Password Cracker - Research Paper Example

?[Your full November 15, Password Cracker When somebody has access to someone’s network but does not have the password to enter it, he uses password cracking to retrieve the user’s password. Password crackers are most commonly used by hackers to gain unauthorized access to network systems but they are also used by network administrators to test the network security. This report intends to discuss three very important password cracking techniques namely the Brute- force technique, the Rainbow table technique, and social engineering. The report starts with introducing the Brute-force technique giving the reader an idea about its advantages and limitations. A Brute-force cracker tool has been discussed in detail shedding light upon how it uses the Brute-force technique. Next section of the paper discusses the Rainbow table technique. Its introduction follows a detailed discussion of a rainbow cracker tool. How that tool uses rainbow tables to retrieve passwords has been taken into account. Screenshots of Brute-force cracker and rainbow cracker are given at the end of the report. Last section is about social engineering which has been explained with the help of examples. The report is summarized in a concluding paragraph. MLA referencing style has been used properly both for in-text citations and the reference section. 1) Brute force technique Brute-force is one of the most powerful techniques to break plain authentications. TechTarget on the web defines brute-force technique as: “Brute force (also known as brute force cracking) is a trial and error method used by application programs to decode encrypted data such as passwords or Data Encryption Standard (DES) keys, through exhaustive effort (using brute force) rather than employing intellectual strategies.” A brute-force attack is the process of deciphering or decrypting an encrypted text by trying each possible key. The key length of the code and the attacker’s computational power is very important in every brute-force attack. The major shortcoming of brute force technique is that it requires too much time to try username and password combinations. Also, brute force attacks are very noisy meaning that they generate too much of traffic along with leaving some evidence of the attack. All the possible combinations of characters are tested against the encrypted passwords that are obtained in the brute-force dialog, in most of the tools that use brute force technique. We can understand this as a thief cracking a locked cupboard and trying different combinations of numbers. The key space of all possible combinations of passwords is calculated using the following formula: KS = L^(m) + L^(m+1) + L^(m+2) + ........ + L^(M) Let’s say that we want to crack LanManager passwords (LM) using the character set "ABCDEFGHIJKLMNOPQRSTUVWXYZ" of 26 letters. In this case, the brute-force cracker will try the above formula in this way: KS = 26^1 + 26^2 + 26^3 + ...... + 26^7 = 8353082582 8353082582 is the number of different keys that the brute force cracker tool will try. Now let’s suppose that we want to crack the same password but this time the character set is “ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+=~`[]{}|\:;"',.?/". Then, using the same formula in this case, the number of different keys to try rises to 6823331935124. An extensive key search cracking is a very time consuming task. However, if we are using the right character set, password cracking becomes a relatively easy process. Figure 1 shows a dialogue that asks the user to either put in a character set which is predefined or put in a customized character set. The initial password can also be altered to begin a previous attack again. There is another option of “key rate” that shows the number of keys that the attack attempts every second against all encrypted passwords that are loaded. “Time left” is the time remaining to complete the key space. "Current password" is the real key which is tested by the program. In the end of the process, the list of the cracker that initiated the attack is updated when the dialog is exited. This list reveals all the passwords found (Montoro). When crackers are used to test network security in an organization, the crackers like L0phtcrack from L0pht Heavy Industries use brute force technique to crack Windows NT passwords from a workstation. A report in PC magazine said that “a system administrator, who used the program from a Windows 95 terminal with no administrative privileges, was able to uncover 85 percent of office passwords within twenty minutes”, TechTarget. A tool (cracker) that uses Brute-force technique In this section, we will describe Hydra which is a very powerful brute force password cracker. According to Faircloth (278), it supports most of the network login protocols which also run on network devices.” The complete list is as follows, as given by Hauser: AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP, SOCKS5, SSH (v1 and v2), Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP. For HTTP, POP3, IMAP and SMTP, several login mechanisms like plain and MD5 digest