CSE 4482

Computer Security Management:

Assessment and Forensics

Protection Mechanisms:
Scanning and
Analysis Tools

Instructor: N. Vlajic, Fall 2013

Required reading:

Management of Information Security (MIS), by Whitman & Mattord

Chapter 10, pp. 361 – 365

Recommended reading:

Principles of Information Security, by Whitman & Mattord

Chapter 7, pp. 328 – 341

Security+ Guide to Network Security Fundamentals, by Ciampa

Chapter 9, pp. 133 - 139

 Learning Objectives
Upon completion of this material, you should be
able to:
• List and define the major categories of scanning and
analysis tools, and describe the specific tools used
within each category.
• Describe, in more detail, the key techniques deployed
for the purposes of port scanning, OS fingerprinting and
password cracking.
Introduction
• Why Scanners and – in order to secure a network,
Analysis Tools? company needs to know
what exactly needs securing
 scanners & analysis tools can
find vulnerabilities in systems,
and security holes in individual
system components (hosts,
routers, firewalls)
 many scanners & analysis tools
are developed by hackers and
are ‘freeware’
 same tools can also be used by
network defenders to find potential
vulnerabilities in the network
• Categories of Hacking Tools

0) Public/Online Reconnaissance Tools

1) Port Scanners
2) Network Mappers
3) Operating System Detection Tools
4) Firewall Analysis Tools
5) Vulnerability Scanners
6) Packet Sniffers
7) Wireless Sniffers
8) Password Crackers
 Public Reconnaissance Tools
• Quiet Recon – hackers often don’t want to start
off by generating lots of noise that
can be picked up by IDS devices
 search engines can be a great recon tool -
they allow stealthy probing that likely won’t
be detected or traced back to the hacker
 Google-Fu
 ability to use search directives (advanced
operators) effectively in order to filter out
Google search results

http://playfulcleverness.blogspot.ca/2013/04/google-fu.html
 Public Reconnaissance Tools (cont.)
Example
Consider Company XYZ, with a
large datacenter in Atlanta.
The datacenter has been secured, www.XYZ.com
and it would be very hard for an
attacker to break into it via the
Internet.
However, the attacker has run a “link:www.XYZ.com” query
on Google and found a small Web server that links to XYZ’s
main Web server.
After further investigation, the attacker learns that the small
Web server was set up by an administrator at a remote facility.
The Web server has (via leased lines) an unrestricted internal
Access into Company ‘s corporate datacenter.
 Public Reconnaissance Tools (cont.)
• Google – keywords that enable more accurate
Directives extraction of info from Google Index
 formatting of Google directives:

<directive>:<value> <term(s) to search>

 examples of directives:
 site:<domain-name> <term(s) to search>
 intitle:<term(s) to search>
 inurl:<term(s) to search>
 filetype:<extension of the file type>
 link:<URL that searched pages point to>

http://www.googleguide.com/advanced_operators_reference.html
 Public Reconnaissance Tools (cont.)
Example
Assume Company XYZ’s main web
page is: www.XYZ.com.
www.XYZ.com
Which Google directive should have
the attacker used to narrow down
the search for remote web server
‘pointing’ to the main enterprise
web server.

link:www.XYZ.com –site:www.XYZ.com
 Public Reconnaissance (cont.)
Example
What is the intention behind the following commands:

site:www.yorku.ca inurl:login.php

site:www.yorku.ca filetype:xls inurl:"email.xls"

filetype:dat site:www.yorku.ca "password.dat"

filetype:sql intext:password

ext:(doc | pdf | xls | txt | ps | rtf | odt | sxw |

psw | ppt | pps | xml) (intext:"confidential salary"
| intext:"budget approved")

http://www.cyberwarzone.com/cyberwarfare/massive-google-hacking-list-2012
• Categories of Hacking Tools

0) Public Reconnaissance Tools

1) Port Scanners
2) Network Mappers
3) Operating System Detection Tools
4) Firewall Analysis Tools
5) Vulnerability Scanners
6) Packet Sniffers
7) Wireless Sniffers
8) Password Crackers
 Port Scanners
• Footprinting – systematic research of IP addresses
owned by a target organization
 passive and non-intrusive process of
examples of discovering which machines are out there
‘doorknob (part of initial attack reconnaissance)
rattling’  Web is a good starting point

• Scanning – systematic scanning of a target

(Fingerprinting) organization’s IP addresses/hosts
 discovering of individual hosts as well as
services/ports running on them
 may include OS Fingerprinting –
determining which OS runs on a host
 typically done through detailed inspection
of packets crafted by the host
Port Scanners (cont.)

