GT ECE 4112 - Password Cracking and Sniffing

This preview shows page 1-2-3-4-26-27-28-54-55-56-57 out of 57 pages.


ECE 4883 - Internetwork Security

Password Cracking and Sniffing
• Agenda
  - Storing Passwords on the system
  - Password Cracking on Windows and Linux
  - Defenses against Password cracking
  - Sniffing
  - Defenses against Sniffing
  - Address Resolution Protocol (ARP)
  - Man in the Middle

Cracking Passwords
• Passwords that can be guessed easily are a problem
• Lots of tools are available to figure out passwords
• L0phtcrack: Windows password cracker
• "John the Ripper": Unix password cracker
• Default passwords remaining on a system are a typical vulnerability

Password storage
• Password files have passwords stored in a hashed or encrypted form
• Hash algorithm example is Message Digest 4 (MD4)
• Encryption algorithm example is Data Encryption Standard (DES)
• When you use your password, it is hashed or encrypted and then compared to the stored value
• Crackers use a downloaded local copy of the password file on their own machine

Storing Passwords
• Systems have a file with all hashed/encrypted passwords
  - Windows – SAM (Security Accounts Manager) database
  - UNIX – /etc/passwd or /etc/shadow
• Access to these files can make it easy for a hacker to break in

Windows Passwords
• Security Accounts Manager (SAM) has two versions of each password
• LanMan (LM) password version for backward compatibility with Windows workgroups
• NT Hash – cryptographic hash for Windows NT/2000 (uses MD4)
• The SAM file is in the \WINNT\system32\config\ directory; it is a binary file that is hard to read
• Backup copy stored in \WINNT\repair

Using Passwords
• System has a hashed/encrypted version of the password stored in a file
• On login attempt –
  - System hashes/encrypts the password typed in, using for example the crypt() function in Linux
  - Compares hashed/encrypted value to stored hashed/encrypted value
  - Idea behind password cracking is to get a copy of the hashed/encrypted passwords and then make guesses, hash/encrypt each guess and compare

Password Cracking
• Dictionary Attack
  - Hackers steal a copy of the stored password file
  - Guess a password (may use a dictionary)
  - Find hash/encrypted value of the guess
  - Compare hash to entries from stored file
  - Continue this until success or out of options for password guesses
• Brute Force – Guess every possible combination of characters
• Hybrid – Use dictionary but add characters to dictionary entries

Password retrieval on Windows
• Sniff the network for passwords being transmitted
• From Administrator's emergency repair disk
• From backup directory

Password Cracking on Windows
• L0phtCrack – lc4 (Windows)
  - Available at [email protected]/research/lc/
  - Password Auditing and Recovery Application
  - Default English dictionary of 50,000 words
  - Does "hybrid" attacks
  - Our free trial version does not allow brute force (for $350 can purchase with that capability)
  - Works on weaker LanMan (LM) as well as NT hashes
  - Can sniff a network for LanMan hashed passwords
  - Can download the hashed password file from a local machine or remote computer

L0phtCrack (lc4)
• Some statistics (from the website)
  - L0phtCrack obtained 18% of the passwords in 10 minutes
  - 90% of the passwords were recovered within 48 hours on a Pentium II/300
  - The Administrator and most Domain Admin passwords were cracked

Password Cracking on UNIX
• John the Ripper
• Available at http://www.openwall.com/john/
• Supports six hashing schemes including XP
• Old Unix used /etc/passwd to store passwords
• Password is stored after being cryptographically altered
• Various algorithms (hash/encryption) are used by various Unix platforms
• /etc/passwd is readable by everyone
• Some Unix systems store passwords in a shadow password file, so /etc/passwd does not contain the passwords; they are instead in /etc/shadow or /etc/secure, and only root can access these files
• If a shadow file is used, must have root to copy it

Password retrieval on Linux
• List of login names and usernames in /etc/passwd
• List of encrypted passwords in /etc/shadow
• /etc/shadow alone is enough to crack the passwords
• Having both files makes it easier

John the Ripper
• Combine information from /etc/passwd and /etc/shadow into one file
• Use this file as input for John the Ripper
• John can create guesses by
  - Using built-in dictionary
  - Using account information
  - Using brute-force guessing algorithm

John the Ripper
• Scrambling used for each guess
• When a password is cracked, the result is displayed on screen
• During execution of this tool, hitting any key will give the current guess and status
• Password complexity determines the time needed to crack them

Defenses against Password Cracking
• Select good passwords (not dictionary based)
• Change regularly
• Use tools to prevent easy passwords
• Use password cracking tests against own systems
• Protect system backups that have password files
• Unix: activate password shadowing
• Windows: disable weaker LM authentication if no Windows 95/98 machines on network

Agenda
• Storing Passwords on the system
• Password Cracking on Windows and Linux
• Defenses against Password cracking
• Sniffing
• Defenses against Sniffing
• Address Resolution Protocol (ARP)
• Man in the Middle

Sniffing
• Collect information being transmitted on the network
• Attacker must be on either the source, destination or an intermediate network
• Sniffed information can be stored/logged

Sniffing traditional LANs
• Traditional networks
  - Broadcast medium – easy to sniff
[Figure: HUB, attacker, "Data A" (shown four times)]

Sniffing Switched LANs
• Switched LANs
  - Difficult to do, but possible
  - ARP Cache Poisoning – Attacker must inject packets into the network to redirect traffic
  - Attacker lies about the MAC address and intercepts traffic
  - ARP tells which MAC address corresponds to which IP address

Sniffing Switched LANs
[Figure: SWITCH, attacker, "Data A" (shown twice)]

Sniffit
• Easy to use sniffer
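The "Use tools to prevent easy passwords" defense from the Defenses against Password Cracking slide, sketched as an added example that is not part of the original slides: a check at password-change time that rejects dictionary words and the hybrid variants (extra characters around a word) described on the Password Cracking slide. The function names, the small wordlist, the substitution table and the minimum length are all assumptions made for illustration.

```python
import re

# Constructed sample wordlist (assumption); a real filter would load a large dictionary file.
WORDLIST = {"password", "dragon", "summer", "georgia", "letmein", "security"}

# Character substitutions undone before the dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def reduced_forms(password):
    """Return the forms a dictionary or hybrid guesser would effectively be testing."""
    lowered = password.lower()
    # Hybrid guesses add characters around a word, so drop leading/trailing non-letters.
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    forms = {lowered, stripped, lowered.translate(LEET), stripped.translate(LEET)}
    return forms | {form[::-1] for form in forms}


def check_password(password, username="", min_length=10):
    """Return the list of reasons to reject the password; an empty list means accept."""
    reasons = []
    if len(password) < min_length:  # min_length is an assumed policy value
        reasons.append("too short")
    if reduced_forms(password) & WORDLIST:
        reasons.append("dictionary word or hybrid variant")
    if username and username.lower() in password.lower():
        reasons.append("contains account name")
    return reasons


if __name__ == "__main__":
    for candidate, user in [("Dragon2024!", "jsmith"), ("P@ssw0rd1", "jsmith"),
                            ("jsmith-Tr1ckyPhrase!", "jsmith"),
                            ("nimmus-harbor-42-quilt", "jsmith")]:
        print(candidate, "->", check_password(candidate, user) or "accepted")
```

The account-name rule mirrors the John the Ripper slide, which lists account information as one of the sources of guesses.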
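A detection-side view of the ARP cache poisoning described on the Sniffing Switched LANs slide, as an added example that is not part of the original slides: because the attacker "lies about the MAC address", the lie shows up as an IP-to-MAC binding that changes or as one MAC address answering for several IP addresses. The log format, the addresses, the function names and the optional table of pinned (known-good) bindings are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed observations (time, IP, MAC), as a monitor might record from ARP replies.
SAMPLE = """\
10:00:01 192.168.1.1 00:11:22:33:44:01
10:00:02 192.168.1.20 00:11:22:33:44:20
10:00:03 192.168.1.66 00:11:22:33:44:66
10:05:10 192.168.1.1 00:11:22:33:44:66
10:05:11 192.168.1.20 00:11:22:33:44:66
"""


def parse(text):
    """Yield (time, ip, mac) tuples from whitespace-separated log lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1], parts[2].lower()


def detect(observations, pinned=None):
    """Return (time, kind, ip, mac) alerts for suspicious IP-to-MAC bindings."""
    pinned = pinned or {}           # ip -> MAC known to be correct (e.g. the gateway)
    seen = {}                       # ip -> last MAC observed
    owners = defaultdict(set)       # mac -> IPs it has claimed
    alerts = []
    for ts, ip, mac in observations:
        if ip in pinned and mac != pinned[ip]:
            alerts.append((ts, "pinned-mismatch", ip, mac))
        elif ip in seen and seen[ip] != mac:
            alerts.append((ts, "binding-changed", ip, mac))
        seen[ip] = mac
        if ip not in owners[mac]:
            owners[mac].add(ip)
            if len(owners[mac]) > 1:    # one MAC now answers for several IPs
                alerts.append((ts, "mac-claims-multiple-ips", ip, mac))
    return alerts


if __name__ == "__main__":
    gateway = {"192.168.1.1": "00:11:22:33:44:01"}
    for alert in detect(parse(SAMPLE), pinned=gateway):
        print(*alert)
```

A host that legitimately holds several addresses, or a DHCP lease handed to a different machine, raises the same alerts, so results need review against the known inventory.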

