3 - 1 Information Assurance Foundations - SANS ©2001 1 Password Assessment and Management Security Essentials The SANS Institute This module will address password security. Although user names and passwords are a familiar technology, most people are not aware of the inherent weaknesses in many of the different password- based authentication schemes in use today. These weaknesses are important to understand since many networks would be compromised if passwords on just a few key machines (such as firewalls, DNS servers, or Windows domain controllers) were known to an attacker. Many of us remember how, in the movie Wargames, a teenager breaks into the government's super- secret WOPR computer by guessing the username and password of the scientist who created WOPR's software. The teen researched information publicly available about the scientist, and guessed that the man's password was the name of his young son -- Joshua. That familiar example illustrates exactly why it is important not to use words or names that might be associated with a person as passwords. These values can be guessed by an attacker. Further, most of us are aware that we shouldn't use passwords that are too short (because all character combinations can be easily tried) or write passwords on a sticky note and put the note under the keyboard. But beyond this basic understanding, can we quantify what makes a password difficult to guess when a computer is used as the guessing engine? It turns out that the (sometimes non-intuitive) answer depends on the particular method used to protect the sensitive information. In this module we will explore how and why we strive to protect passwords on the following two levels: • The password files should be protected from reading or theft. • It should be computationally infeasible (ideally) for an attacker to guess the password values even given the password files. If an attacker does manage to obtain a copy of a password file, we do not want him to be able to use the information contained therein to recover the password values. We will see that the methods used to achieve password protection differ between operating systems, vary in effectiveness, and in some cases have undergone recent evolution. This module will explore common password strategies in use today, how these schemes are attacked, and how administrators can maximize the strength of the password scheme they employ. 3 - 2 Password Assessment and Management - SANS ©2001 2 Agenda • What password cracking is • Why it is important • Methods of password cracking • Password cracking in Unix - Crack • Password cracking in Windows - LC3 (L0phtCrack) • Password cracking with John the Ripper Typically OS file permission schemes are employed to ensure that only privileged users (if any) can access password file information. However, attacks exist to circumvent file access restrictions and an attacker may be able to read or obtain a copy of the file. Further, an attacker may have already gained sufficient privileges to read the file and wants to harvest other username/password combinations to try on neighboring systems. Because it is possible for an attacker to get a copy of the password file, our discussion today will focus most strongly on the process of "cracking" passwords. "Cracking" is the process of attempting to "guess" passwords given password file information. We will start with a discussion of what password cracking is, why it is important, and methods of password cracking. We will then move on to Unix password cracking and concentrate on Crack. Then we will jump to the Microsoft side of the house and cover L0phtCrack (the newest version is called LC3). For both packages we will cover how to install and run the program, how to view the results, how to protect against password cracking, and features of a strong password. At the end of the module we will explore a more recent addition to the cracking toolbox called "John the Ripper". "John" is important due to the tool's speed advantages and ability to crack passwords encoded with a wide range of encryption algorithms. We will see how Crack, LC3, and John evolved to meet the increased cracking challenges posed by recent upgrades to the Unix and Windows password protection mechanisms. 3 - 3 Password Assessment and Management - SANS ©2001 3 Why Are Passwords So Important? • First line of defense • Control access • Get additional access • Create back door for future access Let's back up for a moment and think about why passwords are so important. Passwords are often the first line of defense against interactive attacks on a system. Since it is fairly easy for someone to figure out a user ID, the only thing protecting the system is a user’s password. If an attacker can gather no helpful information to aid in the attack (such as password file contents or sniffed network traffic) he must resort to either creative or "brute force" password guessing. If an attacker can at least read the password file or obtain a copy, his chances of successfully obtaining an actual password increase significantly. Even if the attacker only obtains a lowly user- level password, it is fair to assume that he will log on to the target system as the user and then break into "root" via an operating system hole. Consider this brief example. Most companies have dial-up access for remote access to their network. Unfortunately in most companies, the dial-up modems reside behind the firewall, which means once you are authenticated by the remote access server, you have access to the network. In this case, if someone has a weak password, an attacker can use a war dialer to find the remote access number, dial-up the number, guess a weak password, and within a matter of minutes, an attacker has just gained full access to the network. 