Passwords Attacks, Tools, and Techniques


Passwords can be attacked in one of five major ways: reset, guessed, captured, cracked, or socially engineered out of the user. This chapter covers the first four.

Password Resetting

At least once in their careers, most network administrators find themselves locked out of a computer because they don't have the correct Administrator password. Or the administrator is asked by human resources to break into a password-protected Microsoft Word file. Many administrators spend time trying to brute force the password or fiddling around with password crackers when what they really need is a password resetter.

Many of the programs claiming to be password crackers are really password resetters. They don't recover the current password; they overwrite it with a value the administrator chooses, or simply blank it. In most programs and operating systems, Windows included, the location of the stored password hashes is known or easily found, and it is far easier to locate a stored hash and replace it with one of your own than to reverse the hash.

Local Windows logons authenticate against accounts and password hashes stored in the local SAM database. On disk the SAM lives in %Windir%\System32\config (the SAM and SECURITY hive files); while Windows is running, the hive is loaded at HKLM\SAM, with HKLM\SECURITY\SAM linked to it. The local SAM database (as compared to the Active Directory database) is the target most often attacked by password crackers and resetters. Because the local SAM is simply a file on the hard drive, an attacker who can read the disk outside of Windows can copy it, extract the password hashes from it, or overwrite the existing hashes with new ones.

Domain passwords are stored in SAM database files on Windows NT domain controllers and in Active Directory database files on Windows 2000 and later domains. In Windows 2000 and later domains, all domain controllers in the same domain have a nearly identical copy of the Active Directory database. Active Directory password hashes are stored in a file called Ntds.dit, located by default in the %SystemRoot%\NTDS directory on a domain controller. Like the SAM database, the hashes can be located in the Active Directory database once it is offline (they are encrypted with a key that is itself protected by the SYSTEM hive, so an attacker needs that hive too), although most password resetting and cracking tools only work with SAM databases.

Windows attempts to protect both SAM and Active Directory database passwords against unauthorized access. However, many hacking tools can successfully access these databases to extract the password hashes or to reset the current passwords. In most cases this requires either physical access, so that the attacker can boot around the Windows operating system and hence its protections, or administrator-level privileges on the running system.

Theoretically, any boot diskette that lets you boot into its own operating system and can read NTFS partitions can reset a Windows password. The attacker boots from the boot image, mounts the NTFS partition read/write, and then modifies the appropriate bytes in the SAM file. The hard part is determining the appropriate bytes for resetting or changing a password. If you plan to set a new password rather than blank it, you need to be able to write it in its LM or NT hashed form, and on Windows 2000 and later (or NT 4 with Syskey enabled) the stored hashes are additionally encrypted with a key derived from the SYSTEM hive, so the tool must handle that layer as well. The tool described next does both.

Nordahl Boot Diskette

Norwegian Petter Nordahl-Hagen gained underground popularity when he created an open-source floppy-sized Linux distro containing a script (chntpw) that automates Windows SAM database password resetting. You can download a bootable floppy diskette or CD disc image from http://home.eunet.no/~pnordahl/ntpasswd. Widely known as the Nordahl boot disk, its official name is the Offline NT Password & Registry Editor.

Once booted, the user tells Petter's command-line script which disk contains the Windows SAM file, the path to the SAM file if it is not in its default location, the SAM file name, and whether the password should be blanked or changed to something else. In most cases the user can simply take all the defaults and the password will be reset. The menus look like the following examples:

 =========================================================
 . Step THREE: Password or registry edit
 =========================================================
 chntpw version 0.99.2 040105, (c) Petter N Hagen
 [.. some file info here ..]
 * SAM policy limits:
 Failed logins before lockout is: 3
 Minimum password length        : 6
 Password history count         : 20

 <>========<> chntpw Main Interactive Menu <>========<>

 Loaded hives: <sam> <system> <security>

   1 - Edit user data and passwords
   2 - Syskey status & change
   3 - RecoveryConsole settings
       - - -
   9 - Registry editor, now with full write support!
   q - Quit (you will be asked if there is something to save)

 What to do? [1] -> 1

 ===== chntpw Edit User Info & Passwords ====

 RID: 01f4, Username: <Administrator>
 RID: 01f5, Username: <Guest>, *disabled or locked*

 Select: ! - quit, . - list users, 0x<RID> - User with RID (hex)
 or simply enter the username to change: [Administrator]

Note that hexadecimal value 01f4 equates to decimal 500, the relative identifier (RID) of the built-in Administrator account. The RID, not the name, identifies the account: a renamed built-in Administrator still has RID 500, and here the RID 500 account is still called Administrator, so it hasn't been renamed. After selecting the Administrator account, the user will see the following menu text:

 RID     : 0500 [01f4]
 Username: Administrator
 fullname:
 comment : Built-in account for administering the computer/domain
 homedir :

 Account bits: 0x0210 =
 [ ] Disabled        | [ ] Homedir req.    | [ ] Passwd not req. |
 [ ] Temp. duplicate | [X] Normal account  | [ ] NMS account     |
 [ ] Domain trust ac | [ ] Wks trust act.  | [ ] Srv trust act   |
 [X] Pwd don't expir | [ ] Auto lockout    | [ ] (unknown 0x08)  |
 [ ] (unknown 0x10)  | [ ] (unknown 0x20)  | [ ] (unknown 0x40)  |

 Failed login count: 0, while max tries is: 0
 Total  login count: 3

 * = blank the password (This may work better than setting a new password!)
 Enter nothing to leave it unchanged
 Please enter new password: *

After pressing Enter, the script will notify the user that the change has been made and re-confirm that the change should be written to disk. After rebooting the machine back to Windows, the new password should be in effect.

The Nordahl password reset diskette works very well and is frequently updated. There are some caveats: it may not work with dynamic disks, and it occasionally fails for other reasons. More importantly, because the password is changed behind Windows' back, the account's DPAPI master keys are not re-encrypted under the new password, so any EFS-encrypted files and other DPAPI-protected secrets (saved credentials, certificate private keys) belonging to that account become unreadable; the tool's documentation warns about this. With that said, the price is right: it's free! There are many other Windows password resetting programs, free and commercial, including the following:

  • Winternals Administrator's Pak (www.winternals.com/products/repairandrecovery/index.asp?pid=ap)

  • NT Resetter (www.mirider.com/ntaccess.html). It is notable because not only will it reset a local Administrator password, but it can re-enable the account if it is disabled.

  • Windows XP/2000/NT Key (www.lostpassword.com/windows-xp-2000-nt.htm). A commercial product that needs Windows install boot diskettes to work, but claims to reset domain administrator passwords and work with Windows Server 2003.

  • EBCD-Emergency Boot CD (http://ebcd.pcministry.com)

  • Austrumi (http://sourceforge.net/projects/austrumi). Another open-source bootable Linux image.

  • O&O BlueCon XXL (www.oo-software.com/en/products/oobluecon/index.html). A commercial product that can reset local SAM passwords. Works with XP, 2000, and NT, but does not mention Windows Server 2003.

Note 

There is even an article detailing how to install a Linux-based password resetter on a USB flash drive or music player; see http://sl.mvps.org/docs/PasswordResetUSBDrive.htm.

Keep in mind that password resetting is often the solution to a missing or forgotten password problem, and hackers might be as happy resetting a password as they are cracking it. The difference is noise: a reset locks the legitimate user out at their next logon, so an intruder who wants to stay hidden will prefer to crack the existing password and use it.

Password Guessing

One of the most rudimentary ways to crack a password is to guess it. A password guesser could simply find an abandoned computer on the target network, press Ctrl+Alt+Del and begin guessing logon names and passwords. As discussed above, most networks have easily guessable passwords. Most penetration testers will tell you that they have never failed to get into a network by guessing at easy passwords, even when the target company requires complex passwords. The trick is finding input avenues that were overlooked by the administrator and looking for forgotten accounts. It is the rare enterprise that has all user accounts and passwords across the environment managed completely. There is almost always low-hanging fruit somewhere.

Most Windows password-guessing attacks use a remote connection to guess passwords, or they use the command-line Net Use drive mapping method. There are a few simple batch files you can find on the Internet to automate using the Net Use command for password guessing. Here's an example:

 for /f "tokens=1,2*" %i in (Input.txt) do net use \\TargetIPAddress\Netlogon %j /user:TargetIPAddress\%i >nul 2>&1 && echo Logonname %i Password %j >>Passwords.txt & net use \\TargetIPAddress\Netlogon /delete >nul 2>&1

Every password guessing tool is essentially a faster and more sophisticated version of the previous programming logic. (Three details matter in practice: typed inside a .bat file the variables must be written %%i and %%j; the Netlogon share exists only on domain controllers, so against a member server or workstation connect to IPC$ instead; and Windows allows only one set of credentials per server from a session, so each successful or failed connection must be deleted before the next guess or every later attempt fails with error 1219 regardless of the password.) In the Input.txt file, the attacker would have potential logon names followed by a space and then a potential password. Each line in the Input.txt file would have a separate logon name and password. If the intruder wanted to guess multiple passwords for the same logon name, the logon name would have to be repeated on multiple lines, each followed by a possible password. Here's an example:

 Arcserve tape
 Arcserve backup
 Arcserve tapebackup

The resulting Passwords.txt file would contain only successful logon events. Unfortunately, manually guessing at the logon GUI or Net Use prompt can be slow—less than one per second even when automated by a batch file. Fortunately, there are tools that do faster password guessing. Several programs will answer a user name/password prompt with a predetermined list of user names and passwords. Brutus (www.hoobie.net/brutus/brutus-download.html) is one of the most popular.
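Whatever tool does the guessing, the order of the guesses decides whether the attack locks out the very accounts it is trying to open (the chntpw output earlier in this chapter showed a policy of three failed logons before lockout). The following is an added example, not code from the book or from any of the tools named here: SimulatedHost is a constructed stand-in for the target's SMB logon, with a made-up account list, so the script runs offline and never touches a real host. It contrasts the user-major order of the Input.txt above with a password-major "spray" order capped below the lockout threshold.

```python
"""Lockout-aware ordering for a password-guessing loop (added example)."""


class SimulatedHost:
    """Minimal model of Windows account lockout: after `threshold` failed
    logons an account refuses even the correct password. Constructed stand-in
    for the real SMB logon performed by `net use`."""

    def __init__(self, accounts, threshold):
        self.accounts = accounts      # {user: password}, constructed test data
        self.threshold = threshold    # "Failed logins before lockout"
        self.failed = {}              # per-account failed-logon counter

    def logon(self, user, password):
        if user not in self.accounts:                  # no such account: nothing to lock
            return False
        if self.failed.get(user, 0) >= self.threshold:  # locked out: right password refused too
            return False
        if self.accounts[user] == password:
            return True
        self.failed[user] = self.failed.get(user, 0) + 1
        return False

    def locked(self):
        return sorted(u for u, n in self.failed.items() if n >= self.threshold)


def user_major_order(users, passwords, threshold):
    """What the Input.txt above does: every password for one user, then the next
    user. Any account with `threshold` wrong guesses ahead of the right one locks."""
    return [(u, p) for u in users for p in passwords]


def spray_order(users, passwords, threshold):
    """Password-major order, capped at threshold-1 guesses per user so nothing
    locks. Further guesses must wait for the lockout observation window to
    expire, which is why a careful spray is slow."""
    return [(u, p) for p in passwords[: threshold - 1] for u in users]


def run_guessing(host, users, passwords, order=spray_order):
    """Run the guesses in the chosen order; returns {user: password} found."""
    found = {}
    for user, password in order(users, passwords, host.threshold):
        if user in found:
            continue
        if host.logon(user, password):
            found[user] = password
    return found


# Constructed target data for the demonstration.
ACCOUNTS = {"Arcserve": "backup", "backupexec": "Password1", "jsmith": "Summer06"}
USERS = ["Arcserve", "backupexec", "jsmith", "nobody"]
PASSWORDS = ["password", "backup", "Password1"]

if __name__ == "__main__":
    for order in (user_major_order, spray_order):
        host = SimulatedHost(ACCOUNTS, threshold=3)
        print(order.__name__, run_guessing(host, USERS, PASSWORDS, order),
              "locked:", host.locked())
```

Against this host the user-major run recovers two passwords but locks jsmith out, which is exactly the event a monitored network alerts on; the spray run recovers only one password, leaves no account locked, and would need another round after the observation window to try Password1.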

Brutus

Brutus can do brute-force password guessing on a variety of mechanisms, including SMB, HTTP, POP3, FTP, Telnet, Cisco routers, NNTP, and SMTP. It can maintain up to 60 simultaneous connections. Brutus is a GUI tool, but it relies on two text files: Users.txt and Words.txt. Users.txt is an ASCII text file of the logon names you wish to try. Words.txt contains the passwords you wish to try for each logon name. Both files are meager with the default install, but you can download very large text files for both off the Internet. As Figure 4-8 shows, once Brutus is started, you simply choose which authentication method to attack (in this case, SMB) and type in a host name or IP address of the target computer. Brutus will do the rest.

image from book
Figure 4-8

TSGrinder

TSGrinder (available at www.hammerofgod.com/download.htm) is a brute-force attack tool for Terminal Services and RDP connections. It works in conjunction with Microsoft's Roboclient (ftp://ftp.microsoft.com/ResKit/win2000/roboclient.zip) to mimic the keystrokes an intruder would manually take when trying to brute force an RDP connection. This means it connects to port 3389, sends the normal RDP client connection request commands, and, when prompted, sends a logon name and password. It works great, and you can watch TSGrinder grinding away at the remote RDP connection in a nice GUI window. If the remote RDP service has been moved off the default port 3389 (as I strongly recommend doing), the attacker can run the accompanying ProbeTS (www.hammerofgod.com/download/probets.zip) or TSEnum (www.hammerofgod.com/download/TSEnum.zip) to find the moved port.

A quick trick to defeat TSGrinder and other GUI brute-force attacks is to enable Windows logon banners (covered in Chapter 14). When a Windows logon banner is turned on, each time a GUI user tries to log on, they are first shown a banner warning dialog box that they must acknowledge to get to the normal user name and password logon prompt. Although it would be trivial to fix, I've yet to see a brute-force GUI attack tool that took the banner warning message box into account. Instead, they trip themselves up waiting for a logon prompt that isn't going to appear without an additional Enter.

SQL Brute Forcing

Microsoft SQL Server is interesting in that it supports two types of logon authentication: normal Windows authentication and SQL Server's own native authentication, and only the latter can be brute forced without a Windows account. There are tools to help locate active SQL Servers (and MSDE instances), including SQLRecon (www.sqlsecurity.com/DesktopDefault.aspx?tabid=26) and the excellent GUI tool SQLPing2 (www.sqlsecurity.com/DesktopDefault.aspx?tabid=26), which finds instances by querying the SQL Server Resolution Service on UDP port 1434.

Once you find active SQL servers, there are several tools that will automate attacks against Microsoft SQL servers, including command-line ForceSQL (www.nii.co.in/resources/tools.html#fsql), MSSqlPwd (http://packetstormsecurity.org/Crackers/mssqlpwd.zip), Sqlbf (http://packetstormsecurity.org/Crackers/sqlbf.zip), SQL Auditing Tool (www.cqure.net/tools.jsp?id=6), and Sqlbf-all (http://packetstormsecurity.org/Crackers/sqlbf-all-src-1.0.1.zip). The free tools located at www.sqlsecurity.com are among the best password auditing tools in existence.

There are brute-force guessing tools for nearly any application or service.

Password Capturing

Why spend time guessing the password when you can find or capture it? Social engineering is still a primary method for most professional hackers for gaining passwords. Even after all the warnings, help desks are still too eager to help "distraught" users reset their passwords. The problem seems worse the larger the company. Hackers, of course, look through garbage for passwords, and if physically onsite, shoulder surf or look for written passwords.

Keylogging Trojans

Password logging trojans are becoming ever more popular today. Many Internet worms, when installed, contain keystroke logging trojans. The trojans intercept the user's keystrokes as they type in passwords and store the collected information in a file. The hacker can then remotely pick up the file at a predetermined interval, or the trojan can e-mail, ftp, or use instant messaging to send the captured passwords.

An early password logging trojan was FakeGina (http://ntsecurity.nu/toolbox/fakegina). To use it, the hacker modifies the GinaDLL value under the registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon so that it points to Fakegina.dll instead of Msgina.dll (the legitimate Microsoft logon GUI). FakeGina passes every call through to the real Msgina.dll, so the user notices nothing, but when the user logs on with the normal Ctrl+Alt+Del sequence the user name, domain, and password are written to a text file. FakeGina was startling when it was first released, but today there are many such trojans.

Why let the hacker kids have all the fun? There are dozens of commercial products that brag about their ability to capture every keystroke. The keystrokes can be sent in real time or e-mailed at a later date. To find these types of products, just search the Internet for the keywords "divorce" and "spyware." Here are some links that lead to top-rated spyware products: www.e-spy-software.com, www.netspysoftware.com, and www.win-spy.com/partnerlinks/Cheating%20Spouse%20Spy%20Software.htm. You can't help but shudder when you read some of the feature sets.

Hardware Keyloggers

Even more serious are the newer hardware keystroke logging products (for example, see www.keyghost.com). Hardware keyloggers are small devices, typically resembling a PS/2 adapter, inserted between the keyboard cable and the PC. Containing memory chips, they record thousands of keystrokes for up to months. Some hardware keyloggers allow the installer to retrieve the data remotely, although most require that the logger be physically picked up to retrieve any captured information. Because nothing runs on the host, no software, antivirus or otherwise, can see an inline logger; only a physical inspection of the cabling will.

Hardware keyloggers have been involved in several large banking heists and have even been used to capture hackers. Hardware keyloggers are becoming a favorite evidence tool for the FBI and CIA. I've even heard several security vendors complaining about their customers using hardware loggers to capture the vendor's passwords while the vendor was onsite helping in an emergency.

The major distinction of all of the mechanisms in the password capturing category is that they capture the passwords in plaintext. No further computation is needed to find a usable password.

Password Cracking

Password cracking involves capturing the password credentials in a non-plaintext state and then using automation tools to attempt to find the original plaintext passwords. Usually, password cracking is done by capturing authentication traffic on the network or extracting password hashes from the password authentication database on the client or server.

Extracting Password Hashes

Extracting Windows password hashes can be done in one of two ways: offline or online. Offline attacks use a bootable operating system that can read NTFS partitions to boot around Windows. But unlike the Petter Nordahl boot disk, which simply resets passwords, these boot disks let the user copy the local SAM or Active Directory database (together with the SYSTEM hive, which holds the key the stored hashes are encrypted with) and attack it offline. Once a SAM file has been extracted, there are several tools it can be imported into for analysis, including Cain & Abel (www.oxid.it), John the Ripper (www.openwall.com/john), and LC5 (covered below). These types of attacks can be prevented by allowing booting only from the primary hard disk and password protecting the BIOS to ensure that the boot order remains as you set it. Keep in mind that a BIOS password only raises the bar: an attacker with the case open can clear it, or simply move the drive to another machine, so full-disk encryption is the only real protection for a disk that leaves your control.

Pwdump

More common is an attacker accessing Windows while the password databases are online and in use. These methods usually require an administrator-level account connection. The most famous free attack tool in this class is called Pwdump. The original Pwdump was written by Jeremy Allison; it has since been taken over by several different programmer teams working independently of each other. Todd Sabin's Pwdump2 (www.bindview.com/Services/RAZOR/Utilities/Windows/pwdump2_readme.cfm), his last official version, was the first to bypass Syskey protection and to dump password hashes from Active Directory, which the original could not do. Pwdump3 added remote extraction (you still need an Administrator-level account) and extraction of password history hashes. Pwdump4.02 (http://pr.openwall.net/dl/pwdump/pwdump4.zip) is the latest version and fixes a few bugs found in Pwdump3. Be careful when downloading Pwdump: several trojaned versions pose as legitimate copies.

Pwdump4.02 can extract password hashes from local or remote NT and later machines and dump the results to the screen (or text file). It accomplishes this by copying and executing a service called Pwservice.exe to the target machine and injecting a dll (Lsaext.dll) into the Lsass.exe process. It then enumerates the user accounts and intercepts the results from Lsass. The target machine must have an enabled Admin$ share, the Remote Registry service must be enabled, and the attacker must have administrator privileges. The output is displayed in l0phtcrack format, which is the industry standard for this sort of thing. Figure 4-9 shows an example Pwdump4.02 result.

image from book
Figure 4-9

Pwdump's output is one colon-separated line per account, formatted like this (the second field is the account's RID, the last component of its SID; empty fields are left as consecutive colons):

 AccountName:RID:LMhash:NThash:PasswordHistory1:PasswordHistory2:

Figure 4-9 shows that the account called Administrator is the built-in Administrator because it has RID 500. The krbtgt account exists only on domain controllers, so the queried computer must be a domain controller, and ExampleW2K3$ is that domain controller's computer account. There are no password history hashes, which means either that all the accounts are new or that no password has been changed since the accounts were created. The Guest, krbtgt, and ExampleW2K3$ accounts show the "null" LM hash (AAD3B435B51404EEAAD3B435B51404EE, which is simply the LM hash of an empty password), but the other accounts don't. That value appears whenever no LM hash is stored: the password is blank, is longer than 14 characters (the most LM can represent), contains characters LM cannot encode, or was set after LM hash storage was disabled. For krbtgt and the computer account it reflects their long, randomly generated passwords; Guest is disabled and has a blank password by default, and its NT hash settles which case applies (31D6CFE0D16AE931B73C59D7E0C089C0 is the NT hash of an empty password). If LM hashing had been disabled on this computer, every account whose password changed after the setting took effect would show the null LM hash; since no account shows a password history hash, no password has changed, so the LM hashes on the other accounts prove the setting is not in force.

Note 

A modified version of Pwdump3e, Pwdump6, is available at www.foofus.net/fizzgig/pwdump. However, it is largely untested, and it is unknown at this time how it compares to Pwdump3e's functionality (although it is certain that, unlike Pwdump3e, Pwdump6 does not encrypt the password hashes it sends over the wire).

The Administrator, Elizabeth, and Amanda user accounts share identical LM and NT hashes. This means their passwords are identical: crack one and you crack them all. Lastly, the Administrator, Amanda, Richard, and Elizabeth accounts all share the same first half of the LM hash, but Richard has a different second half. This means Richard shares a common password root, at least the first 7 characters (ignoring case), with the other accounts, but his password ends differently. The two halves are independent because LM upper-cases the password, pads it to 14 characters, splits it into two 7-character pieces, and uses each piece as a DES key to encrypt a fixed constant; a 14-character LM password is therefore two 7-character problems, which is why crackers attack the halves separately. You can learn a lot from a password hash dump. Once the hashes are extracted, they need to be imported into a password cracker.
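The inferences drawn above from Figure 4-9 can be mechanized; the following is an added example, not code from the book or from Pwdump. It parses pwdump-format lines and reports the built-in Administrator, domain controller and computer accounts, blank and missing LM hashes, shared passwords, and shared LM first halves. The sample dump is constructed to mirror the figure: the LM and NT hashes of "password" and of the empty password are the well-known values, while Richard's second LM half and the NT hashes of krbtgt, the computer account, and Richard are made-up placeholders.

```python
"""Analyze a pwdump-format hash dump the way the text does by eye (added example)."""
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty (or absent) password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password
HALF = 16                                        # one LM half = 8 bytes = 16 hex digits

# Constructed dump in user:RID:LMhash:NThash::: form. Administrator, Elizabeth and
# Amanda all have the password "password"; Richard's second LM half and NT hash, and
# the krbtgt and computer-account NT hashes, are placeholder values.
SAMPLE_DUMP = """\
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
EXAMPLEW2K3$:1000:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
Elizabeth:1104:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
Amanda:1105:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
Richard:1106:e52cac67419a9a221111111111111111:22222222222222222222222222222222:::
"""


def parse_pwdump(text):
    """One dict per line; hashes are lower-cased so comparisons are exact."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 4 or len(fields[2]) != 32 or len(fields[3]) != 32:
            raise ValueError(f"not a pwdump line: {line!r}")
        entries.append({"user": fields[0], "rid": int(fields[1]),
                        "lm": fields[2].lower(), "nt": fields[3].lower()})
    return entries


def analyze(entries):
    """Draw the conclusions the text draws from Figure 4-9."""
    by_nt, by_lm_half = defaultdict(list), defaultdict(list)
    for e in entries:
        by_nt[e["nt"]].append(e["user"])
        if e["lm"] != EMPTY_LM:
            by_lm_half[e["lm"][:HALF]].append(e["user"])
    return {
        # RID 500 is the built-in Administrator whatever it has been renamed to
        "builtin_admin": next((e["user"] for e in entries if e["rid"] == 500), None),
        # krbtgt exists only on domain controllers
        "is_domain_controller": any(e["user"].lower() == "krbtgt" for e in entries),
        "computer_accounts": [e["user"] for e in entries if e["user"].endswith("$")],
        # empty NT hash: the password really is blank
        "blank_password": [e["user"] for e in entries if e["nt"] == EMPTY_NT],
        # empty LM hash but a real NT hash: >14 chars, non-LM characters, or LM storage off
        "no_lm_hash": [e["user"] for e in entries
                       if e["lm"] == EMPTY_LM and e["nt"] != EMPTY_NT],
        # second LM half equals the empty second half: password is 7 characters or fewer
        "seven_or_fewer": [e["user"] for e in entries
                           if e["lm"] != EMPTY_LM and e["lm"][HALF:] == EMPTY_LM[HALF:]],
        # identical NT hashes mean identical passwords: crack one, crack them all
        "shared_password": [u for u in by_nt.values() if len(u) > 1],
        # identical first LM halves mean the first 7 characters match (case-insensitively)
        "shared_lm_prefix": [u for u in by_lm_half.values() if len(u) > 1],
    }


if __name__ == "__main__":
    for key, value in analyze(parse_pwdump(SAMPLE_DUMP)).items():
        print(f"{key:22} {value}")
```

The `seven_or_fewer` check is the one most worth remembering: a second LM half of AAD3B435B51404EE means the password fits in the first half, so a single 7-character DES search recovers it.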

Sniffing Authentication Traffic off the Network

Password hashes and authentication credentials can also be captured from network authentication traffic. The bare minimum requirement is that the sniffing machine be positioned to see the traffic passing between the client and the server. On a switched network, the intruder usually needs an adjunct tool, an ARP spoofer (also called an ARP poisoner), to get into that position. The spoofer sends forged Address Resolution Protocol replies to the two victims so that each one caches the attacker's MAC address against the other's IP address. The switch still forwards frames by MAC address, so both sides' traffic now arrives at the attacker's port, and the attacker forwards it on to keep the connection alive. This is a man-in-the-middle (MitM) attack carried out at layer 2: the IP addresses never change, only the MAC-to-IP mapping is lied about. (Flooding a switch's MAC table so that it falls back to repeating every frame to every port is a different and much noisier technique with the same goal.)

Hackers have developed many network sniffers to capture network authentication traffic.

SMB Attack Tools

As the earlier SMB/NetBIOS sidebar discussed, Windows SMB is a favorite hacker target. Dozens of hacker tools have been developed to exploit weaknesses in Windows' most frequently used protocol. Many tools either attempt brute-force password attacks against a particular computer's NetBIOS shares or trick the target computer into sending authentication traffic to a rogue server where it can be intercepted.

ScoopLM and BeatLM

One of the first Windows authentication—specific tools was ScoopLM (www.securityfriday.com/tools/ScoopLM.html). It captures LM, NTLM, and NTLMv2 authentication exchanges over SMB, NetBIOS, Active Directory, Telnet, HTTP (IIS), and DCOM traffic. Figure 4-10 shows ScoopLM in action. When started, the user first chooses which network interface is wanted for ScoopLM to listen on. Then the user clicks the Start button. ScoopLM will capture all the Windows authentication traffic (minus Kerberos) that it sees. When enough traffic has been captured, the user clicks Stop and saves the resulting data into an importable CSV file.

image from book
Figure 4-10

Then the user imports the CSV file into ScoopLM's companion product, BeatLM (www.securityfriday.com/tools/BeatLM.html). BeatLM conducts a brute-force attack against the authentication traffic but cannot decode NTLMv2 or Kerberos traffic. In my experience, BeatLM takes hours to days to successfully brute force passwords from authentication traffic, and if special Unicode characters are used it never breaks them.

Other SMB Attack Tools

The SMBRelay tool (www.xfocus.net/articles/200305/smbrelay.html) automates a MitM NetBIOS attack and then grabs NTLM authentication traffic and writes it to a text file for later brute-force analysis. SMBGrind (http://packetstormsecurity.org/Crackers/NT/l0phtcrack/smbgrinder.zip) is an optimized SMB authentication brute-force analysis tool. Attackers import SMB authentication traffic and SMBGrind works to reveal plaintext passwords.

The SMB Auditing Tool (www.cqure.net/tools.jsp?id=1) is an extremely fast Linux/Windows SMB brute forcer for ports 139 and 445. It can attempt up to 1,200 SMB connections per second against a NetBIOS host. It scans for SMB servers and automatically enumerates the user accounts.

The SMB Downgrade Attacker (www.ntsecurity.nu/toolbox/downgrade) is a small utility that attempts to force clients using NTLM authentication to use the much more insecure LM protocol.

There are many other password-cracking programs capable of sniffing Windows authentication traffic and then brute forcing it. Both Cain & Abel and LC5 are excellent GUI programs that can capture network traffic and then process it, and Cain & Abel has the added benefit of being able to launch the ARP spoofing attack itself when one is needed. None of the tools mentioned so far can crack NTLMv2 or Kerberos traffic; both can only be attacked by guessing candidate passwords against the captured exchange, and the first tools to attempt that against Kerberos are covered below.

Share Password Attacks

When drive shares are created, they can be password protected. Windows 9x allowed the user to create a "share password" that was connected to the particular share, although most 9x users left it blank. Windows NT and later machines can manage shares using their normal Share and NTFS permissions and require local or domain authentication.

There are several password cracking utilities that attempt to crack Windows password-protected shares. Many computer worms and trojans do the same thing as part of their infection routine. One such utility is the Share Password Checker (www.securityfriday.com/tools/SPC.html). It acquires a list of shared folders available on the network, looks for blank passwords, and checks for old Windows share vulnerabilities.

Kerbsniff and Kerbcrack

The first published tools to attempt to crack Kerberos traffic were Kerbsniff and Kerbcrack (http://ntsecurity.nu/toolbox/kerbcrack). Like ScoopLM and BeatLM, they form a two-part toolset: Kerbsniff captures Kerberos authentication traffic and Kerbcrack then brute forces the result. What is attacked is the Kerberos pre-authentication data: the client encrypts a timestamp with a key derived from the user's password, so each guessed password can be checked offline by trying to decrypt the captured timestamp. As shown in Figure 4-11, when Kerbsniff is started it displays an asterisk for each Kerberos authentication packet captured.

image from book
Figure 4-11

The resulting text file with the Kerberos authentication information (see below) can then be fed into Kerbcrack to reveal the plaintext passwords.

 KellyHiggins LOCAL.BANNERETCS.COM EDD657042B7CDB68060618FE9B0A29A9FE1387C98FF586946B3D98F762898D0E97926456C6A348577986900EDE3324A3AADC6862
 #
 LeeGrimes BANNERET DAF46AF38084F499472DF023303D04AE840CE65DBD5B5A1EF5606B36A91C10C3B493C7E1D680ED01587CFE95B39FE5C3EF18CAF5
 #
 KathleenGrimes BANNERET F4DA6AF38084F499472DF023303D04AE840CE65DBD5B5A1EF5606B36A91C10C3B493C7E1D680ED01578E9CF5B39FE5C3EF18CA5F
 #
 TriciaGrimes LOCAL.BANNERETCS.COM 4D43FF7F3C35ACF31E817933B5968E7744A7BCF2156C23C4CFD34E45600C82D3503AD06C68020A4B3A936F4016D255E66199F5A6

Even though Kerbcrack can work through 1 million password guesses in less than 10 minutes on a Celeron 533 MHz computer, even slightly complex passwords seem to provide it a significant challenge. Once I knowingly captured a Kerberos authentication stream with the password "password" embedded and left Kerbcrack running all day and night. When I came in the next morning, it still had not displayed the correct password. Kerbsniff and Kerbcrack work, but they will take optimization before they become a significant attack tool.

Guessing and Cracking Methods

Password crackers take an encrypted or obscured password representation and attempt to find its plaintext version. Because good cryptography is used to protect passwords, crackers most often resort to intense computations and permutations in their search for the correct password. Five main methods are used in automated password guessers and crackers: brute force, dictionary, hybrid, birthday, and rainbow tables.

Brute-Force Attacks

Brute-force password attack tools grind away at hashed passwords starting with the first symbol in their character set (often the lowercase letter a) and incrementing sequentially until they reach the end of the keyspace. For example, a brute-force cracking tool tries a, b, c, ... z, then aa, ab, ac, ... az, and so on. It tries every possible combination without regard for which kinds of passwords are more common. Brute-force password attack tools are the most computationally expensive. They take a long time to work, but if configured correctly will eventually find any password. Every password cracking tool has a brute-force feature. Usually the user selects a character set of all the characters or symbols the tool should try and tells the cracker the minimum and maximum password lengths; the number of candidates is the sum, over each length in that range, of the character set size raised to that length, which grows so fast that the length bounds, not the cracker's speed, decide whether a brute-force run ever finishes. Brutus was already mentioned above, but here are some other great password crackers.

Cain & Abel

Cain & Abel (www.oxid.it) is an excellent free password cracking tool. It has dozens of features and can crack dozens of different types of passwords and password hashes, including LM, NTLM, RDP, Cisco, VNC, MySQL, PWL, Kerberos, RIP, OSPF, SIP, and many others. If you want a tool that nearly has it all in one place, Cain & Abel is it. It has one of the best GUI interfaces of any password cracking tool and it's frequently updated. ARP poisoning and MitM attacks literally take a few clicks of the mouse. While Cain & Abel isn't always the fastest password cracker, when you throw in its versatility and interface, it's a hard cracker to top.

Figure 4-4, earlier in the chapter, shows Cain & Abel in the middle of a brute-force password attack against dozens of loaded LM and NTLM password hashes. The loaded character set consists of the 68 standard alphanumeric keyboard characters, but bigger character sets can easily be added. In this example, a maximum password length of 16 has been set. On most engagements, Cain & Abel can find at least a few passwords within the first hour.

John the Ripper

Another open-source password cracker, John the Ripper (www.openwall.com/john), excels at speed. Available in both Windows and Unix/Linux versions, John (as hackers like to call it) works on the command line, saving every spare CPU cycle for computations, not a pretty GUI. It is widely supported by the open-source community, extensible, and supports a wide range of password hash attacks.

As a command-line tool, it intimidates many Windows administrators who would rather use a GUI. Many users are turned off by it and only see it as a brute-force guessing batch file on steroids. Don't be put off: John is the fastest free brute-force cracker in the business. It also has a companion Unix-only product, Distributed John (www.net-security.org/software.php?id=409), which works by distributing the password-cracking workload to two or more computers.

Figure 4-12 shows John the Ripper's overall syntax as well as the start of a successful password cracking attack. John has revealed the same password, Brooks, for two accounts, one of them named Administrator, and it cracked both in under five seconds. You can stop and start John at any time and it will resume where it left off. You can also ask John to estimate the time to crack before beginning the analysis.

image from book
Figure 4-12

There are hundreds of free password crackers available on the Internet. Cain & Abel and John the Ripper are at the top of the heap because of their feature sets, stability, and speed. The author of this book has used dozens of password crackers, and each cracker has password types that it cracks faster than another tool. Overall, John the Ripper is pretty fast, but penetration testers often run multiple password-cracking tools at the same time. One quickly hits what another never resolves. Using multiple tools, if you have the computational power available, ensures the fastest cracks overall.

Dictionary Attacks

Brute-force cracks grind away at the password keyspace without regard for which passwords are more likely to be used than others. Good password crackers, such as Cain & Abel, support dictionary attacks. In a dictionary attack, a dictionary (or word list) of commonly used words is imported into or linked to the attack tool. A good dictionary contains over 100,000 words. You can download huge password dictionary lists from all over the Internet; some are GBs in size.

You can download specialized dictionaries that focus on foreign languages (e.g., Bulgarian, Yiddish, and Persian), Unicode characters, or themes. For example, one dictionary I've seen contains Star Trek terms and Klingon words. As strange as this sounds, if you know the network administrator is a trekkie, it's a good password dictionary to use. Other themes include common passwords, common phrases, dates, music, literature, names, religion, science, and sports. If you know your target user has a certain hobby or interest, attack them with it.

There are even dozens of programs designed to generate password dictionary lists. To find already generated lists, search the Internet using the terms "password dictionary" or "password word list." Two sites that will get you headed in the right direction are www.packetstormsecurity.org/Crackers/wordlists and www.geocities.com/SiliconValley/Port/5886/Dict.html??200523.

Hybrid Attacks

Hybrid attacks blend brute-force and dictionary methods in an intelligent way. The hybrid method assumes that most users will still use as much of a dictionary word as possible even when forced to make the password complex. Hence, a hybrid attack will often apply the following to each word in a normal dictionary search:

  • Randomly vary uppercase and lowercase letters throughout the dictionary word

  • Spell the dictionary word backwards

  • Add one or two numbers to the end of the dictionary word

  • Add special symbols throughout the dictionary word, often substituting @ for a, 5 for S, and so on

Note 

Cain & Abel has the hybrid function built into its dictionary attack.
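From the defender's side, the same four rules can be run in reverse to reject passwords that a hybrid attack would reach on its first pass over the dictionary. The following is an added example (not from the book and not Cain & Abel's code); the word list and the substitution table are constructed samples, and the 15-character minimum follows the length advice given later in this chapter.

```python
import re

# Constructed sample word list; a real check loads the large lists the text describes.
DICTIONARY = {"password", "summer", "welcome", "admin", "dragon", "letmein"}

# Symbol-for-letter swaps that hybrid attacks apply ("@ for a, 5 for S").
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "5": "s", "$": "s", "7": "t"})

def candidate_roots(candidate: str) -> set:
    """Undo the hybrid manglings and return every plausible root word.

    Reverses the four rules from the text: case changes, appended digits or
    symbols (up to four, so a year counts), symbol substitution, and reversed spelling."""
    forms = {candidate.lower()}
    forms |= {re.sub(r"^[^a-z]{0,4}|[^a-z]{0,4}$", "", f) for f in forms}
    forms |= {f.translate(LEET) for f in forms}
    forms |= {f[::-1] for f in forms}
    return forms

def is_hybrid_of_dictionary_word(candidate: str) -> bool:
    """True when the candidate collapses to a dictionary word after un-mangling."""
    return any(root in DICTIONARY for root in candidate_roots(candidate))

def check_password(candidate: str, min_len: int = 15) -> list:
    """Return the policy violations for a candidate; an empty list means accepted.

    min_len defaults to the 15 characters the chapter recommends, which also
    keeps the password out of LM hashing."""
    problems = []
    if len(candidate) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if is_hybrid_of_dictionary_word(candidate):
        problems.append("hybrid variant of a dictionary word")
    return problems

if __name__ == "__main__":
    for pw in ("P@ssw0rd1!", "Summer2007", "remmuS#", "correcthorsebatterystaple"):
        print(f"{pw:28} {', '.join(check_password(pw)) or 'accepted'}")
```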

Birthday Attacks

Yet another methodology change often appears in password crackers: the birthday attack. A birthday attack starts with one of the other methods (i.e., brute force, dictionary, or hybrid), but then chooses password attempts at random instead of cycling sequentially from the beginning to the end of the potential password keyspace. The idea is that by guessing randomly, the password cracker is more likely to stumble upon the correct password than by using a sequential method.

The birthday attack gets its name from a mathematical theory that states that although the odds of any one person having a birthday on any particular day of the year are 1 in 365.25, when two random people compare birth dates, the odds of them sharing the same birthday are half of that. And as you add people into the mix, each additional person halves the odds. At the addition of the 18th person, the odds of two people having the same birthday (not including the year) approach 50%. To demonstrate this theory, the author frequently conducts the "birthday experiment" in his classes and lectures. Rarely has he had to reach the 18th student to find a birthday match; many times, matches are made in the first few people.

Rainbow Tables

For a long time, password cracking theory involved optimizing the previous four methods and relying increasingly on more computing power to crack difficult passwords. Then someone stumbled upon the idea that has changed the current field of password cracking dramatically. Password cracking is difficult because password hashes, although known, are non-trivial to convert back to their original non-hashed password forms.

But what if all the possible hashing outcomes (millions and millions) were pre-computed and placed into a table? Basically, the password cracker takes a word list of all the possible password values and runs them through the hashing routine. Each result is stored along with the plaintext password that produced the hash. When a hash is captured, the password cracker need only look it up among the stored pre-computed hashes to find the original password. The first very popular implementation of this method was called rainbow tables, and the name has stuck ever since.

The results were astounding. Good rainbow tables are GBs and GBs in size and contain billions of pre-computed password hashes. When a user plugs in a non-complex LM hash (which is what most networks are full of), the rainbow table program "breaks" the password in seconds. There are several online demonstration programs where you can plug in a password hash to see the outcome, including http://lasecwww.epfl.ch/~oechslin/projects/ophcrack/index.php#Demo. It has cracked thousands of passwords, most in under two seconds.

There are also optimized rainbow table programs that are very fast at cracking weak passwords. Ophcrack (http://ophcrack.sourceforge.net) is probably one of the most popular. It comes with free 388MB and 720MB optimized rainbow tables for users to begin experimenting with. You can buy GB tables off the Internet and on eBay for prices ranging from $20 to $200.

You can even generate your own rainbow tables. Another popular rainbow table cracker is Rainbowcrack (www.antsight.com/zsl/rainbowcrack). Run by the Project Rainbow team, it enables users to generate their own rainbow tables. Demos have been shown using tables up to 36 GB in size. Thousands of people around the world are running clustered computers simply churning out larger and larger rainbow tables. To be faster and more accurate, rainbow tables have to keep growing, to the point that available processing power, memory, and hard drive space are a consideration for every active rainbow cracker. The average PC starts to get bogged down when trying to create rainbow tables for passwords six characters or longer. A rainbow table with all the possible passwords of seven characters or less would take several years to generate on the average PC. With that said, plenty of people have computed most LM password hashes to 14 places and are working on the NT hash keyspace.

The holy grail of Windows password hash cracking would be realized if a single database could hold every possible LM and NT hash and its plaintext equivalent (remember the 4.92 × 10^611 possible passwords). Currently this is infeasible because of the computational and storage requirements, and it will probably remain so for the foreseeable future. But rainbow table makers realize that they don't need every possible password to be mostly successful, just the most likely passwords. Hence, they fall back on the other four methods to choose the most likely candidates, and cryptographic researchers are coming up with optimization techniques.

Although rainbow tables can be frightening to network administrators, long, complex passwords beat them. Most rainbow tables can only break LM hashes, so if you disable LM hash storage, your password hashes are relatively safe. If you make your passwords sufficiently long (say, 15 characters), and even slightly complex, few rainbow tables can break them.
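To make the space-for-time trade-off concrete, here is an added example (not code from the book, Ophcrack, or Rainbowcrack) of a toy rainbow table over a constructed four-letter keyspace, with SHA-256 standing in for the LM or NT hash. It goes one step beyond the text's description: instead of storing every hash, it stores only the endpoints of chains built by alternating hash and reduction steps, which is what lets real tables cover billions of hashes in a few GBs.

```python
import hashlib
import string
from typing import Dict, List, Optional
# Constructed toy keyspace: exactly four lowercase letters (26**4 = 456,976 passwords).
ALPHABET = string.ascii_lowercase
LENGTH = 4
KEYSPACE = len(ALPHABET) ** LENGTH
CHAIN_LEN = 50  # hash/reduce steps per chain; real tables use thousands

def h(password: str) -> str:
    """Stand-in for the LM/NT hash; the table method does not care which hash it is."""
    return hashlib.sha256(password.encode()).hexdigest()

def reduce_fn(digest: str, step: int) -> str:
    """Map a hash back into the keyspace. Mixing in the column index gives every
    column its own reduction function, the trick that lets rainbow chains merge
    far less often than Hellman's single-function chains."""
    n = (int(digest[:16], 16) + step) % KEYSPACE
    chars = []
    for _ in range(LENGTH):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)

def build_table(start_points: List[str]) -> Dict[str, str]:
    """Precompute chains once; only endpoint -> startpoint pairs are kept."""
    table = {}
    for start in start_points:
        pw = start
        for step in range(CHAIN_LEN):
            pw = reduce_fn(h(pw), step)
        table[pw] = start
    return table

def lookup(table: Dict[str, str], target: str) -> Optional[str]:
    """Recover the password for a hash, or None if no chain covers it."""
    for col in reversed(range(CHAIN_LEN)):  # last column is cheapest to test
        # Assume the target sits in column `col`; walk it forward to an endpoint.
        pw = reduce_fn(target, col)
        for step in range(col + 1, CHAIN_LEN):
            pw = reduce_fn(h(pw), step)
        if pw in table:
            # Regenerate that chain from its start to confirm (false alarms happen).
            pw = table[pw]
            for step in range(CHAIN_LEN):
                if h(pw) == target:
                    return pw
                pw = reduce_fn(h(pw), step)
    return None
```

Each stored pair stands in for CHAIN_LEN passwords because the chain is regenerated on demand; a per-user salt would change h() for every account and break that sharing, which is why unsalted LM and NT hashes are the natural target and salted hashes are not.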

LC5 and LCP

@Stake's commercial LC5 password-cracking program was considered the premier Windows password-cracking program for the professional enterprise. Its GUI, ease of use, and cracking and reporting capabilities made it a solid choice for password auditing, if you could afford it. Unfortunately, it was purchased by Symantec in 2004 and then discontinued in late 2005. If you are lucky enough to have a recent copy, it remains a top choice for cracking Windows passwords, at least until Windows password technology changes.

Currently, there are no other commercial programs for the enterprise on a par with LC5, although some company is sure to fill the void in the future. There is a relatively new program called LCP (www.lcpsoft.com), which appears to be a near clone of LC5, or a previous version (see Figure 4-13). It works almost identically to LC5, but contains a few bugs and is not nearly as trusted as LC5. The author of this book attempted to contact LCP's author via e-mail, but did not receive a reply. Because it has not been thoroughly reviewed for bugs and other potential issues, readers should be cautious when testing this program. For example, run it isolated in a virtual session until it becomes more trusted, or don't run it at all.

Figure 4-13

Password-Cracking Programs

There are literally hundreds of password cracking/recovery programs, one for nearly every program that uses passwords. Here is a partial list of the application programs with password-recovery programs available (this list isn't bulleted to save space): MS-Access, ACT, AIM, Apache, ArcServe, BIOS passwords, Cheyenne Innoculan, Cisco routers, CompuServe, EFS, MS-Excel, FTP, Hotmail, Intuit Quicken, IRC, Lotus, Lotus Notes/Domino, MySQL, MSN Messenger, Norton Antivirus, Novell Netware, MS-Office, OpenLDAP, Oracle, MS-Outlook, password-protected Outlook PST files, Palm PDAs, PDF, PGP secret keys, POP, PPP, PPTP, printers, RAR, RDP, Real Media server, routers, Shockwave, SSH, MS-SQL, Telnet, Terminal Services, VBA, web cams, brute-force web site guessers, WEP, MS-Word, VNC, Wingate, WordPerfect, Yahoo news tickers, and Zip files.

One of my favorite sites to search for password crackers is www2.packetstormsecurity.org. Visit there and then search on any type of password cracker or resetter that you need. My general search returned over 1,000 different programs, most of them free or open source. In my review, I found that perhaps only 50% would work on current and patched systems, but that is still a lot of hacker programs.



Professional Windows Desktop and Server Hardening (Programmer to Programmer)
ISBN: 0764599909
Year: 2004
Pages: 122
