Password Cracking
Description

  • Probably the single most common root cause of password issues is a human one: passwords are annoying, and it seems like there are far too many of them to remember. There are frequent admonishments to have strong passwords that are changed regularly and aren't reused for several months. There should be a different strong password for every site that is used as well, but how are we supposed to remember all these passwords?
  • Despite knowing better, most people come up with a short list of passwords that they find easy to remember and stick with those, reusing them for multiple sites and not changing them often, if at all.
  • These very facts of human behavior mean that the potential victims make it easier for attackers, and this is one of the reasons why password attacks are very common and surprisingly effective. The victims, in essence, shoot themselves in the foot all too often with their password behavior. This is not isolated to personal passwords; it sometimes applies to server or software administrator passwords as well.

Default Passwords

  • Many pieces of software are installed with either blank or default passwords, with the assumption that the users will change these passwords as soon as the software is installed. Yet even if the user's guide, administrator's guide, or an online reminder tells the user to change the password for security, a surprising number of users never bother to do so.
  • This can leave all of the system's security wide open, as has been shown many times on many products. There are extensive lists available online of the default account names and passwords for just about every piece of major software that ships with defaults.

Weak Passwords/Password Guessing

  • Password guessing is the most common password cracking technique, but it is one that requires some personal knowledge of the victim if it is going to be more than moderately effective.
  • To start, the attacker takes some effort to discover various personal information about the victim. This can include items ranging from a girlfriend's name, pet's name, parents' names, birth dates, etc.
  • After gathering the above information, the attacker simply tries to guess the victim's password by trying various combinations of different names and numbers. People are relatively predictable, and there are some common password patterns like:
    • Loved one's name + birth date/phone number
    • Victim's name + birth date/phone number

Insecure Password Storage

  • Storing passwords in plaintext is really the equivalent of writing them on the playground wall.
  • If passwords must be stored, at the very least they should be encrypted.
  • A better option is to store a hash that is calculated from the user's password instead of the password itself.

Insecure Password Transmission

  • This vulnerability centers around transmitting passwords in plaintext.
  • If passwords are transmitted in plaintext, they are easily obtained by network sniffing, and reliance on a Secure Socket Layer (SSL) connection still leaves the vulnerability of a spoofed or man-in-the-middle attack.
  • All transmission of sensitive information should require that the data be encrypted.
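The storage bullets above recommend keeping a hash of the password rather than the password itself. The following is an added example (not code from the original page) contrasting a plaintext record with a salted PBKDF2-HMAC-SHA256 record; the names `hash_password`, `verify_password`, the store dictionaries and the sample user/password are constructed for this illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # work factor: slows every guess a cracker makes; raise over time


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'."""
    # A fresh random salt per user means two users with the same password
    # get different records, so one precomputed table cannot crack both.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash using the salt and iteration count kept in the record."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: never treat as a match
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so a timing difference does not leak how many bytes matched.
    return hmac.compare_digest(digest.hex(), hash_hex)


# Constructed sample records for one user, "alice", with the password "Fluffy1990".
# Insecure: the page's "playground wall". Anyone who reads this learns the password.
PLAINTEXT_STORE = {"alice": "Fluffy1990"}

# Better: only the salted hash is kept; the password cannot be read back out of it.
HASHED_STORE = {"alice": hash_password("Fluffy1990")}


def record_reveals_password(record: str, password: str) -> bool:
    """True if the stored record literally contains the password (i.e. plaintext storage)."""
    return password in record


if __name__ == "__main__":
    print(record_reveals_password(PLAINTEXT_STORE["alice"], "Fluffy1990"))  # True
    print(record_reveals_password(HASHED_STORE["alice"], "Fluffy1990"))     # False
    print(verify_password("Fluffy1990", HASHED_STORE["alice"]))             # True
    print(verify_password("fluffy1990", HASHED_STORE["alice"]))             # False
```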

Dictionary-Based Attacks

  • This is a version of a password attack that relies on an automated tool that simply starts trying every word in whatever dictionary it uses as a resource to find the victim's password.
  • When it meets with success, the tool displays the password for the attacker.
  • This type of password attack is very slow and uses a lot of system resources to function. It's also useless if the user's password isn't in the dictionary.

Brute Force Attacks

  • The fallback password attack is a simple brute force attack.
  • This type of attack uses a tool to try all the possible combinations of the available keys on the keyboard.
  • This takes a long time, as there are a huge number of combinations to be tried, but it isn't reliant on the user's choice of password.
  • Because of this, it has a good success rate if the attacker wants to invest that sort of effort.

Anatomy of an Exploit

  • Default Passwords
    • An attacker sends a packet to a target machine, directed to a port used by the software they are targeting, to see if their potential victim is running the target software. If they get the response they are expecting, they know they might be able to attack this victim.
    • Once the attacker knows the target software is installed, he attempts to connect to that software using the well-known default administrator password.
    • If the default password works, the attacker now has administrative rights to that software.

  • Password Guessing
    • An attacker is attempting to log in to the network of the company he was fired from with the username of his ex-boss.
    • For a while, he tries to guess possible passwords until he succeeds with the ex-boss's wife's name and the day of their anniversary.
    • The attacker is now logged onto the network with the credentials of his ex-boss.
  • Insecure Password Storage
    • An attacker merely has to obtain access to the place the password is stored to change or steal the password.
  • Insecure Password Transmission
    • Network sniffing of the various network traffic can expose plaintext password transmission.
  • Dictionary-Based Password Attacks
    • This is the simple use of a tool that keeps submitting the username and a dictionary password guess until success is reached or the dictionary is exhausted.
  • Brute Force Attacks
    • This attack also uses a tool and keeps submitting the username and a password guess until either success is reached or the tool exhausts its options.

Examples

  • Default Passwords: In 1995, it was reported that the IRIX system of Silicon Graphics, Inc. (SGI) was being shipped with multiple accounts preconfigured with no password to provide easy plug and play install and operations.
  • Insecure Password Storage: In 1993, it was reported that a flaw in the LOGIN.EXE program in some versions of Novell's Netware software would temporarily write a user's password and username to the disk in clear text.
  • Insecure Password Transmission: In 2002, a vulnerability was reported in the driver for the SunPCi II VNC, which would allow an attacker that is sniffing unencrypted network traffic during the authentication process to see the plaintext password.

Test Techniques

  • Insecure Password Storage
    • The easiest way to detect plaintext password storage is to exercise your system while you run monitoring software in the background to monitor what is being created and stored on the local system.
    • It's important to include install and uninstall on your system while running this same monitoring software.
    • It's also important to see what storage is being done on the server, if applicable, to eliminate the possibility of insecure password storage on the server itself.
  • Insecure Password Transmission
    • Setting up a network sniffer and then performing functions that would require the user to log onto the system will disclose plaintext password transmission.
    • Remember that wireless networks can also have this vulnerability, so they should be verified as well.
  • Password Cracking
    • Attempting to brute-force crack the password of a user account by simply entering a variety of different incorrect passwords will not test the security of the password itself, but it will demonstrate whether there are any mitigations in place, like those that lock out the user after a certain number of incorrect password entries.
    • Password cracking and guessing can also be made more difficult by setting and enforcing password length and complexity rules.
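The two mitigations named in the Password Cracking test technique above, and the dictionary and brute force sections earlier, all point at the same server-side controls: lock the account after a set number of wrong guesses, and refuse passwords that are short, low-complexity, or present in a common-password dictionary. The following is an added example (not code from the original page) that implements both; `check_password_policy`, `LoginGuard`, `make_record`, the tiny `COMMON_PASSWORDS` set and the sample account are all constructed for this illustration.

```python
import hashlib
import hmac
import os
import time

# Stand-in for the word lists that dictionary tools use: a real deployment loads a large file.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin"}


def check_password_policy(candidate: str, min_length: int = 12) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = [any(c.islower() for c in candidate), any(c.isupper() for c in candidate),
               any(c.isdigit() for c in candidate), any(not c.isalnum() for c in candidate)]
    if sum(classes) < 3:
        problems.append("needs at least three of: lower, upper, digit, symbol")
    if candidate.lower() in COMMON_PASSWORDS:  # defeats the dictionary attack outright
        problems.append("appears in a common-password dictionary")
    return problems


def make_record(password: str):
    """Salted PBKDF2 record (salt, digest) so the store never holds the plaintext password."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginGuard:
    """Lock an account for LOCKOUT_SECONDS once MAX_FAILURES wrong guesses accumulate."""
    MAX_FAILURES = 5
    LOCKOUT_SECONDS = 900

    def __init__(self, stored_records: dict, now=time.time):
        self.stored = stored_records   # username -> (salt, digest)
        self.failures = {}             # username -> [count, locked_until]
        self.now = now                 # injectable clock so tests can advance time

    def login(self, user: str, password: str) -> str:
        count, locked_until = self.failures.get(user, [0, 0.0])
        if self.now() < locked_until:
            return "locked"            # refuse without checking: guessing gains nothing here
        # Hash even for unknown users so response time does not reveal which names exist.
        salt, digest = self.stored.get(user, (b"", b""))
        guess = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if user in self.stored and hmac.compare_digest(guess, digest):
            self.failures.pop(user, None)   # a successful login clears the counter
            return "ok"
        count += 1
        locked_until = self.now() + self.LOCKOUT_SECONDS if count >= self.MAX_FAILURES else 0.0
        self.failures[user] = [count, locked_until]
        return "locked" if locked_until else "denied"
```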