Password cracking IN5290 - Ethical Hacking Bruvoll & Sørby Department of Informatics 2018 1 / 46
Agenda About passwords Cracking passwords 2 / 46
About passwords 3 / 46
Passwords as authentication Providing a user name and a password is still the most common form of logging on to computer systems. This can be seen as a two step process: 1. Identification who you are (user name) 2. Authentication proving that you are who you claim to be (password) 4 / 46
Other ways of authenticating Passwords belong to one of three categories of user authentication: knowledge-based authentication something you know passwords, passphrases ownership-based authentication something you have tokens (bank id OTP calculators, yubikeys) inherence-based authentication something you are/do biometrics (fingerprints, iris scan,... ) Multi-factor authentication (MFA) requires the use of multiple authentication mechanisms, typically from two or more of the above categories. Two-factor authentication (2FA) is the most common type of MFA, combining two different mechanisms. 5 / 46
Cracking passwords There are two major approaches for guessing passwords: Exhaustive search Trying all possible combinations Often called brute force Intelligent search The idea is to reduce the search space Guess based on personal information (names of friends, birthdays... ) Try generally popular passwords Guess based on words in a dictonary (a dictionary attack) 6 / 46
Password strength The strength of a truly random password is a function of the size of the set of symbols allowed in the password, and the length of the password. Example How many passwords are possible when the set of symbols are all alphanumerical characters (upper and lower case), and the password length is 6? 7 / 46
Password strength The strength of a truly random password is a function of the size of the set of symbols allowed in the password, and the length of the password. Example How many passwords are possible when the set of symbols are all alphanumerical characters (upper and lower case), and the password length is 6? The size of the set is 62 (A-Za-z0-9), and the possible combinations are: 62 6 = 56800235584 7 / 46
Storing passwords Storing passwords in cleartext is obviously a bad idea. Storing passwords encrypted might seem like a good idea, but: anyone with access to the keys and the encrypted passwords can impersonate any user the keys must be protected from attackers Storing the hash value of the password is the preferred method for storing passwords: the hash function is one-way, we cannot deduce the password from the hash similar passwords have totally different hashes the authentication function first computes hash of received password, then compares against stored hash value but there still are issues... 8 / 46
Lookup and Rainbow table attacks What if the attacker precomputes and stores the hash of probable passwords in a lookup table? Used to be infeasible due to the storage requirements. A rainbow table is a precomputed table of passwords and their hashes, using clever methods for reducing the storage space required. Using rainbow tables, the attacker can just lookup the stored password hash in the table and get back the password. 9 / 46
Salting the password To defend against attacks using precomputed hash tables, we can salt the password. Prepend or append random data (salt) to the password before hashing it Store the salt together with the password hash Now two instances of the same password will get different hashes, and the attacker will have to crack each and every password. Example Password Salt Hashing function call What is stored secret None sha1( secret ) e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4 secret asdf sha1( asdfsecret ) ( asdf, aaba62303a3ec7983406aff8602ffbda9d346424 ) secret qwer sha1( qwersecret ) ( qwer, 038fbd19069cacc6865a66c25c0f39a663f70b8d ) 10 / 46
Bruteforcing password hashes Cryptographic hashes are designed to be fast to compute, and modern day GPUs can compute billions of hashes per second. Thus, slowing the attacker down becomes necessary. This can be done by key stretching making a weak key more secure against brute force attacks by increasing the time it takes to test each candidate key. Some popular algorithms that uses key stretching are PBKDF2 and bcrypt. Simplistically, they do several rounds of hashing, using the output of one round as the input for the next. The number of rounds are given as a parameter, and recommended number of rounds are several thousand. 11 / 46