etc. are supported. Hydra is one of the very fast brute forcers so much so that speed becomes an issue especially in Cisco Telnet Services. To slow it down, -t option is used. Suppose the network router is using the most fundamental sort of authentication like when it does not ask for a username and only password is required. Let this be the test case. In this scenario, this command is used: Hydra –t 3 –P password.txt 10.0.0.254 cisco. In this command, the speed of the cracker is specified which is the number of parallel connects; the password file is specified which is to be used; the network device’s IP address has been given; and, cisco specifies the service (Cisco Telnet here) which is to be brute forced to crack the password. When this test case was run, Hydra took only twenty two seconds to crack the password. Faircloth (279) states that we can also use Hydra to brute force the passwords in the privileged mode enable which gives Hydra absolute power over the device. Hence, Hydra is fast, flexible, supports various protocols to attack, and it is easy to add new modules to it (Hauser). According to Hauser, “Hydra was tested to compile on Linux, Windows/Cygwin, Solaris 11, FreeBSD 8.1 and OSX, and is made available under GPLv3 with a special OpenSSL license expansion.” Hydra gives security consultants the chance to gain unauthorized access to networks from remote. We can use Hydra with various brute force attacks. It also works with HTTP post form attacks which enables the user to attack web based applications. Some screenshots of this tool have been given at the end of this report, see Figure (2, 3, 4). How Hydra uses brute force? Command: Hydra [options] server service Input: [options] can be any of the following input fields: -R (restore a previous session) -S (use SSL) -s (port, used to specify a non-default port to connect to) -l (use login name) -L (filename, read login names from file) -p (use specified password) -P (filename, load passwords from file) How to use Hydra Hydra is installed by downloading it from any web source. After this, we can unzip Hydra: $ tar xvzf hydra-5.7-src.tar.gz $ cd Hydra-5.7-src/ This will unpack Hydra. We should also make sure that all C compiler dependencies have already been installed. After this, following commands are used to configure Hydra: $ ./configure Starting hydra auto configuration... Checking for openssl (libssl/ssl.h)... ... NOT found, SSL support disabled Get it from http://www.openssl.org Checking for Postgres (libpq.so)... ... found Checking for SVN (libsvn_client-1 libapr-0.so libaprutil-0.so)... ... NOT found, module svn disabled Checking for firebird (libfbclient.so)... ... NOT found, module firebird disabled Checking for NCP (libncp.so / nwcalls.h)... ... NOT found, module NCP disabled Checking for SAP/R3 (librfc/saprfc.h) ... ... NOT found, module sapr3 disabled Get it from http://www.sap.com/solutions/netweaver/linux/eval/index.asp Checking for libssh (libssh/libssh.h)... ... NOT found, module ssh2 disabled Get it from http://www.libssh.org Checking for GUI req's (pkg-config)... ... found Hydra will be installed into .../bin of: /usr/local (change this by running ./configure --prefix=path) Writing Makefile.in... now type "make" The errors that appear here mean that some C compiler dependencies have not been installed. It is important to install them if we want Hydra to work with all protocols. The above errors mean that we cannot use Hydra with SSL, SVN, and SSH protocols. When all dependencies are installed, the configuration is rerun, and then the make and the make install commands are run. For the make install command, we will prove to be a privileged user so that we can put the necessary libraries on the filesystem (i.e. use "sudo make install"). Once installation is complete, we can use Hydra from the command line or xHydra. Using the command line is totally adequate for nearly all requirements, but at times having a GUI is supportive. A Use Case One possible use case for Hydra can be to test the power of Drupal usernames and passwords. Drupal is an open source content management platform controlling millions of websites and applications. We have a users.txt and a password.txt file. The first file contains all users and the second contains all possible passwords. Now, we will identify the token component that Drupal attaches with all its login forms. To do this, we will bring the target in a web browser to view the source. The last stride is to locate a unique string that emerges when login fails. If this is not done, Hydra cannot determine if a login attempt was successful. Drupal by default gives the string "Sorry, unrecognized username or password" on wrong login attempt. When all this information has been retrieved, a Hydra brute force attack can be started: $ hydra -L users.txt -P passwords.txt 172.16.46.129 http-post-form "/drupal-6.16/node?destination=node:name=^USER^&pass=^PASS^&form_id=user_login_block&form_build_id=form-545eb8f40f49cc07d5cf994f2f7ffe2e:Sorry, unrecognized username or password." Hydra v5.7 (c) 2006 by van Hauser / THC - use allowed only for legal purposes. Hydra (http://www.thc.org) starting at 2011-11-16 11:56:02 [DATA] 16 tasks, 1 servers, 20 login tries (l:4/p:5), ~1 tries per task [DATA] attacking service http-post-form on port 80 [80][www-form] host: 172.16.46.129 login: admin password: password [STATUS] attack finished for 172.16.46.129 (waiting for childs to finish) Hydra (http://www.thc.org) finished at 2011-11-16 11:56:03 The above output reveals that Hydra effectively logged into the target site with the username "admin" and password "password". Both of these values had already appeared in the user.txt and passwords.txt files respectively. 