon is the new security analyst for a large company. His first job is
to test his company's security stance. He of course lets management
know what he is about to do (so he doesn't get labeled as an attacker
himself). He wants to see how hard it is to crack into the network
without even touching a single tool. He tries two separate but
equally devastating attacks.

As a new employee in a large organization, John isn't known to many

people yet, which makes it easy for him to pull off his first social
engineering attack. His first target is the help desk. Jon makes a
routine call to the help desk and asks for a password reset as a
supposed remote user. Jon already has half the information he needs
since he knows that the company's naming convention is simply first
name and the first initial of the user's last name. The CIO's name is
Jeff and his last name is Ronald, so JeffR is his login ID. This
information is readily available from the company's phone directory.
Masquerading as the CIO, Jon calls the help desk and asks for a
password reset because he has forgotten his password. This is a
normal ritual for the help desk technician who resets forgotten
passwords 100 times a day and calls the requestor back letting them
know what their knew password is. The help desk technician calls Jon
back five minutes later and lets him know that his new password is
"friday" because it happens to be Friday. Within another 5 minutes,
Jon is in the CIO's shared files on the server and in his e-mail.

Jon's next social engineering attack involves a good friend of his

who works for the local telephone company. Jon borrows some of his
gear and his belt and badge on his friend's day off. Jon takes his
new gear and heads to another part of the organizations campus where
all the disaster recovery routers and servers are located. This
hardware contains a working copy of all the company's current data
and is considered confidential. Jon walks into the campus security
office in his Telco costume and explains that he has been called out
by the Local Exchange Carrier (LEC) because a circuit appears to be
looped from the Telco. He needs to be let into the data center so he
can check out if there are any alarms on the Smart Jack.

The onsite administrator escorts Jon to the data center not even
checking his ID. Once inside, the administrator wisely sticks around,
so Jon starts his test. After a few minutes, Jon informs the
administrator that he will have to call his office and have them run
some more tests so he can loop off the Smart Jack and try to
troubleshoot. Jon lets the administrator know that this will take
about 45 minutes, so the administrator gives Jon his pager number and
asks that he page him when he is done to let him out. Jon has now
successfully eliminated the only obstacle between him and the 30
servers all lined up in racks along the back wall of the data center.

Jon has a few different opportunities now. He can go to every server

and start looking for unlocked consoles, or he can plug his laptop
into an open port and start sniffing. Since he really wants to see
how far he can go, he decides to look for open consoles. After five
minutes of looking through all the KVM slots, he finds a Windows NT
server running as the Backup Domain Controller for the Domain. Jon
pulls a CD out of his bag and enters it into the CD tray of the
server. He installs L0phtCrack onto a BDC for the companies Domain
and runs a dictionary attack. Within five minutes produces the
following password: Yankees. It turns out the lead administrator is a
New York Yankees fan. He now has access to the company's most vital
information.

Now look at how this was done.

Figure 4. Using L0phtCrack to break the Administrator password

A protection check list

Here is a checklist of things you can do to make password cracking

more difficult:

Audit your organization! Do a walk through and make sure passwords

are not stuck to monitors or under keyboards.
Set up dummy accounts. Get rid of the administrator (or admin)
account or set it up as a trap and audit it for attempts.
Use strong, difficult to guess passwords, and never leave a console
unlocked.
Backups are necessary in case you are compromised. You need a working
set of data, so make sure you have it. Keep the tapes secure too, or
the data there will be compromised as well.
Prevent dumpster diving. Don't throw sensitive information away;
shred it or lock it up.
Check IDs and question people you don't know. When you have visitors,
check them out and make sure they belong.
Educate your end users. Make sure they aren't prone to social
engineering and educate and remind internal users of the company's
security policies.

Summary

In this article I've described some of the psychology behind an

attacker's motivation and some of the low-tech and high-tech methods
used to crack passwords. You've looked at several attack scenarios,
including attacks against major companies by a veteran administrator,
a help desk technician, and an outside vandal. You also saw how
password crackers use techniques both internally and externally to
your infrastructure. Finally, some ideas on how to properly secure
yourself and your systems from the possibility of a password cracking
attack were offered. Combating these attacks ultimately requires a
conscious effort, trained individuals, useful tools, and sound
security policies. Hopefully, as a proactive security analyst, you
can make a difference in helping to slow down this malicious activity
within your organizations as well as outside of them. Otherwise, you
may find Jon in your server room with a smirk on his face and your
data in his hands.

S.m Ghazanfar Ali