Friday, February 20, 2015

Password cracking 101 (and password best practices)

Had a fun little story where a friend came to me hoping I could help him break into one of his friend's computers.

Yeah... what?

Apparently the friend had some old computer she couldn't quite remember the password to. My friend thought the best way to solve the problem was to have me crack it. Haha, works for me, sounds like fun =)

Now, there are actually a number of ways to solve this problem, since with physical access to an unencrypted hard drive, you can do pretty much whatever you want to it. There are all kinds of bootable OS tools and other utilities (such as Cain and Abel) that will let you change, blank, or view passwords or whatever. So, I told him what he'd need to do.

First, you need the System and SAM files. Copies, actual files, or as they are resident in memory, doesn't matter ;)

Then, you'll need to create a key file from the System file that can be used to unlock the SAM file. This can be done with bkhive:

bkhive SystemFile KeyFile

Note: The keyfile is the output, and you can call it whatever you want.

Then you use samdump2 to dump the hashes:

samdump2 SAMfile KeyFile > hashes.txt

The next step is modifying your hashes file so that it doesn't confuse hashcat. For example, if you have username:passwordhash: then the trailing colon will throw a line-length exception in hashcat. The easy fix for this (especially if there are a lot of hashes) is to use sed:

sed -i 's/:$//g' hashfile.txt

-i edits the file in place (without it, sed only prints the result to the terminal and leaves the file untouched). s means search and replace, the :$ means look for a colon only at the end of a line, and the // is normally where the replacement goes; since it's blank, it will remove the colon. The g means globally, so that it will do it to all occurrences on a line (with the $ anchor there can only be one per line, so it's harmless here).

Next, we get to run hashcat. For this one, I use the biggest list and rule files that come prepackaged in Kali:

hashcat -a 0 -m 1000 --username -r /usr/share/hashcat/rules/d3ad0ne.rule hashfile.txt /usr/share/wordlists/rockyou.txt

-a 0 = This is the attack mode (straight, in this case)

-m 1000 = Type of hash. 1000 is NTLM, which is the hash type Windows uses.

--username = this tells hashcat to ignore the username in the username:hash format (otherwise it loads the entire line as a hash, and fails)

-r /rulepath = tells hashcat to use the specified rule list

hashfile.txt = The file of hashes to crack

Dictionary path = Location of the wordlist you want to use (in this case, rockyou.txt, which comes compressed by default on Kali, so you have to unzip it first)

Once it cracks the passwords (which it won't show with the username), you can run the same command as above with an added --show switch, and it will give you a username:hash list of all the cracked passwords.

Anyways, back to the story: he grabbed the System and SAM files, but I forgot to mention the part about running bkhive on the System file, so he was trying to use the entire System file as the key... I helped him sort that out, and immediately noticed the local administrator account has a blank password. I'm like "She can just log into her admin account and change whatever she wants." But no, he STILL wanted to crack it, just to say he had, or to impress his friend, or something, whatever, no skin off my back.

We set a clunky ol' Lenovo to cracking. About 15 minutes later another friend mentioned "Wouldn't it be cool if we could get a server cluster behind this?" And I was like "Actually... I have a version of hashcat on my laptop that will appropriate the GPU and crunch out hashes like whoa." Sure enough, we dumped that poor, single hash into my not even all that impressive laptop. 52 seconds and 1.6 BILLION hashes later it found a match, and the password was cracked! Friend of friend could now get into her computer again, yay!

It was some name with a couple of numbers. This is a terrible password. Don't do it. So let's talk passwords for a second. Don't use any kind of dictionary word, don't use fictional character names from books (raistlin, gandalf, haplo, anything like that), and don't use common number sequences, like dates. ALSO don't use character/number replacement. wH@tEv3r1! is a depressingly easy password to crack, for example. That rules file above? It takes every single entry in a dictionary list and applies all the rules to them, effectively creating a MASSIVE and dynamic dictionary list. So it will take an entry like password, and try PaSsWoRd, Password1, password123, P@55w0rd!@12, password1969, 5password2015, so on and so forth. Keyboard patterns are also commonly added to password dictionaries. And I don't just mean "asdfjkl;" but other more "clever" ones as well, like 1qazXSW@ or %TGBnhy6. They look like good passwords, right? They're not.

So, random passwords are best, length over complexity, and use a password manager. I personally like to make up nonsense words, made-up molecules (alister8pheNDren!te, for example; easier to remember since it's pronounceable), or a phrase. As xkcd pointed out in one of their comics, "charge horse battery staple" is not only easy to remember, but harder to crack than "complex" passwords. In this instance, it would be ok to use l33t speak to meet complexity criteria. charge h0rse Battery staple is still going to be nigh impossible to crack, and will satisfy most password requirements (spaces count as special characters in systems that accept them). I'd suggest not using that one though, as its popularity renders it not terribly secure; it's just an example.
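As an added example (not code from the original post), the following Python check turns the point of the two paragraphs above into something a defender can run at password-set time. Instead of generating every rule-mangled variant of a wordlist the way a rule file does, it canonicalizes the candidate (lowercase, strip prepended/appended digits and symbols, undo common character substitutions) and looks the result up, so wH@tEv3r1! and P@55w0rd!@12 collapse back to the words they came from; it also flags keyboard walks such as 1qazXSW@ by tiling the unshifted password with runs of adjacent keys. The tiny WORDLIST, the MIN_LENGTH and MIN_PASSPHRASE_WORDS thresholds and the substitution table are constructed assumptions standing in for a real breached-password list and a real policy.

```python
import re
from functools import lru_cache

# Constructed stand-in for a real wordlist such as rockyou.txt (assumption for the demo).
WORDLIST = frozenset({
    "password", "whatever", "gandalf", "raistlin", "haplo",
    "charge", "horse", "battery", "staple",
})
MIN_LENGTH = 12            # assumed policy threshold, not from the post
MIN_PASSPHRASE_WORDS = 4   # assumed: a passphrase needs at least this many words

# Undo common character/number substitutions so "P@55w0rd" canonicalizes to "password".
UNLEET = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t", "+": "t",
})
# Map shifted symbols back to the digit key that produces them (US layout).
UNSHIFT = str.maketrans(")!@#$%^&*(", "0123456789")

# Physical neighbours on a US QWERTY keyboard: rows left-to-right, columns top-to-bottom.
QWERTY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl;", "zxcvbnm"]
QWERTY_COLUMNS = ["1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm", "8ik", "9ol", "0p"]


def keyboard_fragments(min_len=3):
    """Every run of at least min_len adjacent keys along a row or column, in either direction."""
    frags = set()
    for seq in QWERTY_ROWS + QWERTY_COLUMNS:
        for s in (seq, seq[::-1]):
            for i in range(len(s)):
                for j in range(i + min_len, len(s) + 1):
                    frags.add(s[i:j])
    return frozenset(frags)


KEYBOARD_FRAGMENTS = keyboard_fragments()


@lru_cache(maxsize=None)
def is_keyboard_walk(s):
    """True if s can be tiled completely by adjacent-key runs (e.g. '1qaz' + 'xsw2')."""
    if not s:
        return True
    return any(s.startswith(f) and is_keyboard_walk(s[len(f):]) for f in KEYBOARD_FRAGMENTS)


def canonical(token):
    """Reverse the cheap mangling rules: case changes, digit/symbol prefixes and suffixes, leet."""
    s = token.lower()
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)   # strip '5...2015' or '...!@12' style decorations
    return s.translate(UNLEET)


def check_password(pw, wordlist=WORDLIST):
    """Return a list of (finding, detail) tuples; an empty list means no cheap attack path was found."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append(("short", len(pw)))
    tokens = pw.split()
    canon = [canonical(t) for t in tokens]
    # One token that canonicalizes to a wordlist entry is exactly what a rule file will hit.
    if len(tokens) == 1 and canon[0] in wordlist:
        findings.append(("dictionary", canon[0]))
    # Several dictionary words are fine only once there are enough of them (xkcd-style passphrase).
    elif len(tokens) > 1 and all(c in wordlist for c in canon) and len(tokens) < MIN_PASSPHRASE_WORDS:
        findings.append(("short_passphrase", len(tokens)))
    walk = pw.lower().translate(UNSHIFT)
    if len(walk) >= 3 and is_keyboard_walk(walk):
        findings.append(("keyboard_walk", walk))
    return findings


if __name__ == "__main__":
    for candidate in ["wH@tEv3r1!", "P@55w0rd!@12", "5password2015", "1qazXSW@",
                      "%TGBnhy6", "charge h0rse Battery staple", "alister8pheNDren!te"]:
        print(f"{candidate!r:32} -> {check_password(candidate) or 'ok'}")
```

The canonicalize-then-lookup approach is the practical way to enforce "no mangled dictionary words": it costs one set lookup per attempt rather than expanding a wordlist by every rule, and it is the same idea behind checking new passwords against a breached-password list. The passphrase branch is what lets charge h0rse Battery staple through while still rejecting a lone h0rse, which matches the post's length-over-complexity advice.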

Secondly... Security Questions. Do NOT answer them honestly. Even if you're not a celebrity. It's worse for celebrities, however, as this is how all those celebrity nudes got leaked a few months back. Their passwords were compromised by miscreants doing a password reset and answering the security questions that the CELEBRITIES answered honestly. You may as well just make your password your significant other's name and save the bad guys some trouble. Your mother's maiden name, your first car, first job, all of those kinds of things could potentially be discovered through some research and/or social engineering. So if you answer them honestly, someone could go reset your password and bam, account compromised. So I don't know about you guys, but I totally had a childhood friend named 7yU-f)!@5nMB.

And, lastly, even if you keep awesome 16-character random passwords, there's always the possibility one can get caught in plaintext somewhere, or if someone can find/capture the hash, they can pass the hash and not have to worry about what actually generated the hash in the first place. There's also the potential for a keylogger to be watching your every keystroke. So what's a person to do? Two-factor authentication. Anything that will allow you to use two-factor authentication, jump on it. Tie your Gmail to your phone and require a one-time code texted to your phone when you log in from a new or portable device, tie bank accounts to something, and tie game accounts to a dongle or phone app... Or whatever. LastPass even supports the creation of a thumb drive that will act as a sort of key, and if it isn't plugged into the computer, you can't log on. These kinds of multi-factor steps are perhaps even more important than having a super password, but I'd suggest having both. Defense in layers and all that.

Well, that was longer than I expected...

tl;dr: Don't use stupid passwords
