Chapter 9. Password Cracking

Login: yes

Password: i dont have one

password is incorrect

Login: yes

Password: incorrect

Before the advent of computers, companies relied on locked doors and filing cabinets to secure their data. Physical security provided enough peace of mind for businesses to protect their corporate assets. Now, with network access to company data providing accessibility from virtually anywhere, physical security is no longer sufficient.

Thus, companies have turned to access control to protect their data. Strong access control should entail at least two of the following:

• Something an identity knows A pin number or password

• Something an identity has A SecureID card

• Something an identity is Biometrics

• Something an identity does Monitoring pen pressure changes when you sign your name

Two-factor security is when at least two of these are being used, such as when access is granted through a fingerprint and a password. Four-factor involves all four. Unfortunately, most applications still use the weakest form of security one factor authentication by passwords only. People often think that two-factor authentication is being used because both a username and password are required, but this is still only one-factor authentication because they are both based on things you know.

Passwords provide the weakest form of security because someone can guess them through password cracking. As a penetration tester, you should be acquainted with the means of password cracking. Penetration testers are often employed to perform password cracking for one of two reasons:

• Policy audits

• Recovery

When you are cracking passwords for policy audits, you are trying to determine if the company is enforcing its password policy. Suppose, for example, that a company has a policy that all passwords must be eight digits long and a combination of letters and numbers. The password a3vg8ll0 is a strong password in this example.

As a penetration tester, you might be asked to come in and attempt to crack the company passwords. After doing so, you might discover that only 80 percent of the passwords follow this policy. This would inform the corporation that it is not adequately enforcing its password policy.

The second time you might be asked to perform password cracking is when you are hired to recover a lost password. If a systems administrator leaves the company without anyone knowing the password to the administrator account, you might be hired to come in and attempt to crack that administrator password.

Many tools can assist you with password cracking. This chapter introduces you to how passwords are stored on servers, followed by brief descriptions of some of the more popular tools used in password cracking. As always, this chapter concludes with tips on how to protect against malicious password cracking.

Tip

Most of the chapter covers password cracking to recover an existing password. However, you can actually use tools to overwrite or erase a password if you have direct physical access to a machine. If this is what you need, look at http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html.