Summary: Password and user account exploitation is one of largest issues in network security. In this article Rob Shimonski will look at password cracking: the how and why of it. Rob will explain just how easy it is to penetrate a network, how attackers get in, the tools they use, and ways to combat it.
Attacks on a company or organization's computer systems take many different forms, such as spoofing, smurfing, and other types of Denial of Service (DoS) attacks. These attacks are designed to harm or interrupt the use of your operational systems. This article deals with a single wide-spread form of attack known as password cracking.
Password cracking is a term used to describe the penetration of a network, system, or resource with or without the use of tools to unlock a resource that has been secured with a password. In this article I will take a look at what password cracking is, why attackers do it, how they achieve their goals, and what you can do to do to protect yourself. I will briefly take a look at the attackers themselves: their psychological makeup and their motives. Through an examination of several scenarios, I will describe some of the techniques they deploy and the tools that aid them in their assaults, and how password crackers work both internally and externally to violate a company's infrastructure. Finally, the article provides a checklist to help protect you from password cracking.
Before exploring the methods for doing this, let's first peer into the mind of the attacker and learn why they might want access to your network and systems.
Attackers: how and why they attack
There is an on-going debate about the definition of the word hacker. A hacker can be anyone with a deep interest in computer-based technology; it does not necessarily define someone who wants to do harm. The term attacker can be used to describe a malicious hacker. Another term for an attacker is a black hat. Security analysts are often called white hats, and white-hat analysisis the use of hacking for defensive purposes.
Attackers' motivations vary greatly. Some of the most notorious hackers are high school kids in their basements planted in front of their computers looking for ways to exploit computer systems. Other attackers are disgruntled employees seeking revenge on a company. And still other attacks are motivated by the sheer challenge of penetrating a well-secured system.
.
Methods of attack
Password cracking doesn't always involve sophisticated tools. It can be as simple as finding a sticky note with the password written on it stuck right to the monitor or hidden under a keyboard. Another crude technique is known as "dumpster diving," which basically involves an attacker going through your garbage to find discarded documentation that may contain passwords.
Of course attacks can involve far greater levels of sophistication. Here are some of the more common techniques used in password cracking:
- Dictionary attack
A simple dictionary attack is by far the fastest way to break into a machine. A dictionary file (a text file full of dictionary words) is loaded into a cracking application (such as L0phtCrack), which is run against user accounts located by the application. Because the majority of passwords are often simplistic, running a dictionary attack is often sufficient to to the job.
- Hybrid attack
Another well-known form of attack is the hybrid attack. A hybrid attack will add numbers or symbols to the filename to successfully crack a password. Many people change their passwords by simply adding a number to the end of their current password. The pattern usually takes this form: first month password is "cat"; second month password is "cat1"; third month password is "cat2"; and so on.
- Brute force attack
A brute force attack is the most comprehensive form of attack, though it may often take a long time to work depending on the complexity of the password. Some brute force attacks can take a week depending on the complexity of the password. L0phtcrack can also be used in a brute force attack.
Next, take a look at some of the tools attackers use to break into a system.
.
Tools of the trade
One of the most popular tools is L0phtCrack (now called LC4). L0phtCrack is a tool that allows an attacker to take encrypted Windows NT/2000 passwords and convert them to plaintext. NT/2000 passwords are in cryptographic hashes and cannot be read without a tool like L0phtCrack. It works by attempting every alphanumeric combination possible to try to crack passwords. Another commonly-used tool is a protocol analyzer (better known as a network sniffer, such as Sniffer Pro or Etherpeek), which is capable of capturing every piece of data on the network segment to which it is attached. When such a tool is running inpromiscuous mode, it can "sniff" everything going around on that segment such as logins and data transfers. As you'll see later, this can seriously damage network security allowing attackers to capture passwords and sensitive data. Let's take a look at a few scenarios and examine how attackers launch their attacks and how they might be stopped or prevented. I'll first describe a couple of scenarios involving internal attacks (that is, attacks that originate within an organization), and then take a look at a couple of scenarios involving external attacks.
.
