Password Attacks
On-path and malware attacks can be difficult to perpetrate. Many network intrusions occur because a threat actor simply obtains credentials to access the network. Also, when a threat actor gains some sort of access via an on-path or malware attack, they are likely to attempt to escalate privileges to gain access to other targets on the network by harvesting credentials for administrative accounts.
A plaintext password can be captured by obtaining a password file or by sniffing unencrypted traffic on the network. If the protocol does not use encryption, then the threat actor can simply read the password string from the captured frames.
If authentication credentials are transmitted in cleartext, such as the unencrypted version of the IMAP mailbox access protocol, it is a simple matter for the credentials to be intercepted via packet sniffing. (Screenshot courtesy of Wireshark.)
In most cases, a password is stored and transmitted more securely by making a cryptographic hash of the string entered by the user. A cryptographic hash algorithm produces a fixed-length string from a variable-length string using a one-way function. This means that, in theory, no one except the user (not even the system administrator) knows the password, because the plaintext should not be recoverable from the hash.
A password might be sent in an encoded form, such as Base64, which is simply an ASCII representation of binary data. This is not the same as cryptographic hashing. The password value can easily be derived from the Base64 string.
A threat actor might obtain a database of password hashes from the local system. Common password hash files and databases include %SystemRoot%\System32\config\SAM, %SystemRoot%\NTDS\NTDS.DIT (the Active Directory credential store), and /etc/shadow. The threat actor could also use an on-path attack to capture a password hash transmitted during user authentication.
While the original string is not supposed to be recoverable, password cracking software can be used to try to identify the password from the cryptographic hash. A password cracker uses two basic techniques:
Dictionary — The software matches the hash to those produced by ordinary words found in a dictionary. This dictionary could include information such as user and company names, pet names, significant dates, or any other data that people might naively use as passwords.
Brute force — The software tries to match the hash against one of every possible combination it could be. If the password is short (under eight characters) and noncomplex (using only lower-case letters, for instance), a password might be cracked in minutes. Longer and more complex passwords increase the amount of time the attack takes to run.
Hashcat password cracking utility. This example uses a mask to speed up a brute force attack. The attacker can use a mask by learning or guessing likely facts about how the target chooses a password, such as its length and likelihood of being a variation on a simple word or phrase.
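The following is an added example, not code from the original text, that illustrates the points above: Base64 encoding is reversible while a cryptographic hash is one-way, an unsalted hash of a dictionary word can be identified by a weak-password audit, and the size of the brute-force keyspace explains why short lower-case-only passwords fall in minutes. The sample password, the word list and the guess rate are constructed values chosen for the demonstration.

```python
import base64
import hashlib
from typing import List, Optional

# Constructed sample values (not from the page): a weak, pet-name-style password
# and a small word list of the kind a dictionary attack would use.
SAMPLE_PASSWORD = "fluffy2019"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_PASSWORD.encode()).decode()
WEAK_DICTIONARY = ["password", "fluffy", "fluffy2019", "acme2024", "summer"]
LOWERCASE = "abcdefghijklmnopqrstuvwxyz"


def decode_base64_credential(encoded: str) -> str:
    """Base64 is an encoding, not a hash: the plaintext is recovered directly."""
    return base64.b64decode(encoded).decode()


def sha256_hex(password: str) -> str:
    """A one-way hash: the plaintext cannot be read back out of the digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def audit_hash_against_dictionary(stored_hash: str, dictionary: List[str]) -> Optional[str]:
    """Defender-side weak-password audit: returns the dictionary word whose
    unsalted SHA-256 digest equals the stored hash, or None if no word matches.
    A match means the account's password should be rejected by policy."""
    for word in dictionary:
        if sha256_hex(word) == stored_hash:
            return word
    return None


def brute_force_keyspace(length: int, charset: str) -> int:
    """Number of candidates an exhaustive search must try for passwords of
    exactly `length` characters drawn from `charset`."""
    return len(charset) ** length


def seconds_to_exhaust(length: int, charset: str, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given (assumed) guess rate."""
    return brute_force_keyspace(length, charset) / guesses_per_second


if __name__ == "__main__":
    print("Base64 decodes to:", decode_base64_credential(SAMPLE_ENCODED))
    print("SHA-256 of sample:", sha256_hex(SAMPLE_PASSWORD))
    print("Dictionary hit:", audit_hash_against_dictionary(sha256_hex(SAMPLE_PASSWORD), WEAK_DICTIONARY))
    print("8 lower-case chars at 1e9 guesses/s:", seconds_to_exhaust(8, LOWERCASE, 1e9), "seconds")
```

The audit function is the same loop a dictionary attack performs, which is exactly why running it against your own password store (with the same hash algorithm and salt the store uses) is the standard way to find accounts that would fall to such an attack.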