I had an article published in PenTest Magazine earlier this year. Enough time has passed, so I’m now able to post the entire article on my blog. You can find the original article in the PenTest Mag extra titled Backtrack Compendium, found at http://pentestmag.com/.
A recent example: a team of hackers cracked more than 14,800 of 16,449 16-character cryptographically hashed passwords in less than an hour using a computer cluster. Most employers enforce a far less demanding password policy, which leaves most organizations vulnerable to password attacks.
Another element of weakness for passwords is that they are usually created and managed by people. People are lazy by nature and predictable in behavior. These human characteristics make passwords vulnerable to a range of attacks that extend beyond generic brute force attempts of every possible combination. In my team’s experience, we find most users exhibit the following flaws when creating passwords:
Predictable password creation – We find most users use a similar formula for developing passwords. Once you capture one password, it’s easy to narrow down the possibilities for future passwords. An example is a dictionary word followed by numbers and special characters, such as PASSWORD123!
Password reuse – People use the same password for all levels of security. For example, we find that compromising a non-essential target such as a gaming system or social media account will yield passwords used for high-value targets such as banking and remote access to internal resources.
Password expiration – Most users do not change their password unless required. This gives attackers ample time to break and use stolen passwords.
Contents of password – Users tend to create passwords they can easily remember. This typically means dictionary words with common special-character replacements, for example P@$$W0RD. Automated password cracking tools can easily mimic this behavior.
Password length – Most passwords fall short of the character length suggested to resist brute force attacks. The suggested length is also a moving target as computing power improves, and most users are not increasing their password length to keep up with improved cracking capabilities.
These flaws can help an attacker develop a plan to capture a victim’s password. For example, Kali Linux includes a tool called Crunch that can generate password lists based on the patterns found in how a user creates passwords. Before we look at tools, let’s first review generic password concepts.
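To make the flaws above concrete from the defender’s side, here is an added Python checker (not from the article, and not a Kali tool) that flags a candidate password for the patterns just described: a dictionary word with a predictable trailing formula (PASSWORD123!), a dictionary word with leet substitutions (P@$$W0RD), and insufficient length. The six-word dictionary, the substitution map and the 12-character minimum are assumptions made for the example; a real check would load a full word list and the organization’s own policy value. The mnemonic helper builds the first-letter-of-each-word password recommended in the closing paragraph of the article, so the same checks can show why it is not caught.

```python
# Constructed mini word list standing in for a real dictionary file.
DICTIONARY = {"password", "welcome", "summer", "dragon", "monkey", "football"}

# Common character substitutions users apply to dictionary words (the
# P@$$W0RD pattern); reversing them recovers the underlying word.
LEET = {"@": "a", "$": "s", "0": "o", "1": "i", "!": "i",
        "3": "e", "4": "a", "5": "s", "7": "t"}

MIN_LENGTH = 12  # assumed policy threshold; the article names no fixed number


def unleet(text: str) -> str:
    """Undo common substitutions and lowercase: 'P@$$W0RD' -> 'password'."""
    return "".join(LEET.get(c, c) for c in text).lower()


def dictionary_core(pw: str):
    """Find the longest prefix of pw that is a (possibly leet-speak)
    dictionary word followed only by digits/specials.
    Returns (core, suffix) or None."""
    for i in range(len(pw), 0, -1):
        core, suffix = pw[:i], pw[i:]
        if any(c.isalpha() for c in suffix):
            break  # a letter in the trailer: no longer the word + trailer formula
        word = unleet(core)
        if word.isalpha() and word in DICTIONARY:
            return core, suffix
    return None


def check_password(pw: str) -> list:
    """Return the flaw categories from the article that pw exhibits ([] = none)."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append("length")
    hit = dictionary_core(pw)
    if hit:
        core, suffix = hit
        findings.append("dictionary")
        if suffix:
            findings.append("predictable-suffix")   # PASSWORD123! formula
        if core.lower() != unleet(core):
            findings.append("leet-substitution")    # P@$$W0RD formula
    return findings


def mnemonic(sentence: str) -> str:
    """First character of each word: the technique the article recommends
    at its end. Digits and specials are appended afterwards for length."""
    return "".join(w[0] for w in sentence.split())


if __name__ == "__main__":
    samples = ["PASSWORD123!", "P@$$W0RD", "Summer2013",
               mnemonic("My daughter was born in Boston on a snowy Tuesday") + "2009!"]
    for pw in samples:
        print(f"{pw:18} {check_password(pw) or 'ok'}")
```

Run against a password change hook or an exported list of candidate passwords, the checker rejects the three formulaic samples and accepts the sentence-derived one; note that the leet reversal is deliberately applied to the whole prefix, so a substituted word with a numeric trailer (P@$$W0RD123!) is still recognized.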
Password Cracking 101
So how are attackers cracking passwords? There are a few methods hackers use to crack passwords.
- Guess – The attacker manually guesses the password using information obtained about a target.
- Dictionary Attack – The attacker leverages an automated tool that tries all possible dictionary words.
- Brute Force – The attacker tries all possible character combinations.
- Hybrid – Combining dictionary attacks with brute forcing.
Passwords must be stored so systems can verify a user’s identity and access rights. Systems do not store passwords in plain text files, for obvious security reasons. Most systems also do not rely on encryption as the only means to protect passwords, since a key is required to decrypt, and protecting that key becomes a weakness of its own. This is where hashing comes into play.
Hashing was invented as a means to transform a key or password, usually through an arithmetic function, into a completely different value. Hashing is non-reversible and always outputs the same value for a given input, which means the hash can be stored and compared against the hash of an entered password to verify authenticity. Changing one factor, such as capitalizing a letter or adding a space, generates a completely different hash output.
Hashes can be brute force attacked like a password if you know the formula for generating the hash. Many password cracking tools such as John the Ripper are capable of detecting a hash type and brute forcing all possible inputs, hashing each candidate and comparing the output against the stolen hash. Once a match is found, John the Ripper will print out the plain text password used to generate the matching hash.
Rainbow tables are the worst adversaries of common hash algorithms. A rainbow table is a pre-computed database of all hash outputs for a given algorithm, which can be searched to find the input that produced a given hash output. Websites such as www.freerainbowtables.com offer versions for popular hash algorithms such as MD5, found in most Windows systems. Kali Linux also offers applications such as RainbowCrack, used to generate rainbow tables.
Salting a hash was created as a means to combat rainbow tables by adding additional custom bits to the input, changing the hash output to something not found in common rainbow tables. Unfortunately, many systems such as Windows do not use salted hashing.
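As an added illustration (not code from the article), the following Python script shows the three properties the last few paragraphs rely on: the avalanche effect of a hash, why unsalted storage falls to a precomputed table, and why a random per-user salt defeats that table. The plain dictionary of hash to plaintext is a stand-in for a real rainbow table (which trades storage for recomputation through chains, but answers the same question), SHA-256 is used only because it is in the standard library, and the word list is constructed.

```python
import hashlib
import hmac
import os

# Constructed word list standing in for the inputs a precomputed table covers.
WORDLIST = ["password", "welcome", "letmein", "dragon", "summer2013"]


def unsalted_hash(password: str) -> str:
    """Hash of the password alone. Equal passwords always give equal
    hashes, so one precomputed table serves every system using this scheme."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Hash of salt || password. The salt is stored beside the hash in the
    clear; it is not secret, it only makes the stored value unique per user."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def new_salt() -> bytes:
    return os.urandom(16)


def verify(password: str, salt: bytes, stored: str) -> bool:
    """Login check: recompute the salted hash and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt), stored)


def precomputed_table(words) -> dict:
    """Toy stand-in for a rainbow table: hash -> plaintext, built once and
    reusable against any unsalted hash list for the same algorithm."""
    return {unsalted_hash(w): w for w in words}


def bit_difference(hex_a: str, hex_b: str) -> int:
    """Number of differing bits between two hex digests (avalanche effect)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def demo() -> dict:
    table = precomputed_table(WORDLIST)
    stolen_unsalted = unsalted_hash("password")          # table answers at once
    salt = new_salt()
    stolen_salted = salted_hash("password", salt)        # same password, absent from table
    return {
        "unsalted_lookup": table.get(stolen_unsalted),
        "salted_lookup": table.get(stolen_salted),
        "same_pw_same_hash": unsalted_hash("password") == unsalted_hash("password"),
        "same_pw_diff_salted": salted_hash("password", new_salt())
                               != salted_hash("password", new_salt()),
        "avalanche_bits": bit_difference(unsalted_hash("password"),
                                         unsalted_hash("Password")),
        "verify_ok": verify("password", salt, stolen_salted),
        "verify_bad": verify("Password", salt, stolen_salted),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Capitalizing one letter flips roughly half of the 256 output bits, the unsalted digest is recovered by a single dictionary lookup, and the salted digest of the very same password is not in the table at all. A salt alone does not slow a brute force attempt against one account; production systems pair it with a deliberately slow function such as bcrypt, scrypt or PBKDF2 rather than a single SHA-256 call.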
Now that we understand the basic concepts of securing passwords, what tools are available to compromise passwords during an authorized penetration test? The most popular arsenal, containing tons of password cracking options, comes from the creators of BackTrack with their new release, Kali Linux.
Kali Linux is a Debian-based distribution designed for digital forensics and penetration testing, maintained and funded by Offensive Security. Kali Linux is the next generation of BackTrack, containing tons of updated tools for various exercises, including a catalog of password cracking tools categorized as Password Attacks.
One could write a book covering Kali Linux, which a buddy and I are in the middle of doing, scheduled to release fall 2013. Here are a few password capturing and cracking scenarios that could be accomplished leveraging tools available in Kali Linux.
Users are the weakest link in security. In many cases, an attacker can trick a user into providing a password or exposing their system to malicious scripts using social engineering techniques. Kali Linux offers a tool called the Social Engineering Toolkit (SET) aimed at developing traps for social engineering attacks. SET can clone any website and embed attacks (however, it is recommended to keep the cloned website simple to avoid detection). An example is cloning a SharePoint website with the intention of exploiting victims by loading a meterpreter when they access the cloned website. Another possibility is embedding attacks into PDFs that can be sent through email.
The steps to use SET for the SharePoint example are: clone the trusted website, select the attack vector to embed into the cloned site, and trick users into accessing the cloned website. A victim accessing the cloned website would get a Java pop-up which, if run, will provide a reverse TCP meterpreter to the Kali Linux server hosting the cloned website. The attacker can start a meterpreter session and have full administrative privileges on the device accessing the cloned website.
Another great method to perform a similar attack is using the Browser Exploitation Framework (BeEF). Like SET, BeEF is available in Kali Linux and can be used to clone a trusted website and attack victims who are tricked into surfing to it. BeEF’s method of attack is based on exploiting vulnerabilities found in web browsers. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks on systems from within the browser context. The more vulnerable the user’s browser is, based on type, security settings, patch level, etc., the more commands are available for the attacker to launch. For example, a victim using an out-of-date version of Windows Explorer may have all keystrokes captured, while another user with Firefox may not show that option in BeEF but may permit screen captures. Hooked users that closed their browsers will show up in BeEF once they return online, regardless of whether they return to the cloned website.
Both SET and BeEF are very powerful social engineering tools and are available in Kali Linux 1.0. Check out their respective websites for more information on other use cases.
Cracking a stolen host password
The typical stolen host password file will be hashed. For Microsoft Windows based systems, you need the System Account Management (SAM) registry file and the SYSKEY to decrypt the stolen hashed passwords. One method to steal a Windows host password is by booting another operating system such as Kali Linux, mounting the Windows system as a drive, copying the SAM file, recovering the SYSKEY using a tool like bkreg, dumping the password hashes and cracking them with a password cracking utility. For Linux based systems, you need to capture the shadow file, which tends to be tougher to do than on Windows. There are boot loaders such as GRUB that can do this, as well as other methods.
Kali Linux offers a ton of password cracking utilities. John the Ripper is the most popular and is found in Kali’s top tools catalog. John has several engines that allow it to crack different types of passwords, including encrypted and hashed passwords. John the Ripper is considered a hybrid tool, meaning it tries dictionary words, appends and prepends alphanumeric characters, mixes in special characters and other combinations, and makes a final attempt at brute force when all else fails. Kali Linux also offers a GUI front end for John the Ripper, called Johnny, for those who are scared of Linux command line utilities. Regardless of the version you run, it is recommended to search online for password lists suited to your attack rather than using the default word list. We find the majority of passwords will not be cracked by John the Ripper if the generic password list is used. You can find many large password lists by searching Google.
John the Ripper has the ability to auto-detect most hashes and encrypted passwords, making life easier for attackers. There are also other programs in Kali Linux such as Hash-identifier that can help determine the hash type used to protect the password file; however, we find John the Ripper is around 90% accurate in identifying the correct hash. The downside of the approximately 10% failure rate is that John the Ripper can’t tell when it fails. This means John will keep running while time is wasted believing progress is being made. It is best practice to monitor your attack session for this case when using John the Ripper.
Another hash cracking tool available in Kali Linux is Ophcrack. Ophcrack is a Microsoft Windows password cracking tool based on rainbow tables. Ophcrack comes with built-in rainbow tables; however, it is best to download your own or use a tool in Kali Linux called RainbowCrack to generate custom tables. Websites like freerainbowtables.com will probably contain rainbow tables that match your target’s hash, so we find it a rare requirement to build your own.
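Turning the hash-identification problem around for the defender: the following Python audit (added here, not part of the article or of any Kali tool) parses Linux shadow-style lines, identifies the crypt scheme from the `$id$` prefix, extracts the salt and round count, and flags accounts protected by weak schemes (traditional 13-character DES crypt, md5crypt) or by no password at all. This is the same check an attacker’s cracker performs when it guesses a hash type, used here to find what would fall first on your own systems. The sample lines are constructed; the digests are placeholders laid out in the real field format, not genuine hashes.

```python
# Crypt scheme identifiers as they appear between the first two '$' signs.
SCHEMES = {
    "1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt", "y": "yescrypt",
}
# Schemes a defender should migrate away from (fast and/or truncating input).
WEAK_SCHEMES = {"descrypt", "md5crypt", "none"}

# Constructed sample; salts and digests are placeholders in the real layout.
SAMPLE_SHADOW = """\
alice:$6$rounds=5000$c0nstructedSalt$ConstructedSha512DigestPlaceholder:15900:0:99999:7:::
bob:$1$c0nstruc$ConstructedMd5DigestPlaceholder:15900:0:99999:7:::
carol:$2y$10$c0nstructedSalt22charsConstructedBcryptDigestPlaceholde:15900:0:99999:7:::
dave:c0Constructed:15900:0:99999:7:::
eve::15900:0:99999:7:::
svc:*:15900:0:99999:7:::
"""


def identify_hash(field: str) -> dict:
    """Classify one shadow password field.
    Returns {"scheme", "salt", "rounds", "weak"}; rounds is None when the
    scheme's default applies or the scheme has no tunable cost."""
    info = {"scheme": "unknown", "salt": "", "rounds": None, "weak": False}
    if field == "":
        info.update(scheme="none", weak=True)        # empty field: no password needed
    elif field[0] in "!*":
        info["scheme"] = "locked"                    # account disabled, nothing to crack
    elif not field.startswith("$"):
        if len(field) == 13:                         # traditional DES crypt: 2-char salt
            info.update(scheme="descrypt", salt=field[:2], weak=True)
    else:
        parts = field.split("$")[1:]                 # drop the empty string before the first '$'
        scheme = SCHEMES.get(parts[0], "unknown")
        info["scheme"] = scheme
        if scheme == "bcrypt" and len(parts) >= 3:
            info["rounds"] = 2 ** int(parts[1])      # cost factor is log2 of the iterations
            info["salt"] = parts[2][:22]             # 22-char salt precedes the digest
        elif len(parts) >= 2:
            rest = parts[1:]
            if rest[0].startswith("rounds="):        # optional explicit cost for sha-crypt
                info["rounds"] = int(rest[0].split("=", 1)[1])
                rest = rest[1:]
            info["salt"] = rest[0] if rest else ""
        info["weak"] = scheme in WEAK_SCHEMES
    return info


def audit_shadow(text: str) -> list:
    """Parse shadow-format lines and attach the classification to each user."""
    report = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        entry = {"user": fields[0]}
        entry.update(identify_hash(fields[1]))
        report.append(entry)
    return report


if __name__ == "__main__":
    for e in audit_shadow(SAMPLE_SHADOW):
        flag = "WEAK" if e["weak"] else "ok"
        print(f"{e['user']:6} {e['scheme']:12} rounds={e['rounds']} salt={e['salt']!r} {flag}")
```

On the constructed input the report singles out bob (md5crypt), dave (DES crypt) and eve (empty password field) as the accounts a cracker would finish first, while alice and carol carry salted, iterated schemes and svc is locked. Feed it the real file as root and sort on the `weak` column to build a migration list.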
There are a ton of MITM tools available in Kali Linux. A traditional MITM attack can be accomplished using the GUI utility Ettercap. Ettercap can scan a subnet for hosts and quickly permit an attacker to set up a MITM attack between a routing source and a victim. In the GUI, the attacker can select both targets, enable ARP poisoning and start sniffing traffic on the fly. If the victim uses HTTPS, Kali Linux includes a tool called SSLstrip that can prevent a web browser from upgrading to an SSL connection in a way the victim will not notice. This is important for many tools that need to see the unencrypted traffic, such as the Hamster and Ferret sidejacking tools found in Kali Linux for stealing cookies. The combination of SSLstrip with a sniffing tool is a powerful method to steal user credentials.
There are many methods a penetration tester could use to compromise a victim’s password. This article is just a glimpse of the available tools found in Kali Linux that can aid a penetration tester as well as a malicious hacker. Check out the latest version of Kali Linux, and make sure to use strong password policies so you don’t fall victim to attack.
I’ll conclude with one suggestion I provide to my clients regarding developing strong passwords. The key is to never use dictionary words in passwords. Have users take a long sentence that can be remembered and use the first letter of each word. This way the password looks random to the naked eye; however, it means something to the user to help them remember. Include numbers and special characters to increase the length. Having a repeated element at the end is not the best practice; however, it dramatically improves security against brute forcing attacks. Hope this helps!
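The ARP poisoning step that Ettercap performs is also the noisiest part of the chain from a defender’s point of view, because the attacker’s network card has to keep answering for addresses it does not own. The following Python detector is an added example (not from the article or from Ettercap) that runs over a constructed list of ARP replies and reports the three indicators a network monitor would alert on: an IP whose advertised MAC changes, one MAC claiming several IPs (the gateway and the victim at once), and a reply for a known static host carrying the wrong MAC. The observation format, the addresses and the static table are assumptions for the example; in practice the tuples would come from a sniffer such as tcpdump or from arpwatch.

```python
from collections import defaultdict

# Constructed ARP replies seen on one segment: (seconds, sender IP, sender MAC).
# 10.0.0.1 is the gateway. From t=30 the MAC ending in :99 answers for both the
# gateway and the client 10.0.0.20, which is what an ARP poison looks like on the wire.
OBSERVATIONS = [
    (0, "10.0.0.1", "aa:aa:aa:aa:aa:01"),
    (1, "10.0.0.20", "bb:bb:bb:bb:bb:20"),
    (2, "10.0.0.21", "bb:bb:bb:bb:bb:21"),
    (30, "10.0.0.1", "cc:cc:cc:cc:cc:99"),
    (31, "10.0.0.20", "cc:cc:cc:cc:cc:99"),
    (32, "10.0.0.1", "cc:cc:cc:cc:cc:99"),
]

# Assumed static table for hosts whose MAC the defender knows (here the gateway).
KNOWN = {"10.0.0.1": "aa:aa:aa:aa:aa:01"}


def detect_arp_spoofing(observations, known=None) -> dict:
    """Return three indicators of ARP cache poisoning:
    flapping:        IPs advertised with more than one MAC, in first-seen order;
    multi_ip:        MACs advertising more than one IP;
    static_mismatch: (time, ip, mac) replies for a known host with the wrong MAC."""
    known = known or {}
    macs_for_ip = defaultdict(list)
    ips_for_mac = defaultdict(set)
    static_mismatch = []
    for ts, ip, mac in observations:
        if mac not in macs_for_ip[ip]:
            macs_for_ip[ip].append(mac)
        ips_for_mac[mac].add(ip)
        if ip in known and known[ip] != mac:
            static_mismatch.append((ts, ip, mac))
    return {
        "flapping": {ip: macs for ip, macs in macs_for_ip.items() if len(macs) > 1},
        "multi_ip": {mac: sorted(ips) for mac, ips in ips_for_mac.items() if len(ips) > 1},
        "static_mismatch": static_mismatch,
    }


if __name__ == "__main__":
    result = detect_arp_spoofing(OBSERVATIONS, KNOWN)
    for indicator, detail in result.items():
        print(f"{indicator}: {detail}")
```

A single indicator can have a benign cause (a replaced NIC, a DHCP lease moving between hosts), but the combination seen here, a MAC that takes over the gateway’s address and a client’s address within seconds, is the signature of a poisoning tool. The SSLstrip half of the attack is addressed on the server side by HTTP Strict Transport Security, which tells a browser that has seen the site before to refuse a plain-HTTP version of it.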