JTR: KING OF THE PASSWORD CRACKERS

It is hard to imagine discussing a topic like the basics of hacking without discussing passwords and password cracking. No matter what we do or how far we advance, it appears that passwords remain the most popular way to protect data and allow access to systems. With this in mind, let us take a brief detour to cover the basics of password cracking.
There are several reasons why a penetration tester would be interested in cracking passwords. First and foremost, this is a great technique for elevating and escalating privileges. Consider the following example: assume that you were able to compromise a target system, but after logging in you discover that you have no rights on that system. No matter what you do, you are unable to read and write the target’s files and folders, and even worse, you are unable to install any new software. This is often the case when you get access to a low-privileged account belonging to the “user” or “guest” group.
If the account you accessed has few or no rights, you will be unable to perform many of the steps required to further compromise the system. I have actually been involved with several Red Team exercises where seemingly competent hackers are at a complete loss when presented with an unprivileged account. They throw up their hands and say “Does anyone want an unprivileged account on this machine? I don’t know what to do with it.” In this case, password cracking is certainly a useful way to escalate privileges and often allows us to gain administrative rights on a target machine.
Another reason for cracking passwords and escalating privileges is that many of the tools we run as penetration testers require administrative-level access in order to install and execute properly. As a final thought, on occasion penetration testers may find themselves in a situation where they were able to crack the local administrator password (the local admin account on a machine) and have this password turn out to be the exact same password that the network administrator was using for the domain administrator account.
Password hint #1: Never, never, never use the same password for your local machine administrator account as you do for your domain administrator account.
If we can access the password hashes of a target machine, the chances are good that with enough time, JtR (John the Ripper), a password-cracking tool, can discover the plaintext version of a password. Password hashes are the encrypted and scrambled versions of a plaintext password. These hashes can be accessed remotely or locally. Regardless of how we access the hash file, the steps and tools required to crack the passwords remain the same. In its most basic form, password cracking consists of two parts:
- Locate and download the target system’s password hash file.
- Use a tool to convert the hashed (encrypted) passwords into a plaintext password.
Most systems do not store your password as the plaintext value you enter; rather, they store an encrypted version of the password. This encrypted version is called a hash. For example, assume you pick the password “qwerty” (which is obviously a bad idea). When you log into your PC, you type the password “qwerty” to access the system. However, behind the scenes your computer is actually calculating, creating, passing, and checking an encrypted version of the password you entered. This encrypted version, or hash, of your password appears to be a random string of characters and numbers.
Different systems use different hashing algorithms to create their password hashes. Most systems store their password hashes in a single location. This hash file usually contains the encrypted password for several user and system accounts. Unfortunately, gaining access to the password hashes is only half the battle, because simply viewing or even memorizing a password hash (if such a thing were possible) is not enough to determine the plaintext. This is because, technically, it is not supposed to be possible to work backward from a hash to the plaintext. By definition, a hash is a one-way transformation: once a password has been hashed, the result is never meant to be decrypted.
Consider the following example. Assume that we have located a password hash and we want to discover the plaintext value. It is important to understand that in most cases we need the plaintext password, not the hashed password. Entering the hashed value into the system will not get us access, because this would simply cause the system to hash the hash (which is obviously incorrect).
There is an attack called “pass the hash” which allows you to replay or resend the hashed value of a password in order to authenticate with a protected service. When a pass-the-hash attack is used, there is no need to crack the password and discover its plaintext value.
In order to discover the plaintext version of a password, we need to cycle through a series of steps. First, we select a hashing algorithm; second, we pick a plaintext word; third, we encrypt the plaintext word with the hashing algorithm; and finally, we compare the newly hashed word with the hash from our target. If the hashes match, we know the plaintext password, because no two different plaintext words should produce the exact same hash.
Although this may seem like a clumsy, awkward, or slow process for a human, computers specialize in tasks like this. Given the computing power available today, completing the four-step process outlined above is trivial for a modern machine. The speed at which JtR can generate password hashes will vary depending on the algorithm being used to create the hashes and the hardware that is running JtR. It is safe to say that even an average computer is capable of generating millions of Windows (LAN Manager (LM)) password guesses every second. JtR includes a nifty feature that allows you to benchmark your computer’s performance. This benchmark is measured in cracks per second (c/s). You can run this by opening a terminal and navigating to the JtR directory as shown below:
Once you are in the John directory, you can issue the following command to test your c/s metric. Note that you do not actually need to be in the John directory: the John executable is located under /usr/sbin/, so it can be executed from any directory.
This will provide you with a list of performance metrics and let you know how efficient your system is at generating guesses based on your hardware and the algorithm being used to hash the passwords.
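The four-step loop described above (choose an algorithm, pick a candidate word, hash it, compare it with the target hash) and the cracks-per-second benchmark are small enough to write out in full. The following Python is an added example, not code from the book or from John the Ripper: the "hash file", the account list and the wordlist are all constructed inline, plain hashlib digests stand in for a real system's password hash format, and the `benchmark` function only approximates what John's `--test` mode reports. It goes slightly beyond the text by checking every candidate against all of the accounts in the hash file at once, which shows why unsalted hashes for several users fall together.

```python
"""Dictionary password cracking: the four-step loop in miniature.

Constructed example (not from the book or from John the Ripper). The
hash file and wordlist are built inline; hashlib digests stand in for a
real operating system's password hash format.
"""
import hashlib
import time

# Step 1: the hashing algorithm the target system is assumed to use.
ALGORITHMS = {
    "sha1": lambda pw: hashlib.sha1(pw.encode()).hexdigest(),
    "sha256": lambda pw: hashlib.sha256(pw.encode()).hexdigest(),
}


def build_hash_file(accounts, algorithm):
    """Produce the 'username:hash' lines a captured hash file would hold.

    Constructed data: unsalted, so two users with the same password
    end up with the identical hash.
    """
    digest = ALGORITHMS[algorithm]
    return [f"{user}:{digest(pw)}" for user, pw in accounts]


def parse_hash_file(lines):
    """Map each hash to the list of users that share it."""
    targets = {}
    for line in lines:
        user, _, h = line.partition(":")
        targets.setdefault(h, []).append(user)
    return targets


def crack(lines, wordlist, algorithm):
    """Steps 2-4: pick a candidate, hash it, compare with every target hash.

    Returns {username: plaintext} for every account whose hash matched.
    Each candidate is hashed once and looked up against all accounts.
    """
    digest = ALGORITHMS[algorithm]
    targets = parse_hash_file(lines)
    found = {}
    for candidate in wordlist:
        h = digest(candidate)
        for user in targets.pop(h, []):
            found[user] = candidate
        if not targets:          # everything cracked, stop early
            break
    return found


def benchmark(algorithm, seconds=0.2):
    """Rough cracks-per-second (c/s) figure, in the spirit of JtR's --test.

    The number depends on the algorithm and the hardware, exactly as the
    text says; only its order of magnitude is meaningful.
    """
    digest = ALGORITHMS[algorithm]
    count, deadline = 0, time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        digest(f"candidate{count}")
        count += 1
    return int(count / seconds)


# Constructed sample accounts and wordlist (assumed, not from the page).
ACCOUNTS = [("alice", "qwerty"), ("bob", "letmein"),
            ("carol", "qwerty"), ("dave", "7fR!x#pQ2v")]
WORDLIST = ["password", "123456", "qwerty", "letmein", "admin"]

if __name__ == "__main__":
    lines = build_hash_file(ACCOUNTS, "sha256")
    for line in lines:
        print(line)
    print("cracked:", crack(lines, WORDLIST, "sha256"))
    print("sha256 benchmark:", benchmark("sha256"), "c/s")
```

Running it cracks alice, bob and carol (alice and carol share one hash, so one candidate hash recovers both), while dave's password is not in the wordlist and stays uncracked. The benchmark figure is the same kind of number the JtR benchmark reports, and it shows why the algorithm matters: a fast general-purpose digest gives a far higher c/s than a deliberately slow password hash would.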
As previously mentioned, password cracking can be performed as either a local attack or a remote attack. In our initial discussion below, we will focus on password cracking from the local perspective; that is, how an attacker or penetration tester would crack the passwords if they had physical access to the machine. Examining the attack from a local perspective will allow you to learn the proper techniques. We will wrap up this section by discussing how this attack can be performed remotely.