Internal attacks
Internal attackers are the most common sources of cracking attacks because attackers have direct access to an organization's systems. The first scenario looks at a situation in which a disgruntled employee is the attacker. The attacker, a veteran systems administrator, has a problem with her job and takes it out on the systems she is trusted to administer, manage, and protect.
Example: The disgruntled employee
Jane Smith, a veteran system administrator with impeccable technical credentials, has been hired by your company to run the backup tapes during the late evenings. Your company, an ISP, has a very large data center with roughly 4000+ systems all monitored by a Network Operations Center. Jane works with two other technicians to monitor the overnight backups and rotate the tapes before the morning shift comes in. They all work independently of each other: one technician works on the UNIX Servers, one technician covers the Novell Servers, and Jane has been hired to work on the Windows 2000 Servers.
Jane has been working on the job for six months now and is a rising star. She comes in early, stays late and has asked to transfer to another department within the company. One problem: there are no open positions at the time. During the last month you (security analyst) have noticed a dramatic increase in the number of attempts at Cisco router and UNIX Server logins. You have CiscoSecure ACS implemented so you can audit the attempts and you see that most of them occur at 3 a.m.
Your suspicions are aroused, but as a security analyst, you can't go around pointing fingers without proof.
A good security analyst starts by looking deeper into the situation. You note that the attacks are from someone of high caliber and occur during Jane's shift, right after she is done with her tape rotation assignment and usually has an extra hour to study or read before the day operations team comes in. So you decide to have Jane supervised at night by the night operations manager. After three weeks of heavy supervision, you notice that the attacks have stopped. You were right. Jane was attempting to log into the Cisco routers and UNIX servers.
A good security analyst also needs to employ a good auditing tool, such as Tacacs+, to log attacks. Tacacs+ is a protocol used by applications such as CiscoSecure ACS that will force Authorization, Accountability, and Authentication (AAA for short). If you have Authorization, then the person requesting access needs to be authorized to access the system. If you have Authentication, then the user accessing a resource needs to be authenticated with rights and permissions to have access. What happens when you are authorized and also authenticated? You must be held Accountable. Accounting logs alone solve many password cracking problems by forcing an attacker to be held accountable, authenticated and authorized.
Next, I'll give an example of an old (but still widely used) attack, which involves sniffing passwords right off the network. You can see how a network supervisor had his Cisco routers and switches cracked by a help desk technician within the company.
Example: The help desk technician
Tommy is hired for the position of help desk technician to work with the after hours help desk crew. The after hours help desk staff is made up of roughly 10 technicians who provide coverage for eight remote sites that the company needs to support during off hours. Tommy always brings his laptop with him to work. When questioned about the laptop by his manager, Tommy explains that he is using his break time to prepare for a certification test. This seems harmless and is approved, even though there is a company-wide security policy in place about bringing machines from the outside into the corporate network without corporate security looking the device over.
Tommy is eventually caught by a surveillance camera leaving a small wiring closet with something under his arm. But since nothing is reported missing, there is no way to prove that Tommy has done anything wrong. And when questioned by the help desk manager about why he was in the closet, Tommy says that he mistakenly entered it thinking it was a break room.
The company's security manager, Erika, sees the report filed by the guards responsible for the physical security of the building. She wonders what Tommy was doing in that closet and is not satisfied with the answer he gave to the help desk manager. Upon searching the closet, she finds an unplugged patch cable hanging from one of the patch panels and an empty hub port. When she plugs the cable back in, the link light does not come back on suggesting that this is a dead port. Cable management Velcro straps neatly hold all the other cables together. With Erika's years of experience and keen sense of security exploitation, she knows exactly what happened.
Erika assumes that Tommy has brought his laptop in the wiring closet unseen. He most likely looked for a dead port on the hub and plugged his laptop in with a packet sniffer installed on it, which promiscuously picks up traffic on a network segment. He returns later to pick up the laptop, which is caught on the surveillance camera, to take home for analysis after saving the capture file.
