PenTest 05 2014 Teaser
Improve your
Firewall Auditing
As a penetration tester you have to be an expert in multiple
technologies. Typically you are auditing systems installed and
maintained by experienced people, often protective of their own
methods and technologies. On any particular assessment testers may
have to perform an analysis of Windows systems, UNIX systems, web
applications, databases, wireless networking and a variety of network
protocols and firewall devices. Any security issues identified within
those technologies will then have to be explained in a way that both
management and system maintainers can understand.
The network scanning phase of a penetration assessment will quickly identify a number of security weaknesses and services running on the scanned systems. This enables a tester to quickly focus on potentially vulnerable systems and services using a variety of tools that are designed to probe and examine them in more detail, e.g. web service query tools. However, this is only part of the picture, and a more thorough analysis of most systems will involve having administrative access in order to examine in detail how they have been configured. In the case of firewalls, switches, routers and other infrastructure devices this could mean manually reviewing the configuration files saved from a wide variety of devices.
www.titania.com
With Nipper Studio penetration testers can be experts in every device that the software supports, giving them the ability to identify device, version and configuration specific issues without having to manually reference multiple sources of information. With support for around 100 firewalls, routers, switches and other infrastructure devices, you can speed up the audit process without compromising the detail.

You can customize the audit policy for your customer's specific requirements (e.g. password policy), audit the device to that policy and then create the report detailing the issues identified. The reports can include device specific mitigation actions and be customized with your own company's styling. Each report can then be saved in a variety of formats for management of the issues. Why not see for yourself, evaluate for free at titania.com
Password Attacks
TOOLS
NTLM Hash-based Password Cracking Using Cain and Abel
By Praveen Darshanam 09
When new users are created on Windows operating systems, passwords are converted to a hash and saved in the Security Accounts Manager (SAM) file. If we modify or set a new password and it is less than 15 characters long, Windows generates both a LAN Manager Hash (LM Hash) and a Windows NT Hash of the password. The LM Hash is weak compared to the NT hash and prone to brute force attacks. NTLM passwords can also be cracked using Rainbow Tables.
Ettercap
By Mohsen Mostafa Jokar 18
In the computer world, an attack is an act of destroying, exposing, or gaining unauthorized access to data and computers. An attacker is a person who steals your data without any permission, and a feature of some attacks is that they are hidden. Attacks are not always simple, and most of them are complex. This is a big challenge for security researchers and companies that offer solutions. An attack can be active or passive.
TECHNIQUES
The Famous Brute Forcing
By Rafael Fontes Souza 29
Brute forcing is the principle of multiple login attempts and is usually applied to get access to accounts on a given site, service, server, etc. Automated or with the aid of software, it is an algorithm designed to gain access to the target: enumerate all possible keys of a solution and verify whether each satisfies the problem and enters the exploited system.
PREVENTION
Staying Ahead of the Hacker
By Rob Somerville 63
The ongoing war between the white and black hats will always in effect be a technological arms
race. In this game of cat and mouse, like the battle against disease, crime, or poverty, while
there will never be an outright victor, there are strategies and techniques that can be used to
tilt the playing field in our favour. While some of these techniques are controversial, they may
be appropriate in certain circumstances. Different rules apply in different jurisdictions, so it is
important to remain within the law.
DEEP WEB
The Dark and Mysterious – Deep Web
By hackerDesk 85
As Wikipedia says “The Deep Web (also called the Deepnet, Invisible Web, or Hidden Web)
is a World Wide Web content that is not a part of the Surface Web”. To really understand the
differences between the deep and surface web, we have to know how search engines like Google,
Yahoo, Bing, etc. work. Search engines obtain their listings in two ways: authors may submit
their own web pages, or search engines use software that "crawls" or "spiders" web pages by
following one hypertext link to another.
Dear Readers,
We are happy to bring you another of our issues. This time, we are focusing on password attacks. Our experts have prepared a set of articles explaining the types of attacks, ways of executing them, and ideas for not getting hacked. As always, we also provide you with several extra topics. We have decided to divide this publication into four parts.
The first section is tools. You will learn how to crack passwords with Cain and Abel, SOYAL, ROSSLARE,
and Ettercap. Secondly, we have gathered several articles about certain techniques. You will find out about
brute forcing, cracking an IPsec VPN gateway through the cloud, testing VLAN with Scapy, and more. Next,
we will show you how to prevent attacks. We will explain the common password attacks, ways to not get
hacked, or evade an antivirus. Finally, we have a very interesting extra article about deep web – the Internet
not available for a regular user.
We are hoping you will like this edition of PenTest. We gave much effort for you to have the best learning
materials possible. Have a pleasant and fruitful read.
Editor in Chief: Milena Bobrowska
milena.bobrowska@pentestmag.com
Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage.
All trade marks presented in the magazine were used only for informative purposes.
All rights to trade marks presented in the magazine are reserved by the companies which own them.
DISCLAIMER!
The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.

advertisement: You can talk the talk. Can you walk the walk? [ IT'S IN YOUR DNA ] LEARN: Advancing Computer Science, Artificial Life Programming, Digital Media, Digital Video, Enterprise Software Development, Game Art and Animation, Game Design, Game Programming, Human-Computer Interaction, Network Engineering, Network Security, Open Source Technologies, Robotics and Embedded Systems, Serious Game and Simulation, Strategic Technology Development, Technology Forensics, Technology Product Design, Technology Studies, Virtual Modeling and Design, Web and Social Media Technologies.
Cain and Abel allows for easy recovery of different kinds of passwords for the Microsoft operating system.
SAM File
This file holds the usernames and password hashes for every account on the local machine, or for the domain if the machine is a domain controller. The Security Accounts Manager (SAM) file can be found on your hard disk drive in the folder
%systemroot%\system32\config
and in the registry under
HKEY_LOCAL_MACHINE\SAM
The SAM file cannot be opened by normal users, including the Administrator; it can be read only by the Windows SYSTEM account. There are different ways to read the SAM file. Most tools, like Cain and Abel, pwdump, etc., use DLL injection into a SYSTEM process (svchost.exe, csrss.exe, smss.exe, etc.) to read it; most often the Local Security Authority Subsystem Service process (lsass.exe) is used for the DLL injection.
Password hashes can be stored in different forms: LAN Manager (LM), NT, AES key, or Digest (Table 1).
Table 1. Forms of storing password hashes

| Hash type | Encryption algorithm | Key length       | Supported Windows versions |
|-----------|----------------------|------------------|----------------------------|
| NT        | MD4                  | 128-bit          | All |
| LM        | DES                  | 56-bit           | Windows XP, Windows Server 2003 |
| Digest    | MD5                  | 128-bit          | All |
| AES keys  | AES                  | 128-bit, 256-bit | Windows Vista, Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 |
After opening Cain and Abel, click on "Cracker." In the left pane we can see the different password cracking techniques. Select the cracker method you are interested in, here "LM & NTLM Hashes" (Figures 1 and 2).
On the Windows operating system, every user can be identified by either a username or a Security Identifier (SID). The Administrator account has 500 (0x1F4) as its identifier. Executing the command below displays the list of users on the host (Figure 3).
After selecting "LM & NTLM Hashes," you can see the + sign highlighted; click on it. We can see the different users present on this machine (Figure 4).
Select the user whose password you want to know/crack. We have different password cracking techniques like dictionary attacks, brute-force password guessing, cryptanalysis attacks, etc. Once you select the type of cracking, go for "LM Hashes" or "NTLM Hashes" (Figure 5).
Dumpster diving, shoulder surfing, Googling/Google dorks, etc. can also be used to acquire passwords (Figure 6).
To calculate LM hashes from passwords, passwords are divided into two blocks of seven characters each (Table 2). If the password length is less than seven characters, the second block is always
AAD3B435B51404EE
The weakness here is that, by looking at the hash, an attacker can figure out whether the password is longer than seven characters or not.
Figure 7 shows the cracked password. Passwords are divided into two blocks of 7 characters each. For each block we calculate the LM hash, which consists of 8 bytes. "T" is the character of the password that forms the second block of the hash; "IAMGREA" are the characters of the password that form the first block of the hash (Figure 8).
There are other tools like John the Ripper, L0phtCrack, etc. used to crack passwords. The method described in this article is offline cracking of passwords. We can crack passwords online by using tools like Hydra, but the chance of getting caught by perimeter security devices (IDS, IPS, web gateways, etc.) is very high, as it generates lots of network traffic.
Password cracking has become a fashionable term, very common among teens, where it is regarded as a very cool practice held in high esteem if you know how to do it.
Modern movies show that it takes seconds to crack a password, which is a big misconception. It takes a lot of time to crack a good password.
Technically, the term password cracking can be stated as the process of recovering passwords from data that has been stored in or transmitted by a computer system.
Earlier, the purpose of password cracking was to help a user recover a forgotten password or to check how strong a password was, but later attackers, or say the fun-loving guys (evil fun lovers), used the techniques to gain unauthorized access to a system.
The strength of a good password can be understood as its resistance to being guessed or brute-forced.
I totally agree that at some point using a strong password lowers the overall risk of a security breach, but on the other hand a strong password cannot replace the need for other effective security controls to avoid getting attacked or breached.
Now that we know what password cracking is, let's see how we can make this cracking a little more difficult for the attacker and what factors contribute to it.
Whilst it is fair to say that a password is the user's responsibility and that the user needs to choose a safe and "non-guessable" password, it would be more appropriate to look at the whole picture comprising the users, the applications, the vendors and education on information security, and to look at the password as a possible strong control rather than stressing it as a weak control.
The strength of a password can be termed as a function of length, complexity, and unpredictability.
So when a password is being framed there has to be consideration for this function to create a good and strong password. From an end user's perspective, the following questions should trouble his mind to make a good password:
• How large is the character set used? – This determines the complexity
When we ask how it is being handled, let us again put two more questions in the tray:
If we see the chain of authentication on a broad basis, we see the application where the user enters his/her password, which travels down to the authenticating agent via a medium, where it is stored and also cross-checked for the authenticity of a particular user. Let us quickly peek into the reasons why passwords are attacked and the types of password attacks. Devices / systems are guarded by user ids and passwords. Knowledge of the user ids and passwords is the gateway to the devices / systems. Once inside the system, the attacker can set up the system as a bot / zombie, conduct malicious activities, steal data, compromise data, etc.
• Dictionary attack
• Shoulder surfing
• Guessing
• Social Engineering
The intention of this article is not to talk about the reasons for password attacks or about the types of password attacks. Let us look at the chain of authentication on a broad basis, from user to system and back.
Passwords as treated by users: In today's world of ever-growing internet awareness and usage, awareness of "User id/Password", "Login Screen", "Home Page" has become more common than, say, ten years back. The usage of online banking, online shopping, online bill payments and, not to mention, social media has grown tremendously in recent years.
Figure: Number of people (billions), global population compared with Internet users (axis from 1.0 to 8.0 billion).
Users who access the internet and need to use usernames and passwords are of different types and in all age groups. For simplicity's sake, let us look at different types of users:
• Students
• Employees in the IT sector
• Home users
The background and the approach towards the internet would be different for each of these groups. For example, it is more likely that employees in the IT sector are more frequently trained on handling passwords, social engineering, phishing, password strength, etc. than the other groups. Among the other groups, it is more likely that employees in the non-IT sector are more aware of password attacks than students, home users and users in the 60+ age group.
Awareness regarding password attacks imparted to these groups would be different for each of the groups. The following question would be who should be imparting awareness, and whether it should be in the form of training / regular communication / roadshows / wall posters, etc.
Whilst it is quite true that employees of the IT sector are closer to the mechanics of password attacks, user names like admin / administrator / test and passwords like password123 / test123 / 123456789 are quite common in the IT community as well.
The reasons for the selection of such passwords could be lack of awareness, ignorance or lack of creativity to come up with strong user names and passwords.
• Security trainings and password education regarding complexity, length and unpredictability
Applying the above areas and the awareness forms to the groups of users:
• Students, home users, users in the 60+ age group: Security trainings and password education: Typically, students get to know about computers from schools, colleges and by observing parents and elder siblings. A lot more is learnt from friends and the peer group. Students usually access applications like email, social sites, education sites, financial aid loan calculators, etc. In this scenario, a forum for formal training and password education may not be available unless these trainings are incorporated as a part of the education curriculum or are conducted by the educational institution. Password education can be taken up by the application owners by
• Sharing information on how not to use commonly used passwords, e.g. asking students to create innovative passwords that are difficult to guess. This message can be made available on the "Create User" page and the "Change Password" page. Messages can also be posted in the form of running banners on selected pages of the application.
Figure: a password strength meter on a registration form, rating masked passwords as "Too short", "Weak", "Fail", "Good" and "Strong".
• Awareness about not sharing passwords: this is an important factor in password protection. Compromised passwords can be reused later on the basis of familiarity and the shared knowledge.
• Security trainings and password education: Security awareness trainings are anyway conducted as part of training sessions in IT companies. If not already incorporated, password education should be a part of these sessions, and should include information on commonly used passwords and awareness about not sharing passwords.
Employees need to be aware of password attacks in a more rigorous way than other groups of users. This is because of the large number of devices that the industry handles that have passwords as one of their security controls.
• Enforcing stronger passwords through policies; this can be done on the authentication tool.
• Educating users not to use the same user id / password combination for various applications. In the event of the compromise of a user id / password, attacking accounts on different web applications is made easy for the attacker. This is all the more important when user ids and passwords of professional and personal accounts are mixed up.
Learning from the past and from the attacks that have happened, application owners have become more cautious and have introduced many different kinds of controls to educate the end user to select a good password, like:
How this information is handled and stored are the major points that have to be taken into consideration. How safely it is stored and communicated via the medium are big challenges, and the use of secure configurations on the databases used and the server in question are very important points that an administrator has to keep in mind. A small vulnerability in any of the assets in use can hamper the whole system. Things that should be kept in mind by the application owner are:
• Strong password policy: Be it changing the default password, forcing regular password changes, password length, complexity, non-repetition of previous passwords or password aging, having a strong password policy provides the first line of defense against password attacks. Never use the "password does not expire" option. Account lockouts should be enforced after a specified number of attempts. This is also referred to as password hardening.
• Applying patches to the software used in a timely manner: any detected backdoor, defect or bug in the application should be patched promptly to ensure the protection of passwords.
• Implementation of SSL during the transit of the password and not transmitting passwords in clear text: Passwords are important, be it for the network of an organisation that processes sensitive data or be it the email id of a student. Passwords are passwords that need to be protected. Hence transmission of passwords in clear text should strictly not be done.
• Storage of passwords: Passwords should be stored in hashed form. A strong hashing algorithm should be used for this. Also, the keys should be stored on different logical / physical assets. Plain hashes are vulnerable to rainbow table attacks, hence it is useful to salt hashes with random values before storing them. Passwords of sensitive user ids like admin / root should also be encrypted in addition to hashing before being stored.
• Not using common user ids: Another vulnerability exposed to attackers is having common user ids like admin / administrator for an admin role. This leaves the attacker with only the password to be guessed / attacked.
• Split passwords for sensitive roles: For sensitive roles, passwords should be split between two or three people. This makes the compromise of passwords by social engineering / phishing more difficult.
• Proper logs for detecting failed attempts: Failed logon attempts and password resets should always be logged, whatever the type of application. This allows the forensics team to track the rate of attacks and the user ids that are under attack.
• Multi-factor authentication: is another control that can be used to strengthen password policies. Multi-factor authentication is authentication using what the user knows (passwords), what the user has (a PIN generated randomly on a token device), where the user is (location) or what the user is (biometrics).
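As an added example (not the author's code, nor any library's prescribed scheme) of the storage point above, and of the unsalted-hash weakness the NTLM article later in this issue describes, the Python below contrasts a fast unsalted hash, where two users with the same password store the same value and one precomputed table breaks both, with per-user random salts and a slow standard-library key derivation (PBKDF2-HMAC-SHA256) checked with a constant-time comparison. The record format, iteration count and salt length are choices made for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Example parameters (constructed for this demonstration; tune the iteration
# count to your hardware so a verification costs a noticeable fraction of a second).
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def unsalted_fingerprint(password: str) -> str:
    """A fast, unsalted hash: every user who picks this password stores the
    same value, so a single precomputed (rainbow) table breaks all of them."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def store_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$hash'.

    A fresh random salt is drawn per call (i.e. per user), so identical
    passwords produce different records and precomputation is useless."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derivation with the stored salt and iteration count and
    compare in constant time, so timing does not reveal how many bytes matched."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def records_collide(password: str) -> Tuple[bool, bool]:
    """For two users who chose the same password: do their unsalted hashes
    collide, and do their salted records collide?  Expect (True, False)."""
    unsalted_same = unsalted_fingerprint(password) == unsalted_fingerprint(password)
    salted_same = store_password(password) == store_password(password)
    return unsalted_same, salted_same


if __name__ == "__main__":
    rec = store_password("Password1")      # the most used password in the cited report
    print(rec)
    print("verify correct:", verify_password("Password1", rec))
    print("verify wrong:  ", verify_password("password1", rec))
    print("collisions (unsalted, salted):", records_collide("Password1"))
```

Storing the algorithm name and iteration count inside the record lets you raise the work factor later and re-hash each user on their next successful login without a migration.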
On the basis of the report "Trustwave's 2012 Global Security Report", it was seen that the most used password was "Password1"!
Our favourite, the end user, who is regarded as the easiest member of the security chain to hack, is not very creative when it comes to choosing a password. Users sometimes create a password in a hurry or just to meet the minimum requirements being asked by the system.
There was also a study which showed that successive changes of the password for one particular account decrease its security.
Research on a large number of passwords found that the most commonly chosen passwords are related to a person's favourites, likes, dislikes, pets, teams, dates, etc.
Here we have to understand one thing: we are not merely trying to create a strong password (alphanumeric, or a blend with some special characters, etc.) but a password which is difficult to guess. For example, a password like a pet's name with a special character and a number may seem to be a strong password, but for an evil mind out there it will take only some social engineering and some guessing to break it.
If we look at the math, increasing the number of characters in a password makes it more robust against brute force attacks. Studies have shown that adding a single character increases the size of the search space exponentially.
A lot of research has also been done on how to make users remember passwords and how to help them choose one. Passphrases are to an extent a very good solution, though not so popular yet. For example, a password like "ThisIsGoingToBeAGreatRide" will take far more time to be guessed than "Tarry1". For more research and data related to passwords, visit [2] in the references section.
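The following Python is an added example, not code from the article, that puts numbers on the length / complexity / unpredictability function and on the strength-meter ratings shown earlier: it estimates the character set a brute-force search must cover, the resulting keyspace in bits, the worst-case time at a given guess rate, and it fails any password found in a small constructed list of common choices regardless of how complex it looks (the "Password1" entry is the one the article cites; the rest are illustrative). The 1e9 guesses per second rate and the rating thresholds are assumptions for the example.

```python
import math
import string

# A tiny constructed list of frequently chosen passwords. "Password1" is the
# one the article cites from Trustwave's 2012 report; the others are illustrative.
COMMON_PASSWORDS = {
    "password", "password1", "password123", "test123", "123456789", "admin", "qwerty",
}


def charset_size(password: str) -> int:
    """Size of the smallest union of standard character classes that covers the
    password: the alphabet an exhaustive search has to iterate over."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)      # 32 printable ASCII symbols
    if any(c.isspace() for c in password):
        size += 1
    return size


def brute_force_bits(password: str) -> float:
    """log2 of the keyspace: length * log2(charset).  Each extra character
    multiplies the keyspace by the charset size, hence the exponential growth."""
    n = charset_size(password)
    return len(password) * math.log2(n) if n > 1 else 0.0


def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time for an attacker trying every candidate at the given rate."""
    return 2 ** brute_force_bits(password) / guesses_per_second


def rate_password(password: str) -> str:
    """Coarse rating in the spirit of the strength meter shown in the article.
    A known common password fails outright, however long or 'complex' it looks."""
    if password.lower() in COMMON_PASSWORDS:
        return "Fail"
    if len(password) < 8:
        return "Too short"
    bits = brute_force_bits(password)
    if bits < 40:
        return "Weak"
    if bits < 64:
        return "Good"
    return "Strong"


def compare(candidates, guesses_per_second: float = 1e9) -> dict:
    """Bits of keyspace and exhaustive-search time for each candidate password."""
    return {
        p: (round(brute_force_bits(p), 1), seconds_to_exhaust(p, guesses_per_second))
        for p in candidates
    }


if __name__ == "__main__":
    for pw, (bits, secs) in compare(["Tarry1", "ThisIsGoingToBeAGreatRide"]).items():
        print(f"{pw!r}: {bits} bits, {secs:.3g} s at 1e9 guesses/s, rating {rate_password(pw)}")
```

Keyspace bits are an upper bound: the common-password check is what catches the pet's-name-plus-digit case the article warns about, which scores well on length and character classes yet falls to guessing.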
• Educating the user on choosing a password and the impact of not choosing a good password.
• Having security controls on the application that will not compromise passwords.
References
[1] http://en.wikipedia.org/wiki/Global_Internet_usage
[2] http://passwordresearch.com/
Amit Kumar Sharma commonly known as AKS-44 has a B.E in EC and works in Information Security for
a reputed firm. He is passionate about Security and spends his time learning/researching in the wild.
The Windows operating system, unlike other operating systems, uses its own hash algorithms. There are two versions of the hashing algorithm in use: LM and NTLM. These hashes are explained briefly in this article, then several ways of cracking the Windows hashes are introduced, followed by a step-by-step guide to cracking a password of fewer than seven characters hashed using NTLM.
The Basics
In this section the two types of hashing algorithms are explained without digging too deep into the details of each. The focus is on their security strengths and weaknesses.
LM Hashes
Also known as LanMan hashes or LAN Manager hashes. The LM hash is an obsolete hashing function used in earlier versions of Windows (prior to NT). This function is not used anymore; if found on a system, it is there for backward compatibility purposes and not for password storage.
Weakness
Passwords are limited (truncated) to 14 characters. Password case is ignored and everything is converted to uppercase.
Limited key-space. A normal desktop computer can brute force the entire key-space in several hours, because any password of more than seven characters is split into two chunks of data, each encrypted separately using DES, leaving the hashing function severely vulnerable.
Vulnerable to pass-the-hash exploitation, i.e. re-using the hash instead of the password in a network environment.
NTLM Hashes
Because of the weakness of the LM hashing function, NTLM was implemented in the generations of Windows after the NT family. NTLM, or NT LAN Manager, is the hashing function used in today's Windows versions, including Windows 7.
Weakness
Still no salting is used (salting means adding a random value to the password before hashing it, to prevent rainbow table attacks). All types of attacks are explained later in this article.
Attack Types
Brute Force
Unlike other types of attacks, where the attacker's focus is on finding a single weakness (usually called a security vulnerability) and exploiting it to gain access to the system, a brute force attack targets one or multiple accounts of any application or system by trying different combinations of usernames and passwords. It is also called exhaustive key search.
In the case of LM/NTLM hash brute forcing, a password is generated, hashed, and then compared to the target hash. Since no salt is added to the hashes on Windows systems, this is a fairly effective method when the password is short.
The efficiency of this attack depends on the power of the processor used to calculate the hashes of the generated passwords. The generation of password candidates is usually random, but sometimes developers use a special algorithm that tries the most used passwords first, then random ones later.
One of the most famous tools used for this method is called JTR or JohnTheRipper. JTR and other cracking tools are explained later in this article.
Protection
Using lengthy passwords and enforcing account lockout should be sufficient to protect any user from this type of attack (Figure 1).
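As an added example of the protection side (not the author's code), and of the "proper logs for detecting failed attempts" control from the prevention article earlier in this issue, the Python below runs a lockout-style rule over constructed authentication log lines: it parses each line, keeps a sliding window of failed logons per account, raises one alert when the failures inside the window reach the lockout threshold, and records whether a successful logon followed the burst. The log format, the threshold of 5 failures in 15 minutes and the sample addresses are all assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a simplified authentication-log format
# (timestamp, outcome, user, source address); not taken from any real system.
SAMPLE_LOG = """\
2014-05-01T10:00:01 FAILED_LOGON user=administrator src=10.0.0.5
2014-05-01T10:00:02 FAILED_LOGON user=administrator src=10.0.0.5
2014-05-01T10:00:03 FAILED_LOGON user=administrator src=10.0.0.5
2014-05-01T10:00:04 FAILED_LOGON user=administrator src=10.0.0.5
2014-05-01T10:00:05 FAILED_LOGON user=administrator src=10.0.0.5
2014-05-01T10:00:06 SUCCESS_LOGON user=administrator src=10.0.0.5
2014-05-01T10:30:00 FAILED_LOGON user=alice src=10.0.0.7
2014-05-01T11:45:00 FAILED_LOGON user=alice src=10.0.0.7
2014-05-01T11:45:01 SUCCESS_LOGON user=alice src=10.0.0.7
this line is malformed and must be skipped
2014-05-01T12:00:00 PASSWORD_RESET user=bob src=10.0.0.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_log(text: str) -> list:
    """Turn raw lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def detect_bruteforce(events, threshold: int = 5, window: timedelta = timedelta(minutes=15)) -> list:
    """Alert on any account with >= threshold failed logons inside a sliding
    window (the same rule an account-lockout policy enforces).  Each alert
    records the source, the burst's time span, and whether a successful logon
    followed it, which is the first thing an investigator wants to know."""
    recent = defaultdict(deque)      # user -> timestamps of failures in window
    alerts = {}
    for ev in events:
        user = ev["user"]
        if ev["event"] == "FAILED_LOGON":
            q = recent[user]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and user not in alerts:
                alerts[user] = {
                    "user": user, "src": ev["src"], "failures": len(q),
                    "first": q[0], "last": ev["ts"], "success_after": False,
                }
        elif ev["event"] == "SUCCESS_LOGON" and user in alerts:
            alerts[user]["success_after"] = True
    return list(alerts.values())


def count_password_resets(events) -> dict:
    """Password resets per user; the prevention article asks for these to be logged too."""
    counts = defaultdict(int)
    for ev in events:
        if ev["event"] == "PASSWORD_RESET":
            counts[ev["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in detect_bruteforce(evs):
        print(f"ALERT {a['user']} from {a['src']}: {a['failures']} failures "
              f"{a['first']}..{a['last']}, success after burst: {a['success_after']}")
    print("password resets:", count_password_resets(evs))
```

In the sample, alice's two failures an hour apart never reach the threshold, so only the administrator burst alerts; the same window logic is what keeps a lockout policy from punishing ordinary typos.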
To get an idea of how 'big' the table size can be, Figure 2 shows NTLM precalculated hash tables for different character sets. Usually an alphanumeric table of one to nine characters is very effective against most passwords, due to the limitation of human memory in remembering long complex passwords.
Many of these services are offered for free initially, but users have to pay if the password is recovered. Also, the name might be changed to "password recovery service" for legal reasons.
Tools
Freeware and commercial tools are both available for cracking passwords. Cracking a password means using one of the attacks to recover the original password from its hash.
JTR – JohnTheRipper
JohnTheRipper is a fast password cracker, currently available for many flavors of Unix, Windows, DOS, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix systems, supported out of the box are Windows LM hashes, plus lots of other hashes and ciphers in the community-enhanced version [1].
This tool is obviously not only for LM/NTLM hashes, but usable for other hashes as well. It uses a brute force attack on the hash (Figure 3).
Ophcrack
Ophcrack is a free Windows password cracker based on rainbow tables. It is a very efficient implementation of rainbow tables done by the inventors of the method. It comes with a Graphical User Interface and runs on multiple platforms [2].
This tool is more focused on Windows passwords (hashes), and it uses the TMTO (time-memory trade-off) type of attack. What is more interesting is that a live CD was created to help extract the hashes from a Windows machine, since these are protected by the operating system as mentioned earlier in this article.
What is appealing about this tool is its well-formed GUI and its easy-to-use interface and buttons. Figure 4 is an example of Ophcrack used to crack multiple Windows passwords on a Linux machine.
HashCat
HashCat is a GPGPU-based multi-hash cracker using a brute-force attack (implemented as a mask attack), combinator attack, dictionary attack, hybrid attack, mask attack, and rule-based attack.
• First is the usage of GPGPU – General-Purpose computation on Graphics Processing Units, also known as GPU Computing. Graphics Processing Units (GPUs) are high-performance many-core processors capable of very high computation and data throughput. Once specially designed for computer graphics and difficult to program, today's GPUs are general-purpose parallel processors with support for accessible programming interfaces and industry-standard languages such as C. Developers who port their applications to GPUs often achieve speedups of orders of magnitude vs. optimized CPU implementations. [3] Using a GPU can massively speed up a brute force attack. To see the difference, a test was made and a comparison between GPU and CPU performance is plotted in Figure 5.
• The usage of multiple attack types, including hybrids of multiple attacks at once. This is what cloud services use to crack passwords and charge users for it (Figure 6).
Since both are protected under the Windows environment, unless the attacker has SYSTEM privilege (via privilege escalation) both hives are inaccessible, and hence there is a need to boot into a Linux live CD like Knoppix, Kali, BackTrack, etc.
What are the SAM and SYSTEM Hives?
A hive is a logical group of keys, subkeys, and values in the registry that has a set of supporting files containing backups of its data. [4] The SAM (Security Accounts Manager) hive is where the hashes of all user accounts are stored. Depending on the target machine's Windows version, the location of the SAM hive varies. By default it is under x:\windows\system32\config.
Now that both hives are located and mounted with the Linux OS running, both can be copied to a safe place to be cracked later.
Extracting the Hashes from the Hives
Before hashes can be cracked they need to be extracted from the hives. Thankfully there is a tool for that called samdump2. Assuming SAMHive is the SAM file copied before and SYSTEMHive is the SYSTEM file copied before as well, an attacker can export the hashes using this simple one-line command:
Administrator:500:**NO PASSWORD********:0CB6948805F797BF2A82807973B89537:::
The NO PASSWORD section is reserved for the LM hash, but it is not used. The hash to be cracked in this case is 0CB6948805F797BF2A82807973B89537.
This step completely depends on the software the attacker uses. Refer back to the tools section.
Rcracki_mt can be used to perform a rainbow table attack on password hashes. It is intended for indexed and perfected rainbow tables, mainly generated by the distributed project. [5]
Depending on how complex the password is and which table is used, the time varies from a few seconds to numerous minutes (Figures 7 & 8).
Figure 7. Successfully cracked hashes using rainbow tables in less than a minute (complex)
Figure 8. Successfully cracked hashes using rainbow tables in less than 25 sec! (less complex)
References
[1] http://www.openwall.com/john/
[2] http://ophcrack.sourceforge.net/
[3] http://gpgpu.org/about
[4] http://msdn.microsoft.com/en-us/library/windows/desktop/ms724877(v=vs.85).aspx
[5] http://sourceforge.net/projects/rcracki/
UPDATE: NOW WITH STIG AUDITING
"In some cases Nipper Studio has virtually removed the need for a manual audit." Cisco Systems Inc.
Titania’s award winning Nipper Studio configuration
auditing tool is helping security consultants and end-
user organizations worldwide improve their network
security. Its reports are more detailed than those typically
produced by scanners, enabling you to maintain a higher
level of vulnerability analysis in the intervals between
penetration tests.
www.titania.com