Password Review

Hacking passwords has always been a popular activity for cyber attackers, although the newer methods have evolved from simple password guessing.
A password can be any acceptable set of characters that the authentication system accepts. For example, on a Microsoft Windows system, the local Security Accounts Management (SAM) database or the networked Active Directory authentication system (NTDS) can accept thousands of different characters, many of which require special keystroke combinations (for example Alt+0128)
to create.

Authentication Databases
Passwords are stored in a local and/or networked database known as the authentication database. The authentication database is usually protected or encrypted, and it is rarely directly accessible by non-privileged users. Passwords are also often stored in local and/or remote memory (if networked) while the user or device is active.

Password Hashes
Most typed passwords are converted into some other intermediary form for security reasons. In most traditional operating systems, passwords get converted into a cryptographic hash. The hash can be used in the authentication sequence itself or simply stored for later authentication purposes. Common password hashes on Windows systems are LANManager (LM), NTLANManager (NT), and PBKDF2 for local password cache storage. Linux systems often use MD5, Blowfish (created by Bruce Schneier, profiled in Chapter 3), SHA-256, or SHA-512. The best hashes create and use a random value (called the “salt”) during the creation and storage of the password hash. This makes it harder for a hacker obtaining the password hash to convert it back to its plaintext original value.

Authentication Challenges
Secure network authentication scenarios do not pass the password or the password hash across a network link. Instead, an authentication challenge is performed. Usually the remote server, which already knows the client’s password or password hash, creates a random value and performs a cryptographic operation that only the legitimate client, with the same legitimate password or hash, can also correctly perform. The server sends the random value to the client, and the client uses the password (or intermediate representation) to perform the expected calculations and sends the result back to the server. The server compares the result sent by the client to its own internally
expected result for the client, and if the two agree, the client is successfully authenticated. This way if an intruder captures the packets used in network authentication, they will not immediately have the password or the password hash, although it is often possible with cryptographic analysis to sometimes work back to one or the other over time.

Authentication Factors
Because passwords can easily be stolen (and sometimes guessed), authentication systems are increasingly asking for additional “factors” for a subject to prove ownership of a logon label.
There are three basic types of factors:
1.something you know (such as a password, PIN, passphrase, or screen pattern)
2.something you have (such as a security token, cell phone, or smart card)
3.something you are (such as a bio-metric identity, like a finger print, retina print, or hand geometry).
In general, the more factors required to authenticate, the better. The idea is that it is harder for an attacker to steal two or more factors than it is to steal just one factor. Using two factors is known as two-factor authentication (or 2FA), and using more is known as multi-factor authentication (or MFA). Using two or more of the same factors is not as strong as using different types of factors.

Passwords Hacking
There are many ways to hack passwords, including the methods described in the following sections.

Password Guessing
Just like in the movies, hackers can simply guess a person’s password. If the password is simple and the hacker knows something about the person, they can try guessing a password based on the person’s interests. It’s well known that users often create passwords named after themselves, loved ones, or their favorite hobbies. The hacker can manually try to guess a person’s password at a logon screen or use one of the many hacker tools for automating password guessing. If the automated password guesser blindly tries every possible password combination, it is known as a “brute force” guessing attack. If it uses a predefined set of possible password values, which is often a dictionary of words, then the password guessing tool is known as a “dictionary” password guessing attack. Most password guessers use a tool that begins with a dictionary set of words that then supplements the plaintext words with different combinations of numbers and special characters to guess at more complex passwords.

The hacker can also use a realistic-looking, but fraudulent, online request (via web site or email) to trick the user into revealing their password. This is known as “phishing.” If the phishing attempt uses what was previously private or internal information, it’s known as “spearphishing.” Hackers can also use a phone or show up in person to attempt to trick users out of their passwords. It works far more often than you would think.

If the hacker already has elevated access to the victim’s computer, they can install a program called a “keylogger,” which captures typed keystrokes. Keyloggers are great for capturing passwords, and they don’t care if the password is long or complex.

Hash Cracking
If the hacker can access the victim’s authentication database, they can access the stored password, or more likely, password hashes. Strong hashes are cryptographically resistant to converting back to their original plaintext forms. Weaker hashes, unsalted hashes, and even strong hashes of short passwords are subject to “hash cracking.” A hash cracker tries (either using brute force or dictionary methods) to input every possible password, converts it to a hash, and then compares the newly created hash to the stolen hash. If they match, then the hacker now has the plaintext password. “Rainbow tables” are related to traditional hash crackers, only their hash table stores an intermediate form used for password or hash comparison that significantly speeds up the cracking. There are many free passwords guessing and cracking programs available on the Internet. If you’re interested in trying a password hash cracker, the open source John the Ripper ( is a great one to learn with.

Credential Reuse
If the hacker already has elevated access, they can steal the user’s password hash or other credential representation from computer memory or the stored authentication database, and then replay it to other computers that accept authentication using the stolen credentials. This type of attack, and in particular one known as “Pass-the-Hash” (or PtH), has become quite popular over the last decade. In a traditional PtH scenario, the attacker first breaks into one or more regular end-user computers, locates the local elevated account hashes, and then uses that access to eventually access the computer’s or network’s storage of all credentials, which essentially compromises the whole IT environment. PtH attacks have happened to nearly every company and entity connected to the Internet over the last decade.

Hacking Password Reset Portals
Many times, the quickest way to hack a password is to hack the password’s related reset portal. Many authentication systems, especially the big, online systems, allow the end-user to answer a series of predefined questions to reset their password. Hackers have found that it is far easier to guess or research the answer to a particular victim’s reset questions (such as “What is your mother’s maiden name?” “What is the first elementary school you went to?” “What was your first car?” “What is your favorite color?” and so on) than it is to guess at their password. Many big celebrity hacks have occurred using this method.

Hacking: Tips and Tricks to Get Past the Beginner's Level (Password Hacking, Network Hacking, Wireless Hacking, Ethical versus Criminal Hacking, Hacker Mindset Book 2) 

Throughout These Chapters You Will Learn

  • How to become an ethical hacker
  • The Evil Sides of Criminal Hacking
  • How to circumvent passwords not only on a computer but from other devices as well
  • Getting into a network through different means
  • Active Hacking Versus Passive Hacking
  • Frequent mistakes made with Hacking and How to avoid them
  • Developing the right Hacker mindset

No comments

Powered by Blogger.