Password Cracking Lesson 10

Upload: cristian-tindell

Post on 23-Dec-2015

Page 1: Password Cracking Lesson 10. Why crack passwords?

Password Cracking

Lesson 10

Page 2: Why crack passwords?

Page 3: Where are the passwords stored?

• In the security database in NT. Sometimes referred to as the SAM (security account manager).

• In \Windows-directory\system32\config\SAM

• File is usually world readable, however it is not accessible when the system is running because it is locked by the system kernel.

• Copy of it may usually be found in Windows-directory\repair\SAM._ (rdisk run with /s argument); then expand it:

– expand sam._ sam

For UNIX/Linux, passwords stored in /etc/passwd or /etc/shadow.

Passwords should always be stored in encrypted format, why? What are the steps then in validating a correct password?

Page 4: NT Password cracking

• SAM file has two separately hashed versions of the password -- the LanMan version and the NT version.

• LanMan is the weak method and can easily be cracked. It separates the password into two 7 character parts. Thus you really only have to crack two separate 7 character passwords instead of a 14 character password.

• It also converts lower case characters to upper case.

• Because of poor hashing technique, for NT, a 10 character password is actually potentially less secure than a 7 character one.

• The second half (last 3 characters) will quickly be cracked and then may provide a clue for the first part, ex: *******890

Page 5: So what’s the problem with splitting it in two?

• Let’s assume lower case characters and numbers only (thus 36 possibilities). If the password can be only 7 characters then

• (36 characters) 7 characters in length = 36^7 = 7.8×10^10 choices

• If we instead had 14 character passwords

• (36 characters) 14 characters in length = 36^14 = 6.1×10^21 choices

• Or, if split in two: 2 × (7.8×10^10) = 1.56×10^11 choices

Page 6: (cont)

• If I can try 1,000,000,000 passwords per day:

• With two 7 character passwords it would take 156 days to crack any password

• With one 14 character password it would take 6.1×10^12 days or 1.67×10^10 years to crack any password.
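The arithmetic on the last two slides, worked as an added example (this code is not from the lecture). It takes the slides' assumptions as parameters (36-symbol alphabet, 7-character halves, 14-character password, 10^9 guesses per day) and also handles the 10-character case from the NT slide, where the second half holds only 3 characters, and the case-folding point, where upper and lower case collapse into one set before hashing.

```python
# Added example (not from the lecture): keyspace and exhaustive-search time for
# one full-length password versus the LanMan split into independent 7-character
# halves. The 36-symbol alphabet, 7/14-character lengths and 1e9 guesses per day
# are the slides' assumptions; everything is a parameter here.

def effective_alphabet(lower: int = 26, upper: int = 26, digits: int = 10,
                       case_folded: bool = True) -> int:
    """Symbols an attacker must try per position. LanMan upper-cases the
    password before hashing, so upper and lower case collapse into one set."""
    return (lower if case_folded else lower + upper) + digits

def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length

def lanman_keyspace(alphabet_size: int, length: int = 14, half: int = 7) -> int:
    """Each half is hashed on its own, so the halves are searched separately:
    the costs add instead of multiplying. A 10-character password leaves a
    3-character second half, which is why it falls quickly."""
    total = 0
    remaining = length
    while remaining > 0:
        total += keyspace(alphabet_size, min(half, remaining))
        remaining -= half
    return total

def days_to_exhaust(space: int, guesses_per_day: int) -> float:
    return space / guesses_per_day

def compare(alphabet_size: int = 36, length: int = 14,
            guesses_per_day: int = 10**9) -> dict:
    whole = keyspace(alphabet_size, length)
    split = lanman_keyspace(alphabet_size, length)
    return {
        "whole_keyspace": whole,
        "split_keyspace": split,
        "whole_days": days_to_exhaust(whole, guesses_per_day),
        "whole_years": days_to_exhaust(whole, guesses_per_day) / 365,
        "split_days": days_to_exhaust(split, guesses_per_day),
        "weakening_factor": whole // split,   # how many times easier the split makes it
    }

if __name__ == "__main__":
    for key, value in compare().items():
        if isinstance(value, float):
            print(f"{key:>17}: {value:,.4g}")
        else:
            print(f"{key:>17}: {value:,}")
```

With the defaults, `compare()` gives about 156.7 days for the split search and about 1.7×10^10 years for the whole 14-character space, which is the slides' comparison; `lanman_keyspace(36, 10)` shows the 36^7 + 36^3 split behind the "last 3 characters" remark.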

Page 7: Salts

• Another issue with NT passwords is the fact that “salts” are not used.

• A salt is a random string that is combined with a password before it is encrypted.

• Used because two people who have the same password would normally have them encrypted to the same value.

• When the user enters a new password, the system first combines the password with the salt and then computes the hashed value.

• The system stores both the hash and the salt with the ID

• When a user attempts to authenticate, the system looks up the salt, combines it with the password entered, hashes it, then compares it with the stored value.

• Without a salt, the hacker only has to compute the hash once for any given password and then compare it with the stored values.
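The set-password and authenticate steps described on this slide (and asked about at the end of page 3), written out as an added Python example; the code is not from the lecture. The slide names no hash function, so PBKDF2-HMAC-SHA256 with a 16-byte random salt and 200,000 iterations is this example's choice, and the user names and passwords are constructed. A `salted=False` store reproduces the NT situation the slide criticises, so the two cases can be compared directly.

```python
import hashlib
import hmac
import secrets

# Added example (not from the lecture): the set-password and authenticate steps
# the slide describes, with the salt stored beside the hash. PBKDF2-HMAC-SHA256,
# a 16-byte random salt and 200,000 iterations are this example's choices; the
# slide names no particular hash function. User names and passwords are constructed.

ITERATIONS = 200_000

def hash_password(password: str, salt: bytes) -> bytes:
    """Combine the password with its salt, then apply the one-way hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

class PasswordStore:
    """Maps user id -> (salt, hash). salted=False reproduces the NT situation
    the slide criticises: no salt, so equal passwords give equal hashes."""

    def __init__(self, salted: bool = True) -> None:
        self.salted = salted
        self._records = {}

    def set_password(self, user: str, password: str) -> None:
        # New password: draw a fresh random salt for this user (or none),
        # hash password||salt and store both with the id.
        salt = secrets.token_bytes(16) if self.salted else b""
        self._records[user] = (salt, hash_password(password, salt))

    def verify(self, user: str, password: str) -> bool:
        # Authenticate: look up the user's salt, combine it with the entered
        # password, hash, and compare against the stored value in constant time.
        record = self._records.get(user)
        if record is None:
            # Hash anyway so an unknown user costs the same as a wrong password.
            hash_password(password, b"\x00" * 16)
            return False
        salt, stored = record
        return hmac.compare_digest(hash_password(password, salt), stored)

    def stored_hash(self, user: str) -> bytes:
        return self._records[user][1]

def same_password_same_hash(salted: bool) -> bool:
    """Do two users who chose the same password end up with identical stored hashes?"""
    store = PasswordStore(salted=salted)
    store.set_password("alice", "winter2015")   # constructed sample users
    store.set_password("bob", "winter2015")
    return store.stored_hash("alice") == store.stored_hash("bob")

if __name__ == "__main__":
    store = PasswordStore()
    store.set_password("alice", "winter2015")
    print("correct password accepted:", store.verify("alice", "winter2015"))
    print("wrong password rejected:", not store.verify("alice", "Winter2015"))
    print("unsalted duplicates collide:", same_password_same_hash(salted=False))
    print("salted duplicates differ:", not same_password_same_hash(salted=True))
```

The constant-time comparison and the dummy hash for unknown users are not on the slide; they close two timing side channels that a straightforward implementation of the listed steps would leave open.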

Page 8: Programs to crack NT passwords

• L0phtcrack

• NTSweep

• NTCrack

Page 9: UNIX password cracking

• Generally harder than NT to crack.

• 3-step process used by cracking programs:

– create file of possible passwords (dictionary file)

– Encrypt file of possible passwords

– Compare results with encrypted form of passwords

• Obvious why it is harder to guess if you don’t use simple words. Dictionary created must include combinations of words with various connectors

• There are different dictionaries for different environments/countries.
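The three-step process above, run over a constructed user table as an added example (not lecture code) to show the point made on the Salts slide: without salts one hash per candidate word is compared against every stored value, while per-user salts force the work to be repeated for every salt. The toy hash (SHA-256 over salt||password), the word list, the connectors and the sample users are all this example's assumptions.

```python
import hashlib

# Added example (not from the lecture): the slide's three-step dictionary check,
# run over a constructed user table to count how many hash computations it takes
# with and without per-user salts. The toy hash (SHA-256 over salt||password),
# the word list, the connectors and the sample users are all assumptions here.

def toy_hash(password: str, salt: str = "") -> str:
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()

def expand_wordlist(words, connectors=("", "1", "123", "!")) -> list:
    """Step 1: the dictionary plus word+connector combinations, in two case forms."""
    candidates = []
    for word in words:
        for connector in connectors:
            candidates.append(word + connector)
            candidates.append(word.capitalize() + connector)
    return candidates

def build_records(salted: bool) -> dict:
    """Constructed sample store: user -> (salt, stored hash)."""
    users = {"eric": "eric", "sue": "sue1", "tim": "Password!", "mary": "#57adm7#"}
    records = {}
    for i, (user, password) in enumerate(users.items()):
        salt = f"s{i:02d}" if salted else ""      # deterministic toy salts
        records[user] = (salt, toy_hash(password, salt))
    return records

def audit(records: dict, words) -> dict:
    """Steps 2 and 3: hash every candidate and compare with the stored hashes.
    Returns the users whose password was in the list and the number of hash
    computations that were needed to find out."""
    candidates = expand_wordlist(words)
    salts = {salt for salt, _ in records.values()}
    matched = {}
    computations = 0
    # One hash per (candidate, distinct salt). Unsalted: a single distinct
    # "salt" (the empty one), so one hash per candidate is compared with every
    # stored value at once. Salted: the same work is repeated per user salt.
    for salt in salts:
        by_hash = {h: user for user, (s, h) in records.items() if s == salt}
        for candidate in candidates:
            computations += 1
            digest = toy_hash(candidate, salt)
            if digest in by_hash:
                matched[by_hash[digest]] = candidate
    return {"matched": matched, "hash_computations": computations,
            "candidates": len(candidates)}

WORDS = ["eric", "sue", "password", "admin"]   # constructed stand-in dictionary

if __name__ == "__main__":
    for salted in (False, True):
        result = audit(build_records(salted), WORDS)
        print("salted" if salted else "unsalted", result)
```

The same three users fall in both runs (a salt does not make a weak password strong), but the salted store needs four times the hash computations for four users, and the multiplier grows with the user count. Mary's password is not derivable from the word list and is never matched.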

Page 10: UNIX Password Encryption

• UNIX uses an encryption algorithm called crypt to encrypt passwords.

• Crypt is a hash algorithm that performs a one-way transformation.

• There is thus no way to decrypt a password that has been encrypted with crypt

• Each encrypted password is 11 characters and is combined with a 2-character salt.
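A parser for the password field the slide describes, added here as an example (not lecture code): it splits a traditional crypt value into its 2-character salt and 11-character hash, and, going beyond the slide, also recognises the later "$id$salt$hash" modular form of MD5/SHA-crypt so that an administrator can list the accounts still on the old scheme. The shadow lines are constructed and the hash strings in them are not real.

```python
import re
from dataclasses import dataclass

# Added example (not from the lecture): a parser for /etc/shadow entries that
# splits the traditional crypt field into its 2-character salt and 11-character
# hash, as the slide describes. It also recognises the later "$id$salt$hash"
# modular form used by MD5/SHA-crypt, which goes beyond the slide. The sample
# lines below are constructed and the hash values in them are not real.

TRADITIONAL = re.compile(r"^[./0-9A-Za-z]{13}$")   # 2 salt chars + 11 hash chars
MODULAR = re.compile(r"^\$(?P<id>[^$]+)\$(?P<rest>.*)$")
SCHEME_IDS = {"1": "md5", "5": "sha256", "6": "sha512"}

@dataclass
class CryptField:
    scheme: str   # des | md5 | sha256 | sha512 | other | locked | empty
    salt: str
    hash: str

def parse_crypt(field: str) -> CryptField:
    if field == "":
        return CryptField("empty", "", "")          # no password at all
    if field[0] in "!*":
        return CryptField("locked", "", "")         # account disabled / no login
    if TRADITIONAL.match(field):
        return CryptField("des", field[:2], field[2:])
    m = MODULAR.match(field)
    if m:
        parts = m.group("rest").split("$")
        if parts and parts[0].startswith("rounds="):  # SHA-crypt optional rounds
            parts = parts[1:]
        salt = parts[0] if parts else ""
        digest = parts[1] if len(parts) > 1 else ""
        return CryptField(SCHEME_IDS.get(m.group("id"), "other"), salt, digest)
    return CryptField("other", "", field)

def parse_shadow_line(line: str) -> dict:
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError(f"not a shadow entry: {line!r}")
    info = parse_crypt(fields[1])
    return {"user": fields[0], "scheme": info.scheme,
            "salt": info.salt, "hash": info.hash}

def weak_entries(lines) -> list:
    """Users still on 13-character DES crypt (passwords truncated to 8
    characters, 12-bit salt) or with an empty password field: migrate first."""
    return [entry["user"] for entry in map(parse_shadow_line, lines)
            if entry["scheme"] in ("des", "empty")]

SAMPLE_SHADOW = [                      # constructed, not real hashes
    "eric:abJnggxhB/yWI:16792:0:99999:7:::",
    "sue:$6$Xy7Qm0/2$notarealhash.constructed.for.this.example:16792:0:99999:7:::",
    "ann:$6$rounds=5000$k9Qp$notarealhash.either:16792:0:99999:7:::",
    "pat:!:16792:0:99999:7:::",
    "tom::16792:0:99999:7:::",
]

if __name__ == "__main__":
    for line in SAMPLE_SHADOW:
        print(parse_shadow_line(line))
    print("accounts to migrate:", weak_entries(SAMPLE_SHADOW))
```

Anything the parser cannot classify (bcrypt's "$2b$", for instance) comes back as "other" rather than being guessed at, so the migration list only ever contains entries the parser is sure about.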

Page 11: UNIX Password Crackers

• CRACK

• John the Ripper

• XIT

• Slurpie

Page 12: Comparison of NT crackers

Features                                        LC    Ntsweep  NTCrack  PWDump2
Platform                                        NT    NT       NT       NT
Passwords                                       NT    NT       NT       NT
Dictionary Attack                               Yes   No       No       N/A
Brute Force                                     Yes   Yes      Yes      N/A
Hybrid Attack                                   Yes   No       No       N/A
Distributed                                     No    No       No       N/A
Time to perform dictionary attack               240   N/A      N/A      N/A
Ease of install (1 easiest, 4 most difficult)   1     1        1        1
Ease of use                                     1     2        3        4
Most features (1=most, 4=least)                 1     2        3        4

Page 13: Comparison of UNIX crackers

Features                                        Crack    John      XIT      Slurpie
Platform                                        UNIX     UNIX/Win  Win      UNIX
Passwords                                       UNIX     UNIX/NT   UNIX     UNIX
Dictionary Attack                               Yes      Yes       Yes      Yes
Brute Force                                     Yes      Yes       No       Yes
Hybrid Attack                                   Yes      Yes       No       No
Distributed                                     Yes      No        No       Yes
Utility to merge passwd and shadow files        Yes      Yes       No       No
Time to perform dictionary attack               150 sec  120 sec   136 sec  50 sec
Ease of install (1 easiest, 4 most difficult)   4        3         1        2
Ease of use                                     4        2         1        3
Most features (1=most, 4=least)                 1        2         4        3

Page 14: Passwords Cracked

User            Password    Crack  John  XIT  Slurpie
Eric            Eric        X      X     X    X
John            John1234
Mike            5639421
Mary            #57adm7#
Sue             Sue         X      X     X    X
Lucy            12345       X      X     X    X
Pat             <none>      X
Tim             Password    X      X     X    X
Cathy           55555       X
Frank           Abcde       X      X     X    X
Tom             Mnopqr
Karen           Bbbbbbbb    X
Total Cracked               8      5     5    5
Accuracy                    66%    42%   42%  42%

Page 15: Success based on…

• Password cracker’s ability

• Dictionary chosen

• Rules selected

Page 16: Where can I go to get a cracker?

Page 17: Protecting against Cracking

• Have a good password policy

• Change them on a regular basis (how regular?)

• Lock account after 3 failed attempts

• Password should contain 1 alpha, 1 number, and one special character.

• Don’t allow users to reuse previous (5?) passwords.

• Password should not be a word found in a dictionary. Consider using a pass-phrase.

• Consider use of one-time passwords (most common form is smart-card).
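The policy points on this slide turned into a checker, as an added example that is not part of the lecture. The composition rule, the dictionary rule, the history of 5 and the lockout after 3 failures follow the slide; the minimum length, the pass-phrase exemption (20 or more characters containing a space skips the composition rule), the way the history is kept (salted PBKDF2-HMAC-SHA256 hashes, never the old passwords themselves) and the sample dictionary are this example's choices.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Added example (not from the lecture): a checker for the policy points on this
# slide. Composition rule (1 letter, 1 digit, 1 special), no dictionary-based
# password, no reuse of the last 5, lockout after 3 failures all follow the
# slide; the minimum length, the pass-phrase exemption, the history hashing
# (PBKDF2-HMAC-SHA256) and the sample dictionary are this example's choices.

HISTORY_DEPTH = 5
MAX_FAILED = 3
STRIP_CHARS = "0123456789!@#$%^&*()-_=+.,"

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)

@dataclass
class Account:
    history: list = field(default_factory=list)   # (salt, hash) of past passwords, newest last
    failed: int = 0
    locked: bool = False

def policy_violations(password: str, dictionary, account: Account, min_len: int = 8) -> list:
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    # Pass-phrase exemption (this example's choice): long, multi-word secrets
    # are accepted without the character-class rule.
    passphrase = len(password) >= 20 and " " in password
    if not passphrase:
        if not any(c.isalpha() for c in password):
            problems.append("no letter")
        if not any(c.isdigit() for c in password):
            problems.append("no digit")
        if not any(not c.isalnum() for c in password):
            problems.append("no special character")
    # "Password1!" is still the dictionary word "password": peel off the
    # digits/punctuation glued to either end before the lookup.
    core = password.strip(STRIP_CHARS).lower()
    if core in dictionary:
        problems.append("based on a dictionary word")
    for salt, old in account.history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(_hash(password, salt), old):
            problems.append(f"reused one of the last {HISTORY_DEPTH} passwords")
            break
    return problems

def change_password(account: Account, new_password: str, dictionary) -> list:
    """Apply the policy; on success record the new password in the history
    (salted hash only) and return an empty list of problems."""
    problems = policy_violations(new_password, dictionary, account)
    if problems:
        return problems
    salt = secrets.token_bytes(16)
    account.history.append((salt, _hash(new_password, salt)))
    return []

def record_login(account: Account, success: bool) -> bool:
    """Lock the account after MAX_FAILED consecutive failures; a success
    resets the counter. Returns the lock state."""
    if success:
        account.failed = 0
    else:
        account.failed += 1
        if account.failed >= MAX_FAILED:
            account.locked = True
    return account.locked

DICTIONARY = {"password", "winter", "eric", "secret"}   # constructed stand-in

if __name__ == "__main__":
    acct = Account()
    for candidate in ("Secretword!", "Password1!", "Xq7#mountain-lamp"):
        print(candidate, "->", change_password(acct, candidate, DICTIONARY) or "accepted")
    print("reuse ->", change_password(acct, "Xq7#mountain-lamp", DICTIONARY))
    for attempt in range(MAX_FAILED):
        print("failed login", attempt + 1, "locked:", record_login(acct, False))
```

The history keeps only salted hashes, so a reuse check never requires storing old passwords in recoverable form, which is the same storage rule the Salts slide gives for current passwords.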

Page 18: Password Cracking Lab

• Two password files, one for NT, one for Unix.

– Linux shadow file

– NT SAM file

• Needed to locate, choose, and download password crackers

• Needed to install programs and let them run

• You probably did not get all of the passwords cracked.