Detecting Password Cracking


Detecting password cracking can be difficult depending on the type of attack taking place. During a standard brute force or password dictionary list attack, the hacker, in his efforts to gain access, typically sends hundreds or thousands of possible username and password attempts against the target. When a combination succeeds, the hacker moves to the next step to gain even more access to the system. Another method a hacker might use is to gain physical access to a system and steal the password files or databases outright. If all of this is too difficult, the hacker might resort to the most basic attack of all: social engineering. The sections that follow detail some of the places where you can watch for these types of attacks.

Caution

The dangers of physical access to a system can be quite devastating. After a hacker has copied the files that contain passwords, such as the Windows SAM file, the entire system might as well be considered compromised.


Network Traffic

Monitoring network traffic can be difficult in switched networks without gear that supports SPAN ports. After you overcome this hurdle, you can use a network sniffer to monitor all traffic on screen or record it to the hard drive for later evaluation. As mentioned earlier, password guessing can send hundreds or even thousands of attempts against a target system within a short time. For example, you can configure the tool called Brutus (discussed in Chapter 7, "Performing Web-Server Attacks") to use dictionary list password guessing against any Telnet server, such as a Windows Server or even a PIX Firewall. During the attack, Brutus sends as many username and password combinations as it possibly can in the shortest time. By using a network sniffer, you can observe this huge blast of attempts sent against the target. In normal operation, login attempts are sporadic, so when a single location sends so many attempts in a short period, you can logically deduce that a hacker is at work. However, this technique is time consuming, to say the least, and is usually used only after detection has taken place by other means.

System Log Files

A better location to detect login failures is the security log of the target system. When it is enabled to record failed login requests, the log can provide details such as the time, date, and username involved in each attempt. Typically, you see the same hundreds or thousands of attempts that the network sniffer shows, but in an easy-to-read format. Figure 9-23 shows failed login attempts in a Windows 2003 Event Viewer, and Figure 9-24 displays the detail that you can find about each login failure.

Figure 9-23. Windows Event Viewer


Figure 9-24. Windows Event Viewer Failed Login


Account Lockouts

During any password guessing technique, hackers might come up against the "account locked out" problem. By default, a standard Windows computer does not lock user accounts no matter how many failed attempts have been made. This default setting is a dream for a hacker to attack: he can attempt to log in for days using the same account name, such as administrator, until he finally gains access.

Good system administrators manually configure basic lockout settings to something like this: after every 5 failed attempts, lock the user account for 30 minutes. When script kiddies come up against account lockouts, they typically just move to the next account name on their list, use that name until it gets locked out, and so on. In the end, the administrator of the target system starts hearing from all the legitimate users that they cannot log in because their accounts are locked. If dozens of people who do not normally lock their accounts report this, it is a sure symptom that password guessing is going on. This is also a sneaky way of performing a denial-of-service (DoS) attack against the office: when every account is locked, office work stops for at least 30 minutes for any user attempting to log in, or until the administrator manually unlocks the accounts.

What about the non-script kiddie? Well, a pro hacker locks the account at most once, or not at all. If the lockout threshold is set to 5, the hacker simply slows the attack down to 3 or 4 attempts, waits 30 minutes, and tries again. Over a week or a month, the hacker might finally gain access. You should continue to keep an eye on the log files even if you have account lockouts enabled.
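The three patterns the preceding sections describe (the blast of attempts that a sniffer or the security log shows, the script kiddie who locks out account after account, and the pro who stays just under the lockout threshold and comes back after 30 minutes) written up as a small detection script. This is an added example, not code from the book: the record format ("timestamp source account FAILURE|SUCCESS"), the sample IP addresses, accounts and timestamps are constructed, and the thresholds (5 failures, a 1-minute burst window, a 30-minute lockout window, 5 distinct accounts for a spray) are assumptions chosen to match the settings the text mentions.

```python
"""Password-guessing detection over constructed failed-logon records.

Added example, not code from the book. The record format is a constructed,
simplified one: "<ISO timestamp> <source IP> <account> <FAILURE|SUCCESS>",
standing in for the fields (time, date, username, source) that a security
log or a sniffer capture provides.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. 10.0.0.5 blasts one account (burst), 10.0.0.7 tries
# one password per account and moves on (the lockout-causing script kiddie),
# 10.0.0.9 stops at 3 guesses, waits 30 minutes and returns (the pro),
# and the .20/.21 workstations show ordinary sporadic failures.
SAMPLE_LOG = """\
2005-03-01T08:55:00 10.0.0.20 alice FAILURE
2005-03-01T08:55:07 10.0.0.20 alice SUCCESS
2005-03-01T09:00:01 10.0.0.5 administrator FAILURE
2005-03-01T09:00:02 10.0.0.5 administrator FAILURE
2005-03-01T09:00:03 10.0.0.5 administrator FAILURE
2005-03-01T09:00:04 10.0.0.5 administrator FAILURE
2005-03-01T09:00:05 10.0.0.5 administrator FAILURE
2005-03-01T09:00:06 10.0.0.5 administrator FAILURE
2005-03-01T09:05:00 10.0.0.7 alice FAILURE
2005-03-01T09:07:00 10.0.0.7 bob FAILURE
2005-03-01T09:09:00 10.0.0.7 carol FAILURE
2005-03-01T09:11:00 10.0.0.7 dave FAILURE
2005-03-01T09:13:00 10.0.0.7 erin FAILURE
2005-03-01T09:15:00 10.0.0.7 frank FAILURE
2005-03-01T10:00:00 10.0.0.9 administrator FAILURE
2005-03-01T10:00:10 10.0.0.9 administrator FAILURE
2005-03-01T10:00:20 10.0.0.9 administrator FAILURE
2005-03-01T10:31:00 10.0.0.9 administrator FAILURE
2005-03-01T10:31:10 10.0.0.9 administrator FAILURE
2005-03-01T10:31:20 10.0.0.9 administrator FAILURE
2005-03-01T11:02:00 10.0.0.9 administrator FAILURE
2005-03-01T11:02:10 10.0.0.9 administrator FAILURE
2005-03-01T11:02:20 10.0.0.9 administrator FAILURE
2005-03-01T13:10:00 10.0.0.21 bob FAILURE
"""


def parse_log(text):
    """Turn the constructed record lines into event dicts."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, account, outcome = line.split()
            events.append({"time": datetime.fromisoformat(ts), "src": src,
                           "account": account, "ok": outcome == "SUCCESS"})
    return events


def _failures_by(events, key):
    """Group failed-logon timestamps (sorted) by key(event)."""
    groups = defaultdict(list)
    for e in events:
        if not e["ok"]:
            groups[key(e)].append(e["time"])
    return {k: sorted(v) for k, v in groups.items()}


def burst_sources(events, threshold=5, window=timedelta(minutes=1)):
    """Sources with at least `threshold` failures inside one sliding window:
    the blast of attempts a sniffer or the security log shows."""
    flagged = {}
    for src, times in _failures_by(events, lambda e: e["src"]).items():
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def spray_sources(events, min_accounts=5):
    """Sources that fail against many distinct accounts: the script kiddie
    who hops to the next name once one locks out (and locks the office out)."""
    accounts = defaultdict(set)
    for e in events:
        if not e["ok"]:
            accounts[e["src"]].add(e["account"])
    return {s: sorted(a) for s, a in accounts.items() if len(a) >= min_accounts}


def lockout_evaders(events, lockout_threshold=5,
                    lockout_window=timedelta(minutes=30), min_rounds=3):
    """(source, account) pairs that repeatedly stop just short of the lockout
    threshold and come back once the lockout window has passed."""
    flagged = {}
    pairs = _failures_by(events, lambda e: (e["src"], e["account"]))
    for pair, times in pairs.items():
        rounds = defaultdict(int)          # lockout-window bucket -> failures
        for t in times:
            rounds[(t - times[0]) // lockout_window] += 1
        # more than one guess per round rules out a user's occasional typo
        if len(rounds) >= min_rounds and all(
                1 < n < lockout_threshold for n in rounds.values()):
            flagged[pair] = len(rounds)
    return flagged


def detect(text=SAMPLE_LOG):
    """Run all three detectors over a log and return their findings."""
    events = parse_log(text)
    return {"burst": burst_sources(events), "spray": spray_sources(events),
            "evaders": lockout_evaders(events)}


if __name__ == "__main__":
    for kind, hits in detect().items():
        print(kind, hits)
```

Note that the burst detector alone misses both the spray (one guess every two minutes never fills the window) and the slow attacker (three guesses per round stay under the threshold); only the per-account and per-window views catch them, which is why the text advises watching the logs even with lockouts enabled.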

Physical Access

Detecting physical theft of password files, such as the Windows SAM file or *nix shadow files, can be quite difficult. If the file is stolen, a hacker can brute force the passwords for as long as he likes in the privacy of his own home. Indications of such a theft include a broken door or window into the office; a stolen laptop or computer; missing backup tapes; or strange administrator account activity against the SAM or shadow file. Shortly after the incident, the target system administrator might start seeing successful logins for users at odd times of the day or night, which might indicate that the hacker is using the passwords he has cracked from that file so far. If this seems difficult to detect, you are quite correct.
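The one signal the paragraph above offers, successful logins at odd hours after a password file has walked out the door, as a check over logon events. This is an added example, not the book's code; the events are constructed tuples of (timestamp, source IP, account, success flag), and the office day of 08:00 to 18:00 on weekdays is an assumption you would replace with your own hours.

```python
"""Flag successful logons at odd hours (added example, not the book's code).

After a theft of the SAM or shadow file, the first sign may be valid users
"logging in" at night or on the weekend. Events here are constructed tuples:
(timestamp, source IP, account, success flag).
"""
from datetime import datetime

# Constructed sample: 2005-03-01 is a Tuesday, 2005-03-05 a Saturday.
SAMPLE_EVENTS = [
    (datetime(2005, 3, 1, 9, 12), "10.0.0.20", "alice", True),   # normal
    (datetime(2005, 3, 1, 2, 47), "10.0.0.33", "bob", True),     # 02:47, night
    (datetime(2005, 3, 1, 3, 0), "10.0.0.33", "carol", False),   # failure, not a hit
    (datetime(2005, 3, 1, 17, 59), "10.0.0.21", "dave", True),   # last business minute
    (datetime(2005, 3, 1, 18, 0), "10.0.0.21", "erin", True),    # exactly at close: off-hours
    (datetime(2005, 3, 5, 14, 5), "10.0.0.33", "carol", True),   # Saturday afternoon
]

BUSINESS_HOURS = (8, 18)   # assumed office day: 08:00 up to, not including, 18:00


def is_off_hours(when, business=BUSINESS_HOURS):
    """True outside the office day or on Saturday/Sunday."""
    start, end = business
    return when.weekday() >= 5 or not (start <= when.hour < end)


def off_hours_successes(events, business=BUSINESS_HOURS):
    """Successful logons outside business hours, oldest first.
    Returns (account, source, ISO timestamp) tuples."""
    hits = [(acct, src, when.isoformat())
            for when, src, acct, ok in events
            if ok and is_off_hours(when, business)]
    return sorted(hits, key=lambda h: h[2])


def off_hours_accounts(events, business=BUSINESS_HOURS):
    """Distinct accounts seen in off-hours successes: the list an admin
    would take to the users to ask whether the logon was really theirs."""
    return sorted({acct for acct, _, _ in off_hours_successes(events, business)})


if __name__ == "__main__":
    for hit in off_hours_successes(SAMPLE_EVENTS):
        print(*hit)
```

Only successes count; failures at night are the guessing problem of the earlier sections, not this one. A logon exactly at the closing hour is treated as off-hours, so pick the boundary deliberately for your site.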

Dumpster Diving and Key Logging

Dumpster diving and key logging can actually be classified as physical access. Dumpster diving is the classic rummaging through the trash for old hard drives, yellow Post-it notes, or other items that might hold usernames and passwords. If the system administrator comes into work one day and sees trash scattered across the parking lot or in the office, it might mean that an amateur hacker was dumpster diving for password clues.

Key loggers come as software or, even more cleverly, as small physical devices that look like keyboard adapters and sit between the computer and the keyboard. With these, hackers can capture every keystroke ever sent, which is a disturbing thought indeed. Some basic software can detect software key loggers, but physical loggers are a little more difficult. As an administrator, you should review your server connections every day to help detect physical key loggers that have been installed. Like other physical-access attacks, they are hard to detect.

Social Engineering

One of the most difficult methods to detect might actually be social engineering. Hackers can use the good old trick of simply telephoning a person and asking for his username and password to the system in order to carry out some maintenance. Hopefully the user will not give out this information, but you would be surprised how often basic, non-security-oriented users trust the caller and provide full username and password details. This is hard to detect unless users report it to the administrator or the security team, and that will probably happen only after a full-scale attack against the system, when in the aftermath a user recalls a strange phone call from a few days back. Another social engineering technique besides the standard phone call is shoulder surfing.

    Penetration Testing and Network Defense
    ISBN: 1587052083
    Year: 2005
    Pages: 209