
Password Cracking
SECURITY INNOVATION
2003
Sidebar: Password Cracking

We have discussed authentication mechanisms, including <username, password> authenticators. We also indicated that anything short of one-time passwords was not strong password authentication. So how are passwords broken? Guessing and cracking.

Guessing:
Find or guess a user's identifier.
Create a list of possible passwords.
Try each one.
On success you are in, else keep trying.
Hampered by the unsuccessful-login timeout: if n attempts are unsuccessful, lock the system for m minutes (n and m are variable).

Windows NT Passwords

Length: anywhere from 0 to 14 characters.
Characters: all letters (upper and lowercase), numbers, and symbols are acceptable.
Stored in the SAM database.
Windows NT Security

Local Security Authority (LSA): determines whether a logon attempt is valid.
Security Accounts Manager (SAM): receives user logon information and checks it against its database to verify a correct username/password.
SAM database: stores the LM and NT password hashes.
Cracking

Obtain a copy of the SAM and run L0phtCrack.
BUT you can't get the real SAM if the system uses Active Directory,
UNLESS you use PWDUMP3 first.
Password Cracking: Off Line

Most cracking is done off-line to avoid the timeout problem.
Major steps:
Find user ids
Get encrypted or hashed passwords or password files
Create a list of trial passwords
Encrypt or hash the trial passwords
See if there is a match

Password Cracking: Off Line

Attacks:
Dictionary attacks (build a dictionary of passwords).
Brute force (try all possible passwords).
Hybrid attacks (modified dictionary attack using altered dictionary words: party becomes p$art%y).
This really is still guessing; these systems don't break encryption!

Password Cracking: Starters

What can we find out up front about commercial systems?
Format for user id.
Some user ids (e.g., guest, system, administrator).
Password minimum/maximum length, legal characters.
Rules of construction.
The encryption or hash algorithm.
Where the password file is stored by default.


Password Cracking: Generic Methods

Assume we have an encrypted or hashed password; the following methods are used to recover the plaintext password.
Create a dictionary of words, encrypt or hash each word, and test to see if the result matches the original encrypted/hashed password.
Many Internet sites have downloadable dictionaries.

Password Cracking: Generic Methods, Pros/Cons

Brute force means trying every possible combination (e.g., a, aa, aaa up to zzzzzzzzzzzzzz, azbycx, etc.). This method will always recover the password sooner or later; later may be a long time, but it gets shorter with each new technology advance.
Hybrid methods use a dictionary, but insert special characters (e.g., %, $, # or r0ya1: zero for o and one for l) and/or permute words.
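An added example, not part of the original slides: the generic method above (hash each trial word and compare it against the stored hash) together with the hybrid alterations, written as a Python password-audit routine. SHA-256 stands in for whatever one-way function the audited system uses, and the wordlist and stored hashes are constructed for the illustration.

```python
import hashlib

# Constructed wordlist; a real audit would load one of the downloadable
# dictionaries the slides mention.
WORDLIST = ["password", "royal", "party", "karen", "letmein"]

# Substitutions from the slide: zero for o, one for l (royal -> r0ya1).
LEET = {"o": "0", "l": "1"}

def sha256_hex(s):
    """Stand-in for the target system's hash; the method is the same
    whichever one-way function the system actually uses."""
    return hashlib.sha256(s.encode()).hexdigest()

def hybrid_variants(word):
    """Yield the dictionary word and its altered forms: case changes,
    numeric suffixes, and letter-for-symbol substitutions."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for n in range(100):                 # party -> party0 .. party99
        yield f"{word}{n}"
    swapped = "".join(LEET.get(c, c) for c in word)
    if swapped != word:                  # all substitutions at once
        yield swapped
    for i, c in enumerate(word):         # one substitution at a time
        if c in LEET:
            yield word[:i] + LEET[c] + word[i + 1:]

def audit(stored_hash, wordlist, hashfn=sha256_hex):
    """Return the trial password whose hash equals stored_hash, or None.
    Plain dictionary words are tried before their hybrid variants, so a
    None result means the password survived both attacks on this list."""
    for word in wordlist:
        if hashfn(word) == stored_hash:
            return word
    for word in wordlist:
        for candidate in hybrid_variants(word):
            if hashfn(candidate) == stored_hash:
                return candidate
    return None

if __name__ == "__main__":
    # Constructed stored hashes of a weak and a better-constructed password.
    for secret in ("r0ya1", "Tr0ub4dor&3"):
        print(secret, "->", audit(sha256_hex(secret), WORDLIST))
```

A None result only says the list and rules used here did not reach the password; a larger dictionary or more rules may still get it, which is the point of the slides' "quality of construction" remark.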

Password Cracking: How Do We Get the Passwords?

If administrator: dump the hashes to a file.
If not administrator:
Sniff the passwords off the network.
Get administrator privilege.
Boot another OS and read the file.
Copy from backup.
Copy from the emergency repair disk.
Reminder: physically protect the system and all media.
Also install the patches for the holes that allow intrusions resulting in root or administrator access.

NTFSDos and SAMDump

NTFSDos:
Utility that allows DOS to view NTFS partitions.
Can be placed on a boot disk and used to access files that can't be accessed in Windows.
SAMDump:
Utility that dumps the password hashes in the SAM database.
Can be used to view the password hashes or to export them into a text file.
If Syskey is used, the displayed hashes will be incorrect.
PWDump3

A utility similar to SAMDump.
Grabs password hashes from memory instead of the SAM database.
Because of this, it will work with Syskey enabled.
Can only be used by the Administrator on each system.
Password Cracking Tools: L0phtCrack

The Windows tool of choice: Win 9x, NT, 2000, XP.
Cracks two types of passwords: LANMAN and NT.
LAN Manager: older network password system used to log onto a Microsoft network domain; used for mixed 9x and NT/2000/XP nets.
NT: newer network password system used in NT/2000/XP-only nets.
Fully featured tool:
Sniffs passwords.
Dumps passwords from the registry.
Cracks passwords.
Easy-to-use graphical user interface (GUI).

Windows NT Passwords

LM Password:
Used for backward compatibility.
Stores passwords in CAPS.
Much easier to crack than NT hashes.
Password is not hashed or encrypted.
Broken up into 2 groups of 7 characters.
Usually gives away the NT password if cracked.
NT Password:
Used for compatibility with Windows NT/2000 systems.
Stores passwords exactly how they were entered by the user.
Uses a series of 2 one-way hashes to hash the password.
Does not salt passwords like Unix.
LM Passwords vs. NT Passwords

An 8-character LM password is 890 times easier to crack than an 8-character NT password.
A 14-character LM password is 450 trillion times easier to crack than a 14-character NT password.
450 trillion = 450,000,000,000,000.
LANMAN Passwords

Maximum length: 14 characters (128 bits).
Case: converted to all upper case before processing.
Processing: split the 14 characters into two 7-byte halves. Use each half as a DES key. Multiple-encrypt each half and store in the Security Account Manager (SAM) database.
Trouble is: the encryption algorithm is known. Only uses a 7-byte key (56 bits). Easy to find the key. Why??

LANMAN Passwords: Easy Cracking

Character set = uppercase alpha, numeric, specials, and punctuation: about 80 symbols.
N = S^L = 80^7 ~ 2.1 x 10^13
Time = (2.1 x 10^13) / (10^8 per sec) x (1 / (60 x 60 x 24)) = 2.4 days
(really easier).
Password = choose Karen12$.
Becomes KAREN12$ (convert to upper case).
Becomes KAREN12 and $_______ (split and pad).
KAREN12 breaks with a dictionary.
$_______ breaks with brute force.
More like minutes to break!

NT Passwords

1. Hashed using the RSA MD4 function.
Not reversible! But can be replicated.
2. Hashed again using an MS function into the SAM.
Reversible and fairly simple.
3. Encrypted using the Syskey function.
Strong encryption of the SAM on disk.

NT Passwords: Not So Easy Cracking

Character set = upper and lower case alpha, numeric, specials and punctuation: about 106 characters.
N = S^L = 106^14 ~ 2.26 x 10^28
Time = (2.26 x 10^28) / (10^8 per sec) x (1 / (60 x 60 x 24)) ~ 2.62 x 10^15 days
(harder).
Now the issue becomes the quality of construction; remember we are assuming that all passwords are equally likely. This is theory!
The real result is the historical work function for a large set of user-generated passwords. If poorly constructed, the dictionary will get them.
Makes a very, very good audit tool for security folks!
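An added example, not from the original slides: the work-factor arithmetic of the LANMAN "Easy Cracking" and NT "Not So Easy Cracking" slides above and the LM upper-case/split/pad preprocessing, in Python. The symbol counts (80 and 106), the 10^8 trials per second rate and Karen12$ are the slides' figures; the function names and the split-keyspace formula (each 7-character LM half attacked on its own, so 14 characters cost 2 x 80^7) are my additions, which is why the LM/NT ratios it prints land near, but not exactly on, the 890 and 450 trillion quoted earlier.

```python
LM_SYMBOLS = 80           # upper-case alpha, digits, specials (LM slide)
NT_SYMBOLS = 106          # upper + lower case, digits, specials (NT slide)
RATE = 10 ** 8            # trial encryptions/hashes per second assumed on the slides
SECONDS_PER_DAY = 60 * 60 * 24

def lm_halves(password):
    """LM preprocessing: upper-case, pad/truncate to 14, split into two
    independent 7-character halves. Padding is shown as '_' as on the
    slide (the real scheme pads with NUL bytes)."""
    p = password.upper().ljust(14, "_")[:14]
    return p[:7], p[7:]

def lm_keyspace(length):
    """Trials to exhaust an LM password of the given length. Because the
    halves are keyed separately, a 14-character password costs 2 * 80^7,
    not 80^14, and a second half of n < 7 real characters costs only 80^n
    (its padding is fixed). Assumed formula, not from the slides."""
    first = min(length, 7)
    second = max(length - 7, 0)
    return LM_SYMBOLS ** first + (LM_SYMBOLS ** second if second else 0)

def nt_keyspace(length):
    """NT hashes the whole password, so the keyspace is 106^length."""
    return NT_SYMBOLS ** length

def days(trials, rate=RATE):
    """Wall-clock days to exhaust `trials` at `rate` trials per second."""
    return trials / rate / SECONDS_PER_DAY

if __name__ == "__main__":
    print(lm_halves("Karen12$"))                  # ('KAREN12', '$______')
    print(f"LM, 7 chars : {lm_keyspace(7):.2e} trials, "
          f"{days(lm_keyspace(7)):.1f} days")   # ~2.1e13 trials, ~2.4 days
    print(f"NT, 14 chars: {nt_keyspace(14):.2e} trials, "
          f"{days(nt_keyspace(14)):.2e} days")  # ~2.26e28 trials, ~2.6e15 days
    for n in (8, 14):
        ratio = nt_keyspace(n) / lm_keyspace(n)
        print(f"NT/LM work ratio at {n} chars: {ratio:.2e}")
```

Running it shows why the $______ half of KAREN12$ is the weak point: one real character against an 80-symbol set is 80 trials, which is the "minutes to break" the slide refers to.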

Unix Passwords: John the Ripper

Very capable password cracker for Unix systems, including S/Key files and Kerberos Ticket Granting Tickets for the Andrew File System.
Runs cross-platform (Unix, DOS, 9x, NT).
Takes a Unix password file as input: /etc/passwd or /etc/shadow.
/etc/passwd is a user-level public file.
/etc/shadow requires root-level access.
Modes:
Dictionary (called wordlist): specify a text file to use as a dictionary.
Brute force (called incremental mode): tries all possible combinations.


Unix Passwords: John the Ripper

Modes:
Single crack mode: the simplest mode.
External mode: provides the means to add external functions that can be used to generate passwords to try.
Since Unix uses different hash/encryption algorithms, the program detects the encryption type:
DES and double-length DES,
BSDI's DES,
OpenBSD's Blowfish,
FreeBSD's MD5 hashes.
Others are out there: Crack, Cracker Jack.
