Page 1: ECSA/LPT
Password Cracking Penetration Testing
Page 2: Penetration Testing Roadmap
Internal Network Penetration Testing
IDS Penetration Testing
Wireless Network Penetration Testing
Denial of Service Penetration Testing
Password Cracking Penetration Testing
Stolen Laptop, PDAs and Cell Phones Penetration Testing
Social Engineering Penetration Testing
Application Penetration Testing
Cont'd
Page 3: Penetration Testing Roadmap
War Dialing Penetration Testing
VPN Penetration Testing
Log Management Penetration Testing
File Integrity Checking
Bluetooth and Handheld Device Penetration Testing
Telecommunication and Broadband Communication Penetration Testing
Email Security Penetration Testing
Security Patches Penetration Testing
Page 4
Companies protect their resources by using combinations of user IDs and passwords.
Hackers can brute force or guess the passwords of web applications.
Some system software products use weak or no encryption to store and/or transmit their user IDs and passwords from the client to the server.
One of the leading causes of network compromises is the use of easily guessable or decipherable passwords.
Page 5: Common Password Vulnerabilities
Weak passwords are:
• Easily guessable, i.e. pet names, car number, family member's name, etc.
• Comprised of common vocabulary words.
Improper handling of strong passwords:
• Involves the need for the user to write down the password in an insecure location.
Copyright © by EC-Council
Page 6: Password Cracking Techniques
Page 7: Types of Password Cracking Attacks
Dictionary attacks: These attacks compare a set of words against a password database.
Brute-force attack: This attack checks all combinations of letters and numbers until the password is found.
Hybrid attack: This attack cracks passwords by adding numbers and symbols to the words in the dictionary file.
Page 8: Steps in Password Cracking Penetration Testing
Extract the /etc/passwd and /etc/shadow files on Linux systems
Extract the SAM file on Windows machines
Identify the target person's personal profile
Build a dictionary of word lists
Attempt to guess passwords
Brute force passwords
Use automated password crackers to break password-protected files
Page 9: Step 1: Extract /etc/passwd and /etc/shadow Files in Linux Systems
The password file for Linux is located in /etc and is a text file called passwd. By default and by design, this file is world readable by anyone on the system.
On a Unix system using NIS/yp or password shadowing, the password data may be located elsewhere. This "shadow" file is usually where the password hashes themselves are located.
Example /etc/passwd contents:
root:!:0:0:root:/root:/bin/tcsh
bin:!:1:1:bin:/bin:
daemon:!:2:2:daemon:/sbin:
adm:!:3:4:adm:/var/adm:
lp:!:4:7:lp:/var/spool/lpd:
sync:!:5:0:sync:/sbin:/bin/sync
shutdown:!:6:0:shutdown:/sbin:/sbin/shutdown
halt:!:7:0:halt:/sbin:/sbin/halt
operator:!:0:0:operator:/root:/bin/tcsh
games:!:12:100:games:/usr/games:
man:!:13:15:man:/usr/man:
postmaster:!:14:12:postmaster:/var/spool/mail:/bin/tcsh
httpd:!:15:30:httpd:/usr/sbin:/usr/sbin/httpd:
nobody:!:65535:100:nobody:/dev/null:
ftp:!:404:100::/home/ftp:/bin/nologin
nomad:!:501:100:Simple Nomad, 525-5252:/home/nomad:/bin/bash
webadmin:!:502:100:Web Admin Group ID:/home/webadmin:/bin/bash
thegnome:!:503:100:Simple Nomad's Old Account:/home/thegnome:/bin/tcsh
dorkus:!:504:100:Alternate account for Fred:/home/dorkus:/bin/tcsh
Page 10: Linux Password Example
nomad:HrLNrZ3VS3TF2:501:100:Simple Nomad:/home/nomad:/bin/bash
This is what the fields actually are:
• Account or user name, what you type in at the login prompt
Page 11: Linux Shadow File Example
nomad:$1$fnffc$GteyHdicpGOfffXX40w#5:13064:0:99999:7
This is what the fields actually are:
• Account or user name, what you type in at the login prompt
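The passwd and shadow records on the last three pages are easiest to understand with a small parser that names every field and then audits how each account's password is stored. The code below is an added example, not EC-Council's own code: it parses the two formats, classifies the password field (a real hash and its scheme, a placeholder such as x or !, or an empty field), and reports the storage weaknesses an administrator would want to fix, such as a hash left in the world-readable passwd file, an empty password field, a legacy DES or MD5 hash, or a second account with UID 0. The sample records are constructed from the slide excerpts; the shadow line is padded to the full nine fields and a guest account with an empty password field is added to exercise that check.

```python
"""Parse /etc/passwd and /etc/shadow records and audit how passwords are stored.

Added example, not EC-Council's code. Sample records are constructed from the
slide excerpts; see the note on each sample below.
"""
from typing import Dict, List

PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")
SHADOW_FIELDS = ("name", "hash", "lastchg", "min", "max", "warn",
                 "inactive", "expire", "flag")

# Modular-crypt prefixes and the hashing scheme each one denotes.
HASH_PREFIXES = {
    "$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt",
}
DES_ALPHABET = set("./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")
LEGACY_SCHEMES = {"descrypt", "md5crypt"}   # fast hashes, cheap to attack today

# Constructed samples: first three lines follow the slide, 'guest' is added.
SAMPLE_PASSWD = [
    "root:!:0:0:root:/root:/bin/tcsh",
    "operator:!:0:0:operator:/root:/bin/tcsh",
    "nomad:HrLNrZ3VS3TF2:501:100:Simple Nomad:/home/nomad:/bin/bash",
    "webadmin:!:502:100:Web Admin Group ID:/home/webadmin:/bin/bash",
    "guest::600:100:Guest (constructed)::/bin/sh",
]
SAMPLE_SHADOW = [
    "nomad:$1$fnffc$GteyHdicpGOfffXX40w#5:13064:0:99999:7:::",   # slide line, padded
    "webadmin:$6$saltsalt$notarealhash:13064:0:99999:7:::",      # constructed
    "guest::13064:0:99999:7:::",                                 # constructed
]


def parse_passwd_line(line: str) -> Dict[str, object]:
    """Split one passwd record into its seven colon-separated fields."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(PASSWD_FIELDS):
        raise ValueError(f"expected 7 fields, got {len(parts)}: {line!r}")
    rec: Dict[str, object] = dict(zip(PASSWD_FIELDS, parts))
    rec["uid"] = int(parts[2])
    rec["gid"] = int(parts[3])
    return rec


def parse_shadow_line(line: str) -> Dict[str, str]:
    """Split one shadow record; trailing empty fields may be omitted."""
    parts = line.rstrip("\n").split(":")
    if not 2 <= len(parts) <= len(SHADOW_FIELDS):
        raise ValueError(f"bad shadow record: {line!r}")
    parts += [""] * (len(SHADOW_FIELDS) - len(parts))
    return dict(zip(SHADOW_FIELDS, parts))


def classify_hash(field: str) -> str:
    """Name what a password field holds: a hash scheme, a placeholder, or nothing."""
    core = field.lstrip("!")            # a leading '!' marks a locked account
    if core == "":
        return "empty" if field == "" else "placeholder"
    if core in ("x", "*", "*LK*", "*NP*"):
        # Hash lives elsewhere (shadow, /etc/security/passwd) or login is disabled.
        return "placeholder"
    for prefix, scheme in HASH_PREFIXES.items():
        if core.startswith(prefix):
            return scheme
    if len(core) == 13 and all(c in DES_ALPHABET for c in core):
        return "descrypt"               # traditional 13-character DES crypt
    return "unknown"


def audit(passwd_lines: List[str], shadow_lines: List[str]) -> List[str]:
    """Report storage weaknesses an administrator would want to fix."""
    findings: List[str] = []
    shadow = {r["name"]: r for r in map(parse_shadow_line, shadow_lines)}
    uid0: List[str] = []
    for rec in map(parse_passwd_line, passwd_lines):
        name, scheme = rec["name"], classify_hash(rec["passwd"])
        if rec["uid"] == 0:
            uid0.append(name)
        if scheme == "empty":
            findings.append(f"{name}: empty password field in passwd, login needs no password")
        elif scheme != "placeholder":
            findings.append(f"{name}: {scheme} hash stored in world-readable passwd file")
        srec = shadow.get(name)
        if srec is None:
            continue
        sscheme = classify_hash(srec["hash"])
        if sscheme == "empty":
            findings.append(f"{name}: empty hash in shadow, login needs no password")
        elif sscheme in LEGACY_SCHEMES:
            findings.append(f"{name}: legacy {sscheme} hash in shadow, re-hash with sha512crypt or yescrypt")
        elif sscheme == "unknown":
            findings.append(f"{name}: unrecognised hash format {srec['hash'][:8]!r}")
    if len(uid0) > 1:
        findings.append("uid 0 shared by: " + ", ".join(uid0))
    return findings


def sample_findings() -> List[str]:
    """Run the audit over the constructed samples."""
    return audit(SAMPLE_PASSWD, SAMPLE_SHADOW)


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```

Running it against real files only needs root to read /etc/shadow; the audit itself is read-only. The field names come from passwd(5) and shadow(5); the classifier treats any field that starts with ! as locked and classifies whatever follows, so a locked account that still carries an old DES hash is reported rather than ignored.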
Page 12: Check Other Linux & UNIX Variants
Passwords can also be stored in these files:
• /etc/security/passwd (accessible by root only)
• /.secure/etc/passwd (accessible by root only)
Page 13: Step 2: Extract SAM File
Page 14: Extract Backup of SAM/Emergency Repair Disk
Windows also stores passwords in either a backup of the SAM file in the
Page 15: Check Registry
Windows applications store passwords in the Registry or as plaintext files on the hard drive.
Page 16: Check Microsoft's Server Message Block (SMB) Protocol
Check for vulnerabilities in the SMB protocol, which is used for file and print
Page 17: Check the Active Directory Database
Check for passwords in the Active Directory database file that are stored locally or spread across domain controllers.
Page 18: Step 3: Identify the Target Person's Personal Profile
If you are trying to guess Rebecca's password on her desktop, then compile a list of items she likes.
Example:
• Favorite car
• Birthday, anniversary day, and other special occasions
• Movies, music, sports, drama, and arts
• Education, cartoon characters, novelists
• Parents, relatives, kids' names
• Country, city, holiday resorts, etc.
• Project working on
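The three attack types on page 7 and the profile items on this page translate directly into a password-acceptance check, the kind a registration form or a password-change hook runs so that a password built from such items is rejected before it is ever set. The code below is an added example, not EC-Council's code: it builds the word list a dictionary attack would use from a constructed profile for "Rebecca" plus a few common words, undoes the mangling a hybrid attack applies (case changes, leet substitutions, digits or symbols prepended or appended), checks whether what remains is a dictionary word, a concatenation of dictionary words, the reverse of one, or contains one, and estimates the keyspace a brute-force search would have to cover from the length and character classes used. The profile items, the common-word list and the 50-bit threshold are assumptions chosen for the example.

```python
"""Password-acceptance check built from the attack types on the earlier slide.

Added example, not EC-Council's code. It rejects a candidate that a dictionary
attack (profile items and common words), a hybrid attack (the same words with
case changes, leet substitutions and appended digits or symbols) or a cheap
brute-force search would recover. The profile for 'Rebecca' is constructed.
"""
import math
import re
import string
from typing import Iterable, List, Set

# Constructed profile items of the kind listed on the slide, plus common words.
PROFILE_ITEMS = ["Rebecca", "Honda Civic", "14 March 1984", "Star Wars",
                 "Tom Hanks", "Project Phoenix", "Max the dog"]
COMMON_WORDS = ["password", "welcome", "letmein", "qwerty"]

# Leet substitutions a hybrid rule applies; we reverse them before lookup.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
CHAR_CLASSES = ((string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
                (string.digits, 10), (string.punctuation, 33))


def build_wordlist(profile_items: Iterable[str], common: Iterable[str]) -> Set[str]:
    """Tokens a dictionary attack would try: every word or number from the profile."""
    words: Set[str] = set()
    for item in list(profile_items) + list(common):
        for tok in re.split(r"[^a-z0-9]+", item.lower()):
            if len(tok) >= 3:
                words.add(tok)
    return words


def hybrid_base(candidate: str) -> str:
    """Undo hybrid mangling: case, leading/trailing digits or symbols, then leet."""
    s = candidate.lower().strip(string.digits + string.punctuation)
    return s.translate(LEET)


def splits_into_words(s: str, words: Set[str], min_len: int = 3) -> bool:
    """True if s is a concatenation of dictionary words (e.g. 'maxthedog')."""
    ok = [False] * (len(s) + 1)
    ok[0] = True
    for i in range(1, len(s) + 1):
        for j in range(max(0, i - 20), i - min_len + 1):
            if ok[j] and s[j:i] in words:
                ok[i] = True
                break
    return ok[len(s)]


def brute_force_bits(candidate: str) -> float:
    """Keyspace an exhaustive search must cover, from length and character classes used."""
    size = sum(n for chars, n in CHAR_CLASSES if any(c in chars for c in candidate))
    return len(candidate) * math.log2(size) if size else 0.0


def check_password(candidate: str, words: Set[str], min_bits: float = 50.0) -> List[str]:
    """Return the reasons a candidate is weak; an empty list means it is acceptable."""
    reasons: List[str] = []
    base = hybrid_base(candidate)
    if base and splits_into_words(base, words):
        reasons.append(f"dictionary/hybrid: reduces to dictionary word(s) {base!r}")
    elif base and splits_into_words(base[::-1], words):
        reasons.append(f"dictionary/hybrid: reversed form {base[::-1]!r} is in the dictionary")
    else:
        hit = next((w for w in words if len(w) >= 5 and w in base), None)
        if hit:
            reasons.append(f"dictionary/hybrid: contains the word {hit!r}")
    bits = brute_force_bits(candidate)
    if bits < min_bits:
        reasons.append(f"brute force: only {bits:.0f} bits of keyspace (minimum {min_bits:.0f})")
    return reasons


WORDLIST = build_wordlist(PROFILE_ITEMS, COMMON_WORDS)

if __name__ == "__main__":
    for pw in ["Rebecca1984", "P@ssw0rd!", "xineohp2024", "maxthedog99",
               "abc123", "correct horse battery staple"]:
        print(f"{pw!r}: {check_password(pw, WORDLIST) or 'acceptable'}")
```

Two design points: the mangling is undone in the order strip, then leet, because a trailing year like 1984 would otherwise be mis-read as letters; and the concatenation check is a small dynamic-programming segmentation, so "maxthedog99" is caught even though no single profile token equals it. On a real system the profile list would be replaced by the user's own account attributes and a proper common-password list.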
Page 19: Step 4: Build a Dictionary of Word Lists
Page 20: Step 5: Attempt to Guess Passwords
Obtaining a legitimate user ID is not an easy task.
Creation of a user ID involves a variation of the employee's first name and last name.
An email address posted on the organization's website depicts a sample user ID format.
Acquiring a copy of the organization's internal telephone directory helps in discovering and constructing a valid user ID.
Many system software products are initially configured with default user IDs and passwords.
Such user IDs and passwords are designed to enable vendors to perform remote transactions.
Page 21: Step 6: Brute Force Passwords
Run a dictionary attack and a brute-force attack to crack passwords.
Page 23: Step 7: Use Automated Password Crackers to Break Password-Protected Files
Automated password cracking
Legion and NetBIOS Auditing Tool (NAT)
www.hackersclub.com
etech.com
John the Ripper, SAMDump, PWDump, PWDump2, PWDump3
Page 24: Extract Cleartext Passwords from the Dictionary
Logon passwords are stored:
• (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon)
Page 25: Extract Cleartext Passwords from an Encrypted LM Hash
Use the Cain and Abel tool to extract a cleartext password from an encrypted LM hash.
Page 26: Sniff Cleartext Passwords from
Page 27: Replay Attack to Crack Password
A replay attack intercepts the data packets and resends them to the receiving server without decryption.
Intercept the communication using a network analyzer or sniffer such as Ethereal, tcpdump, or WinDump.
Page 28: Tool: SAMInside 2.5.8.0 (pwdump)
Extracts Windows NT/2000/XP/2003 users' names and passwords in national symbol encoding.
Page 29: SAMInside 2.5.8.0 (pwdump): Screenshot
Page 30: Tool: Dictionary Maker
Dictionary Maker is a tool to compose dictionaries (word lists) for password recovery using multiple source text files.
Page 31: Tool: Password List Recovery 2.6
Password List Recovery shows all the passwords in the current Windows user's Password List (PWL) file.
They are kept in the Windows directory and have a PWL extension.
Page 32: Password List Recovery 2.6: Screenshot
Page 33
Passwords protect computer resources and files from unauthorized access by malicious users.
A combination of passwords and user IDs is used by companies to protect their resources against intrusion by hackers and thieves.
The password file for Linux is located in /etc and is a text file called passwd.
By default and by design, the passwd file is world readable by anyone on the system, and so might be unsuccessful in raising the protection level against any of the users of that system.
SAMDUMP is a tool that simplifies migration synchronization.
A word list needs to be built up using the previous slides in order to break through the password of the victim.
Page 35: Copyright © by EC-Council