
This might seem bizarre, yet this is how most companies have their security set up. They concentrate all of their efforts in one area and forget about everything else. This is true for password security. Even though the main threat is password cracking, if your passwords are very secure and cannot be cracked, someone can still compromise your passwords. Following are some of the other methods for compromising your passwords:

Social engineering

Shoulder surfing

Dumpster diving

Social Engineering

In most companies, if you trust someone, you give them access to privileged information. In the digital world we live in, you give someone a user ID and password so that someone can access sensitive information. In most cases, this means employees and trusted contractors get access and no one else.

But what if an attacker convinces someone at your company that he is a trusted entity? He can then obtain an account on your system. It’s the essence of social engineering—deceiving people to give you information you should not have access to because they think you are someone else. If you, as a help desk administrator, think I am an employee of the company and all employees need accounts on the system, you would give me an account. This technique seems very simple and easy but is extremely effective.

Let’s look at an example. Let’s say an evil attacker performs a whois on your domain name and pulls off the technical point of contact. The technical point of contact is a required field for all registered domain names. It provides contact information for the person who should be notified if you have any technical questions with that domain. In this case, her name is Sally. The attacker then calls information and asks for the general number for your company. After the operator for the company picks up, he asks to be connected to the help desk, at which point he explains that he is a new contractor at the company working for Sally. The company is having some problems with the network and he has been brought on to help fix them. This is a high-priority problem and has visibility up to the CEO. He explains that Sally told him that this is not the normal procedure, but based on the circumstance and the urgency, you can help him out. He also offers to give Sally’s number for approval.

Hackers Beware, New Riders Publishing (page 350)

In most cases, if the attacker has a convincing voice, he is given a user ID and password and receives access to the system. It is that simple; if you do not believe me, get written authorization from your management and give it a try.

Shoulder Surfing

Another simple but effective way to obtain a password is to watch someone as he types his password—shoulder surfing. In an open environment with cubicles, it is fairly easy. You just walk up behind someone when he is typing his password and watch what keys he types. This is usually easier if people know who you are. Hopefully, if a total stranger walks up behind you, you would question what he was doing. However, if the person behind you isn’t a total stranger, you wouldn’t question his presence, which is where a little social engineering comes in handy.

I was performing an authorized security assessment and was trying to obtain some valid passwords, so I decided to give shoulder surfing a try. It was winter in New York (20 degrees Fahrenheit), so I parked my car near a back entrance. When I saw someone get out of her car, I followed her in wearing a long coat and carrying what appeared to be a very heavy box. I asked if she could hold the door open for me and she did, without asking if I had a badge. Mission #1 accomplished—getting access to the building. I then found one of the administrator’s cubes. Because I wanted domain administrator access, I pulled his name off a document he had on his desk and waited for him to come in. When he arrived I said, “Good morning, John. I was hoping you could help me. We are running a test and I sent you an email and wanted to see if you received it.” At this point, John said “Hold on one second and let me log on to the system.” Mission #2 accomplished—I looked over his shoulder and obtained administrator access on the system. In this case, the excuse was pretty lame, but if you know more about the environment and do a little research, you can come up with an explanation that anyone would believe! And so could an attacker.

Dumpster Diving

You would be amazed at the information people throw out. They discard emails, documents, proposals, and passwords without even tearing them in half, let alone shredding them. Most companies have dumpsters where all of the trash is thrown. Most cleaning crews clean the offices in the evening so if you swing by your favorite dumpster at 2 o’clock in the morning, you might find some very useful information.

To see a great example of the power of dumpster diving, just rent the movie Sneakers.


Summary

Deciding whether or not to run password crackers at your company can be a difficult decision. On one hand, security always states that you should never share your password with anyone else and no one should know what your password is. Password cracking breaks this rule, because whoever runs the password cracker knows what everyone’s password is. Therefore, I recommend the following strategies for using password crackers at your organization:

Always get permission from management.

Publish a password policy that not only states what the policy is, but that it will be enforced.

Run password crackers on a regular basis and uniformly enforce the policy.

Run password crackers so that they only crack passwords that do not adhere to the policy; passwords that adhere to the policy should not be cracked.

Make no exceptions to the policy; even if users complain, do not allow them to keep a weak password.

The list of cracked passwords should either be encrypted and safely stored or destroyed.

One of the key issues is enforcement. You need to take action with users who have weak passwords. Having a password policy with no authority to enforce it is of little use. Therefore, it is critical that you have senior management’s approval and full support. A typical enforcement policy is the following:

First offense: email warning.

Second offense: email warning with direct manager copied and a phone call.

Third offense: email warning with direct manager and corresponding VP copied.

If the preceding enforcement does not fix the problem, you do not have proper managerial support. In all these cases, the user should be forced to change his password the next time he logs on to the system.

As you can see, it is much easier to have a system that checks passwords when users change their password; if the new password does not adhere to the policy, the user must enter a new password. These programs will be covered in Chapters 9, “Microsoft NT Password Crackers,” and 10, “UNIX Password Crackers,” because they relate specifically to the operating system that is being used.


Remember, users are smarter than you think and will come up with creative ways to have weak passwords. Only by having management’s support and a strong password policy behind you can you take a stance and enforce strong passwords.

As you can see, passwords play a key role in the security of a company, yet in most cases, they are one of the most neglected aspects of a company’s security posture. Most of the time, because an attacker takes the path of least resistance into a company, he usually tries to compromise a password to gain access. Companies that are serious about security are going to have to increase their password security.

In the following chapters, we will look at password cracking programs for specific operating systems and show how effective they really are. We will also show what a company can do to minimize the chances of a successful password attack.

Chapter 9. Microsoft NT Password Crackers

As Chapter 8, “Password Security” illustrates, there are several ways to crack a password. The most important thing to remember is that all passwords can be cracked; it is just a matter of time. The length of time it takes to crack a password changes as computers get faster and cheaper. A password that took over 50 years to crack 10 years ago can be cracked now in less than a week. This is because current desktop computers rival the high-end servers of only 5 years ago.

Although all passwords can be cracked, this chapter demonstrates how Microsoft, in its implementation of passwords in Microsoft NT (referred to as NT), made cracking passwords even easier. Microsoft’s two major design flaws are covered in detail as well as what you can do to increase the strength of your passwords. Remember, the general motto is: The password policy should be set, so that the password change interval occurs in less time than it takes to perform a brute force attack on the password.

L0phtcrack (the character “0” is a zero) is a program I recommend for testing the strength of your passwords on an NT system. Several programs can be used to test the strength of passwords on NT, but L0phtcrack is the most versatile program with the most features, and it is also the easiest to use. In addition to L0phtcrack, this chapter covers several other programs and compares their different features. The bulk of this chapter is devoted to using these programs and learning how they can help improve and strengthen your password security.

A major theme of this book is to show companies how they can actually benefit from the hacker tools available on the Internet. First, the tools provide a quick and easy way to assess the security at your company, so you can see where your vulnerabilities are and address them. Second, if you acquire the tools and run them before an attacker does, you not only see what information an attacker can find out about your company, but you can fix the vulnerabilities, so the attacker acquires no useful information. If a company looks at the big picture, it will see that these tools can help them more than they can hurt them. As long as they are publicly available, companies should embrace these tools and run them on a regular basis.


Legal Issues

Always, under any circumstance, get permission before running these tools on your network. Unless you are the owner and CEO of the company, always check with someone above you and get written permission prior to running these tools. Even if you are the VP of security, check with the CTO, because what you think is reasonable and part of your job might be thought of very differently by senior executives. Also, never use these tools to try to embarrass senior management, because in every case that I have seen someone do this, it has always backfired.

In one such case, an individual was in charge of security, and he had no resources to accomplish his job, yet there were a large number of security vulnerabilities within the company. To make his point, without permission, he broke into the CEO’s mail account and sent an email to the entire company stating: “This is not the real CEO, but this shows you how vulnerable our company is, and next time this could be an attacker!” The next day, he was called into the CEO’s office, and he thought: “Finally, this opened their eyes and I am going to get the budget I have been requesting.” In the room were several people, including law enforcement agents, who proceeded to arrest the individual after the CEO fired him. It turned out that in the person’s employment agreement it stated that this type of activity was prohibited and the company’s policy said that not only was this activity not tolerated, but it would be prosecuted to the fullest extent of the law.

As this example points out, you could have the best of intentions and still get into a lot of trouble. I know that this information has been repeated throughout the book, but it is important enough to keep putting in reminders.

Where Are Passwords Stored in NT?

The password hashes for each account are stored in the security database in NT. This is sometimes referred to as the SAM or Security Account Manager. The location of this file is \Windows-directory\system32\config\SAM, where Windows-directory is the directory that Windows was installed in. This file is usually world readable; however, it is not accessible when the system is running because it is locked by the system kernel. During the installation of NT, a copy of the password database is copied into \Windows-directory\repair. This copy is not very useful because no other accounts have been set up yet; it only contains the default accounts. Remember, however, that the administrator is a default account. This is another reason to make sure your administrator account has a strong password. If the administrator updates the repair disk, this information is also updated.


How Does NT Encrypt Passwords?

When a user types a new plaintext password, Microsoft runs it through two hash algorithms, one for the regular NT hash and one for the LANMAN hash. To calculate the regular NT hash, Microsoft converts the password to Unicode and then runs it through an MD4 hash algorithm to obtain a 16-byte value.

To calculate the LAN Manager hash, Microsoft pads the password with 0’s until it has a length of 14 characters. It is then converted to uppercase and split into two 7-character pieces. An 8-byte odd-parity DES (Data Encryption Standard) key is derived from each half; each key is used to DES-encrypt a fixed constant, and the two 8-byte results are concatenated to get a 16-byte, one-way hash value.

All Passwords Can Be Cracked (NT Just Makes It Easier)

As previously mentioned, all passwords can be cracked from a brute force perspective; the question is: How long does it take? The goal with encryption is to make the time needed to perform a brute force attack on a password so long that it is unfeasible for someone to attempt to crack it. Encryption can also make the time it takes to perform a brute force attack so long that the value of the information expires before the attack is complete. The method Microsoft chose to implement passwords on NT enables a perpetrator to crack passwords at a faster rate than on other systems, for example, UNIX.

LAN Manager Hashes

NT has two major design flaws in its encryption that allow someone to crack passwords faster than in other operating systems. The first design flaw is in Microsoft’s LAN Manager hashing scheme. Because NT is designed to be backwards compatible with earlier versions of Windows, it uses the LAN Manager hashing scheme, which breaks a password down into two 7-character words and does not have case sensitivity. This significantly weakens the strength of a password. LAN Manager was the predecessor to NT and Windows and was one of the first network operating systems. LAN Manager came out in the late ’80s when machines were a lot slower and technology was just starting to be adopted. Therefore, for speed reasons, it was decided to break the passwords up into two pieces because it was easier to process. Also in the ’80s, 7-character passwords seemed highly secure and took a very long time to crack. Who would have thought that this technology would still be in use today when machines are so much quicker?

Now with LAN Manager passwords, instead of trying to crack a password that is 12 characters long, a hacker would just have to crack one 7-character password and one 5-character password, which is much easier than cracking one 12-character password. The reason for this is that the longer a password is, the more possible combinations of characters a brute force attack has to try, which increases the time needed to crack a password. In any case, the longest password a hacker will ever have to crack in NT is 7 characters long. Another problem with reducing the number of characters in a password is that most people use numbers or special characters at the end of a password, which means it is very likely that one of the two 7-character passwords contains only letters. A password containing only letters is much easier to crack than a password with numbers and special symbols. For example, cracking the password haidhji#7 would be fairly difficult and would take a long time to brute force because it has alpha, number, and special characters. With the LAN Manager hash, a hacker would have to crack haidhji, which is only alpha characters, so it is fairly easy to do, and then he would have to crack #7, which contains a number and a special character. However, #7 would be very simple to crack based on its length. So as you can see, breaking up a password into two pieces makes it considerably easier to crack. A brute force attack takes considerably less time to crack two pieces compared to the time it takes to crack one piece. This is true because the two pieces can be cracked in parallel, so instead of trying every possible combination of 14 characters to crack the password, the hacker would only need to try every possible combination of 7 characters. Another reason breaking up a password makes it easier to crack is that oftentimes if half of the password is known, the other half becomes easier to guess. For example, if the first seven characters of a password are Ilovene, the hacker might be able to figure out that the password is Ilovenewyork.

To illustrate this, let’s look at an example. To brute force a password, an attacker would have to try all possible combinations of characters until he finds the correct word. In this example, let’s assume that passwords can consist of lowercase letters (26 possible characters) and numbers (10 characters). If the password can only be 7 characters long, then that means there are only 78 E9 (78,000,000,000) different possible combinations of passwords. Now, if we increase the length to 14-character passwords, there are 36 E20 (or 36 with 20 zeros) possible combinations of passwords. If our system could try 1 billion passwords a day, it would be able to crack any 7-character password in 78 days. On the other hand, it would take 61 E11 or 6,100,000,000,000 days to crack any 14-character password. As you can see, the length of the password tremendously increases the amount of time it takes to crack a password.

No Salts

Now let’s look at the second reason why NT passwords can be cracked in a shorter period of time. To make passwords harder to guess, they are often randomized. This way two users who have the same password have different hashes. When you encrypt a password, there is something used called a salt, which is meant to make passwords a little harder to guess by randomizing the password. A salt is a random string that is combined with a password before it is encrypted. The second design flaw in NT is that it does not use a salt. Normally, when the user enters a new password, the system computes the hash and stores it. The problem with this is that if two people have the same password, the hash is the same. The way the system uses a salt is that for each user it calculates a random number—the salt. When the user enters a new password, the system first combines the password with the salt and then computes the hash. The system not only stores the hash, but also the salt with the user ID. Now, when a user authenticates to the system and she types her password, the system looks up the salt and combines it with the password, calculates the hash, and determines whether there is a match. This way, if two people have the same password, they will have different salts, and their passwords will be stored differently. This makes it a lot harder to brute force a password. Without a salt, an attacker can compute the hash of each word once and scan the entire list of users’ passwords to see if there is a match. Because ten users with the same password using NT will have the same hash, you can crack their passwords with one attempt. With a salt, you have to compute the hash of each word for each user using their unique salt. Now, instead of computing the hash once and scanning the list, all the work has to be repeated for each user. As you can see, using a salt makes it increasingly difficult, from a time perspective, to crack a series of passwords. For example, without a salt, it might take 5 days to perform a brute force attack against all of the passwords. With a salt, it would take 5 days per user. This is because you have to find the salt for each user and compute the hash using that unique salt, and because each user has a different salt, the resulting hashes are different for each user. This assumes that the cracking is done one account at a time. If multiple accounts could be cracked simultaneously, then the time factor decreases a little. For example, the following shows two users’ passwords that are the same in a system where salts are not used:

John:.D532YrN12G8c

mike:.D532YrN12G8c

As you can see, because a salt was not used to randomize the password, the two encrypted passwords are exactly the same. A password cracker would only have to compute the password once and he would be able to crack both accounts at the same time. The following shows two users’ passwords that are the same in a system where salts are used:

John:.D532YrN12G8c

mike:WD.ADWz99Cjjc


Although the passwords are the same, because the salts are different, the resulting encrypted passwords are different. As you can see, a password cracker would have to compute the hash twice, once for each password and using a different salt each time. As we have pointed out, this does increase the time, especially if there are a lot of accounts on the system.

Microsoft does not use a salt, so if two users have the same password, they are encrypted the same way. Without salts, the computer only has to encrypt each word once, and if another user has that password, there is a match. If salts were used, the attacker would have to find out the salt for the user and then encrypt all possible passwords with that salt to see if there was a match. Once there was a match, the attacker would have to move on to the next user and do the same thing. As you can see, this would take a much longer time to perform. This is not a big deal if there are only 5 accounts on the system, but imagine if there are 5,000 accounts, each with a different salt. With that many users, you can start to see the benefit of using a salt. It drastically increases the amount of effort and resources an attacker has to use to crack your passwords.
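An added example (not from the book) that makes the salting argument above concrete: SHA-256 stands in for the password hash, the accounts and wordlist are constructed, and each cracking routine counts how many hash computations a dictionary attack needs with and without a per-user salt.

```python
import hashlib
import os


def store_unsalted(password: str) -> str:
    # Stand-in one-way function; the book's NT and crypt hashes work the same way
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted(password: str, salt: bytes) -> str:
    # Salt is mixed in before hashing and kept next to the hash (not secret)
    return hashlib.sha256(salt + password.encode()).hexdigest()


def crack_unsalted(stored: dict, candidates: list):
    """stored: {user: hash}. Each candidate is hashed once and compared to all users."""
    by_hash = {}
    for user, h in stored.items():
        by_hash.setdefault(h, []).append(user)
    cracked, work = {}, 0
    for cand in candidates:
        work += 1                                  # one hash per candidate, total
        for user in by_hash.get(store_unsalted(cand), []):
            cracked[user] = cand                   # every duplicate falls at once
    return cracked, work


def crack_salted(stored: dict, candidates: list):
    """stored: {user: (salt, hash)}. Every candidate must be re-hashed per user."""
    cracked, work = {}, 0
    for user, (salt, h) in stored.items():
        for cand in candidates:
            work += 1                              # one hash per candidate, per user
            if store_salted(cand, salt) == h:
                cracked[user] = cand
                break
    return cracked, work


# Constructed sample accounts; john and mike share a password as in the text.
USERS = {"john": "newyork1", "mike": "newyork1", "sally": "h4rdPa$$", "ann": "summer99"}
WORDLIST = ["password", "newyork1", "summer99"]    # constructed dictionary


def demo() -> dict:
    unsalted = {u: store_unsalted(p) for u, p in USERS.items()}
    salted = {}
    for u, p in USERS.items():
        salt = os.urandom(8)                       # fresh random salt per user
        salted[u] = (salt, store_salted(p, salt))
    c1, w1 = crack_unsalted(unsalted, WORDLIST)
    c2, w2 = crack_salted(salted, WORDLIST)
    return {"same_hash_unsalted": unsalted["john"] == unsalted["mike"],
            "same_hash_salted": salted["john"][1] == salted["mike"][1],
            "cracked_unsalted": c1, "work_unsalted": w1,
            "cracked_salted": c2, "work_salted": w2}


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

With 3 candidates and 4 accounts the unsalted attack costs 3 hash computations, while the salted attack costs one per candidate per account (10 here, since each search stops at its first hit); the gap grows linearly with the number of accounts.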

To summarize, from a security perspective, the two things that Microsoft does to make cracking passwords even easier are:

Utilizing LAN Manager hashes, which break passwords into two 7-character pieces.

Not using a salt (or randomness), so two identical passwords are encrypted the same way.

NT Password-Cracking Programs

Several programs can be used to crack passwords in an NT environment. In this section, we look at the following programs:

L0phtcrack

NTSweep

NTCrack

PWDump2

L0phtcrack is by far the most powerful and feature-rich of the programs listed. Also, PWDump2 is not a password cracking program, but rather a utility used to extract password hashes. It is included in this section to make it complete.

L0phtcrack

L0phtcrack (with “0” being the number zero) is an NT password-auditing tool that computes NT passwords based on the cryptographic hashes stored on the operating system. For security reasons, and as covered in
