
trying to break into an account, an administrator will discover it because he will have to unlock the account. With the other method, because the account resets after a certain amount of time, the administrator might never know the account was locked. Knowing that an account has been locked is a good indicator of an attack that failed. If you wait until the attacker is successful, the chances of detecting him are extremely low.

One problem with permanent lockout is that it can be used to cause a Denial of Service attack against a company. For example, if an attacker wants to lock all of your users out of the system, he can try to log on to each account, trying five passwords. If they are right, he gains access; if they are wrong, all users are locked out of the system. In this type of attack, the attacker wins by either gaining access or disrupting service. I know some companies that have caused Denial of Service attacks against themselves (see the following sidebar).

Fortunately, with most operating systems, you can never permanently lock out the administrator account. Even with a high number of failed logon attempts, the administrator can still log on locally to the computer. This might seem like a security risk, but it is important that someone can always get back into the machine.

Hackers Beware “ New Riders Publishing


Beware of Vulnerability Scanners

One of my clients attempted to identify security holes by using a vulnerability scanner. A vulnerability scanner is a program that you run against a system, and it gives you a listing of all the vulnerabilities that need to be fixed. Vulnerability scanners often look deceivingly simple to run but have hidden complexities.

This particular client found a product that looked simple to use, purchased a copy, and ran it late on a Friday afternoon. Everything seemed to work fine, so everyone went home for the weekend. Monday morning, a large number of users were complaining that they could not log on to the system. Believing they were either under attack or had been attacked over the weekend, the client gave me a call.

After investigating, we noticed that the setting on their accounts was to permanently lock all accounts after five failed logon attempts in four hours and that all of the accounts were locked. At first, I thought someone launched a Denial of Service attack against them. I was partially right—they launched a Denial of Service attack against themselves. Looking at the logs, we realized that all accounts were locked at the same time and that this time correlated very closely with when they ran the vulnerability scanner.

The vulnerability scanner they used had an option to brute force attack passwords. This is where the scanner goes in and tries to guess the password for each account. For this particular vulnerability scanner, there were six different passwords it tried for every account. As you can imagine, this program systematically went in and locked every single account. So, if you decide to use account lockout, be very careful.

The second way to perform password cracking is automated, where you obtain a copy of the encrypted passwords and try to crack them offline. This requires a little more effort because you have to acquire a copy of the encrypted passwords, which usually means that you need to have access to the system.

After you have the password file, this method is extremely quick and hard to detect, because it is an offline attack. The quickness comes from using a program that goes through a list of words to see if there is a match, which allows you to crack multiple passwords simultaneously. For example, you take a list of words and, for each word, you compute the hash of the password and run through each account to see if there is a match. You continue this for each word in the list, until every password is cracked. If ten people have the same password, you have cracked all ten passwords at the same time, unless a salt is being used.

For these reasons, most people use automated methods. Also, to check the strength of passwords on your own system, using an automated method is more effective from a time and resource standpoint. The following is the general algorithm used for automated password cracking:

1. Find valid user IDs.

2. Find the encryption algorithm used.

3. Obtain encrypted passwords.

4. Create a list of possible passwords.

5. Encrypt each word.

6. See if there is a match for each user ID.

7. Repeat steps 1 through 6.

Looking at this, you might think that step 2, finding the encryption algorithm, would be difficult, but it is based on the philosophy of encryption algorithms. The security of an encryption algorithm is based on the key that is used and not on the secrecy of the algorithm. Because there is no way to prove whether an encryption algorithm is secure, the closest you can get to proving it is secure is to give it to a bunch of smart people; if they cannot break it, you assume it is secure. Therefore, for almost all operating systems, the encryption algorithm that is used is available and can be obtained easily.
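Steps 4 through 6 of the algorithm, worked as an added example that is not from the book: a small offline audit hashes each wordlist entry, compares it against every account, and counts hash computations, so the effect of a salt is visible (one hash per word covers every account without a salt; one hash per word per account with one). SHA-256, the wordlist and the account data are assumptions for illustration, not any operating system's real scheme.

```python
import hashlib

# Constructed sample data (not from the book): five accounts, two of which
# share the password "golf".  SHA-256 stands in for whatever scheme the
# operating system really uses; that is an assumption for illustration.
WORDLIST = ["secret", "golf", "letmein", "winter", "dragon"]
PLAINTEXTS = {"alice": "golf", "bob": "golf", "carol": "Tr0ub4dor&3",
              "dave": "dragon", "erin": "winter2"}

def hash_pw(password, salt=""):
    """Hash one candidate; an empty salt models an unsalted password store."""
    return hashlib.sha256((salt + password).encode()).hexdigest()

def build_store(plaintexts, salted):
    """Turn the constructed plaintexts into a store of {user: (salt, hash)}."""
    store = {}
    for i, (user, pw) in enumerate(plaintexts.items()):
        salt = f"s{i:02d}" if salted else ""   # a per-account salt, if used
        store[user] = (salt, hash_pw(pw, salt))
    return store

def audit(store, wordlist):
    """Steps 4 to 6 of the algorithm: hash each word and compare it against
    every user ID.  Returns ({cracked user: word}, hash computations)."""
    cracked, hashes_computed = {}, 0
    unsalted = all(salt == "" for salt, _ in store.values())
    for word in wordlist:
        if unsalted:
            # One hash per word is compared against every account at once,
            # so users sharing a password fall together.
            h = hash_pw(word)
            hashes_computed += 1
            for user, (_, stored) in store.items():
                if stored == h:
                    cracked[user] = word
        else:
            # With a salt the word must be re-hashed once per account.
            for user, (salt, stored) in store.items():
                hashes_computed += 1
                if hash_pw(word, salt) == stored:
                    cracked[user] = word
    return cracked, hashes_computed

if __name__ == "__main__":
    for salted in (False, True):
        found, work = audit(build_store(PLAINTEXTS, salted), WORDLIST)
        print(f"salted={salted}: cracked {sorted(found)} with {work} hashes")
```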

Why Is Password Cracking Important?

From a security standpoint, password cracking can help you build and maintain a more secure system. The following are some of the reasons why password cracking is useful:

To audit the strength of passwords

To recover forgotten/unknown passwords

To migrate users

To use as a checks and balance system

The most important benefit of password cracking is to audit the strength of passwords. An administrator can create password policies and put mechanisms in place to force users to have strong passwords, but I have found they are never 100 percent, and people can always find ways around them.

For example, I know of a company that required users to have eight-character passwords, not reuse the last five passwords, and change passwords every 60 days. The administrator overheard people saying that they had the same password for the last six months. After further investigation, they realized that users were changing their passwords to new passwords, immediately changing the passwords five times to overcome the restriction, and finally changing them back to the old passwords. In other words, users figured out how to bypass the security restrictions. The administrator fixed this by having a minimum password age of ten days. Because users will actively try to have weak passwords, the only true way to know the strength of a password is to see how long it takes to crack it.

Password cracking also lets you track your difficult users over time. If, over the last six months, the same users are always having their password cracked in less than five minutes, you might want to spend some time educating those users. One major drawback to cracking passwords for auditing is that there is a file on your system that contains the plaintext password of every user. Also, there is at least one person (the security administrator) who knows everyone’s password. Based on this, there are some people who shy away from password cracking.

In my opinion, you have to weigh the strengths and weaknesses. The weakness is that knowing everyone’s password could lead to compromise. In my opinion, because the security administrator usually knows and has root/domain administrator access to most systems, knowing the passwords is not a threat. If you cannot trust your security administrator, who can you trust (some pun intended)?

Auditing the Strength of Passwords

There are ways you can use password cracking programs to audit the strength of passwords without knowing users’ passwords. It takes a little creativity, but it works. Let’s assume that your password policy states that all passwords must contain letters, numbers, and special characters. If you run the password cracker with the following options, which will set the cracker to “brute force,” or guess and keep guessing, passwords until it finds all the ones that meet the following criteria, you can determine if users are following your policy, without cracking their passwords:

Brute force passwords that contain only letters.

Brute force passwords that contain only numbers.

Brute force passwords that contain only special characters.

Brute force passwords that contain only letters and numbers.

Brute force passwords that contain only letters and special characters.

Brute force passwords that contain only special characters and numbers.



For more information about using brute force on passwords, see the “Brute Force Attack” section later in this chapter. Using this technique, if a password is cracked, it means the password did not follow the policy and would have to be changed. If a user did follow the policy, her password would not be cracked, and there is less of a security risk.
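The six restricted runs above, worked as an added example that is not from the book: each run brute forces only one character class (or one pair of classes) and reports which users matched, discarding the matching plaintext so the auditor learns that a policy was violated without learning the password. SHA-256 as the hash, lowercase letters only, a three-character cap and the sample accounts are assumptions made to keep the demo small.

```python
import hashlib
from itertools import product
from string import ascii_lowercase, digits, punctuation

# Assumptions for illustration (not from the book): SHA-256 models the
# system's password hash, only lowercase letters are tried, and the demo
# caps candidate length at 3 so it runs in about a second.
MAX_LEN = 3
# Single classes first, then the pairs, matching the six runs listed above.
CLASSES = {
    "letters only": ascii_lowercase,
    "numbers only": digits,
    "special only": punctuation,
    "letters and numbers": ascii_lowercase + digits,
    "letters and special": ascii_lowercase + punctuation,
    "special and numbers": punctuation + digits,
}

def hash_pw(password):
    return hashlib.sha256(password.encode()).hexdigest()

def class_brute_force(stored_hashes, alphabet, max_len):
    """Brute force every password built from one character class.
    Returns the users whose hash matched; the matching plaintext is
    dropped on the spot so the auditor never learns it."""
    by_hash = {}
    for user, h in stored_hashes.items():
        by_hash.setdefault(h, []).append(user)
    violators = set()
    for n in range(1, max_len + 1):
        for combo in product(alphabet, repeat=n):
            users = by_hash.get(hash_pw("".join(combo)))
            if users:
                violators.update(users)
    return violators

def policy_audit(stored_hashes, max_len=MAX_LEN):
    """Map each non-compliant user to the first class that matched.
    A user absent from the result used more classes than any run tried,
    so their password stays unknown and is treated as compliant."""
    report = {}
    for name, alphabet in CLASSES.items():
        for user in class_brute_force(stored_hashes, alphabet, max_len):
            report.setdefault(user, name)
    return report

# Constructed store: the plaintexts exist only here to build demo hashes.
STORE = {"alice": hash_pw("abc"), "bob": hash_pw("123"),
         "carol": hash_pw("a1!"), "dave": hash_pw("!!!")}

if __name__ == "__main__":
    for user, reason in policy_audit(STORE).items():
        print(f"{user}: violates policy ({reason})")
```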

Another way around having an analyst know all the users’ passwords is to break up responsibilities so that only certain security personnel know certain information. Also, the cracked file should never reside on a server in plain text. It should always be reencrypted and stored in a safe place, possibly even on a floppy or Zip disk and locked away in a safe.

The benefit of password cracking is that you get a clear picture of the security of passwords and what needs to be fixed. In my opinion, the strengths outweigh the weaknesses, but it is a decision that you have to make for your company.

Recovering Forgotten/Unknown Passwords

I frequently receive calls where a client needs to know how to get into a machine because the administrator is either on vacation or left on bad terms. As you have seen in this chapter, because most passwords are weak, even the administrator password can be cracked in a relatively short period of time. By extracting the password hashes and cracking the passwords, you can gain access to a system.

To avoid these kinds of problems, it is important to have a master list of administrator passwords for systems, secured and locked away somewhere in case of an emergency. Again, even though some people view this as a risk or a security violation, if it is controlled properly, it can be well worth it, especially in a crisis.

Migrating Users

Being able to crack passwords so that you can seamlessly migrate users from one system to another is usually a very bad idea. I do not recommend it, but I include it for completeness because I’ve seen so many companies use password cracking for this purpose.

In some cases, companies switch operating systems or change their domain structure and have to migrate users from one system to another. One way to migrate users is to move accounts, give users a default password, and have them change it the next time they log on. Most administrators shy away from this for two reasons. First, because every user temporarily would have the same password, people could log on to each other’s account and cause problems. Second, whenever you have a large number of users change their passwords at the same time, the potential increases for users to make mistakes or not be able to successfully change their passwords.

For these reasons, when administrators move user accounts, they would like a way to keep everyone’s password the same. One way to do this is to crack everyone’s password, create new accounts on the system, and type in everyone’s new password.

In this situation, I believe the weaknesses outweigh the strengths, which is why I don’t recommend it. There is one level of risk to cracking passwords to audit their strength. There is a whole other risk to cracking passwords, creating lists, and using them to create new accounts. In my experience, whenever I have seen a company try to accomplish this, it always backfires and causes problems.

All Mistakes Are Big Mistakes

Company X was migrating from multiple NT domains to a single NT domain and needed to migrate more than 1,200 user accounts. The help desk had grave concerns about all of these users logging on with default passwords and then changing their passwords on the same morning. So, the company cracked everyone’s password and created a list that contained everyone’s user ID and their password and gave it to 12 people. Each person had to change 100 passwords. One of the people that was changing the passwords thought it would be very helpful and kept a copy for his records. Shortly after the migration, this person was let go and no one thought anything of it.

Three months later, I was hired by the company to perform a security assessment, because they were having a lot of issues. As part of my assessment, I searched on various hacker newsgroups to see if there was any information on this company. After some searching, I found a copy of the password list. Evidently, the person who made a copy of the passwords posted it to various newsgroups and now everyone had a copy of the password file. More than 85 percent of the passwords were still valid.

In this example, the company could have been more careful, but the bottom line is that mistakes get made, and in this game, mistakes are very costly.

Checks and Balances

From a checks and balances standpoint, you can run a password cracker to check the strengths of passwords without ever cracking the passwords.



For example, in most companies, there are separate administrators who are responsible for certain machines. In these cases, you might not want the security administrator to know the password for every machine because the risk factor is too high. The security administrator can still audit the strength of the passwords without knowing what they are. This is similar to the example that was given in the “Auditing the Strength of Passwords” section earlier.

Types of Password Attacks

If an attacker can guess or determine a user’s password, he can gain access to a machine or network and have full access to any resources that user has access to. This can be extremely detrimental if the user has special access such as domain administrator or root privileges.

One of the most common ways of obtaining a password is by cracking it. This involves getting the encrypted version of the password and, based on the system that it was extracted from, determining the encryption that was used. Then, by using one of the methods listed below, an attacker can take a plain text password, encrypt it, and see if there is a match. The following are the three main types of password cracking attacks:

Dictionary attacks

Brute force attacks

Hybrid attacks

Dictionary Attack

Because most people use common dictionary words as passwords, launching a dictionary attack is usually a good start. A dictionary attack takes a file that contains most of the words that would be contained in a dictionary and uses those words to guess a user’s password. Why bother going through every combination of letters if you can guess 70 percent of the passwords on a system by just using a dictionary of 10,000 words? On most systems, a dictionary attack can be completed in a short period of time compared to trying every possible letter combination.

Another nice thing about using a dictionary attack to test the security of your system is that you can customize it for your company or users. If there is a word that a lot of people use in your line of work, you can add it to the dictionary. If there are a lot of sports fans that work at your company, you can append a sports dictionary to your core dictionary. There are a large number of precompiled dictionaries available on the Internet, including foreign language dictionaries and dictionaries for certain types of companies.



In most cases, when I perform a security assessment, I can crack most of the passwords using a straight dictionary attack. I usually like to walk around the office space and look in people’s offices to get a better idea of their interests and hobbies. Based on what I find, I update the dictionary.

For example, in one company, I was performing an assessment where I was authorized to crack passwords. I noticed that a lot of people liked one of the local sports teams and were big fans of the upcoming Olympics. I did a little research and added terms relating to the local team, its mascot, and the names of the all-stars. I did the same thing for the Olympics. Over 75 percent of the passwords were cracked with a dictionary attack. What makes this so interesting is that 35 percent of the passwords that were cracked were derived from the new terms that I added.

By carefully understanding an environment, your chances of successfully cracking a password increase. From a security standpoint, it is so important to urge users not to pick passwords that can be easily derived from their surroundings.

Brute Force Attack

A lot of people think that if you pick a long enough password or if you use a strong enough encryption scheme, you can have a password that is unbreakable. The truth is that all passwords are breakable; it is just a matter of how long it takes to break or crack it. For example, it might take 200 years to crack a high-grade encryption, but the bottom line is that it is breakable, and the time to break it decreases every day as computer speeds increase. A password ten years ago that would take 100 years to crack can be cracked in under a week today. If you have a fast enough computer that can try every possible combination of letters, numbers, and special characters, you will eventually crack a password. This type of password cracking is known as a brute force attack.

With a brute force attack, you start with the letter a and try aa, ab, ac, and so on; then you try aaa, aab, aac, and so on. I think you get the point.

It’s important to note that with brute force attacks, some administrators unknowingly do some things that make it easier to crack a password. One of these things is minimal length passwords. If an attacker knows that the minimum length for a password is six characters, the brute force attacks can start with aaaaaa and go from there. Why try all possible one-, two-, three-, four-, and five-character passwords when an attacker knows that they are not allowed on the system?



On the other hand, an administrator has to determine which is the greater risk—having a minimum length password and possibly making the attacker’s job a little easier, or having no minimum length but allowing users to pick any length password they want. In this case, if users pick four-character passwords, this presents a greater risk to the system. I have found that it is better to have passwords be a minimum length, because otherwise users will pick short passwords and you will be even worse off.

With a brute force attack, it is basically a battle between the speed of the CPU and the time it takes to crack a password. Current desktop computers that are on most desks rival the high-end servers that most companies had ten years ago. This means that as memory becomes cheaper and processors become faster, things that used to take a long time to accomplish can be done in a very short period of time.

Another important thing to point out is distributed attacks. If an attacker wants to crack passwords in a short period of time, he does not necessarily have to buy a large number of expensive computers. He could break into several other sites that have large computers and use those to crack your company’s passwords.

Taking all of these possibilities into consideration, in the next couple of years, companies that want strong security will have to rely on operating system vendors to put better encryption and password protection into their systems, use one-time passwords for authentication, or use other forms of authentication like biometrics.

Here is a general rule of thumb I like to follow: The password change interval should be less than the time it would take to brute force a password. This way, even if someone can brute force a password, by the time he accomplishes the attack, the password has been changed. For example, if I can brute force your password in 60 days, your password change policy should be 45 days. Unfortunately, not only do most companies not follow this rule, they take it to the other extreme. Most companies I have seen can have their passwords cracked in less than five days, yet their password change interval is more than nine months. In these cases, even if it takes an attacker three months to crack the password, he has six months of access. With the current state of passwords and security, having a change interval less than 90 days is unacceptable.
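The rule of thumb above, together with the minimum-length point from the brute force discussion, worked as an added example that is not from the book: the keyspace an attacker must search when the minimum length is known (shorter lengths are skipped), the time that takes at an assumed guess rate, and the change interval the rule then allows. The charset size, lengths and guess rate used in the demo are assumed figures for illustration only.

```python
SECONDS_PER_DAY = 86400

def keyspace(charset_size, min_len, max_len):
    """Candidates an attacker must try.  When the minimum length is known,
    every shorter length is skipped, exactly as the text describes."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))

def brute_force_days(charset_size, min_len, max_len, guesses_per_second):
    """Days to exhaust the keyspace at an assumed guess rate."""
    seconds = keyspace(charset_size, min_len, max_len) / guesses_per_second
    return seconds / SECONDS_PER_DAY

def max_change_interval_days(brute_days, margin=0.75):
    """Rule of thumb: the change interval must be below the brute-force
    time.  The book's 60-day crack / 45-day policy example is a 0.75 margin."""
    return brute_days * margin

def policy_is_acceptable(change_interval_days, brute_days):
    """True when the password is rotated before it can be brute forced."""
    return change_interval_days < brute_days

def exposure_days(crack_days, change_interval_days):
    """How long a cracked password stays valid before the policy rotates it
    (the book's three months to crack, nine-month interval, six months of use)."""
    return max(0, change_interval_days - crack_days)

if __name__ == "__main__":
    # Assumed figures for illustration: lowercase letters, six to eight
    # characters, one million guesses per second (not from the book).
    known_min = brute_force_days(26, 6, 8, 1e6)
    no_min = brute_force_days(26, 1, 8, 1e6)
    print(f"min length known: {known_min:.2f} days; unknown: {no_min:.2f} days")
    print(f"change interval should be under "
          f"{max_change_interval_days(known_min):.2f} days")
    print(f"5-day crack, 270-day interval: {exposure_days(5, 270)} days of access")
```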

It is important to note that there are pros and cons to any decision. Initially, if you alter the password change interval for your company from 12 months to 60 days, you are going to have potential issues, ranging from disgruntled employees to the help desk getting overloaded with requests to people writing down their passwords. In these cases, you might be better off slowly decreasing your password policy. Go from 12 months to 11 months, then 10 months, and slowly wean users into the new policy.

Also, make sure you inform users of what is occurring. The biggest drawback you have to decreasing the password change interval is that, because their passwords change so often, users will feel that the only way they can remember their passwords is to write them down. This is where training and user awareness come in.

Hybrid Attack

Dictionary attacks find only dictionary words but are quick, and brute force attacks find any password but take a long time. Unfortunately, as most administrators crack down on passwords and require users to have letters and numbers, what do most people do? They just add a couple of digits to the end of a password—for example, my password goes from ericgolf to ericgolf55. By doing this, you get a false sense of security because an attacker would have to do a brute force attack, which would take a while, yet the password is weak. In these cases, there is an attack that takes dictionary words but concatenates a couple of letters or numbers to the end—the hybrid attack. The hybrid attack takes your dictionary word and adds a couple of characters to the end. Basically, it sits between the dictionary and the brute force attack.

Table 8.2 shows the relationship between the different types of attacks.

Table 8.2. Comparison of the Types of Password Attacks

                              Dictionary attack          Brute Force attack      Hybrid attack

Speed of the attack           Quick                      Takes a long time       Between the two

Amount of passwords cracked   Finds only dictionary      Finds every password    Finds only passwords that have
                              words                                              a dictionary word as the base.

Other Types of Password Attacks

The focus of this chapter has been on password cracking, because that is the main security threat posed to most companies. The key to remember is that an attacker will take the path of least resistance to acquire the information that he is after.

For example, if I want to secure my house, one way to accomplish this is to heavily secure the front of my house. I put bars on the front windows and have a big steel door with a guard dog chained to the lamppost. From most perspectives, this is fairly secure. Unfortunately, if you walk around to the back of the house, the back door is wide open and anybody can walk in.
