
LPTv4 module 25 password cracking penetration testing


ECSA/LPT
EC-Council
Module XXV: Password Cracking Penetration Testing
Penetration Testing Roadmap
Start Here
Information Gathering
Vulnerability Analysis
External Penetration Testing
Firewall Penetration Testing
Router and Switches Penetration Testing
Internal Network Penetration Testing
IDS Penetration Testing
Wireless Network Penetration Testing
Denial of Service Penetration Testing
Password Cracking Penetration Testing
Stolen Laptop, PDAs and Cell Phones Penetration Testing
Social Engineering Penetration Testing
Application Penetration Testing
Cont'd
EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited

Penetration Testing Roadmap (cont'd)
Physical Security Penetration Testing
Database Penetration Testing
VoIP Penetration Testing
Virus and Trojan Detection
War Dialing
VPN Penetration Testing
Log Management Penetration Testing
File Integrity Checking
Blue Tooth and Hand held Device Penetration Testing
Telecommunication And Broadband Communication Penetration Testing
Email Security Penetration Testing
Security Patches Penetration Testing
Data Leakage Penetration Testing
End Here
Passwords
Companies protect their resources by using combinations of user IDs and passwords.
Hackers can brute force or guess the passwords of web applications.
Some system software products use weak or no encryption to store and/or transmit their user IDs and passwords from the client to the server.
One of the leading causes of network compromises is the use of easily guessable or decipherable passwords.
Common Password Vulnerabilities
Weak passwords are:
• Easily guessable, i.e. pet names, car number, family member's name, etc.
• Comprised of common vocabulary words.
Improper handling of strong passwords:
• Involves the need for the user to write down the password in an insecure location.
Password Cracking Techniques
• Guessing
• Shoulder surfing
• Social engineering
• Using password crackers or network analyzers
Types of Password Cracking Attacks
Dictionary attacks: These attacks compare a set of words against a password database.
Brute-force attack: This attack checks all combinations of letters and numbers until the password is found.
Hybrid attack: This attack cracks any password by adding numbers and symbols to a file name.
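As an added illustration that is not part of the module, the following Python check labels a candidate password with whichever of the three attack classes above would recover it, which is the test a password policy should apply before accepting a new password. The mini word list, the substitution table and the 60-bit threshold are constructed assumptions.

```python
import math
import string

# Constructed mini-dictionary standing in for a real word list.
DICTIONARY = {"password", "summer", "rebecca", "ferrari", "welcome"}
# Undo the common digit/symbol-for-letter substitutions a hybrid attack tries.
UNLEET = str.maketrans("013457@$!", "oleastasi")

def base_word(candidate):
    """Strip the digits and symbols a hybrid attack bolts onto a dictionary word."""
    core = candidate.strip(string.digits + string.punctuation)
    return core.lower().translate(UNLEET)

def keyspace_bits(candidate):
    """Brute-force work in bits, sized from the character classes actually used."""
    size = 0
    if any(c.islower() for c in candidate):
        size += 26
    if any(c.isupper() for c in candidate):
        size += 26
    if any(c.isdigit() for c in candidate):
        size += 10
    if any(c in string.punctuation for c in candidate):
        size += len(string.punctuation)
    return len(candidate) * math.log2(size) if size else 0.0

def classify(candidate, dictionary=DICTIONARY, min_bits=60):
    """Name the attack class that would recover this password, or return 'ok'.

    min_bits=60 is an assumed policy threshold, not a figure from the module."""
    if candidate.lower() in dictionary:
        return "dictionary"
    if base_word(candidate) in dictionary:
        return "hybrid"
    if keyspace_bits(candidate) < min_bits:
        return "brute-force"
    return "ok"

if __name__ == "__main__":
    for pw in ("rebecca", "Summer2009!", "P@ssw0rd", "Tr0ub4dor", "x7#Qv9!mLp2&"):
        print(pw, "->", classify(pw))
```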
Steps in Password Cracking Penetration Testing
Step 1: Extract /etc/passwd and /etc/shadow files in Linux systems
Step 2: Extract SAM file in Windows machines
Step 3: Identify the target person's personal profile
Step 4: Build a dictionary of word lists
Step 5: Attempt to guess passwords
Step 6: Brute force passwords
Step 7: Use automated password crackers to break password protected files
Step 1: Extract /etc/passwd and /etc/shadow Files in Linux Systems
root:!:0:0:root:/root:/bin/tcsh
bin:!:1:1:bin:/bin:
daemon:!:2:2:daemon:/sbin:
adm:!:3:4:adm:/var/adm:
lp:!:4:7:lp:/var/spool/lpd:
sync:!:5:0:sync:/sbin:/bin/sync
shutdown:!:6:0:shutdown:/sbin:/sbin/shutdown
halt:!:7:0:halt:/sbin:/sbin/halt
mail:!:8:12:mail:/var/spool/mail:
news:!:9:13:INN (NNTP Server) Admin ID, 525-2525:/usr/local/lib/inn:/bin/ksh
uucp:!:10:14:uucp login user:/var/spool/uucppublic:/usr/sbin/uucp/uucico
operator:!:0:0:operator:/root:/bin/tcsh
games:!:12:100:games:/usr/games:
man:!:13:15:man:/usr/man:
postmaster:!:14:12:postmaster:/var/spool/mail:/bin/tcsh
httpd:!:15:30:httpd:/usr/sbin:/usr/sbin/httpd:
nobody:!:65535:100:nobody:/dev/null:
ftp:!:404:100::/home/ftp:/bin/nologin
nomad:!:501:100:Simple Nomad, 525-5252:/home/nomad:/bin/bash
webadmin:!:502:100:Web Admin Group ID:/home/webadmin:/bin/bash
thegnome:!:503:100:Simple Nomad's Old Account:/home/thegnome:/bin/tcsh
dorkus:!:504:100:Alternate account for Fred:/home/dorkus:/bin/tcsh

The password file for Linux is located in /etc and is a text file called passwd. By default and design, this file is world readable by anyone on the system.
On a Unix system using NIS/yp or password shadowing, the password data may be located elsewhere. This "shadow" file is usually where the password hashes themselves are located.
Linux Password Example
nomad:HrLNrZ3VS3TF2:501:100:Simple Nomad:/home/nomad:/bin/bash
This is what the fields actually are:
• Account or user name, what you type in at the login prompt: nomad
• One way encrypted password (plus any aging info): HrLNrZ3VS3TF2
• User number: 501
• Group number: 100
• GECOS information: Simple Nomad
• Home directory: /home/nomad
• Program to run on login, usually a shell: /bin/bash
Linux Shadow File Example
nomad:$1$fnffc$GteyHdicpGOfffXX40w#5:13064:0:99999:7
This is what the fields actually are:
• Account or user name, what you type in at the login prompt: nomad
• Password: $1$fnffc$GteyHdicpGOfffXX40w#5
• Last password changed: 13064
• Minimum number of days required between password changes: 0
• Maximum number of days the password is valid: 99999
• The number of days the user is warned before the expiration date of the password: 7
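The two field layouts above are easy to audit programmatically. The following Python is an added example, not code from the module: it parses the passwd and shadow lines shown on the slides (the sample lines are copied from the slides, everything else is constructed), converts the day count to a date, and reports the weaknesses a reviewer would flag, such as a hash left in the world-readable passwd file or a password that never expires.

```python
from datetime import date, timedelta

# Sample lines in the exact layouts the two slides above show.
PASSWD_LINE = "nomad:HrLNrZ3VS3TF2:501:100:Simple Nomad:/home/nomad:/bin/bash"
SHADOW_LINE = "nomad:$1$fnffc$GteyHdicpGOfffXX40w#5:13064:0:99999:7"

PASSWD_FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")
SHADOW_FIELDS = ("name", "hash", "last_change", "min_days", "max_days", "warn_days")
EPOCH = date(1970, 1, 1)          # shadow day counts are days since this date

def parse_passwd(line):
    """Split one /etc/passwd line into the seven fields named on the slide."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != 7:
        raise ValueError("passwd line needs 7 fields: %r" % line)
    rec = dict(zip(PASSWD_FIELDS, parts))
    rec["uid"], rec["gid"] = int(rec["uid"]), int(rec["gid"])
    return rec

def parse_shadow(line):
    """Split one shadow line; only the six fields the slide lists are required."""
    parts = line.rstrip("\n").split(":")
    if len(parts) < 6:
        raise ValueError("shadow line needs at least 6 fields: %r" % line)
    rec = dict(zip(SHADOW_FIELDS, parts[:6]))
    for key in SHADOW_FIELDS[2:]:
        rec[key] = int(rec[key]) if rec[key] else None   # empty field = unset
    if rec["last_change"] is not None:
        rec["last_change_date"] = EPOCH + timedelta(days=rec["last_change"])
    return rec

def audit(passwd_rec, shadow_rec=None):
    """Return the policy weaknesses a reviewer would flag for one account."""
    findings = []
    pw = passwd_rec["password"]
    if pw == "":
        findings.append("empty password field: the account needs no password")
    elif pw not in ("x", "!", "*"):     # not a shadow/locked placeholder
        findings.append("hash sits in world-readable /etc/passwd instead of shadow")
    if shadow_rec is not None:
        if shadow_rec["hash"].startswith("$1$"):
            findings.append("$1$ (MD5-crypt) hash: cheap to brute force, migrate scheme")
        if shadow_rec["max_days"] is None or shadow_rec["max_days"] >= 99999:
            findings.append("max_days 99999 or unset: password never expires")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_passwd(PASSWD_LINE), parse_shadow(SHADOW_LINE)):
        print("-", finding)
```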

Check Other Linux & UNIX Variants
Passwords can also be stored in these files:
• /etc/security/passwd (accessible by root only)
• /.secure/etc/passwd (accessible by root only)
Step 2: Extract SAM File in Windows Machines
Windows 2000/XP passwords are stored in c:\winnt\system32\etc\SAM.
The file is named SAM (locked when WINNT is running).
Extraction tools:
• SAMDUMP
• PWDUMP
• L0phtcrack
Extract Backup of SAM/Emergency Repair Disk
Windows also stores passwords in either a backup of the SAM file in the c:\winnt\repair directory or on an emergency repair disk.
Check Registry
Windows applications store passwords in the Registry or as plaintext files on the hard drive.
Check Microsoft's Server Message Block (SMB) Protocol
Check for vulnerabilities in the SMB protocol that is used for file and print sharing.
Run NetBIOS Auditing Tool (NAT) and extract the passwords using the following command:
nat -u userlist.txt -p passlist.txt testing IP_address
Check the Active Directory Database
Check for passwords in the active directory database files that are stored locally or spread across domain controllers.
Step 3: Identify the Target Person's Personal Profile
If you are trying to guess Rebecca's password on her desktop, then compile a list of items she likes.
Example:
• Favorite car
• Birthday, anniversary day, and other special occasions
• Movies, music, sports, drama, and arts
• Education, cartoon characters, novelists
• Parents, relatives, kids names
• Country, city, holiday resorts, etc.
• Project working on
Step 4: Build a Dictionary of Word Lists
Build a word list based on the information from the previous slide.
Tools:
• Dictionary maker
• Pass list
Step 5: Attempt to Guess Passwords
Obtaining a legitimate user ID is not an easy task.
Creation of a user ID involves a variation of the employee's first name and last name.
Email addresses posted on the organization's website show a sample user ID format.
Acquiring a copy of the organization's internal telephone directory helps in discovering and constructing a valid user ID.
Many system software products are initially configured with default user IDs and passwords.
These user IDs and passwords are designed to enable vendors to perform remote transactions.
Step 6: Brute Force Passwords
Run a dictionary attack and brute-force to crack passwords.
Tools:
• Brutus
• L0phtcrack
• Munga bunga
• Password cracker
Step 6: Brute Force Passwords (cont'd)
Resources:
• www.antifork.org
• www.bindview.com
• www.cerberus-infosec.co.uk
• www.hackersclub.com
• www.hoobie.net
• www.intrusion.com
• www.nai.com
• www.nmrc.org
• www.phenoelit.de
• www.securitysoftwaretech.com
• www.users.dircon.co.uk/~crypto
• www.waveset.com
• packetstormsecurity.nl/Crackers/wordlists
Step 7: Use Automated Password Crackers to Break Password Protected Files
Automated password cracking tools systematically guess passwords.
Tools:
• Brutus: www.antifork.org/hoobie.net
• Cerberus Internet Scanner: www.cerberus-infosec.co.uk
• Crack: www.users.dircon.co.uk/~crypto
• CyberCop Scanner: www.nai.com
• Inactive Account Scanner: www.waveset.com
• Legion and NetBIOS Auditing Tool (NAT): www.hackersclub.com
• L0phtcrack: www.securitysoftwaretech.com
• John the Ripper, SAMDump, PWDump, PWDump2, PWDump3: www.nmrc.org
• SecurityAnalyst: www.intrusion.com
• TeeNet: www.phenoelit.de
• WebCrack: www.packetstorm.decepticons.org
Extract Cleartext Passwords from the Dictionary
Logon passwords are stored in:
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Extract Cleartext Passwords from an Encrypted LM Hash
Use the Cain and Abel tool to extract the cleartext password from an encrypted LM hash.