Hacking Module 13

Raven uses password cracking tools and services to illegally access email accounts, websites, and systems for money. He starts small by cracking his friend's email password using brute force attacks after dictionary attacks fail. Over time, he gets better at password cracking and offers his services online. There is concern that he may eventually learn to disrupt systems or crack passwords of government agencies. The document discusses authentication methods, password crackers, how they work using dictionary, brute force and hybrid attacks, and potential countermeasures.
Copyright: Attribution Non-Commercial (BY-NC)

NMCSP 2008 Batch-I

Module XIII: Web-Based Password Cracking Techniques
Scenario
Cracking accounts, stealing files and defacing websites are just a click away for Raven. All of these illegal activities give him a kick, and he uses his skills to make a living. He runs a website where people can request all kinds of jobs, such as cracking e-mail accounts, enumerating accounts and more: whatever the requester wants to get from any website. The work is done only after payment is made, and he charges a minimal amount. Raven is a hit in the underground community. The users, however, have to give their e-mail IDs on his online request form to get the information.
Raven's first encounter with cracking came when he was a fresh but unemployed graduate. He had read about cracking on the net and about crackers who offer their services for money, and this lured him into becoming a cracker. His first victim was his friend's e-mail account: when a dictionary attack failed he switched to a brute force attack, and after a few attempts he had the password. Thus Raven's journey into illegal activities began.
How far can he go? What if he masters other activities, such as writing malicious code to disrupt systems on the net or cracking the passwords of government agencies?
Module Objectives
• Authentication: definition
• Authentication mechanisms
• What is a password cracker?
• Modus operandi of an attacker using a password cracker
• How does a password cracker work?
• Attacks: classification
• Password cracking tools
• Countermeasures
Module Flow
Authentication definition -> Types of authentication -> What is a password cracker? -> Modus operandi of an attacker using a password cracker -> How does a password cracker work? -> Classification of attacks -> Password guessing -> Query string -> Cookies -> Dictionary maker -> Different password crackers -> "Mary had a little lamb" formula -> Countermeasures
Authentication - Definition
• Authentication is the process of determining a user's identity.
• In private and public computer networks, authentication is commonly done through login IDs and passwords.
• Knowledge of the password is assumed to guarantee that the user is authentic.
• Passwords can be stolen, accidentally revealed, guessed or forgotten; these are the inherent weaknesses of this type of authentication, and they are what a password cracker exploits.
Authentication Mechanisms
• HTTP Authentication
  • Basic Authentication
  • Digest Authentication
• Integrated Windows (NTLM) Authentication
• Negotiate Authentication
• Certificate-Based Authentication
• Forms-based Authentication
• Microsoft Passport Authentication
HTTP Authentication
• There are two techniques for HTTP authentication:
  • Basic
  • Digest
Basic Authentication
• The simplest form of authentication available to web applications.
• It begins with a client requesting a protected resource without any credentials. The server answers 401 with a WWW-Authenticate: Basic header, and the client repeats the request with an Authorization header carrying base64(username:password).
• The limitation of this scheme is that it is wide open to eavesdropping: base64 is an encoding, not encryption, and the credentials are resent on every request.
• Serving the site over SSL/TLS thwarts passive eavesdropping, but does nothing against password guessing, since Basic authentication has no lockout or delay of its own.
Digest Authentication
• Designed to provide a higher level of security than Basic authentication.
• Based on the challenge-response model: the server sends a nonce, and the client replies with an MD5 digest computed over the username, realm, password, nonce, HTTP method and URI.
• It is a significant improvement over Basic authentication, as the user's cleartext password is never sent over the network.
• It is still vulnerable to replay if the server does not track nonces, since the same digest will grant access to the same resource again. A captured digest can also be attacked offline with a dictionary, because everything in the digest except the password is visible on the wire.
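The following is an added example, not code from the original module: it builds the Basic header a browser sends and shows how trivially an eavesdropper decodes it, then computes an RFC 2617 Digest response (the qop-less form) and checks it against a small verifier. The verifier is run twice, once without nonce tracking to show the replay problem the slide describes and once with it. The username, password and realm are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample credentials (not from the original slides).
USERNAME = "sue"
PASSWORD = "s3cret!"
REALM = "mail.example"


def basic_header(user, password):
    """What a browser sends for Basic auth: base64 of 'user:password'.
    Base64 is an encoding, not encryption, so anyone on the path can decode it."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic_header(header):
    """What a passive eavesdropper recovers from a captured Basic header."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, password, realm, nonce, method, uri):
    """RFC 2617 Digest without qop: response = MD5(HA1:nonce:HA2), where
    HA1 = MD5(user:realm:password) and HA2 = MD5(method:uri).
    The password never appears on the wire, only this digest."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


class DigestServer:
    """Minimal verifier. It stores HA1 per user (as Apache's htdigest does) and,
    when replay_protection is on, accepts each nonce only once."""

    def __init__(self, realm, users, replay_protection=True):
        self.realm = realm
        self.ha1 = {u: _md5(f"{u}:{realm}:{p}") for u, p in users.items()}
        self.replay_protection = replay_protection
        self.issued = set()   # nonces handed out in WWW-Authenticate
        self.used = set()     # nonces already redeemed

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        return nonce

    def verify(self, user, nonce, method, uri, response):
        if nonce not in self.issued or user not in self.ha1:
            return False
        if self.replay_protection and nonce in self.used:
            return False  # nonce already spent: this is a replayed capture
        ha2 = _md5(f"{method}:{uri}")
        expected = _md5(f"{self.ha1[user]}:{nonce}:{ha2}")
        ok = hmac.compare_digest(expected, response)
        if ok:
            self.used.add(nonce)
        return ok


def demo():
    # Basic: the captured header is reversible in one call.
    recovered = decode_basic_header(basic_header(USERNAME, PASSWORD))

    # Digest without nonce tracking: the sniffed response works again.
    weak = DigestServer(REALM, {USERNAME: PASSWORD}, replay_protection=False)
    nonce = weak.challenge()
    resp = digest_response(USERNAME, PASSWORD, REALM, nonce, "GET", "/inbox")
    first = weak.verify(USERNAME, nonce, "GET", "/inbox", resp)
    replayed_weak = weak.verify(USERNAME, nonce, "GET", "/inbox", resp)

    # Digest with nonce tracking: the same replay is rejected.
    strong = DigestServer(REALM, {USERNAME: PASSWORD})
    nonce2 = strong.challenge()
    resp2 = digest_response(USERNAME, PASSWORD, REALM, nonce2, "GET", "/inbox")
    first2 = strong.verify(USERNAME, nonce2, "GET", "/inbox", resp2)
    replayed_strong = strong.verify(USERNAME, nonce2, "GET", "/inbox", resp2)
    return recovered, first, replayed_weak, first2, replayed_strong
```

Note that nonce tracking only closes the replay hole. An attacker holding `nonce`, `method`, `uri` and `resp` can still run `digest_response` over a wordlist offline and recover a weak password, which is why Digest is not a substitute for TLS.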
Integrated Windows (NTLM) Authentication
• Uses Microsoft's proprietary NT LAN Manager (NTLM) challenge-response authentication over HTTP.
• At the time of this module it only worked with Microsoft's Internet Explorer browser and IIS web servers; other browsers and servers have since added support.
• Integrated Windows authentication is more suitable for intranet deployment.
• No version of the user's password crosses the wire, only a response computed from the password hash. A captured challenge/response pair can nevertheless be cracked offline or relayed to another host, so it is not immune to sniffing.
Negotiate Authentication
• An extension of NTLM authentication (SPNEGO).
• It provides Kerberos-based authentication, falling back to NTLM when Kerberos is not available.
• Client and server use a negotiation process to decide which mechanism, and therefore which level of security, to use.
• This configuration is fairly restrictive and uncommon except on corporate intranets.
Certificate-Based Authentication
• Uses public key cryptography and a digital certificate to authenticate users.
• Combined with a password it is considered two-factor authentication: in addition to something the user knows (the password), he must prove possession of the certificate's private key (something he has).
• It is possible to trick a user into accepting a spoofed or fake certificate, which is the basis of the man-in-the-middle tools listed later in this module.
• Very few hacking tools of this period supported client certificates.
Forms-Based Authentication
• It does not rely on the authentication features of the basic web protocols (HTTP and SSL); the application itself collects and checks the credentials.
• It is a highly customizable mechanism that uses a form, usually composed of HTML, whose fields are posted to the server. The credentials travel in cleartext unless the form is submitted over SSL/TLS, and lockout and delay are only whatever the application implements.
• It is the most popular authentication technique deployed on the Internet.
Microsoft Passport Authentication
• Single sign-on is the term for a system in which users need only remember one username and password to be authenticated for multiple services.
• Passport was Microsoft's universal single sign-in (SSI) platform.
• It enabled one set of credentials to access any Passport-enabled site, such as MSN, Hotmail and MSN Messenger.
• Microsoft encouraged third-party companies to use Passport as a universal authentication platform, so one cracked Passport password opened every participating site.
What Is A Password Cracker?
• According to the Maximum Security definition, "A password cracker is any program that can decrypt passwords or otherwise disable password protection."
• In practice stored passwords are hashed rather than encrypted, so a cracker reverses nothing: it hashes candidate passwords and compares the result with the stored value.
• Password crackers use two primary methods to identify correct passwords: brute-force and dictionary searches.
• A password cracker may also be able to extract password hashes from a computer's memory or password database, after which they can be cracked offline.
Modus Operandi of an attacker using a password cracker
• The aim of an attacker using a password cracker is usually to obtain the root/administrator password of the target system.
• Administrator rights give the attacker access to files and applications, and let him install a backdoor, such as a trojan, for future access to the accounts.
• The attacker can also install a network sniffer on the compromised host to capture internal network traffic, and with it most of the information (including further credentials) passed around the network.
• If the cracked account is unprivileged, the attacker uses it as a foothold and escalates privileges to administrator or root.
• To crack passwords efficiently, the attacker uses a system with greater computing power, or spreads the work over several machines.
How Does A Password Cracker Work? 1.
• To understand how a password cracker works, it helps to understand how passwords are stored: most systems do not keep the password itself but a one-way transformation of it, produced with some form of cryptography.
• Crypto stems from the Greek word kryptos, which was used to describe anything hidden, obscured, veiled, secret or mysterious. Graph is derived from graphia, which means writing.
How Does A Password Cracker Work? 2.
• Cryptography is concerned with the ways in which communications and data can be encoded to prevent disclosure of their contents through eavesdropping or message interception, using codes, ciphers and other methods, so that only certain people can see the real message.
• Distributed cracking is where the cracker runs the cracking program in parallel on separate processors. There are a few ways to do this; one is to break the password file into pieces and crack those pieces on separate machines.
How Does A Password Cracker Work? 3.
• The wordlist is sent through the hashing process, generally one word at a time. Rules are applied to the word and, after each such application, the result is again compared with the target password hash. If no match occurs, the next word is sent through the process.
• In the final stage, if a match occurs, the password is deemed cracked and the plaintext word is written to a file.
Attacks - Classification
• The various types of attacks performed by a hacker to crack a password are as follows:
  • Dictionary attack
  • Hybrid attack
  • Brute force attack
Attacks - Classification (contd.)
• Dictionary attack: a simple dictionary attack is the fastest way to break into an account. A dictionary file is loaded into a cracking application, which is then run against the user accounts it has located.
• Hybrid attack: a hybrid attack adds numbers or symbols to each dictionary word (and applies case changes and character substitutions) to crack passwords that are a word plus a small decoration.
• Brute force attack: a brute force attack is the most comprehensive form of attack, trying every combination of the character set, though it may take a very long time depending on the length and complexity of the password.
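As an added example (not code from the original module or from any of the tools it lists), the three attack classes above in one small cracker, scheduled cheapest first the way the slides describe. The "password file" is constructed for the example: three user records whose plaintexts are a plain dictionary word, a mangled dictionary word and a short random string, hashed with salted SHA-256 standing in for whatever hash the real system uses.

```python
import hashlib
import itertools
import string

# Constructed wordlist for the example; a real run loads a large file.
WORDLIST = ["123456", "password", "letmein", "dragon", "qwerty"]


def hash_password(salt, password):
    """Stand-in for the system's one-way password transformation."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed "shadow" records: user -> (salt, hash). The plaintexts are
# "dragon" (dictionary), "Dragon1" (hybrid) and "zq7" (brute force).
SHADOW = {
    "alice": ("x9", hash_password("x9", "dragon")),
    "bob": ("k2", hash_password("k2", "Dragon1")),
    "carol": ("q4", hash_password("q4", "zq7")),
}


def mangle(word):
    """Hybrid rules: variants of one dictionary word (case changes, appended
    digits or symbols, leetspeak), the same kind of rules a dictionary maker
    or John's rule engine applies."""
    forms = {word, word.capitalize(), word.upper()}
    for base in list(forms):
        for suffix in [str(d) for d in range(10)] + ["!", "123"]:
            forms.add(base + suffix)
        forms.add(base.replace("a", "@").replace("o", "0").replace("e", "3"))
    return forms


def dictionary_attack(salt, target, wordlist=WORDLIST):
    for word in wordlist:
        if hash_password(salt, word) == target:
            return word
    return None


def hybrid_attack(salt, target, wordlist=WORDLIST):
    for word in wordlist:
        for cand in mangle(word):
            if hash_password(salt, cand) == target:
                return cand
    return None


def brute_force(salt, target, alphabet=string.ascii_lowercase + string.digits,
                max_len=3):
    """Exhaustive search by increasing length; cost grows as |alphabet|**length,
    which is why it is tried last and capped here."""
    for length in range(1, max_len + 1):
        for tup in itertools.product(alphabet, repeat=length):
            cand = "".join(tup)
            if hash_password(salt, cand) == target:
                return cand
    return None


def crack(shadow=SHADOW):
    """Run the attacks cheapest first and record which one succeeded."""
    results = {}
    for user, (salt, target) in shadow.items():
        for attack in (dictionary_attack, hybrid_attack, brute_force):
            hit = attack(salt, target)
            if hit is not None:
                results[user] = (attack.__name__, hit)
                break
    return results


if __name__ == "__main__":
    for user, (how, plaintext) in crack().items():
        print(f"{user}: {plaintext!r} via {how}")
```

The per-user salt is what forces the cracker to rehash every candidate for every account instead of hashing the wordlist once; note also that the distributed cracking the slide mentions is just `crack()` run over disjoint slices of `SHADOW` or of `WORDLIST` on different machines.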
Password guessing
• Password guessing attacks can be carried out manually or via automated tools.
• Social engineering of the victim may also sometimes reveal passwords.
• Password guessing can be performed against all types of web authentication.
• The common passwords tried first are: root, administrator, admin, operator, demo, test, webmaster, backup, guest, trial, member, private, beta, [company_name], or [known_username].
Password guessing (contd.)
• Most users choose passwords, and password-reset answers, related to their personal life, such as a father's middle name (the original slide shows a screenshot of such a reset form).
• An attacker who knows or guesses these details can fill in the forgotten-password form and have the password reset or revealed.
• This is one of the simplest forms of password guessing.
Query String
• The query string is the extra bit of data in the URL after the question mark (?) that is used to pass variables.
• The query string is used to transfer data between client and server, and the client controls every byte of it.
Example:
http://www.mail.com/mail.asp?mailbox=sue&company=abc%20com
If the application trusts the query string to decide whose mailbox to show, Sue can read Joe's mailbox simply by changing the URL to:
http://www.mail.com/mail.asp?mailbox=joe&company=abc%20com
Cookies
• Cookies are a popular form of session management.
• Cookies are often used to store important fields such as usernames and account numbers.
• All of these fields can be easily modified on the client with a program like CookieSpy, so a server that trusts an unsigned cookie is trusting the attacker.
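The following added example (not code from the original module) puts the query-string and cookie slides side by side. The first handler trusts `?mailbox=` and serves whatever is asked for; the hardened one lets the query string select but makes the session decide authorisation. The cookie half signs the `user` field with an HMAC under a server-side key so that an edit with a cookie editor is detected. The mailbox contents, the key and the URLs are constructed for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed sample data for the example (not from the original slides).
MAILBOXES = {"sue": ["Q3 report"], "joe": ["payroll"]}
SERVER_KEY = secrets.token_bytes(32)   # in practice lives in server config


def mailbox_from_url(url):
    """Pull the mailbox parameter out of the query string."""
    qs = parse_qs(urlsplit(url).query)
    return qs.get("mailbox", [None])[0]


def vulnerable_handler(url):
    """Trusts the query string: whoever edits ?mailbox= reads that mailbox."""
    return MAILBOXES.get(mailbox_from_url(url))


def hardened_handler(url, session_user):
    """The query string only selects; the authenticated session authorises."""
    requested = mailbox_from_url(url)
    if requested != session_user:
        return None   # a real app answers 403 and logs the attempt
    return MAILBOXES[requested]


# Cookies: a bare "user=sue" cookie can be rewritten by any cookie editor.
# An HMAC over the value, keyed with a server secret, makes edits detectable.

def make_cookie(user):
    sig = hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"user={user}; sig={sig}"


def parse_cookie(cookie):
    """Return the user named in the cookie only if the signature checks out."""
    parts = dict(p.strip().split("=", 1) for p in cookie.split(";"))
    user, sig = parts["user"], parts["sig"]
    expected = hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(expected, sig) else None


def demo():
    sue_url = "http://www.mail.com/mail.asp?mailbox=sue&company=abc%20com"
    joe_url = "http://www.mail.com/mail.asp?mailbox=joe&company=abc%20com"
    tampered = make_cookie("sue").replace("user=sue", "user=joe")
    return {
        "vuln_sue_reads_joe": vulnerable_handler(joe_url),
        "hard_sue_reads_joe": hardened_handler(joe_url, session_user="sue"),
        "hard_sue_reads_sue": hardened_handler(sue_url, session_user="sue"),
        "cookie_genuine": parse_cookie(make_cookie("sue")),
        "cookie_tampered": parse_cookie(tampered),
    }
```

Signing stops tampering, not theft: a copied cookie still authenticates whoever presents it, so the session value should also be random, short-lived and sent only over TLS.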
Dictionary Maker
• Dictionary files can be downloaded from the Internet or generated manually with a dictionary-maker tool, typically by mangling base words (case changes, appended digits, substitutions) in the same way a hybrid attack does.
Password Crackers Available
• L0phtCrack
• John The Ripper
• Brutus
• ObiWaN
• Authforce
• Hydra
• Cain and Abel
• RAR
• Gammaprog
• WebCracker
• Munga Bunga
• PassList
• ReadCookies.html
• SnadBoy
• WinSSLMiM
L0phtCrack
• LC4 is one of the most popular password crackers available.
• LC4 recovers Windows user account passwords, either to regain access to accounts whose passwords are lost or to streamline the migration of users to other authentication systems.
John The Ripper
• John the Ripper is a password cracker for UNIX, DOS, WinNT and Win95.
• John can crack the following password hash types:
  • standard and double-length DES-based
  • BSDI's extended DES-based
  • FreeBSD's MD5-based
  • OpenBSD's Blowfish-based
• John the Ripper combines several cracking modes in one program and is fully configurable.
Brutus
• Brutus is an online, or remote, password cracker: it guesses against the live service rather than against captured hashes.
• Brutus is used to recover valid access tokens (usually a username and password) for a given target system.
ObiWaN
• ObiWaN targets the simple challenge-response authentication mechanism of web servers.
• This mechanism does not provide for intruder lockout or impose delay times for wrong passwords, which is what makes online guessing against it practical.
• ObiWaN uses wordlists and alternations of numeric or alphanumeric characters as candidate passwords.
Authforce
• Authforce is HTTP Authentication brute force attack software.
• Using various methods, it attempts to brute force username and password pairs for a site.
• It is used both to test the security of a site and to demonstrate the insecurity of HTTP Authentication, given that users usually do not choose good passwords.
Hydra
• Supports several protocols, including TELNET, FTP, HTTP, HTTPS, LDAP, SMB, SMBNT, MYSQL, REXEC, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, ICQ, Cisco auth, Cisco enable and Cisco AAA.
• Using its parallel connection feature, this password cracking tool can be fast, depending on the protocol.
• It allows rapid dictionary attacks and includes SSL support.
Cain and Abel
• Cain & Abel is a password recovery tool for Microsoft operating systems.
• It allows the easy recovery of various kinds of passwords by sniffing the network and cracking the captured hashes using dictionary, brute-force and cryptanalysis attacks, among others.
• It contains a feature called APR (ARP Poison Routing), which enables sniffing on switched LANs by hijacking the IP traffic of multiple hosts at the same time.
RAR
• This program is intended to recover lost passwords for RAR/WinRAR archives of versions 2.xx and 3.xx.
• The program cracks passwords by the brute force method or by the wordlist/dictionary method.
• The program is able to save its current state and resume later.
• An estimated-time calculator lets the user configure the program more carefully.
Gammaprog
• Gammaprog is a brute force password cracker for web-based e-mail accounts.
• It supports POP3 cracking as well.
• It supports piping: if the wordlist name is stdin, the program reads candidates from standard input rather than from a file.
• It includes Wingate (proxy) support for POP3 cracking.
Hacking Tool: WebCracker
• WebCracker is a simple tool that takes text lists of usernames and passwords and uses them as dictionaries to implement Basic authentication password guessing.
• It keys on an "HTTP 302 Object Moved" response to indicate a successful guess. This is a heuristic: a site that also redirects on failure will produce false positives.
• It will report all successful guesses for the given username/password combinations.
Hacking Tool: Munga Bunga
• Brute force software that uses the HTTP protocol to establish its connections.
Hacking Tool: PassList
• PassList is another character-based password generator.
Hacking Tool: Read Cookies
• Reads the cookies stored on the computer. This tool can be used for stealing cookies or cookie hijacking.
Hacking Tool: SnadBoy
http://www.snadboy.com
• "SnadBoy Revelation" turns the asterisks in password fields back into plain text passwords. It needs access to the desktop, which is exactly what a saved password in a dialog box relies on nobody having.
Hacking Tool: WinSSLMiM
http://www.securiteinfo.com/outils/WinSSLMiM.shtml
• WinSSLMiM is an HTTPS man-in-the-middle attack tool. It includes FakeCert, a tool to make fake certificates.
• It can be used to exploit the Certificate Chain vulnerability in Internet Explorer. The tool works under Windows 9x/2000.
• Usage:
  • FakeCert: fc -h
  • WinSSLMiM: wsm -h
"Mary Had A Little Lamb" Formula
Consider a sentence: "Mary had a little lamb. The lamb had white fleece".
1. Take the first letter of each word: MHALLTLHWF
2. Put every second letter of the abbreviation in lower case: MhAlLtLhWf
3. Replace 'A' with '@' and 'L' with '!'. This forms a new password of more than 8 characters that mixes letters and symbols.
4. New password: Mh@l!t!hWf
Countermeasures
• Passwords chosen should have at least eight characters.
• Passwords should combine small and capital letters, numbers and special characters.
• Words that are easily found in a dictionary should not be used as passwords, even with a digit or symbol appended, since hybrid attacks try exactly that.
• Identifying numbers such as social security number, credit card number, ATM card number, etc. should not be used as passwords.
• Personal information should never be used as a password.
• Username and password should be different.
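As an added example (not code from the original module), the two user-facing ideas above in working form: the "Mary had a little lamb" formula from the earlier slide as a function, and a checker that applies these countermeasure rules to a candidate password. The small dictionary and the personal-information list are constructed for the example; a real checker would load the same large wordlists a cracker uses.

```python
import string

# Constructed dictionary snippet for the example only.
COMMON_WORDS = {"password", "dragon", "letmein", "welcome", "monkey", "qwerty"}
SUBSTITUTIONS = {"A": "@", "L": "!"}   # the two substitutions the slide uses


def passphrase_from_sentence(sentence, subs=SUBSTITUTIONS):
    """The 'Mary had a little lamb' formula: first letter of each word,
    every second letter lower-cased, then letters swapped for symbols.
    The sentence is the secret the user actually remembers."""
    initials = [w[0] for w in sentence.replace(".", " ").split()]
    mixed = "".join(c.upper() if i % 2 == 0 else c.lower()
                    for i, c in enumerate(initials))
    return "".join(subs.get(c, c) for c in mixed)


def password_problems(password, username="", personal=()):
    """Check a candidate against the countermeasure slides and return the
    rules it breaks; an empty list means it passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    classes = {
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing " + ", ".join(missing))
    # A hybrid attack strips the decoration, so judge the bare letters too.
    core = "".join(c for c in password.lower() if c.isalpha())
    if password.lower() in COMMON_WORDS or core in COMMON_WORDS:
        problems.append("dictionary word")
    if username and password.lower() == username.lower():
        problems.append("same as username")
    for item in personal:
        if item and item.lower() in password.lower():
            problems.append(f"contains personal information ({item})")
    return problems


if __name__ == "__main__":
    pw = passphrase_from_sentence("Mary had a little lamb. The lamb had white fleece")
    print(pw, password_problems(pw))
```

Running the slide's own example through the checker is instructive: `Mh@l!t!hWf` satisfies every rule except "numbers", because the formula never introduces a digit. Adding one (for instance from a number in the sentence) fixes that. The dictionary check here undoes only case and appended characters; a production checker should run candidates through the cracker's full rule set (leetspeak included) rather than a hand-written approximation.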
Countermeasures
• Managers and administrators can enhance the security of their networks by setting strong password policies. Password requirements should be built into organizational security policies.
• System administrators should implement safeguards to ensure that people on their systems are using adequately strong passwords.
• When installing new systems, default passwords must be set to pre-expire so that they have to be changed immediately.
Countermeasures
• Sites can deploy the SRP protocol. SRP is a secure password-based authentication and key-exchange protocol. It solves the problem of authenticating clients to servers securely while the user of the client software only has to memorize a small secret (like a password) and carries no other secret information. The server stores a verifier derived from the password rather than the password itself, and an eavesdropper on the exchange learns nothing usable for an offline dictionary attack.
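The following is an added example, not code from the original module or from any SRP library: a complete SRP-6a exchange in pure Python, with both the client's and the server's computations, so that the claims above can be checked. The group is a 64-bit safe prime generated at start-up from a fixed seed, which is a toy choice made for the example; real deployments use the large groups from RFC 5054, but the protocol steps are identical. The identity and password are constructed.

```python
import hashlib
import hmac
import random
import secrets


def is_probable_prime(n, rounds=20):
    """Miller-Rabin with deterministic bases (enough for a toy group)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(0)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits, seed=1):
    """Toy parameter generation: N = 2q + 1 with q prime (assumption: seeded
    so the example is reproducible; RFC 5054 groups replace this in practice)."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


N = safe_prime(64)
g = 2


def H(*parts):
    """SHA-256 over the concatenation of ints (big-endian), bytes and strings."""
    m = hashlib.sha256()
    for p in parts:
        if isinstance(p, int):
            p = p.to_bytes(max(8, (p.bit_length() + 7) // 8), "big")
        elif isinstance(p, str):
            p = p.encode()
        m.update(p)
    return int.from_bytes(m.digest(), "big")


def register(identity, password):
    """Enrolment: the server stores (salt, v = g^x), never the password.
    Stealing v gives an attacker a dictionary-attack target but not a
    password-equivalent he could log in with."""
    salt = secrets.token_bytes(16)
    x = H(salt, H(identity + ":" + password))
    return salt, pow(g, x, N)


class SRPServer:
    def __init__(self, identity, salt, v):
        self.identity, self.salt, self.v = identity, salt, v

    def challenge(self, A):
        if A % N == 0:
            raise ValueError("illegal client value A")   # mandatory SRP check
        self.A = A
        self.b = secrets.randbelow(N - 2) + 1
        k = H(N, g)
        self.B = (k * self.v + pow(g, self.b, N)) % N
        return self.salt, self.B

    def finish(self, M1):
        """Derive the shared key from A, v and b, then check the client proof."""
        u = H(self.A, self.B)
        S = pow(self.A * pow(self.v, u, N), self.b, N)
        K = H(S)
        expected = H(self.A, self.B, K)
        if not hmac.compare_digest(M1.to_bytes(32, "big"), expected.to_bytes(32, "big")):
            return None
        return K


def client_login(identity, password, server):
    """Client side; returns (client key, server-confirmed key or None)."""
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    salt, B = server.challenge(A)
    if B % N == 0:
        raise ValueError("illegal server value B")       # mandatory SRP check
    k, u = H(N, g), H(A, B)
    x = H(salt, H(identity + ":" + password))
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    K = H(S)
    return K, server.finish(H(A, B, K))
```

Everything an eavesdropper sees (`A`, `B`, `salt`, `M1`) is either random or depends on the discrete-log secrets `a` and `b`, so unlike a Digest response there is nothing to run a wordlist against; a wrong password simply fails the `M1` check without revealing how close the guess was.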


Summary
• Authentication is the process of checking the identity of the person claiming to be the legitimate user.
• HTTP (Basic and Digest), NTLM, Negotiate, Certificate-Based, Forms-based and Microsoft Passport are the different types of authentication covered.
• Password crackers use two primary methods to identify correct passwords: brute-force and dictionary searches, with hybrid attacks combining the two.
• L0phtCrack, John The Ripper, Brutus, ObiWaN, etc. are some of the most popular password cracking tools available today.
• The best technique to prevent the cracking of passwords is to use passwords of more than 8 characters that mix letters, numbers and special characters, and to avoid dictionary words and personal information.