Using the company's security policy, she confronts Tommy and explains that all personal property, such as laptops and palm pilots, are subject to search if on the premises illegally. Since Tommy never should have had his laptop there in the first place, he hands it over to Erika. Upon careful examination, Erika finds the following trace decode as seen in Figure 1.
Figure 1. Captured telnet traffic with a protocol analyzer
A close examination of the Hex pane of the Sniffer Pro analyzer in Figure 2 reveals ASCII data in clear view on the right side of the pane. While attached to a switch in the closet, Tommy ran the configuration while connected via a telnet session. Since the telnet protocol is unsecure and sent via cleartext, it is easy to see the password: "cisco."
Figure 2. ASCII decode of plaintext data
This is one of the most basic principles of security: Never use a product name as a password. But in spite of how basic a principle it is, it's remarkable how often it is still done.
Next, turn your attention to some external threats.
.
External attacks
External attackers are those who must traverse your "defense in depth" to try and break into your systems. They don't have it as easy as internal attackers. The first scenario involves a fairly common form of external attack known as Web site defacing. This attack uses password cracking to penetrate the systems that the attacker wants to deface. Another possible password cracking attack is when an attacker tries to obtain passwords via Social Engineering. Social Engineering is the tricking of an unsuspecting administrator into giving the account ID and passwords over to an attacker. Lets take a look at both.
Example: Web site home page defacing
Figure 3 demonstrates a fairly common and simple example of external password cracking: defacing a Web site's home page. It takes little effort and is usually accomplished by simply exploiting an Internet Information Server (IIS) that has its permissions set incorrectly. The attacker simply goes to a workstation and tries to attack the IIS server with an HTML editing tool. When trying to attach over the Internet to the site, the attacker uses a password generator tool, such as L0phtCrack, which launches a brute force attack against the server.
Figure 3. Home page replaced by an attacker
Your company's reputation is on the line. Business vendors and associates will lose faith in you if they perceive that your data is kept on unsecured servers. Make sure you look at inside and outside threats equally.
Example: Social engineering tricks
Non-tool related tricks to crack passwords are called social engineering attacks. Read this a scenario to learn more.
Jon is the new security analyst for a large company. His first job is to test his company's security stance. He of course lets management know what he is about to do (so he doesn't get labeled as an attacker himself). He wants to see how hard it is to crack into the network without even touching a single tool. He tries two separate but equally devastating attacks.
As a new employee in a large organization, John isn't known to many people yet, which makes it easy for him to pull off his first social engineering attack. His first target is the help desk. Jon makes a routine call to the help desk and asks for a password reset as a supposed remote user. Jon already has half the information he needs since he knows that the company's naming convention is simply first name and the first initial of the user's last name. The CIO's name is Jeff and his last name is Ronald, so JeffR is his login ID. This information is readily available from the company's phone directory. Masquerading as the CIO, Jon calls the help desk and asks for a password reset because he has forgotten his password. This is a normal ritual for the help desk technician who resets forgotten passwords 100 times a day and calls the requestor back letting them know what their knew password is. The help desk technician calls Jon back five minutes later and lets him know that his new password is "friday" because it happens to be Friday. Within another 5 minutes, Jon is in the CIO's shared files on the server and in his e-mail.
Jon's next social engineering attack involves a good friend of his who works for the local telephone company. Jon borrows some of his gear and his belt and badge on his friend's day off. Jon takes his new gear and heads to another part of the organizations campus where all the disaster recovery routers and servers are located. This hardware contains a working copy of all the company's current data and is considered confidential. Jon walks into the campus security office in his Telco costume and explains that he has been called out by the Local Exchange Carrier (LEC) because a circuit appears to be looped from the Telco. He needs to be let into the data center so he can check out if there are any alarms on the Smart Jack.
The onsite administrator escorts Jon to the data center not even checking his ID. Once inside, the administrator wisely sticks around, so Jon starts his test. After a few minutes, Jon informs the administrator that he will have to call his office and have them run some more tests so he can loop off the Smart Jack and try to troubleshoot. Jon lets the administrator know that this will take about 45 minutes, so the administrator gives Jon his pager number and asks that he page him when he is done to let him out. Jon has now successfully eliminated the only obstacle between him and the 30 servers all lined up in racks along the back wall of the data center.
