Password cracking (also called password hacking) is an attack vector in which attackers attempt to determine or recover a password. Password hacking uses a variety of programmatic techniques and automation with specialized tools, which may be referred to as ‘password crackers’. Credentials can also be stolen by other tactics, such as memory-scraping malware and tools like the Redline password stealer, which has been part of the attack chain in the recent, high-profile Lapsus$ ransomware attacks.
A password can refer to any string of characters or secret to authenticate an authorized user to a resource. Passwords are typically paired with a username or other mechanism to provide proof of identity.
Most breaches today involve credentials. According to Forrester Research, 80% of breaches involve compromised privileged credentials. When the compromised account is privileged, the threat actor can easily get around additional security measures, move laterally, and break other passwords. Because of this, the most crucial credentials to secure are those with a high level of privilege.
- Password cracking techniques are used to recover passwords from computer systems.
- Attackers use password cracking techniques to gain unauthorized access to the vulnerable system.
- Most of the password cracking techniques are successful due to weak or easily guessable passwords.
Types of Password Attacks
- Non-Electronic Attacks: The attacker need not possess technical knowledge to crack the password, hence these are also known as non-technical attacks.
- Shoulder Surfing
- Social Engineering
- Dumpster Diving
- Active Online Attacks: The attacker performs password cracking by directly communicating with the victim machine.
- Dictionary and Brute Forcing Attack
- Hash Injection and Phishing
- Password Guessing
- Passive Online Attacks: The attacker performs password cracking without communicating with the authorizing party.
- Wire Sniffing
- Offline Attack: The attacker copies the target’s password file and then tries to crack the passwords on their own system at a different location.
- Pre-Computed Hashes (Rainbow Table)
- Distributed Network
- Shoulder Surfing: Looking at either the user’s keyboard or screen while he/she is logging in.
- Social Engineering: Convincing people to reveal their passwords.
- Dumpster Diving: Searching for sensitive information at the user’s trash-bins, printer trash bins, and user desk for sticky notes.
Active Online Attack: Dictionary, Brute Forcing and Rule-based Attack
- Dictionary Attack: A dictionary file is loaded into the cracking application that runs against user accounts.
- Brute Forcing Attack: The program tries every combination of characters until the password is broken.
- Rule-based Attack: This attack is used when the attacker has some information about the password (for example, its likely length or structure) and uses it to narrow the candidates.
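As an added example (not from the original notes), the following Python script shows the three techniques above side by side on constructed data: a plain dictionary pass, the same wordlist expanded with rule-based mangling, and an exhaustive brute-force search, all against unsalted MD5 hashes. The accounts, wordlist, substitution table and suffix rules are constructed for the demonstration; the use shown is the audit one, checking which accounts in a dump you are authorised to test would fall to each technique, and why a dictionary word with a year and an exclamation mark is not much stronger than the bare word.

```python
import hashlib
import itertools

def md5hex(s):
    """Unsalted MD5 of a string; stands in for any fast, unsalted hash."""
    return hashlib.md5(s.encode()).hexdigest()

# Constructed demo accounts: {username: stored hash}. In a real audit these
# come from a password database you are authorised to test.
STORED_HASHES = {
    "alice": md5hex("Summer2023!"),
    "bob": md5hex("p@ssw0rd"),
    "carol": md5hex("correct horse battery"),   # not derivable from the wordlist
}

# Constructed base wordlist; a real audit loads a large dictionary file.
WORDLIST = ["summer", "password", "welcome", "admin", "letmein"]

# Character substitutions people commonly apply to "strengthen" a word (assumed rule set).
LEET = str.maketrans({"a": "@", "o": "0", "e": "3"})

def rule_variants(word):
    """Rule-based attack: expand one dictionary word into the variants a
    typical mangling rule set would try (case, leet, common suffixes)."""
    bases = {word, word.capitalize(), word.upper()}
    bases |= {b.translate(LEET) for b in list(bases)}
    for base in sorted(bases):
        yield base
        for suffix in ("!", "1", "123", "2023", "2023!", "2024"):
            yield base + suffix

def dictionary_audit(stored, wordlist, rules=True):
    """Return {username: recovered password} for every account whose hash
    matches a candidate. rules=False is a plain dictionary attack; rules=True
    applies rule_variants() to each word first."""
    by_hash = {}
    for user, h in stored.items():
        by_hash.setdefault(h, []).append(user)
    found = {}
    for word in wordlist:
        candidates = rule_variants(word) if rules else (word,)
        for cand in candidates:
            for user in by_hash.get(md5hex(cand), ()):
                found.setdefault(user, cand)
    return found

def brute_force(target_hash, charset="abcdefghijklmnopqrstuvwxyz", max_len=4):
    """Brute-force attack: try every string over charset up to max_len.
    Work is sum(len(charset)**n for n in 1..max_len), so each extra character
    multiplies the cost by the charset size; length matters more than any
    single complexity rule."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            cand = "".join(combo)
            if md5hex(cand) == target_hash:
                return cand
    return None

if __name__ == "__main__":
    print("dictionary only :", dictionary_audit(STORED_HASHES, WORDLIST, rules=False))
    print("with rules      :", dictionary_audit(STORED_HASHES, WORDLIST))
    print("brute force     :", brute_force(md5hex("zzz"), max_len=3))
```

The plain dictionary pass recovers nothing here, the rule-based pass recovers two of the three accounts, and only the passphrase survives; swapping MD5 for a slow, salted KDF is what changes the economics of all three searches.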
Active Online Attack: Password Guessing
- The attacker creates a list of all possible passwords from the information collected through social engineering or any other means and tries them manually on the victim’s machine to crack the password.
- Find a valid user
- Create a list of possible passwords
- Rank the passwords from high probability to low
- Key in each password until the correct password is discovered.
- A default password is a password supplied by the manufacturer with new password-protected equipment (e.g. switches, hubs, routers).
- Attackers include default passwords in the wordlist or dictionary they use to perform password guessing attacks.
Active Online Attack: Trojan/Spyware/Keylogger
- The attacker installs a Trojan/Spyware/Keylogger on the victim’s machine to collect the victim’s user names and passwords.
- The Trojan/Spyware/Keylogger runs in the background and sends all captured user credentials back to the attacker.
Example of Active Online Attack Using USB Drive
- Download PassView, a password hacking tool
- Copy the downloaded files to USB drive
- Create autorun.inf on the USB drive
- Contents of launch.bat
- Insert the USB drive and the autorun window will pop up (if autorun is enabled)
- PassView is executed in the background and the passwords are stored in .TXT files on the USB drive
Active Online Attack: Hash Injection Attack
- A hash injection attack allows an attacker to inject a compromised hash into a local session and use that hash to authenticate to network resources.
- The attacker finds and extracts the hash of a logged-on domain admin account.
- The attacker uses the extracted hash to log on to the domain controller.
PtH: Pass the Hash
Passive Online Attack: Wire Sniffing
- Attackers run packet sniffer tools on the local area network (LAN) to access and record the raw network traffic.
- The captured data may include sensitive information such as passwords (FTP, rlogin sessions, etc.) and emails.
- Sniffed credentials are used to gain unauthorized access to the target system.
Passive Online Attacks: Man-in-the-Middle and Replay Attack
- Gain access to the communication channels: In a MITM attack, the attacker acquires access to the communication channels between victim and server to extract the information.
- Use sniffer: In a replay attack, packets and authentication tokens are captured using a sniffer. After the relevant info is extracted, the tokens are placed back on the network to gain access.
- Relatively hard to perpetrate
- Must be trusted by one or both sides
- Can sometimes be broken by invalidating traffic
Offline Attack: Rainbow Table Attack
- Rainbow Table: A rainbow table is a precomputed table that contains wordlists (such as dictionary files and brute-force lists) together with their hash values.
- Compare the Hashes: Capture the hash of a password and compare it with the precomputed hash table. If a match is found, the password is cracked.
- Easy to Recover: It is easy to recover passwords by comparing captured password hashes to the precomputed tables.
- Precomputed Hashes:
- 1qazwed -> 21c40e47dba72e77518ee3ef88ad0cc8
- hh021da -> 2ce80b192cfa47a0d6c8a2446314810b
- 9da8dasf -> eb0f5690164ffabbed1744087a4d6761
- sodifo8sf -> 2c749bf3fff89778efc50af7e4f8d6a8
- rtgen: The rtgen program needs several parameters to generate a rainbow table; the command-line syntax is:
- Syntax: rtgen hash_algorithm charset plaintext_len_min plaintext_len_max table_index chain_len chain_num part_index
- Winrtgen: Winrtgen is a graphical Rainbow Tables Generator that supports LM, FastLM, NTLM, LMCHALL, HalfLMCHALL, NTLMCHALL, MSCACHE, MD2, MD4, MD5, SHA1, RIPEMD160, MySQL323, MySQLSHA1, CiscoPIX, ORACLE, SHA-2(256), SHA-2(384), and SHA-2(512) hashes.
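The following Python script is an added example (not from these notes or from the RainbowCrack project) that implements the mechanism the bullets above describe, on a constructed toy keyspace of 4-digit PINs hashed with unsalted MD5: chains built by alternating the hash function with a column-dependent reduction function, a table that stores only each chain’s start and end points, a lookup that replays chains to recover a hash, and a salted hash that the same table cannot match (which is the point of the salting note further down). The names chain_len and chain_num mirror the rtgen parameters above; everything else (the reduction function, the start-point formula, the PIN charset) is an assumption made for the demonstration.

```python
import hashlib
import os

# Constructed toy keyspace: 4-digit PINs (10^4 plaintexts). Real rtgen tables use
# charsets such as loweralpha-numeric and far longer chains; the mechanics are the same.
CHARSET = "0123456789"
PLAINTEXT_LEN = 4
KEYSPACE = len(CHARSET) ** PLAINTEXT_LEN

def H(plaintext):
    """The hash being attacked (unsalted MD5, as in the table above)."""
    return hashlib.md5(plaintext.encode()).digest()

def index_to_plaintext(i):
    """Map an integer in [0, KEYSPACE) to a fixed-length plaintext."""
    chars = []
    for _ in range(PLAINTEXT_LEN):
        chars.append(CHARSET[i % len(CHARSET)])
        i //= len(CHARSET)
    return "".join(chars)

def R(digest, column):
    """Reduction function (assumed form): map a hash back into the plaintext
    space. Mixing in the column index gives each chain position its own
    reduction, which is what makes the table a *rainbow* table and limits
    chain merges."""
    return index_to_plaintext((int.from_bytes(digest[:8], "big") + column) % KEYSPACE)

def generate_table(chain_len, chain_num):
    """Build {endpoint: startpoint}. Only the two ends of each chain are
    stored; the chain_len intermediate plaintexts are recomputed on lookup.
    That is the time-memory tradeoff."""
    table = {}
    for n in range(chain_num):
        start = index_to_plaintext((n * 7919) % KEYSPACE)  # deterministic start points (assumed)
        p = start
        for col in range(chain_len):
            p = R(H(p), col)
        table.setdefault(p, start)   # same endpoint twice means the chains merged; keep the first
    return table

def lookup(table, target, chain_len):
    """Recover the plaintext for target, or None if no stored chain covers it.
    For each possible column, continue the chain from the target to an
    endpoint; on a hit, replay that chain from its start and verify the
    candidate, because merged chains produce false alarms."""
    for col in range(chain_len - 1, -1, -1):
        p = R(target, col)
        for c in range(col + 1, chain_len):
            p = R(H(p), c)
        start = table.get(p)
        if start is None:
            continue
        cand = start
        for c in range(chain_len):
            if H(cand) == target:
                return cand
            cand = R(H(cand), c)
    return None

def coverage(table, chain_len):
    """Fraction of the keyspace some stored chain actually covers; it is
    below chain_num*chain_len/KEYSPACE because chains merge and repeat values."""
    seen = set()
    for start in table.values():
        p = start
        for col in range(chain_len):
            seen.add(p)
            p = R(H(p), col)
    return len(seen) / KEYSPACE

def salted_hash(password, salt):
    """Why salting defeats precomputation: the table was built for H(p), not for
    H(salt || p), so each distinct salt would need its own table."""
    return hashlib.md5(salt + password.encode()).digest()

if __name__ == "__main__":
    table = generate_table(chain_len=100, chain_num=200)
    print("stored entries:", len(table), "coverage:", round(coverage(table, 100), 2))
    print("unsalted 0000 ->", lookup(table, H("0000"), 100))
    print("salted   0000 ->", lookup(table, salted_hash("0000", os.urandom(8)), 100))
```

The table stores at most 200 pairs for a keyspace of 10,000, and a lookup costs on the order of chain_len² hash operations instead of the full keyspace; the salted lookup walks the same chains and finds nothing, which is exactly the defence the salting note below describes.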
Offline Attack: Distributed Network Attack
- A Distributed Network Attack (DNA) is a technique for recovering passwords from hashes or password-protected files using the unused processing power of machines across the network.
- The DNA Manager is installed in a central location where machines running the DNA Client can access it over the network.
- The DNA Manager coordinates the attack and allocates small portions of the key search to machines that are distributed over the network.
- The DNA Client runs in the background, consuming only unused processor time.
- The program combines the processing capabilities of all the clients connected to the network and uses them to crack the password.
Elcomsoft Distributed Password Recovery
- Elcomsoft Distributed Password Recovery breaks complex passwords, recovers strong encryption keys, and unlocks documents in a production environment.
- Security Accounts Manager (SAM) Database:
- Windows stores user passwords in the SAM, or in the Active Directory database in a domain. Passwords are never stored in clear text; they are hashed and the results are stored in the SAM.
- NTLM Authentication:
- The NTLM authentication protocol types:
- NTLM authentication protocol
- LM authentication protocol
- These protocols store the user’s password in the SAM database using different hashing methods.
- Kerberos Authentication:
- Microsoft has upgraded its default authentication protocol to Kerberos, which provides stronger authentication for client/server applications than NTLM.
How Are Hashed Passwords Stored in the Windows SAM?
- Note: LM hashes have been disabled in Windows Vista and later Windows operating systems; the LM hash will be blank on those systems.
reg save hklm\sam c:\temp\sam.save
reg save hklm\system c:\temp\system.save
- pwdump, SMBPasswd
NTLM Authentication Process
Note: Microsoft has upgraded its default authentication protocol to Kerberos, which provides stronger authentication for client/server applications than NTLM.
- XP: LM, NTLM
- Vista~: NTLMv2
- LM uses DES: PASSWOR DXXXXXX, i.e. two 7-character halves, each 7×8 = 56 bits, case-insensitive.
- Password salting is a technique in which a random string of characters is added to the password before its hash is calculated.
- Advantage: Salting makes it more difficult to reverse the hashes and defeats precomputed-hash attacks. Note: Windows password hashes are not salted.
pwdump7 and fgdump
- PWDUMP extracts LM and NTLM password hashes of local user accounts from the Security Account Manager (SAM) database.
- fgdump works like pwdump but also extracts cached credentials and allows remote network execution.
- These tools must be run with administrator privileges.
- L0phtCrack: L0phtCrack is a password auditing and recovery application packed with features such as scheduling, hash extraction from 64-bit Windows versions, and network monitoring and decoding.
- Ophcrack: Ophcrack is a Windows password cracker based on rainbow tables. It comes with a graphical user interface and runs on multiple platforms.
- Cain & Abel: It allows recovery of various kinds of passwords by sniffing the network and cracking encrypted passwords using dictionary, brute-force, and cryptanalysis attacks.
- RainbowCrack: RainbowCrack cracks hashes with rainbow tables. It uses a time-memory tradeoff algorithm to crack hashes.
- It captures the security pattern used to access the phone itself and cracks the passcode used to unlock the iPhone, plus the actual passwords used for social messaging.
- It allows you to log in to their Facebook, Skype, Twitter, Pinterest, LinkedIn, GMail and other email accounts directly from your own computer.
How to Defend against Password Cracking
- Enable information security audit to monitor and track password attacks.
- Do not reuse the same password when changing passwords.
- Do not share passwords.
- Do not use passwords that can be found in a dictionary.
- Do not use cleartext protocols and protocols with weak encryption.
- Set the password change policy to 30 days.
- Avoid storing passwords in an unsecured location.
- Do not use any system’s default passwords.
- Make passwords hard to guess by using 8-12 alphanumeric characters combining uppercase and lowercase letters, numbers, and symbols.
- Ensure that applications neither keep passwords in memory nor write them to disk in clear text.
- Use a random string (salt) as a prefix or suffix to the password before hashing it.
- Enable SYSKEY with a strong password to encrypt and protect the SAM database.
- Never use passwords such as date of birth, spouse, or child’s or pet’s name.
- Monitor the server’s logs for brute-force attacks on user accounts.
- Lock out an account subjected to too many incorrect password guesses.
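To make the last two defences concrete, here is an added Python example (not from the original notes) that runs a sliding-window brute-force detector over constructed OpenSSH-style authentication log lines and decides which accounts to lock out. The log lines, the 5-failures-in-10-minutes threshold and the alert names are assumptions chosen for the demonstration; the source addresses come from documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH's auth-log format (not a real capture).
SAMPLE_LOG = """\
Mar 10 09:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Mar 10 09:00:02 host sshd[1002]: Failed password for root from 203.0.113.5 port 40002 ssh2
Mar 10 09:00:03 host sshd[1003]: Failed password for root from 203.0.113.5 port 40003 ssh2
Mar 10 09:00:04 host sshd[1004]: Failed password for root from 203.0.113.5 port 40004 ssh2
Mar 10 09:00:05 host sshd[1005]: Failed password for root from 203.0.113.5 port 40005 ssh2
Mar 10 09:00:06 host sshd[1006]: Failed password for root from 203.0.113.5 port 40006 ssh2
Mar 10 09:00:07 host sshd[1007]: Accepted password for root from 203.0.113.5 port 40007 ssh2
Mar 10 09:05:00 host sshd[1008]: Failed password for alice from 198.51.100.7 port 50001 ssh2
Mar 10 09:20:00 host sshd[1009]: Failed password for alice from 198.51.100.7 port 50002 ssh2
Mar 10 09:20:10 host sshd[1010]: Accepted password for alice from 198.51.100.7 port 50003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)

def parse(line, year=2024):
    """Parse one line into a dict, or None for lines that are not password
    authentication events. Syslog timestamps carry no year, so one is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "Accepted", "user": m["user"], "src": m["src"]}

def detect(lines, threshold=5, window=timedelta(minutes=10)):
    """Sliding-window brute-force detection plus lockout decision.
    - 'brute_force': one source reaches `threshold` failures inside `window`.
    - 'brute_force_success': that source then logs in successfully, i.e. the
      guessing probably worked; triage these first.
    - locked: accounts that took `threshold` or more failures inside `window`
      from any source, which is the lockout rule in the list above."""
    events = [e for e in (parse(line) for line in lines) if e]
    by_src, by_user = defaultdict(list), defaultdict(list)
    alerts, locked = [], set()
    for e in events:
        # Drop failures that have aged out of the window for this source and account.
        src_recent = [t for t in by_src[e["src"]] if e["ts"] - t <= window]
        user_recent = [t for t in by_user[e["user"]] if e["ts"] - t <= window]
        by_src[e["src"]], by_user[e["user"]] = src_recent, user_recent
        if e["ok"]:
            if len(src_recent) >= threshold:
                alerts.append(("brute_force_success", e["src"], e["user"]))
            continue
        src_recent.append(e["ts"])
        user_recent.append(e["ts"])
        if len(src_recent) == threshold:          # fire once per burst, not on every failure
            alerts.append(("brute_force", e["src"], e["user"]))
        if len(user_recent) >= threshold:
            locked.add(e["user"])
    return alerts, locked

if __name__ == "__main__":
    alerts, locked = detect(SAMPLE_LOG.splitlines())
    for a in alerts:
        print(*a)
    print("lock out:", sorted(locked))
```

On the sample, the burst from 203.0.113.5 raises a brute_force alert on its fifth failure and a brute_force_success alert when the following login is accepted, and root is locked out; alice’s two failures fall outside the window and produce nothing, which is the false-positive case a per-window count avoids.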
Is password cracking illegal?
Depending on the location, password cracking may or may not be legal. It is generally based on intent. For instance, it might be acceptable to retrieve one’s own password using a password cracking program. However, it will almost always be prohibited if the intention is to willfully steal, harm, or otherwise abuse someone else’s data.
Unauthorized access to another individual’s device can be grounds for criminal charges. Even guessing someone’s password without the use of a password cracker can lead to criminal charges. Under U.S. state and federal laws, more charges can be added depending on what threat actors do once they gain unauthorized access.
In short, using a password cracking method to access one’s own password is legal. Using these methods or tools to gain access to someone else’s password can lead to criminal charges.