Password Cracking

System and network assessments

Leighton Johnson, in Security Controls Evaluation, Testing, and Assessment Handbook (Second Edition), 2020

Theoretically all passwords are "crackable"

Password cracking can also be performed with rainbow tables, which are lookup tables with pre-computed password hashes. For example, a rainbow table can be created that contains every possible password for a given character set up to a certain character length. Assessors may then search the table for the password hashes that they are trying to crack. Rainbow tables require large amounts of storage space and can take a long time to generate, but their primary shortcoming is that they may be ineffective against password hashing that uses salting. Salting is the inclusion of a random piece of information in the password hashing process that decreases the likelihood of identical passwords returning the same hash. Rainbow tables will not produce correct results without taking salting into account—but this dramatically increases the amount of storage space that the tables require. Many operating systems use salted password hashing mechanisms to reduce the effectiveness of rainbow tables and other forms of password cracking.


URL: https://www.sciencedirect.com/science/article/pii/B9780128184271000100

Domain 9

Eric Conrad, ... Joshua Feldman, in CISSP Study Guide, 2010

Password Guessing and Password Cracking

Though some fail to distinguish between the two, it is prudent to differentiate between password guessing and cracking as the techniques differ. Password guessing is the simpler of the two techniques from both the attacker's and defender's vantage point. Password guessing is an online technique that involves attempting to authenticate a particular user to the system. Password cracking refers to an offline technique in which the attacker has gained access to the password hashes or database. Note that most web-based attacks on passwords are of the password guessing variety, so web applications should be designed with this in mind from a detective and preventive standpoint.

Password guessing may be detected by monitoring the failed login system logs. In order to differentiate between the normal user accidentally mistyping their passwords and the attacker, clipping levels are useful. Clipping levels define a minimum reporting threshold level. Using the password guessing example, a clipping level might be established such that the audit system only alerts if failed authentication occurs more frequently than five times in an hour for a particular user. Clipping levels can help to differentiate the attacks from noise; however, they can also cause false negatives if the attackers can glean the threshold beneath which they must operate.

Preventing successful password guessing attacks is typically done with account lockouts. Account lockouts are used to prevent an attacker from being able to simply guess the correct password by attempting a large number of potential passwords. Some organizations require manual remediation of locked accounts, usually in the form of intervention by the help desk. However, some organizations configure account lockouts to simply have an automatic reset time, which would not necessarily require manual intervention. Care should be taken in the account lockout configuration as an attacker, though unsuccessful at retrieving a correct password, might be able to cause significant administrative burden by intentionally locking out a large volume of accounts.
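The clipping level and the lockout-with-automatic-reset behaviour described in the two paragraphs above, as an added Python example that is not from the book. The five-failures-per-hour threshold comes from the text; the log lines are constructed, and the 30-minute reset window, the 15-minute lock duration and the function names are assumptions for the demo. The low-and-slow user in the sample never trips the clipping level, which is the false-negative case the text warns about.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed failed-login records (not taken from any real system):
# alice mistypes twice, bob hammers one account, carol stays under the
# clipping level by spacing guesses twenty minutes apart.
SAMPLE_LOG = """\
2024-05-01T09:00:05 FAIL alice
2024-05-01T09:01:10 FAIL alice
2024-05-01T09:00:00 FAIL bob
2024-05-01T09:00:01 FAIL bob
2024-05-01T09:00:02 FAIL bob
2024-05-01T09:00:03 FAIL bob
2024-05-01T09:00:04 FAIL bob
2024-05-01T09:00:05 FAIL bob
2024-05-01T09:00:06 FAIL bob
2024-05-01T09:00:00 FAIL carol
2024-05-01T09:20:00 FAIL carol
2024-05-01T09:40:00 FAIL carol
2024-05-01T10:00:00 FAIL carol
2024-05-01T10:20:00 FAIL carol
2024-05-01T10:40:00 FAIL carol
"""


def parse_events(text: str = SAMPLE_LOG):
    """Parse 'timestamp STATUS user' lines into (datetime, user), oldest first."""
    events = []
    for line in text.splitlines():
        ts, status, user = line.split()
        if status == "FAIL":
            events.append((datetime.fromisoformat(ts), user))
    events.sort()
    return events


def clipping_level_alerts(events, threshold=5, window=timedelta(hours=1)):
    """Clipping level as in the text: alert only when a user's failures in the
    trailing window exceed `threshold`.  Returns {user: time of first alert}."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, user in events:
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:           # drop failures older than the window
            q.popleft()
        if len(q) > threshold and user not in alerts:
            alerts[user] = ts
    return alerts


def account_lockouts(events, threshold=5, reset_after=timedelta(minutes=30),
                     lock_for=timedelta(minutes=15)):
    """Lockout with an automatic reset (assumed durations): `threshold` failures
    within `reset_after` lock the account for `lock_for`; it then reopens with
    no help-desk action.  Attempts against a locked account are refused and
    not counted.  Returns {user: [lock start times]}."""
    strikes = defaultdict(list)
    locked_until = {}
    locks = defaultdict(list)
    for ts, user in events:
        if ts < locked_until.get(user, ts):
            continue                        # refused while locked
        strikes[user] = [t for t in strikes[user] if ts - t <= reset_after] + [ts]
        if len(strikes[user]) >= threshold:
            locks[user].append(ts)
            locked_until[user] = ts + lock_for
            strikes[user] = []              # counter restarts after the lock expires
    return dict(locks)


if __name__ == "__main__":
    evs = parse_events()
    print("clipping-level alerts:", clipping_level_alerts(evs))
    print("lockouts:", account_lockouts(evs))
```

Running the block shows bob alerted on his sixth failure and locked after his fifth, while carol's spaced guesses produce neither an alert nor a lock.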

Password cracking is considered an offline attack because the attacker has gained access to a password hash for a particular account or the entire password database. Most password databases store the passwords as hashes rather than clear text. These one-way cryptographic hashes are created by running the plaintext password through a hashing algorithm such as MD5, LM, NT Hash (MD4), etc. The attacker will attempt to crack the password with a dictionary, then a hybrid, and finally a brute force method if suitably motivated to achieve the plaintext password. The dictionary method simply directs the password cracking tool to use a supplied list of words as potential passwords. The tool hashes each supplied word with the same algorithm the system uses and compares the resulting hash with the hash in the database. If the two hashes match, then the plaintext password is now known. If the dictionary method is unsuccessful, then the hybrid approach will likely be attempted. The hybrid approach to password cracking still leverages a word list (dictionary), but makes alterations to the word before putting the guess through the hashing algorithm. Common alterations made by hybrid crackers include prepending or appending numbers or symbols to the password, changing the case of the letters in the word, and making common symbol or number substitutions for letters (e.g., replacing an "o" with a "0"). Finally, password brute forcing involves simply attempting every possible password until the correct match is found. Brute forcing will eventually yield the password, but the question is whether it will return the plaintext password quickly enough (days, months, or years) for it to still be of value.

A variation on typical password brute forcing that can greatly increase the speed with which the correct password can be retrieved is a precomputation brute force attack. This technique employs rainbow tables, which are tables of precomputed password-hash combinations, sometimes built within specific confines such as an upper limit on password length or only the more common symbols, rather than a collection of all password hashes that are applicable for a given algorithm. While rainbow tables can reduce password cracking to a mere table lookup to find the password hash in question, the creation of these rainbow tables is an extremely time consuming process.

Note

The efficacy of precomputation brute force attacks leveraging rainbow tables is dependent upon the password hashing algorithm's implementation. The main feature that determines whether rainbow tables will greatly increase the speed of password recovery is whether the implementation of the algorithm involves salts, which is simply a way of introducing randomness into the resultant hashes. In the absence of salts, the same password will yield the exact same hash every single time. Notably, Windows' LM and NT hashes do not include salts, which makes them particularly vulnerable to this type of brute forcing. Linux and UNIX systems have employed salts for decades. A 16-bit salt would effectively require an attacker to create 65,536 separate sets of rainbow tables, one set for each possible salt.
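The salting argument in this note and in the earlier rainbow-table excerpt, as an added Python example that is not from either book: a full precomputed hash-to-password table over a deliberately tiny keyspace recovers an unsalted MD5 instantly, misses once a two-byte (16-bit) salt is mixed in, and the legitimate verifier still works because it stores the salt beside the hash. The character set, password length, fixed demo salts and function names are assumptions for the demo; a real rainbow table compresses the same coverage into hash chains, but depends on the hash being unsalted in exactly the same way.

```python
import hashlib
import hmac
import itertools
import os

# Deliberately tiny keyspace so the full table builds in well under a second:
# lowercase letters and digits, exactly 3 characters (36**3 = 46,656 entries).
CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789"
LENGTH = 3


def unsalted_hash(password: str) -> str:
    """MD5 of the bare password, the unsalted scheme the note warns about."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """MD5 over salt || password.  Two bytes of salt model the note's 16-bit salt."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def new_salt() -> bytes:
    """A fresh random 16-bit salt; a real scheme stores this beside the hash."""
    return os.urandom(2)


def build_lookup_table(charset: str = CHARSET, length: int = LENGTH) -> dict:
    """Precompute hash -> password for every password in the keyspace.

    This is the 'every possible password for a given character set' table the
    text describes, built once and reused for every hash an attacker captures.
    """
    table = {}
    for chars in itertools.product(charset, repeat=length):
        pw = "".join(chars)
        table[unsalted_hash(pw)] = pw
    return table


def lookup(table: dict, digest: str):
    """Recover the password by table lookup, or None if the digest is not covered."""
    return table.get(digest)


def tables_needed(salt_bits: int) -> int:
    """Number of separate tables needed to cover every possible salt value."""
    return 2 ** salt_bits


def verify_salted(salt: bytes, stored_digest: str, candidate: str) -> bool:
    """How the system checks a login: re-hash with the stored salt and compare."""
    return hmac.compare_digest(salted_hash(candidate, salt), stored_digest)


def run_demo(password: str = "s3c") -> dict:
    """Exercise the table against unsalted and salted storage of the same password."""
    table = build_lookup_table()
    salt_a, salt_b = b"\x00\x01", b"\x00\x02"   # fixed here so the demo is repeatable
    digest_a = salted_hash(password, salt_a)
    return {
        # Unsalted: identical passwords give identical hashes, and the table finds them.
        "unsalted_recovered": lookup(table, unsalted_hash(password)),
        # Salted: the table never contained salt||password, so the lookup misses.
        "salted_recovered": lookup(table, digest_a),
        # Same password, different salts, different hashes: no cross-user leakage.
        "salts_differ": digest_a != salted_hash(password, salt_b),
        # Covering a 16-bit salt means one full table per salt value.
        "tables_for_16_bit_salt": tables_needed(16),
        # The legitimate verifier still works because it knows the salt.
        "verify_ok": verify_salted(salt_a, digest_a, password),
        "verify_wrong": verify_salted(salt_a, digest_a, "xyz"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```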

Prevention of successful password cracking attempts can be achieved by strong password policies that prescribe appropriate length, complexity, expiration, and rotation of passwords. Further, strong system security that precludes the attacker from ever gaining access to the password database in the first place is another preventive measure.


URL: https://www.sciencedirect.com/science/article/pii/B978159749563900010X

Cybercrime

John Sammons, Michael Cross, in The Basics of Cyber Safety, 2017

Botnets and Rootkits

Rootkits are tools that may be installed on a computer to give a person elevated privileges to a system and/or to install other software. The rootkit may be installed automatically by hiding it in other software you've downloaded, as a Trojan horse, or installed manually once a hacker has gained access to your system. Once installed, it may create a backdoor that gives a hacker remote access to your computer, install other malware, or install bots (small programs designed to perform a specific task).

Bots aren't always malicious, as seen by spiders or crawlers that are used by search engines to access websites and gather information about what content is on a site. Unfortunately, the ones that aren't innocuous may be designed to access accounts, or determine what downloads are on a site so malware can be created that's disguised as programs that site offers. Another kind of bot is a spambot, which gathers valid email addresses so mailing lists can be created to send spam. Bots are particularly dangerous when they're deployed to large collections of computers, called botnets. Once a computer is infected, the bot can lie dormant until an attacker chooses to activate it. At this point, the attacker has control of your computer (now called a zombie) and all the other computers in the botnet (also called a zombie army). The attacker can send a signal to have these computers distribute viruses, or send messages to a particular server in a coordinated attack called a Distributed Denial of Service attack. Because the server gets so many messages from the zombie army, it can't serve legitimate requests to provide a web page or send-and-receive emails. By flooding the targeted server with traffic, the websites and services it provides become inaccessible and the server may crash.

Password cracking

Despite improvements in authenticating a user, passwords are still a common method of determining if a person or process is supposed to have access. While someone may try to crack your password manually by guessing and/or using social engineering tactics, there are also tools that will automatically try combinations of letters, numbers, special characters, and dictionary words, check for patterns, and use other methods to determine the password. Even if a password is encrypted, it doesn't mean that it can't be cracked. A brute force cracking tool may try millions of combinations per second until the hacker gives up or the password is finally discovered.

Password cracking tools are often associated with hacking an account on a site, app, or computer, but there are also ones designed to crack the encryption keys used on Wi-Fi networks. Some of the password-cracking tools that may be used include:

John the Ripper (www.openwall.com/john/)

Cain and Abel (www.oxid.it/cain.html)

Aircrack-ng (www.aircrack-ng.org)

Because the tool goes through a calculated method of guessing passwords, the time it takes to crack a password varies. The strength of the password, whether encryption is used, and whether there is a limited number of attempts before the account is locked out are all variables in this. In August 2014, Apple's cloud service, iCloud, was hacked, resulting in almost 500 private images of celebrities, including some with nudity, being stolen. The accounts were accessed using a combination of spear phishing and brute force attacks, and Apple later patched a vulnerability that allowed unlimited attempts to guess usernames and passwords (VoVPN, 2015). Such a vulnerability isn't unique. When AppBugs (www.appbugs.co) randomly tested 100 popular apps, they found that 53 of them allowed unlimited logon attempts, meaning a hacker could try over and over again to guess the password without being locked out (AppBugs, 2015).

Another way to get someone's password is to use recovery tools. In using recovery tools, you're able to do such things as see the passwords saved on a person's computer, such as those used in email clients and ones saved in the browser, as well as view other information and restore data that may have been deleted.

Keylogger

Keyloggers are programs that record what you type, logging each keystroke. Some provide the ability to record mouse clicks, what programs you're using, and may even take screenshots at regular intervals. They can be installed manually or automatically without your knowledge, such as by inserting a flash drive into a USB slot or through a rootkit. Once it's on your computer, someone can discreetly monitor everything you're doing. The keylogger may save the recorded keystrokes on your machine (such as to a local or external drive, or flash drive), send them to a remote location (such as an FTP site), or email them.

As seen in Fig. 5.1 (www.blazingtools.com/bpk.html), Perfect Keylogger provides an easy-to-use interface that allows you to navigate through different dates. Once you've selected a particular date in question, you can then choose to see the text someone typed on their keyboard, chats, websites they visited, and screenshots of their activity. If you're using it to monitor someone, it also includes useful date and time stamps to show when the person did something.

Figure 5.1. Perfect keylogger.

As we'll see in Chapter 10, Protecting your kids, and Chapter 13, keyloggers can be useful in situations where you want to monitor someone's activity, such as when your child is using the Internet. However, in the hands of a cybercriminal, it can be a vital resource in seeing the usernames and passwords someone typed, the sites those credentials are used for, and other data that may be used for identity theft, blackmail, fraud, and countless other crimes.


URL: https://www.sciencedirect.com/science/article/pii/B978012416650900005X

Passwords, Vulnerabilities, and Exploits

Littlejohn Shinder, Michael Cross, in Scene of the Cybercrime (Second Edition), 2008

Understanding Password Cracking

The best way to get into a system is to "trick" the system into thinking you're an authorized user. In many cases, you can do this simply by using a valid account name and password. This method is called password cracking. In this section, we look at the tools and resources hackers use to crack passwords. Investigators need to be aware of all the techniques and tools that can be used to impersonate a legitimate user and how they work. Understanding how a crack was accomplished provides valuable clues to the cracker's skill level and how determined he or she is to get into a particular network, as well as other characteristics that can help track down the culprit.

Password cracking involves acquiring valid passwords. You can do this in several ways, including:

Via various types of attacks

Recovery and exploitation of passwords stored on the system

Use of password decryption software

Social engineering

In the following sections, we look at each of these methods and ways to protect against them.

Types of Password Cracking

Ever since the first passwords were used, methods have been available for trying to crack the actual text-based version of the password. We can crack passwords for two reasons. One, users can select a weak password if the administrator has not enforced a strict password policy; two, some vendors have done a poor job scrambling the password. We will discuss several methods of attacking passwords. The methods are guessing, dictionary, brute force, syllable attack, rule-based, and hybrid.

Guessing Attack

In the guessing attack, perpetrators are successful when they are able to guess a person's password. This can occur if a user has selected a blank password. It can also occur if the user has chosen a simple password such as "password." Some users think they are smart, and will try a word in reverse, such as "drowssap." Another problem is when users select a password based on their kids, spouse, relative, or other personal information that is easy to identify.

Dictionary Attack

With a dictionary attack you load a file of dictionary words into the password cracking tool, and if the password is one of the words within the dictionary file it is cracked. It is important to note that dictionary files are available for many languages; therefore, it is a simple process of loading your dictionary for the country in which you are conducting the testing. Consultants have successfully cracked many passwords of foreign languages using this technique—a dictionary even exists for the Klingon language.

Brute Force Attack

In the brute force method of password attacking, the concept is to try every possible combination of characters until a password is found. It is the slowest method of attack, but given enough time and resources it will discover any password.

Syllable Attack

The syllable attack is a combination of brute force attack and dictionary attack. The technique usually is used when the password is known to be a nonexistent word.

Rule-Based Attack

The rule-based attack is used when the perpetrator is able to get some information about the password, usually following some form of enumeration that has identified the password policy in place for an organization. For example, if the policy indicates that the length of the password is not fewer than eight characters and must contain at least numbers and a special character, the perpetrator will adjust and customize the cracking tool for this.

Hybrid Attack

A hybrid attack is used to find a password that is a dictionary word with combinations of characters prepended or appended to it. This attack is surprisingly successful, because in most cases users will select a password that is a dictionary word surrounded by additional characters.

Rainbow Attack

The rainbow attack technique works by calculating all the possible hashes for a character set, and storing them in a table. The password hash is presented to the tool that uses the rainbow algorithm, and a table search is made until the password is found. This is a much quicker method than the other types of attack; however, the limitation of the rainbow technique is the size requirements for a table, so you need to think in terms of terabytes for complex passwords.

Password Recovery Tools

A large number of password recovery programs are available on the Internet, and they are often marketed as security tools. You might not immediately think that password-cracking programs also have a legitimate use. An employee might leave a company or die suddenly without revealing passwords that were used to protect important files, which other employees now need to access. Even if they're still around, sometimes employees forget their passwords. Some companies do password recovery as a service. One such company is Password Crackers Inc. (www.pwcrack.com). Programs marketed for legitimate purposes are usually called password recovery programs, but of course crackers can use the same software for less-than-legitimate purposes.

Note

Some recovery programs are focused on operating system passwords and others on application passwords. The Passware software at www.lostpassword.com is a modular system that lets you select modules according to your needs, to recover passwords in Windows 2000, XP, Vista, and other operating systems, as well as Excel, Access, Outlook, Word, WinZip, WordPerfect, QuickBooks, ACT, and more. The Passware Kit includes all the modules, and you can download a free demo version from the site.

Some password protection schemes are more difficult to crack than others. The passwords on documents created with older versions of Microsoft Office and zipped files are notoriously easy to crack with readily available software. With any password scheme, the better (the longer and more complex) the passwords, the longer it takes to crack them. For difficult cracking jobs, some tools even allow you to divide the task into parts and use multiple machines simultaneously to work on it in a method called distributed cracking. In the sections that follow, we'll discuss a number of the most popular tools used by network administrators, computer forensic investigators, and crackers alike.

Decryption Collection Enterprise

Paraben's Decryption Collection Enterprise is an advanced password recovery suite with support for Windows Vista and Server 2003, EFS, SQL, and Lotus Notes along with support for everything included in the Standard Edition of the suite. One of its most advanced features is its ability to distribute its processing on a network of up to 16 computers. This allows brute force or dictionary attacks using several computers. This tool is available from www.paraben-forensics.com, and its features include:

MD5 hash verification

An easy-to-use interface that lets you just drag and drop the file to be recovered

A listing of the most recent files recovered

Hypertext Markup Language (HTML) reporting of recovery results

A password cache for quick recovery of repeat passwords

English password recovery accuracy of 90 percent and higher

Reactive Software

Reactive Software (www.reactive-software.com) has created a number of utilities that can decrypt the logon passwords used by instant messaging (IM) tools such as AOL Instant Messenger, Google Talk, Miranda, MSN Messenger, Paltalk, Trillian, and Windows Live Messenger. The company also has tools for acquiring passwords used in other tools and services, such as File Transfer Protocol (FTP) tools (CuteFTP, WS FTP, and so on), online mail services (Hotmail, Gmail), Voice over IP (VoIP) tools such as Skype, and other utilities.

Cain and Abel

A Windows-based password recovery tool, Cain and Abel uses multiple methods to capture password hashes. It can get the hash from the network, or it can dump it from the local machine. Cain and Abel uses dictionary attacks, brute force, and other cryptanalysis techniques to crack passwords. In addition, it can sniff the network for data, can record VoIP conversations, and has other features that go beyond simple password cracking. Figure 11.4 shows the password cracking capabilities of this tool.

Figure 11.4. Password Cracking with Cain and Abel

LCP

The LCP tool was developed as a free alternative to the very popular L0phtcrack tool that was the pioneer in cracking passwords on a Windows platform. L0phtcrack is no longer offered, and LCP is an excellent way to get the features that used to be available with L0phtcrack. The tool offers the ability to import from a variety of formats, and it uses dictionary, hybrid, and brute force attack methodologies to discover passwords. Figure 11.5 shows the LCP tool with a dump of the SAM database.

Figure 11.5. LCP with a Dump of the SAM Database

Ophcrack

Ophcrack is a Windows-based password cracker that applies the rainbow cracking methodology, conducting the crack from existing rainbow tables. The algorithm deployed is based on the time-memory trade-off technique of precomputing all possible hashes and then looking the captured hash up in the table.

John the Ripper

John the Ripper (JTR) is a fast password cracking tool that will not only crack Windows-based passwords, but also passwords on UNIX and Linux systems. The tool runs within UNIX and Linux environments.

Brutus

Brutus is a very fast and flexible password cracking tool that can perform cracks remotely. It commonly is used to crack Web site passwords. It is a Windows-based tool that can support up to 60 simultaneous target connections.

Exploitation of Stored Passwords

Trying to guess passwords, even with software to expedite the process, is a tedious business. It would be much easier if a cracker could just find a list of passwords lying around somewhere. Well, in some cases, that's exactly what happens—the list is right there for the taking on the computer's hard disk. Passwords have to be stored somewhere; after all, how else will the system know whether a user has entered the correct password? Additionally, most people have several different passwords in addition to their logon passwords; these are used for e-mail access, entry to restricted Web sites, and the like. Rather than memorizing all these secondary passwords, many users elect to have the system "remember" the password for them. Because computers have short memories (you'll recall that all the data in RAM is lost when the computer is rebooted), these "remembered" passwords must be stored in a file somewhere. All a cracker has to do is get his or her eager little hands on that file.

Thank goodness it's a little more complicated than that. In most cases, passwords are not stored in a plain-text file that the cracker can simply open and read, except in cases in which a forgetful user creates such a file, diligently recording passwords for various services and applications. Usually, stored passwords are encrypted or hashed.

For example, UNIX systems store passwords in a file located in one of several places—the /etc/passwd file, /etc/shadow (or /etc/master.passwd on BSD systems)—along with other user information. The passwords are protected with a one-way hash function. The computer doesn't compare the actual password you type in to a list to determine whether to log you on; instead, the password you enter is hashed and the resultant hash value is compared to the stored hash.

This system sounds foolproof, but it's not. The cracking software just needs to be a little more sophisticated. If the cracker can get the password file, the program uses whatever hash function the system uses and hashes possible passwords (generating them via brute force and dictionary methods), then compares the results with the hashed passwords in the password file. This technique is called comparative analysis.

Note

UNIX and Linux systems can use shadow passwords to circumvent comparative analysis techniques. If shadow passwords are enabled, the encrypted password in the passwd file is replaced by an x. The real passwords are stored in another file, called /etc/shadow. What good does it do to store the information in a different file, especially when everyone familiar with UNIX knows the name and location of that file? The secret is that the /etc/shadow file can be accessed only by the root account. Although group accounts usually aren't assigned passwords, they can be. Group passwords can be shadowed like user passwords. In that case, the encrypted passwords are stored in a file called /etc/gshadow.

Why does all of this matter to the investigator? In some cases, an investigator can use his or her knowledge of how various operating systems store passwords to track criminals' actions. If security auditing is properly configured, investigators will be able to tell whether and when various files have been accessed. Logs that record access to password files could indicate that passwords have been or will be compromised.

Interception of Passwords

Crackers don't always have to access password files or resort to guessing (brute force) to learn usable passwords. When passwords are sent across the network via local or remote access connections in plain-text form, they can be intercepted, as can other data traveling across the network, using sniffer software. Telnet sessions to UNIX computers can be intercepted and the plain-text password extracted if security measures haven't been taken. Use of nonsecure authentication protocols such as PAP for remote access results in sending plain-text passwords across the link and should be avoided when possible.

Note

We discuss authentication protocols in more detail in Chapter 12.

Another means of intercepting passwords is to use a keystroke logger. This is a hardware device or software program that captures and records every character that is typed—including passwords. In many cases, when the program or tool is installed on a computer, there is no indication that the program is running. Users on the machine have no idea that everything they type is being recorded to a file, or in some cases e-mailed at regular intervals to the person who installed the program.

It is often possible to detect an unauthorized packet sniffer on the wire using a device called a time domain reflectometer (TDR), which sends a pulse down the cable and creates a graph of the reflections that are returned. Users who know how to read the graph can tell whether and where unauthorized devices are attached to the cable.

Other ways of detecting unauthorized connections include monitoring hub or switch lights, using Simple Network Management Protocol (SNMP) managers that log connections and disconnections, or using one of the many tools designed for the specific purpose of detecting sniffers on the network.

Password Decryption Software

Most password-cracking programs don't actually decrypt anything. However, if the encryption algorithm is weak or implemented incorrectly, it is sometimes possible to use a technique called one-byte patching, which is able to decrypt the password by changing one byte in the program. Another technique used with weak algorithms requires that the cracker already have obtained one or more files in decrypted form; then they can be used to decrypt others that use the same algorithm. This is called the known plain-text method. This technique is popular as an attack against password-protected .zip, .rar, and .arj files. All of these are extensions used for compressed archive files.

When strong cryptography is used and complex passwords are chosen, it is much more difficult to use direct decryption; in these cases, a dictionary or brute force attack is more often successful. PDF "decryptors" such as Guaranteed PDF Decryptor/Restrictions Remover (GuaPDF) use a type of brute force that involves testing all possible keys.

On the Scene

The Weak Encryption Debate

Many security experts feel that weak, easily broken encryption is worse than no encryption at all because it gives users a false sense of security, leading them to be careless with sensitive data because they believe it is protected. Others argue that weak encryption is better than no encryption because it at least keeps out the casual, merely curious, or technically unsophisticated "snoop." The truth, as usual, lies between the extremes; weak encryption might be beneficial in some situations—for example, for a noncritical document such as a personal journal that a user wants to protect from other, nontechnical users who share the computer. On the other hand, weak security can be disastrous in the case of vitally important information such as trade secrets or military data that is likely to be targeted by technically sophisticated crackers. In this situation, the weak encryption actually can be worse than none at all because the fact that the file is encrypted draws the attention of the cracker, who might otherwise have ignored it.


URL: https://www.sciencedirect.com/science/article/pii/B978159749276800011X

MCSE/MCSA 70–294: Creating User and Group Strategies

Michael Cross, ... Dr. Thomas W. Shinder (Technical Editor), in MCSE (Exam 70-294) Study Guide, 2003

System Key Utility

Most password-cracking software used in attacking computer networks attempts to target the SAM database or the Active Directory database in order to access passwords for user accounts. To secure your password information, you should use the system key utility (the syskey.exe file itself is located in the %systemroot%\System32 directory by default) on every critical machine that you administer. This utility provides additional encryption for password information, which provides an extra line of defense against would-be attackers. To use this utility on a workstation or member server, you must be a member of the local Administrators group on the machine in question. If the machine is a member of a domain, remember that the Domain Admins group is a member of the local Administrators group by default. On a domain controller (DC), you need to be a member of the Domain Admins or Enterprise Admins group.

Test Day Tip

On workstations and member servers, password information is stored within the computer's Registry. Domain controllers integrate password information into the Active Directory database that is replicated between domain controllers.

In Exercise 3.01, we go through the steps in enabling the system key utility on a Windows Server 2003 server.

EXERCISE 3.01

Creating a System Key

1.

From the Windows Server 2003 server desktop, click Start | Run, then type syskey and click OK. You'll see the screen shown in Figure 3.1.

2.

As shown in Figure 3.1, select Encryption Enabled, and then click Update.

3.

Choose from the security options shown in Figure 3.2. The various options available to you are as follows:

Password Startup This choice protects the account password information with a system key that is derived from a password you choose; the key itself is not stored on the computer, so the password must be entered during the computer's boot sequence. This is more secure than storing the startup key locally without a password, because nothing on the disk is sufficient to reconstruct the key. The drawback is that an administrator must be present to enter the syskey password whenever the machine is rebooted, which makes this a less attractive option for a remote machine that requires frequent reboots.

System Generated Password, Store Startup Key on Floppy Disk This option stores the system key on a separate diskette, which must be inserted during the system startup. This is the most secure of the three possible options, since the system key itself is not stored anywhere on the local computer and the machine will not be able to boot without the diskette that contains the system key.

System Generated Password, Store Startup Key Locally This choice encrypts the SAM or Active Directory password information using a random key that is stored in the local computer's Registry. You can reboot the machine without being prompted for a password or a diskette. However, because the key is on the disk, anyone who can copy the SYSTEM and SAM hives (by booting the machine from removable media, for example, or by taking them from a backup) can recover the key and decrypt the hashes offline, and the key can also be modified or destroyed if the physical machine is compromised. Of the three possible options when using syskey, this is the least secure.

4.

Once you have selected the option you want, click OK to finish encrypting the account information. You'll see the confirmation message shown in Figure 3.3.

Exam Warning

If you lose the diskette or forget the password that you created when you ran syskey, you won't be able to boot the computer in question without restoring the Registry or the Active Directory database from a point before you implemented syskey.

URL: https://www.sciencedirect.com/science/article/pii/B978193183694450009X

Domain 2

Eric Conrad, ... Joshua Feldman, in CISSP Study Guide, 2010

Self test

1. What type of password cracking attack will always be successful?
A. Brute Force
B. Dictionary
C. Hybrid
D. Rainbow Table

2. What is the difference between password cracking and password guessing?
A. They are the same
B. Password guessing attempts to log into the system; password cracking attempts to determine a password used to create a hash
C. Password guessing uses salts, password cracking does not
D. Password cracking risks account lockout, password guessing does not

3. The most insidious part of Phishing and Spear Phishing attacks comes from which part of the attack anatomy?
A. Each Phishing and Spear Phishing attack is socially engineered to trick the user into providing information to the attacker.
B. Phishing and Spear Phishing attacks always have malicious code downloaded onto the user's computer.
C. Phishing and Spear Phishing attacks are always poorly written.
D. Phishing and Spear Phishing attacks are rarely successful.

4. What is the term used for describing when an attacker, through a command and control network, controls hundreds, thousands, or even tens of thousands of computers and instructs all of these computers to perform actions all at once?
A. Flooding
B. Spamming
C. Phishing
D. Botnets

5. What are the main differences between retina scans and iris scans?
A. Retina scans are not invasive and iris scans are
B. Iris scans invade a person's privacy and retina scans do not
C. Iris scans change depending on the person's health, retina scans are stable
D. Retina scans change depending on the person's health, iris scans are stable

6. What is the most important decision an organization needs to make when implementing RBAC?
A. Each user's security clearance needs to be finalized
B. The roles users have on the system need to be clearly defined
C. Users' data needs to be clearly labeled
D. Users must be segregated from one another on the IT system to prevent spillage of sensitive data

7. What access control method weighs additional factors such as time of attempted access before granting access?
A. Content-dependent access control
B. Context-dependent access control
C. Role-based access control
D. Task-based access control

8. An attacker sees a building is protected by security guards, and attacks a building next door with no guards. What control combination are the security guards?
A. Physical/Compensating
B. Physical/Detective
C. Physical/Deterrent
D. Physical/Preventive

9. A type II biometric error is also known as what?
A. Crossover Error Rate (CER)
B. Equal Error Rate (EER)
C. False Accept Rate (FAR)
D. False Reject Rate (FRR)

10. Within Kerberos, which part is the single point of failure?
A. The Ticket Granting Ticket
B. The Realm
C. The Key Distribution Center
D. The Client-Server session key

Questions 11 and 12 are based on this scenario:

Your company has hired a third-party company to conduct a penetration test. Your CIO would like to know if exploitation of critical business systems is possible. The two requirements the company has are:
(1) The tests will be conducted on live, business-functional networks. These networks must be functional in order for business to run and cannot be shut down, even for an evaluation.
(2) The company wants the most in-depth test possible.

11. What kind of test should be recommended?
A. Zero knowledge
B. Partial knowledge
C. Full knowledge
D. Vulnerability testing

12. While conducting the penetration test, the tester discovers a critical business system is currently compromised. What should the tester do?
A. Note the results in the penetration testing report
B. Immediately end the penetration test and call the CIO
C. Remove the malware
D. Shut the system down

13. What group launches the most attacks?
A. Insiders
B. Outsiders
C. Hacktivists
D. Script kiddies

14. A policy that states a user must have a business requirement to view data before attempting to do so is an example of enforcing what?
A. Least privilege
B. Need to know
C. Rotation of duties
D. Separation of duties

15. What technique would raise the False Accept Rate (FAR) and lower the False Reject Rate (FRR) in a fingerprint scanning system?
A. Decrease the amount of minutiae that is verified
B. Increase the amount of minutiae that is verified
C. Lengthen the enrollment time
D. Lower the throughput time

URL: https://www.sciencedirect.com/science/article/pii/B9781597495639000032

Cryptography

In Hack Proofing Your Network (Second Edition), 2002

John the Ripper

John the Ripper is another password-cracking program, but it differs from Crack in that it is available in UNIX, DOS, and Win32 editions. Crack is well suited to older systems using crypt(), but John the Ripper is better for newer systems using MD5-based and similar password formats. John the Ripper is used primarily for UNIX passwords, but add-ons are available to break other types of passwords, such as Windows NT LanManager (LANMAN) hashes and Netscape Lightweight Directory Access Protocol (LDAP) server passwords. John the Ripper supports brute force attacks in its incremental mode. One of its most useful features is that it saves its status automatically during a cracking session, so an aborted session can be resumed later, even on a different system. John the Ripper is part of the Openwall project and is available from www.openwall.com/john.

A sample screenshot of John the Ripper is shown in Figure 6.3. In this example, a sample section of a password file in OpenBSD format is cracked using John the Ripper. Shown below the password file snippet is the actual output of John the Ripper as it runs. You can see that each cracked password is displayed on the console. Be aware that the time shown to crack all four passwords is barely over a minute only because I placed the actual passwords at the top of the "password.lst" listing, which John uses as its dictionary. Real attempts to crack passwords take far longer, because the correct passwords are not known in advance to sit at the top of the wordlist. After John has cracked a password file, you can have John display the password file in unshadowed format using the --show option.

Figure 6.3. Sample Screenshot of John the Ripper

URL: https://www.sciencedirect.com/science/article/pii/B9781928994701500094

Intrusion Detection in Contemporary Environments

Tarfa Hamed, ... Stefan C. Kremer, in Computer and Information Security Handbook (Third Edition), 2017

Account Cracking

An attacker can use tools to perform password cracking, that is, to recover passwords from a hashed password file. Brutus, Web cracker, Obiwan, Burp Intruder, and Burp Repeater are commonly cited password attack tools, but note that they work online, submitting guesses to a login form or network service; in the terms used elsewhere on this page they perform password guessing rather than offline cracking, and offline cracking of a hash file is the job of tools such as John the Ripper. A hacker uses different techniques for password cracking [21]:

Dictionary attack: involves using a dictionary of words against the victim's account

Brute force attack: involves trying every possible combination of characters until the password is cracked

Hybrid attack: basically combines the two attacks (dictionary and brute force)
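The three techniques above, together with the session save-and-resume feature described in the John the Ripper excerpt, as an added example in Python (this is not code from the page, from John the Ripper, or from any of the tools named above). The hash file format user:salt:hex(sha256(salt||password)), the wordlist, and the three sample records are constructed for illustration; a real system would use a slow KDF rather than one SHA-256 call per guess. The brute-force search is driven by a counter, so the counter alone is a checkpoint that can be written to disk and handed to another machine:

```python
"""Dictionary, hybrid and resumable brute-force attacks on a salted hash file.

Added example, not code from the page or from any of the tools it names.
Record format, wordlist and sample records are constructed assumptions.
"""
import hashlib
import string

ALPHABET = string.ascii_lowercase + string.digits               # brute-force character set
SAMPLE_WORDLIST = ["letmein", "password", "summer", "welcome"]  # constructed wordlist


def hash_password(salt: str, password: str) -> str:
    """The (assumed) stored hash: SHA-256 over salt concatenated with the password."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def make_record(user: str, salt: str, password: str) -> str:
    return f"{user}:{salt}:{hash_password(salt, password)}"


# Constructed sample hash file: one record per user, each with its own salt.
SAMPLE_HASH_FILE = "\n".join([
    make_record("alice", "a1b2", "summer"),     # plain dictionary word
    make_record("bob", "c3d4", "Welcome99"),    # dictionary word after mangling
    make_record("carol", "e5f6", "zq7"),        # short random string: brute force only
])


def parse_hash_file(text):
    """Return (user, salt, hex digest) tuples, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 3:
            records.append((parts[0], parts[1], parts[2]))
    return records


def crack(records, candidates):
    """Test each candidate against every still-uncracked record; stop when all are found."""
    found, pending = {}, list(records)
    for candidate in candidates:
        for rec in list(pending):
            user, salt, digest = rec
            if hash_password(salt, candidate) == digest:   # the salt forces one hash per user
                found[user] = candidate
                pending.remove(rec)
        if not pending:
            break
    return found


def dictionary_attack(records, wordlist):
    return crack(records, iter(wordlist))


def mangle(word):
    """Hybrid rules: case variants of a word with common numeric and symbol suffixes."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        yield base + "!"
        for n in range(100):
            yield f"{base}{n}"
            yield f"{base}{n:02d}"


def hybrid_attack(records, wordlist):
    return crack(records, (c for word in wordlist for c in mangle(word)))


def index_to_candidate(index, alphabet, max_len):
    """Map a counter to the index-th string of length 1..max_len, or None past the end.
    Because every candidate is a function of the counter, a saved counter is a checkpoint."""
    n = len(alphabet)
    length = 1
    while index >= n ** length:
        index -= n ** length
        length += 1
        if length > max_len:
            return None
    chars = []
    for _ in range(length):
        index, r = divmod(index, n)
        chars.append(alphabet[r])
    return "".join(reversed(chars))


def brute_force_attack(records, alphabet, max_len, resume_from=0, budget=None):
    """Exhaustive search in counter order. Returns (found, next_index); persist
    next_index and pass it back as resume_from to continue an interrupted run,
    even on another machine, the way John the Ripper restores a session."""
    found, pending = {}, list(records)
    index, tried = resume_from, 0
    while pending and (budget is None or tried < budget):
        candidate = index_to_candidate(index, alphabet, max_len)
        if candidate is None:
            break
        for rec in list(pending):
            user, salt, digest = rec
            if hash_password(salt, candidate) == digest:
                found[user] = candidate
                pending.remove(rec)
        index += 1
        tried += 1
    return found, index


if __name__ == "__main__":
    records = parse_hash_file(SAMPLE_HASH_FILE)
    cracked = dictionary_attack(records, SAMPLE_WORDLIST)
    remaining = [r for r in records if r[0] not in cracked]
    cracked.update(hybrid_attack(remaining, SAMPLE_WORDLIST))
    remaining = [r for r in records if r[0] not in cracked]
    more, checkpoint = brute_force_attack(remaining, ALPHABET, 3, budget=20_000)
    print("after interrupted run:", more, "resume from counter", checkpoint)
    more, _ = brute_force_attack(remaining, ALPHABET, 3, resume_from=checkpoint)
    cracked.update(more)
    print(cracked)
```

The order of the stages matters for cost: the dictionary pass is cheapest and is run first, the hybrid pass multiplies the wordlist by a fixed set of rules, and brute force is reserved for whatever is left. Note that each candidate must be hashed once per distinct salt, which is exactly why salting defeats precomputed tables.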

URL: https://www.sciencedirect.com/science/article/pii/B9780128038437000065

Privilege Escalation & Passwords

Jaron Bradley, in OS X Incident Response, 2016

Dave Grohl

Another popular tool for OS X password cracking has been built to automate the process described above. The tool is called Dave Grohl; it is open source and can be found at https://github.com/octomagon/davegrohl . It takes a number of arguments and includes built-in dictionary cracking. Because the code is open source, an adversary can easily recompile a modified copy, so static, hash-based detection of the binary is unreliable.

As you can see, Dave Grohl comes with a number of cracking options as well as an option to dump the hash in a format made for the well-known John the Ripper password cracking program. To dump a hash for a user named "test", we would do the following:

We look at this password dumper because it is important for an analyst to know what steps an adversary might take if they are determined to recover the password and all other methods have failed. Dumping the user's hash is really a last resort. Again, keep in mind that just because the attacker has sudo privileges does not mean they know the user's password; it just means they are likely to care less about what it is. This process takes a dedicated attacker, as cracking the salted PBKDF2 hash is incredibly slow. Here's an example of using Dave Grohl with lowercase letters from the built-in dictionary to try to crack the password.

You'll notice that even when using a dictionary (one of the faster ways to crack a hash, if you're lucky), I was only testing a little more than 1500 passwords per minute. At that rate, exhausting just the 26^8 (about 2.1 × 10^11) eight-character lowercase passwords would take roughly 265 years, so the attacker would need far more computing power, such as a dedicated GPU cracking rig or a supercomputer. This is why cracking the user hash is a last resort.
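Why the salted PBKDF2 hash is so slow to attack, as an added example in Python (not code from the page or from Dave Grohl). macOS stores user hashes as salted PBKDF2-HMAC-SHA512, and the block uses the same construction; the iteration count, salt and sample password are constructed assumptions, not values taken from any system. It measures how many guesses per second this machine manages against PBKDF2 versus a single SHA-512, and turns a rate into a worst-case search time, which reproduces the 265-year figure above from the author's observed 1500 guesses per minute:

```python
"""Cost of guessing against a salted PBKDF2 hash versus a plain fast hash.

Added example, not from the page or the Dave Grohl tool. Iteration count,
salt and password below are constructed assumptions.
"""
import hashlib
import hmac
import time

ITERATIONS = 50_000                                           # assumed work factor
KEY_LEN = 64                                                  # PBKDF2-HMAC-SHA512 output size
SAMPLE_SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed salt
SAMPLE_PASSWORD = "summer"                                    # constructed password


def pbkdf2_hash(password, salt, iterations=ITERATIONS):
    """Slow, salted hash: every guess costs `iterations` HMAC computations."""
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations, KEY_LEN)


def fast_hash(password, salt):
    """One SHA-512 over salt||password, for comparison only (never use this for storage)."""
    return hashlib.sha512(salt + password.encode()).digest()


def verify(password, salt, expected, iterations=ITERATIONS):
    """Constant-time comparison of the recomputed hash with the stored one."""
    return hmac.compare_digest(pbkdf2_hash(password, salt, iterations), expected)


def guesses_per_second(hash_fn, salt, seconds=0.3):
    """Measure how many candidate hashes this machine computes per second."""
    start = time.perf_counter()
    end = start + seconds
    count = 0
    while time.perf_counter() < end:
        hash_fn(f"guess{count}", salt)
        count += 1
    return count / (time.perf_counter() - start)


def seconds_to_exhaust(alphabet_size, length, rate):
    """Worst-case time to try every string of `length` over `alphabet_size` at `rate` guesses/s."""
    return alphabet_size ** length / rate


if __name__ == "__main__":
    stored = pbkdf2_hash(SAMPLE_PASSWORD, SAMPLE_SALT)
    print("correct password verifies:", verify(SAMPLE_PASSWORD, SAMPLE_SALT, stored))
    print("wrong password verifies:  ", verify("winter", SAMPLE_SALT, stored))
    slow = guesses_per_second(pbkdf2_hash, SAMPLE_SALT)
    fast = guesses_per_second(fast_hash, SAMPLE_SALT)
    print(f"PBKDF2: {slow:,.0f} guesses/s   plain SHA-512: {fast:,.0f} guesses/s   "
          f"slowdown x{fast / slow:,.0f}")
    for label, rate in (("PBKDF2", slow), ("plain SHA-512", fast), ("1500/min (text)", 25.0)):
        years = seconds_to_exhaust(26, 8, rate) / (365 * 86400)
        print(f"  8 lowercase letters at {label}: {years:,.1f} years worst case")
```

The slowdown factor printed is the whole argument: the salt forces a fresh PBKDF2 computation per user per guess, and the iteration count makes each of those cost tens of thousands of HMAC calls, so the attacker's only lever is raw hashing throughput.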

URL: https://www.sciencedirect.com/science/article/pii/B978012804456800008X

Domain 9

Eric Conrad, in Eleventh Hour CISSP, 2011

Password guessing and password cracking

It is prudent to differentiate password guessing and password cracking, as the techniques differ. Password guessing, the simpler of the two from both the attacker's and the defender's vantage point, is an online technique for authenticating as a particular user to the system. Password cracking is an offline technique in which the attacker gains access to the password hashes or the database.

Password guessing may be detected by monitoring failed-login records in system logs. To distinguish attackers from normal users who occasionally mistype their passwords, clipping levels are useful. A clipping level is a minimum reporting threshold: failures below it (for example, fewer than five failed logins for one account within an hour) are treated as ordinary mistakes and not reported, while failures at or above it generate an alert.
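The detection just described, run over log lines, as an added example in Python (not code from the page or either CISSP book). The log lines are constructed, using OpenSSH-style wording with ISO timestamps, and the clipping level of five failures per source address within ten minutes is an assumed policy value. The check also flags a success from a source that has already exceeded the clipping level, since that is the pattern of a guess that worked:

```python
"""Detecting online password guessing in auth logs with a clipping level.

Added example, not from the page. Log lines are constructed; the clipping
level and window are assumed policy values.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd[1201]: Failed password for alice from 10.0.0.5 port 51000 ssh2
2024-03-01T09:00:09 sshd[1201]: Failed password for alice from 10.0.0.5 port 51000 ssh2
2024-03-01T09:00:15 sshd[1203]: Accepted password for alice from 10.0.0.5 port 51001 ssh2
2024-03-01T09:05:00 sshd[1210]: Failed password for root from 203.0.113.9 port 40001 ssh2
2024-03-01T09:05:02 sshd[1211]: Failed password for invalid user admin from 203.0.113.9 port 40002 ssh2
2024-03-01T09:05:04 sshd[1212]: Failed password for bob from 203.0.113.9 port 40003 ssh2
2024-03-01T09:05:06 sshd[1213]: Failed password for bob from 203.0.113.9 port 40004 ssh2
2024-03-01T09:05:08 sshd[1214]: Failed password for bob from 203.0.113.9 port 40005 ssh2
2024-03-01T09:05:10 sshd[1215]: Failed password for bob from 203.0.113.9 port 40006 ssh2
2024-03-01T09:05:12 sshd[1216]: Accepted password for bob from 203.0.113.9 port 40007 ssh2
2024-03-01T10:30:00 sshd[1300]: Failed password for carol from 198.51.100.7 port 42000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_auth_log(text):
    """Return (timestamp, result, user, source) tuples in file order; ignore other lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events


def find_guessing(events, clipping_level=5, window=timedelta(minutes=10)):
    """Raise one alert when a source's failures inside `window` reach the clipping
    level, and another if that source later authenticates successfully. Failures
    below the level (a user mistyping twice) are never reported."""
    failures = defaultdict(list)   # source -> timestamps of failures still inside the window
    flagged = set()
    alerts = []
    for ts, result, user, src in events:
        if result == "Failed":
            recent = [t for t in failures[src] if ts - t <= window] + [ts]
            failures[src] = recent
            if len(recent) == clipping_level:      # == so a burst alerts once, not on every failure
                flagged.add(src)
                alerts.append({"kind": "guessing", "src": src, "user": user,
                               "ts": ts, "failures": len(recent)})
        elif src in flagged:
            alerts.append({"kind": "success_after_guessing", "src": src,
                           "user": user, "ts": ts})
    return alerts


if __name__ == "__main__":
    for alert in find_guessing(parse_auth_log(SAMPLE_LOG)):
        print(alert)
```

Lowering the clipping level catches slower attackers at the price of reporting ordinary typos; with the sample above, a level of 2 would also flag alice's two mistakes and her successful login right after them. Keying the counter on the source address rather than the account is deliberate: a guesser cycling through many usernames never trips a per-account counter.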

URL: https://www.sciencedirect.com/science/article/pii/B9781597495660000096