Top Tools Hackers Use to Crack Passwords

What’s the quickest way to a hacker’s heart? Make sure your business email password is “Password123.” Or perhaps “Summer2017” if you want to play coy. You do that and you fit into their perfect profile… of the perfect data breach victim.

In all seriousness, this blog post has the following objectives:

  • Show you how hackers prey on the presence of weak or default passwords
  • Learn the differences between password cracking and guessing, and the tools hacker use to get this done
  • Understand the importance of performing self audits (yep, hack your own company) [The live demo of password self-audit can be found here: Top five tools hackers use to crack passwords]

First off, what is penetration testing? Penetration Testing is the active exploitation of risk in applications, network devices, and systems. As it happens, the easiest way to actively exploit a system is to have the password or key. So how does an ethical hacker (and really, malicious ones, too) get a password or key? There are several ways to go about it (Hackers <3 Stealing Passwords):

  • Guessing – Using a password dictionary in an effort to guess a valid password
  • Sniffing – Man in the middle a conversation between network nodes, gather clear-text passwords and/or hashes
  • Phishing – Target end users in spear phishing attacks intended to compromise systems or harvest credentials
  • Cracking – Attempt to resolve an encrypted or hashed password to its clear-text equivalent

We’ll look at each one of this separately. Starting with password guessing.

Password Guessing

  • Requires a User List – You can’t crack a password without an account to attack.  So how do you get a user list?
    • Open source intelligence gathering
    • Guess the usernames, too! Assume one account is protected by ‘Password1’ or ‘Spring2017’, and see if it sticks (asmith, bsmith, csmith, dsmith, etc.)
    • Customize a password list to the company you’re targeting!  ‘Apple1’ or ‘nymta1234’ or ‘Comp@ny1’
  • Think simple – End users hate passwords, and will go with something that is easy to remember, and this is what attackers target

Password Guessing Limitations & Tools

  • Service Oriented
    • Password guessing attacks typically target live services such as SSH, FTP, HTTP, or web applications
  • Limited Bandwidth
    • Guessing attacks are slow, you are limited by the network and system being attacked, lucky if you can try 100 passwords/sec
  • Account Lockouts
    • This is like a security control catch-22 (a vuln-ducken?), even if an attacker fails to guess a password, they can still lock out every account on an application or server
  • Tools:
    • Medusa
    • THC-Hydra
    • Burp Suite
    • Metasploit Framework

Password Sniffing

  • Requires a condition where an attacker can induce another host on the network to route traffic through their system
  • Typically exploits a broadcast protocol (ARP, LLMNR)
  • Encrypted protocols and hashed passwords are not immune (NTLM relay attacks)
  • Tools:
    • Ettercap
    • SSLStrip
    • WireShark
    • Responder
    • SmbrelayX

Password Phishing

  • Targeted Phishing Attack
    • Sometimes the easiest way to get a password is to just ask for it, or create a pretext to trick users
  • Password complexity is not a factor as long as the victim supplies a valid password
  • Relies heavily on open source intelligence gathering to generate a list of targets, and web applications to spoof
  • Domain registration is cheap – Why not compliment this attack with a well crafted domain “microsofast.com”, “gooqle.com”, etc

 

Password Phishing Limitations and Tools

  • Victim List
    • If you can’t find a ton of information about a company via open source intelligence gathering, you’ll have less success
  • Tools
    • Web server (Apache, IIS, Python)
    • Wget (mirror a website)
    • Metasploit (host a payload listener and exploit)
    • Perl (CGI scripting to harvest credentials)
    • GoDaddy (or any domain registrar)
    • SET (Social Engineering Toolkit)
    • King Phisher (amazing all in one tool for phishing attacks)

 

Password Cracking

  • If an attacker is performing offline cracking, then you’ve already been hacked (defense in depth though, strong passwords help a lot here)
  • Attacker has access to sensitive data such as router passwords, NTLM hashes, bcrypt (linux) hashes, MSSQL hahes, MD5, wpa2, etc
  • Limited by computing power, which thanks to Amazon GPUs in the cloud is cheap and abundant.
  • Not all hashes are equal – bcrypt and wpa2 are slow, MD5 and LM are fast

 

Password Cracking Limitations and Tools

  • Limited by computing power, use GPUs in addition to CPUs
  • Brute Force – Iterate through every possible password combination in a designated keyspace
    • Slow but thorough, limited to ~8 characters max
  • Dictionary – Use a dictionary combined with a rule set to rip through weak passwords quickly.
  • Tools:
    • 0phcrack (LM rainbow tables)
    • John the Ripper
    • Hashcat (GPU cracking zen)

Hack Yourself to Protect Yourself

  • Perform Password Audits – perform a quarterly analysis of passwords, and verify that no account is protected by a weak password
  • Don’t be afraid – Pen testers have to work for admin rights, you already have them, auditing passwords is much easier than you think
  • Goal is not to crack all passwords, a strong password can be crackable but not easily guessed (weird huh?)
  • Define a list of weak passwords tailored to your company: <season>+<year>, <month>+<year>, <company_name>1234, etc.
  • Ethical Hacking is FUN
    • Dumping a domain controller is epic, and understanding how to do it helps you understand how to protect yourself
  • Dump Tools
    • SecretDump.py (Impacket example), CrackMapExec
  • Crack Tools
    • Hashcat or John the Ripper

 

This post is not as awesome as the full webcast it came from. The on-demand webinar features a live demo of password self auditing. Click here to watch the demo.

 

References