OSCP Prep – Episode 8: Password Cracking

This was a fun chapter to study, learning about passwords and the methods that can be used to crack them. Although awareness of the need for password strength appears to be increasing, there are still an overwhelming number of cases where weak passwords are used, or where an organisation has no password policy at all. Brute force attacks and educated guesses pose a serious risk to weak passwords, so to combat this, two-factor authentication and biometric identification are becoming increasingly common. However, weak passwords are still a vulnerability in many instances, especially on older systems or applications. It is feasible that increased password complexity has led to users slacking off and storing their passwords in files on their computer, reusing the same password for multiple accounts, or writing them down on paper.

Password attacks have two main methods: brute force and reversing password hashes.

  • Brute force attacks attempt to gain access to a service by trying every possible username and password combination. Given enough time they will find valid credentials, but ‘enough’ time could stretch well beyond an average lifetime. Brute force attacks have therefore adapted to use word lists, which can be preset lists of common passwords or custom-made ones.
    A tool that can create word lists from a website is CeWL. This could be useful when penetration testing a company, as it is possible that an employee's password is related to the company itself. Creating a custom word list from the company website could then give a higher chance of success.
    In this way, brute force attacks have become closer to ‘educated guesses’ than true brute force, a method that is not as effective given the amount of time it requires.
  • Password hashes are designed to be the output of a one-way hash function, meaning that even if the hashes are discovered there is no direct way to recover the plaintext password from them. However, a password can be guessed and hashed with the same hash function, and the resulting hash compared against the known hashes. If they match, the guessed password is correct.
    Some hash functions are no longer considered secure and are much cheaper to attack in this way. Although these hash functions are no longer recommended, older services may still use them, which can be a vulnerability.

Password attacks can be carried out in two avenues: online and offline.

  • Online attacks attempt to gain access to a service by finding valid credentials in real time, while the service is running. Most services have an account lockout that works to prevent these attacks, which places some limitations on online password attacks.
  • Offline attacks are much easier to execute in comparison. Once the relevant information has been downloaded and stored on a separate drive, account lockouts are no longer a barrier. Brute force or hash-comparison attacks can then be run offline, often with faster results. Once the attack is successful, the attacker can go back online and gain access with a valid set of credentials.

Password Cracking Tools

There are a number of automated tools that can be used to execute password attacks. The ones I studied are as follows:

Hydra – an online password guessing tool that essentially automates the otherwise manual process of entering possible username and password combinations. Because it is used against running services, there is the possibility that a lockout will occur, or that the repeated attempts will be detected by a firewall or IPS, which could result in a blocked IP address.

John the Ripper (aka John) – One of the most popular and widely used password cracking tools, John the Ripper guesses passwords by comparing hashes, which on Windows can be obtained from the SAM and SYSTEM files. Depending on the type of hash used, John the Ripper can crack a password very quickly. For example, Windows LM hashes can be cracked within a matter of hours. Windows NTLM hashes, on the other hand, may take years to crack. This is where word lists become useful, limiting the candidates John the Ripper guesses from instead of using a pure brute-force method. Adding rules to a word list also accounts for numbers or symbols replacing letters in a password, or being appended to the end of it, so that more complex variants of each word are also guessed.
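To make the hash-comparison idea above concrete from the defender's side, here is an added example (my own code, not from the course, John the Ripper or any other tool mentioned here) that audits two constructed password stores against a small word list: an unsalted MD5 store of the kind older services used, and a salted PBKDF2 store. The user names, passwords, word list and iteration count are all made up; the point is that the unsalted store costs one hash per word list entry for all users combined, while the salted store forces a fresh, iterated derivation for every user and candidate.

```python
import hashlib
import hmac
import os

# Constructed sample data for this example: a short word list and a few
# made-up users whose passwords will be placed in two different stores.
WORDLIST = ["password", "letmein", "Summer2019", "company123", "correcthorse"]
USERS = {"alice": "Summer2019", "bob": "company123", "carol": "Tr0ub4dor&3"}

def md5_store(users):
    """Unsalted MD5, as an older service might store passwords."""
    return {u: hashlib.md5(p.encode()).hexdigest() for u, p in users.items()}

def pbkdf2_store(users, iterations=10_000):
    """Salted PBKDF2-HMAC-SHA256: a random salt per user plus an iteration count."""
    store = {}
    for u, p in users.items():
        salt = os.urandom(16)
        dk = hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations)
        store[u] = (salt, iterations, dk)
    return store

def audit_md5(store, wordlist):
    """Word list check against unsalted MD5. Each candidate is hashed once and
    that hash serves every user, so work = len(wordlist) however many users.
    Returns ({user: weak_password}, hash_operations)."""
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    hits = {u: lookup[h] for u, h in store.items() if h in lookup}
    return hits, len(wordlist)

def audit_pbkdf2(store, wordlist):
    """Same check against salted PBKDF2. The per-user salt forces a separate
    derivation for each (user, candidate) pair, each costing `iters` HMACs.
    Returns ({user: weak_password}, hmac_operations)."""
    hits, work = {}, 0
    for u, (salt, iters, dk) in store.items():
        for w in wordlist:
            cand = hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iters)
            work += iters
            if hmac.compare_digest(cand, dk):
                hits[u] = w
                break
    return hits, work

if __name__ == "__main__":
    hits, ops = audit_md5(md5_store(USERS), WORDLIST)
    print("MD5 store: weak accounts", hits, "hash operations:", ops)
    hits, ops = audit_pbkdf2(pbkdf2_store(USERS), WORDLIST)
    print("PBKDF2 store: weak accounts", hits, "HMAC operations:", ops)
```

Both audits flag the same two weak accounts, but the salted store needs tens of thousands of times more work for three users and five candidates, and that gap grows with every extra user.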

CeWL – As discussed above, CeWL is a custom word list generator that can parse websites to create ‘educated’ word lists that are more likely to succeed against specific targets. CeWL is a command-line tool found in Kali Linux; its --help option provides a useful list of features along with information on how to use each one.

Although password awareness continues to increase, so too does the computing power available to us. Passwords and hashes that were once deemed secure are now trivial to crack on standard consumer hardware. As the processing power of computers continues to increase, it is important for password complexity to increase alongside it. It will be interesting to see if the shift toward biometric identification continues beyond the simple fingerprint and facial recognition software we have today. Even if it does, I am sure these will be similarly exploitable.