Information Gathering Methodology

Port Scanners (cont.)
• Port Scanner – a tool used by both attackers and
defenders to identify active hosts
and services on a network
 results of a scan on a port can be:
 open or accepted: host sends reply indicating
that service is available on a port
 closed / denied / not listening: host sends
reply indicating unavailable service on a port
 filtered / dropped / blocked: there is no reply

 popular scanners:
 Nmap (UNIX / Windows) – can rapidly sweep
large networks, can bypass firewalls, IDSs, …
 SuperScan 4.0 (Windows) – GUI based
with additional tools in one interface, …
 Advanced Port Scanner (Windows) – small,
fast, straightforward GUI, …
Port Scanners (cont.)

• Nmap – Network Mapper - a security scanner

written by Gordon Lyon (aka Fyodor)
in 1997
 the most respected and well-known port scanner
in both black- and white- hat community for
its efficiency, flexibility and scanning speed
 in addition to doing host and port scanning, also
capable of determining:
 OS of the target
 name and versions of the listening services
 presence of firewall, etc.

 runs on Windows, Linux, Solaris, Mac, etc.

http://nmap.org/download.html
 Port Scanners (cont.)
Example: Nmap/Zenmap Port Scanner
 Port Scanners (cont.)
Example: Nmap/Zenmap Port Scanner (cont.)
 Port Scanners (cont.)
Example: Nmap/Zenmap Port Scanner (cont.)
 Port Scanners (cont.)
Example: Nmap/Zenmap Port Scanner (cont.)
 Port Scanners (cont.)
Example: Nmap/Zenmap Port Scanner (cont.)

https://svn.nmap.org/nmap/zenmap/share/zenmap/config/scan_profile.usp
 Port Scanners (cont.)
Example: Nmap/Zenmap Port Scanner (cont.)
 Port Scanners (cont.)
Example: Nmap/Zenmap Port Scanner (cont.)

http://nmap.org/book/man-bypass-firewalls-ids.html
Port Scanners (cont.)
• Port Scanner 1) ICMP Ping Scan
Techniques  not really port scanning, as ICMP is Layer 3
protocol, but useful for probing of all active
hosts in a network – host scanning
 scanner sends a single ICMP request to a
destination; an ICMP response will arrive
back unless the destination is not available
or ICMP protocol is filtered
 potentially faster than other footprinting
technique – only one sent packet per
machine
 does not provide lots of information …

ICMP Ping scan to an active/on and inactive/off machine

http://www.networkuptime.com/nmap/page3-8.shtml
 Port Scanners (cont.)
• Port Scanning 2) TCP connect() Scan
Techniques  most basic form of TCP scanning
 performed from ‘application layer’ - OS’s
connect() function is used to connect to a
desired port
 easy to implement; however, very slow and
detected (loged) by most sites/firewalls

TCP connect() scan to an open and to a closed port

http://www.networkuptime.com/nmap/page3-3.shtml
According to TCP RFC (specification):

TCP to a closed port => TCP RST arrives back

(SYN=0, ACK=0 or RST=0)

TCP to an open port => nothing back

(SYN=0, ACK=0 and RST=0)

UDP to a closed port => ICMP unreachable

arrives back
 Port Scanners (cont.)
• Port Scanning 3) TCP SYN Scan
Techniques  ‘half-open’ scanning
 instead of using OS’ network function,
scanner itself generates TCP-SYN packets;
upon receiving a TCP-ACK, scanner imme-
diately sends a RST to close the connection
⇒ handshake is never completed!
 most popular form of TCP scan since most
sites do not log half-open connections -
much ‘quieter’ than connect() scan 
 requires programming at OS level 

TCP SYN scan to an open and to a closed port

http://www.networkuptime.com/nmap/page3-2.shtml
Port Scanners (cont.)
• Port Scanner 4) TCP FIN Scan (Stealth Scan)
Techniques  stealth scan = scan that sends a single
frame to a TCP port without any TCP
handshaking / additional packets
 TCP FIN scan sends a FIN packet; a closed
port will reply with a proper RST, an open
port will ignore the packet
 silence indicates an open port!!!
 UNIX vulnerable, but Microsoft is immune
to this type of attack – RST sent regardless
of the port state

