Users/systems and passwords that they set are one of the most commonly exploited factors when it comes to security concerns for an individual or an organization.
Password cracking is the process in which we can guess a password that is either at rest (stored) or in motion. Password cracking can be a simple process or a tedious job, based on the complexity of the set password and the tool used to crack it.
In today’s environment we are all asked to set password for 8 character or more, in alpha numeric format. This does not guarantee that the password we set are safe from any kind of cracking. All that is required for the password to be cracked is the intend and patience of the person who is trying to crack the password.
But, first things first, why do we need to crack any password?
Passwords are normally cracked to recover a forgotten password. This is highly useful in cases where we cannot reset the old password, due to system limitations or the need of old password to validate the authenticity of the person requesting the password reset.
In some scenarios it’s used to check the complexity of the set password. Many security policies mandates that the password complexity is checked to make sure that a complex password is set or used. This type of cracking needs to be done with full consent of the owner. This is an outdated way of checking complexity as we have methods to force users to set complex passwords that’s a mix of alphabets, numbers and special characters.
An unethical, and maybe the most common, use of cracking password is for gaining unauthorized access to systems. The word “cracking” suggest an unauthorized access to stored passwords.
We are all told to configure complex passwords and we mostly end up configuring passwords that we don’t remember the next moment. We follow the “hard to guess” format of setting password, but end up with “hard to remember” passwords. When we setup passwords, it has to be one which is “hard to guess” but “easy to remember”.
Many systems and accounts were hacked or accessed because they used common or default passwords, which are common words predefined by the system providers. Many of systems exposed over the internet do not follow the baseline security requirement; change default passwords. Some common passwords used by systems and users are; admin, password, cisco, pass123, Pass@123, admin123, default, guest, user etc.
All security conscious application, database or website should store the passwords in one-way hashed format. Encryption protocols like MD5 and SHA-1 can be used for hashing. Encrypting a password and converting it to a one-way hash is useful in case of a security breach where the hacker gets hold of the password database. Hacker will now need to de-crypt the hashed data to get hold of the exact password.
Methods to Crack a Password
Passwords are mostly cracked with help of tools, and in some cases we need to feed in a database or list of passwords that needs to be checked against the actual password. This can be a simple tool or some complex ones to crack really complex passwords, with the help of best in class algorithms.
1) Password Guessing
I am sure that we all have used this method of Password cracking at least once in our life, if not more. This is the most common method of cracking a password. This is mostly used in case where we have forgotten our password and want to try the ones that we remember to check if it fits in. Password guessing method is basically not done with a malicious intend, but even hackers do try guessing passwords. There is no tool in particular can be used for guessing. Password can be guessed based on the users’ information known to hacker or the users’ mode of password configuration.
In case of WiFi, a WPA password should be at least 10 digits. And what is the most common 10 digit numbers? Mobile Numbers!! So a hacker can easily try a users’ mobile number in such scenarios.
2) Dictionary Method
In dictionary method of password cracking, a tool is used to try passwords from a list of custom password list (also called as wordlist) of that is most likely to be the ones to succeed. This custom list can be the commonly used passwords, and its still a success because most of us would like to set up a password that is simple and easy to remember. Dictionary method is not the guaranteed method to crack a password. It is only as good as the list fed to the tool. This method usually does not take long time to finish. Time to go through the entire list of password is directly proportional to the database of password list.
One counter measure to safe-guard from dictionary attack is setting account lockouts. If a hacker tries wrong password more times than a set number of times (in most cases, 3; but can vary from company to company), the account gets locked and in some cases, the administrator alerted about the account lockout.
3) Hybrid Method
Hybrid attacks takes the Dictionary method to the next level. If the Dictionary method looks at a list of words, Hybrid method adds characters to these dictionary list of words. Hybrid thus takes more time to crack a password; but we might get better results. Its common scenario in many cases where users add numbers at the end of a word or replace some characters with similar looking numbers. If “Password” is your password then it can be converted to Passw0rd or Pa55word or P@ssw0rd etc.
One countermeasure to Hybrid crack method is called “adding salt”, where a random word or characters are automatically added to the password, making it more secure.
4) Brute Force Method
This is the most comprehensive method to crack a password. This cracking process may last weeks or even months. This is also very resource intensive on the computer doing the cracking and also on the person cracking a password.
In this method, the tool tries every combination of characters till the password is cracked.
There are countermeasure for this kind of attack. A One Time Code is one such measure, where the password is encrypted with this code and it becomes very difficult to reverse the process.
5) Rainbow Table Method
A rainbow table is a list of pre-computed hashes. It makes use of two functions, a hashing function and a reduction function. The hashing function for a given set of tables must match the hashed password you wish to recover and the reduction function must transform a hash into something usable as a password.
