2/11/2016

Password cracking

Source : xkcd
When I was a young IT manager, in the 90s, there was a "tradition" between network admins at that time: testing the users' passwords to check the security and safety of the network environment we were in charge of.

This is how I discovered the software named "crack", freely and widely distributed on the Internet.

It is also at that moment I realized how useful it was to share useful knowledge for those who want to protect themselves, based on the fact those who attack already have this knowledge.

This is a blog entry on the tools I use today in the forensic analysis I have to deal with, either in a legal affair, either in the professional world (who, as an admin, never had to workaround a root or a BIOS password?). I hope it can help any new legal expert, or anyone who want to test their personal or professional IT network.

Reminder: any illegal use of that kind of tool can lead to legal consequences. If you're trying to get your boss' password or prank a colleague, please move along. If you're a network admin, please confirm you have the approval of your management team, which is not always the case. Finally, dear parents or dear children, password cracking of other family members to use them against their will is prohibited by the law.

Long story short: bad is bad, illegal is illegal...
If he weren't dead, he would still be envied.

Note to readers already working or aware of computer security, don't expect any major discovery or incredible technique in what comes next. Please consider this note as an introduction to my "watishesayin" or the curious.

---------------------------------------
0) The magic tool, the one which impresses the friends: Ophcrack

Get on the Ophcrack download page, download the LiveCD that suits your needs (e.g. Vista/7), burn it and boot your Windows 7 computer with it. Look and admire, it's plug and play.

Ophcrack works pretty well on virtual machines, for examples with disk images created with "dd" and mounted using LiveView.

For those of you who want to go further, there are "rainbow tables" available for download more or less freely on the Internet, improving the performance on the password recovery.  Be careful, those table can weigh a couple gigabytes. You can also create them yourself (e.g. using RainbowCrack), using a VERY powerful computer and a few months of calculation...

Ophcrack is a precious tool during searches, where Windows XP or 7 are often met.

Advise to newbie IT admins: block the "Boot on CD" mode on the desktop systems you are managing...


---------------------------------------
1) The eldest, the one that will give you the geeky beard : crack

Crack is a software that searches for password based of dictionary words found in flat files. I own this software my best collection of "dictionaries", the word meaning here "list of words" (with no definition). I have dictionaries of words in a large number of languages, dictionaries of words written in phonetic alphabet, some rules of coding/decoding SMS language (1to for into), etc. I also gathered, when they became available on the Internet, all the password files from anonymous users (sometimes millions)...

As I've said before, it's the first program I used in the context of my network's security, to validate the password chosen by the students. Let me say here that I am moderately bearded. 20% from the students' passwords were found in less than 5mn, 80% in less than 1 hour. I displayed in the corridor of the lab the password list in order of discovery (without the associated account), with the formal order for the students to change their passwords... The old days ;-)

Crack is a tool created for and working in UNIX. The "Troll" category of the FAQ has details about this. For those who have a bit more time, read the most curious emails sent to the developer of crack.

It's an educational tool, which can still be useful, even if I have to admit I haven't used it for a long time.


---------------------------------------
2) The must-have: John The Ripper

John The Ripper (JTR) is one of the most well-known in the world of password cracking. While being a bit old now, it evolved to use different methods.

It has the big advantage of working in multiple environments: Windows, Linux, Mac OS, etc. It is also a dictionary based tool.

I tell here the story of this software being present on the workstation of an employee having his boss' password in a textfile...


---------------------------------------
3) The remote multi-protocol attack: Hydra

If you have to audit a bundle of servers, workstations, protocols, services, remote stuff, or even a single computer, without moving from your chair, here is what you need: THC-Hydra.

I copy/paste here the description of the product coming from the manual:
THC-Hydra is a very fast (multi-threaded) network logon cracker which supports many different services: afp, cisco, cisco-enable, cvs, firebird, ftp, http-get, http-head, http-proxy, https-get, https-head, https-form-get, https-form-post, icq, imap, imap-ntlm, ldap2, ldap3, mssql, mysql, ncp, nntp, oracle-listener, pcanywhere, pcnfs, pop3, pop3-ntlm, postgres, rexec, rlogin, rsh, sapr3, sip, smb, smbnt, smtp-auth, smtp-auth-ntlm, snmp, socks5, ssh2, svn, teamspeak, telnet, vmauthd, vnc.

This software has two ways of working: brute-force attack or dictionary-based. By the way, don't forget the features less known of the network swiss-knife tool: nmap and its ways of brute-fore attacks.

---------------------------------------
4) The forgotten BIOS password: PC CMOS Cleaner

Everything is in the title. Here again, a liveCD to download to boot on. Quick, efficient, but modifies the sealed computer, so forbidden.

Another way, the old method of "removing the BIOS battery" still works, but you need to know where to find it, especially on laptops. Again, forbidden if working on a seal.


---------------------------------------
5) Efficient but slow: emails

The best of all methos is a simple fact I often make: the vast majority of perople ony use one or two passwords for all authentication systems they face.

It is highly probably that the user of the computer chose his "default" password to sign up on any shopping, webmail or download website. Amongst all those sites, it is frequent that at least one of them will send the signup password in CLEAR TEXT in an email.

You just have to analyse email accounts (Outlook, Thunderbird, log traces of browsers, etc), to find emails saying "your password is ZorroFromHell, thank you for not deleting this email" (yes, thank you indeed). When you list the passwords you found using this method, you rarely have more than 3 or 4. You only have to test them on the targeted account to find the one.

This is basic social engineering...

---------------------------------------
Conclusion

The privacy lover that I am will start by an advice on passwords  choose them so that they can't appear in a password list, and make them long enough so that they can resist a brute-force attack. I usually give the example of the first letters of a song or a poem, with a mix of upper-case and lower-case letters. E.g.: LsLdvdLBmCdULm, to which you can add some numbers (upper-case, of course...): LsLdvdL1844BmCdULm1896. It's nice, it's long, it's good, it's hard to guess when watching you type on the keyboard (unless you're singing).

Be careful thought, it's not unbreakable (cf first point on Ophcrack and the CD-ROM boot).

Then, another advice, a bit more painful: use a different password for every account you have. Ten accounts, ten password. 50 accounts, 50 passwords. One for twitter, another for Facebook, another for Gmail, etc. Of course, human nature is made in a way that the memorization of all those passwords becomes complicated. I would recommend of software such as Keepass to store them securely. This software is even certified by the ANSSI, which means a lot. It can also generate long random passwords, with the option of copy/pasting them, which leads to not even knowing your own passwords.

So you only have to remember one password, which you will never write down: the one that opens the Keepass database. Moreover, this software is double authentication based (file + password). You can even upload it on the cloud to have access from anywhere !

Password cracking is a fun activity, a small technical challenge accessible to anyone. It is a bit harder for some students to remember that this technical challenge and knowledge must remain on the light side of the Force. No matter what: sit vis vobiscum !

--------------------------------------
Translation by Wobak
Photo credit xkcd