Password policies Choosing good random passwords is hard, and analyses of password dumps have shown that people often do choose poor passwords. Password policies try to mitigate this by setting rules for: password length and complexity requiring at length of 8 or more requiring both upper-case and lower-case letters, one or more numeric digits requiring special characters, such as #,!, %, ;,... password duration changing every 180 days password history remembering and denying the use of old passwords password blacklisting passwords containing patterns as qwerty, password etc... passwords containing the user s personal information 12 / 46
Password policies Helping the user choose strong passwords is a good thing, but: remembering dozens of strong, random passwords doesn t scale users will be tempted to reuse their password on other systems users will be tempted to write down the password on a piece of paper the use of password managers can be problematic does the password leave the organization? what if the password manager gets compromised? users might create simple rules that technically follow the password policy, but make future passwords highly predictable given knowledge of the current one 13 / 46
Passphrases Passphrases can be a good alternative to traditional passwords, provided the words really are chosen randomly. 14 / 46
Cracking passwords 15 / 46
Password cracking tools Kali comes with several tools for password cracking: John the Ripper multiple modes, customizable, easy to get running hashcat multiple modes, can use GPUs for cracking Johnny a GUI for John the Ripper RainbowCrack for creating and using rainbow tables 16 / 46
Cracking with John the Ripper We will be cracking passwords from a Linux system. On modern systems, the relevant information is stored in two files: /etc/passwd stores user account information, but not the password hashes. Is world-readable as many programs require data from user accounts. /etc/shadow stores the password hashes, and password meta-information. Can only be accessed by root. 17 / 46
/etc/passwd $ cat / etc / passwd Ole :x :502:502::/ home / Ole :/ bin / bash Dole :x :504:504::/ home / Dole :/ bin / bash Contents of the file: User name: up to eight characters long Password: x means a shadow file is used for storing the password hash User ID (UID): user identifier for access control Group ID (GID): user s primary group ID string: user s full name Home directory: location of the user s home directory Login shell: program started after successful log in 18 / 46
/etc/shadow $ cat / etc / shadow Ole : $1$zPawRL. R$l8n1emmkWk2QJB5FEPzxI1 :14152:0:99999:7::: Dole : $1$. L9uWK48$nwAScuNaqpNuicVdwGHx10 :14152:0:99999:7::: Contents of the file: username encrypted password, really a hash days since password was changed days left before user may change password days left before user is forced to change password days to change password warning days left before password is disabled days since the account has been disabled reserved 19 / 46
/etc/shadow Ole :$1$zPawRL.R$l8n1emmkWk2QJB5FEPzxI1: 14152: 0: 99999: 7::: The password is stored on the form $id$salt$hash, where id is the hashing algorithm used (1: MD5, 5: SHA-256, 6: SHA512) 20 / 46
unshadow John provides the unshadow command for combining passwd and shadow files so John can use them. $ unshadow passwd shadow > workfile $ cat workfile Ole : $1$zPawRL. R$l8n1emmkWk2QJB5FEPzxI1 :502:502::/ home / Ole :/ bin / bash Dole : $1$. L9uWK48$nwAScuNaqpNuicVdwGHx10 :504:504::/ home / Dole :/ bin / bash 21 / 46
Single mode In single mode, John will try to crack the password using the login information as passwords. $ john -- single workfile Using default input encoding : UTF -8 Loaded 8 password hashes with 8 different salts ( md5crypt, crypt (3) $1$ [ MD5 128/128 AVX 4x3 ]) Press q or Ctrl -C to abort, almost any other key for status Borgund ( linebo ) langbein12 ( Langbein ) 2g 0:00:00:00 DONE (2018-11 -17 10:25) 11.11 g/s 30983 p/s 31055 c/s 31055 C/s dole1905.. dole1900 Use the " -- show " option to display all of the cracked passwords reliably Session completed 22 / 46
Wordlist mode In wordlist mode, John will use a file with a list of words to crack the passwords. If the option --rules is specified, John will modify or mangle word according to specified rules. $ john -- wordlist -- rules workfile Using default input encoding : UTF -8 Loaded 8 password hashes with 8 different salts ( md5crypt, crypt (3) $1$ [ MD5 128/128 AVX 4x3 ]) Remaining 6 password hashes with 6 different salts Press q or Ctrl -C to abort, almost any other key for status coffee ( Ole ) eeffoc ( Doffen ) coffee6 ( Dole ) 3g 0:00:00:14 DONE (2018-11 -17 10:32) 0.2042 g/s 10662 p/s 36788 c/s 36788 C/s Qwerting.. Sssing Use the " -- show " option to display all of the cracked passwords reliably 23 / 46
