Password Cracking Method

Password Cracking Overview

Password cracking is a technique used to gain unauthorized access to systems by exploiting weak passwords. Successfully obtaining access to even a single account can provide entry into a system, which underscores the importance of understanding various attack vectors.

Methods of Unauthorized Access

Access can often be obtained through a variety of methods:

  1. Acquiring Multiple User Accounts: Obtain a list of user accounts from the target organization.

  2. Guessing Passwords: Attempt to use easily guessable passwords, which may often include common themes such as seasons, years, or company names.

Factors Influencing Guessable Passwords

Common strategies for guessing passwords include:

  • Using seasonal names (e.g., "Winter2023")

  • Incorporating significant dates or the company's foundation year (e.g., "CompanyName2023!").

  • Compromising just one account in this way is often sufficient to establish a foothold for further exploitation.
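
As an added example (not part of the original notes), a small Python policy check that rejects exactly the patterns listed above: a season or company name followed by a two- or four-digit year, with an optional separator and trailing punctuation. The company names and the accepted year range are assumptions supplied by the caller.

```python
import re
from datetime import date

# Themes the notes call out as predictable: season names, plus company names supplied by the caller
SEASONS = ("winter", "spring", "summer", "autumn", "fall")


def is_predictable(password, company_names=(), years=None):
    """Return True if the password is '<theme><year>' with an optional separator and
    trailing punctuation, e.g. Winter2023, Summer23, CompanyName2023!, Acme_24."""
    if years is None:
        # Assumed default window: the last five years through next year
        this_year = date.today().year
        years = range(this_year - 5, this_year + 2)
    allowed_years = set()
    for y in years:
        allowed_years.add(str(y))            # four-digit form, e.g. 2023
        allowed_years.add(f"{y % 100:02d}")  # two-digit form, e.g. 23
    themes = SEASONS + tuple(c.lower() for c in company_names)
    theme_alt = "|".join(re.escape(t) for t in themes)
    # Separator and trailing symbols are tolerated so that "Winter_2023!" is still caught;
    # the symbol is usually added only to satisfy a complexity rule and adds no real entropy
    m = re.fullmatch(rf"({theme_alt})[^a-z0-9]*(\d{{4}}|\d{{2}})[^a-z0-9]*", password.lower())
    return m is not None and m.group(2) in allowed_years


def find_predictable(candidates, company_names=(), years=None):
    """Filter a list of proposed passwords down to the ones a policy should reject."""
    return [p for p in candidates if is_predictable(p, company_names, years)]
```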

Types of Password Attacks

Password attacks can be classified into two main categories: non-electronic and electronic attacks.

Non-Electronic Attacks

  • Shoulder Surfing: Attacker observes a user entering their password from a location where they can see the screen and keyboard.

  • Dumpster Diving: Searching through trash to find discarded items that may contain sensitive information, such as written passwords.

  • Social Engineering: Manipulating individuals into revealing their passwords through deceitful stories or pressure tactics.

    • Example Scenario: An attacker posing as a member of the IT team could convince an employee to change their password to a temporary one controlled by the attacker, with a fabricated urgency related to network changes.

Electronic Attacks

These attacks can be further subdivided into passive online and active online methods.

Passive Online Attacks

  • Packet Sniffing: Capturing packets as they traverse the network. For web applications, cookies that serve as authentication tokens can be intercepted. If the attacker can capture a cookie, they can potentially authenticate as the user.

  • Man-in-the-Middle Attacks (MitM): Attacker places themselves between the client and server to manipulate or capture data packets. This typically involves:

    • ARP Poisoning: Associating the attacker’s MAC address with the target’s IP address so that traffic intended for the target is delivered to the attacker instead.

    • Gateway Hijacking: Redirecting data through the attacker’s system.

    • Spanning Tree Protocol Hijacking: Exploiting network protocols that may not have robust authentication, allowing traffic interception.

Active Online Attacks

In this scenario, attackers employ software to automate attempts to log into user accounts:

  • Metasploit Framework: A tool with auxiliary modules to perform automated logins on services like Telnet, SSH, or RDP.

  • Hydra: A utility designed for online brute-force attacks against various protocols, using a supplied word list for usernames and passwords.

    • Process: An attacker selects a target IP and specifies the protocol, then systematically attempts combinations from the word lists. This method is noisy: every failed attempt typically produces a log entry, which makes it easier to detect than passive methods.
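
The logging noise described above is what a defender looks for. As an added example, not from the original notes, the following Python detector parses constructed OpenSSH-style auth log lines, counts failed password logins per source address within a sliding window, and flags any source that then succeeds; the host name, addresses, threshold and window are assumed values.

```python
import re
from collections import defaultdict

# Matches OpenSSH auth-log lines for password logins: syslog time, host, pid, result, user, source
LINE_RE = re.compile(
    r"^\w{3}\s+\d+ (?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample log: one source hammers several accounts, then gets in
SAMPLE_LOG = """\
Mar  4 10:15:01 bastion sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51122 ssh2
Mar  4 10:15:03 bastion sshd[1203]: Failed password for invalid user test from 198.51.100.7 port 51123 ssh2
Mar  4 10:15:06 bastion sshd[1205]: Failed password for root from 198.51.100.7 port 51124 ssh2
Mar  4 10:15:09 bastion sshd[1207]: Failed password for alice from 198.51.100.7 port 51125 ssh2
Mar  4 10:15:12 bastion sshd[1209]: Failed password for alice from 198.51.100.7 port 51126 ssh2
Mar  4 10:15:20 bastion sshd[1211]: Failed password for bob from 203.0.113.5 port 40010 ssh2
Mar  4 10:15:31 bastion sshd[1213]: Accepted password for alice from 198.51.100.7 port 51127 ssh2
Mar  4 10:16:02 bastion sshd[1215]: Accepted password for bob from 203.0.113.5 port 40011 ssh2
"""

def parse_events(log_text):
    """Yield (seconds_since_midnight, result, user, ip); assumes all lines fall on one day."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            t = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
            yield t, m["result"], m["user"], m["ip"]

def detect_bursts(log_text, threshold=5, window=60):
    """Return ({ip: max failures within any `window` seconds}, [ips that then logged in])."""
    events = list(parse_events(log_text))
    failures = defaultdict(list)
    for t, result, _user, ip in events:
        if result == "Failed":
            failures[ip].append(t)
    bursts = {}
    for ip, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[ip] = best
    # A successful login from a bursting source is the alert that matters most
    successes = sorted({ip for _t, r, _u, ip in events if r == "Accepted" and ip in bursts})
    return bursts, successes
```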

Offline Attacks

In an offline attack, an attacker retrieves password hashes from a compromised system rather than attacking directly:

  • Password Hashes: When a user creates a password, the system typically stores a hash of it rather than the plaintext so that the password itself is not exposed. MD5 is still commonly encountered despite its known weaknesses; SHA-256 is now recommended for secure hash generation.

  • Accessing Password Files: The attacker may target files that contain password hashes, such as the SAM file on Windows or the shadow file on Linux systems. Reading these files requires administrative privileges. Once an attacker has the hashes, they can attempt to crack them using various methods, such as:

    • Brute-forcing all possible combinations.

    • Using graphics processing units (GPUs) to speed up the cracking process significantly (e.g., an Nvidia 1080).

Challenges with Non-Cleartext Authentication

Sometimes, password data is not transmitted in plaintext but utilizes protocols such as:

  • Challenge Handshake Authentication Protocols: The server sends a random string (the challenge); the client concatenates it with the user's password, runs the result through a hashing algorithm (MD5 or SHA-256, for example), and returns the hash as its response.

    • If captured by sniffing the wire, these challenge-response pairs can be used later in offline attacks to recover the password.
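
An added Python example (not from the original notes) walking through the exchange: the server issues a random challenge, the client answers with SHA-256(challenge || password), and the server verifies the answer. It also shows why a captured pair is a liability: replaying it against a fresh challenge fails, but anyone holding the pair can test password guesses offline without touching the server. The function names and the 16-byte challenge size are assumptions.

```python
import hashlib
import secrets


def make_challenge() -> bytes:
    """Server side: a fresh random nonce for every authentication attempt (assumed 16 bytes)."""
    return secrets.token_bytes(16)


def compute_response(challenge: bytes, password: str) -> str:
    """Client side: hash(challenge || password). SHA-256 here; older CHAP variants used MD5."""
    return hashlib.sha256(challenge + password.encode()).hexdigest()


def server_verify(challenge: bytes, response: str, stored_password: str) -> bool:
    """Server side: recompute the expected response and compare in constant time."""
    expected = compute_response(challenge, stored_password)
    return secrets.compare_digest(expected, response)


def run_exchange(password: str):
    """One complete handshake; returns what a sniffer on the wire would see plus the outcome."""
    challenge = make_challenge()                      # server -> client
    response = compute_response(challenge, password)  # client -> server
    return challenge, response, server_verify(challenge, response, password)


def replay_rejected(captured_response: str, password: str) -> bool:
    """A new session gets a new challenge, so a replayed response no longer matches."""
    new_challenge = make_challenge()
    return not server_verify(new_challenge, captured_response, password)


def offline_check(captured_challenge: bytes, captured_response: str, candidate: str) -> bool:
    """Why captured pairs matter: a guess can be tested against the pair with no server
    interaction and no log entry, so weak passwords remain exposed even though the
    password itself never crossed the wire."""
    return compute_response(captured_challenge, candidate) == captured_response
```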

Dictionary vs. Brute Force

  • Dictionary Attacks: Use a predetermined list of common passwords or phrases, which makes them much quicker than brute-force attempts that test every possible combination.

  • Brute Force Attacks: In contrast, these guarantee eventual success because they try every possibility, but they are time-consuming and much slower because of the size of the search space.

In summary, password cracking is a foundational technique in information security, involving various methods and technologies. Being aware of these techniques is essential for both offensive and defensive cybersecurity practices, emphasizing the significance of secure password management and user training against social engineering tactics.