To understand how to protect yourself from a password attack, you should become familiar with the most commonly used types of attacks. With that information, you can use password cracking tools and techniques to regularly audit your own organization's passwords and determine whether your defenses need bolstering. To that end, here's a primer of the most widely used types of attacks.
The most common type of attack is password guessing. Attackers can guess passwords locally or remotely using either a manual or automated approach. Password guessing isn't always as difficult as you'd expect. Most networks aren't configured to require long and complex passwords, and an attacker needs to find only one weak password to gain access to a network. Not all authentication protocols are equally effective against guessing attacks. For example, because LAN Manager authentication is case-insensitive, a password guessing attack against it doesn't need to consider whether letters in the password are uppercase or lowercase.
Many tools can automate the process of typing password after password. Some common password guessing tools are Hydra (see http://www.thc.org for links to the downloadable tool), for guessing all sorts of passwords, including HTTP, Telnet, and Windows logons; TSGrinder (http://www.hammerofgod.com/download.htm), for brute-force attacks against Terminal Services and RDP connections; and SQLRecon (http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=26), for brute-force attacks against SQL authentication.
Automated password guessing programs and crackers use several different approaches. The most time consuming—and most successful—attack method is the brute-force attack, in which the attacker tries every possible combination of characters for a password, given a character set (e.g., abcd…ABCD…1234…[email protected]#$) and a maximum password length.
Dictionary attacks work on the assumption that most passwords consist of whole words, dates, or numbers taken from a dictionary. Dictionary attack tools require a dictionary input list. You can download varying databases with specific vocabularies (e.g., English dictionary, sports, even Star Wars trivia) free or commercially off the Internet.
Hybrid password guessing attacks assume that network administrators push users to make their passwords at least slightly different from a word that appears in a dictionary. Hybrid guessing rules vary from tool to tool, but most mix uppercase and lowercase characters, add numbers at the end of the password, spell the password backward or slightly misspell it, and include characters such as @!# in the mix. Both John the Ripper (http://www.openwall.com/john) and Cain & Abel (http://www.oxid.it) can do hybrid guessing.
Attackers often find it much easier to reset passwords than to guess them. Many password cracking programs are actually password resetters. In most cases, the attacker boots from a floppy disk or CD-ROM to get around the typical Windows protections. Most password resetters contain a bootable version of Linux that can mount NTFS volumes and can help you locate and reset the Administrator's password.
A widely used password reset tool is the free Petter Nordahl-Hagen program (http://home.eunet.no/~pnordahl/ntpasswd). Winternals ERD Commander 2005, one of the tools in Winternals Administrator's Pak (http://www.winternals.com/Products/AdministratorsPak/#erdcommander2005) is a popular commercial choice. Be aware that most password reset tools can reset local Administrator passwords residing only on local SAM databases and can't reset passwords in Active Directory (AD).
Although password resetting is a good approach when all you need is access to a locked computer, resetting passwords attracts unwelcome attention. Attackers usually prefer to learn passwords without resetting them. Password cracking is the process of taking a captured password hash (or some other obscured form of the plaintext password or challenge-response packets) and converting it to its plaintext original. To crack a password, an attacker needs tools such as extractors for hash guessing, rainbow tables for looking up plaintext passwords, and password sniffers to extract authentication information.
Hash guessing. Some password cracking tools can both extract and crack password hashes, but most password crackers need to have the LM password hash before they can begin the cracking process. (A few tools can work on NT hashes.) The most popular Windows password hash extractor is the Pwdump family of programs. Pwdump has gone through many versions since its release years ago, but Pwdump4 is the current version. (You can download Pwdump4 at http://pr.openwall.net/dl/pwdump/pwdump4.zip.)
To extract password hashes using Pwdump, you must have administrative access to the local or remote machine you're attacking, and you must be able to use NetBIOS to connect to the admin$ share. There are ways around the latter requirement, but the tool alone requires it. When you run Pwdump4 successfully, it extracts LM and NT password hashes and, if Windows' password history tracking is active, all hashes for older passwords. By default, Pwdump saves password hashes to the screen, but you can also output them to a file, then feed them to a password cracker.
Many password cracking tools accept Pwdump-formatted hashes for cracking. Such tools usually begin the cracking process by generating some guesses for the password, then hashing the guesses and comparing those hashes with the extracted hash.
Common password crackers are John the Ripper and Cain & Abel. John the Ripper, which comes in both Unix and Windows flavors, is a very fast command-line tool and comes with a distributed-computing add-on. Cain & Abel can break more than 20 kinds of password hashes, such as LM, NT, Cisco, and RDP.
Rainbow tables. These days, password crackers are computing all possible passwords and their hashes in a given system and putting the results into a lookup table called a rainbow table. When an attacker extracts a hash from a target system, he or she can simply go to the rainbow table and look up the plaintext password. Some crackers (and Web sites) can use rainbow tables to crack any LM hashes in a couple of seconds. You can purchase very large rainbow tables, which vary in size from hundreds of megabytes to hundreds of gigabytes, or generate your own using Rainbow Crack (http://www.antsight.com/zsl/rainbowcrack). Rainbow tables can be defeated by disabling LM hashes and using long, complex passwords.
Password sniffing. Some password crackers can sniff authentication traffic between a client and server and extract password hashes or enough authentication information to begin the cracking process. Cain & Abel both sniffs authentication traffic and cracks the hashes it retrieves. Other sniffing password crackers are ScoopLM (http://www.securityfriday.com/tools/ScoopLM.html) and KerbCrack (http://ntsecurity.nu/toolbox/kerbcrack), a sniffer and cracker for cracking Kerberos authentication traffic. None of these can crack NTLNv2 authentication traffic.
Many attackers capture passwords simply by installing a keyboard-sniffing Trojan horse or one of the many physical keyboard-logging hardware devices for sale on the Internet. Symantec reports that 82 percent of the most commonly used malware programs steal confidential information. Most steal passwords. For $99, anyone can buy a keyboard keystroke logger that can log more than 2 million keystrokes. Physical keyboard logging devices less than an inch long can easily be slipped between the keyboard cord and the computer's keyboard port. And let's not forget how easy it is to sniff passwords from wireless keyboards even from a city block away.