Chapter 8: Password Cracking Brute-Force Tools

Overview

A smile, a house key, a password. Whether you’re trying to get into a nightclub, your house, or your computer, you will need something that only you possess. On a computer network, users’ passwords have to be strong enough so that Dwayne can’t guess Norm’s password and Norm can’t steal Dwayne’s password (since Dwayne might have written it on the bottom of his keyboard). Bottom line—one weak password can circumvent secure host configurations, up-to-date patches, and stringent firewall rules.

In general, an attacker has two choices when trying to ascertain a password. He can obtain a copy of the password or hash if encrypted and then use brute-force tools to crack the encrypted hash. Or he can try to guess a password. Password cracking is an old technique that is most successful because humans are not very good random sequence generators.

It’s important that you understand how (and where) most passwords are stored so you know what these tools are doing and the method behind their madness. Passwords on Unix and Windows systems are stored with “one-way” hashes, and these passwords cannot be decrypted. Instead, a user login goes through a simple process. For example, Neil’s password abc123 is stored on a Unix system as the hash kUge2g0BqUb7k (remember, we can’t decrypt this hash). When Neil tries to log into the system, imagine he mistypes the passwords as abc124. The Unix system calls its crypt() function on the password abc124 to generate a temporary hash. The hash for abc124 will not match the stored hash for abc123, so the system tells Neil he has entered an incorrect password. Notice what has happened here. The candidate password (abc124) is hashed and matched to the stored hash (kUge2g0BqUb7k). The stored hash is not decrypted. Taking the hash of a known word and comparing it to the target hash of the password is the basis for password-cracking attacks.