Password policies designed by well-meaning system administrators dictate the required number of characters and the complexity of passwords, but is that dictated complexity enough to protect user accounts from hackers? We’re told to create passwords that are “easy to remember but hard to guess.” We’re instructed to choose passwords that contain upper- and lowercase letters, that include numbers, and that have a few alternative characters as well. And, we’re discouraged from using the same password for every account. The question is, “Is all that complexity enough to protect us from hackers?” The answer, to further complicate matters, is “Yes” and “No.”
“Yes” because, for an attacker guessing across the network or at a local login prompt, a complex password is unlikely to fall within the handful of attempts available. Random guesses trigger account lockout after a limited number of incorrect attempts, the lockout raises intruder-detection alerts, and system administrators are notified that something suspicious has happened. It’s then up to the administrator to investigate.
“No” because an intruder who has already attained administrative access can copy the system’s password and shadow files to a remote location and use powerful tools to crack them offline. Working from a copy, the hacker can crack passwords at his leisure, in the safety of his own computer lab, with no lockouts or alerts to worry about.
Once the hacker has a system’s password files, he can choose among the password attack options at his disposal. To reduce the time needed, hackers first try dictionary word matches, because they know most users opt for simple, dictionary-type passwords. Dictionary-based passwords make the hacker’s life easy, and the return on investment for checking a password hash file against a password dictionary is very high: a hacker can recover dictionary-based passwords in minutes, whereas a brute force attack can take days.
Brute force tries every possible combination of characters from a chosen character set, one length at a time, until a candidate matches the hash. With a powerful computer and enough time, no password can escape the hacker’s relentless attack. Time matters to the hacker because once the victim discovers the compromise, new security measures and password changes rapidly go into effect.
System administrators need to audit passwords periodically, not only to make sure they comply with password policies, but to ensure that those that do comply aren’t still simple enough to be guessed by an outsider.
For example, if a user chooses the password MarklarCo2563, you might conclude that this is a strong password. It would be, for someone who isn’t employed at The Marklar Company at 2563 Snarkish Way. For an employee it is a weak password, because it’s easily guessed by a hacker attempting to break into The Marklar Company. Similarly, users shouldn’t select a password by simply reversing the company name to RalKram2563.
Hackers are too smart for such low-level trickery as using company name permutations for passwords. As one of their first passes at a password hash, they’ll build a small word list from the company name and its obvious variants (reversed, mixed case, digits or street numbers appended) and run it through the cracker’s word-mangling rules.
One of the tools hackers use to crack recovered password hash files from compromised systems is John the Ripper (John). John is a free tool from Openwall. System administrators should use John to perform internal password audits. It’s a small (<1MB) and simple-to-use password-cracking utility.
To get started, install John from your Linux distribution’s repository, build it from source, or, if you have Windows, download the binaries from Openwall’s website. A system-wide install is not required: after you extract the distribution archive (and compile the source, if you downloaded it), you can simply enter the run directory and invoke John from there.
John is a command-line utility that does not require administrative or root privileges to run against a password hash file. However, you will need administrative privileges to obtain password hash files from your systems.
Before you begin attempting password cracks, check the efficiency of John on your system by running it in test (benchmark) mode. The report tells you how many candidate passwords per second (c/s) your system can theoretically test for each supported password hash type; the slower the hash type, the fewer candidates John can try.
On Linux systems that use shadow passwords, use the unshadow utility bundled with John to merge your system’s passwd and shadow files into a single password hash file.
The resulting passfile contains username:encrypted-password pairs (followed by the remaining passwd fields), one account per line.
Once you have created the password hash file, you can direct John to launch one of several different “modes” against your password hashes. The first mode is a quick crack attempt using the supplied password list file, password.lst, which contains more than 3,000 commonly used passwords.
This dictionary-based attack took less than one second to extract the root password (admin) and my user password (t-bone) from the password hash file. The password dictionary used is the standard password.lst file packaged with John, but many more exist. A skilled hacker will use a huge password dictionary containing millions of entries, or several dictionaries in turn, to attempt an easy grab before resorting to a brute force attack.
The next fastest mode is single-crack mode. It derives its candidates from each account’s own username and GECOS (full name) fields and applies a simple set of mangling rules to them, so a user whose password is a variation of her login name or real name falls quickly.
Finally, the brute force attack, which John calls incremental mode, might be your only refuge if passwords are more complex. Its sub-modes let you specify which character set John should exhaust.
Your choices are:
• alpha – Letters only.
• digits – Numbers only.
• lanman – Letters, numbers, and some special characters.
• all – All possible characters.
You can check on John’s progress during a crack attempt by pressing a key (the space bar will do) to view the elapsed time, combinations per second, and the candidate passwords most recently tried.
In the example brute force incremental session, the status was checked three times. At the time of those checks, the session had run for more than one full day against the two passwords the system was attempting to crack, and at more than 10,000 c/s they were still unbroken. Passwords like these aren’t easily cracked by brute force.
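The audit sequence described above (benchmark, merge passwd and shadow, wordlist mode, single-crack mode, incremental mode, status) as a small POSIX shell script. This is an added example, not code from the original article or from the John the Ripper project. It assumes john and its password.lst are on the PATH or you run it from John’s run directory; the passwd and shadow lines inside demo are constructed, with placeholder hash strings rather than real account data. merge_shadow reproduces what John’s bundled unshadow tool does so you can see the file format John reads, and estimate_days turns a c/s figure into a worst-case brute-force time for a given character set and length.

```shell
#!/bin/sh
# Added example (not the article's or John's own code). Assumes `john` and
# `password.lst` are reachable; on distro packages the list usually lives in
# /usr/share/john/password.lst, so override with WORDLIST=... if needed.

# merge_shadow PASSWD SHADOW
# What `unshadow` does: replace the "x" placeholder in field 2 of each passwd
# line with the hash from the matching shadow entry. Output is the
# user:hash:uid:gid:gecos:home:shell format John expects.
merge_shadow() {
    awk -F: -v OFS=: '
        FILENAME == ARGV[1] { hash[$1] = $2; next }   # pass 1: shadow file
        $1 in hash          { $2 = hash[$1] }         # pass 2: passwd file
        { print }' "$2" "$1"
}

# crackable_accounts PASSFILE
# List users whose hash field holds a real hash. Locked ("!", "!!") and
# disabled ("*") entries, or an unresolved "x", give John nothing to do.
crackable_accounts() {
    awk -F: '$2 != "" && $2 != "x" && $2 !~ /^[!*]/ { print $1 }' "$1"
}

# estimate_days CHARSET_SIZE LENGTH CPS
# Days to exhaust every LENGTH-character candidate over an alphabet of
# CHARSET_SIZE symbols at CPS candidates per second, i.e. the c/s value that
# `john --test` and the status line report. This is the worst case for an
# incremental run; John orders candidates by likelihood, so real hits come
# earlier, but a password outside the keyspace never comes at all.
estimate_days() {
    awk -v n="$1" -v l="$2" -v cps="$3" \
        'BEGIN { printf "%.2f\n", n^l / cps / 86400 }'
}

# audit PASSFILE
# The sequence from the article. Incremental mode runs until interrupted
# (Ctrl-C); `john --show` prints what has been recovered so far, and a
# later `john --restore` resumes an interrupted session.
audit() {
    john --test                                       # c/s per hash type
    john --wordlist="${WORDLIST:-password.lst}" "$1"  # dictionary mode
    john --single "$1"                                # username/GECOS rules
    john --incremental=Alpha "$1"                     # letters-only brute force
    john --show "$1"                                  # cracked so far
}

# demo: build a constructed passfile and show what John would be given.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice Example:/home/alice:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
EOF
    cat > "$dir/shadow" <<'EOF'
root:$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
alice:$6$saltsalt$OTHERPLACEHOLDER:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
EOF
    merge_shadow "$dir/passwd" "$dir/shadow" > "$dir/passfile"
    echo "--- passfile handed to John:"; cat "$dir/passfile"
    echo "--- accounts worth cracking:"; crackable_accounts "$dir/passfile"
    echo "--- days to exhaust 6 lowercase letters at 10,000 c/s:"
    estimate_days 26 6 10000
    echo "--- days to exhaust 8 printable-ASCII characters at 10,000 c/s:"
    estimate_days 95 8 10000
    rm -rf "$dir"
}

demo
```

Run audit passfile once john is on the PATH; the demo function alone needs only awk. The two estimates make the article’s point concrete: six lowercase letters fall in well under a day at 10,000 c/s, while eight characters drawn from the full printable set take millions of days on the same hardware, which is why the 10-character, mixed-character guidance below buys real time.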
Given enough time and hardware, any password within a reachable keyspace will be cracked. Your job is to make it so difficult for the hacker that he gives up and moves on to easier prey. He won’t enjoy having so many resources tied up in cracking passwords that take more than a few hours to extract.
Using very strong passwords buys you the time necessary to secure your systems, plug the hacker-exploited security hole(s), and force a password change in your environment.
As a system administrator, you must educate users on how to create good passwords. You must also educate your management to establish password policies and to enforce them. Here are some guidelines to use for establishing and enforcing password policy. Passwords should:
• Contain at least 10 characters.
• Use mixed-case letters.
• Use numbers.
• Use special characters.
• Not use dictionary words unless they are part of a passphrase.
A good passphrase is several unrelated words run together with digits and special characters mixed in. Passphrases that are sufficiently long and that include special characters and numbers are very difficult to crack. Note that a single dictionary word with a few letters swapped for look-alike symbols is not a passphrase; John’s mangling rules try exactly those substitutions, so the length and the number of words are what buy you time.
Now that you have a better understanding of password complexity and why passwords need to be complex, you can explain this to your users and management with ease. Your prime directive as a system administrator is to protect your systems. Very strong passwords are but one method to that end.
You can’t stop passwords from being cracked, but you can make the process very slow and unpleasant for the hacker when he returns to take further advantage of your compromised system. Strong passwords might be a pain for users, but they will be even more painful for the hacker who wants to steal data and continue to wreak havoc on your systems. Don’t make it easy for them.
Forgot the password to your Windows admin account? There are a lot of different reasons why one would want to recover a Windows password. This tutorial shows how to use John the Ripper to crack Windows 10, 8 and 7 passwords on your own PC.
Step 1: Extract Hashes from Windows
The Security Account Manager (SAM) is a database file in Windows 10/8/7/XP that stores the password hashes of local user accounts. The file is locked while Windows is running, so it can’t simply be copied.
The first thing we need to do is grab the password hashes from the SAM. Download the freeware PwDump7 and unzip it on your local PC.
Open a Command Prompt. Navigate to the folder where you extract the PwDump7 app, and then type the following command:
PwDump7.exe > d:\hash.txt
Once you press Enter, PwDump7 will grab the password hashes from your current system and save them into the file d:\hash.txt.
Step 2: Cracking Passwords with John the Ripper
As you can see, the dump contains password hashes, not passwords, so we need to crack them using John the Ripper. John the Ripper is one of the most popular password cracking tools available and runs on Windows, Linux and Mac OS X.
Just download the Windows binaries of John the Ripper, and unzip it.
Open a Command Prompt and change into the directory where John the Ripper is located, then type:
john --format=LM d:\hash.txt
It will start cracking your Windows password. In my example, you can clearly see that John the Ripper has cracked the password within a matter of seconds. Note that Windows Vista and later do not store the weak LM hash by default, only the NT hash, so on Windows 10, 8 or 7 the LM field in the dump is usually empty and you should run John with --format=NT instead; LM cracking is fast precisely because that hash is so weak, whereas NT hashes of long passwords take far longer.
John the Ripper is probably the world’s best known password cracking tool, but its lack of a GUI makes it a bit more challenging to use. Don’t use it for illegal purposes.