TCP FIN scan to an open and to a closed port

http://www.networkuptime.com/nmap/page3-4.shtml#3.3.1
Port Scanners (cont.)
• Port Scanner 5) Xmas-Tree Scan (Stealth Scan)
Techniques  scanner sends a TCP frame with URG, PUSH
and FIN flags set – Xmas tree packet (flags:
00101001, ‘supper case’ of FIN TCP packet)
 as in TCP FIN scan, silence indicates an
open port!!!
 as TCP FIN scan, Xmas-Tree scan can ‘sneak
through’ some non-statefull firewalls; but
should not be used on Microsoft hosts

Xmas-Tree scan to an open and to a closed port

http://www.networkuptime.com/nmap/page3-5.shtml
Port Scanners (cont.)
• Port Scanner 6) UDP ICMP Scan
Techniques  previous scans find TCP ports/services;
this scan looks for UDP ports/services
 scanner sends empty UDP datagrams – if
port is listening, system sends back an error
UDP message or nothing; if port is closed
system sends an ‘ICMP Port Unreachable’
 both UDP and ICMP are not guaranteed
to arrive – lots of false positives possible
 also, a rather slow scan, as some systems
limit the ICMP error message rate

UDP ICMP scan to an open and to a closed port

http://www.networkuptime.com/nmap/page3-10.shtml
 Port Scanners (cont.)

• Port Scanner 7) Idle Scan by Nmap

Techniques
Used to:
1) hide the identity of the attacker (scanning machine); and/or
2) scan behind a firewall.

Requires the access to (communication with) at least one

zombie/dumb host that can communicate directly with the
target machine and sends/receives little traffic.
Exploits the fact that in many OSs, for every IP packet sent,
the value in packet’s IP ID filed is incremented by one.
 Port Scanners (cont.)

Example Idle Scan (cont.)

Idle scan of an open port:

F F F
I I I
R R R
E E E
W W W
A A A
L L L
L L L

trusted host/IP

Source IP = Zombie IP
Destination Port = open

Zombie’s IP ID increased by 2!
 Port Scanners (cont.)

Example Idle Scan (cont.)

Idle scan of a closed port:

F F F
I I I
R R R
E E E
W W W
A A A
L L L
L L L

Source IP = Zombie IP
Destination Port = closed

Zombie’s IP ID increased by 1!
 Port Scanners (cont.)
• Ethic and Legality – fuzzy issue!
of Port Scanning  scan itself is not an attack, but is
often prelude to an attack, like
ringing the doorbell to see if any-
body is home
 line between scanning maliciously
and scanning for administrative
purposes is very vague
 makes creating laws regarding
scanning difficult

 in USA and Canada the Law is

not explicit, in Germany and
England scanning is illegal
http://nmap.org/book/legal-issues.html
http://en.wikipedia.org/wiki/Port_scanner
• Categories of Hacking Tools

0) Public Reconnaissance Tools

1) Port Scanners
2) Network Mappers
3) Operating System Detection Tools
4) Firewall Analysis Tools
5) Vulnerability Scanners
6) Packet Sniffers
7) Wireless Sniffers
8) Password Crackers
 Network Mappers
• Network Mappers – software tools that identify
all systems connected to a
network
 most mappers use ICMP Ping …
 most port scanners can be used
as network mappers
 examples of network mappers:
 Nmap
 LanState
 SolarWinds’ LanSurveyor

http://finaldownload.com/graphicsfile/screenshotimages/lansurveyor-101102.jpg
 Network Mappers (cont.)
Example: Network mapping using Nmap
Target: IP/24, Profile: Ping scan
• Categories of Hacking Tools

0) Public Reconnaissance Tools

1) Port Scanners
2) Network Mappers
3) Operating System Detection Tools
4) Firewall Analysis Tools
5) Vulnerability Scanners
6) Packet Sniffers
7) Wireless Sniffers
8) Password Crackers
Operating System Detection Tools
• OS Detection – aka OS Fingerprinting Tools -
Tools aim to detect target host’s OS
 knowing a host’s OS is critical if one
is to exploit the host’s vulnerabilities
(e.g. known bugs of that OS)
 active fingerprinting – directly query
host machine; replies are matched
against database on known responses
 passive fingerprinting – occurs without
obvious querying of host machine (e.g.
obtain information through sniffing)
 examples of OS detection tools:
 Nmap
 Xprobe
Operating System Detection Tools (cont.)

