
Password Cracking Testing

December 27, 2014

Password cracking is the process of validating password strength with automated password recovery tools. A successful crack exposes one of three weaknesses: the use of weak cryptographic algorithms to protect stored passwords, an incorrect implementation of an otherwise sound algorithm, or weak passwords chosen by users (the human factor). This module should not be confused with password recovery by sniffing clear-text channels, which may be a simpler way to subvert system security, but one that succeeds only because the authentication mechanism is unencrypted, not because the passwords themselves are weak. [Note: This module could include manual password guessing, which exploits default username and password combinations in applications or operating systems (e.g. Username: System, Password: Test) or easy-to-guess passwords resulting from user error (e.g. Username: joe, Password: joe). Such guessing may be a means of obtaining initial access to a system, perhaps even administrator or root access, but only through educated guessing. Beyond manual guessing of simple or default combinations, online brute forcing of interactive services such as Telnet, using scripts or custom programs, is generally not feasible because of prompt timeout values, even with multi-connection (i.e. simulated threading) brute force tools. Offline cracking of a captured password file is not subject to those limits, which is why this module concentrates on it.]

Once administrator or root privileges have been obtained on a system, password cracking may yield access to additional systems or applications, because users frequently reuse the same password on multiple systems; it is therefore a valid technique for gaining leverage throughout a security test. Thorough or corporate-wide password cracking can also be performed as a simple after-action exercise. It may highlight the need for stronger hashing algorithms for password storage on key systems, as well as the need to enforce stronger user passwords through stricter policy, automatic generation, or pluggable authentication modules (PAMs).

Expected Results

  • Password file cracked or uncracked
  • List of login IDs with user or system passwords
  • List of systems vulnerable to crack attacks
  • List of documents or files vulnerable to crack attacks
  • List of systems with user or system login IDs using the same passwords

Tasks to perform for a thorough Password Cracking verification

  • Obtain the password file from the system that stores usernames and password hashes
    1. For Unix systems, this will be either /etc/passwd (on systems without shadow passwords) or /etc/shadow (readable only by root)
    2. For Unix systems that happen to perform SMB authentication, the LM/NT hashes can be found in /etc/smbpasswd (on older Samba installations)
    3. For NT systems, this will be /winnt/repair/Sam._, the compressed backup of the SAM (or other, more difficult to obtain variants; the live SAM is locked while Windows is running)
  • Run an automated dictionary attack on the password file
  • Run a brute force attack on the password file as time and processing cycles allow
  • Use obtained passwords or their variations to access additional systems or applications
  • Run automated password crackers on encrypted files that are encountered (such as PDFs or Word documents) in an attempt to gather more intelligence and to highlight the need for stronger document or file system encryption
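The procedure above, carried out end to end against two constructed shadow-style files, as an added example (not part of the original module text): parse the hash field, run a dictionary attack with simple mangling rules, brute force the short passwords that remain, and then list the login IDs that share a password across hosts. The `$sha256$salt$hex` field format is a deliberately simplified stand-in for real crypt(3) schemes; every host name, user, salt, password and word in the word list is constructed for the demonstration, and the unsalted store on `hostA` stands in for the weak-algorithm finding the module describes.

```python
# Added example, not part of the original module. The $sha256$salt$hex field
# is a simplified stand-in for real crypt(3) output; hosts, users, salts,
# passwords and the word list are all constructed for the demonstration.
import hashlib
import itertools
import string


def digest_of(password, salt):
    """Simplified scheme: hex SHA-256 of salt || password (not real crypt(3))."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def make_hash(password, salt=""):
    """Build a $sha256$salt$hex field; an empty salt models an unsalted store."""
    return f"$sha256${salt}${digest_of(password, salt)}"


# Constructed sample files. hostA stores unsalted hashes (the weak-algorithm
# finding); hostB salts per user. "joe" reuses one password on both hosts.
WORDLIST = ["password", "winter", "letmein", "summer"]
SHADOW_FILES = {
    "hostA": "\n".join([
        "root:*:16000:0:99999:7:::",  # locked account, no hash to attack
        f"joe:{make_hash('Winter2014')}:16000:0:99999:7:::",
        f"dba:{make_hash('letmein')}:16000:0:99999:7:::",
        f"svc:{make_hash('xqz')}:16000:0:99999:7:::",  # short: brute-forceable
    ]),
    "hostB": "\n".join([
        f"joe:{make_hash('Winter2014', 'k9Qz')}:16000:0:99999:7:::",
        f"ops:{make_hash('Summer123', 'Tr4f')}:16000:0:99999:7:::",
        f"admin:{make_hash('V3ry-l0ng Pa55phrase!', 'u2Lm')}:16000:0:99999:7:::",
    ]),
}


def parse_shadow(text):
    """Return {user: (salt, hexdigest)} for lines like user:$sha256$salt$hex:...
    Locked accounts (*, !) and unknown schemes are skipped."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or line.startswith("#"):
            continue
        user, field = parts[0], parts[1]
        if not field.startswith("$sha256$"):
            continue
        _, _alg, salt, digest = field.split("$", 3)
        entries[user] = (salt, digest)
    return entries


def candidates(wordlist):
    """Dictionary words plus cheap mangling rules (case changes, common suffixes)."""
    for word in wordlist:
        for base in (word, word.capitalize(), word.upper()):
            yield base
            for suffix in ("1", "123", "!", "2014"):
                yield base + suffix


def dictionary_attack(entries, wordlist):
    """Test every mangled dictionary word against every entry."""
    cracked = {}
    for user, (salt, digest) in entries.items():
        for cand in candidates(wordlist):
            if digest_of(cand, salt) == digest:
                cracked[user] = cand
                break
    return cracked


def brute_force(entries, alphabet=string.ascii_lowercase, max_len=3):
    """Exhaustive search over short passwords; cost grows as |alphabet|**length.
    Entries are grouped by salt: in an unsalted store one hash computation tests
    a candidate against every user at once, which is why salting matters."""
    by_salt = {}
    for user, (salt, digest) in entries.items():
        by_salt.setdefault(salt, {})[digest] = user
    cracked = {}
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            cand = "".join(combo)
            for salt, targets in by_salt.items():
                user = targets.pop(digest_of(cand, salt), None)
                if user is not None:
                    cracked[user] = cand
            if not any(by_salt.values()):  # every target found: stop early
                return cracked
    return cracked


def shared_passwords(cracked_by_host):
    """Map each cracked plaintext to the (host, user) pairs using it on more
    than one host: the reuse that lets one cracked file open other systems."""
    seen = {}
    for host, cracked in cracked_by_host.items():
        for user, password in cracked.items():
            seen.setdefault(password, []).append((host, user))
    return {pw: where for pw, where in seen.items()
            if len({host for host, _ in where}) > 1}


def run(shadow_files, wordlist):
    """Per host: dictionary attack first, then brute force whatever is left."""
    results = {}
    for host, text in shadow_files.items():
        entries = parse_shadow(text)
        cracked = dictionary_attack(entries, wordlist)
        leftover = {u: v for u, v in entries.items() if u not in cracked}
        cracked.update(brute_force(leftover))
        results[host] = cracked
    return results
```

Calling `run(SHADOW_FILES, WORDLIST)` cracks `joe`, `dba` and `svc` on `hostA` and `joe` and `ops` on `hostB`; `admin` on `hostB` survives both attacks, which is the "uncracked" outcome the expected results allow for. `shared_passwords()` over the result then reports `joe` using the same password on both hosts. Against real crypt(3) hashes the same workflow is what John the Ripper or hashcat automate, with far better mangling rules and hardware-rate hashing; the salt grouping in `brute_force` shows why an unsalted store lets every user be attacked for the price of one.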
