Class Password Hacking 2023

Password hacking can occur through various methods like data breaches, password cracking, guessing, physical theft, and malware. Hackers use tools like Hydra and dictionaries to perform dictionary attacks by trying likely words. Brute force attacks try all possible combinations which may take a long time. Hybrid attacks combine elements to crack passwords. Default passwords and insecure code also allow password hacking. Countermeasures include strong, unique passwords and multi-factor authentication.

Uploaded by Ayush

9/20/2023

Password Hacking
• Password attacks are one of the most common forms of corporate and personal data breach.
• Hackers steal your passwords through a variety of methods including data breaches, password cracking, guessing, physical theft and malware.


Passwords
Authentication

• User has a secret password.
• System checks it to authenticate the user.
• Vulnerable to eavesdropping when password is communicated from user to system.

• How is the password stored?
• How does the system check the password?
• How easy is it to guess the password?
– Easy-to-remember passwords tend to be easy to guess.
– Password file is difficult to keep secret.

Passwords
Authentication

• Password cracking is the process of recovering secret passwords from data that has been stored in or transmitted by a computer system.

Password Guessing
• Many passwords can be guessed either by humans or by sophisticated cracking programs armed with dictionaries (dictionary based) and the user's personal information.
• Not surprisingly, many users choose weak passwords, usually one related to themselves in some way.


Password Guessing from the Command Line

• Accounts may lock out after too many guesses.

A Password Guessing Script

• Put password – user name pairs in a file named credentials.txt
• Tools: enum, Brutus, THC Hydra, Medusa, Venom, TSGrinder, many more


Password Guessing

• blank (none)
• the word "password", "passcode", "admin" and their derivatives
• the user's name or login name
• the name of their significant other or another person (loved one), their birthplace or date of birth
• a pet's name

Password Guessing

• a dictionary word in any language
• automobile license plate number
• a row of letters from a standard keyboard layout (e.g., the qwerty keyboard -- qwerty itself, asdf, or qwertyuiop)
• a simple modification of one of the preceding, such as suffixing a digit or reversing the order of the letters
• and so on....


Dictionary attack
• A dictionary attack is a method used to attack an authentication system by trying to determine the password with the probability of all possible words in a dictionary.
• A dictionary file (a text file full of dictionary words) is loaded into a cracking application (such as L0phtCrack), which is run against user accounts located by the application.

Dictionary attack

• Hydra is a popular tool that is widely used for dictionary attacks.


Brute force attack

• An automatic tool is used that tries all possible combinations of available keys on the keyboard as the victim's password.
• A brute force attack is the most comprehensive form of attack, though it may often take a long time to work depending on the complexity of the password.
• L0phtcrack can also be used in a brute force attack.


Conditions that could indicate a brute-force attack

• Many failed logins from the same IP address
• Logins with multiple usernames from the same IP address
• Logins for a single account coming from many different IP addresses
• Excessive usage and bandwidth consumption from a single user
• Failed login attempts from alphabetically sequential usernames or passwords
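The indicators on this slide can be checked mechanically. The script below is an added example, not part of the original deck: it runs four of the indicators (many failures from one IP, many usernames from one IP, one account from many IPs, alphabetically sequential usernames) over a small constructed authentication log. The log format, field order and the thresholds are assumptions chosen for the example; a real deployment would tune them to its own traffic.

```python
from collections import defaultdict

# Constructed sample log lines (not from the slides): "time source_ip username result".
SAMPLE_LOG = """\
09:00:01 10.0.0.5 alice FAIL
09:00:02 10.0.0.5 alice FAIL
09:00:03 10.0.0.5 alice FAIL
09:00:04 10.0.0.5 alice FAIL
09:00:05 10.0.0.5 alice FAIL
09:00:06 10.0.0.5 alice FAIL
09:01:00 10.0.0.9 aaron FAIL
09:01:01 10.0.0.9 abbey FAIL
09:01:02 10.0.0.9 abel FAIL
09:01:03 10.0.0.9 adam FAIL
09:02:00 192.168.1.10 bob FAIL
09:02:01 192.168.1.11 bob FAIL
09:02:02 192.168.1.12 bob FAIL
09:02:03 192.168.1.13 bob FAIL
09:02:04 192.168.1.14 bob OK
09:03:00 10.0.0.7 carol OK
"""


def parse_log(text):
    """Turn the whitespace-separated log format above into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, ip, user, result = line.split()
        events.append({"time": when, "ip": ip, "user": user, "ok": result == "OK"})
    return events


def longest_sorted_run(names):
    """Length of the longest run of consecutive attempts whose usernames are in
    strictly increasing alphabetical order (a wordlist being walked in order)."""
    best = run = 1 if names else 0
    for prev, cur in zip(names, names[1:]):
        run = run + 1 if cur > prev else 1
        best = max(best, run)
    return best


def find_brute_force_indicators(events, fail_threshold=5, user_threshold=3,
                                ip_threshold=3, seq_run=4):
    """Apply the slide's indicators; the thresholds are hypothetical tuning knobs."""
    fails_per_ip = defaultdict(int)
    users_per_ip = defaultdict(set)
    ips_per_user = defaultdict(set)
    attempts_per_ip = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails_per_ip[e["ip"]] += 1
        users_per_ip[e["ip"]].add(e["user"])
        ips_per_user[e["user"]].add(e["ip"])
        attempts_per_ip[e["ip"]].append(e["user"])

    findings = []
    for ip, n in fails_per_ip.items():          # many failed logins from one IP
        if n >= fail_threshold:
            findings.append(("many_failures_from_ip", ip, n))
    for ip, users in users_per_ip.items():      # many usernames tried from one IP
        if len(users) >= user_threshold:
            findings.append(("many_usernames_from_ip", ip, len(users)))
    for user, ips in ips_per_user.items():      # one account hit from many IPs
        if len(ips) >= ip_threshold:
            findings.append(("one_account_many_ips", user, len(ips)))
    for ip, users in attempts_per_ip.items():   # alphabetically sequential usernames
        run = longest_sorted_run(users)
        if run >= seq_run:
            findings.append(("sequential_usernames_from_ip", ip, run))
    return findings


def analyze(text=SAMPLE_LOG):
    return find_brute_force_indicators(parse_log(text))


if __name__ == "__main__":
    for kind, key, count in analyze():
        print(f"{kind:30} {key:15} {count}")
```

Each finding names the indicator, the IP or account it applies to, and the count that crossed the threshold, which is what an alert would carry. The "excessive bandwidth from a single user" indicator needs volume data the login log does not have, so it is left out here.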


Pre-computed dictionary attack/Rainbow table attack
• It is possible to achieve a time–space tradeoff by pre-computing a list of hashes of dictionary words and storing these in a database using the hash as the key.
• A rainbow table is a precomputed table for caching the outputs of a cryptographic hash function, usually for cracking password hashes.

Pre-computed dictionary attack/Rainbow table attack

• The pre-computed dictionary needs to be generated only once, and when it is completed, password hashes can be looked up almost instantly at any time to find the corresponding password.


Hackers Get Passwords by Exploiting Insecure Code

• When an application's developers haven't followed best practices or aren't aware of vulnerabilities in their code, attackers can easily steal passwords directly from an application.
• Usernames and passwords are usually stored in databases, for example. If the SQL code that checks or retrieves these data doesn't properly sanitize input, attackers can use a SQL injection attack to break into the database itself.

Demonstration

• Blind SQL Injection
• Show Source
• Brute force Password Attack
• https://www.digitalni-sebeobrana.cz/en/brute-force-attack-demo/#:~:text=What%20is%20a%20brute%2Dforce,it's%20inefficient%20for%20long%20passwords.
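The slide's point about SQL code that "doesn't properly sanitize input" is easiest to see with the insecure login check next to its fix. The snippet below is an added example, not the deck's demonstration: a constructed in-memory SQLite table with a placeholder password hash, one login function that splices user input into the SQL text, and one that uses parameter binding. The test input a reviewer would use to prove the fix is the same for both.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table (not from the slides); the hash value is a placeholder."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'HASH-OF-ALICE-PASSWORD')")
    return db


def login_vulnerable(db, username, password_hash):
    """The insecure pattern: user input is spliced into the SQL text, so a quote or
    comment marker inside the username rewrites the query the database executes."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password_hash = '{password_hash}'")
    return db.execute(query).fetchone() is not None


def login_safe(db, username, password_hash):
    """The fix: parameter binding. The SQL text is fixed; the driver passes the values
    separately, so they are only ever compared as data and never parsed as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return db.execute(query, (username, password_hash)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    print("valid credentials :", login_vulnerable(db, "alice", "HASH-OF-ALICE-PASSWORD"),
          login_safe(db, "alice", "HASH-OF-ALICE-PASSWORD"))
    # A username that closes the quoted literal and comments out the password check:
    # the spliced query accepts it, the bound query compares it as a literal string.
    print("malformed username:", login_vulnerable(db, "alice' --", "anything"),
          login_safe(db, "alice' --", "anything"))
```

Binding, not escaping, is the countermeasure: the query text never changes shape whatever the input contains, so there is nothing for a sanitizer to miss.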


Hybrid attack
• A hybrid attack will add numbers or symbols to the filename to successfully crack a password.
• Many people change their passwords by simply adding a number to the end of their current password.
• The pattern usually takes this form: first month password is "cat"; second month password is "cat1"; third month password is "cat2"; and so on.
• The most common combination is a dictionary and brute force attack.


Hybrid attack
• Countering hybrid threats requires a comprehensive password policy that enforces multi-factor authentication, blocks weak words and patterns, scans for compromised passwords, and encourages users to create lengthy passphrases.
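A policy that "blocks weak words and patterns" has to recognise the same transformations a hybrid rule set applies: the digit suffix ("cat1", "cat2"), reversed spelling, leet substitutions, keyboard rows and the personal information listed on the Password Guessing slides. The checker below is an added example, not part of the deck; its dictionary, compromised-password list and minimum length are small constructed stand-ins (a real deployment would use a full wordlist and a breach corpus) and the substitution table is an assumption. It serves both the Password Guessing list and this countermeasures slide.

```python
import re

# Constructed deny lists; a real deployment would use a full dictionary and a breach corpus.
DICTIONARY = {"password", "passcode", "admin", "welcome", "dragon", "summer",
              "cat", "monkey", "letmein"}
COMPROMISED = {"P@ssw0rd", "Summer2023!"}       # would be a hashed breach list in practice
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
MIN_LENGTH = 12                                 # nudges users toward passphrases
LEET = str.maketrans("@$01345", "asoieas")      # substitutions hybrid rules undo (assumed set)


def base_forms(password):
    """The plain words a hybrid rule set would reduce this password to: lower-cased,
    with leading/trailing digits or symbols stripped ("cat1", "cat2"), leet
    substitutions undone ("P@ssw0rd"), and each of those reversed."""
    p = password.lower()
    stripped = re.sub(r"[^a-z]+$", "", p)
    stripped = re.sub(r"^[^a-z]+", "", stripped)
    forms = {p, stripped, stripped.translate(LEET)}
    forms |= {f[::-1] for f in list(forms)}
    return {f for f in forms if f}


def check_password(password, username="", personal=()):
    """Return the list of policy violations; an empty list means the password is accepted."""
    if not password:
        return ["blank"]
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if password in COMPROMISED:
        reasons.append("appears in compromised-password list")
    forms = base_forms(password)
    if forms & DICTIONARY:
        reasons.append("dictionary word, possibly with a digit suffix, reversed or leet-spelled")
    personal_forms = {s.lower() for s in (username, *personal) if s}
    if forms & personal_forms:
        reasons.append("based on the username or personal information")
    if any(len(f) >= 4 and (f in row or f in row[::-1])
           for f in forms for row in KEYBOARD_ROWS):
        reasons.append("keyboard-row sequence")
    return reasons


if __name__ == "__main__":
    samples = ["", "cat1", "P@ssw0rd", "qwertyuiop1", "ayush1990",
               "Correct Horse Battery Staple 42"]
    for pw in samples:
        verdict = check_password(pw, username="ayush", personal=("Rex",))
        print(repr(pw), "->", verdict or "accepted")
```

Every rejection carries a reason, so the user is told what to change rather than just "too weak"; the passphrase in the last sample passes every check because none of its reduced forms is a single dictionary word, a keyboard row, or personal data.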

• It was originally designed to help make up passwords that would be easy to remember but relatively difficult for nefarious types to guess.

• A phonetic password generator picks two segments randomly for each six-letter password. The form is CVC. What is the total password population?
• We have 4 times C and 2 times V. Repetition is allowed. That sums up the possibilities: C^4 * V^2 with C = 21 and V = 5 = 4,862,025

Default Passwords
• Many applications come with a default password.
• VMS used to have a default super-user password.
• Often, the default password is the same as the default user name.
• In principle, the sys-ad changes the default password.
• Recently, applications are no longer shipped with default passwords.


Default Passwords
• A moderately high number of local and online applications have inbuilt default passwords that have been configured by programmers during development stages of software.
• There are lots of applications running on the internet on which default passwords are enabled.
• So, it is quite easy for an attacker to enter a default password and gain access to sensitive information.

Default Passwords
• Often, the default password is the same as the default user name.
• In principle, the sys-ad changes the default password.
• Recently, applications are no longer shipped with default passwords.
• A list containing default passwords of some of the most popular applications is available on the internet: https://datarecovery.com/rd/default-passwords/


Password-Guessing Countermeasures
• The Server Message Block (SMB) Protocol is a network file sharing protocol, and as implemented in Microsoft Windows is known as Microsoft SMB Protocol.
• Samba: standard Windows interoperability suite of programs for Linux and Unix.
• Samba stores its encrypted passwords in a file called smbpasswd, which by default resides in the /usr/local/samba/private directory.
• Use a network firewall to restrict access to SMB services on TCP 139 and 445.
• Enforce the use of strong passwords using policy.
• Set an account-lockout threshold and ensure that it applies to the built-in Administrator account.
• Enable auditing of account logon failures and regularly review Event Logs.

Prevention (Brute Force Attack)

• For advanced users who want to protect their accounts from attack, give them the option to allow login only from certain IP addresses.
• Assign unique login URLs to blocks of users so that not all users can access the site from the same URL.
• Use a CAPTCHA to prevent automated attacks.
• Instead of completely locking out an account, place it in a lockdown mode with limited capabilities.
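The four measures on this slide fit together in one login gate. The class below is an added example, not code from the deck: a per-account failure budget whose failures age out of a sliding window, an opt-in source-IP allow-list, a CAPTCHA requirement that kicks in once the budget is spent, and a lockdown mode in which the correct password still gets a limited session rather than being locked out entirely, so an attacker cannot deny service to the real user by guessing badly. The `login_path` helper derives the per-block login URL from a server secret. Class names, result strings, the window length and the secret are all assumptions for the example; the clock is injectable so the behaviour can be tested without waiting.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque


class LoginGuard:
    """Per-account failure budget with a lockdown mode instead of a hard lockout,
    an optional per-account source-IP allow-list, and a CAPTCHA gate once in lockdown."""

    OK, OK_LOCKDOWN, DENIED, DENIED_IP, CAPTCHA = (
        "ok", "ok (lockdown: limited session)", "denied",
        "denied: source ip not on allow-list", "captcha required")

    def __init__(self, max_failures=5, window=300, allowed_ips=None, now=time.monotonic):
        self.max_failures = max_failures
        self.window = window                      # seconds a failure counts against the account
        self.allowed_ips = allowed_ips or {}      # username -> set of IPs (opt-in per user)
        self.failures = defaultdict(deque)        # username -> timestamps of recent failures
        self.now = now                            # injectable clock, so behaviour is testable

    def recent_failures(self, user):
        q = self.failures[user]
        cutoff = self.now() - self.window
        while q and q[0] < cutoff:                # failures age out; no admin unlock needed
            q.popleft()
        return len(q)

    def mode(self, user):
        return "lockdown" if self.recent_failures(user) >= self.max_failures else "normal"

    def attempt(self, user, ip, password_ok, captcha_ok=False):
        if user in self.allowed_ips and ip not in self.allowed_ips[user]:
            return self.DENIED_IP                 # rejected before the password is even checked
        lockdown = self.mode(user) == "lockdown"
        if lockdown and not captcha_ok:
            return self.CAPTCHA                   # automated guessing stalls here
        if not password_ok:
            self.failures[user].append(self.now())
            return self.DENIED
        return self.OK_LOCKDOWN if lockdown else self.OK


def login_path(block_id, secret):
    """Unique login URL for a block of users, derived from a server secret so that
    guessing tools cannot aim at one well-known /login endpoint for everyone."""
    tag = hmac.new(secret, block_id.encode(), hashlib.sha256).hexdigest()[:16]
    return f"/login/{tag}"


if __name__ == "__main__":
    clock = [0.0]                                             # constructed fake clock
    guard = LoginGuard(max_failures=3, window=60, allowed_ips={"alice": {"10.0.0.5"}},
                       now=lambda: clock[0])
    print(guard.attempt("alice", "203.0.113.9", True))       # wrong source IP
    for _ in range(3):
        print(guard.attempt("alice", "10.0.0.5", False))     # three failures -> lockdown
    print(guard.attempt("alice", "10.0.0.5", True))          # captcha required
    print(guard.attempt("alice", "10.0.0.5", True, captcha_ok=True))
    clock[0] = 61.0                                          # failures age out of the window
    print(guard.attempt("alice", "10.0.0.5", True))
    print(login_path("block-7", b"server-secret"))
```

What a limited session may do (read-only access, no password or e-mail changes, no payments) is an application decision; the guard only reports which mode the login landed in.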


Type of passwords
• Plain text password
– Saved as text in the database.
o Hackers can steal the user account database and find passwords with brute force algorithms.

• Password hashing
– Password saved as 'n' bits according to a hash function.
– MD5
o It is possible for a hacker to steal the hashes and reverse-generate the password.

• Password hash salting
– Generate random text (salt)
– Add it in front of the password and apply the hashing function
– Salt is random for every password

Passwords
Windows Passwords
• Set or change password → Windows generates a LM hash and a NT hash.
• Two hashing functions used to encrypt passwords
– LAN Manager hash (LM hash)
o Password is padded with zeros until there are 14 characters.
o It is then converted to uppercase and split into two 7-character pieces.
o Each half is encrypted using an 8-byte DES (data encryption standard) key.
o Result is combined into a 16-byte, one-way hash value.
– NT hash
o Converts password to Unicode and uses the MD4 hash algorithm to obtain a 16-byte value.
• Hashes are stored in the Security Accounts Manager database
– Commonly known as "SAM" or "the SAM file"
• SAM is locked by the system kernel when the system is running.
– File location: C:\WINNT\SYSTEM32\CONFIG
• SYSKEY - Windows function that encrypts the data in the Security Accounts Manager (SAM) database


Passwords
Unix Passwords

• Uses modified DES as if it were a hash function
• Encrypt NULL string using password as the key
• Truncates passwords to 8 characters!
• Artificial slowdown: run DES 25 times
• Can instruct modern UNIXes to use MD5 hash function

• Problem: passwords are not truly random
– Humans like to use dictionary words, human and pet names ≈ 1 million common passwords
– On average each person has 8-12 passwords:
o Different systems impose different requirements on passwords.
o Passwords need to be changed often.
o Some passwords are used occasionally (once a year).

Passwords
Hashing

• Instead of user password, store hash of password
• When user enters password, compute its hash and compare with entry in password file
• System does not store actual passwords!

• Hash function H must have some properties
– One-way: given H(password), hard to find password
– No known algorithm better than trial and error
– Collision-resistant: given H(password1), hard to find password2 such that H(password1)=H(password2)
– It should even be hard to find any pair p1,p2 s.t. H(p1)=H(p2)


Passwords
Salting

• Salting requires adding a random piece of data to the password before hashing it.
• This means that the same string will hash to different values at different times.
• Users with the same password have different entries in the password file.
• Salt is stored with the data that is encrypted.
• Hacker has to get the salt, add it to each possible word and then rehash the data prior to comparing with the stored password.

Passwords
Salting Advantages

• Without salt, attacker can pre-compute hashes of all dictionary words once for all password entries
• Same hash function on all UNIX machines
• Identical passwords hash to identical values; one table of hash values can be used for all password files

• With salt, attacker must compute hashes of all dictionary words once for each password entry
– With 12-bit random salt, same password can hash to 2^12 different hash values
– Attacker must try all dictionary words for each salt value in the password file


Passwords
Iteration Count

• The same password can be rehashed many times over to make it more difficult for the hacker to crack the password.
• This means that the precompiled dictionary hashes are not useful since the iteration count is different for different systems.
• Dictionary attack is still possible!
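The Type of passwords, Salting, Salting Advantages and Iteration Count slides describe one progression, and the script below walks it as an added example (not code from the deck): a plain unsalted MD5 record that a table built in advance cracks on sight, then a salted and iterated PBKDF2-HMAC-SHA256 record that stores its own salt and iteration count so verification works across systems that chose different counts. The iteration count, salt length and record format are assumptions; `hashlib.pbkdf2_hmac` and `hmac.compare_digest` are standard-library calls.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000     # iteration count; production deployments use more, and it differs per system
SALT_BYTES = 16


def unsalted_md5(password):
    """Plain, unsalted hash as on the 'Password hashing' slide: table lookups work against it."""
    return hashlib.md5(password.encode()).hexdigest()


def build_table(words, hasher):
    """A pre-computed dictionary (rainbow-table stand-in): digest -> word, built once."""
    return {hasher(w): w for w in words}


def table_lookup(records, table):
    """How many stored records the pre-computed table cracks outright."""
    return sum(1 for r in records if r in table)


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Salted, iterated hash. A fresh random salt per password means two users with the
    same password get different records, and no table built in advance matches either."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Store the parameters beside the digest so verification works across systems
    # that chose different iteration counts (assumed record format).
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    # Constant-time compare: a plain == would leak how many leading bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    words = ["cat", "dragon", "letmein", "hunter2"]          # constructed wordlist
    table = build_table(words, unsalted_md5)
    unsalted = [unsalted_md5("cat"), unsalted_md5("cat")]    # two users, same password
    print("unsalted records identical:", unsalted[0] == unsalted[1])
    print("cracked by table:", table_lookup(unsalted, table), "of", len(unsalted))
    salted = [hash_password("cat"), hash_password("cat")]
    print("salted records identical:", salted[0] == salted[1])
    print("cracked by table:", table_lookup(salted, table), "of", len(salted))
    print("verify right password:", verify_password("cat", salted[0]))
    print("verify wrong password:", verify_password("dog", salted[0]))
```

As the last slide says, the dictionary attack is still possible: an attacker who holds a salted record can still run the wordlist through PBKDF2 with that record's salt and count. The salt removes the one-table-for-everyone shortcut and the iteration count makes every guess cost as much as a legitimate login.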

Passwords
Shadow

• Utilized in UNIX systems
• Store hashed passwords in /etc/shadow file which is only readable by system administrator (root)
• Add expiration dates for passwords
• Early Shadow implementations on Linux called the login program which had a buffer overflow!


Passwords
Authentication Protocols

• Set of rules that governs the communication of data related to authentication between the server and the user
• TRANSFORMED PASSWORD
– Password transformed using one way function before transmission
– Prevents eavesdropping but not replay
• CHALLENGE-RESPONSE
– Server sends a random value (challenge) to the client along with the authentication request. This must be included in the response
– Protects against replay

• TIME STAMP
– The authentication from the client to server must have time-stamp embedded
– Server checks if the time is reasonable
– Protects against replay
– Depends on synchronization of clocks on computers
• ONE-TIME PASSWORD
– New password obtained by passing user-password through one-way function n times which keeps incrementing
– Protects against replay as well as eavesdropping
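The four protocols on this slide differ in exactly one property each, and the difference is clearest when both sides of the exchange are written down. The code below is an added example, not from the deck: a transformed-password check that accepts a captured value again (no replay protection), a challenge-response server whose random challenge is consumed on first use, a time-stamp server that accepts a tagged time only inside a skew window and never twice, and a one-time password chain in the Lamport style, where the server keeps H^n(password), the client presents H^(n-1)(password), and the server's count goes down by one per login. SHA-256 and HMAC-SHA256 are used as the one-way functions; the shared secret, skew window and class names are assumptions.

```python
import hashlib
import hmac
import os
import time


def H(data):
    """One-way function used throughout (SHA-256)."""
    return hashlib.sha256(data).digest()


def tag(secret, msg):
    """Keyed one-way transform of a message under the shared secret."""
    return hmac.new(secret, msg, hashlib.sha256).digest()


# Transformed password: H(password) on the wire. An eavesdropper does not learn the
# password, but whatever is captured is accepted again and again (replay).
class TransformedPasswordServer:
    def __init__(self, password):
        self.stored = H(password.encode())

    def verify(self, transformed):
        return hmac.compare_digest(transformed, self.stored)


# Challenge-response: the server's random challenge is consumed on first use, so a
# captured response is useless afterwards.
class ChallengeResponseServer:
    def __init__(self, secret):
        self.secret = secret
        self.outstanding = set()

    def challenge(self):
        c = os.urandom(16)
        self.outstanding.add(c)
        return c

    def verify(self, c, response):
        if c not in self.outstanding:          # unknown, expired or already-used challenge
            return False
        self.outstanding.discard(c)
        return hmac.compare_digest(response, tag(self.secret, c))


def cr_client_respond(secret, c):
    return tag(secret, c)


# Time stamp: the client tags the current time; the server accepts it only inside a
# skew window and never twice. Correct only if the two clocks agree.
class TimestampServer:
    def __init__(self, secret, max_skew=30, now=time.time):
        self.secret, self.max_skew, self.now = secret, max_skew, now
        self.seen = set()

    def verify(self, ts, response):
        if abs(self.now() - ts) > self.max_skew or ts in self.seen:
            return False
        ok = hmac.compare_digest(response, tag(self.secret, str(ts).encode()))
        if ok:
            self.seen.add(ts)
        return ok


def ts_client_respond(secret, ts):
    return tag(secret, str(ts).encode())


# One-time password (Lamport hash chain): the server holds H^n(password); the client
# presents H^(n-1)(password); the server checks H(otp) == stored, then keeps otp as the
# new stored value, so the count on the server decreases by one per login.
def hash_chain(password, n):
    v = password.encode()
    for _ in range(n):
        v = H(v)
    return v


class LamportServer:
    def __init__(self, password, n):
        self.stored, self.n = hash_chain(password, n), n   # the password itself is not kept

    def verify(self, otp):
        if self.n == 0 or not hmac.compare_digest(H(otp), self.stored):
            return False
        self.stored, self.n = otp, self.n - 1
        return True


def otp_client_next(password, server_n):
    return hash_chain(password, server_n - 1)


if __name__ == "__main__":
    secret = b"shared-secret"                                  # constructed
    cr = ChallengeResponseServer(secret)
    c = cr.challenge()
    r = cr_client_respond(secret, c)
    print("challenge-response first use:", cr.verify(c, r), "replay:", cr.verify(c, r))
    srv = LamportServer("hunter2", n=5)
    otp = otp_client_next("hunter2", srv.n)
    print("one-time password first use:", srv.verify(otp), "replay:", srv.verify(otp))
```

The one-time password is the only scheme here in which the server never holds a secret worth stealing: a stolen H^n value yields the next valid password only to someone who can invert H.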

Passwords
Improving Security

• Add biometrics
– For example, keystroke dynamics or voiceprint
– Revocation is often a problem with biometrics
• Graphical passwords
– Goal: increase the size of memorable password space

• Rely on the difficulty of computer vision
– Face recognition is easy for humans, hard for machines
– Present user with a sequence of faces; he must pick the right face several times in a row to log in
• Other examples
– Click on a series of pictures in order
– Drawing a picture
– Clicking four correct points on a picture


Google AI Image Recognition

• With a simple Captcha question, Google is training its Artificial Intelligence engine. Through the help of hundreds of Captchas, the people taking the Captcha test will validate if an image is showing a certain scene.

Passwords
Fingerprint Authentication

• Unique patterns in people's fingerprints are used for unique identification
• Most tested of all biometric systems
• Commonly used in crime labs for forensic investigations

Passwords
Iris Authentication

• The scanning process takes advantage of the natural patterns in people's irises, digitizing them for identification purposes.
• Probability of two irises producing exactly the same code: 1 in 10^78
• Independent variables (degrees of freedom) extracted: 266
• IrisCode record size: 512 bytes
• Operating systems compatibility: DOS and Windows (NT/95)
• Average identification speed (database of 100,000 IrisCode records): one to two seconds


Passwords
Protection/Detection
Protection:
• Disable storage of LAN Manager hashes.
• Configure both Local and Domain Account Policies (Password & Account Lockout Policies).
• Audit access to important files.
• Implement SYSKEY security on all systems.
• Set BIOS to boot first from the hard drive.
• Password-protect the BIOS.
• Enforce strong passwords!
• Change your passwords frequently.
• Use two or three factor authentication.
• Use one time passwords.

Bios Password
• Stored in CMOS
• Remove power from CMOS and CMOS is reset.
• Loses valuable forensic data such as the system clock.
• Some BIOS can be programmatically cleaned.


Windows 9x
• Windows 9x stores the login password
– in .pwl file
– in the c:\windows directory
– in encrypted form.
• Obtain the password from the file.
• Use an offline password cracker that attacks the weak encryption.

Windows 9x
• Windows screen saver password is stored in user.dat file in c:\windows.
• Password is in simple ASCII encryption.
• The screen saver password is very often the system password.


Windows NT and up
Unix
• Only hash of password is stored.
• Computationally impossible to calculate password from the hash.
• Can use the hash for a dictionary or brute force attack.

HACKING PASSWORD

C:\ cd windows
C:\ cd windows> ren *.pwl *.xyz
Or
Delete memory by
C:\window>del *.pwl *.xyz.
You can enter by typing any thing


SCREEN SAVER PASSWORD

C:\> cd windows
C:\> cd windows > dir *.scr/p
Find screen saver password
C:\>windows>edit/70
or open in notepad.
 Now search for the string using CTRL F

: verify screen savepwd or you don't find.


Search for: Verify screen save
This is the line that direct the
windows to prompt for the screen saver
password

Windows Password Management

• The Security Accounts Manager (SAM) is a database stored as a registry file in Windows NT, Windows 2000, and later versions of Windows.
• It stores users' passwords in a hashed format (in an LM hash and an NTLM hash).
• In the case of online attacks, it is not possible to simply copy the SAM file to another location.


Windows Password Management

• The SAM file cannot be moved or copied while Windows is running, since the Windows kernel obtains and keeps an exclusive file system lock on the SAM file, and will not release that lock until the operating system has shut down.
• However, the in-memory copy of the contents of the SAM can be dumped using various techniques, making the password hashes available for offline brute-force attack.

Cracking Windows NT Passwords
• The key to cracking Windows NT passwords lies in the SAM (security account manager) file.
• This file contains and stores all information on both local and remote accounts including the password details in encrypted form.


Cracking Windows NT Passwords
• The SAM file is the equivalent of the /etc/passwd file of the Unix operating system.
• If an attacker is able to somehow gain access to the SAM file, the process of extracting and cracking passwords becomes a lot easier.

Cracking Windows NT Passwords

• Attackers can crack Windows NT passwords by following two steps:
– Gain access to the Security Accounts Manager or SAM file
– Crack the stored passwords using already known methods.


Obtaining Access to SAM file

• SAM file is stored on the Windows NT system at the location: %systemroot%\system32\config
• The original source of the data stored in this file can also be found in the registry key: HKEY_LOCAL_MACHINE\SAM


Obtaining Access to SAM file

• Both of the above locations containing the SAM information are locked and no user is allowed to access them.
• Each time Windows boots, the above two files are automatically locked.
• It should be almost impossible for an attacker to be able to access the SAM file.

Common ways to gain illicit access to the SAM file
• Getting the SAM from the Backup Directory
• Many system administrators run the Windows NT repair utility (rdisk) with the /s switch to back up important system information.


Common ways to gain illicit access to the SAM file
• When a system administrator runs rdisk to back up the important system configuration information to a floppy disk, then a compressed copy of the SAM data file is automatically created in the %systemroot%\repair directory with the filename: "SAMW".

Common ways to gain illicit access to the SAM file
• Most system administrators always remember to delete this backup copy of the SAM file from the above location.
• Since the backup copy of the SAM file is in compressed form, an attacker expands it with the command: C:/>expand sam._sam


Common ways to gain illicit access to the SAM file
• Getting the SAM via another Operating system
• Firstly, an attacker needs to create a bootable floppy running the MSDOS O.S. It is important to make sure that the floppy contains the COPY utility.
• Then the attacker edits the BIOS setting and enables the 'Boot from floppy' option.

Common ways to gain illicit access to the SAM file
• The attacker then restarts the system and boots from the floppy disk.
• Once the attacker reaches the command line prompt of the MSDOS o.s. running on the floppy disk, the COPY utility can then be used to obtain the SAM file.
• Since Windows NT is not currently running, access to the SAM file is not blocked.


Hacking Truth
• The NTFSDOS tool allows attackers to access all files on the NTFS partition.
• If an attacker wants to write to the vulnerable system, the NTrecover and NRLocksmith tools can be used.
• Both these tools can be downloaded from http://www.sysinternals.com .

Cracking the Password from the SAM file
• An attacker can easily crack the account passwords with the help of the L0phtcrack tool.


Countermeasures
• One simple countermeasure to prevent attackers from obtaining the SAM file from the backup directory is to delete the backup copy of the SAM file.
• Corporations should disable the boot from floppy drive option in the BIOS.


Countermeasures
• Until Service Pack 2 was released, Windows NT used an extremely unsafe 40-bit encryption key to encrypt passwords. Attackers could easily crack such an encryption.
• With the release of Service Pack 2, an enhanced 128-bit encryption standard called SYSKEY was introduced.

Countermeasures
• One can run SYSKEY by following this process:
(a) Click on Start > Run
(b) Type 'syskey' in the space provided and press enter


Countermeasures
• L0phtcrack is unable to display nonprintable characters. This means that if a password has any nonprintable character, L0phtcrack will not be able to display it.

Attack Scenario
• When the user provides credentials to log in to a particular website
• After clicking on the login button, a popup window shows a message "To remember user name and password".
• If the user selects this option, the browser remembers the user name and password.
• The attacker can get access to the password by executing JavaScript code in the address bar of the browser, as shown.
• The attacker can retrieve the victim's password along with an alert box, as shown.
