The Internet Encyclopedia (Volume 3)



WL040C-01 WL040/Bidgoli-Vol III-Ch-01 June 24, 2003 10:39 Char Count= 0


PASSWORD CRACKING TOOLS 5

12 characters. Passwords are also, in general, not just random strings of symbols. Because users need to remember them, passwords are usually words or phrases of significance to the user. This gives the attacker an opportunity to reduce the search space.
An attacker might steal a password file (or sniff the wire and capture the user ID/password hash pairs during logon) and then run a password-cracking tool on it. Because a hash cannot be decrypted back into a password, these programs try a dictionary approach first. The program guesses a password, say the word “Dilbert.” It then hashes “Dilbert” and compares the result to one of the hashed entries in the password file. If it matches, that password hash represents the password “Dilbert.” If the hash does not match, the program takes another guess. Depending on the tool, a password cracker will try all the words in a dictionary, all the names in a phone book, and so on. Again, the attacker does not need to know the original password, just a password that hashes to the same value.
This is analogous to the “birthday paradox,” which basically says, “If you get 25 people together in a room, the odds are better than 50/50 that two of them will have the same birthday.” How does this work? Imagine a person meeting another on the street and asking him his birthday. The chances of the two having the same birthday are only 1/365 (0.27%). Even if one person asks 25 people, the probability is still low. But with 25 people in a room together, each of the 25 is asking the other 24 about their birthdays. Each person has only a small (less than 5%) chance of success, but trying it 25 times increases the probability significantly.
In a room of 25 people, there are 300 possible pairs (25 × 24 / 2). Each pair has a probability of success of 1/365 = 0.27% and a probability of failure of 1 − 0.27% = 99.726%. Calculating the probability that every pair fails: (99.726%)^300 = 44%. The probability of success is then 100% − 44% = 56%, so a birthday match will actually be found five out of nine times. In a room with 42 people, the odds of finding a birthday match rise to 9 out of 10. Thus, the birthday paradox is that it is much easier to find two values that match than it is to find a match to some particular value.
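The chapter's arithmetic carried out in code, as an added example that is not part of the encyclopedia text: the pair-by-pair approximation the chapter uses is placed next to the exact any-two-match probability, and the size of the value space is a parameter so the same functions apply to the output space of a hash. Function names are this example's own.

```python
DAYS_IN_YEAR = 365

def pair_count(n):
    """Distinct pairs among n people: n * (n - 1) / 2 (300 for n = 25)."""
    return n * (n - 1) // 2

def pair_approximation(n, space=DAYS_IN_YEAR):
    """The chapter's back-of-the-envelope figure: treat every pair as an
    independent 1/space trial and multiply the per-pair failure odds."""
    fail_per_pair = 1 - 1 / space        # 99.726% for 365 days
    all_fail = fail_per_pair ** pair_count(n)
    return 1 - all_fail

def exact_probability(n, space=DAYS_IN_YEAR):
    """Exact value: 1 minus the chance that all n values are distinct.
    'space' may be 365 birthdays or the number of possible hash outputs."""
    all_distinct = 1.0
    for k in range(n):
        all_distinct *= (space - k) / space
    return 1 - all_distinct

def smallest_group(target, space=DAYS_IN_YEAR):
    """Smallest n at which some pair matches with probability >= target."""
    n = 1
    while exact_probability(n, space) < target:
        n += 1
    return n

if __name__ == "__main__":
    for n in (25, 42):
        print(f"{n} people: pair approximation {pair_approximation(n):.0%}, "
              f"exact {exact_probability(n):.1%}")
    # Same arithmetic for a toy 16-bit hash: far fewer than 65536 values
    # are needed before two of them collide.
    print("16-bit hash: 50% collision after", smallest_group(0.5, 2 ** 16), "values")
```

The pair approximation treats the 300 pairs as independent, which they are not, so it lands a little below the exact value; for the sizes discussed here the two agree to within a few percentage points.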
If a wave of dictionary guesses fails to produce any passwords for the attacker, the cracking program will next try a hybrid approach of different combinations, such as forward and backward spellings of dictionary words, additional numbers and special characters, or sequences of characters. The goal here again is to reduce the cracker’s search space by trying “likely” combinations of known words.
Only after exhausting both of these avenues will the cracking program begin an exhaustive, or brute-force, attack on the entire password space. And, of course, it remembers the passwords it has already tried and will not have to recheck them during the brute-force search.
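The guess-hash-compare loop and the dictionary and hybrid stages described above, written out as an added example that is not from the encyclopedia or from any of the tools it names. It is framed as a password audit against a constructed list of accounts; SHA-256 stands in for whatever hash format the audited system really stores, and the function and account names are this example's own.

```python
import hashlib

def hash_guess(guess):
    """Constructed stand-in for the stored hash; real tools compute the
    system's own format here (LM/NTLM, crypt() entries) instead."""
    return hashlib.sha256(guess.encode()).hexdigest()

def hybrid_variants(word):
    """Hybrid-stage variants of a dictionary word, as the chapter lists them:
    case changes, backward spelling, appended digits."""
    yield word.lower()
    yield word.capitalize()
    yield word[::-1]
    for n in range(100):
        yield f"{word}{n}"

def audit(hash_by_user, dictionary):
    """Guess, hash, compare. Returns {user: (stage, plaintext)} for each hash
    a dictionary or hybrid pass recovers; the rest would need brute force."""
    pending = dict(hash_by_user)
    found = {}
    tried = set()  # the cracker remembers guesses it has already hashed
    stages = (("dictionary", iter(dictionary)),
              ("hybrid", (v for w in dictionary for v in hybrid_variants(w))))
    for stage, guesses in stages:
        for guess in guesses:
            if not pending:
                return found
            if guess in tried:
                continue
            tried.add(guess)
            digest = hash_guess(guess)
            for user, stored in list(pending.items()):
                if digest == stored:  # same hash, so an equivalent password
                    found[user] = (stage, guess)
                    del pending[user]
    return found

# Constructed sample data, not taken from any real system.
DICTIONARY = ["dilbert", "password", "summer"]
SAMPLE_HASHES = {
    "alice": hash_guess("dilbert"),    # plain dictionary word
    "bob": hash_guess("summer99"),     # dictionary word plus digits
    "carol": hash_guess("x7#Qp9!Lm"),  # only brute force would reach this
}

if __name__ == "__main__":
    for user, (stage, pw) in audit(SAMPLE_HASHES, DICTIONARY).items():
        print(f"{user}: recovered in the {stage} pass ({pw!r})")
```

Accounts the audit does not return are the ones whose passwords survive the cheap stages, which is the property a password policy is meant to guarantee for every account.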

Approaches to Retrieving Passwords
Most password-cracking programs will first attempt to retrieve password hashes to begin their cracking processes. A sophisticated attacker will not try to guess passwords by entering them through the standard user interface, because the time to do so is prohibitive and most systems can be configured to lock a user out after too many wrong guesses.
On Microsoft Windows systems, it typically requires the “Administrator” privilege to read the password hashes from the database in which they are stored. This is usually somewhere in the system registry. In order to access them, a cracking tool will attempt to dump the password hashes from the Windows registry on the local machine, or over the network if the remote machine allows network registry access. The latter requires a target Windows machine name or IP address.
Another method is to access the password hashes directly from the file system. On Microsoft Windows systems, this is the SAM. Because Windows locks the SAM file, where the password hashes are stored in the file system, with an encryption mechanism known as SYSKEY, it is impossible to read them from this file while the system is running. However, sometimes there is a backup of this file on tape, on an emergency repair disk (ERD), or in the repair directory of the system’s hard drive. Alternatively, a user may boot from a floppy disk running another operating system such as MS-DOS and be able to read password hashes directly from the file system. This is why security administrators should never neglect the physical security of systems. If an attacker can physically access a machine, he or she can bypass the built-in file system security mechanisms (see Recovering Windows NT Passwords).
Todd Sabin has released a free utility called PWDUMP2 that can dump the password hashes on a local machine even if the SAM has been encrypted with the SYSKEY utility that was introduced in Windows NT Service Pack 3. Once a user downloads the utility, he or she can follow the instructions on the Web page to retrieve the password hashes, load the hashes into a tool such as L0phtCrack, and begin cracking them.

Password Sniffing
Instead of capturing the system user file (SAM on Windows or /etc/passwd or /etc/shadow on Unix/Linux), another way of collecting user IDs and passwords is by sniffing network traffic. Sniffing uses some sort of software or hardware wiretap device to eavesdrop on network communications, usually by capturing and deciphering communication packets. According to Peiter “Mudge” Zatko, who initially wrote L0phtCrack: “Sniffing is slang for placing a network card into promiscuous mode so that it actually looks at all of the traffic coming along the line and not just the packets that are addressed to it. By doing this one can catch passwords, login names, confidential information, etc” (Zatko, 1999b).
L0phtCrack offers an “SMB Packet Capture” function to capture encrypted hashes transmitted over a Windows network segment. On a switched network, a cracker will only be able to sniff sessions originating from the local machine or connecting to that machine. As server message block (SMB) session authentication messages are captured by the tool, they are displayed in the SMB Packet Capture window. The display shows the source and destination IP addresses, the user name, the SMB challenge, the encrypted LAN Manager hash, and the encrypted NT LAN Manager hash, if any. To crack these hashes,