9.7 Password Gathering and Cracking Software


Weak passwords are among the most serious security threats in a networked environment. Security administrators have long suffered the effects of poor password administration, but they have learned over the last few years that a strong organizational password policy saves many hours of work in the long run. With the advent of WLANs, it was quickly discovered that passwords travel across unsecured networks from client to server all the time. LANs were once thought to be very secure, but with the advent of WLANs both network administrators and hackers have discovered that networking systems that pass passwords in cleartext across wired or wireless media are absolutely insecure. As a result of this discovery, password encryption has become a must, and security mechanisms such as Kerberos implement such strong encryption. Two well-known security auditing tools used by both administrators and hackers to view cleartext passwords are WinSniffer and Ettercap, discussed as follows.

9.7.1 WinSniffer

WinSniffer is a Windows-based utility capable of capturing SMTP, POP3, IMAP, FTP, HTTP, ICQ, Telnet, and NNTP usernames and passwords in a blended wired/wireless networking environment. It is usually run on a laptop dedicated to auditing wireless networks. In a switched network environment, WinSniffer captures passwords from clients or servers. It can also recover passwords saved in applications when users have forgotten them. An adversary can use WinSniffer to monitor users checking e-mail over an unencrypted WLAN segment; with this tool, the attacker can easily pick up a user's e-mail login information and determine which domain the user accesses when checking mail. The information obtained in this manner gives the attacker full and unrestricted access to the unwitting user's e-mail account.

Hotspots (a.k.a. public access wireless networks) are commonly found in airports or in metropolitan areas. They are some of the most vulnerable areas for user or peer-to-peer attacks. Victims who are unfamiliar with security vulnerabilities in these hotspots are easy prey. Mobile users should be trained on just how easy it is to obtain login information from a peer-to-peer attack. Often, such users check their e-mail or access a corporate network from a hotspot and in the process can unwittingly give access to their accounts to hackers. Once a hacker has obtained a valid login to the victim's corporate account, they often try to obtain further access into the corporate network using the victim's credentials in order to locate more sensitive corporate information.
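The protocols listed above send credentials in cleartext, and an auditor can confirm the exposure on their own network by scanning a capture for them. The following is an added example, not code from the book or from WinSniffer: it walks a constructed set of client-to-server lines (POP3, FTP, SMTP AUTH PLAIN, HTTP Basic, IMAP LOGIN), pairs USER/PASS commands, decodes base64 where used, and reports each exposed credential with the password redacted so the report itself does not leak it.

```python
import base64
import re

# Constructed sample lines as a sniffer on an unencrypted segment would see them; made up for this example.
CAPTURE = [
    ("POP3", "USER alice"),
    ("POP3", "PASS hunter2"),
    ("FTP", "USER bob"),
    ("FTP", "PASS secret!"),
    ("SMTP", "AUTH PLAIN " + base64.b64encode(b"\0carol\0pa55word").decode()),
    ("HTTP", "Authorization: Basic " + base64.b64encode(b"dave:letmein").decode()),
    ("IMAP", 'a001 LOGIN erin "pw123"'),
    ("SMTP", "MAIL FROM:<alice@example.com>"),  # no credential on this line
]

def redact(secret: str) -> str:
    """Keep only the length, so the report can be shared without the password."""
    return "*" * len(secret)

def find_cleartext_credentials(capture):
    """Return one (protocol, username, redacted_password) tuple per credential sent in
    cleartext. Base64 (SMTP AUTH PLAIN, HTTP Basic) is encoding, not encryption."""
    findings = []
    pending_user = {}  # POP3/FTP send USER and PASS on separate lines
    for proto, line in capture:
        if proto in ("POP3", "FTP"):
            m = re.match(r"(?i)^USER\s+(\S+)$", line)
            if m:
                pending_user[proto] = m.group(1)
                continue
            m = re.match(r"(?i)^PASS\s+(.*)$", line)
            if m and proto in pending_user:
                findings.append((proto, pending_user.pop(proto), redact(m.group(1))))
        elif proto == "SMTP":
            m = re.match(r"(?i)^AUTH PLAIN\s+(\S+)$", line)
            if m:
                # SASL PLAIN payload: authzid NUL authcid NUL password
                parts = base64.b64decode(m.group(1)).split(b"\0")
                if len(parts) == 3:
                    findings.append((proto, parts[1].decode(), redact(parts[2].decode())))
        elif proto == "HTTP":
            m = re.match(r"(?i)^Authorization:\s+Basic\s+(\S+)$", line)
            if m:
                user, _, pw = base64.b64decode(m.group(1)).decode().partition(":")
                findings.append((proto, user, redact(pw)))
        elif proto == "IMAP":
            m = re.match(r'(?i)^\S+\s+LOGIN\s+(\S+)\s+"?([^"]*)"?$', line)
            if m:
                findings.append((proto, m.group(1), redact(m.group(2))))
    return findings
```

Every hit in the report is a session that should be moved to an encrypted equivalent (POP3S/IMAPS, SMTP with STARTTLS, SFTP, HTTPS) or a VPN before the user next connects from a hotspot.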

9.7.2 Ettercap

Ettercap is a multipurpose sniffer/interceptor/logger for use on a switched LAN. It supports almost every major operating system platform and can be downloaded from SourceForge [8]. Ettercap can gather data in a switched network environment, a capability that exceeds the abilities of most audit tools and makes it a quite valuable addition to the hacker's toolbox. Ettercap uses the Unix-style ncurses library to create a menu-driven user interface that is considered very user friendly for beginner-level users. Some of its better known features are character injection into an established connection, SSH1 support, HTTPS support, remote traffic via GRE tunnels, PPTP brokering, plug-in support, a password collector, packet filtering and packet rejection, OS fingerprinting, a connection killer, passive LAN scanning, poison checking, and binding of sniffed data to a local port.

9.7.3 L0phtCrack

Operating systems commonly implement password authentication and encryption at the application layer; Microsoft Windows file sharing and NetLogon processes are examples of this. The challenge and response mechanism used by Microsoft has changed over the years from LM (weak security) to NTLM (medium-level security) to NTLMv2 (strong security). Before the release of NTLMv2, tools such as L0phtCrack could easily crack these hashes in a matter of minutes. It is therefore important to configure your Windows operating system to use NTLMv2 and not the weaker versions. Proper administration of patches and service packs alone is not enough: much of the process of securing a network to use NTLMv2 must be accomplished manually [9]. LC4 is the latest version of the password auditing and recovery application L0phtCrack. According to the L0phtCrack Web site [10], LC4 provides two critical capabilities to Windows network administrators:

  1. It helps systems administrators secure Windows-authenticated networks through comprehensive auditing of Windows NT and Windows 2000 user account passwords.

  2. It recovers Windows user account passwords to streamline migration of users to another authentication system or to access accounts whose passwords are lost.

LC4 supports a wide variety of audit approaches. It can retrieve encrypted passwords from stand-alone Windows NT, 2000, and XP workstations, networked servers, primary domain controllers, or Active Directories, with or without Syskey installed. The software is capable of sniffing encrypted passwords from the challenge-response exchanged when one machine authenticates to another over the network. This software allows administrators to match the rigor of their password audit to their particular needs by choosing from three different types of cracking methods: dictionary, hybrid, and brute force analysis. Finally, using a distributed processing approach, LC4 provides administrators the ability to perform time-consuming audits by breaking them into parts that can be run simultaneously on multiple machines.

Once the intruder has captured the targeted password hashes, the hashes are imported into LC4's engine, and the dictionary attack automatically ensues. If the dictionary attack is unsuccessful, a brute force attack is automatically initiated. The processor power of the computer doing the audit will determine how fast the hash can be broken. L0phtCrack has many modes for capturing password hashes and dumping password repositories. One mode allows for "sniffing" in a shared medium (such as wireless), while another goes directly after the Windows Security Access Manager (SAM).

Windows 2000 service pack 3 introduced support for a feature called "SysKey" (short for System Key). This feature, first seen in Windows NT, is invoked using the syskey.exe executable. It encrypts the SAM so well that even L0phtCrack cannot extract passwords from it. L0phtCrack can notify an auditor that a SAM has been encrypted so the auditor need not waste time attempting to extract an uncrackable password. L0phtCrack is one of the preferred tools in a hacker's arsenal. The hacker is most likely going to use L0phtcrack in an attempt to gain access to a network. Once a hacker obtains administrator-level account information, many other tools already discussed will become quite useful to him or her.
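The section above ranks LM as weak without saying why; the weakness is in how the password is prepared before hashing. The following added example (not code from the book or from L0phtCrack) reproduces only that preprocessing, which is well documented: uppercase the password, NUL-pad or cut it to 14 bytes, and split it into two 7-byte halves that are hashed independently (each half keys a DES operation, which is omitted here). An auditor can use the findings to justify disabling LM hash storage and enforcing NTLMv2.

```python
LM_MAX_LEN = 14  # longer passwords get no LM hash at all, only an NTLM hash
LM_HALF = 7      # each half is used independently as a DES key

def lm_halves(password: str):
    """Return the two 7-byte blocks the LM scheme hashes separately, or None when
    Windows would store no LM hash (password longer than 14 characters).
    Preprocessing only: uppercase, NUL-pad to 14 bytes, split in two."""
    raw = password.upper().encode("ascii", "replace")
    if len(raw) > LM_MAX_LEN:
        return None
    raw = raw.ljust(LM_MAX_LEN, b"\0")
    return raw[:LM_HALF], raw[LM_HALF:]

def lm_audit(password: str):
    """Findings a password auditor would raise if LM hashes are still stored for
    this account. An empty list means only the NTLM hash exists."""
    halves = lm_halves(password)
    if halves is None:
        return []
    _first, second = halves
    findings = ["halves hashed independently: two 7-character searches, not one of 14"]
    if password != password.upper():
        findings.append("case lost: LM uppercases the password before hashing")
    # An all-NUL half always hashes to the same well-known constant, so a short
    # password is recognizable from the stored hash alone.
    if second == b"\0" * LM_HALF:
        findings.append("second half empty: 7 characters or fewer, half the work")
    return findings

if __name__ == "__main__":
    for pw in ("hunter2", "Passw0rd", "PASSWORD123456", "correct horse battery"):
        print(pw, lm_halves(pw), lm_audit(pw))
```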

9.7.4 Lucent Registry Crack

Proxim Orinoco PC cards store an encrypted hash of the WEP key in the Windows registry. The Lucent Registry Crack (LRC) utility is a simple command-line tool used to decrypt these values. The problem hackers face is getting these values from another computer, especially one that has the proper WEP key for the AP the hacker wants to attack. This task is accomplished using a remote registry connection, which the attacker can make with the Windows Registry Editor on his or her own computer. Once remotely connected, the hacker must know where the key is located in the remote registry in order to copy and paste it into a text document on his or her computer. Once this is done, the hacker can use LRC to analyze this encrypted string and produce the WEP key. This process takes only a few seconds at most to complete. When the attacker has derived the WEP key using LRC, he or she can simply insert it into a computer to gain access to the target network. This process can be defeated when wireless end users are properly trained to implement safeguards against peer-to-peer attacks (such as installing personal firewall software or enabling IPSec policies).

9.7.5 Wireless Protocol Analyzers

Wireless protocol analyzers are used to capture, decode, and filter wireless packets in real time. Many products also support multiple frequency bands used in 802.11b and 802.11a networks. Protocol analyzers operate in RF monitor mode capturing packets as they are transmitted across the medium. Protocol analyzers make no attempt to connect or communicate with APs or other wireless peers while in this mode. There are many vendors in the protocol analyzer space, whose products include the following:

  • AirMagnet

  • Ethereal

  • Fluke WaveRunner Wireless Tester

  • Network Associates Sniffer Pro Wireless

  • Network Instruments Observer

  • Wildpackets Airopeek

Not all wireless packet analysis tools have identical functionality. For example, some do not offer real-time packet decoding. Some force the user to capture packets and export them to a reader utility. Some analyzers decode OSI Layer 2 through 7 protocols, whereas others decode only Layer 2 frame headers.




Wireless Operational Security
ISBN: 1555583172
Year: 2004
Pages: 153