2) Rainbow table technique Cross and Shinder (480) write in their book that, “The rainbow attack technique works by calculating all the possible hashes for a character set, and storing them in a table. The password hash is presented to the tool that uses the rainbow algorithm, and a table search is made until the password is found.” The advantage of rainbow table technique is that it is much faster that the brute force technique. However, the shortcoming of this technique is that the table size is too big and must be in terabytes for complicated or big sized passwords. Described by Philippe Oechslin, rainbow tables are the lookup tables that store pre-computed password hashes (Scarfone 5-1). A rainbow table stores all possible passwords for a character set of a specific size. The crackers search for password hashes in the table to crack the password. In other words, the attackers look up for the hash value in a rainbow table that they are curious about and can find out if that hash value is present in the table. If it is, then they are able to crack the password. Additional techniques in rainbow attacks Rainbow table technique can be enhanced by using additional techniques that make sure the effective implementation of password hashes. First of them is salting. Rainbow tables can be ineffective when we do not hash passwords using salting. Salting is the process in which some arbitrary chunk of information is included in password hashing with the aim of reducing the occurrence of identical passwords returning the similar hash. We must give serious consideration to the salting process if we want the rainbow tables to work with accuracy although we have to bear with the shortcoming that salting will require much more table space. Another technique is iterative hashing. In this process, the output of the hash function is further hashed with the hash function. Iterative hashing is repeated over and over again thousands of times. This technique slows down the hashing procedure. To get the password from the hash, it is searched in the second column of the rainbow table. If it does not match, then it is further hashed which is looked up in the second column of the table again. The process continues until matching is done. A match means that the password is present in the chain which is then recomputed frontwards from the word in the first column to acquire the password. Hash function Anderson, Bright and Cheng state that, “any hash function can be used to generate rainbow tables.” Slow hash functions take more time to generate rainbow tables while fast ones take less time. Also, those hash functions that generate smaller hash values require less storage space in rainbow tables that those whose output is longer hash values. Due to these issues, only a few hash functions are available. One most well known hash function is MD5 which is very fast and “produces an output that is only 128 bits (16 bytes) per hash” (Anderson, Bright and Cheng). We should also note that a very long password or one that is based on a character set consisting of the full 95 characters, cannot be found in a rainbow table because that will too much storage space on the table and the generation time will also be high. Too simple passwords can be found in every rainbow table. A tool (cracker that uses rainbow table technique) Ophcrack 3.3.1 is a powerful password cracker that uses rainbow table technique. It is a multi-platform password cracker and the speed is very fast as compared to brute force crackers. To give an idea, this tool can crack the password “Ghqzeji915534” in 160 seconds. Such as password is considered as very secure by many people and even by the Microsoft password strength checker which rates it as strong. The fast speed of Ophcrack is due to the rainbow table technique. As we know that passwords are not stored in memory as plain text; rather, in the form of output of a hash function, as described in the previous section. An attacker cannot gain access to the password even if he accesses the hash of that password. However, crackers like Ophcrack can gain access to the passwords by attacking the hash values using rainbow tables. A PC that attacks is able to calculate all hashes, and the speed increases due to enormous rainbow table consisting of pre-computed hash values. The attacking PC should, however, have enough storage space to store the huge rainbow table. This is why we call it a typical time-memory tradeoff. The Ophcrack website states that Ophcrack is a free rainbow cracker with a GUI and