• OS Detection – TCP/IP stack is pretty much a

Techniques fixed standard (given in RFC-s),
in Active but different OS vendors interpret
Fingerprinting the standard differently
 (active) fingerprinting takes advantage
of differences in TCP/IP implementation
 a crafted packet is sent to a remote
system to elicit a unique response from
the TCP/IP stack of the underlying OS
 the unique response is referred to as an
OS fingerprint or signature
 the attacker than carefully analyzes and
and compares the fingerprint to a data-
base – comprising a wide range of known
OS fingerprints …
Operating System Detection Tools (cont.)
• Nmap Fingerprint Methods
 TCP FIN Probing

 TCP RFC 793 requires that a system with an open port ignores
(not respond to) a FIN packet if received at the start of a connect.
 Microsoft Windows (Windows 7, Windows 2000, Vista) disregard
this requirement and replies to the FIN packet with a RST packet
In Windows always response!
open port

closed port

Probe a machine with a FIN packet on a port that is KNOW to be open.

If you receive a response ⇒ Windows OS!
Operating System Detection Tools (cont.)
• Nmap Fingerprint Methods (cont.)
 TCP Initial Sequence Number (ISN)

 when receiving a request to establish a connection, an OS must

choose an ISN to respond and continue the 3-way handshake
 some OS choose ISN based on randomized values, while others
(Windows) generate the ISN based on system’s internal clock
(ISN is incremented by a small fixed amount each time period)

http://www.tcpipguide.com/free/diagrams/tcp3waysynch.png
Operating System Detection Tools (cont.)

• Nmap Fingerprint Methods (cont.)

 TCP Initial Window Size
 some OSs are known to use a unique Window size
 e.g. Linux 2.4 IWS=5840 bytes, Linux 2.2 IWS=32120 bytes

 IP ID Sampling
 Windows OS usually use a predictable IP ID sequence numbers,
such as increasing the number by 1 or 256 for each packet
 other OS, e.g. Linux, randomize IP ID numbers
Operating System Detection Tools (cont.)

• Nmap Fingerprint Methods (cont.)

 ICMP Error Message Quoting
 according to ICMP RFC, OS must quote some parts of the original
(ICMP) message - first 8 bytes - when generating an ICMP error
message
 Linux and Solaris include much more information than required

e.g. UDP packet to a closed port

Operating System Detection Tools (cont.)

• Nmap Fingerprint Methods (cont.)

 ICMP Error Message Quenching
 some operating systems follow the RFC 1812 suggestion to limit
the rate at which various error messages are sent
 e.g. Linux limits destination unreachable message generation to
80 per 4 seconds, with a ¼ second penalty if that is exceeded
 to test a machine, send a bunch of packets to some random
high UDP port and count the number of unreachables received

For more see: http://nmap.org/nmap-fingerprinting-article.txt

Operating System Detection Tools (cont.)

• OS Detection – less intrusive way to gather info

Techniques in about the OS of a remote host
in Passive  instead of actively querying, attacker
Fingerprinting (only) sniffs remote host’s packets
 generally less precise/effective than
active fingerprinting because:
 have to accept whatever communication
happens - there may not be much of it!
 has fewer header parameters/options
to work with than active fingerprinting
 some of those parameters often get
modified by firewall or proxy
 Nmap does not passive fingerprinting
per se – Idle Scan, the closest …
Operating System Detection Tools (cont.)

• Passive Fingerprint Methods

 Time-to-Live (TTL) in IP packets
 normally Linux sets TTL = 64, and Windows TTL = 128

 Don’t Fragment Bit in IP packet

 Most systems set it to 1; in OpenBSD set to 0

 Type of Service (TOS)

 Normally set to 0; a few OS reported using different value.
(Generally not reliable as the TOS value is often set by application.)
Operating System Detection Tools (cont.)
Example Passive Fingerprinting
Assume a sniffer/attacker has capture a packet with the
following parameters:

Time-to-Live (TTL): 51
TCP Window Size: 57344
Don’t Fragment Bit: 1
Type of Service (TOS): 0

How would you go about determining the host’s OS?

