lptv4 module 25 password cracking penetration testing_norestriction

Upload: mahmoud-eladawi

Post on 08-Nov-2014

Page 1: LPTv4 Module 25 Password Cracking Penetration Testing_NoRestriction

ECSA/LPT

EC-Council Module XXV

Password Cracking Penetration Testing

Page 2

Penetration Testing Roadmap

• Start Here
• Information Gathering
• Vulnerability Analysis
• External Penetration Testing
• Firewall Penetration Testing
• Router and Switches Penetration Testing
• Internal Network Penetration Testing
• IDS Penetration Testing
• Wireless Network Penetration Testing
• Denial of Service Penetration Testing
• Password Cracking Penetration Testing
• Stolen Laptop, PDAs and Cell Phones Penetration Testing
• Social Engineering Penetration Testing
• Application Penetration Testing
• Cont’d

Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

Page 3

Penetration Testing Roadmap (cont’d)

• Cont’d
• Physical Security Penetration Testing
• Database Penetration Testing
• VoIP Penetration Testing
• Virus and Trojan Detection
• War Dialing
• VPN Penetration Testing
• Log Management Penetration Testing
• File Integrity Checking
• Blue Tooth and Hand held Device Penetration Testing
• Telecommunication And Broadband Communication Penetration Testing
• Email Security Penetration Testing
• Security Patches Penetration Testing
• Data Leakage Penetration Testing
• End Here

Page 4

Passwords

Companies protect their resources by using combinations of user IDs and passwords.

Hackers can brute force or guess the passwords of web applications.

Some system software products use weak or no encryption to store and/or transmit their user IDs and passwords from the client to the server.

One of the leading causes of network compromises is the use of easily guessable or decipherable passwords.

Page 5

Common Password Vulnerabilities

Weak passwords are:

• Easily guessable, i.e. pet names, car number, family member’s name, etc.
• Comprised of common vocabulary words.

Improper handling of strong passwords:

• Involves the need for the user to write down the password in an insecure location.

Page 6

Password Cracking Techniques

• Guessing
• Shoulder surfing
• Social engineering
• Using password crackers or network analyzers

Page 7

Types of Password Cracking Attacks

Dictionary attacks: These attacks compare a set of words against a password database.

Brute-force attack: This attack checks every combination of letters and numbers until the password is found.

Hybrid attack: This attack cracks passwords by adding numbers and symbols to dictionary words.
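A defender-side policy check built on the three attack types above: it reports which class (dictionary, hybrid or brute force) would recover a candidate password first, and rejects it accordingly. This is an added example, not code from the EC-Council module; the word list, the leet substitution table and the 2**40 keyspace threshold are constructed assumptions.

```python
import string

# Constructed sample word list; a real policy check would load a full dictionary.
COMMON_WORDS = {"password", "welcome", "summer", "dragon", "rebecca", "mustang"}

# Substitutions a hybrid attack tries on top of appended digits and symbols (assumed set).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})

def hybrid_base(candidate: str) -> str:
    """Undo hybrid mutations: strip digits and symbols from both ends,
    reverse the leet substitutions above, and fold case."""
    core = candidate.strip(string.digits + string.punctuation)
    return core.translate(LEET).lower()

def charset_size(candidate: str) -> int:
    """Size of the smallest standard character set that covers the password,
    which is the set an exhaustive brute-force search would have to walk."""
    size = 0
    if any(c.islower() for c in candidate):
        size += 26
    if any(c.isupper() for c in candidate):
        size += 26
    if any(c.isdigit() for c in candidate):
        size += 10
    if any(c in string.punctuation for c in candidate):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    return size

def brute_force_keyspace(candidate: str) -> int:
    """Candidates an exhaustive search over that set and length must cover."""
    return charset_size(candidate) ** len(candidate)

def weakest_attack_class(candidate: str, words=COMMON_WORDS) -> str:
    """Return the attack type from the slide that would recover the password first."""
    if candidate.lower() in words:
        return "dictionary"
    if hybrid_base(candidate) in words:
        return "hybrid"
    return "brute-force"

def check_policy(candidate: str, words=COMMON_WORDS) -> tuple:
    """Reject anything a dictionary or hybrid attack recovers, and anything whose
    brute-force keyspace is below 2**40 (an assumed threshold, not from the slides)."""
    cls = weakest_attack_class(candidate, words)
    if cls != "brute-force":
        return (False, cls)
    if brute_force_keyspace(candidate) < 2 ** 40:
        return (False, "short keyspace")
    return (True, cls)
```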

Page 8

Steps in Password Cracking Penetration Testing

• Extract /etc/passwd and /etc/shadow files in Linux systems
• Extract SAM file from Windows machines
• Identify the target person’s personal profile
• Build a dictionary of word lists
• Attempt to guess passwords
• Brute force passwords
• Use automated password crackers to break password-protected files

Page 9

Step 1: Extract /etc/passwd and /etc/shadow Files in Linux Systems

The password file for Linux is located in /etc and is a text file called passwd. By default and design, this file is world readable by anyone on the system.

On a Unix system using NIS/yp or password shadowing the password data may be located elsewhere. This "shadow" file is usually where the password hashes themselves are located.

root:!:0:0:root:/root:/bin/tcsh
bin:!:1:1:bin:/bin:
daemon:!:2:2:daemon:/sbin:
adm:!:3:4:adm:/var/adm:
lp:!:4:7:lp:/var/spool/lpd:
sync:!:5:0:sync:/sbin:/bin/sync
shutdown:!:6:0:shutdown:/sbin:/sbin/shutdown
halt:!:7:0:halt:/sbin:/sbin/halt
mail:!:8:12:mail:/var/spool/mail:
news:!:9:13:INN (NNTP Server) Admin ID, 525-2525:/usr/local/lib/inn:/bin/ksh
uucp:!:10:14:uucp login user:/var/spool/uucppublic:/usr/sbin/uucp/uucico
operator:!:0:0:operator:/root:/bin/tcsh
games:!:12:100:games:/usr/games:
man:!:13:15:man:/usr/man:
postmaster:!:14:12:postmaster:/var/spool/mail:/bin/tcsh
httpd:!:15:30:httpd:/usr/sbin:/usr/sbin/httpd:
nobody:!:65535:100:nobody:/dev/null:
ftp:!:404:100::/home/ftp:/bin/nologin
nomad:!:501:100:Simple Nomad, 525-5252:/home/nomad:/bin/bash
webadmin:!:502:100:Web Admin Group ID:/home/webadmin:/bin/bash
thegnome:!:503:100:Simple Nomad's Old Account:/home/thegnome:/bin/tcsh
dorkus:!:504:100:Alternate account for Fred:/home/dorkus:/bin/tcsh

Page 10

Linux Password Example

nomad:HrLNrZ3VS3TF2:501:100:Simple Nomad:/home/nomad:/bin/bash

This is what the fields actually are:

• nomad: Account or user name, what you type in at the login prompt
• HrLNrZ3VS3TF2: One-way encrypted password (plus any aging info)
• 501: User number
• 100: Group number
• Simple Nomad: GECOS information
• /home/nomad: Home directory
• /bin/bash: Program to run on login, usually a shell

Page 11

Linux Shadow File Example

nomad:$1$fnffc$GteyHdicpGOfffXX40w#5:13064:0:99999:7

This is what the fields actually are:

• nomad: Account or user name, what you type in at the login prompt
• $1$fnffc$GteyHdicpGOfffXX40w#5: Password
• 13064: Last password changed
• 0: Minimum number of days required between password changes
• 99999: Maximum number of days the password is valid
• 7: The number of days the user is warned before the expiration date of the password
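A parser for the passwd and shadow field layouts described on the two slides above, used from the auditing side: it flags hashes left in the world-readable passwd file (the point made on the /etc/passwd slide), extra UID 0 accounts such as the "operator" entry in that listing, md5crypt ($1$) hashes and passwords with the 99999-day maximum. This is an added example, not code from the EC-Council module; the sample entries are constructed in the slides' format.

```python
from typing import Dict, List, Tuple

# Constructed sample entries in the slides' format; not taken from a real host.
PASSWD_SAMPLE = """root:!:0:0:root:/root:/bin/tcsh
operator:!:0:0:operator:/root:/bin/tcsh
nomad:HrLNrZ3VS3TF2:501:100:Simple Nomad:/home/nomad:/bin/bash
ftp:!:404:100::/home/ftp:/bin/nologin
"""
SHADOW_SAMPLE = "nomad:$1$fnffc$GteyHdicpGOfffXX40w#5:13064:0:99999:7\n"

# Password-field values that carry no hash: shadowed ("x") or locked ("!", "*").
PLACEHOLDERS = {"x", "!", "*", ""}
PASSWD_FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")
SHADOW_FIELDS = ("name", "hash", "lastchg", "min", "max", "warn")

def _parse(text: str, fields, numeric) -> List[Dict[str, object]]:
    """Split each non-empty line on ':' and map it onto the named fields,
    converting the ones listed in `numeric` to int."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        values = line.split(":")
        row = dict(zip(fields, values))
        for key in numeric:
            row[key] = int(row[key])
        rows.append(row)
    return rows

def parse_passwd(text: str):
    """The seven colon-separated fields described on the Linux Password Example slide."""
    return _parse(text, PASSWD_FIELDS, ("uid", "gid"))

def parse_shadow(text: str):
    """The shadow fields named on the slide: account, hash and the four aging counters."""
    return _parse(text, SHADOW_FIELDS, ("lastchg", "min", "max", "warn"))

def audit(passwd_text: str, shadow_text: str) -> List[Tuple[str, str]]:
    """Return (account, finding) pairs a reviewer would raise: hashes left in the
    world-readable passwd file, extra UID 0 accounts, md5crypt hashes ($1$) and
    passwords that never expire (max days 99999)."""
    findings = []
    for e in parse_passwd(passwd_text):
        if e["password"] not in PLACEHOLDERS:
            findings.append((e["name"], "hash stored in world-readable passwd"))
        if e["uid"] == 0 and e["name"] != "root":
            findings.append((e["name"], "extra UID 0 account"))
    for s in parse_shadow(shadow_text):
        if s["hash"].startswith("$1$"):
            findings.append((s["name"], "md5crypt hash"))
        if s["max"] >= 99999:
            findings.append((s["name"], "password never expires"))
    return findings
```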

Page 12

Check Other Linux & UNIX Variants

Passwords can also be stored in these files:

• /etc/security/passwd (accessible by root only)
• /.secure/etc/passwd (accessible by root only)

Page 13

Step 2: Extract SAM File from Windows Machines

Windows 2000/XP passwords are stored in c:\winnt\system32\etc\SAM.

The file is named SAM (locked when WINNT is running).

Extraction tools:

• SAMDUMP
• PWDUMP
• L0phtcrack

Page 14

Extract Backup of SAM/Emergency Repair Disk

Windows also stores passwords in either a backup of the SAM file in the c:\winnt\repair directory or on an emergency repair disk.

Page 15

Check Registry

Windows applications store passwords in the Registry or as plaintext files on the hard drive.

Page 16

Check the Microsoft’s Server Message Block (SMB) Protocol

Check for the vulnerability of the SMB protocol that is used for file and print sharing.

Run NetBIOS Auditing Tool (NAT) and extract the passwords using the following command:

nat -u userlist.txt -p passlist.txt testing IP_address

Page 17

Check the Active Directory Database

Check for passwords in the Active Directory database file that are stored locally or spread across domain controllers.

Page 18

Step 3: Identify the Target Person’s Personal Profile

If you are trying to guess Rebecca’s password on her desktop, then compile a list of items she likes.

Example:

• Favorite car
• Birthday, anniversary day, and other special occasions
• Movies, music, sports, drama, and arts
• Education, cartoon characters, novelists
• Parents, relatives, kids’ names
• Country, city, holiday resorts, etc.
• Project working on

Page 19

Step 4: Build a Dictionary of Word Lists

Build a word list based on the information from the previous slide.

Tools:

• Dictionary maker
• Pass list

Page 20

Step 5: Attempt to Guess Passwords

Obtaining a legitimate user ID is not an easy task.

Creation of a user ID involves a variation of the employee's first name and last name.

Email addresses posted on the organization's website depict a sample user ID format.

Acquiring a copy of the organization’s internal telephone directory helps in discovering and constructing a valid user ID.

Many system software products are initially configured with default user IDs and passwords.

These default user IDs and passwords are designed to enable vendors to perform remote transactions.

Page 21

Step 6: Brute Force Passwords

Run a dictionary attack and brute force to crack passwords.

Tools:

• Brutus
• L0phtcrack
• Munga bunga
• Password cracker

Page 22

Step 6: Brute Force Passwords (cont’d)

Resources:

• www.antifork.org
• www.bindview.com
• www.cerberus-infosec.co.uk
• www.hackersclub.com
• www.hoobie.net
• www.intrusion.com
• www.nai.com
• www.nmrc.org
• http://packetstorm.decepticons.org
• www.phenoelit.de
• www.securitysoftwaretech.com
• www.users.dircon.co.uk/~crypto
• www.waveset.com
• ftp://ftp.cerias.purdue.edu/pub/dict
• ftp://ftp.ox.ac.uk/pub/wordlists
• packetstormsecurity.nl/Crackers/wordlists
• http://www.outpost9.com/files/WordLists.html

Page 23

Step 7: Use Automated Password Crackers to Break Password-Protected Files

Automated password cracking tools systematically guess passwords.

Tools:

• Brutus: www.antifork.org/hoobie.net
• Cerberus Internet Scanner: www.cerberus-infosec.co.uk
• Crack: www.users.dircon.co.uk/~crypto
• CyberCop Scanner: www.nai.com
• Inactive Account Scanner: www.waveset.com
• Legion and NetBIOS Auditing Tool (NAT): www.hackersclub.com
• L0phtcrack: www.securitysoftwaretech.com
• John the Ripper, SAMDump, PWDump, PWDump2, PWDump3: www.nmrc.org
• SecurityAnalyst: www.intrusion.com
• TeeNet: www.phenoelit.de
• WebCrack: www.packetstorm.decepticons.org

Page 24

Extract Cleartext Passwords from the Dictionary

Logon passwords are stored in:

• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Page 25

Extract Cleartext Passwords from an Encrypted LM Hash

Use the Cain and Abel tool to extract the cleartext password from an encrypted LM hash.

Page 26

Sniff Cleartext Passwords from the Wire

FTP, HTTP, POP3, SMTP and IMAP send passwords as cleartext.

Run a sniffer to capture them.

Tool:

• dsniff

Page 27

Replay Attack to Crack Password

A replay attack intercepts the data packets and resends them to the receiving server without decryption.

Intercept the communication using a network analyzer or sniffer such as Ethereal, TCPdump, or WinDump.

Page 28

Tool: SAMInside 2.5.8.0 (pwdump)

Extracts Windows NT/2000/XP/2003 users' names and passwords in national symbol encoding.

Page 29

SAMInside 2.5.8.0 (pwdump): Screenshot

Page 30

Tool: Dictionary Maker

Dictionary Maker is a tool to compose dictionaries (word lists) for password recovery using multiple source text files.

Page 31

Tool: Password List Recovery 2.6

Password List Recovery shows all the passwords in the current Windows user's Password List (PWL) file.

They are kept in the Windows directory and have a .PWL extension.

Page 32

Password List Recovery 2.6: Screenshot

Page 33

Summary

Passwords protect computer resources and files from unauthorized access by malicious users.

A combination of passwords and user IDs is used by companies to protect their resources against intrusion by hackers and thieves.

The password file for Linux is located in /etc and is a text file called passwd.

By default and design, the passwd file is world readable by anyone on the system, and might be unsuccessful in raising the protection levels against any of the users.

SAMDUMP is a tool that simplifies migration synchronization of that system.

A word list needs to be built up using the previous slides in order to break through the password of the victim.