This is the latest method to crack a password. It does not require high end systems or built-in tables and sophisticated technology. It is all about tricking the user in giving away his password, without the user’s knowledge.
In this type of password cracking, a malicious mail is sent to the user; mainly claiming to be from a bank, asking the user to reset the username and password via the link provided. If a user believes this mail and click on the link, they are taken to a bogus or site looking similar to the actual bank’s website. When the user puts in the user name and password, it is actually getting stored in the malicious users’ database; thus capturing the user’s credentials without the use of any tools.
User awareness is the method to curb this type of cracking.
7) Social Engineering and Shoulder Surfing
Social Engineering method of password cracking is all about “sweet talk”. The target user may get a call from the malicious user claiming to be calling from IT Helpdesk, Bank, Credit Card department etc. During the course of the call, the bogus caller will try and get the required username and password out of you. Excuses may be as common as cross-verifying the username and password, re-building of database etc.
Shoulder Surfing is all about looking at someone typing the password, over his/her shoulder.
User awareness is again the method to curb this type of cracking.
Key loggers are another common method to capture passwords. On this method a software or a hardware is used to capture data that a user types in. The key loggers are installed to the target system via email attachments or is sometimes a part of genuine softwares. Once installed these tools as ways in which they evade detection from scanners and it sends the captured data to the malicious user or in cases on hardware key loggers, stores in its database. Hardware key loggers are now gaining traction, where they are used to capture ATM card PINs.
Tools used for Password Cracking.
There are so many paid and free tools available to crack passwords. Some common tools that can be used are listed below:-
Cain and Abel
It’s a tool developed by Microsoft, and can be used to crack passwords by different methods, like dictionary attack, brute force method and sniffing network traffic. This tool is commonly used by administrators, penetration testers, forensic engineers and other security vendors. It requires a Windows 2000/XP/NT system for installation.
Some Features of Cain and Abel:-
Reveals locally stored passwords.
Enables sniffing and Man-in-the-Middle attacks.
Sniff passwords, hashes and authentication information while they are transmitted on the network.
Allows you to capture all data sent in a Remote Desktop Protocol (RDP), SSH-1, HTTPS and other common protocols.
Can act as a Wireless Scanner giving information like SSID, authentication mechanism, MAC address, signal strength, vendor details etc.
John the Ripper
This tool was originally developed for Unix, but now it is available for many different flavors of OS. This tool is capable of not just dictionary but supports a lot of other cracking methods, as it combines several cracking methods in one single program.
Some features of John the Ripper
Supports Unix crypt(3) hash types, like DES and extended DES based hash.
Supports Kerberos and Windows LM hashes.
Pro version supports Windows NTLM and Mac OS X 10.4+ salted SHA-1 hashes.
This is an open source program, used to crack passwords. This is mainly used to crack Windows based passwords, based on rainbow tables. This tools can be run on various flavors of OS like Windows, Linux, MAC etc.
Some features of Ophcrack
Supports LM and NTLM hashes.
Supports Brute-force module for simple passwords.
Free tables are available for download.
Different kinds of Crackers
Malicious intend and source of attack can be many. In a corporate environment, the malicious user is almost always an insider. An insider has the best chance to gain access to guarded resources and they may not have to worry about perimeter security controls like Intrusion Detection and Prevention systems or Next Generation Firewalls. The insider knows the network, may also have knowledge of the other security measures in place and will think twice before attempting a hack.
Another band of malicious users are disgruntled employees. An ex-employee removed or resigned from an organization with any grudge against an individual or the organization itself will initiate an attack. It is therefore very important that an organization de-activate any account related to that employee.
The third kind of malicious users are the ones who attack/crack for financial gain. Its very common in today’s environment to crack into accounts and steal credit card details and other data which can fetch money in many thriving underground markets.
Log Analysis, a Counter Measure to track access.
In the event of an unauthorized access, it is very important that a security analyst goes through the logs in all relevant places before pin-pointing on the reason or source of attack. The Security Analyst can start from them the perimeter devices and track the access path till its actual destination, which can be encrypted passwords stored in databases or any other data that the malicious user wants to steal.
There has been a case where an organization discovered that its system were hacked and data stolen. On analyzing the logs, it was observed that the hack happened via a particular users’ id. On questioning the user, it came to light that on the days when the hack happened the user was in certain circumstance from where there was no access to the organization’s network. Then how did this hack happen?? On further analysis, of the users’ activity, it was observed that this user had re-set the system password with the help of a helpdesk engineer, who after couple of days had resigned. The user continued to use the simple password reset by the helpdesk engineer, and the helpdesk engineer in turn took advantage of this.
Whatever password we chose, do not make it simple for the tool trying to crack it.