Password Cracking by George Lewis

This article is from Hakin9 OPEN – Cyber Security edition, which is available for download for free.

Before getting into the main target of the article which is Password Cracking, let’s go over the phases that a Penetration Tester conducted up to this point.

  • Reconnaissance (Footprinting): the phase on which an attacker will gather as much information aspossible about the target/client before launching the attack.
  • Scanning/Enumeration: A procedure for identifying active hosts on a network, services andvulnerabilities.
  • After that the challenging part starts, below are the remaining phases of a normal Pen-Test Engagement:-
  • Exploitation: The phase where the tester gain access to the OS Layer or the application Layer on a systemor network.
  • Maintaining Access: once access achieved, tester can choose to use the compromised system as a lunchpad to scan and exploit other systems and resources.
  • Report Delivery with recommendation: A report with final presentation to the management will be delivered explaining the different risk areas along with a recommendation how to fix them.
  • This article will cover Exploitation Phase and mainly will focus on Gaining Access / Privilege escalation throughout different Password Cracking techniques.

So let’s started.

Figure 1. Exploitation Phase

Exploitation cannot be accomplished at a single go. It is accomplished through multiple steps that include but not limited to the following: Password Cracking, Privilege Escalation, backdoor execution and covering tracking.

A password is an undisclosed word or string of characters used for user authentication to prove identity or authorization to gain access to a resource (example: an access code is a type of password), which should be kept secret from those not allowed access. Password are the vital piece of information mandatory to access a system.

Password Cracking is the process of recovering passwords from the data that has been transmitted by a computer system or stored in it. The good side of this technique is to help user recover a forgotten or lost password or by the Security Engineer to check for easily cracked passwords or the bad side of the story on which to gain unauthorized access to a system.

Cracking a password can be accomplished by either manual or automated tools i.e. Dictionary or Brute- Force attacks.

The good news is that most of the passwords cracking techniques are successful due to the weak password policy in place and the easily guessable ones.

So what are the different cracking techniques?

  • Dictionary Attacks: – A test file that contains a number of dictionary words is loaded into the crackingsoftware that runs against known user accounts.
  • Brute Force Attacks: – Security tester will produce each and every single key used to encrypt data untilthe needed piece of information is perceived. Keep in mind that this kind of attack required a lot of processing power i.e. CPUs & RAM
  • Hybrid Attack: – Very Similar to Dictionary Attacks except that the cracking program adds somenumbers and special character to the words from the dictionary and then tries to crack the password.
  • Syllable Attack: – Is the technique on which both the Dictionary and Hybrid Attacks are used together.
  • Rule-based Attack: – The Rule-based attack is used when the Penetration Tester knows some informationabout the password i.e. Password length or Password Policy characteristic. For example if he knows that the password contains at least two digit number, then he will use some customized techniques and reveal the password in less time than other techniques.
  • We talked about different cracking techniques, their characteristics and now let’s discuss the different tactics to rip-off passwords from the System or Network. Those tactics are classified based on the tester’s methods to crack a password.
  • Online Tactics
    • Passive Online Tactics: Passive means that the attack will not cause a change to the system in any wayand is to only monitor or record data. There are different types of Passive Online Tactics listed as follow:
      • Wire Sniffing: see Figure 2

Figure 2. Wire sniffing

Figure 3. MITM Attack

  • Active Online Tactics: – one of the simplest method to gain unauthorized access to the system. Thereare different types of Active Online Tactics summarized as follow:
    • Password Guessing: – By using the Dictionary attack we talked about earlier in our discussion
      the Security Tester tries many means to guess the passphrase for a certain accounts i.e. Admin, Administrator etc. Usually accomplished by software that are capable of trying hundreds or may be thousands of words per second.
    • Man-in-the-middle: – Considered one of the most advanced and hard to carry out techniques. Inthis one Penetration Tester intercepts the communication in place between two parties, giving the assurance for the two participants that they are communicating with each other. See Figure 3
    • Backdoor / Spyware / Key logger: – Software that are running in the background and allow Testersto capture and store sensitive information.
    • Hash Injection: – Is the concept of injecting a compromised hash into a local session and then usingthe hash to authenticate to the different resources available. The Penetration Tester managed to gain access to one server/workstation by using an exploit then extracts logged-on domain admin accounthashes then use the hash he found to log on to the DC and finally he will extracts all the hashes inthe Active Directory DB.
    • Phishing
  • Offline Tactics: – Occur when the Tester checks the validity of the passwords, he or she will check thepassword format and how the password is stored in the system.
    • Rainbow: – In the Rainbow attack, the password hash table is created in advance and stored into thememory to be used later to validate the hash that will be captured. Such a table is called Rainbow table (or Pre-Computed Hash Table) which is a lookup table used in recovering the plaintext password from ta cipher text i.e. password hashes.
      • Non-Technical Tactics: – This kind of tactic doesn’t require any technical knowledge about themethods of breaking into target’s system.
    • Shoulder surfing: – Is happens when an attacker is standing unnoticeably, but close to a legitimate user,watching as he enter his or her password.
    • Social Engineering: – Is the art of procuring confidential information by deceiving or swaying people. 
    • Dumpster diving: – It allows you to gather information about the target’s password by looking through the trash.

