8/9/2019 hacking Module 13
1/47
NMCSP
2008 Batch-I
Module XIII
Web-Based Password Cracking Techniques
Scenario
Cracking accounts, stealing files and defacing websites are just a click away for Raven. All of these illegal activities give him a kick, and he uses his skills to make a living. He has a website where people can request all kinds of work, such as cracking e-mail accounts, enumerating accounts and lots more; whatever the requester wants to get from any website. All of this is done only after payment is made, and he charges a minimal amount. Raven is a hit among the underground community.
However, the users have to give their e-mail ids on his online request form to get the information.
Raven's first encounter with cracking was when he was a fresh graduate, but unemployed. He had read about cracking on the net and about crackers who offer services for money. This lured Raven into becoming a cracker. His first victim was his friend's e-mail account.
He used a brute force attack when the dictionary attack failed. After a few attempts Raven was successful in cracking his friend's password. Thus, Raven's journey of illegal activities began.
How far can he go?
What if he masters other activities such as generating malicious code to disrupt systems on the net or cracking the passwords of government agencies?
Module Objectives
Authentication Definition
Authentication Mechanisms
What is a Password Cracker?
Modus Operandi of an attacker using a password cracker
How does a Password Cracker work?
Attacks - Classification
Password Cracking Tools.
Countermeasures
Module Flow
Types of authentication
Authentication definition
What is a password cracker?
Modus operandi of an attacker using a password cracker
How does a password cracker work?
Classification of attacks
Password guessing
Query string
Cookies
Dictionary maker
Different password crackers
Mary had a little lamb formula
Countermeasures
Authentication - Definition
Authentication is the process of determining the user's identity.
In private and public computer networks, authentication is commonly done through the use of login IDs and passwords.
Knowledge of the password is assumed to guarantee that the user is authentic.
Passwords can often be stolen, accidentally revealed, or forgotten due to inherent loopholes in this type of authentication.
Authentication Mechanisms
HTTP Authentication
Basic Authentication
Digest Authentication
Integrated Windows (NTLM) Authentication
Negotiate Authentication
Certificate-Based Authentication
Forms-based Authentication
Microsoft Passport Authentication
HTTP Authentication
There are two techniques for HTTP authentication. They are:
Basic
Digest
Basic Authentication
The most basic form of authentication available to web applications.
It begins with a client making a request to the web server for a protected resource, without any authentication credentials.
The limitation of this protocol is that it is wide open to eavesdropping attacks: the credentials travel with every request only base64-encoded, which anyone who sees the request can decode.
The use of 128-bit SSL encryption can thwart these attacks.
Picture Source: http://www.roboform.com/pics/basicauth.gif
Digest Authentication
It is designed to provide a higher level of security vis-à-vis Basic authentication.
It is based on the challenge-response authentication model.
It is a significant improvement over Basic authentication as it does not send the user's cleartext password over the network.
It is still vulnerable to replay attacks, since a captured message digest in the response will grant access to the requested resource.
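To make the difference between the two HTTP schemes concrete, here is an added Python example (not code from the original module). It builds and decodes a Basic Authorization header, showing that base64 is reversible by anyone who sees the request, and then computes the RFC 2617 Digest response, which carries only MD5 hashes. The DigestServer class is this example's own illustration of the replay countermeasure: the server remembers each (nonce, nonce-count) pair it has accepted, so re-sending a captured response is rejected. All function and class names, the realm and the sample credentials are assumptions of the example.

```python
import base64
import hashlib
import hmac
import secrets


# --- Basic authentication ---------------------------------------------------
def basic_header(username, password):
    """Build the Authorization header a Basic-auth client sends."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic_header(header):
    """Recover the credentials from a Basic header.

    Base64 is an encoding, not encryption: anyone who can read the request
    (an eavesdropper on a plain-HTTP connection) gets the cleartext password.
    """
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, pwd = base64.b64decode(token).decode().partition(":")
    return user, pwd


# --- Digest authentication (RFC 2617, qop="auth") ---------------------------
def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce):
    """Client-side 'response' value. Only hashes cross the wire, never the password."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


class DigestServer:
    """Illustrative verifier (an assumption of this example, not a real server).

    It stores HA1 rather than the password and remembers every (nonce, nc)
    pair it has accepted, so a captured response cannot simply be replayed.
    """

    def __init__(self, realm, users):
        self.realm = realm
        self.ha1 = {u: _md5(f"{u}:{realm}:{p}") for u, p in users.items()}
        self.issued = set()   # nonces handed out in challenges
        self.seen = set()     # (nonce, nc) pairs already used successfully

    def challenge(self):
        """Return a fresh nonce for the WWW-Authenticate header."""
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        return nonce

    def verify(self, username, method, uri, nonce, nc, cnonce, response):
        if username not in self.ha1 or nonce not in self.issued:
            return False
        if (nonce, nc) in self.seen:
            return False      # replay of an already-accepted response
        ha2 = _md5(f"{method}:{uri}")
        expected = _md5(f"{self.ha1[username]}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
        if not hmac.compare_digest(expected, response):
            return False
        self.seen.add((nonce, nc))
        return True


def replay_demo():
    """Accept a fresh Digest response once, then reject its replay: (True, False)."""
    srv = DigestServer("mail", {"sue": "s3cret"})
    n = srv.challenge()
    resp = digest_response("sue", "mail", "s3cret", "GET", "/mail", n, "00000001", "c0ffee")
    first = srv.verify("sue", "GET", "/mail", n, "00000001", "c0ffee", resp)
    again = srv.verify("sue", "GET", "/mail", n, "00000001", "c0ffee", resp)
    return first, again


if __name__ == "__main__":
    hdr = basic_header("sue", "s3cret")
    print(hdr, "->", decode_basic_header(hdr))
    print("first use, replay:", replay_demo())
```

Without the `seen` set the second call in replay_demo would succeed exactly as the slide warns; the nonce-count check is what turns the captured response into a one-time token.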
Integrated Windows (NTLM) Authentication
It uses Microsoft's proprietary NT LAN Manager (NTLM) authentication program over HTTP.
It only works with Microsoft's Internet Explorer browser and IIS Web servers.
Integrated Windows authentication is more suitable for intranet deployment.
In this type of authentication, no version of the user's password ever crosses the wire.
Negotiate Authentication
It is an extension of NTLM authentication.
It provides Kerberos-based authentication.
It uses a negotiation process to decide on the level of
security to be used.
This configuration is fairly restrictive and uncommon
except on corporate intranets.
Forms-Based Authentication
It does not rely on features
supported by the basic Web
protocols like HTTP and SSL.
It is a highly customizable
authentication mechanism that
uses a form, usually composed of
HTML.
It is the most popular
authentication technique
deployed on the Internet.
Microsoft Passport Authentication
Single sign on is the term used to
represent a system whereby users
need only remember one username
and password, and be authenticated
for multiple services.
Passport was Microsoft's universal
single sign-in (SSI) platform.
It enabled the use of one set of
credentials to access any Passport
enabled site such as MSN, Hotmail and MSN Messenger.
Microsoft encouraged third-party
companies to use Passport as a
universal authentication platform.
What Is A Password Cracker?
According to the Maximum Security definition, "A password cracker is any program that can decrypt passwords or otherwise disable password protection."
Password crackers use two primary methods to identify correct passwords: brute-force and dictionary searches.
A password cracker may also be able to identify encrypted passwords. After retrieving the password from the computer's memory, the program may be able to decrypt it.
Modus Operandi of an attacker using a password cracker
The aim of a password cracker is mostly to obtain the root/administrator password of the target system.
Administrator rights give the attacker access to files and applications, and also help in installing a backdoor, such as a trojan, for future access to the accounts.
The attacker can also install a network sniffer to sniff the internal network traffic so that he will have most of the information passed around the network.
After gaining root access the attacker escalates the privileges of the administrator.
In order to crack passwords efficiently the attacker should use a system which has greater computing power.
How Does A Password Cracker Work? (1)
To understand well how a password cracker works, it is better to understand the working of a password generator. Most of them use some form of cryptography.
Crypto stems from the Greek word kryptos. Kryptos was used to describe anything that was hidden, obscured, veiled, secret, or mysterious. Graph is derived from graphia, which means writing.
How Does A Password Cracker Work? (2)
Cryptography is concerned with the ways in which communications and data can be encoded to prevent disclosure of their contents through eavesdropping or message interception, using codes, ciphers, and other methods, so that only certain people can see the real message.
Distributed cracking is where the cracker runs the cracking program in parallel, on separate processors. There are a few ways to do this. One is to break the password file into pieces and crack those pieces on separate machines.
Attacks - Classification
The various types of attacks that are performed
by the hacker to crack a password are as
follows:
Dictionary attack
Hybrid attack
Brute force attack
Attacks - Classification (contd.)
Dictionary attack - A simple dictionary attack is the fastest way to break into a machine. A dictionary file is loaded into a cracking application, which is then run against user accounts located by the application.
Hybrid attack - A hybrid attack will add numbers or symbols to the filename to successfully crack a password.
Brute force attack - A brute force attack is the most comprehensive form of attack, though it may often take a long time to work depending on the complexity of the password.
Password guessing
Password guessing attacks can be carried out manually or via automated tools.
Doing social engineering on the victim may also sometimes reveal passwords.
Password guessing can be performed against all types of web authentication.
The common passwords used are: root, administrator, admin, operator, demo, test, webmaster, backup, guest, trial, member, private, beta, [company_name], or [known_username].
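Seen from the defender's side, automated password guessing against web authentication leaves a characteristic trail of failed logins. The following Python script is an added example, not part of the original module: it parses a few constructed access-log lines (client IP, Basic-auth user, request line, status code) and flags sources that hammer one account, cycle through many accounts, probe the default account names listed above, or get a 200/302 only after a run of 401s, which is the signal the WebCracker slide later in this module says that tool keys on. The log format, thresholds, alert names and sample addresses are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed access-log sample in a simplified common-log style:
# client IP, Basic-auth user, request line, HTTP status. Not from the original page.
SAMPLE_LOG = """\
203.0.113.7 admin "GET /intranet/" 401
203.0.113.7 admin "GET /intranet/" 401
203.0.113.7 admin "GET /intranet/" 401
203.0.113.7 admin "GET /intranet/" 401
203.0.113.7 admin "GET /intranet/" 401
203.0.113.7 admin "GET /intranet/" 302
198.51.100.9 root "GET /intranet/" 401
198.51.100.9 administrator "GET /intranet/" 401
198.51.100.9 operator "GET /intranet/" 401
198.51.100.9 webmaster "GET /intranet/" 401
198.51.100.9 guest "GET /intranet/" 401
192.0.2.20 sue "GET /intranet/" 401
192.0.2.20 sue "GET /intranet/" 200
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "(\w+) (\S+)" (\d{3})$')

# Account names the slide lists as commonly tried; several of these from one
# source in a short span is a strong sign of automated guessing.
COMMON_USERNAMES = {"root", "administrator", "admin", "operator", "demo", "test",
                    "webmaster", "backup", "guest", "trial", "member", "private", "beta"}

FAIL_THRESHOLD = 5      # failed attempts from one source before alerting (assumed)
SPRAY_THRESHOLD = 4     # distinct usernames from one source before alerting (assumed)
COMMON_THRESHOLD = 3    # hits on the common-username list before alerting (assumed)


def parse_log(text):
    """Turn log lines into (ip, user, path, status) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, user, _method, path, status = m.groups()
            events.append((ip, user, path, int(status)))
    return events


def analyze(events):
    """Return a sorted list of (source_ip, alert) tuples describing guessing patterns."""
    failures = defaultdict(int)          # ip -> number of 401 responses
    users = defaultdict(set)             # ip -> usernames that failed
    common_hits = defaultdict(int)       # ip -> failures against well-known accounts
    success_after_failures = set()
    for ip, user, _path, status in events:
        if status == 401:
            failures[ip] += 1
            users[ip].add(user)
            if user in COMMON_USERNAMES:
                common_hits[ip] += 1
        elif status in (200, 302) and failures[ip] >= FAIL_THRESHOLD:
            # A non-401 after a run of failures is exactly what guessing tools
            # treat as a hit, so it deserves its own alert.
            success_after_failures.add(ip)
    alerts = []
    for ip in sorted(users):
        if failures[ip] >= FAIL_THRESHOLD and len(users[ip]) == 1:
            alerts.append((ip, "single-account brute force / dictionary"))
        if len(users[ip]) >= SPRAY_THRESHOLD:
            alerts.append((ip, "username spraying"))
        if common_hits[ip] >= COMMON_THRESHOLD:
            alerts.append((ip, "default-account probing"))
        if ip in success_after_failures:
            alerts.append((ip, "success after repeated failures"))
    return alerts


if __name__ == "__main__":
    for ip, alert in analyze(parse_log(SAMPLE_LOG)):
        print(f"{ip:15} {alert}")
```

In practice the thresholds would be tied to a time window and the alerts fed to lockout or rate-limiting logic; the point of the example is that each attack class on the previous slide has a distinct shape in the logs.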
Password guessing (contd.)
Most users assign passwords that are related to their personal life, such as a father's middle name, as shown in the screenshot.
An attacker can easily fill in the form for forgotten passwords and retrieve the same.
This is one of the simplest ways of password guessing.
Query String
The query string is the extra bit of data in the URL after the question mark (?) that is used to pass variables.
The query string is used to transfer data between client and server.
Example:
http://www.mail.com/mail.asp?mailbox=sue&company=abc%20com
Sue's mailbox can be changed by changing the URL to:
http://www.mail.com/mail.asp?mailbox=joe&company=abc%20com
Cookies
Cookies are a popular form of session management.
Cookies are often used to store important fields such as usernames and account numbers.
All of the fields can be easily modified using a program like CookieSpy.
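The mailbox URL on the Query String slide and the editable cookie fields described here are the same weakness: the server trusts an identifier the client controls. As an added Python example (not code from the original module), the first handler reproduces that behaviour, trusting both the mailbox query parameter and a plain user cookie; the second keeps the session on the server, keyed by an HMAC-signed session id, and checks that the requested mailbox belongs to the authenticated user before serving it. The mailbox contents, function names and signing scheme are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed sample data standing in for the mail application's store.
MAILBOXES = {"sue": ["Hi Sue, your invoice is attached"],
             "joe": ["Joe, the meeting moved to 3pm"]}


def requested_mailbox(url):
    """Pull the 'mailbox' variable out of the query string, as on the slide."""
    return parse_qs(urlparse(url).query).get("mailbox", [""])[0]


# --- Vulnerable handler: trusts the query string and a plain 'user' cookie ---
def vulnerable_mail_handler(url, cookies):
    """'Authentication' is just the presence of a cookie the client can edit,
    and the mailbox returned is whichever one the URL names."""
    if "user" not in cookies:
        return "401 Unauthorized"
    return MAILBOXES.get(requested_mailbox(url), "404 Not Found")


# --- Hardened handler: server-side session, signed session id, authz check ---
SERVER_KEY = secrets.token_bytes(32)     # per-deployment secret (constructed here)
SESSIONS = {}                            # session id -> username, server side only


def login(username):
    """Create a session and return the cookie value: '<id>.<hmac(id)>'."""
    sid = secrets.token_urlsafe(24)
    SESSIONS[sid] = username
    sig = hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()
    return f"{sid}.{sig}"


def current_user(cookies):
    """Return the logged-in user, or None if the cookie is missing or tampered."""
    sid, _, sig = cookies.get("session", "").rpartition(".")
    expected = hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()
    if not sig or not hmac.compare_digest(expected, sig):
        return None
    return SESSIONS.get(sid)


def hardened_mail_handler(url, cookies):
    user = current_user(cookies)
    if user is None:
        return "401 Unauthorized"
    mailbox = requested_mailbox(url)
    if mailbox != user:                  # the object must belong to the caller
        return "403 Forbidden"
    return MAILBOXES.get(mailbox, "404 Not Found")


if __name__ == "__main__":
    joe_url = "http://www.mail.com/mail.asp?mailbox=joe&company=abc%20com"
    print("vulnerable:", vulnerable_mail_handler(joe_url, {"user": "anyone"}))
    print("hardened  :", hardened_mail_handler(joe_url, {"session": login("sue")}))
```

Because the cookie carries only an opaque, signed session id, editing it with a cookie tool yields a 401 rather than another user's data, and changing mailbox=sue to mailbox=joe in the URL yields a 403.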
Dictionary Maker
Dictionary files can be downloaded from the Internet or can be generated
manually
Password Crackers Available
L0phtCrack
John The Ripper
Brutus
ObiWaN
Authforce
Hydra
Cain And Abel
WebCracker
Munga Bunga
PassList
ReadCookies.html
SnadBoy
WinSSLMiM
RAR
Gammaprog
L0phtCrack
LC4 is one of the most popular password crackers available.
LC4 recovers Windows user account passwords to access accounts whose passwords are lost or to streamline migration of users to other authentication systems.
John The Ripper
John the Ripper is a password cracker for UNIX, DOS, WinNT and Win95.
John can crack the following password ciphers:
standard and double-length DES-based
BSDI's extended DES-based
FreeBSD's MD5-based
OpenBSD's Blowfish-based
John the Ripper combines several cracking modes in one program, and is fully configurable.
Brutus
Brutus is an online, or remote, password cracker.
Brutus is used to recover valid access tokens (usually a username and password) for a given target system.
ObiWaN
ObiWaN is based on the simple challenge-response
authentication mechanism.
This mechanism does not provide for intruder lockout or impose delay times for wrong passwords.
ObiWaN uses wordlists and alternations of numeric or
alpha-numeric characters as possible passwords.
Authforce
Authforce is HTTP Authentication brute force attack
software.
Using various methods, it attempts to brute force
username and password pairs for a site.
It is used to test both the security of a site and to prove
the insecurity of HTTP Authentication based on the fact
that users usually do not choose good passwords.
Hydra
Supports several protocols like TELNET, FTP, HTTP,
HTTPS, LDAP, SMB, SMBNT, MYSQL, REXEC,
SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, ICQ, Cisco
auth, Cisco enable, Cisco AAA.
Utilizing the parallel processing feature, this password
cracking tool can be fast, depending on the protocol.
This tool allows for rapid dictionary attacks and
includes SSL support.
Cain And Abel
Cain & Abel is a password recovery tool for Microsoft
Operating Systems.
It allows for the easy recovery of various kinds of
passwords by sniffing the network and cracking encrypted passwords using Dictionary, Brute-Force,
Cryptanalysis attacks, etc.
It contains a feature called APR (ARP Poison Routing)
which enables sniffing on switched LANs by hijacking
IP traffic of multiple hosts at the same time.
RAR
This program is intended to recover lost passwords for RAR/WinRAR archives of versions 2.xx and 3.xx.
The program cracks passwords by the brute force method, or the wordlist or dictionary method.
The program is able to save a current state. An estimated time calculator allows the user to configure the program more carefully.
Gammaprog
Gammaprog is a brute force password cracker for web-based e-mail addresses.
It supports POP3 cracking as well.
It provides piping support: if the wordlist name is stdin, the program will read from stdin rather than from a file.
It includes Wingate support for POP3 cracking.
Hacking Tool: WebCracker
WebCracker is a simple tool that takes text lists of usernames and passwords and uses them as dictionaries to implement Basic authentication password guessing.
It keys on the "HTTP 302 Object Moved" response to indicate successful guesses. It will find all successful guesses given in a usernames/passwords combination.
Hacking Tool: Munga Bunga
It is Brute Force software that uses the HTTP protocol to establish its connections.
Hacking Tool: PassList
PassList is another character based password generator.
Hacking Tool: Read Cookies
Reads cookies stored on the computer. This tool can be used for stealing cookies or cookie hijacking.
Hacking Tool: SnadBoy
http://www.snadboy.com
"Snadboy Revelation" turns back the asterisks in password fields to plain text passwords.
Hacking Tool: WinSSLMiM
http://www.securiteinfo.com/outils/WinSSLMiM.shtml
WinSSLMiM is an HTTPS, man-in-the-middle,
attacking tool. It includes FakeCert, a tool to make fake
certificates.
It can be used to exploit the Certificate Chain
vulnerability in Internet Explorer. The tool works under
Windows 9x/2000.
Usage:
- FakeCert: fc -h
- WinSSLMiM: wsm -h
Mary Had A Little Lamb Formula
Consider a sentence:
Mary had a little lamb. The lamb had white fleece.
1. Consider the first letter of each word, i.e.: MHALLTLHWF
2. Every second letter of the abbreviation can be put in the lower case, i.e.: MhAlLtLhWf
3. Replace A with @ and L with !. Thus a new alphanumeric password, more than 8 characters, will be formed.
4. New Password: Mh@l!t!hWf
Picture Source: http://www.gypcnme.com/ceramic%20arts%20Mary%20Had%20Lamb.gif
Countermeasures
Passwords chosen should have at least eight characters.
Passwords should have a combination of small and capital letters, numbers, and special characters.
Words which are easily found in a dictionary should not be used as passwords.
Public information such as social security number, credit card number, ATM card number, etc. should not be used as passwords.
Personal information should never be used as a password.
Username and password should be different.
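To tie the "Mary had a little lamb" formula to the countermeasures just listed, here is an added Python example (not code from the original module): lamb_formula applies the four steps from the formula slide, and check_policy tests a candidate against the rules above (length, character classes, dictionary words, personal information, username). The dictionary is a tiny constructed stand-in for a real wordlist, and all function names are this example's own.

```python
import re


def lamb_formula(sentence):
    """Apply the slide's four steps to a memorable sentence."""
    initials = "".join(word[0] for word in sentence.split()).upper()       # step 1
    alternated = "".join(ch.lower() if i % 2 else ch                         # step 2
                         for i, ch in enumerate(initials))
    return alternated.replace("A", "@").replace("L", "!")                   # steps 3-4


# Tiny constructed stand-in for a real wordlist (an assumption of this example).
DICTIONARY = {"password", "welcome", "letmein", "summer", "dragon", "qwerty"}


def check_policy(password, username, personal_info=()):
    """Return the countermeasure rules a password violates (empty list = accepted)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    if password.lower() in DICTIONARY:
        problems.append("dictionary word")
    if password.lower() == username.lower():
        problems.append("same as username")
    for item in personal_info:       # e.g. family names, account or card numbers
        if item and item.lower() in password.lower():
            problems.append(f"contains personal information ({item})")
    return problems


if __name__ == "__main__":
    pw = lamb_formula("Mary had a little lamb. The lamb had white fleece.")
    print(pw, check_policy(pw, "mary"))
    print(check_policy(pw + "1", "mary", personal_info=("Smith", "4111")))
```

Note that the formula's own sample output, Mh@l!t!hWf, satisfies every rule except the digit requirement, so check_policy reports "no digit" for it; appending a digit clears the list. A real deployment would replace DICTIONARY with a full wordlist and feed personal_info from the account record.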
Countermeasures
Managers and administrators can enhance the security of their networks by setting strong password policies.
Password requirements should be built into organizational security policies.
System administrators should implement safeguards to ensure that people on their systems are using adequately strong passwords.
When installing new systems, default passwords must be set to pre-expire and need changing immediately.
Countermeasures
The user can use the SRP protocol. SRP is a secure
password-based authentication and key-exchange
protocol. It solves the problem of authenticating clients
to servers securely as a user of the client software is
required to memorize a small secret (like a password)
and carries no other secret information.
Summary
Authentication is the process of checking the identity of the person claiming to be the legitimate user.
HTTP, NTLM, Negotiate, Certificate-Based, Forms-based and Microsoft Passport are the different types of authentication.
Password crackers use two primary methods to identify correct passwords: brute-force and dictionary searches.
L0phtCrack, John The Ripper, Brutus, ObiWaN, etc. are some of the most popular password cracking tools available today.
The best technique to prevent the cracking of passwords is to have passwords which are more than 8 characters and incorporate alphanumeric as well as special characters.