Chapter 8: Password Cracking Brute-Force Tools

OVERVIEW

A smile, a house key, a password. Whether you're trying to get into a nightclub, your house, or your computer, you will need something that only you possess. On a computer network, users' passwords have to be strong enough so that Dwayne can't guess Norm's password and Norm can't steal Dwayne's password (since Dwayne might have written it on the bottom of his keyboard). Bottom line: one weak password can circumvent secure host configurations, up-to-date patches, and stringent firewall rules.

In general, an attacker has two choices when trying to ascertain a password. He can obtain a copy of the password (or of its hash, if it is stored encrypted) and then use brute-force tools to crack the hash. Or he can try to guess the password. Password cracking is an old technique that is most successful because humans are not very good random sequence generators.

It's important that you understand how (and where) most passwords are stored so you know what these tools are doing and the method behind their madness. Passwords on Unix and Windows systems are stored with "one-way" hashes, and these passwords cannot be decrypted. Instead, a user login goes through a simple process. For example, Neil's password abc123 is stored on a Unix system as the hash kUge2g0BqUb7k (remember, we can't decrypt this hash). When Neil tries to log into the system, imagine he mistypes the password as abc124. The Unix system calls its crypt() function on the password abc124 to generate a temporary hash. The hash for abc124 will not match the stored hash for abc123, so the system tells Neil he has entered an incorrect password. Notice what has happened here. The candidate password (abc124) is hashed and matched to the stored hash (kUge2g0BqUb7k). The stored hash is not decrypted. Taking the hash of a known word and comparing it to the target hash of the password is the basis for password cracking attacks.

Other brute-force techniques take advantage of rising hardware performance combined with falling hardware cost. This time-memory tradeoff means that it is actually easier to pregenerate an entire password dictionary and execute lookups of password hashes. These pregenerated dictionaries, often referred to as Rainbow Tables, consist of the entire key space for a combination of length and content. For example, one dictionary might consist of all seven-character combinations of lower- and uppercase alphanumerics, while another dictionary might consist of nine-character combinations of only lower- and uppercase letters. These dictionaries are encrypted with DES, MD5, or whatever target algorithm the user desires. Of course, these dictionaries can quickly reach the size of hundreds of gigabytes of data; however, desktop systems with a terabyte of storage can be reasonably constructed in 2005.

With these great dictionaries in hand, an attacker need only wait for a single search through the dictionary. The benefits of this technique become readily apparent when you consider that searches for hundreds of passwords no longer require hundreds of redundant iterations through the key space. The real time to crack a password comes only once at the beginning, when the attacker must first construct the dictionary, a process that can take weeks or months (or longer!) to complete.

Note that precomputed dictionaries can be trivially defeated by the use of password salts. These dictionaries rely on the expectation that the word "ouroboros" will always be hashed to 0639bbc687a6a1be21576dc562a08fc4 in the MD5 scheme. Yet if any text is prepended or appended to the password, then the nine-character lowercase source of the hash can become much longer. For example, it is less likely that an attacker will have a 13-character MD5 dictionary to crack 6b149393cf909a49576032be9d73de85 (wormouroboros). Salts, if properly implemented, greatly reduce the threat of precomputed dictionary attacks.
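The following sketch is an added example, not code from the book. It shows the hash-and-compare login check and why a per-user salt makes a precomputed hash-to-word table useless. The function names and the four-word list are assumptions constructed for illustration, and MD5 appears only because the text above uses it.

```python
import hashlib
import hmac
import os

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

# Constructed sample word list standing in for a pregenerated dictionary.
WORDS = ["abc123", "password", "ouroboros", "letmein"]

def build_lookup(words):
    """Precompute hash -> word once; every later search is a single lookup."""
    return {md5_hex(w.encode()): w for w in words}

def store_unsalted(password: str) -> str:
    """Same password always yields the same stored hash."""
    return md5_hex(password.encode())

def store_salted(password: str, salt: bytes = None):
    """Prepend a random per-user salt before hashing (the text's 'worm' prefix, but random)."""
    salt = os.urandom(16) if salt is None else salt
    return salt, md5_hex(salt + password.encode())

def verify(candidate: str, salt: bytes, stored: str) -> bool:
    """Login check: hash the candidate with the stored salt and compare.
    Nothing is decrypted; compare_digest avoids a timing side channel."""
    return hmac.compare_digest(md5_hex(salt + candidate.encode()), stored)

def demo():
    table = build_lookup(WORDS)
    unsalted = store_unsalted("ouroboros")
    salt, salted = store_salted("ouroboros")
    return {
        "unsalted_found": table.get(unsalted),   # table recovers the word
        "salted_found": table.get(salted),       # table has no entry for the salted hash
        "good_login": verify("ouroboros", salt, salted),
        "bad_login": verify("ouroboros1", salt, salted),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A production password store would also replace the fast hash with a deliberately slow function such as hashlib.scrypt or hashlib.pbkdf2_hmac, so that each guess against a stolen hash costs more.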



Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2006
Pages: 175