One more topic to cover before digging into the practical guide to password cracking. How Operating System storing passwords?!

Microsoft Windows stores account password in the Security Account Manager database which sometimes known by SAM. SAM is used by the OS to manage user accounts and passwords and is located at C:\ windows\system32\config\SAM. If it is a Directory Service then it will be stored in Active Directory database in domains. Keep in mind that password never stored in a clear format as they are hashed and the results are stored in the SAM file we discussed earlier. Also note that this SAM file is provided with a filesystem lock by Windows Kernel which provide a way to secure the storage of passwords. With this lock in place it is very hard from the Attacker prospective to copy the SAM file while the OS is running.

In a Windows network, NTLM (NT LAN Manager) is a suite of Microsoft security proprietary protocols that provides authentication, integrity, and confidentiality to users. NTLM is the successor to the authentication protocol in Microsoft LAN Manager (LANMAN), an older Microsoft product, and attempts to provide backwards compatibility with LANMAN.

NTLM version 2 (NTLMv2), which was introduced in Windows NT 4.0 SP4 (and natively supported in Windows 2000), enhances NTLM security by hardening the protocol against many spoofing attacks, andadding the ability for a server to authenticate to the client.

While Kerberos has replaced NTLM as the default authentication protocol in an Active Directory (AD) based single sign-on scheme, NTLM is still widely used in situations where a domain controller is not available or is unreachable. For example, NTLM would be used if a client is not Kerberos capable, the serveris not joined to a domain, or the user is remotely authenticating over the web.

Kerberos is an authentication protocol, it offers mutual authentication for Client/Server applications by using secret-key cryptography. Both Client and Server verify the identity of each other.

Kerberos works as follows:

  • Authentication exchange: The client asks the authentication server for a ticket to the ticket-granting server(TGS). The authentication server looks up the client in its database, then generates a session key (SK1) for use between the client and the TGS. Kerberos encrypts the SK1 using the client’s secret key. The authentication server also uses the TGS’s secret key (known only to the authentication server and the TGS) to create and send the user a ticket-granting ticket (TGT).
  • Ticket-granting service exchange: The client decrypts the message and recovers the session key, then usesit to create an authenticator containing the user’s name, IP address and a time stamp. The client sends this authenticator, along with the TGT, to the TGS, requesting access to the target server. The TGS decryptsthe TGT, then uses the SK1 inside the TGT to decrypt the authenticator. It verifies information in theauthenticator, the ticket, the client’s network address and the time stamp. If everything matches, it lets the request proceed. Then the TGS creates a new session key (SK2) for the client and target server to use, encrypts it using SK1 and sends it to the client. The TGS also sends a new ticket containing the client’s name, network address, a time stamp and an expiration time for the ticket – all encrypted with the target server’s secret key – and the name of the server.
  • Client/server exchange: The client decrypts the message and gets the SK2. Finally ready to approachthe target server, the client creates a new authenticator encrypted with SK2. The client sends the session ticket (already encrypted with the target server’s secret key) and the encrypted authenticator. Because the authenticator contains plaintext encrypted with SK2, it proves that the client knows the key. The encrypted time stamp prevents an eavesdropper from recording both the ticket and authenticator and replaying them later. The target server decrypts and checks the ticket, authenticator, client address and time stamp. For applications that require two-way authentication, the target server returns a message consisting of the time stamp plus 1, encrypted with SK2. This proves to the client that the server actually knew its own secret key and thus could decrypt the ticket and the authenticator.
  • Secure communications: The target server knows that the client is who he claims to be, and the two nowshare an encryption key for secure communications. Because only the client and target server share this key, they can assume that a recent message encrypted in that key originated with the other party.

