Common Network Attack Strategies: Password Attacks
Sometimes, people attempt password attacks against a running network system, but because account lockout policies disable an account after a few failed logon attempts, this network attack strategy isn't very productive. More typically, password attacks capture raw logon traffic from the network or break into a backup of a domain controller or workstation on the network.
If an attacker reboots a workstation on a network from a CD or USB key, he can quickly grab a copy of the Windows SAM and security files from the Windows directory.
With these files in hand, the attacker can spend as much time as he wants trying to guess the passwords found in these files. In the case of the workstation, these security files give an attacker the local passwords on a computer, such as the local Administrator account, which he can then use to get hold of network passwords that provide more access to the network.
From the SAM file, an attacker can attempt to use two methods to crack these passwords:
Brute force attack: With this attack or password-guessing technique, the cracking software goes through every password possibility from a through zzzzzzzzzz, including all possible numbers and punctuation characters. This process of finding a password can take a very long time, and it takes longer for every extra character in the password.
Dictionary attack: This password-guessing technique can be done much faster, and it makes use of dictionary or word list files. These files are readily available on the Internet and include dictionaries such as the standard Oxford dictionary, every word found in the works of William Shakespeare, and even obscure or made-up language dictionaries such as Klingon.
With these word lists in hand, the attacker can quickly test these words against the hash values of the Windows passwords found in the SAM file. To speed things up even more, he can have his computer go through the dictionary files and create a password hash for every word, so that he then only needs to compare the pregenerated hash values with those found in the SAM file.
This process can give the attacker even more speed in finding these passwords. Despite warnings not to, many people still use standard dictionary words for their passwords.
To protect your network from these possibilities, you need to provide some level of protection to the local OS installations, especially for workstations in public or high-traffic areas. Workstations that must be in those areas should have physical security preventing them from being rebooted from custom media.
Passwords used on these systems should be different from those used on the main domain client systems. Finally, use a strong password policy, which includes regular changes to the passwords and a requirement that the passwords must not be dictionary words.
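As an added example that is not part of the original article, the following Python check shows the two points above from the defender's side: how the brute-force keyspace grows with every extra character, and how a policy can reject dictionary words even when they carry a capital letter or trailing digits and punctuation. The word list is a constructed sample standing in for a downloaded dictionary file, and the function names are my own.

```python
import string

# Constructed stand-in for a downloaded dictionary or word-list file.
SAMPLE_WORDLIST = {"password", "welcome", "dragon", "summer", "klingon"}

# Printable characters a brute-force cracker would step through:
# upper- and lower-case letters, digits and punctuation (94 symbols).
CHARSET_SIZE = len(string.ascii_letters + string.digits + string.punctuation)


def brute_force_guesses(max_length, charset_size=CHARSET_SIZE):
    """Number of candidates a brute-force run must try to cover every
    password of 1..max_length characters drawn from the charset.
    Each extra character multiplies the work by the charset size."""
    return sum(charset_size ** n for n in range(1, max_length + 1))


def dictionary_stem(password):
    """Lower-case the password and strip trailing digits/punctuation, so
    'Summer2024!' is compared to the word-list entry 'summer'."""
    return password.lower().rstrip(string.digits + string.punctuation)


def is_dictionary_word(password, wordlist):
    """True when the password is a word-list entry, optionally decorated
    with capitals or trailing digits/punctuation."""
    return dictionary_stem(password) in wordlist


def check_password(password, wordlist, min_length=12):
    """Apply the policy and return a list of failures (empty = accepted)."""
    failures = []
    if len(password) < min_length:
        failures.append("too short")
    if is_dictionary_word(password, wordlist):
        failures.append("dictionary word")
    if password.isalpha() or password.isdigit():
        failures.append("single character class")
    return failures


if __name__ == "__main__":
    for n in (6, 8, 10):
        print(f"{n} chars: {brute_force_guesses(n):e} brute-force guesses")
    for candidate in ("dragon", "Summer2024!", "xQ7#mv9Lp2!rTz"):
        print(candidate, "->", check_password(candidate, SAMPLE_WORDLIST) or "ok")
```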