Tools Hackers Use to Crack Passwords - dummies

Tools Hackers Use to Crack Passwords

By Kevin Beaver

High-tech password hacking involves using a program that tries to guess a password by determining all possible password combinations. These high-tech methods are mostly automated after you access the computer and password database files.

You can try to crack your organization’s operating system and application passwords with various password-cracking tools:

  • Brutus cracks logons for HTTP, FTP, telnet, and more.

  • Cain & Abel cracks LM and NT LanManager (NTLM) hashes, Windows RDP passwords, Cisco IOS and PIX hashes, VNC passwords, RADIUS hashes, and lots more. (Hashes are cryptographic representations of passwords.)

  • Elcomsoft Distributed Password Recovery cracks Windows, Microsoft Office, PGP, Adobe, iTunes, and numerous other passwords in a distributed fashion using up to 10,000 networked computers at one time. Plus, this tool uses the same graphics processing unit (GPU) video acceleration as the Elcomsoft Wireless Auditor tool, which allows for cracking speeds up to 50 times faster.

  • Elcomsoft System Recovery cracks or resets Windows user passwords, sets administrative rights, and resets password expirations all from a bootable CD.

  • John the Ripper cracks hashed Linux/UNIX and Windows passwords.

  • ophcrack cracks Windows user passwords using rainbow tables from a bootable CD. Rainbow tables are pre-calculated password hashes that can help speed up the cracking process. See the nearby sidebar “A case study in Windows password vulnerabilities with Dr. Philippe Oechslin” for more information.

  • Proactive Password Auditor runs brute-force, dictionary, and rainbow cracks against extracted LM and NTLM password hashes.

  • Proactive System Password Recovery recovers practically any locally stored Windows password, such as logon passwords, WEP/WPA passphrases, SYSKEY passwords, and RAS/dialup/VPN passwords.

  • pwdump3 extracts Windows password hashes from the SAM (Security Accounts Manager) database.

  • RainbowCrack cracks LanManager (LM) and MD5 hashes very quickly by using rainbow tables.

  • THC-Hydra cracks logons for HTTP, FTP, IMAP, SMTP, VNC and many more.

Some of these tools require physical access to the systems you’re testing. You might be wondering what value that adds to password cracking. If a hacker can obtain physical access to your systems and password files, you have more than just basic information security problems to worry about, right?

True, but this kind of access is entirely possible! What about a summer intern, a disgruntled employee, or an outside auditor with malicious intent? The mere risk of an unencrypted laptop being lost or stolen and falling into the hands of someone with ill intent should be reason enough.

To understand how the preceding password-cracking programs generally work, you first need to understand how passwords are encrypted. Passwords are typically encrypted when they’re stored on a computer, using an encryption or one-way hash algorithm, such as DES or MD5. Hashed passwords are then represented as fixed-length encrypted strings that always represent the same passwords with exactly the same strings.

These hashes are irreversible for all practical purposes, so, in theory, passwords can never be decrypted. Furthermore, certain passwords, such as those in Linux, have a random value called a salt added to them to create a degree of randomness. This prevents the same password used by two people from having the same hash value.

Password-cracking utilities take a set of known passwords and run them through a password-hashing algorithm. The resulting encrypted hashes are then compared at lightning speed to the password hashes extracted from the original password database. When a match is found between the newly generated hash and the hash in the original database, the password has been cracked. It’s that simple.

Other password-cracking programs simply attempt to log on using a predefined set of user IDs and passwords. This is how many dictionary-based cracking tools work, such as Brutus and SQLPing3.

Passwords that are subjected to cracking tools eventually lose. You have access to the same tools as the bad guys. These tools can be used for both legitimate security assessments and malicious attacks. You want to find password weaknesses before the bad guys do.

When trying to crack passwords, the associated user accounts might be locked out, which could interrupt your users. Be careful if intruder lockout is enabled in your operating systems, databases, or applications. If lockout is enabled, you might lock out some or all computer/network accounts, resulting in a denial of service situation for your users.

Password storage locations vary by operating system:

  • Windows usually stores passwords in these locations:

    • Security Accounts Manager (SAM) database (c:winntsystem32config) or (c:windowssystem32config)

    • Active Directory database file that’s stored locally or spread across domain controllers (ntds.dit)

    Windows may also store passwords in a backup of the SAM file in the c:winntrepair or c:windowsrepair directory.

    Some Windows applications store passwords in the Registry or as plain-text files on the hard drive! A simple registry or file-system search for “password” may uncover just what you’re looking for.

  • Linux and other UNIX variants typically store passwords in these files:

    • /etc/passwd (readable by everyone)

    • /etc/shadow (accessible by the system and the root account only)

    • /etc/security/passwd (accessible by the system and the root account only)

    • /.secure/etc/passwd (accessible by the system and the root account only)