hacking Module 13


8/9/2019 hacking Module 13

1/47

NMCSP
2008 Batch-I
Module XIII
Web-Based Password Cracking Techniques

Scenario

Cracking accounts, stealing files, and defacing websites are just a click away for Raven. All of these illegal activities give him a kick. He uses his skills to make a living. He has a website where people can request all kinds of jobs, such as cracking e-mail accounts, enumerating accounts and lots more; whatever the requester wants to get from any website. All of this is done only after payment is made, and he charges a minimal amount. Raven is a hit among the underground community.

However, the users have to give their e-mail IDs on his online request form to get the information.

Raven's first encounter with cracking was when he was a fresh graduate, but unemployed. He had read about cracking on the net and about crackers who offer services for money. This lured Raven into becoming a cracker. His first victim was his friend's e-mail account.

He used a brute force attack when the dictionary attack failed. After a few attempts Raven was successful in cracking his friend's password. Thus, Raven's journey of illegal activities began.

How far can he go?

What if he masters other activities such as generating malicious code to disrupt systems on the net or cracking the passwords of Government agencies?

Module Objectives

Authentication - Definition
Authentication Mechanisms
What is a Password Cracker? Modus Operandi of an attacker using a password cracker
How does a Password Cracker work?
Attacks - Classification
Password Cracking Tools
Countermeasures

Module Flow

Authentication definition
Types of authentication
What is a password cracker?
Modus Operandi of an attacker using a password cracker
How does a password cracker work?
Classification of attacks
Password guessing
Query string
Cookies
Dictionary maker
Different password crackers
Mary had a little lamb formula
Countermeasures

Authentication - Definition

Authentication is the process of determining the user's identity.
In private and public computer networks, authentication is commonly done through the use of login IDs and passwords.
Knowledge of the password is assumed to guarantee that the user is authentic.
Passwords can often be stolen, accidentally revealed, or forgotten due to inherent loopholes in this type of authentication.

Authentication Mechanisms

HTTP Authentication
Basic Authentication
Digest Authentication
Integrated Windows (NTLM) Authentication
Negotiate Authentication
Certificate-Based Authentication
Forms-based Authentication
Microsoft Passport Authentication

HTTP Authentication

There are two techniques for HTTP authentication. They are:
Basic
Digest

Basic Authentication

The most basic form of authentication available to web applications.
It begins with a client making a request to the web server for a protected resource, without any authentication credentials.
The limitation of this protocol is that it is wide open to eavesdropping attacks.
The use of 128-bit SSL encryption can thwart these attacks.

Picture Source: http://www.roboform.com/pics/basicauth.gif

Digest Authentication

It is designed to provide a higher level of security vis-à-vis basic authentication.
It is based on the challenge-response authentication model.
It is a significant improvement over Basic authentication as it does not send the user's cleartext password over the network.
It is still vulnerable to replay attacks, since the message digest in the response will grant access to the requested resource.
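The two slides above describe Basic and Digest at the level of "cleartext" versus "challenge-response". The following added example (not code from the module) makes both concrete: it shows that a Basic Authorization header is only Base64-encoded, so anyone who can read the request can recover the password, and it computes an RFC 2617 Digest response (qop=auth) together with the server-side check that a defender needs against the replay problem the slide mentions, namely a nonce-count that must advance for each request. The realm, users and URIs are constructed sample values.

```python
import base64
import hashlib
import secrets

# ---- Basic: the credential is merely Base64-encoded, so it is readable on the wire ----

def encode_basic(username: str, password: str) -> str:
    """Authorization header value a browser sends after a 401 with WWW-Authenticate: Basic."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"

def decode_basic(header_value: str):
    """Anyone who sees the header (a sniffer, a proxy log) recovers the password like this."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, pwd = base64.b64decode(token).decode().partition(":")
    return user, pwd

# ---- Digest (RFC 2617, qop=auth): only an MD5 digest crosses the wire ----

def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(username, realm, password, method, uri, nonce, nc, cnonce) -> str:
    """response = MD5(HA1:nonce:nc:cnonce:auth:HA2); the password itself is never sent."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

class DigestServer:
    """Toy server (constructed for this example): issues nonces and refuses a response
    whose nonce-count does not advance, which is the check that stops a straight replay."""
    def __init__(self, realm: str, users: dict):
        self.realm = realm
        self.users = users      # constructed username -> password store
        self.seen = {}          # nonce -> highest nonce-count accepted so far

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.seen[nonce] = 0
        return nonce

    def verify(self, username, method, uri, nonce, nc, cnonce, response) -> bool:
        if nonce not in self.seen or int(nc, 16) <= self.seen[nonce]:
            return False        # unknown nonce, or a replayed / stale nonce-count
        password = self.users.get(username)
        if password is None:
            return False
        expected = digest_response(username, self.realm, password, method, uri, nonce, nc, cnonce)
        if not secrets.compare_digest(expected, response):
            return False
        self.seen[nonce] = int(nc, 16)
        return True

def replay_demo():
    """Returns (first_attempt_ok, identical_replay_ok) for a constructed exchange."""
    server = DigestServer("mail", {"sue": "s3cret"})
    nonce = server.challenge()
    cnonce = secrets.token_hex(8)
    resp = digest_response("sue", "mail", "s3cret", "GET", "/mail.asp", nonce, "00000001", cnonce)
    first = server.verify("sue", "GET", "/mail.asp", nonce, "00000001", cnonce, resp)
    replay = server.verify("sue", "GET", "/mail.asp", nonce, "00000001", cnonce, resp)
    return first, replay
```

A real server would also expire nonces after a short time and bind them to the client; the nonce-count check alone only catches the exact replay shown in `replay_demo`. Neither scheme protects the request body or the session, which is why the slides' advice to run both over SSL/TLS stands.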

Integrated Windows (NTLM) Authentication

It uses Microsoft's proprietary NT LAN Manager (NTLM) authentication program over HTTP.
It only works with Microsoft's Internet Explorer browser and IIS Web servers.
Integrated Windows authentication is more suitable for intranet deployment.
In this type of authentication, no version of the user's password ever crosses the wire.

Negotiate Authentication

It is an extension of NTLM authentication.
It provides Kerberos-based authentication.
It uses a negotiation process to decide on the level of security to be used.
This configuration is fairly restrictive and uncommon except on corporate intranets.

Forms-Based Authentication

It does not rely on features supported by the basic Web protocols like HTTP and SSL.
It is a highly customizable authentication mechanism that uses a form, usually composed of HTML.
It is the most popular authentication technique deployed on the Internet.

Microsoft Passport Authentication

Single sign-on is the term used to represent a system whereby users need only remember one username and password, and be authenticated for multiple services.
Passport was Microsoft's universal single sign-in (SSI) platform.
It enabled the use of one set of credentials to access any Passport-enabled site such as MSN, Hotmail and MSN Messenger.
Microsoft encouraged third-party companies to use Passport as a universal authentication platform.

What Is A Password Cracker?

According to the Maximum Security definition, "A password cracker is any program that can decrypt passwords or otherwise disable password protection."
Password crackers use two primary methods to identify correct passwords: brute-force and dictionary searches.
A password cracker may also be able to identify encrypted passwords. After retrieving the password from the computer's memory, the program may be able to decrypt it.

Modus Operandi of an attacker using a password cracker

The aim of a password cracker is mostly to obtain the root/administrator password of the target system.
Administrator rights give the attacker access to files and applications, and also help in installing a backdoor, such as a trojan, for future access to the accounts.
The attacker can also install a network sniffer to sniff the internal network traffic, so that he will have most of the information passed around the network.
After gaining root access, the attacker escalates privileges to those of the administrator.
In order to crack passwords efficiently, the attacker should use a system which has greater computing power.

How Does A Password Cracker Work? (1)

To understand well how a password cracker works, it is better to understand the working of a password generator. Most of them use some form of cryptography.
Crypto stems from the Greek word kryptos. Kryptos was used to describe anything that was hidden, obscured, veiled, secret, or mysterious. Graph is derived from graphia, which means writing.

How Does A Password Cracker Work? (2)

Cryptography is concerned with the ways in which communications and data can be encoded to prevent disclosure of their contents through eavesdropping or message interception, using codes, ciphers, and other methods, so that only certain people can see the real message.
Distributed cracking is where the cracker runs the cracking program in parallel, on separate processors. There are a few ways to do this. One is to break the password file into pieces and crack those pieces on separate machines.

Attacks - Classification

The various types of attacks that are performed by the hacker to crack a password are as follows:
Dictionary attack
Hybrid attack
Brute force attack

Attacks - Classification (contd.)

Dictionary attack - A simple dictionary attack is the fastest way to break into a machine. A dictionary file is loaded into a cracking application, which is then run against user accounts located by the application.
Hybrid attack - A hybrid attack adds numbers or symbols to the dictionary words in order to successfully crack a password.
Brute force attack - A brute force attack is the most comprehensive form of attack, though it may often take a long time to work, depending on the complexity of the password.

Password guessing

Password guessing attacks can be carried out manually or via automated tools.
Doing social engineering on the victim may also sometimes reveal passwords.
Password guessing can be performed against all types of web authentication.
The common passwords used are: root, administrator, admin, operator, demo, test, webmaster, backup, guest, trial, member, private, beta, [company_name], or [known_username]

Password guessing (contd.)

Most users assign passwords that are related to their personal life, such as their father's middle name, as shown in the screenshot.
An attacker can easily fill in the form for forgotten passwords and retrieve the same.
This is one of the simplest ways of password guessing.

Query String

The query string is the extra bit of data in the URL after the question mark (?) that is used to pass variables.
The query string is used to transfer data between client and server.

Example:
http://www.mail.com/mail.asp?mailbox=sue&company=abc%20com

Sue's mailbox can be changed by changing the URL to:
http://www.mail.com/mail.asp?mailbox=joe&company=abc%20com

Cookies

Cookies are a popular form of session management.
Cookies are often used to store important fields such as usernames and account numbers.
All of the fields can be easily modified using a program like CookieSpy.
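The Query String and Cookies slides describe the same root cause: the server takes the user's identity from something the client controls (the `mailbox=` parameter, or a plain username field in a cookie). The following added example, which is not code from the module, shows the mail.asp lookup in its trusting form beside a hardened form that takes the identity from an HMAC-signed session cookie and refuses any request for another user's mailbox. The mailbox store, the server key and the cookie layout (`username.hexmac`) are constructed assumptions for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed for this example: a per-deployment secret that only the server knows.
SERVER_KEY = secrets.token_bytes(32)

# Constructed sample data standing in for the mail store behind mail.asp.
MAILBOXES = {"sue": ["sue: welcome message"], "joe": ["joe: invoice"]}

def make_session_cookie(username: str) -> str:
    """Cookie value is 'username.hexmac'; the MAC binds the username to the server key."""
    mac = hmac.new(SERVER_KEY, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}.{mac}"

def read_session_cookie(cookie: str) -> Optional[str]:
    """Return the username only when the MAC verifies; a cookie edited on the client yields None."""
    username, sep, mac = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_KEY, username.encode(), hashlib.sha256).hexdigest()
    return username if hmac.compare_digest(expected, mac) else None

def vulnerable_mail_handler(url: str) -> Optional[list]:
    """Trusts ?mailbox= from the URL, so changing sue to joe returns Joe's mailbox."""
    mailbox = parse_qs(urlsplit(url).query).get("mailbox", [None])[0]
    return MAILBOXES.get(mailbox)

def hardened_mail_handler(url: str, cookie: str) -> Optional[list]:
    """Takes identity from the verified session cookie; the query string may only
    name the caller's own mailbox, anything else is an authorization failure."""
    user = read_session_cookie(cookie)
    if user is None:
        return None
    requested = parse_qs(urlsplit(url).query).get("mailbox", [user])[0]
    if requested != user:
        return None
    return MAILBOXES.get(user)
```

The signed cookie stops the CookieSpy-style edit because the client cannot recompute the MAC without `SERVER_KEY`; the authorization check in `hardened_mail_handler` is what stops the query-string edit, and the two are needed together. In practice the cookie would also carry an expiry and be marked `Secure` and `HttpOnly`.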

Dictionary Maker

Dictionary files can be downloaded from the Internet or can be generated manually.

Password Crackers Available

L0phtCrack
John The Ripper
Brutus
Obiwan
Authforce
Hydra
Cain And Abel
WebCracker
Munga Bunga
PassList
ReadCookies.html
SnadBoy
WinSSLMiM
RAR
Gammaprog

L0phtCrack

LC4 is one of the most popular password crackers available.
LC4 recovers Windows user account passwords to access accounts whose passwords are lost, or to streamline migration of users to other authentication systems.

John The Ripper

John the Ripper is a password cracker for UNIX, DOS, WinNT and Win95.
John can crack the following password ciphers:
standard and double-length DES-based
BSDI's extended DES-based
FreeBSD's MD5-based
OpenBSD's Blowfish-based
John the Ripper combines several cracking modes in one program, and is fully configurable.

Brutus

Brutus is an online, or remote, password cracker.
Brutus is used to recover valid access tokens (usually a username and password) for a given target system.

ObiWaN

ObiWaN is based on the simple challenge-response authentication mechanism.
This mechanism does not provide for intruder lockout or impose delay times for wrong passwords.
ObiWaN uses wordlists and alternations of numeric or alpha-numeric characters as possible passwords.

Authforce

Authforce is HTTP Authentication brute force attack software.
Using various methods, it attempts to brute force username and password pairs for a site.
It is used both to test the security of a site and to prove the insecurity of HTTP Authentication, based on the fact that users usually do not choose good passwords.

Hydra

Supports several protocols like TELNET, FTP, HTTP, HTTPS, LDAP, SMB, SMBNT, MYSQL, REXEC, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, ICQ, Cisco auth, Cisco enable, Cisco AAA.
Utilizing the parallel processing feature, this password cracking tool can be fast, depending on the protocol.
This tool allows for rapid dictionary attacks and includes SSL support.

Cain And Abel

Cain & Abel is a password recovery tool for Microsoft Operating Systems.
It allows for the easy recovery of various kinds of passwords by sniffing the network and cracking encrypted passwords using Dictionary, Brute-Force, Cryptanalysis attacks, etc.
It contains a feature called APR (ARP Poison Routing) which enables sniffing on switched LANs by hijacking IP traffic of multiple hosts at the same time.

RAR

This program is intended to recover lost passwords for RAR/WinRAR archives of versions 2.xx and 3.xx.
The program cracks passwords by the brute force method, or the wordlist or dictionary method.
The program is able to save its current state. An estimated time calculator allows the user to configure the program more carefully.

Gammaprog

Gammaprog is a brute force password cracker for web-based e-mail addresses.
It supports POP3 cracking as well.
It provides piping support. If the wordlist name is stdin, the program will read from stdin rather than from a file.
It includes Wingate support for POP3 cracking.

Hacking Tool: WebCracker

WebCracker is a simple tool that takes text lists of usernames and passwords and uses them as dictionaries to implement Basic authentication password guessing.
It keys on the "HTTP 302 Object Moved" response to indicate successful guesses. It will find all successful guesses given in a usernames/passwords combination.

Hacking Tool: Munga Bunga

It is Brute Force software that uses the HTTP protocol to establish its connections.

Hacking Tool: PassList

PassList is another character-based password generator.

Hacking Tool: Read Cookies

Reads cookies stored on the computer. This tool can be used for stealing cookies or cookie hijacking.

Hacking Tool: SnadBoy

http://www.snadboy.com

"Snadboy Revelation" turns back the asterisks in password fields to plain text passwords.

Hacking Tool: WinSSLMiM

http://www.securiteinfo.com/outils/WinSSLMiM.shtml

WinSSLMiM is an HTTPS man-in-the-middle attacking tool. It includes FakeCert, a tool to make fake certificates.
It can be used to exploit the Certificate Chain vulnerability in Internet Explorer. The tool works under Windows 9x/2000.

Usage:
FakeCert: fc -h
WinSSLMiM: wsm -h

Mary Had A Little Lamb Formula

Consider a sentence:

Mary had a little lamb. The lamb had white fleece.

1. Consider the first letter of each word, i.e.: MHALLTLHWF
2. Every second letter of the abbreviation can be put in the lower case, i.e.: MhAlLtLhWf
3. Replace A with @ and L with !. Thus a new alphanumeric password, more than 8 characters, will be formed.
4. New Password: Mh@l!t!hWf

Picture Source: http://www.gypcnme.com/ceramic%20arts%20Mary%20Had%20Lamb.gif

Countermeasures

Passwords chosen should have at least eight characters.
Passwords should have a combination of small and capital letters, numbers, and special characters.
Words which are easily found in a dictionary should not be used as passwords.
Public information such as social security number, credit card number, ATM card number, etc. should not be used as passwords.
Personal information should never be used as a password.
Username and password should be different.

Countermeasures

Managers and administrators can enhance the security of their networks by setting strong password policies.
Password requirements should be built into organizational security policies.
System administrators should implement safeguards to ensure that people on their systems are using adequately strong passwords.
When installing new systems, default passwords must be set to pre-expire and need changing immediately.

Countermeasures

The user can use the SRP protocol. SRP is a secure password-based authentication and key-exchange protocol. It solves the problem of authenticating clients to servers securely in the case where the user of the client software is required to memorize only a small secret (like a password) and carries no other secret information.
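The slide names SRP without showing why it resists the attacks in this module. The following added example, which is not code from the module, walks through the SRP-6a exchange with both sides' messages: the server stores only a salt and a verifier v = g^x, the client sends A = g^a, the server answers with the salt and B = k·v + g^b, and each side derives the same session key S = g^(ab + bux) without the password ever leaving the client. The hash function, the message layout and the group parameters are assumptions made for readability; the prime N used here is far too small for real use, where the RFC 5054 groups of 2048 bits or more apply.

```python
import hashlib
import secrets

# Constructed toy parameters: keep the arithmetic readable, same algebra as real SRP.
N = 2**127 - 1     # a prime; real deployments use the RFC 5054 safe primes (2048+ bits)
g = 2

def H(*parts) -> int:
    """Hash any mix of integers and strings to an integer (SHA-256 over their decimal/text form)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(str(p).encode())
    return int.from_bytes(h.digest(), "big")

k = H(N, g)        # SRP-6a multiplier parameter

def private_x(salt: str, identity: str, password: str) -> int:
    return H(salt, H(f"{identity}:{password}"))

def enrol(identity: str, password: str):
    """Registration: the client derives the verifier v; the server keeps only (salt, v)."""
    salt = secrets.token_hex(8)
    v = pow(g, private_x(salt, identity, password), N)
    return salt, v

class Server:
    def __init__(self):
        self.db = {}   # identity -> (salt, v); no password and nothing that yields one cheaply

    def register(self, identity: str, salt: str, v: int):
        self.db[identity] = (salt, v)

    def challenge(self, identity: str, A: int):
        """Message 2: given the client's A, reply with the salt and B = k*v + g^b mod N."""
        if A % N == 0:
            raise ValueError("rejecting A = 0 mod N")
        salt, v = self.db[identity]
        self.b = secrets.randbelow(N - 2) + 1
        self.A, self.v = A, v
        self.B = (k * v + pow(g, self.b, N)) % N
        return salt, self.B

    def check_proof(self, M1: int) -> bool:
        """Message 4: compute S = (A * v^u)^b and verify the client's proof of the same key."""
        u = H(self.A, self.B)
        S = pow(self.A * pow(self.v, u, N), self.b, N)
        self.K = H(S)
        return M1 == H(self.A, self.B, self.K)

class Client:
    def __init__(self, identity: str, password: str):
        self.identity, self.password = identity, password

    def start(self) -> int:
        """Message 1: send A = g^a mod N; the password itself is never transmitted."""
        self.a = secrets.randbelow(N - 2) + 1
        self.A = pow(g, self.a, N)
        return self.A

    def proof(self, salt: str, B: int) -> int:
        """Message 3: S = (B - k*g^x)^(a + u*x), then prove knowledge of K = H(S)."""
        if B % N == 0:
            raise ValueError("rejecting B = 0 mod N")
        x = private_x(salt, self.identity, self.password)
        u = H(self.A, B)
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        self.K = H(S)
        return H(self.A, B, self.K)

def run_srp(identity: str, real_password: str, offered_password: str) -> bool:
    """Full exchange; True only when the client's password matches the stored verifier."""
    server = Server()
    salt, v = enrol(identity, real_password)
    server.register(identity, salt, v)
    client = Client(identity, offered_password)
    A = client.start()
    salt, B = server.challenge(identity, A)
    return server.check_proof(client.proof(salt, B))
```

What the exchange buys the defender: a sniffer sees A, B, the salt and a hash, none of which can be replayed (a and b are fresh each run) or fed to an offline cracker without solving a discrete logarithm in the group; a stolen verifier database does not let an attacker log in as the user; and a server that does not hold v cannot impersonate the real one to harvest the password. The checks on A and B being zero mod N are part of the protocol and must not be dropped.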

Summary

Authentication is the process of checking the identity of the person claiming to be the legitimate user.
HTTP, NTLM, Negotiate, Certificate-Based, Forms-based and Microsoft Passport are the different types of authentication.
Password crackers use two primary methods to identify correct passwords: brute-force and dictionary searches.
L0phtCrack, John The Ripper, Brutus, Obiwan, etc. are some of the most popular password cracking tools available today.
The best technique to prevent the cracking of passwords is to have passwords which are more than 8 characters long and incorporate alphanumeric as well as special characters.