Jon has a few different opportunities now. He can go to every server and start looking for unlocked consoles, or he can plug his laptop into an open port and start sniffing. Since he really wants to see how far he can go, he decides to look for open consoles. After five minutes of looking through all the KVM slots, he finds a Windows NT server running as the Backup Domain Controller for the Domain. Jon pulls a CD out of his bag and enters it into the CD tray of the server. He installs L0phtCrack onto a BDC for the companies Domain and runs a dictionary attack. Within five minutes produces the following password: Yankees. It turns out the lead administrator is a New York Yankees fan. He now has access to the company's most vital information.
Now look at how this was done.
Figure 4. Using L0phtCrack to break the Administrator password
.
A protection check list
Here is a checklist of things you can do to make password cracking more difficult:
- Audit your organization! Do a walk through and make sure passwords are not stuck to monitors or under keyboards.
- Set up dummy accounts. Get rid of the administrator (or admin) account or set it up as a trap and audit it for attempts.
- Use strong, difficult to guess passwords, and never leave a console unlocked.
- Backups are necessary in case you are compromised. You need a working set of data, so make sure you have it. Keep the tapes secure too, or the data there will be compromised as well.
- Prevent dumpster diving. Don't throw sensitive information away; shred it or lock it up.
- Check IDs and question people you don't know. When you have visitors, check them out and make sure they belong.
- Educate your end users. Make sure they aren't prone to social engineering and educate and remind internal users of the company's security policies.
.
Summary
In this article I've described some of the psychology behind an attacker's motivation and some of the low-tech and high-tech methods used to crack passwords. You've looked at several attack scenarios, including attacks against major companies by a veteran administrator, a help desk technician, and an outside vandal. You also saw how password crackers use techniques both internally and externally to your infrastructure. Finally, some ideas on how to properly secure yourself and your systems from the possibility of a password cracking attack were offered. Combating these attacks ultimately requires a conscious effort, trained individuals, useful tools, and sound security policies. Hopefully, as a proactive security analyst, you can make a difference in helping to slow down this malicious activity within your organizations as well as outside of them. Otherwise, you may find Jon in your server room with a smirk on his face and your data in his hands.
- Read the developerWorks article Protecting Passwords: authenticating users, this article is a great read to get your mind around how to protect your passwords in the first place.
- See also the developerWorks article Setting up a security policy, also a must read.
- The CERT Coordination Center is a center of Internet security expertise at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University. They study Internet security vulnerabilities, handle computer security incidents, and publish security alerts.
- Check out the following article available from the CERT organization on Protecting Yourself from Password File Attacks.
- Password Cracking Activity discovered by the CERT organization can be researched athttp://www.cert.org/incident_notes/IN-98.03.html.
- Password cracking tools are available worldwide over the Internet. Check out http://www.pwcrack.com for security and cracking resources available on the Internet.
- Sans.org is the leading source of Internet and Network security administration worldwide. You can research many topics in their extensive library of information.
- General Security information can be found and researched on the Security Focus Web site.
About the author
Robert J. Shimonski (Truesecure TICSA, Cisco CCDP, CCNP, Nortel NNCSS, Microsoft MCSE, MCP+I, Novell Master CNE, CIP, CIBS, IWA CWP, Prosoft CIW, SANS GSEC, GCIH, CompTIA Server+, Network+, Inet+, A+, e-Biz+, Symantec SPS and NAI Sniffer SCP) is a Lead Network and Security Engineer for a leading manufacturer company. Robert's specialties include network infrastructure design with the Cisco and Nortel product line, network security design and management with CiscoSecure and PIX firewalls, network management and troubleshooting with CiscoWorks, CiscoSecure, Sniffer-based technologies, and HPOV. Robert is the author of many security-related articles and published books, including the upcoming Sniffer Network Optimization and Troubleshooting Handbook from Syngress Media, Inc. You can contact Robert at rshimonski@rsnetworks.net.
Posts