Solution:
Use Traceroute to determine the actual number of hops
between itself and the host – say you have observed 13.
Hence, original TTL = 51 + 13 = 64.
Host’s OS: (likely) Linux
Operating System Detection Tools (cont.)
• OS Detection – to reduce chances of an OS being
Counter- ‘fingerprinted’, OS’s responses to
measures various network requests/packets
must be modified
 IP Personality – a patch for Linux
kernel – allows changes to TCP/IP stack
 IP ID field, TCP Initial Window, TCP initial
Sequence Number … values can be changed
http://ippersonality.sourceforge.net/

 Morph and IP Scrubber – operate in

firewall manner
 any traffic traveling from local net. will be
‘scrubbed’ & any OS-related information
will be removed
http://www.synacklabs.net/projects/morph/
• Categories of Hacking Tools

0) Public Reconnaissance Tools

1) Port Scanners
2) Network Mappers
3) Operating System Detection Tools
4) Firewall Analysis Tools
5) Vulnerability Scanners
6) Packet Sniffers
7) Wireless Sniffers
8) Password Crackers
Firewall Analysis Tools
• Why Firewall – help to understand / detect
Analysis? current set of a firewall’s rules
 Firewalk – detects a firewall and its
respective rules, in two phases
 phase 1: network discovery
through a traceroute-like procedure on
ANY host inside firewall’s network,
TTL count to the target firewall is found
 phase 2: firewalking / scanning
TCP/UDP probe packets with TTL of 1-hop
past firewall are sent
(a) if firewall does NOT allow packets in - packet
will be dropped & firewall sends no message
message back
(b) if firewall DOES allow packets in, ICMP TTL
Expired message is sent by the binding host
 Firewall Analysis Tools
Example
We want to test whether
the firewall allows traffic
for host H on port P in.

Hence, we send a UDP

packet to H and port P
with a very big TTL.

No response comes back.

What can we conclude?!

a) Firewall blocks packets
intended for port P on H.

b) Firewall does not block

such packet, but port P on
on H is open.
 Firewall Analysis Tools (cont.)

Now, assume we send the

same UDP packet (to H,
port P), but with
TTL=TTLfirewall+1.

Possible outcomes:
a) Firewall blocks packets
intended for port P on H,
thus no response arrives
back.
b) Firewall lets packet(s),
in but the network-layer
module of H’s OS sends an
ICMP TTL Expired error TTL
message back. expired

Outcomes a) and b) are

different!!!
 Firewall Analysis Tools (cont.)
Example: Firewalk (http://www.e-cq.net/wp/scanning-encored.pdf)

firewall /
gateway router
one known host
on target network
• Categories of Hacking Tools

0) Public Reconnaissance Tools

1) Port Scanners
2) Network Mappers
3) Operating System Detection Tools
4) Firewall Analysis Tools
5) Vulnerability Scanners
6) Packet Sniffers
7) Wireless Sniffers
8) Password Crackers
Vulnerability Scanners
• Vulnerability – software tools that assess security
Scanners vulnerabilities in networks & hosts
& produce a set of scan results
 functionality of port scanners and more!
 e.g. tell you not only which ports are open,
but also the name and version of software
running on the port, and its vulnerabilities
 components of a scanner:

http://www.infosec.gov.hk/english/technical/files/vulnerability.pdf
 Vulnerability Scanners (cont.)

Example:

 Leader in vulnerability scanners – used by over 75,000 companies.

 Freeware!

 Can scan for vulnerabilities on either a local or a remote host.

 Comes in different flavors for UNIX, Mac and Windows.

