
TEASER

Cyber Security Auditing Software

Improve your
Firewall Auditing
As a penetration tester you have to be an expert in multiple
technologies. Typically you are auditing systems installed and
maintained by experienced people, often protective of their own
methods and technologies. On any particular assessment testers may
have to perform an analysis of Windows systems, UNIX systems, web
applications, databases, wireless networking and a variety of network
protocols and firewall devices. Any security issues identified within
those technologies will then have to be explained in a way that both
management and system maintainers can understand.
The network scanning phase of a penetration assessment will quickly identify a number of security weaknesses and services running on the scanned systems. This enables a tester to quickly focus on potentially vulnerable systems and services using a variety of tools that are designed to probe and examine them in more detail, e.g. web service query tools. However, this is only part of the picture, and a more thorough analysis of most systems will involve having administrative access in order to examine in detail how they have been configured. In the case of firewalls, switches, routers and other infrastructure devices this could mean manually reviewing the configuration files saved from a wide variety of devices.

Although various tools exist that can examine some elements of a configuration, the assessment would typically end up being a largely manual process. Nipper Studio is a tool that enables penetration testers, and non-security professionals, to quickly perform a detailed analysis of network infrastructure devices. Nipper Studio does this by examining the actual configuration of the device, enabling a much more comprehensive and precise audit than a scanner could ever achieve.

www.titania.com
With Nipper Studio penetration testers can be experts in every device that the software supports, giving them the ability to identify device, version and configuration specific issues without having to manually reference multiple sources of information. With support for around 100 firewalls, routers, switches and other infrastructure devices, you can speed up the audit process without compromising the detail.

You can customize the audit policy for your customer’s specific requirements (e.g. password policy), audit the device to that policy and then create the report detailing the issues identified. The reports can include device specific mitigation actions and be customized with your own company’s styling. Each report can then be saved in a variety of formats for management of the issues. Why not see for yourself, evaluate for free at titania.com

Ian has been working with leading global organizations and government agencies to help improve computer security for more than a decade. He has been accredited by CESG for his security and team leading expertise for over 5 years. In 2009 Ian Whiting founded Titania with the aim of producing security auditing software products that can be used by non-security specialists and provide the detailed analysis that traditionally only an experienced penetration tester could achieve. Today Titania’s products are used in over 40 countries by government and military agencies, financial institutions, telecommunications companies, national infrastructure organizations and auditing companies, to help them secure critical systems.

www.titania.com
Password Attacks

Copyright © 2014 Hakin9 Media Sp. z o.o. SK

TOOLS
NTLM Hash-based Password Cracking Using Cain and Abel
By Praveen Darshanam 09
When new users are created on Windows operating systems, passwords are converted to a hash and
saved in the Security Accounts Manager (SAM) file. If we modify or set a new password that is less
than 15 characters, Windows generates the LAN Manager hash (LM Hash) and the Windows NT hash
of the password. The LM hash is weak compared to the NT hash and prone to brute force attacks.
NTLM passwords can also be cracked by using Rainbow Tables.

POC – Hacking Access Control: SOYAL and ROSSLARE
By Roman Clavijo 15
This paper aims to demonstrate a method for performing an intrusion into an operating system.
It depends on the user. I do not take responsibility for any illegal use of the following procedure
or for the legal consequences for those who use it to their benefit. It should be reported directly to the
manufacturer involved.

Ettercap
By Mohsen Mostafa Jokar 18
In the computer world, an attack is a way of destroying, exposing, or gaining unauthorized
access to data and computers. An attacker is a person who steals your data without any permission,
and a feature of some attacks is that they are hidden. Attacks are not always simple, and most
of them are complex. This is a big challenge for security researchers and companies that offer
solutions. An attack can be active or passive.

TECHNIQUES
The Famous Brute Forcing
By Rafael Fontes Souza 29
Brute forcing is the principle of multiple login attempts and is usually applied to get access
to accounts on a given site, service, server, etc. Automated or with the aid of software, it is
an algorithm that tests for access to the target: it enumerates all possible keys of a
solution, verifies whether each satisfies the problem, and enters the exploited system.

Addressing Password Attacks
By Shruti Kulkarni 33
A lot has been written on passwords and password attacks. We have heard about passwords
being compromised, passwords being shared, passwords being misused and even lists of the most
“guessable” passwords of the year.


Cracking an IPsec-VPN Gateway Through the Cloud
By Mirko Raimondi 40
Internet communication does not have data security built in; user data is sent in
clear text, allowing information to be seen by any device as the packets traverse the networks.
Hence, your passwords could be seen and used in order to hack your system, and the contents of
the IP packets can be modified without the possibility of being detected. Since packet content
can also be altered, an attacker could pretend to be someone else by creating IP packets with a fake
source address, accomplishing an attack called Identity Spoofing.

Cracking Windows Accounts Passwords in 25 Seconds
By Abdulkarim Zidani 50
In any secure operating system, passwords are stored hashed, encrypted, or masked, but never
in clear text format, for many reasons including improving security measures and protecting
passwords from discovery in case of data leakage.

Testing VLAN Hopping With Scapy
By Mirko Raimondi 57
A single Layer 2 (L2) network could be partitioned in order to create multiple distinct broadcast
domains, which are mutually isolated. In this way the network packets can only pass between
them via Layer 3 (L3) devices, such as routers. Such network partitioning is referred to as Virtual
Local Area Network (VLAN). IEEE 802.1Q is the network standard that supports Virtual LANs
(VLANs) on the Ethernet networks.

PREVENTION
Staying Ahead of the Hacker
By Rob Somerville 63
The ongoing war between the white and black hats will always in effect be a technological arms
race. In this game of cat and mouse, like the battle against disease, crime, or poverty, while
there will never be an outright victor, there are strategies and techniques that can be used to
tilt the playing field in our favour. While some of these techniques are controversial, they may
be appropriate in certain circumstances. Different rules apply in different jurisdictions, so it is
important to remain within the law.

Password Types, Attacks, and Preventions
By Saeed Asgharzadeh Bonab 66
The ‘strength’ of a password, i.e. how easy it is to guess, can be judged on the amount of
characters and the mixture of numbers and other keyboard symbols used. A password made
from a single word, such as ‘earth’ is of very poor strength compared to ‘4_@s$’ which is
harder to crack. Of course it’s even harder to remember a complicated password, and that’s
one of the reasons why compromised systems can sometimes be traced back to the use of a
‘weak’ password.

Better Secure Than Sorry! Neglected, Assumed and Hence Vulnerable Menace: Password Attacks
By Kishor Sonawane and Satish Chinchorkar (Varutra Consulting) 71
The confidentiality, integrity, and availability (CIA) triad is critical to guide policies for information
security within an organization. In this context, confidentiality is a set of rules that limits access
to information, integrity is the assurance that the information is trustworthy and accurate, and
availability is a guarantee of ready access to the information by authorized people.


Practical Anti-virus Evasion
By Daniel Sauder 78
During a penetration test, a situation might occur where it is possible to upload and remotely
execute a binary file. For example, you can execute the file on a share during a Windows test, or
you have access to a web space where it is possible to execute something. The executable file
can be built using Metasploit and could contain various payloads. Using Metasploit for this is
great, but on the other side most antivirus tools should recognize the executable as a harmful file
even when using the built-in encoders. This article shows how to evade antivirus software.

DEEP WEB
The Dark and Mysterious – Deep Web
By hackerDesk 85
As Wikipedia says, “The Deep Web (also called the Deepnet, Invisible Web, or Hidden Web)
is World Wide Web content that is not a part of the Surface Web”. To really understand the
differences between the deep and surface web, we have to know how search engines like Google,
Yahoo, Bing, etc. work. Search engines obtain their listings in two ways: authors may submit
their own web pages, or search engines use software that “crawls” or “spiders” web pages by
following one hypertext link to another.

The Password Attacks
by Davide Peruzzi 88
What is the weakest part of the security chain? You know the answer: the one who stands between
the keyboard and the desk chair. And what does this user do on his/her first day on the job? Set a
password. Yes, a big part of our security environment lies around that password.


Dear Readers,

We are happy to bring you another of our issues. This time, we are focusing on password attacks.
Our experts have prepared a set of articles explaining the types of the attacks, ways of executing
them, and ideas for not getting hacked. As always, we also provide you with several extra
topics. We have decided to divide this publication into four parts.

The first section is tools. You will learn how to crack passwords with Cain and Abel, SOYAL, ROSSLARE,
and Ettercap. Secondly, we have gathered several articles about certain techniques. You will find out about
brute forcing, cracking an IPsec VPN gateway through the cloud, testing VLAN with Scapy, and more. Next,
we will show you how to prevent attacks. We will explain the common password attacks, ways to not get
hacked, or evade an antivirus. Finally, we have a very interesting extra article about the deep web – the Internet
not available to a regular user.

We are hoping you will like this edition of PenTest. We put much effort in for you to have the best learning
materials possible. Have a pleasant and fruitful read.

Kaja Radzaj & PenTest Team

Editor in Chief: Milena Bobrowska
milena.bobrowska@pentestmag.com

Managing Editor: Kaja Radzaj
kaja.radzaj@pentestmag.com

Editorial Advisory Board: Jeff Weaver, Rebecca Wynn

Betatesters & Proofreaders: Sagar Rahalkar, David Kosorok, Tom Updegrove, Gregory Chrysanthou, Craig Thornton, Jackson Bennett, Jakub Walczak, L. Motz, Elia Pinto, Jeff Smith, Zbigniew Fiołna, David von Vistauxx, Gilles Lami, Julian Esteves, K. S. Abhiraj, Arnoud Tijssen, Aniket Bhosle, Shahid Hussain Rathore

Special Thanks to the Beta testers and Proofreaders who helped us with this issue. Without their assistance there would not be a PenTest magazine.

Senior Consultant/Publisher: Pawel Marciniak

CEO: Ewa Dudzic
ewa.dudzic@pentestmag.com

DTP: Ireneusz Pogroszewski

Art Director: Ireneusz Pogroszewski
ireneusz.pogroszewski@pentestmag.com

Publisher: Hakin9 Media Sp. z o.o. SK
02-676 Warsaw, Poland
ul. Postepu 17D
Phone: 1 917 338 3631
www.pentestmag.com

Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage.

All trade marks presented in the magazine were used only for informative purposes.

All rights to trade marks presented in the magazine are reserved by the companies which own them.

DISCLAIMER!
The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.

[ GEEKED AT BIRTH ]
You can talk the talk. Can you walk the walk?
[ IT’S IN YOUR DNA ]
LEARN:
Advancing Computer Science
Artificial Life Programming
Digital Media
Digital Video
Enterprise Software Development
Game Art and Animation
Game Design
Game Programming
Human-Computer Interaction
Network Engineering
Network Security
Open Source Technologies
Robotics and Embedded Systems
Serious Game and Simulation
Strategic Technology Development
Technology Forensics
Technology Product Design
Technology Studies
Virtual Modeling and Design
Web and Social Media Technologies

www.uat.edu > 877.UAT.GEEK

Please see www.uat.edu/fastfacts for the latest information about degree program performance, placement and costs.
NTLM Hash-based Password Cracking Using Cain and Abel
by Praveen Darshanam
When new users are created on Windows operating systems, passwords are converted to a hash
and saved in the Security Accounts Manager (SAM) file. If we modify or set a new password
that is less than 15 characters, Windows generates the LAN Manager hash (LM Hash) and the
Windows NT hash of the password. The LM hash is weak compared to the NT hash and prone to
brute force attacks. NTLM passwords can also be cracked by using Rainbow Tables.

Cain and Abel allows for easy recovery of different kinds of passwords for the Microsoft operating system.

SAM File
This file holds the usernames and password hashes for every account on the local machine, or for the domain if it is
a domain controller server. The Security Accounts Manager (SAM) file can be found on your hard disk drive in
the folder, or in the registry under the key:

%systemroot%\system32\config
HKEY_LOCAL_MACHINE\SAM

SAM files can’t be opened by normal users, including the Administrator; they can be read by the Windows
SYSTEM user only. There are different ways to read a SAM file. Most tools like Cain and Abel,
pwdump, etc. use DLL injection into a SYSTEM process (svchost.exe, csrss.exe, smss.exe, etc.) to read the
SAM file; mostly the Local Security Authority Subsystem process is used for DLL injection.

Password hashes can be stored in different forms: LAN Manager (LM), NT, AES key, or Digest (Table 1).

Table 1. Forms of storing password hashes

Hash Type   Encryption Algorithm   Key length         Supported Windows Versions
NT          MD4                    128-bit            All
LM          DES                    56-bit             Windows XP, Windows Server 2003
Digest      MD5                    128-bit            All
AES keys    AES                    128-bit, 256-bit   Windows Vista, Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012

After opening Cain and Abel, click on “Cracker.” On the left pane we can see different password Cracking
Techniques. Select the Cracker method which you are interested in, here, “LM & NTLM Hashes” (Figures 1
and 2).

On the Windows operating system, every user can be identified by either a Username or a Security Identifier
(SID). Administrator has 500 (0x1F4) as an identifier. Executing the command below will display the
list of users on the host (Figure 3).

wmic useraccount get name,sid


Figure 1. Cain and Abel startup screenshot

Figure 2. Importing SAM file

Figure 3. List of users on Windows 7 SP1

After selecting “LM & NTLM Hashes,” you can see the + sign getting highlighted; click on it. We can see the
different users present on this machine (Figure 4).


Figure 4. Different users

Select the user whose password you want to know/crack. We have different Password Cracking
Techniques like Dictionary Attacks, Brute-force Password guessing, Cryptanalysis Attacks, etc. Once you
select the type of cracking, go for “LM Hashes” or “NTLM Hashes” (Figure 5).

Figure 5. Hash types

Types of Password Cracking


Dictionary: Uses a file containing all words found in a dictionary.

Bruteforce: Using different combinations of characters including dictionary words.

Cryptanalysis: Uses a set of large tables of pre-computed hashes of passwords.

Dumpster Diving, Shoulder surfing, Googling/Google Dorks, etc. can be used to acquire passwords (Figure 6).


Figure 6. Cracking is in progress


Table 2. Passwords and their LM hashes

Password    LM Hash
root12      77379F15D5B78BDCAAD3B435B51404EE
admin12     AC804745EE68EBEAAAD3B435B51404EE
admin123    AC804745EE68EBEA1AA818381E4E281B

To calculate LM hashes from passwords, passwords are divided into 2 blocks of seven characters each
(Table 2). If the password length is less than seven characters the second block is always

AAD3B435B51404EE

The weakness here is that, by looking at the hashes, an attacker can figure out whether the password is longer than seven
characters or not.

Figure 7. Cracked password


Figure 7 shows the cracked password. Passwords are divided into two blocks of 7 characters each. On each
block we calculate the LM hash which consists of 8 bytes. “T” is the character present in the password, part
of the second block in the hash. “IAMGREA” are characters present in password, a part of first block of
hash (Figure 8).
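To make the two-block construction concrete, here is an added example (not code from the article or from Cain and Abel) that computes LM hashes with Go's standard crypto/des and flags any hash whose second half is the empty-block constant, so a defender can find accounts whose hash already gives away the password length. It assumes plain ASCII passwords (Windows uses the OEM code page here) and a constructed "user:lmhash" line format for the audit helper. It reproduces the Table 2 values and also shows that the constant half appears for every password of seven characters or fewer, as admin12 (exactly seven) in Table 2 illustrates.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmConstantHalf is DES("KGS!@#$%") under the all-zero key. It is the second
// half of every LM hash whose password fits entirely in the first 7-byte block.
const lmConstantHalf = "AAD3B435B51404EE"

// desKeyFrom7 spreads 7 password bytes over 8 DES key bytes, leaving the
// low (parity) bit of each byte clear. DES ignores that bit, so the parity
// value does not change the ciphertext.
func desKeyFrom7(s []byte) []byte {
	k := make([]byte, 8)
	k[0] = s[0] & 0xFE
	for i := 1; i < 7; i++ {
		k[i] = (s[i-1]<<(8-uint(i)) | s[i]>>uint(i)) & 0xFE
	}
	k[7] = (s[6] << 1) & 0xFE
	return k
}

// lmHalf encrypts the fixed LM magic block with the key derived from one
// 7-byte block of the upper-cased, NUL-padded password.
func lmHalf(block []byte) []byte {
	c, err := des.NewCipher(desKeyFrom7(block))
	if err != nil {
		panic(err) // the key is always 8 bytes, so this cannot happen
	}
	out := make([]byte, des.BlockSize)
	c.Encrypt(out, []byte("KGS!@#$%"))
	return out
}

// LMHash computes the LAN Manager hash as the article describes: upper-case
// the password, cut or NUL-pad it to 14 bytes, hash each 7-byte block on its
// own and concatenate. Output is upper-case hex, as Cain displays it.
// Assumption: ASCII passwords (Windows uses the OEM code page here).
func LMHash(password string) string {
	buf := make([]byte, 14)
	copy(buf, strings.ToUpper(password)) // copies at most 14 bytes
	h := append(lmHalf(buf[:7]), lmHalf(buf[7:])...)
	return strings.ToUpper(hex.EncodeToString(h))
}

// ShortPasswordFromLM reports whether an LM hash alone reveals that the
// password is at most seven characters: the second block was empty.
func ShortPasswordFromLM(lmHex string) bool {
	return strings.HasSuffix(strings.ToUpper(lmHex), lmConstantHalf)
}

// AuditLMHashes runs that check over constructed "user:lmhash" lines (an
// assumed dump format, not Cain's own) and returns the users whose password
// length is exposed by the hash. Such accounts are the ones to rotate first
// when LM hash storage is being disabled.
func AuditLMHashes(lines []string) []string {
	var exposed []string
	for _, ln := range lines {
		parts := strings.SplitN(strings.TrimSpace(ln), ":", 2)
		if len(parts) != 2 || len(parts[1]) != 32 {
			continue // skip malformed lines
		}
		if ShortPasswordFromLM(parts[1]) {
			exposed = append(exposed, parts[0])
		}
	}
	return exposed
}

func main() {
	// The three passwords from Table 2 plus the empty password.
	for _, p := range []string{"root12", "admin12", "admin123", ""} {
		h := LMHash(p)
		fmt.Printf("%-10q LM=%s  at most 7 chars: %v\n", p, h, ShortPasswordFromLM(h))
	}
}
```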

Figure 8. Final output with all cracked passwords

There are other tools like John the Ripper, L0phtCrack, etc., used to crack passwords. The method
described in this article is offline cracking of passwords. We can crack passwords online by using tools
like Hydra, but the chances of getting caught by perimeter security devices (IDS, IPS, Web
Gateways, etc.) may be very high, as it generates lots of network traffic.


About the Author


Praveen Darshanam has over seven years of experience in Information Security with companies
like McAfee, Cisco Systems, and iPolicy Networks. His core expertise and passions are
Vulnerability Research, Application Security and Malware Analysis, Signature Development, Snort,
etc. He pursued Bachelor of Technology (B.Tech) in Electrical Engineering (EE) and Master of
Engineering (MS/ME/M.Tech) in Control and Instrumentation (C&I, EE) from one of the premier
institutes of India. He holds industry Certifications like CHFI, CEH, and ECSA. He is a known
Ethical Hacking trainer in India. He also blogs at http://blog.disects.com/.

Addressing Password Attacks
by Shruti Kulkarni and Amit Kumar Sharma
A lot has been written on passwords and password attacks. We have heard about passwords
being compromised, passwords being shared, passwords being misused and even lists of the most
“guessable” passwords of the year.

Password cracking has become a fancy term, very common among teens, where it is regarded
as a very cool practice and a matter of high esteem if you know how to do it.

Modern movies show that it takes seconds to crack a password, which is a big misconception. It takes a
lot of time to crack a good password.

There is a lot of science and mathematics involved in the background.

Technically the term Password Cracking can be stated as a process of recovering passwords from data that
have been stored in or transmitted by a computer system.

Earlier, the purpose of password cracking was to help a user recover a forgotten password or to check how
strong a password was, but later attackers, or say the fun loving guys (evil fun lovers), used the techniques
to gain unauthorized access to a system.

The strength of a good password can be understood as its resistance to being guessed or brute-forced.

I totally agree that at some point using a strong password lowers the overall risk of a security breach, but on
the other hand a strong password cannot replace the need for other effective security controls to avoid getting
attacked or breached.

Now that we know what password cracking is, let’s see how we can make this cracking a little more
difficult for the attacker and what factors contribute to it.

Whilst it is fair to say that a password is the user’s responsibility and that the user needs to choose a safe and
“non-guessable” password, it would be more appropriate to look at the whole picture comprising the users, the
applications, the vendors and education on information security, and to look at the password as a possible strong
control rather than stressing it as a weak control.

The strength of a password can be termed as a function of length, complexity, and unpredictability.

So when a password is being framed, this function has to be considered in order to create a good and
strong password. From an end user perspective, the following questions should trouble his mind
when making a good password:

• How long is the password? – This states the Length

• How large is the character set used? – This states the Complexity

• How predictable is it? – This states the Unpredictability


If an end user is able to answer these questions, he is expected to build a good password for his data.
But here comes the twist. Now that the end user is protected, let’s look at the other aspects of the chain of
authentication and how the password is being handled.


When we say how it is being handled, let us again put two more questions in the tray:

• How does the password travel to the Authenticating Agent?

• How is the password stored and used?

If we see the chain of authentication on a broad basis, we see the Application where the user enters his/
her password, which travels down to the Authenticating Agent via a medium where it is stored and also
cross-checked for the authenticity of a particular user. Let us quickly peek into the reasons why passwords
are attacked and the types of password attacks. Devices / Systems are made of user ids and passwords.
Knowledge of the user ids and passwords is the gateway to the devices / systems. Once inside
the system, the attacker can set up the system as a bot / zombie, conduct malicious activities, steal data,
compromise data etc.

Types of password attacks are:

• Brute force attack

• Dictionary attack

• Rainbow table attack

• Gain control of the hashes

• Shoulder surfing

• Guessing

• Misconfiguration of password files

• Social Engineering

The intention of this article is not to talk about the reasons for password attacks or about the types of
password attacks. Let us look at the chain of authentication on a broad basis, from user to system and back.
Passwords as treated by users: In today’s world of ever growing internet awareness and usage, the awareness
about “User id/Password”, “Login Screen”, “Home Page” has become more common than, say, ten years
back. The usage of online banking, online shopping, online bill payments, not to mention social
media, has increased tremendously in recent years.

Figure 1. No of global internet users [1]


Figure 2. Global population and Internet users 2000-2020 (line chart; y-axis: number of people in billions, 1.0 to 8.0; x-axis: 2000, 2010, 2020; series: global population, Internet users)


Consequently, password attacks have also increased in proportion in the past years. The users have to be
wiser in selecting their passwords and protecting their assets on the internet.

Users, who access internet and need to use usernames and passwords, are of different types and are in all age
groups. For simplicity sake let us look at different types of users:

• Students

• Employees in IT sector

• Employees in non-IT sector

• Home users

• Users in the age group of 60 years and above

The background and the approach towards internet would be different for each of these groups for example:

It is more likely that employees in IT sector would be more frequently trained on handling passwords, social
engineering, phishing, password strengths etc than the other groups. Among the other groups, it is more
likely that employees in non-IT sector are more aware of the passwords attacks than students, home users
and users in the age group of 60+ years.

Awareness regarding password attacks imparted to these groups would be different for each of the groups.
The next question is who should impart the awareness, and whether it should be in the form of
training / regular communication / roadshows / wall posters etc.

Whilst it is quite true that employees of the IT sector are closer to the physiology of password attacks, using
user names like admin / administrator / test etc. and passwords like password123 / test123 / 123456789 is
quite common in the IT community as well.


The reasons for selection of such kinds of passwords could be lack of awareness, ignorance or lack of
creativity to come up with strong user names and passwords.

Following are some of the areas in which awareness can be imparted:

• Security trainings and password education regarding complexity, length and unpredictability

• Regular communication about commonly used passwords

• Enforcing stronger passwords through policies

• Awareness about not sharing passwords.

Applying the above areas and the awareness forms to the groups of users:

• Students, home users, users in the age group of 60+ years: Security trainings and password education:
Typically, students get to know about computers from schools, colleges and by observing parents, elder
siblings. A lot more is learnt from friends and peer group. Students usually access applications like
emails, social sites, education sites, financial aid loan calculator etc. In this scenario, a forum for a formal
training and password education may not be available unless these trainings are incorporated as a part of
the education curriculum or is conducted by the education institution. Password education can be taken up
by the application owners by

• Sharing information on how not to use commonly used passwords, e.g. asking students to create
innovative passwords that can be difficult to guess. This message can be made available on the “Create
User” page and the “Change Password” page. Messages can also be posted in the form of running banners on
selected pages of the application.

• Enforcing stronger passwords through policies, e.g. displaying the strength of the password:

*******
Password strength: Too short

**********
Password strength: Weak

**********
Password strength: Fail

***********
Password strength: Good

***************
Password strength: Strong

Figure 3. Password strength


• Awareness about not sharing passwords: this is an important factor in password protection.
Compromised passwords can be reused later on the basis of familiarity and the shared knowledge.

• Employees / contractors / third party users in IT sector and non-IT sector

• Security trainings and password education: Security awareness trainings are anyway conducted as a
part of training sessions in IT companies. If not already incorporated, password education should be a
part of these sessions, which should include information on commonly used passwords and awareness
on not sharing passwords.

Employees need to be aware of password attacks in a more rigorous way as opposed to other groups of
users. This is because of the large number of devices that the industry handles, that have passwords as
one of their security controls.

• Enforcing stronger passwords through policies, this can be done on the authentication tool.

• Educating users not to use the same user id / password combination for various applications. In the
event of compromise of user id / password the attack of accounts with different web application is
made easy for the attacker. This is all the more important when user ids and password of professional
and personal accounts are mixed up.

• Emphasizing on the importance of passwords and the impact of compromise of passwords.

Passwords as treated by applications


This is a very important aspect on how the application one is building is treating a password. It has to be
kept in mind that this is the most important feature of the application that has to be guarded against the evil
people to protect your customer’s assets.

Learning from the past and from the attacks that have happened, Application Owners have become
more cautious and have introduced many different kinds of controls to educate the end user to select a good
password, like:

• Introducing Graphical passwords more likely in the Mobile devices

• Password Strength Meter

• Displaying Warnings or errors to show the usage of easier guessed passwords

How this information is handled and stored are the major points that have to be taken into consideration.

How safely it is stored and communicated via the medium are big challenges, and the use of secure
configurations on the databases used and the server in question are very important points that an
administrator has to keep in mind. A small vulnerability in any of the assets in use can hamper the whole
system. Things that should be kept in mind by the Application Owner are:

• Strong password policy: Be it changing of the default password / forcing regular change in the password,
password length, complexity, lack of repeatability of previous passwords or password aging, having a
strong password policy does provide the first line of defense for password attacks. Never use “password
does not expire” option. Account lockouts should be enforced after a specified number of attempts. This is
also referred to as password hardening

• Applying patch of the software used timely: any detected backdoor or defect or bug in the application
should be patched up in a timely manner to ensure protection of passwords.

• Implementation of SSL during transit of the password and not transmitting passwords in clear text:
Passwords are important, be it for the network of an organisation that processes sensitive data or be it
the email id of a student. Passwords are passwords that need to be protected. Hence transmission of
passwords in clear text should strictly not be done.

• Storage of passwords: Passwords should be stored in hashed format. A strong hashing algorithm should be
used for this. Also, the keys should be stored in different logical /physical assets. Hashes are vulnerable to
rainbow table attacks. Hence it is useful to salt hashes with random numbers and then store them. Passwords
to sensitive user ids like admin / root user ids should also be encrypted along with hashing and stored.

• Not using Common user ids: Another vulnerability exposed for attackers is by having common user
ids like admin / administrator for an admin role. This leaves the attacker with only the password to be
guessed / attacked.

• Split passwords for sensitive roles: For sensitive roles, passwords should be split between two or three
people. This makes compromise of passwords by social engineering / phishing more difficult.

• Proper logs for detecting failed attempts: Failed logon attempts and password resets should always be
logged, for any type of application. This allows the forensics team to track the rate of attacks and the user
ids that are under attack.

• Multi-factor authentication: another control that can be used to strengthen password policies. Multi-factor
authentication combines what the user knows (a password) with what the user has (a PIN generated randomly
on a token device), where the user is (location) or what the user is (biometrics).
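The following is an added example, not code from the article or its authors, showing how several of the controls above fit together in one small account store: salted password hashing (PBKDF2-HMAC-SHA256, so two users with the same password get different stored hashes), constant-time comparison, account lockout after a fixed number of failed attempts, refusal to reuse recent passwords, and an audit log of failed logons and resets. The policy values (MIN_LENGTH, MAX_ATTEMPTS, HISTORY_DEPTH, PBKDF2_ITERATIONS) are assumptions chosen for the illustration, not figures from the article.

```python
import hashlib
import hmac
import os
import time

# Constructed example: the policy values below are assumptions for this
# illustration, not figures taken from the article.
MIN_LENGTH = 12           # minimum password length accepted by the policy
MAX_ATTEMPTS = 5          # failed logins before the account is locked
HISTORY_DEPTH = 5         # number of previous passwords that may not be reused
PBKDF2_ITERATIONS = 200_000


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256. A fresh random salt is drawn when none is
    given, so two users with the same password get different stored hashes."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


class AccountStore:
    """Minimal account store applying the controls listed above."""

    def __init__(self):
        self._accounts = {}
        self.audit_log = []   # (unix time, event, user id): failed logons and resets

    def _log(self, event, user_id):
        self.audit_log.append((time.time(), event, user_id))

    def _matches_any(self, password, history):
        # Each history entry carries its own salt, so the candidate is re-hashed per entry.
        return any(hmac.compare_digest(hash_password(password, s)[1], h) for s, h in history)

    def create(self, user_id, password):
        if len(password) < MIN_LENGTH:
            raise ValueError("password shorter than the policy minimum")
        salt, digest = hash_password(password)
        self._accounts[user_id] = {
            "salt": salt, "hash": digest,
            "history": [(salt, digest)],   # most recent first
            "failures": 0, "locked": False,
        }

    def stored_hash(self, user_id):
        return self._accounts[user_id]["hash"]

    def is_locked(self, user_id):
        return self._accounts[user_id]["locked"]

    def verify(self, user_id, password):
        rec = self._accounts.get(user_id)
        if rec is None:
            hash_password(password)   # spend the same time for unknown users
            self._log("failed_login_unknown_user", user_id)
            return False
        if rec["locked"]:
            self._log("login_attempt_on_locked_account", user_id)
            return False
        _, candidate = hash_password(password, rec["salt"])
        if hmac.compare_digest(candidate, rec["hash"]):
            rec["failures"] = 0
            return True
        rec["failures"] += 1
        self._log("failed_login", user_id)
        if rec["failures"] >= MAX_ATTEMPTS:
            rec["locked"] = True
            self._log("account_locked", user_id)
        return False

    def reset_password(self, user_id, new_password):
        """Set a new password, refusing reuse of any of the last HISTORY_DEPTH
        passwords, and unlock the account. Every reset is logged."""
        rec = self._accounts[user_id]
        if len(new_password) < MIN_LENGTH:
            raise ValueError("password shorter than the policy minimum")
        if self._matches_any(new_password, rec["history"]):
            raise ValueError("password was used recently")
        salt, digest = hash_password(new_password)
        rec.update(salt=salt, hash=digest, failures=0, locked=False)
        rec["history"] = ([(salt, digest)] + rec["history"])[:HISTORY_DEPTH]
        self._log("password_reset", user_id)
```

The unknown-user branch deliberately performs a hash computation so that response time does not reveal which user ids exist; the audit log is a plain list here, but in a real deployment it would go to a log pipeline where the rate of `failed_login` events per user id can be monitored.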

The Weak Chain?


There has been a variety of research on this topic, reflecting different criteria and angles on the way we
look at it.

According to Trustwave’s 2012 Global Security Report, the most used password was “Password1”!

End users, regarded as the easiest link in the security chain to break, are not very creative when it comes
to choosing a password. They sometimes create a password in a hurry, or just to meet the minimum
requirements the system asks for.

One study also showed that successive changes of the password for one particular account decrease its
security.

Research on a large number of passwords found that the most common passwords chosen are related to a
person’s favourites, likes, dislikes, pets, teams, dates, etc.

Here we have to understand one thing: we are not trying to create a strong-looking password (alphanumeric,
or blended with some special characters, etc.) but a password that is difficult to guess.

For example, a password made of a pet’s name with a special character and a number may seem to be a strong
password, but for an evil mind out there it takes only some social engineering and some guessing to break it.

Looking at the math, increasing the number of characters in a password makes it more robust against brute
force attacks.

Studies have shown that adding a single character increases the number of combinations an attacker must try exponentially.

A lot of research has also been done on how to make users remember passwords and how to help them
choose one. Passphrases are, to an extent, a very good solution, though not so well known yet.

For example, a password such as “ThisIsGoingToBeAGreatRide” will take much longer to be guessed than
“Tarry1”. For more research and data related to passwords, visit [2] in the references section.
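The following is an added example, not code from the article or its authors, that puts numbers to the two points above: the exhaustive search space grows by a factor of the alphabet size for every character added, and a password that looks strong but follows a guessable pattern (a dictionary word plus a symbol and a digit) has a far smaller effective search space than its length suggests. The character-class sizes, the assumed dictionary size and the hash rate used for the time estimate are assumptions for the illustration, not figures from the article.

```python
import math
import string

# Constructed example: character-class sizes and the hash rate are assumptions
# chosen for illustration, not figures from the article.
CLASS_SIZES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation), 32),
}


def charset_size(password):
    """Alphabet size an attacker must assume, from the character classes present."""
    return sum(size for chars, size in CLASS_SIZES.values() if any(ch in chars for ch in password))


def search_space(password):
    """Candidates in an exhaustive search over the inferred alphabet and length."""
    return charset_size(password) ** len(password)


def entropy_bits(password):
    """log2 of the search space; a rough upper bound, valid only for random passwords."""
    return math.log2(search_space(password))


def brute_force_seconds(password, hashes_per_second):
    """Worst-case time to exhaust the search space at the given hash rate."""
    return search_space(password) / hashes_per_second


def pattern_space(dictionary_size, n_symbols, n_digits):
    """Candidates when the password is known to follow <word><symbols><digits>,
    e.g. a pet name plus '!' and one digit. Far smaller than search_space()."""
    return dictionary_size * (32 ** n_symbols) * (10 ** n_digits)


def report(password, hashes_per_second=1e10):
    """Summarise the naive strength estimate of a password."""
    return {
        "length": len(password),
        "charset": charset_size(password),
        "bits": round(entropy_bits(password), 1),
        "worst_case_seconds": brute_force_seconds(password, hashes_per_second),
    }


if __name__ == "__main__":
    for pw in ("Tarry1", "Tarry12", "Rex!1", "ThisIsGoingToBeAGreatRide"):
        print(pw, report(pw))
    # Assumed dictionary of 10,000 pet names: 'Rex!1' is one of only
    # 10,000 * 32 * 10 candidates for an attacker who knows the pattern.
    print("pattern space for <pet>!<digit>:", pattern_space(10_000, 1, 1))
```

The hash rate of 10^10 per second is a placeholder; the point is the ratio between lines, not the absolute times. `report("Tarry12")` shows exactly 62 times the search space of `report("Tarry1")`, while `pattern_space(10_000, 1, 1)` is several orders of magnitude below `search_space("Rex!1")`, which is why the article stresses guessability over apparent complexity.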


How to Minimize the Risk?


In summary, risk can be minimized by keeping the following points in mind:

• Educating the user on choosing a password and the impact of not choosing a good password.

• Enforcing password hardening guidelines in the organization.

• Having security controls on the application that will not compromise passwords.

References
[1] http://en.wikipedia.org/wiki/Global_Internet_usage
[2] http://passwordresearch.com/

About the Authors


Shruti Kulkarni is a Service Management and Information security consultant. She is a certified LA
ISO27001:2005, CISA, CRISC, CISSP, ITIL V3 Expert and a CCSK. Shruti’s activities include security
architecture reviews, implementation of ISO27001 and ISO20000. Shruti also works on risk assessments
and on business continuity management.

Amit Kumar Sharma commonly known as AKS-44 has a B.E in EC and works in Information Security for
a reputed firm. He is passionate about Security and spends his time learning/researching in the wild.


Cracking Windows Account Passwords in 25 Seconds
by Abdulkarim Zidani
In any secure operating system, passwords are stored hashed, encrypted or masked, but never in clear text,
for many reasons including improving security and protecting passwords from discovery in case of data
leakage.

The Windows operating system, unlike other operating systems, uses its own hash algorithms. There are
two versions of the hashing algorithm: LM and NTLM. Both hashes are explained briefly in this article,
then several ways of cracking Windows hashes are introduced, followed by a step-by-step guide to cracking
a password of fewer than seven characters hashed using NTLM.

The Basics
In this section the two hashing algorithms are explained without digging too deep into the details of
each; the focus is on their security strengths and weaknesses.

LM Hashes
Also known as LanMan hashes or LAN Manager hashes. The LM hash is an obsolete hashing function used in
earlier versions of Windows (prior to NT). This function is not used anymore; if it is found on a system, it is
there for backward compatibility purposes and not for password storage.
Weakness

Passwords are limited (truncated) to 14 characters. Password case is ignored and everything is converted
to uppercase.

Limited key space. A normal desktop computer can brute force the whole key space in several hours, because
any password longer than seven characters is split into two chunks, each of which is encrypted separately
using DES, leaving the hashing function severely vulnerable.

Vulnerable to pass-the-hash exploitation, where the hash is reused instead of the password in a network
environment.

NTLM Hashes
Because of the weaknesses in the LM hashing function, NTLM was implemented in later generations of Windows
after the NT family. NTLM, or NT LAN Manager, is the hashing function used in today’s Windows versions,
including Windows 7.
Weakness

Still no salting: a salt is a random value added to the password before hashing, which prevents rainbow table
attacks. All types of attacks are explained later in this article.


Attacks Types
Brute Force
Unlike other types of attack, where the attacker focuses on finding a single weakness (usually called a
security vulnerability) and exploiting it to gain access to the system, a brute force attack targets one or
more accounts of any application or system by trying different combinations of usernames and passwords.
It is also called an exhaustive key search.

In the case of LM/NTLM hash brute forcing, a password is generated, hashed, and then compared to the
target hash. Since no salt is added to the hashes in Windows systems, this is a fairly effective method when
the password is short.

The efficiency of this attack depends on the power of the processor used to calculate the hashes of the
generated passwords. Password generation is usually random, but sometimes developers use a special
algorithm that tries the most commonly used passwords first and random ones later.

One of the most famous tools used for this method is called JTR or JohnTheRipper. JTR and other cracking
tools are explained later in this article.
Protection

Using lengthy passwords and enforcing account lockout should be sufficient to protect any user from this
type of attack (Figure 1).

Figure 1. iOS protection against brute forcing

Memory Based Attacks – Rainbow Tables


This is also called a time–memory trade-off (TMTO), because the process does not depend on the power of
the processor used to calculate the hashes. The hashes are pre-calculated and stored in huge data tables
called Rainbow Tables.

To get an idea of how ‘big’ the tables can be, Figure 2 shows NTLM precalculated hash tables for different
character sets. Usually an alphanumeric table of one to nine characters is very effective against most
passwords, because human memory is limited in how well it remembers long, complex passwords.


Figure 2. Rainbow Tables sizes of different character sets

Cloud (Hybrid) Attacks


This is not another type of attack; rather, it is a combination of both, depending on the attacker’s needs. Cloud
password cracking is becoming more common than before, due to the low cost and ease of renting ‘CPU
power’ and the unlimited hosting storage size.

Many of these services are offered for free initially, but users have to pay if the password is recovered.
The service may also be renamed a “password recovery service” for legal reasons.

Tools
Freeware and commercial tools are both available for cracking passwords. Cracking a password means using
one of the attacks above to recover the original password from its hash.

Figure 3. Testing JTR in a Linux environment


JTR – JohnTheRipper
JohnTheRipper is a fast password cracker, currently available for many flavors of Unix, Windows, DOS,
BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3)
password hash types most commonly found on various Unix systems, supported out of the box are Windows
LM hashes, plus lots of other hashes and ciphers in the community-enhanced version [1].

This tool is obviously not only for LM/NTLM hashes, but is usable for other hashes as well. It uses a brute
force attack on the hash (Figure 3).

Ophcrack
Ophcrack is a free Windows password cracker based on Rainbow Tables. It is a very efficient
implementation of Rainbow Tables done by the inventors of the method. It comes with a Graphical User
Interface and runs on multiple platforms [2].

This tool is more focused on Windows password hashes, and it uses the TMTO type of attack. What is more
interesting is that a live CD was created to help attackers export the hashes from a Windows machine, since
these are protected by the operating system as mentioned earlier in this article.

What is appealing about this tool is its well-formed GUI and easy-to-use interface and buttons. Figure 4 is an
example of Ophcrack used to crack multiple Windows passwords on a Linux machine.

Figure 4. Cracking Windows NT/NTLMv1/NTLMv2 hashes using ophcrack

HashCat
HashCat is a GPGPU-based multi-hash cracker using a brute-force attack (implemented as mask attack),
combinator attack, dictionary attack, hybrid attack, mask attack, and rule-based attack.

There are two things to note here:

• First is the usage of GPGPU – General-Purpose computation on Graphics Processing Units, also known
as GPU Computing. Graphics Processing Units (GPUs) are high-performance many-core processors
capable of very high computation and data throughput. Once specially designed for computer graphics
and difficult to program, today’s GPUs are general-purpose parallel processors with support for
accessible programming interfaces and industry-standard languages such as C. Developers who port their
applications to GPUs often achieve speedups of orders of magnitude vs. optimized CPU implementations.
[3] Using a GPU can massively speed up a brute force attack. To see the difference, a test was made and a
comparison of GPU vs. CPU performance is plotted in Figure 5.

Figure 5. GPU vs CPU in performance

• The usage of multiple attack types including hybrid of multiple attacks at once. This is what cloud
services use to crack passwords and charge users for them (Figure 6).

Figure 6. Cracking Windows NT/NTLMv1/NTLMv2 hashes using hashcat (threaded)


Step by Step Guide


Exporting the SAM and SYSTEM Hives
To start cracking Windows password hashes, an attacker needs the hashes first. The hashes are stored in
special, protected files in the system directory of the Windows file system.

Since both files are protected by Windows, unless the attacker has SYSTEM privileges (via privilege
escalation) both hives are inaccessible; hence the need to boot into a Linux live CD such as Knoppix, Kali,
BackTrack, etc.
What are the SAM and SYSTEM Hives?

A hive is a logical group of keys, subkeys, and values in the registry that has a set of supporting files
containing backups of its data. [4] The SAM (Security Accounts Manager) hive is where the hashes of all user
accounts are stored. The location of the SAM hive varies with the Windows version of the target machine.
By default it is under x:\windows\system32\config.

Now that both hives are located and mounted with the Linux OS running, both can be copied into a safe
place to be cracked later.
Extracting the Hashes from the Hives

Before hashes can be cracked they need to be extracted from the hives. Thankfully there is a tool for that
called samdump2. Assuming SAMHive is the SAM file copied earlier and SYSTEMHive is the SYSTEM
file copied earlier as well, an attacker can export the hashes using this simple one-line command:

$ samdump2 /mnt/XXX/WINDOWS/system32/config/system /mnt/XXX/WINDOWS/system32/config/sam

The output should be something like this:

Administrator:500:**NO PASSWORD********:0CB6948805F797BF2A82807973B89537:::

The NO PASSWORD field is reserved for the LM hash, which is not used here. The hash to be cracked in this
case is: 0CB6948805F797BF2A82807973B89537.
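The following is an added example, not code from the article or its author, written from the defender's side of the same data: a parser for the `user:rid:lmhash:nthash:::` line format shown above, a pure-Python NT hash (MD4 over the UTF-16LE password, with no salt, which is the NTLM weakness described earlier) and an audit that flags what an administrator reviewing an export of their own SAM would want to know: accounts that still store an LM hash, accounts with an empty password, accounts whose NT hash matches a banned-password list (the article's “Password1” among them), and accounts sharing an identical NT hash, which the missing salt makes visible. The sample dump, the banned list and the LM value for the `legacy` account are constructed for the example.

```python
import struct

MASK32 = 0xFFFFFFFF
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data):
    """Pure-Python MD4 (RFC 1320). hashlib's md4 is often unavailable under
    OpenSSL 3, so the NT hash is computed here without external dependencies."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                       # round 1
            a = _rotl((a + f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                       # round 2
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                       # round 3
            a = _rotl((a + h(b, c, d) + x[r3_order[i]] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password):
    """NT hash: MD4 over the UTF-16LE encoding of the password. No salt, so
    equal passwords always give equal hashes."""
    return md4(password.encode("utf-16le")).hex()


def parse_pwdump(text):
    """Parse 'user:rid:lmhash:nthash:::' lines (the samdump2 output format shown above)."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError("malformed line: %r" % line)
        accounts.append({"user": parts[0], "rid": int(parts[1]),
                         "lm": parts[2].lower(), "nt": parts[3].lower()})
    return accounts


def _is_hex32(s):
    return len(s) == 32 and all(ch in "0123456789abcdef" for ch in s)


def audit(accounts, banned_passwords):
    """Return (user, finding) pairs: LM hash still stored, empty password,
    password on the banned list, or NT hash shared between accounts."""
    findings = []
    banned = {nt_hash(p) for p in banned_passwords}
    users_by_nt = {}
    for acc in accounts:
        if _is_hex32(acc["lm"]) and acc["lm"] != EMPTY_LM:
            findings.append((acc["user"], "lm_hash_present"))
        if acc["nt"] == EMPTY_NT:
            findings.append((acc["user"], "empty_password"))
        elif acc["nt"] in banned:
            findings.append((acc["user"], "banned_password"))
        users_by_nt.setdefault(acc["nt"], []).append(acc["user"])
    for nt, users in users_by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:
            findings.extend((u, "shared_password") for u in users)
    return findings


# Constructed sample dump (not from a real system). NT hashes are computed
# above; the LM field for 'legacy' is a made-up placeholder that merely has
# the shape of an LM hash. The banned list is an assumption for the example.
BANNED_PASSWORDS = ["password", "Password1", "123456"]
SAMPLE_DUMP = "\n".join([
    "Administrator:500:**NO PASSWORD********:" + nt_hash("password") + ":::",
    "svc_backup:1001:" + EMPTY_LM + ":" + nt_hash("password") + ":::",
    "guest:501:" + EMPTY_LM + ":" + EMPTY_NT + ":::",
    "legacy:1002:0123456789abcdef0123456789abcdef:" + nt_hash("Password1") + ":::",
])

if __name__ == "__main__":
    for user, finding in sorted(audit(parse_pwdump(SAMPLE_DUMP), BANNED_PASSWORDS)):
        print(user, finding)
```

Because the NT hash is unsalted, the `shared_password` check needs no cracking at all: identical hashes in the export mean identical passwords, which is exactly the property that makes the precomputed tables described below work.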

Download Pre-calculated Hash Tables


Fortunately for attackers, massive precalculated Rainbow Tables are available. Some providers charge for
each table, others are free. FreeRainbowTables.com is probably the best website that offers free Rainbow
Tables for password recovery.

Recovering the Hash

This step completely depends on the software the attacker uses. Refer back to the tools section.

Rcracki_mt can be used to perform a Rainbow Table attack on password hashes. It is intended for indexed and
perfected Rainbow Tables, mainly generated by the distributed project. [5]

$ rcracki_mt -h ***HASH*** -t 4 /path/to/RainbowTables/

Depending on how complex the password is and which table is used, the time varies from a few seconds to
many minutes (Figures 7 & 8).


Figure 7. Successfully cracked hashes using rainbow tables in less than a minute (complex)

Figure 8. Successfully cracked hash using rainbow tables in less than 25 sec! (less complex)

Many other methods exist. Google is a good start.

One More Thing


Users usually have a serious issue or a habit of reusing passwords. Expect to see the same password for that
user all over his/her online accounts.

References
[1] http://www.openwall.com/john/
[2] http://ophcrack.sourceforge.net/
[3] http://gpgpu.org/about
[4] http://msdn.microsoft.com/en-us/library/windows/desktop/ms724877(v=vs.85).aspx
[5] http://sourceforge.net/projects/rcracki/

About the Author


Abdulkarim Zidani, MSc, BSCoE
B.A.Sc Computer Engineering, MSc Information Security.
American Uni. of Sharjah, Royal Holloway Uni. of London.
Freelance Software Developer & Security Pen-Tester.
Qatar | United Kingdom.
Linkedin.com/in/AbdulkarimZidani
Twitter.com/i4AK

Advertisement

UPDATE: NOW WITH STIG AUDITING

“In some cases Nipper Studio has virtually removed the need for a manual audit.”
Cisco Systems Inc.

Titania’s award winning Nipper Studio configuration auditing tool is helping security consultants and
end-user organizations worldwide improve their network security. Its reports are more detailed than those
typically produced by scanners, enabling you to maintain a higher level of vulnerability analysis in the
intervals between penetration tests.

Now used in over 45 countries, Nipper Studio provides a thorough, fast & cost effective way to securely
audit over 100 different types of network device. The NSA, FBI, DoD & U.S. Treasury already use it, so why
not try it for free at www.titania.com