So let’s start with the fun part the practical guide to Password Cracking, on this section I will walk you through a couple of scenario to crack passwords. The lab setup diagram as in Figure 4.

Figure 4. Lab Setup Diagram

Lab1- Creating our own customized password lists. (Figure 4)

Scenario: Suppose that you managed to gather information throughout the earlier phases of the engagement about the complexity of the password along with some personal information about a specific user account.You can use one of the tools i.e. associated with Backtrack 5 or Kali Linux to create your own custompasswords list which can be used later to crack passwords. CUPP uses the variable that you input to make the password lists.

Let’s assume that the name of our target is Justin Miller and his Birthday is 01/02/1983 and you also knowhis daughter name is Jayne and her birthday is 08/03/2010.

We navigated to the cupp directory by typing cd /pentest/passwords/cup at (1), we launched the interactive questionnaire by running ./ –i at (2), entered the personal information of our target account at (3), instructed cupp to append some key words, special characters, random numbers as well as enable leet mode i.e. replace letter with numbers (e = 3) and so on at (4) and finally we got our password list justin.txt customized based on the information we provided at (5).

Figure 5 Customized Password List

Lab2- Password Cracking using previously customized password lists. (Figure 5, 6 and 7)

You can simply open anyone of your favorite cracking tools. For this one I will use Hydra and there are two options to work with Hydra. One is directly from the command line and the other through the GUI as follow.

We typed our target IP address at (1), selected the protocol at (2), if they are using nonstandard port we need to insert it as well at (3)then we typed in our target username at (4) and pointed to our customized password lists we created earlier at (5) and finally click on start button to start the start the cracking attempts and bingo you got the key to the kingdom at (6).

Note that, GUI will provide the commands line for the different option you selected which is a good thing to practice the command line options for Hydra at (7).

Figure 6 Online Password Attack with Hydra

Figure 7. Online Password Attack with Hydra

Figure 8. Online Password Attack with Hydra

Lab3- Pass the Hash. (Figure 8 and 9)

Suppose that we have the administrator’s username and password hashes from one of the techniques we discussed earlier, but we can’t crack the password in a reasonable time frame. If we don’t know the password, how can we log into additional machines and compromise more systems with this user account? We can use the pass-the-hash technique, which requires that we have only the password hash, not the password itself.

After we select the windows/smb/psexec module at (1) and set the options for LHOST, and RHOST at (2) , we set the SMBUser, SMBPass variable at (3) i.e. SMBPass is the hash that we dumped earlier. Now authentication is successful and we gain our Meterpreter session at (4). We didn’t have to crack a password, and no password was needed. We’ve secured Administrator privileges using the password hash alone. This attack would allow us to hop from one system to another without ever needing to crack the password itself.

Figure 9. Password Hashes

Figure 10. Metasploit Pass the Hash

We talked about the different techniques to hack passwords and we went through a couple of practical guide on how to do that. Now it is time for the offensive part which is providing the how-to for defending against Password Cracking.

  • Develop, implement and enforce password policy which might include all of some of the following basedon the business requirement:-
    • Enable auditing to help monitor and track of password attacks.
    • Prevent the use of clear text protocols i.e. telnet, FTP etc.
    • Change the password change policy as often as possible
    • Change the systems default passwords
  • Develop a Security Awareness Program to educate users on the security issues that come with weakpasswords.


About the Author

George Lewis a Director, Security Consulting at BEAR Data Solutions – CA, USA. He has over 10 years of consulting experience including 3years of industry experience and a big 4 experience with Ernst & Young as an Assistant Manager. George holds a Bachelor’s Degree in Engineering; he is also a Certified Information System Security Professional (CISSP) and a Certified In-formationSecurityManager(CISM). George has been conducting Enterprise Risk Assessment for the last 7years. Focusedon Internal / External Penetration Testing, Web Application Penetration Testing, Wireless Assessment, Vulnerability Assessment, developing and implementing Information Security Policies and Procedures, carrying out ISMS implementation and review, IT Audit, carrying out Infrastructure Devices hardening, developing and implementing Information Technology Policies and Proce- dures, developing and implementing an enterprise Security Awareness Program, developing and testing Business Continuity Plan & Disaster Recovery Plan and developing Physical Security Policy and Procedures Manual.

Did you liked the article? If you want to read more similar tutorials check the full free edition: Hakin9 Open - Cyber Security Edition

May 16, 2019

Leave a Reply


This site uses Akismet to reduce spam. Learn how your comment data is processed.

Notify of
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013