 Able to detect:
 open ports / available services
 misconfigurations (e.g. missing patches)
 default passwords
 presence of viruses and back-door programs, etc.
 Vulnerability Scanners (cont.)
Example: Nessus (cont.)
 Employs client-server architecture:
 Nessus server includes a vulnerability database & a scanning engine.
 Nessus client includes a user config. tool and a report-gener. tool.
 Client & server can run on same or different machines (e.g. in case
of a slow link).
• Categories of Hacking Tools

0) Public Reconnaissance Tools

1) Port Scanners
2) Network Mappers
3) Operating System Detection Tools
4) Firewall Analysis Tools
5) Vulnerability Scanners
6) Packet Sniffers
7) Wireless Sniffers
8) Password Crackers
Packet Sniffers
• Packet Sniffers – aka network protocol analyzers –
collect copies of packets from a
network and decode their content
 common use:
 troubleshooting – e.g. diagnose protocol
configuration mistakes
 network traffic characterization – obtain
a picture of type and make of network
traffic to fine-tune/manage bandwidth
 security analysis – e.g. detect DoS attacks
by observing a large number of specific-
type packets

 to be able to ‘sniff’ all LAN packets

packet sniffer should be put into
promiscuous mode
Packet Sniffers (cont.)

• Packet Sniffers (cont.)

 warning! – simply tapping into an
Internet connection constitutes a
violation of the wiretapping act
 to use a packet sniffer legally, one
must:
 be under direct authorization of the
owners of the network
 have knowledge and consent of the
content creators
 Packet Sniffers (cont.)
Example: Wireshark
• Categories of Hacking Tools

0) Public Reconnaissance Tools

1) Port Scanners
2) Network Mappers
3) Operating System Detection Tools
4) Firewall Analysis Tools
5) Vulnerability Scanners
6) Packet Sniffers
7) Wireless Sniffers
8) Password Crackers
Wireless Sniffers
• Wireless Sniffers – software / hardware capable of
capturing & decoding packets
as they pass over airwaves
 wireless sniffing is much easier
than wired sniffing
 wireless medium is broadcast medium:
everybody sees everything
 in a wired network, the attacker must
find a way to install a sniffer on a host
or in a target subnet
 detection of wireless sniffing is
extremely difficult – leaves no
traceable evidence
 name typically refers to WiFi (IEEE
802.11) sniffers
 Wireless Sniffers (cont.)

Example: NetStumbler
• Categories of Hacking Tools

0) Public Reconnaissance Tools

1) Port Scanners
2) Network Mappers
3) Operating System Detection Tools
4) Firewall Analysis Tools
5) Vulnerability Scanners
6) Packet Sniffers
7) Wireless Sniffers
8) Password Crackers
 Password Crackers
• Password – a critical (sometimes only) defense
against intruders!
 in most systems, passwords are stored in a
protected (hash) form ⇒ snooper that gains
internal access to system cannot easily
retrieve/steal passwords
 every time a user logs in, password handling
software runs the hash algorithm
 if (new hash = stored hash), access is granted
 Password Crackers (cont.)

Example: Password hashes

Storing hash instead

of password
Testing a password
against stored hash

http://unixwiz.net/techtips/iguide-crypto-hashes.html
 Password Crackers (cont.)

• Password – password hashes are stored in

Management Security Account Manager (SAM) file
in Windows  stored in C:\Windows\System32\config
or HKEY_LOCAL_MACHINE\SAM registry
- cannot be accessed while computer
running (file used by OS)

• Accessing SAM – requires additional software

File in Windows  install and run LCP, pwdump,
or FGDUMP with Administrator
privileges
 Password Crackers (cont.)

• Accessing Hash – text file: /etc/passwd

File in Unix  readable by system administrator
only
 Password Crackers (cont.)

• Advantages of Using Password Salt – in case of

a compromised Password File
 prevents duplicate passwords from being visible in the password file
 becomes impossible to find out whether a person has used the same
password on multiple systems
 Password Crackers (cont.)
• Password – a method of gaining unauthorized
Cracking access to a computing system by
(Guessing) using computers and dictionaries or
large word lists to try likely passwords
 online cracking
 try every password at the login prompt in real
time
 very slow!
8-character password of 76 possible characters
(upper & lower case, digits, common symbols) =
1.1x1015 possibilities
2 to 3 passwords a second ⇒ 5,878,324 years
to guess a password

 extremely noisy!
most systems block the victim account after several
failed login attempts
 Password Crackers (cont.)

Password Search Space

a) On 26-letter alphabet, password of length 1/2/n:
S1-Letter=261
S2-Letter=262
Sn-Letter=26n

b) On A-character alphabet, password of length n:

Sn-character=An

c) On A-character alphabet, passwords up-to n characters

 Password Crackers (cont.)