runs on multiple platforms (“What is Ophcrack?”). The features listed on the website are as follows: “Runs on Windows, Linux/Unix, Mac OS X, ... Cracks LM and NTLM hashes. Free tables available for Windows XP and Vista. Audit mode and CSV export. Real-time graphs to analyze the passwords. LiveCD available to simplify the cracking. Loads hashes from encrypted SAM recovered from a Windows partition, Vista included. Free and open source software (GPL)”. How Ophcrack uses rainbow technique? Let’s suppose we want to crack a Windows XP/2000/98/95 password using Ophcrack. We know that Windows stores passwords in hash forms. The first type of this hash form is called LM (LanManager) Hash. Suppose a password consists of 7 characters. These 7 characters are broken down into 7 character chunks which are then converted to uppercase and then hashed with DES. This implies that 237 8-bit hashes instead of 283 16-bit hashes (Back). This makes cracking easier. Now, the first thing that we will need is the Ophcrack software which can be downloaded from the website of Sourceforge. The rainbow table sets are also needed for which we will browse to LASEC and download the SSTIC04-5k rainbow table. The attacking machine should have larger memory space as already mentioned. However, if the RAM is as low as 1GB, then a smaller rainbow table can also be downloaded. When we are installing Ophcrack, we should continue without installing the rainbow tables which should be installed separately (see Figure 5). The next thing we need is hashes. We can locate them on Windows XP in C:\windows\system32\config; or in SAM file in C:\windows\repair if rdisk has ever run; or, in a register in HKEY_LOCAL_MACHINESAM. Now, to deal with Windows protection system, we can retrieve hashes by booting to Linux and copying the file from C:\windows\system32\config with a live CD. Another way is to run pwdump2 which is included in Ophcrack to locate the registry values installed by default in C:\Program Files\ophcrack\win32_tools. The command line is as follows (start -> run -> type “cmd” -> enter): C:\Documents and Settings\MrXYZ>cd “C:\Program Files\ophcrack\win32_tools” C:\Program Files\ophcrack\win32_tools>pwdump2 Administrator:499:aabbcc:3311dd::: MrXYZ:234:aabbcc:3311dd::: C:\Program Files\ophcrack\win32_tools> (The hashes and the number of users have not been shown here.) Now, since we have also retrieved hashes, we can start using Ophcrack to start cracking (see Figure 6). We click “load, PWDump file,” and select the hashes we retrieved from pwdump2 or some other source of SAM hashes (see Figure 7). Next step is to load the rainbow tables. We can do this by selecting “Tables” options and then selecting the location and type of rainbow hash table we are using which are the 5k tables in this case (see Figure 8).After that, we click the “Launch” button. First the tables will be loaded into memory which will take some time. It will begin cracking passwords (see Figure 9). Our Ophcrack test shows that the cracker took only 178 seconds per hash. 3) Social Engineering Social engineering is the oldest non-tool technique of gaining unauthorized access to passwords. The victims fall prey to social engineering when they trust that the hacker is not actually a hacker! For example, a hacker can call an IT department of an organization and show himself as an employee. Let’s understand this by a simple telephonic conversation between the hacker and Smith who works in the IT department. Hacker: Hello, This is Michael here speaking from the IT department. I wanted to ask you a favor. Actually, the boss has told me to install a new security update on your system but the problem is that I am not able to connect to the user database to retrieve your user information. Would you please tell me your password so that I fasten up the process? The boss seems to be in such a fury if I do not report him in half an hour. Smith: I see, it is no problem at all. Write down “abcd1234”, have a good day. Smith will feel sympathetic enough to reveal the password to the hacker. He becomes socially engineered at the hands of the hacker. Now, we look at another scenario. Bob is a hacker who has been appointed as a new security analyst in a company. He wants to check the security strength for which he calls the help desk. Bob: Hello help desk, I am the CEO here. I want you to reset my password urgently. Since the help desk resets 100s of passwords on daily routine, the officer resets the CIO’s password and calls back at the same number to tell Bob the new password. Help Desk: Sir, your new password is John9876. Bob already knows half of the information which is about the login IDs. He knows that the company’s convention is to use the initial of the first name attached with the last name of the person at the end as login IDs. Since the name of the CEO is John Anderson, the hacker uses JAnderson as username and John9876 as the new password, and enters the CEOs shared files on server and his confidential information. These are some of the simplest examples of social engineering. Beasley (389) defines social engineering as “a way for an intruder