Password cracking is an integral part of a security audit -- and can be a lot of fun. Cisco's Jimmy Ray Purser has four methods to accomplish this and the tools IT administrators can use to do it on their own.
Secret stuff really appeals to me. Movies like National Treasure and Indy Jones, coupled with books like Da Vinci Code and By Way of Deception, really hook me.
Who out there today doesn't daydream about having privileged access to some big secret that folks are chasing you down to get? Can I get a witness? If you really want to get someone's attention, start your statement with "Let me tell you a secret." I would stop eating Popeye's chicken to tune in to that. OK, maybe not that drastic.
Cracking passwords is typically what most folks think of when they think about hacking. In reality, that is a last-ditch act of desperation. When security folks today conduct pen testing, they are looking to piggyback on someone else's access level to get into a system. I feel like Jimmy Ray Bond when I do have to crack a password and actually do it. It is euphoric! At many hacker shows, they have contests to see who can crack a WEP key the fastest. The fastest I have seen was eight seconds. The fastest I have done was 18 seconds. That is with a ton of luck hitting the IVs just right and at the right time. I brag on that time more than my collection of tribbles.
The Methods to the Madness
How do you actually crack a password on a system? There are really four solid methods, not counting luck and the password recovery procedures designed by the vendor. Let's take a look at these four methods and the tools used to accomplish each. Keep in mind that, other than Hydra, these tools do not try to log in to the target: Hydra guesses against a live service, while the rest work offline. Your password file or hash dump is grabbed from the system first and cracked on your own machine, so the hash file is the critical step one. It must be loaded into the cracker so the cracker has something to crack.
Footprinting: This is the Ellery Queen part of password cracking. Time for a little bit of deductive reasoning (calabash pipe optional) to spot the place where someone actually wrote down that obnoxiously long password required by the corporate IT security team. Under keyboards, on monitor arms, under pencil trays, beneath picture frames, under telephones, and so on are great places to store passwords. Many times the password is written on a piece of paper in a locked drawer, and the key to that drawer is in an overhead cabinet or on a hook under the desk. Administrative assistants are the best targets here. They tend to be very service minded, so they have not only their own passwords but the keys to the kingdom of other team members as well. If you are on the IT security team, sweeping cubicles after hours is a critical part of your physical security.
If your password scheme is so complex that folks have to write it down, then listen to your users! If you don't, you have a bigger security issue. Consider some form of two-factor authentication or even biometrics. Remember, all accounts are important, not just root/administrator or the power users. No self-respecting hacker is going to directly assault the root/administrator account; they are going to target a lesser user or service account and then escalate privileges. For example, I was looking for a user account to compromise for a security audit. I searched a cubicle and came up dry. Then I noticed how the cubicle was decorated: Brett Favre posters, jersey, helmet, and so on. Hmmm. I knew the user name from an e-mail tacked on the wall congratulating the user for a job well done. Could it be this easy?
User name: robbboyd; Password: Favre
Nope. Let's try:
User name: robbboyd; Password: 4Favre
Welcome to the wide world of unrestricted data access. Bond. Jimmy Ray Bond.
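The two ideas above, grabbing a hash file and cracking it offline, and seeding the cracker with what footprinting told you about the user, fit together in one small script. The following is an added example written for this page, not the author's code and not any of the tools he names. Everything in it is constructed: the "hash file" is built in-memory from unsalted SHA-256 digests (a simplification; real stores use salted, slow hashes such as bcrypt or Argon2, which only makes each guess cost more), the users and passwords echo the anecdote, and the wordlist is what a walk past that cubicle would suggest. The mangling rules are a deliberately tiny subset of what John the Ripper or hashcat rule files do.

```python
"""Tiny offline dictionary cracker driven by a footprinting wordlist.

Added example, not code from the original article. Workflow: load the
grabbed hash file, generate candidates from words learned about the target,
hash each candidate once and look it up against every user's hash.
"""
import hashlib
import itertools
from typing import Dict, Iterable, Iterator, List


def _h(password: str) -> str:
    """Assumption: the target stores unsalted SHA-256. Swap this for the
    real scheme (bcrypt, scrypt, Argon2, ...) and the rest is unchanged."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed fixture standing in for the file you pulled off the target
# (shadow, SAM dump, a users table). Format: user:hexdigest, one per line.
SAMPLE_HASH_FILE = "\n".join([
    "robbboyd:" + _h("4Favre"),
    "svc_backup:" + _h("Packers1"),
    "admin:" + _h("correct horse battery staple"),
    "",                        # blank line: must be tolerated
    "corrupt-line-no-colon",   # malformed line: skipped, not a crash
])

# Constructed footprinting wordlist: the cubicle said "Brett Favre fan".
FOOTPRINT_WORDS: List[str] = ["favre", "packers", "brett", "lambeau"]


def parse_hash_file(text: str) -> Dict[str, str]:
    """Return {user: hash} for every well-formed 'user:hash' line."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        user, digest = line.split(":", 1)
        entries[user] = digest.strip().lower()
    return entries


def mangle(word: str) -> Iterator[str]:
    """Yield candidates from one base word: three case variants, each bare,
    with a single digit prefix, and/or with a digit, '!' or '123' suffix.
    Duplicates are suppressed so each candidate is hashed only once."""
    seen = set()
    cases = {word.lower(), word.capitalize(), word.upper()}
    prefixes = [""] + [str(d) for d in range(10)]
    suffixes = [""] + [str(d) for d in range(10)] + ["!", "123"]
    for base, prefix, suffix in itertools.product(sorted(cases), prefixes, suffixes):
        cand = prefix + base + suffix
        if cand not in seen:
            seen.add(cand)
            yield cand


def candidates(words: Iterable[str]) -> Iterator[str]:
    for w in words:
        yield from mangle(w)


def crack(hash_file_text: str, words: Iterable[str]) -> Dict[str, str]:
    """Offline attack. Returns {user: recovered_password} for the users whose
    hash matched some candidate; uncracked users are simply absent."""
    targets = parse_hash_file(hash_file_text)
    # Invert the table so one digest lookup finds every user sharing it.
    by_digest: Dict[str, List[str]] = {}
    for user, digest in targets.items():
        by_digest.setdefault(digest, []).append(user)
    found: Dict[str, str] = {}
    for cand in candidates(words):
        for user in by_digest.get(_h(cand), []):
            found[user] = cand
        if len(found) == len(targets):
            break   # nothing left to crack
    return found


if __name__ == "__main__":
    for user, pw in crack(SAMPLE_HASH_FILE, FOOTPRINT_WORDS).items():
        print(f"{user}: {pw}")
```

Running it recovers robbboyd's 4Favre and the service account's Packers1 from roughly 1,700 guesses, while the admin's long passphrase never falls, which is the whole point of the advice above: the hash file only becomes dangerous once an attacker knows what the user cares about, and a passphrase or second factor takes that guesswork off the table.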
Next Page: Beware of Common-Use and Default Passwords