Example: Password Search Space

Some computer systems set a minimum length for passwords.
Compare two systems in which the maximum password length is
16 characters, and passwords may contain any printable ASCII
characters. One system allows passwords to be any length, while
The other requires passwords to be at least eight characters long.
Calculate the search space for these two systems.

A=94

System one:

System two:

Almost the same!

 Password Crackers (cont.)

Example: Number of Password

Tina has to create a password for the security of a software
program file. She wants to use a password with 3 letters.

How many passwords are allowed if no letter are repeated

and the password is not case sensitive?

L1 L2 L3 : A (B-Z) (C-Z)
26 25 24

26*25*24 = 15,600
𝒏!
n choose k, order does not matter: 𝒏−𝒌 !
 Password Crackers (cont.)

Example: Number of Password

A password consists of 4 lower-case letters followed by 3 digit
numbers.
How many passwords are possible if there are no restrictions.

L1 L2 L3 L4 D1 D2 D4
any combination any combination

264 *103 = 456,976,000

Password Crackers (cont.)
• Password  off-line dictionary attack
Cracking  assumes the possession of passwd/hash file
(Guessing)  users often create passwords using common
dictionary words
 instead of trying every password, dictionary
attack probes only common dictionary words
 faster than brute force, as it uses smaller
(more likely) search space
 still might take long time …
 Password Crackers (cont.)

Example: Dictionary attacks work!

Many studies on effectiveness of dictionary attack have
been conducted.
Not 100% effective, but enough passwords were cracked
to make the use of this attack worthwhile.

Research or Incident % Guessed

Morris worm, estimated success (1988) ~50%
Klein’s Study (1990) 24.2%
Spafford’s Study (1992) 20%
CERT Incident 1998-03 25.6%
Cambridge study by Yan, et al. (2000) 35%
Lulz and Anonymous, estimated success (2011) 30%

Elementary Information Security, R. E. Smith, pp. 253

Password Crackers (cont.)
• Password  pre-computed dictionary attack
Cracking  achieves a time-space tradeoff by pre-computing
(Guessing) a list of hashes of dictionary words
 pre-computed hashes are compared against
those in a stolen password file
 rainbow tables – effective-to-use pre-generated
sets/lists of hashes – n*Gbyte size!!!
Password Crackers (cont.)

• Password – Windows-based computers utilize

Hashing two hashing methods
in Windows  LAN Manager (LM)
 used in earlier versions – up until
Windows 2000, XP, Vista, and 7

 NT LAN Manager (NTLM)

 much stronger and harder to crack than
LM hash
 used in Windows 2000, XP, Vista, and 7
 Windows 2000 and XP are also backward
compatible – hash with both, to be able
operate with older clients/servers*
* feature that should be disabled if not necessary
Password Crackers (cont.)

• LM Password Hashing – not really a hash, but a

a cryptographic value
1) user password is converted to all uppercase
2) password has null characters added to it until it
equals 14 characters
3) new password is split into two 7 character halves
4) two 7-byte halves are used to create two 64-bit
(8-byte) long DES encryption keys, by inserting a
null bit after every seven bits
5) each key is used to DES-encrypt the constant
ASCII string “KGS!@#$%”, resulting in two
16-byte long ciphertext values
6) finally, two 16 byte hashes are concatenated
to form the 32-byte long hash
Password Crackers (cont.)

• LM Password Hashes (cont.)

 drawbacks:

1) case insensitive – significantly reduces

character set that attacker must use
(A - from 95 down to 69)
2) 14-character long passwords split into
two 7-character long halves – search
space dramatically reduced
(from A14 to 2*A7)
total reduction in search space:
from 9514 to 2*697
3) DES encryption algorithm not considered
safe anymore
Password Crackers (cont.)

• NTLM Hashing – much simpler in terms of OS

operations than LM
 applies MD4 hash algorithm 3 times
 advantages: much ‘stronger’ than LN
 allows for distinction between upper
and lower case
 does not split password into smaller,
easier to crack, chunks

 disadvantages: does not use ‘salting’

like in UNIX and Linux
 salt – random combination of 0 & 1
added to a password
 every bit of salt doubles password-
cracking demands on storage and
computation
 Password Crackers (cont.)

Example: CAIN & ABEL