to gain enough information from people to gain access to the network.” It is a very low technical method to retrieve passwords which takes benefit from the naivety of human beings who reveal the passwords with a little emotional or verbose manipulation. It simply convinces them to tell their passwords. You only have to ask for the password in this method of password cracking. Attackers can also make use of discarded trash in order to attain passwords. This matter cannot be completely solved, because the more is the number of users, the more are the chances of social engineering attacks. The hacker can be from outside the organization or he may be a rascal employee. Employee sabotage is an important issue that must be understood to escape social engineering. Bogue states that “Bogue (2003) states that, “Sometimes those who are gaining access to a system are not cyberterrorists; they're just curious employees who want to learn more about the systems or perhaps play with some settings to see if they can allow themselves a greater ability to control their PCs.” How to escape social engineering? It is important to train the employees and make them aware of social engineering threats that they may face at the workplace. Also, if an employee reveals his password to us while testing, then it is our obligation to make sure that he changes his password after testing is over. This helps save us from any ill situation if ever the password gets revealed to a hacker. Employees must be able to make out fictitious phone calls; must know how to protect their data from phishing and scam e-mails; and, must be able to act quickly as soon as they spot something or someone suspicious around their surroundings. It is important for the employees not to share any critical information with anyone in or outside the workplace, and to ask for identification information for the relative department whenever someone tells them to be a part of the organization requiring certain passwords. When password cracking becomes a good idea Since we now know how crackers use different techniques to retrieve passwords, we must also know when password cracking is a good idea. If we are not hackers, which we must not be, then we can use password cracking in case we forget our own passwords; when someone in family or friends forgets a password; when, say, we bought a computer at Ebay and the seller forgot to give us the Admin account; or, when our own security of the country’s security is threatened. When password cracking becomes a bad idea Password cracking is a bad idea when, for example, we use it for gaining access to somebody’s system to know his secrets; when we want to hack into our friends’ accounts and files; when it becomes a temptation to enter into a network; when an employee attempts to disclose the organization’s critical information. Conclusion This report discussed password cracking techniques in detail. Brute-force technique is efficient but slow method of retrieving passwords. It tries different combinations of characters to get to the password. Rainbow table technique is a much faster method but it requires large memory storage space when the rainbow table gets too big. Hydra and Ophcrack are two password crackers that use Brute-force and Rainbow table techniques respectively. Social engineering technique is the oldest method of cracking a password and is done through simple, rogue manipulation of trusting persons. The need of the hour is to spread user awareness and train the employees so that they are able to protect their networks and critical passwords. Figure 1: Brute-force Password Cracking Figure 2: Hydra- Target Setup Figure 3: Hydra- Username and Password Setup Figure 4: Hydra- Start and Output Figure 5: Ophcrack installation Figure 6: Ophcrack GUI Figure 7: Ophcrack- loading hashes Figure 8: Ophcrack- loading tables Figure 9: Ophcrack output References Anderson, Nate, Bright, Peter, and Jacqui, Cheng. Unmasked. USA: Ars Technica, 2000. Back, Elliot C. “Cracking Windows Passwords with Ophcrack and Rainbow Tables.” Internet and Technology. Bug & Bird LLC, 2011. Web. 18 Nov 2011. . Beasley, Jeffrey S. “Social Engineering.” Networking. India: Pearson Education India, 2009. Bogue, Robert L. “What is physical security?” Lock IT Down: Don't Overlook Physical Security On Your Network. CBS Interactive, 2003. Web. 18 Nov 2011. Cross, Michael, and Debra Littlejohn Shinder. “Rainbow Attack.” Scene of the Cybercrime. USA: Syngress, 008. Faircloth, Jeremy. Penetration Tester's Open Source Toolkit. USA: Elsevier, 2011. Hauser, Van. THC-Hydra. N.p., n.d. Web. 17 Nov 2011. . Montoro, Massimiliano. Brute-Force Password Cracker. N.p., 2009. Web 17 Nov 2011. . Oechslin, Philippe. Making a Faster Cryptanalytic Time-Memory Trade-O?. N.p., n.d. Web. 18 Nov 2011. . TechTarget. “Brute Force Cracking.” SearchSecurity. TechTarget, 2000. Web. 17 Nov 2011. . Scarfone, Karen. Technical Guide to Information Security Testing and Assessment: Recommendations of the National Institute of Standards and Technology. USA: DIANE Publishing, 2009. “What is Ophcrack?” Ophcrack. N.p., n.d. Web. 18 Nov 2011. . Read More