Sultanate of Oman Ministry of Higher Education Sur
of Applied Science
Web-Based Password Cracking Techniques
Innovations in Network & Security
by: Dr. Gaurav Bhatia
Table of Contents
Authentication is the procedure of identifying an entity based on a private detail. For example, a human can be identified by his passport, his fingerprint, etc. With computer systems, other unique characteristics are needed to prove identity.
Some of the ways and forms of computer system authentication can be categorized as below:
• What the user knows: authentication based on what the user knows (e.g. PIN, pass code, salutation)
• What the user has: authentication based on something the user possesses (e.g. memory card, a key, smart card)
• What the user is: authentication based on biometric features: physiological features such as a fingerprint, or behavioral features like keyboard
Figure 1. Classification by
Knowledge-based authentication is the most used type of user authentication. Instances of knowledge-based authentication include secret passwords, pass sentences or pass phrases, PINs (Personal Identification Numbers) or even a graphical image.
To authenticate users over a public (insecure) network, for instance the Internet, digital signatures and digital certificates are used, protected by a public and private key pair to make them secure enough. A secure entity provides the PKI (Public key
Authentication based on what one owns is also referred to as token-based authentication and, as the name says, it is built on a secret device that a user has. It mainly concerns physical objects a user has as a token (a key for a door, for example). A very important disadvantage of possession-based authentication needs mentioning: a token may have been stolen or copied and then presented, so it does not authenticate the user perfectly. There are other administrative problems, and the user always has to carry his/her token whenever access is needed.
Tokens are regularly divided into two main sets: memory tokens and smart tokens.
On one hand, memory tokens store information as it is and need not process it. A widely used memory token is the magnetic card, which is used as a combination of what a user has and what he knows (PIN); this adds a layer of security to the token. Memory tokens are not expensive to make, and with a password they become more secure than using a PIN by itself or a token by itself.
Smart tokens, on the other hand, contain a circuit that makes them able to process data in some way. Like memory tokens, smart tokens are also more secure when they are used with knowledge-based authentication such as a PIN. The most used smart token is the one embedded with
Unlike memory tokens, smart tokens incorporate one or more embedded integrated circuits which enable them to process information. Like memory tokens, most smart tokens are employed to authenticate together with a knowledge-based authentication system such as a PIN. One of the many kinds of smart tokens is the one embedded with a chip that contains a microprocessor. The fact that they are easily portable and secured with strong cryptography has led them to be the most used in e-commerce. Obviously, smart tokens are more expensive than memory tokens, but they provide better security and greater flexibility. The high security level of smart tokens, with the use of an OTP (one-time password) from a bank for instance, makes it possible to purchase online over the public Internet without great insecurity.
Biometric-based authentication is authentication based on what the user is. Unique human features are used to identify users, whether anatomical, behavioral or physiological characteristics associated with the user. Biometric authentication relies on the fact that humans are different, and some features exist in one person and that person only in the world. So it is possible to prove an identity based on who the user claims to be, rather than on knowledge-based or possession-based authenticity. The system involved in biometrics is a pattern-recognition system consisting of 3 principal modules:
The users' individual qualities are recorded and stored in reference documents to be compared for future authentication, to determine whether there is a match. The accuracy of different types of biometric systems can be checked by evaluating the percentage of errors that the system gives:
• erroneous rejection, which is a false non-match (type I
• erroneous acceptance, which is a false match (type II
A biometric system with a low level of erroneous results is much preferred for authentication.
A password cracking mechanism is an application that is used to figure out what a hidden password is. Password crackers can be used illegally, by black hat crackers, or legally, by a professional testing the robustness of a password or when trying to figure out a forgotten
Password crackers use two main methods to identify hidden passwords: brute force and dictionary attack.
A brute force attack consists of running through a set of guesses for the correct password until it finds it. It does a good job of finding the correct length, then throws guesses until the correct combination is found according to the computer system.
through combinations of characters within a predetermined length until it finds the combination accepted by the computer system. When conducting a dictionary
Password dictionaries come in various themes, from politics, music and religions to kids' names.
Password cracker programs use a hybrid of words and numbers, sometimes even symbols. For instance, if “ali” doesn't work as a password, they can throw in “ali90”, “ali91”, “ali92”, etc. The guessing is not limited to readable words only, because password crackers can go as far as using pre-encrypted words from various cryptographic algorithms.
In order to protect your system against today's attacks, one should be aware of any new trend in hacking so as to check whether one's system is secured against it. It is imperative to audit one's system regularly to check whether it has been infiltrated (by running cracking tools on your own organization), change passwords regularly, and make passwords longer, including various symbols.
The most common type of attack is password guessing. Attackers can guess
passwords locally or remotely using either a manual or automated approach.
Password guessing isn’t always as difficult as you’d expect. Most networks
aren’t configured to require long and complex passwords, and an attacker needs
to find only one weak password to gain access to a network. Not all
authentication protocols are equally effective against guessing attacks. For
example, because LAN Manager authentication is case-insensitive, a password
guessing attack against it doesn’t need to consider whether letters in the
password are uppercase or lowercase.
can automate the process of typing password after password. Some common
password guessing tools are Hydra, for guessing all sorts of passwords,
including HTTP, Telnet, and Windows logons; TSGrinder, for brute-force attacks
against Terminal Services and RDP connections; and SQLRecon, for brute-force
attacks against SQL authentication.
password guessing programs and crackers use several different approaches. The
most time consuming—and most successful—attack method is the brute-force
attack, in which the attacker tries every possible combination of characters
for a password, given a character set and a maximum password length.
attacks work on the assumption that most passwords consist of whole words,
dates, or numbers taken from a dictionary. Dictionary attack tools require a
dictionary input list. You can download varying databases with specific
vocabularies (e.g., English dictionary, sports, even Star Wars trivia) free or
commercially off the Internet.
password guessing attacks assume that network administrators push users to make
their passwords at least slightly different from a word that appears in a
dictionary. Hybrid guessing rules vary from tool to tool, but most mix
uppercase and lowercase characters, add numbers at the end of the password,
spell the password backward or slightly misspell it, and include characters
such as @!# in the mix. Both John the Ripper and Cain & Abel can do hybrid
Attackers often find it much easier to reset passwords than to guess them. Many
password cracking programs are actually password resetters. In most cases, the
attacker boots from a floppy disk or CD-ROM to get around the typical Windows
protections. Most password resetters contain a bootable version of Linux that
can mount NTFS volumes and can help you locate and reset the Administrator’s
used password reset tool is the free Petter Nordahl-Hagen program. Winternals
ERD Commander 2005, one of the tools in Winternals Administrator's Pak, is
a popular commercial choice. Be aware that most password reset tools can reset
local Administrator passwords residing only on local SAM databases and can’t
reset passwords in Active Directory (AD).
Although password resetting is a good approach when all you need is access to a
locked computer, resetting passwords attracts unwelcome attention. Attackers
usually prefer to learn passwords without resetting them. Password cracking is
the process of taking a captured password hash (or some other obscured form of
the plaintext password or challenge-response packets) and converting it to its
plaintext original. To crack a password, an attacker needs tools such as
extractors for hash guessing, rainbow tables for looking up plaintext
passwords, and password sniffers to extract authentication information.
password cracking tools can both extract and crack password hashes, but most
password crackers need to have the LM password hash before they can begin the
cracking process. (A few tools can work on NT hashes.) The most popular Windows
password hash extractor is the Pwdump family of programs. Pwdump has gone
through many versions since its release years ago, but Pwdump4 is the current
password hashes using Pwdump, you must have administrative access to the local
or remote machine you’re attacking, and you must be able to use NetBIOS to
connect to the admin$ share. There are ways around the latter requirement, but
the tool alone requires it. When you run Pwdump4 successfully, it extracts LM
and NT password hashes and, if Windows’ password history tracking is active,
all hashes for older passwords. By default, Pwdump saves password hashes to the
screen, but you can also output them to a file, then feed them to a password
password cracking tools accept Pwdump-formatted hashes for cracking. Such tools
usually begin the cracking process by generating some guesses for the password,
then hashing the guesses and comparing those hashes with the extracted hash.
password crackers are John the Ripper and Cain & Abel. John the
Ripper, which comes in both Unix and Windows flavors, is a very fast
command-line tool and comes with a distributed-computing add-on. Cain &
Abel can break more than 20 kinds of password hashes, such as LM, NT, Cisco,
days, password crackers are computing all possible passwords and their hashes
in a given system and putting the results into a lookup table called a rainbow
table. When an attacker extracts a hash from a target system, he or she can
simply go to the rainbow table and look up the plaintext password. Some
crackers (and Web sites) can use rainbow tables to crack any LM hashes in a
couple of seconds. You can purchase very large rainbow tables, which vary in
size from hundreds of megabytes to hundreds of gigabytes, or generate your own
using Rainbow Crack. Rainbow tables can be defeated by disabling LM hashes and
using long, complex passwords.
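The precomputed-table attack on unsalted hashes described above, and why a per-user salt plus a deliberately slow hash defeats it, as an added Python example that is not part of the lecture. SHA-256 and PBKDF2 stand in for the LM/NT algorithms the text names, and the candidate wordlist is constructed.

```python
import hashlib
import hmac
import os

# Constructed candidate list standing in for a cracker's wordlist.
CANDIDATES = ["summer", "password", "ali90", "letmein", "Sur2015"]


def unsalted_hash(password: str) -> str:
    """Unsalted digest: the same password always gives the same hash, so the
    hash -> plaintext pairs can be computed once and looked up forever."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(candidates):
    """Precompute hash -> plaintext for every candidate. A rainbow table
    stores this more compactly via hash chains; a dict shows the same idea."""
    return {unsalted_hash(c): c for c in candidates}


def lookup(table, digest):
    """Recover a plaintext from a captured unsalted digest, or None."""
    return table.get(digest)


def new_salt() -> bytes:
    """Per-user random salt; stored next to the hash, it need not be secret."""
    return os.urandom(16)


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def verify(password: str, salt: bytes, stored: str) -> bool:
    """Constant-time comparison of a login attempt against the stored hash."""
    return hmac.compare_digest(salted_hash(password, salt), stored)


def demo():
    table = build_lookup_table(CANDIDATES)

    # 1. Unsalted: a captured digest is recovered instantly from the table.
    captured = unsalted_hash("ali90")
    recovered = lookup(table, captured)            # "ali90"

    # 2. Salted: two users with the same password get different digests,
    #    and neither appears in a table precomputed without their salts.
    salt_a, salt_b = new_salt(), new_salt()
    digest_a = salted_hash("ali90", salt_a)
    digest_b = salted_hash("ali90", salt_b)
    return recovered, digest_a != digest_b, lookup(table, digest_a)


if __name__ == "__main__":
    print(demo())  # ('ali90', True, None)
```

The table is only useful when every system hashes the same password to the same value; a 16-byte random salt per account forces the attacker to recompute the table for each account, and the iteration count makes each recomputation slow.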
password crackers can sniff authentication traffic between a client and server
and extract password hashes or enough authentication information to begin the
cracking process. Cain & Abel both sniffs authentication traffic and cracks
the hashes it retrieves. Other sniffing password crackers are ScoopLM and
KerbCrack, a sniffer and cracker for cracking Kerberos authentication traffic.
None of these can crack NTLMv2 authentication traffic.
Many attackers capture passwords simply by installing a keyboard-sniffing
Trojan horse or one of the many physical keyboard-logging hardware devices for
sale on the Internet. Symantec reports that 82 percent of the most
commonly used malware programs steal confidential information. Most steal
passwords. For $99, anyone can buy a keyboard keystroke logger that can log
more than 2 million keystrokes. Physical keyboard logging devices less than an
inch long can easily be slipped between the keyboard cord and the computer’s keyboard
port. And let’s not forget how easy it is to sniff passwords from wireless
keyboards even from a city block away.
Password Cracking Countermeasures
If you have to choose between weak passwords that your users can memorize and strong passwords that your users must write down, have users write down passwords and store the information securely. Train users to store their written passwords in a secure place — not on keyboards or in easily cracked password-protected computer files. Users should store a written password in one of these locations:
• A locked file cabinet or office
• Full (whole) disk encryption, which can prevent an intruder from ever accessing the OS and passwords stored on the system.
• A secure password management tool such as Password Safe, an open source software originally developed by Counterpane
ethical hacker, you should show users the importance of securing their passwords. Here are some tips on how to do that:
• Demonstrate how to create secure
to them as passphrases, because people tend to take passwords literally and use only words, which can be less secure.
• Show what can happen when weak passwords are used or passwords are shared.
• Diligently build user awareness of social engineering attacks.
at least encourage the use of) a strong password-creation policy that includes
the following criteria:
• Use upper- and lowercase letters, special characters, and numbers. Never use only numbers. Such passwords can be cracked quickly.
• Misspell words or create acronyms from a quote or a sentence. For example, ASCII is an acronym for American Standard Code for Information Interchange that can also be used as part of a password.
• Use punctuation characters to separate words or acronyms.
• Change passwords every 6 to 12 months or immediately if they're suspected of being compromised. Anything more frequent introduces an inconvenience that serves only to create more
• Use different passwords for each
is especially important for network infrastructure hosts, such as servers, firewalls, and routers. It's okay to use similar passwords — just make them slightly different for each type of system, such as SummerInTheSouth-Win7 for Windows systems and Linux+SummerInTheSouth for Linux systems.
• Use variable-length passwords. This trick can throw off attackers because they won't know the required minimum or maximum length of passwords and must try all password length combinations.
• Don't use common slang words or words that are in a dictionary.
• Don't rely completely on similar-looking characters, such as 3 instead of E, 5 instead of S, or ! instead of 1. Password-cracking programs can check for this.
• Don't reuse the same password within at least four to five password changes.
• Use password-protected screen
screens are a great way for systems to be compromised even if their hard drives are encrypted.
• Don't share passwords. To each his or her own!
• Avoid storing user passwords in an unsecured central location, such as an unprotected spreadsheet on a hard drive. This is an invitation for disaster. Use Password Safe or a similar program to store user passwords.
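One way to enforce the criteria above, as an added Python example that is not part of the lecture: a checker that applies the character-class, numbers-only, dictionary, look-alike and reuse rules at password-change time. The minimum length, the mini dictionary and the extra look-alike substitutions are assumptions; the text itself gives only the 3/E, 5/S and !/1 cases.

```python
import string

MIN_LENGTH = 8           # assumption: the lecture states no minimum length
HISTORY_DEPTH = 5        # "don't reuse within four to five password changes"

# Constructed mini dictionary; a deployment would load a full wordlist.
DICTIONARY = {"summer", "password", "winter", "south", "sultan", "oman", "ali"}

# Look-alike substitutions a cracker undoes before a dictionary comparison
# (3/E and 5/S from the text, the rest are common additions).
LOOKALIKES = str.maketrans({"3": "e", "5": "s", "1": "i", "0": "o",
                            "@": "a", "4": "a", "$": "s", "7": "t"})


def core_word(password: str) -> str:
    """Reduce a candidate to the dictionary word a hybrid cracker would try:
    strip number/symbol padding at the ends ("ali90"), undo look-alike
    substitutions ("P@ssw0rd"), keep letters only, lowercase."""
    stripped = password.lower().strip(string.digits + string.punctuation)
    normalized = stripped.translate(LOOKALIKES)
    return "".join(ch for ch in normalized if ch.isalpha())


def is_mangled_dictionary_word(password: str) -> bool:
    """True if the candidate is a dictionary word, forwards or backwards,
    once the usual hybrid mangling is undone."""
    word = core_word(password)
    return bool(word) and (word in DICTIONARY or word[::-1] in DICTIONARY)


def check_password(password: str, history=()) -> list:
    """Return the list of policy rules the candidate violates (empty = OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.isdigit():
        problems.append("only numbers")
    classes = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing " + ", ".join(missing))
    if is_mangled_dictionary_word(password):
        problems.append("dictionary word with look-alike/number padding")
    if password in list(history)[-HISTORY_DEPTH:]:
        problems.append(f"reused within last {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    for candidate in ["SummerInTheSouth-Win7", "P@ssw0rd!", "ali90", "19901990"]:
        print(candidate, "->", check_password(candidate) or "OK")
```

The passphrase example from the text passes because its letters do not reduce to a single dictionary entry, while "P@ssw0rd!" is rejected for the reason the text gives: look-alike characters are the first thing a cracker's hybrid rules undo.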
some other password-hacking countermeasures:
• Enable security auditing to help monitor and track password attacks.
• Test your applications to make sure they aren't storing passwords indefinitely in memory or writing them to disk. A good tool for this is WinHex.
• Keep your systems patched. Passwords are reset or compromised during buffer overflows or other denial of service (DoS)
• Know your user IDs. If an account has never been used, delete or disable the account until it's needed. You can determine unused accounts by manual inspection or by using a tool such as DumpSec, a tool that can enumerate the Windows operating system and gather user IDs and other information.
security administrator in your organization, you can enable account lockout to prevent password-cracking attempts. Account lockout is the ability to lock user accounts for a certain time after a certain number of failed login attempts has occurred. Most operating systems have this
Don't set it too low, and don't set it too high, which would give a malicious user a greater chance of breaking in. Somewhere between 5 and 50 might work for you. Consider the following when configuring account lockout on your systems:
• To use account lockout to prevent any possibility of a user DoS condition, require two different passwords, and don't set a lockout time for the first one if that feature is available in your operating system.
• If you permit autoreset of the account after a certain period — often referred to as intruder lockout — don't set a short time period. Thirty minutes often
login counter can increase password security and minimize the overall effects
of account lockout if the account experiences an automated attack. A login
counter can force a password change after a number of failed attempts. If the
number of failed login attempts is high and occurred over a short period, the
account has likely experienced an automated password attack.
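The account lockout and login-counter behaviour described above, replayed over a login log, as an added Python example that is not part of the lecture. The thresholds (10 failures to lock, a 30-minute auto-reset, 5 failures within 60 seconds treated as an automated attack) are assumptions chosen inside the ranges the text discusses, and the log is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy knobs (assumptions, chosen inside the ranges the text discusses).
LOCKOUT_THRESHOLD = 10                      # failures before the account locks
OBSERVATION_WINDOW = timedelta(minutes=30)  # older failures are forgotten
INTRUDER_LOCKOUT = timedelta(minutes=30)    # auto-reset period ("thirty minutes")
BURST_COUNT = 5                             # this many failures within ...
BURST_WINDOW = timedelta(seconds=60)        # ... this window = automated attack


class LockoutPolicy:
    """Account lockout plus a login counter that flags automated attacks."""

    def __init__(self):
        self.failures = defaultdict(deque)   # account -> recent failure times
        self.locked_until = {}               # account -> lock expiry
        self.force_password_change = set()   # accounts hit by a failure burst

    def is_locked(self, account, now):
        until = self.locked_until.get(account)
        return until is not None and now < until

    def record(self, account, success, now):
        """Process one login event and return the decision taken for it."""
        if self.is_locked(account, now):
            return "rejected-locked"        # even a correct password is refused
        if success:
            self.failures[account].clear()
            return "accepted"
        recent = self.failures[account]
        recent.append(now)
        while recent and now - recent[0] > OBSERVATION_WINDOW:
            recent.popleft()
        # Login counter: many failures in a short period mean an automated
        # attack, so the account owner is forced to change the password.
        burst = sum(1 for t in recent if now - t <= BURST_WINDOW)
        if burst >= BURST_COUNT:
            self.force_password_change.add(account)
        if len(recent) >= LOCKOUT_THRESHOLD:
            self.locked_until[account] = now + INTRUDER_LOCKOUT
            return "locked"
        return "failed"


# Constructed login log: (seconds after 09:00:00, outcome, account).
BASE = datetime(2024, 3, 1, 9, 0, 0)
EVENTS = [(i, "FAIL", "alice") for i in range(12)]           # 12 fails, 1/s
EVENTS += [(15, "SUCCESS", "alice"),                          # right password, but locked
           (120, "FAIL", "bob"), (300, "FAIL", "bob"),        # human typos
           (360, "SUCCESS", "bob"),
           (31 * 60, "SUCCESS", "alice")]                     # after the auto-reset


def replay(events=EVENTS):
    """Run the policy over the log; returns (policy, list of decisions)."""
    policy = LockoutPolicy()
    decisions = []
    for offset, outcome, account in events:
        now = BASE + timedelta(seconds=offset)
        decisions.append(policy.record(account, outcome == "SUCCESS", now))
    return policy, decisions


if __name__ == "__main__":
    policy, decisions = replay()
    for (offset, outcome, account), decision in zip(EVENTS, decisions):
        print(f"+{offset:5d}s {account:6s} {outcome:8s} -> {decision}")
    print("forced password change:", sorted(policy.force_password_change))
```

Two slow typos from bob never approach the threshold, while alice's one-per-second burst both locks the account and, through the login counter, marks it for a forced password change; the lock expires on its own after thirty minutes, so no administrator has to intervene.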
password-protection countermeasures include
• Stronger authentication methods. Examples of these are challenge/response, smart cards, tokens, biometrics, or digital
• Automated password reset. This functionality lets users manage most of their password problems without getting others involved. Otherwise, this support issue becomes expensive, especially for
• Password-protect the system
is especially important on servers and laptops that are susceptible to physical security threats and vulnerabilities.