Incremental mode Incremental mode is the most powerful cracking mode, as John will try all possible character combinations as passwords. This mode does not terminate on itself (unless you configure a small search space), but will continue cracking until interrupted. We can define mode definitions for Incremental mode in John s configuration file 1 what symbols to use minimum and maximum lengths 1 On Kali: /etc/john/john.conf 24 / 46
Managing the search space Successful password cracking is mostly about managing and reducing the search space. Knowledge of your targets username, full name language and culture password requirements/policy Relevant dictionaries customized with target specific information Good rules customized with target specific information 25 / 46
Additional resources John comes with extensive documentation: on Kali it is located under /usr/share/doc/john/ (use zless to read) online documentation: https://www.openwall.com/john/doc/ The John wiki: https://openwall.info/wiki/john A nice John cheat sheet: https://countuponsecurity.files.wordpress.com/2016/09/ jtr-cheat-sheet.pdf 26 / 46
Passwords in Windows 27 / 46
How are passwords stored in Windows? Passwords are stored in the SAM: The registry: \HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users SAM in file on disk: C:\Windows\System32\config 28 / 46
Passwords in the registry Command line to open regedit as SYSTEM: Psexec.exe s i regedit.exe Psexec is part of the SysInternals suite. 29 / 46
Passwords in the registry 30 / 46
Extract password hashes from the file on disk The SAM in file on disk, C:\Windows\System32\config, is not readable while Windows is running To extract the file, boot the machine from Linux on USB (or CD), if possible Linux USB and physical access 31 / 46
Extract the password hashes from the registry Use a tool to extract the hashes. Possible if you are admin user. Extract them manually by learning the format of the registry values. Read more: http://www.beginningtoseethelight.org/ntsecurity/index.htm 32 / 46
Possible tool: fgdump 33 / 46
Possible tool: fgdump 34 / 46
Extracted password hashes User name:number:lm hash:ntlm hash 35 / 46
LM hash LM hashes are insecure and out of date. Capitalize Pad with zeros to length of 14 Divide into two parts of length 7 Each part used as DES key to encrypt KGS!@#$% Concatenate https://en.wikipedia.org/wiki/lan_manager#lm_hash_details 36 / 46
NTLM hash MD4 of the little endian UTF-16 Unicode password More secure than LM hash Not of much use as long as LM hashes were stored as well Now normally only NTLM hashes are stored 37 / 46
Why crack passwords if you are already admin? Passwords may be reused. Access to other files. Step by step towards more access. 38 / 46
Which users are present on the machine? wmic useraccount 39 / 46
Recommended reading A good article on salted password hashing: https://crackstation.net/hashing-security.htm A series of articles from Ars Technica: https://arstechnica.com/information-technology/2012/08/ passwords-under-assault/ https://arstechnica.com/information-technology/2013/03/ how-i-became-a-password-cracker/ https://arstechnica.com/information-technology/2013/05/ how-crackers-make-minced-meat-out-of-your-passwords/ 40 / 46
Exercise Task Part 1: Password length Assume that a password can only contain the 26 characters from the alphabet. How many different passwords are possible if a password is at most n, n = 4,6,8, characters long and there is no distinction between upper case and lower case characters? How many different passwords are possible if a password is at most n, n = 4,6,8, characters long and passwords are case sensitive? 41 / 46
Exercise Task Part 2: Brute force Assume that passwords have length six and all alphanumerical characters, upper and lower case, can be used in their construction. How long will a brute force attack take on average if: it takes one tenth of a second to check a password? it takes a microsecond to check a password? 42 / 46
Exercise Task Part 3: Hashes and salts 1. What is the advantage of storing password databases as hash values instead of in plaintext? 2. What is the advantage of storing passwords as salted hash values instead of just as hash values? 43 / 46
Exercise Task Part 4: More hashes and salts Create a text file (c:\pw.txt) on your Windows 7 VM, and write a random string (without any linebreaks). Open a command prompt and use the command certutil to hash the file: certutil -hashfile c:\pw.txt SHA1. Make note of the hash value. Add a single character to the text file. Hash the file again, and note the hash value. Is it similar to the previous hash? Substitute the string with the word secret, and rehash the file. Do you get the same result as in the lecture slides? Try rehashing after appending the salt used in the slides. 44 / 46
Exercise Task Part 5: Crack passwords Crack the passwords 45 / 46
Questions? 46 / 46