LPTv4 Module 25: Password Cracking Penetration Testing


ECSA / LPT
EC-Council

Module XXV: Password Cracking Penetration Testing

Penetration Testing Roadmap

Start Here
• Information Gathering
• Vulnerability Analysis
• External Penetration Testing
• Firewall Penetration Testing
• Router and Switches Penetration Testing
• Internal Network Penetration Testing
• IDS Penetration Testing
• Wireless Network Penetration Testing
• Denial of Service Penetration Testing
• Password Cracking Penetration Testing
• Stolen Laptop, PDAs and Cell Phones Penetration Testing
• Social Engineering Penetration Testing
• Application Penetration Testing
Cont'd

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Penetration Testing Roadmap (cont'd)
• Physical Security Penetration Testing
• Database Penetration Testing
• VoIP Penetration Testing
• Virus and Trojan Detection
• War Dialing
• VPN Penetration Testing
• Log Management Penetration Testing
• File Integrity Checking
• Blue Tooth and Hand held Device Penetration Testing
• Telecommunication and Broadband Communication Penetration Testing
• Email Security Penetration Testing
• Security Patches Penetration Testing
• Data Leakage Penetration Testing
End Here

Passwords
• Companies protect their resources by using combinations of user IDs and passwords.
• Hackers can brute force or guess the passwords of web applications.
• Some system software products use weak or no encryption to store and/or transmit their user IDs and passwords from the client to the server.
• One of the leading causes of network compromises is the use of easily guessable or decipherable passwords.
Common Password Vulnerabilities

Weak passwords are:
• Easily guessable, i.e. pet names, car number, family member's name, etc.
• Comprised of common vocabulary words.

Improper handling of strong passwords:
• Involves the need for the user to write down the password in an insecure location.

Password Cracking Techniques
• Guessing
• Shoulder surfing
• Social engineering
• Using password crackers or network analyzers

Types of Password Cracking Attacks
• Dictionary attack: compares a set of words (a word list) against a password database. Cheap, and it succeeds whenever the password is a plain vocabulary word.
• Brute-force attack: checks every combination of letters, numbers and symbols up to a given length until the password is found. Always succeeds eventually, but the cost grows exponentially with password length.
• Hybrid attack: takes each word from the dictionary file and appends or substitutes numbers and symbols (e.g. summer09!), catching the common habit of "strengthening" a word with a suffix.

Steps in Password Cracking Penetration Testing
1. Extract the /etc/passwd and /etc/shadow files on Linux systems
2. Extract the SAM file on Windows machines
3. Identify the target person's personal profile
4. Build a dictionary of word lists
5. Attempt to guess passwords
6. Brute force passwords
7. Use automated password crackers to break password-protected files
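The three attack types above, and steps 4 to 6 of the procedure (build a word list, guess, then brute force), as one worked example. This is an added example, not code from the module: the hash function is a salted SHA-256 stand-in for the system's real one-way hash, and the word list, salts and target passwords (rover, summer09!, b4d) are constructed for illustration.

```python
"""Dictionary, hybrid and brute-force attacks against a small set of salted
password hashes. Added example: the hash function, word list and targets are
constructed for illustration and are not from the module or any real system."""
import hashlib
import itertools
import string

def hash_password(password, salt):
    """Stand-in for the system's one-way hash (salted SHA-256). Real crypt, LM or
    NTLM hashes differ in cost and format, but the attack logic is the same."""
    return hashlib.sha256((salt + password).encode()).hexdigest()

# Constructed targets, as if pulled from a shadow file: user -> (salt, hash).
TARGETS = {
    "nomad":    ("x7", hash_password("rover", "x7")),      # pet name, in the word list
    "webadmin": ("q1", hash_password("summer09!", "q1")),  # word + digits + symbol
    "dorkus":   ("zz", hash_password("b4d", "zz")),        # short but not a word
}

# Constructed word list; a real one comes from profiling (step 3) plus public lists.
WORDLIST = ["password", "rover", "summer", "fred", "admin", "nomad"]

def dictionary_attack(salt, target, wordlist=WORDLIST):
    """Compare each word from the list against the hash."""
    for word in wordlist:
        if hash_password(word, salt) == target:
            return word
    return None

def hybrid_attack(salt, target, wordlist=WORDLIST, max_suffix=3):
    """Dictionary words, optionally capitalised, with up to max_suffix digits or
    symbols appended: catches 'summer09!' where the plain dictionary fails."""
    suffix_chars = string.digits + "!@#$"
    for word in wordlist:
        for base in (word, word.capitalize()):
            for n in range(max_suffix + 1):
                for suffix in itertools.product(suffix_chars, repeat=n):
                    candidate = base + "".join(suffix)
                    if hash_password(candidate, salt) == target:
                        return candidate
    return None

def brute_force_attack(salt, target, charset=string.ascii_lowercase + string.digits, max_len=3):
    """Every combination of charset up to max_len characters. Returns the password
    (or None) and the number of hashes computed, so the cost is visible."""
    attempts = 0
    for n in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            attempts += 1
            candidate = "".join(combo)
            if hash_password(candidate, salt) == target:
                return candidate, attempts
    return None, attempts

def crack_all(targets=TARGETS):
    """Cheapest attack first, the way a tester orders them: dictionary, then hybrid,
    then brute force. Returns user -> (method, password) for whatever was recovered."""
    results = {}
    for user, (salt, target) in targets.items():
        password = dictionary_attack(salt, target)
        if password is not None:
            results[user] = ("dictionary", password)
            continue
        password = hybrid_attack(salt, target)
        if password is not None:
            results[user] = ("hybrid", password)
            continue
        password, _ = brute_force_attack(salt, target)
        results[user] = ("brute-force", password)
    return results

if __name__ == "__main__":
    for user, (method, password) in crack_all().items():
        print(f"{user:10s} {method:12s} {password}")
```

The ordering in crack_all is the point: the dictionary pass costs a handful of hashes, the hybrid pass a few tens of thousands, and brute force is bounded only by the character set and length you are willing to wait for. A real engagement swaps hash_password for the target's actual scheme (crypt(3), LM, NTLM) and feeds a real word list; the control flow stays the same.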
Step 1: Extract /etc/passwd and /etc/shadow Files in Linux Systems

The password file for Linux is located in /etc and is a text file called passwd. By default and by design, this file is world readable by anyone on the system. On a Unix system using NIS/yp or password shadowing the password data may be located elsewhere. This "shadow" file is usually where the password hashes themselves are located; unlike passwd it is readable only by root, which is why the hashes are moved there. The "!" in the second field of the listing below is a placeholder (on a shadowed Linux system it is usually "x"); the hashes are in /etc/shadow. Note also that operator has UID 0 in this listing, which makes it a second root account: a finding in its own right before any cracking starts.

root:!:0:0:root:/root:/bin/tcsh
bin:!:1:1:bin:/bin:
daemon:!:2:2:daemon:/sbin:
adm:!:3:4:adm:/var/adm:
lp:!:4:7:lp:/var/spool/lpd:
sync:!:5:0:sync:/sbin:/bin/sync
shutdown:!:6:0:shutdown:/sbin:/sbin/shutdown
halt:!:7:0:halt:/sbin:/sbin/halt
mail:!:8:12:mail:/var/spool/mail:
news:!:9:13:INN (NNTP Server) Admin ID, 525-2525:/usr/local/lib/inn:/bin/ksh
uucp:!:10:14:uucp login user:/var/spool/uucppublic:/usr/sbin/uucp/uucico
operator:!:0:0:operator:/root:/bin/tcsh
games:!:12:100:games:/usr/games:
man:!:13:15:man:/usr/man:
postmaster:!:14:12:postmaster:/var/spool/mail:/bin/tcsh
httpd:!:15:30:httpd:/usr/sbin:/usr/sbin/httpd:
nobody:!:65535:100:nobody:/dev/null:
ftp:!:404:100::/home/ftp:/bin/nologin
nomad:!:501:100:Simple Nomad, 525-5252:/home/nomad:/bin/bash
webadmin:!:502:100:Web Admin Group ID:/home/webadmin:/bin/bash
thegnome:!:503:100:Simple Nomad's Old Account:/home/thegnome:/bin/tcsh
dorkus:!:504:100:Alternate account for Fred:/home/dorkus:/bin/tcsh
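What a tester does with the two files once extracted, as an added example that is not part of the module: parse both, join them by user name, and flag the conditions worth reporting before any cracking effort (duplicate UID 0, empty password field, shared hashes, weak hash schemes, expired passwords). The passwd lines are a subset of the Step 1 listing; the shadow lines are constructed here to pair with them and follow the standard shadow(5) field order, with illustrative hash values only.

```python
"""Audit /etc/passwd and /etc/shadow entries for the conditions a password cracking
test looks for first. Added example, not from the module. The passwd lines are a
subset of the Step 1 listing; the shadow lines are constructed to pair with them and
follow the standard shadow(5) field order (hash values are illustrative only)."""
import re
from collections import Counter

PASSWD = """\
root:!:0:0:root:/root:/bin/tcsh
operator:!:0:0:operator:/root:/bin/tcsh
nobody:!:65535:100:nobody:/dev/null:
ftp:!:404:100::/home/ftp:/bin/nologin
nomad:!:501:100:Simple Nomad, 525-5252:/home/nomad:/bin/bash
webadmin:!:502:100:Web Admin Group ID:/home/webadmin:/bin/bash
thegnome:!:503:100:Simple Nomad's Old Account:/home/thegnome:/bin/tcsh
"""

# name:hash:lastchg:min:max:warn:inactive:expire:reserved  (day counts since 1970-01-01)
SHADOW = """\
root:$6$c0nstructed$AbCdEfGh:14000:0:99999:7:::
operator:HrLNrZ3VS3TF2:14000:0:99999:7:::
nobody:*:14000:0:99999:7:::
ftp::14000:0:99999:7:::
nomad:HrLNrZ3VS3TF2:12000:0:90:7:::
webadmin:$1$c0nstr$XyZ:14000:0:99999:7:::
thegnome:!$6$c0nstructed$Locked:13000:0:99999:7:::
"""

DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")   # traditional crypt(3): 2-char salt + 11 chars
WEAK_SCHEMES = {"descrypt", "md5crypt"}          # fast to compute, cheap to crack

def parse_passwd(text):
    """name -> uid, gid, gecos, home, shell (field 2 is only a placeholder when shadowed)."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        users[f[0]] = {"uid": int(f[2]), "gid": int(f[3]), "gecos": f[4],
                       "home": f[5], "shell": f[6]}
    return users

def parse_shadow(text):
    """name -> hash plus the aging fields; empty numeric fields become None."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = (line.split(":") + [""] * 9)[:9]
        num = lambda s: int(s) if s else None
        entries[f[0]] = {"hash": f[1], "lastchg": num(f[2]), "min": num(f[3]),
                         "max": num(f[4]), "warn": num(f[5]),
                         "inactive": num(f[6]), "expire": num(f[7])}
    return entries

def classify_hash(h):
    """Name the scheme from the hash prefix; '' and '!'/'*' markers are special."""
    if h == "":
        return "empty"            # login with no password at all
    if h.startswith(("!", "*")):
        return "locked"
    for prefix, name in (("$6$", "sha512crypt"), ("$5$", "sha256crypt"),
                         ("$y$", "yescrypt"), ("$2", "bcrypt"), ("$1$", "md5crypt")):
        if h.startswith(prefix):
            return name
    return "descrypt" if DES_CRYPT.match(h) else "unknown"

def audit(passwd_text, shadow_text, today_days):
    """Return sorted (user, finding) pairs. today_days is days since the epoch, passed
    in rather than read from the clock so results are reproducible."""
    users, shadow = parse_passwd(passwd_text), parse_shadow(shadow_text)
    findings = [(u, "EXTRA_UID0") for u, e in users.items() if e["uid"] == 0 and u != "root"]
    crackable = {}
    for user, s in shadow.items():
        scheme = classify_hash(s["hash"])
        if scheme == "empty":
            findings.append((user, "EMPTY_PASSWORD"))
            continue
        if scheme == "locked":
            continue
        crackable[user] = s["hash"]
        if scheme in WEAK_SCHEMES:
            findings.append((user, "WEAK_HASH_" + scheme.upper()))
        if s["max"] is not None and s["lastchg"] is not None and today_days - s["lastchg"] > s["max"]:
            findings.append((user, "PASSWORD_EXPIRED"))
    # An identical hash string means identical salt and password: crack one, get both.
    counts = Counter(crackable.values())
    findings += [(u, "SHARED_HASH") for u, h in crackable.items() if counts[h] > 1]
    return sorted(findings)

if __name__ == "__main__":
    for user, finding in audit(PASSWD, SHADOW, today_days=14010):
        print(f"{user:10s} {finding}")
```

The 13-character DES crypt form (the HrLNrZ3VS3TF2 example from the module) is flagged as weak because it uses only the first 8 characters of the password and a 12-bit salt, so it cracks orders of magnitude faster than the $6$ (SHA-512) or bcrypt forms; the shared-hash check matters because two users with the same salt and hash have the same password, and cracking one account exposes both.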
Linux Password Example

nomad:HrLNrZ3VS3TF2:501:100:Simple Nomad:/home/nomad:/bin/bash

This is what the fields actually are:
• nomad: account or user name, what you type in at the login prompt
• HrLNrZ3VS3TF2: one-way encrypted password (plus any aging info)
• 501: user number (UID)
• 100: group number (GID)
• Simple Nomad: GECOS information
• /home/nomad: home directory
• /bin/bash: program to run on login, usually a shell

[...]

• [...] at the login prompt
• Password
• Last password changed
• Minimum number of days required between password changes
• Maximum number of days the password is valid
• The number of days the user is warned before the expiration date of the password

[...]

Check Other Linux & UNIX Variants

Passwords can also be stored in these [...]

Tool: Password List Recovery 2.6

Password List Recovery shows all the passwords in the current Windows user's Password List (PWL) file. They are kept in the Windows directory and have a PWL extension.

Password List Recovery 2.6: Screenshot

[...]

http://www.outpost9.com/files/WordLists.html

Step 7: Use Automated Password Crackers to Break Password-Protected Files

Automated password cracking tools systematically guess passwords.

Tools:
• Brutus: www.hoobie.net
• Crack: www.users.dircon.co.uk/~crypto
• Inactive Account Scanner: www.waveset.com
• Legion and NetBIOS Auditing [...]
• Other sites listed on the slide: www.antifork.org, www.nai.com
[...] configured with default user IDs and passwords. User IDs and passwords designed to enable vendors to perform remote transactions [...]

Step 6: Brute Force Passwords

Run a dictionary attack and brute-force to crack passwords.

Tools:
• Brutus
• L0phtcrack
• Munga Bunga
• Password Cracker

[...]

Extract Cleartext Passwords from the Registry

Logon passwords are stored:
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (the DefaultPassword value, present when automatic logon has been configured, holds the password in cleartext)

Extract Cleartext Passwords from an Encrypted LM Hash

Use the Cain and Abel tool to recover the cleartext password from an LM hash. LM hashing uppercases the password, pads it to 14 characters and hashes each 7-character half separately with DES, so a 14-character password is cracked as two independent 7-character, uppercase-only problems.

[...]

Sniff Cleartext Passwords from the Wire

FTP, HTTP, POP3, SMTP and IMAP send passwords as cleartext. Run a sniffer to capture them.

Tool:
• dsniff

Replay Attack to Crack Password

A replay attack intercepts the data packets and resends [...]

Summary
• Passwords protect computer resources and files from unauthorized access by malicious users.
• A combination of passwords and user IDs is used by companies to protect their resources against intrusion by hackers and thieves.
• The password file for Linux is located in /etc and is a text file called passwd. By default [...]
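What "run a sniffer to capture them" amounts to for the protocols named in Sniff Cleartext Passwords from the Wire, as an added example that is not from the module and not dsniff's code: the credential extraction logic run over constructed client-to-server payloads, one list of lines per TCP stream, in the form a sniffer would reassemble them. It decodes FTP and POP3 USER/PASS, SMTP AUTH PLAIN and AUTH LOGIN (base64), IMAP LOGIN and HTTP Basic authorization; the addresses, user names and passwords are invented.

```python
"""Pull cleartext credentials out of client-to-server application data for the
protocols named above (FTP, POP3, SMTP, IMAP, HTTP). Added example, not from the
module or from dsniff: the payloads are constructed here, one list of lines per
TCP stream, as a sniffer would reassemble them."""
import base64
import re

def b64(s):
    return base64.b64encode(s.encode()).decode()

# Constructed streams: "proto server:port" -> client lines in order.
SAMPLE_STREAMS = {
    "ftp 10.0.0.5:21":    ["USER nomad", "PASS rover", "SYST"],
    "pop3 10.0.0.6:110":  ["USER webadmin", "PASS summer09!", "STAT"],
    "smtp 10.0.0.7:25":   ["EHLO laptop", "AUTH PLAIN " + b64("\0dorkus\0b4d")],
    "smtp 10.0.0.8:25":   ["EHLO laptop", "AUTH LOGIN", b64("fred"), b64("letmein")],
    "imap 10.0.0.9:143":  ['a001 LOGIN thegnome "Old Account!"', "a002 SELECT INBOX"],
    "http 10.0.0.10:80":  ["GET /admin HTTP/1.1", "Host: intranet",
                           "Authorization: Basic " + b64("admin:Passw0rd")],
}

USER_RE  = re.compile(r"^USER\s+(\S+)$", re.I)           # FTP and POP3
PASS_RE  = re.compile(r"^PASS\s+(.*)$", re.I)
PLAIN_RE = re.compile(r"^AUTH\s+PLAIN\s+(\S+)$", re.I)   # SASL PLAIN with initial response
LOGIN_RE = re.compile(r"^AUTH\s+LOGIN$", re.I)           # SMTP AUTH LOGIN: two base64 lines follow
IMAP_RE  = re.compile(r'^\S+\s+LOGIN\s+("[^"]*"|\S+)\s+("[^"]*"|\S+)$', re.I)
BASIC_RE = re.compile(r"^Authorization:\s+Basic\s+(\S+)$", re.I)

def decode_b64(s):
    """Return the decoded text, or None if s is not valid base64 text."""
    try:
        return base64.b64decode(s, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None

def extract_credentials(streams):
    """Return (protocol, user, password) triples in the order they were seen."""
    found = []
    for stream, lines in streams.items():
        proto = stream.split()[0]
        user = None          # USER seen, waiting for PASS
        login_step = 0       # AUTH LOGIN: 1 = next line is user, 2 = next line is password
        for line in lines:
            line = line.rstrip("\r\n")
            if login_step:
                value = decode_b64(line)
                if value is None:
                    login_step = 0                       # not a credential line after all
                elif login_step == 1:
                    user, login_step = value, 2
                else:
                    found.append((proto, user, value))
                    user, login_step = None, 0
                continue
            m = USER_RE.match(line)
            if m:
                user = m.group(1)
                continue
            m = PASS_RE.match(line)
            if m and user is not None:
                found.append((proto, user, m.group(1)))
                user = None
                continue
            m = PLAIN_RE.match(line)
            if m:
                parts = (decode_b64(m.group(1)) or "").split("\0")
                if len(parts) == 3:                      # authzid \0 authcid \0 password
                    found.append((proto, parts[1], parts[2]))
                continue
            if LOGIN_RE.match(line):
                login_step = 1
                continue
            m = IMAP_RE.match(line)
            if m:
                found.append((proto, m.group(1).strip('"'), m.group(2).strip('"')))
                continue
            m = BASIC_RE.match(line)
            if m:
                decoded = decode_b64(m.group(1))
                if decoded and ":" in decoded:
                    user_part, _, password_part = decoded.partition(":")
                    found.append((proto, user_part, password_part))
    return found

if __name__ == "__main__":
    for proto, user, password in extract_credentials(SAMPLE_STREAMS):
        print(f"{proto:5s} {user}:{password}")
```

Base64 is an encoding, not encryption, which is why AUTH LOGIN, AUTH PLAIN and HTTP Basic count as cleartext here: anyone on the path decodes them as easily as the server does. Only the client-to-server direction is needed for these protocols; the fix on the target side is TLS (FTPS, POP3S, IMAPS, SMTP STARTTLS, HTTPS), not a different encoding.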
Step 2: Extract SAM File from Windows Machines

Windows 2000/XP password hashes are stored in the SAM hive under the system directory: %SystemRoot%\system32\config\SAM (c:\winnt\system32\config\SAM on a default Windows 2000 install). The file is named SAM and is locked while Windows is running, which is why the extraction tools below read the hashes from memory or from a copy rather than opening the live file.

Extraction tools:
• SAMDUMP
• PWDUMP
• L0phtcrack

Extract Backup of SAM / Emergency Repair Disk

Windows also stores passwords in either a backup of the SAM file in [...]

[...] users' names and passwords in national symbol encoding.

SAMInside 2.5.8.0 (pwdump): Screenshot

Tool: Dictionary Maker

Dictionary Maker is a tool to compose dictionaries (word lists) for password recovery using [...]

[...] applications store passwords in the Registry or as plaintext files on the hard drive.

Check Microsoft's Server Message Block (SMB) Protocol

Check for vulnerabilities in the SMB protocol, which is used for file and print sharing. Run the NetBIOS Auditing Tool (NAT) and extract the passwords using the following [...]

Posted: 18/12/2014, 09:28

Từ khóa liên quan

Tài liệu cùng người dùng

Tài liệu liên quan