3 - 4 Password Assessment and Management - SANS ©2001 4 How Are Passwords Stored? • User passwords must be protected against: – unauthorized disclosure – unauthorized modification – unauthorized removal • Solution: Store only the encrypted password In many companies, passwords are more than the first line of defense -- they are the only line of defense protecting internal information and servers. Since most user IDs consist of the first initial/last name of an employee (or some combination), it is fairly easy to discover valid user IDs for individuals at a company. Then, the only other piece of information needed to gain access is a user password. Therefore passwords need to be protected and very hard to guess. The key things passwords need to be protected against are unauthorized disclosure, unauthorized modification, and unauthorized removal. If users write down their passwords or share them with other people, then it is likely that a malicious party could obtain the password. An attacker able to modify a password is just as problematic, because he could set the password to a particular value without needing to know what the original password was. Note that changing the password is potentially risky for the attacker however, because if the user tries to log in and cannot, foul play may be suspected. In order to protect passwords, operating systems use encryption, which basically hides the original content so if someone gets the encrypted password they will not be able to determine what the original password was. 3 - 5 Password Assessment and Management - SANS ©2001 5 Encryption 101 • Encryption is the process of converting plaintext into ciphertext. • The goal is to make the original text unreadable. • Three basic methods: – symmetric - single key – asymmetric - two keys (public and private) – hash – one-way algorithm, no key This section will cover a brief overview of encryption so that you can understand why and how password cracking works. For additional details, there are two additional modules in this training course that cover encryption in-depth. In its most basic form, cryptography is the process of converting plaintext into ciphertext, with the goal of making the original text unreadable. Basically, plaintext is the original, human-readable message and ciphertext is the unreadable message in its encrypted form. Therefore, since the goal of passwords is to make them unreadable, they are stored in encrypted form. There are three basic types of encryption. Symmetric encryption uses a single key to encrypt and decrypt the message. Symmetric encryption is also known as secret key encryption because a single, secret key is used for encryption and decryption. If two people wanted to communicate, they would both have to have the same key. One person would use the key to encrypt the message, and the other person would use the same key to decrypt it. The security of the scheme relies on the fact that an attacker does not know the secret key. Asymmetric encryption uses two keys, a public and a private key. Asymmetric encryption is also known as public key cryptography because it uses both a private key and a public key to encrypt and decrypt information. The public key is given to everyone while the private key is only known by the owner. These keys form an "encryption-decryption pair" -- anything encrypted with the public key can be decrypted with the private key, and anything encrypted with the private key can be decrypted with the public key. Note that symmetric and asymmetric encryption mechanisms provide both for translating text into ciphertext, and for recovering the original text from the ciphertext. Hash functions are a little bit different. Hash algorithms are considered "one-way" functions because they perform a one-way transformation of information that is irreversible. Basically, given an input string, the hash function produces a fixed-length encrypted output string, and from the output string there is no way to recover the original input string. 3 - 6 Password Assessment and Management - SANS ©2001 6 What Is Password Cracking? Discovering a plain text password given an encrypted password. Encryption Algorithm clear-text password (unknown) encrypted password (known) Encryption Algorithm guesses for clear-text passwords guesses for encrypted passwords MATCH Computers use hashing algorithms to encrypt passwords for storage. This means that someone who recovers a password file cannot use the hashed values to reverse the one-way encryption function and recover the original passwords. But how does the computer use the encrypted information then to authenticate users? The technique is simple. Even though hashing functions cannot be reversed, they always produce the same output given the same input. Thus, the computer stores only the hashed passwords (rather than original passwords) on disk. When a user attempts to authenticate, the computer applies the hash algorithm to the password the user has supplied for authentication. If the hash of the user-supplied password matches the hash stored on disk, the user is successfully authenticated. Password cracking is the process of trying to guess or determine someone’s plaintext password, given only their encrypted password. The process does not actually "crack" the encryption, but rather mimics the actions that would be taken if a user tried several passwords until they guessed the right one. Each "guess" is hashed and compared to the stored value. When a match is found, the user is authenticated. "Cracking" is the process of using a computer to generate many "guesses" and quickly try them all against the hashed password value until a match is found. The cracking operation is performed "offline", against a recovered password file. The general method for cracking is the following: •Find a valid user ID •Find the encryption algorithm used •Obtain the encrypted password •Create a list of possible passwords •Encrypt each password •See if there is a match One tip for speeding up the process is to pre-compute the encrypted versions of all possible clear-text passwords. At that point the entire process reduces to comparing the encrypted password of interest with all values on the pre-computed list. When a matching encrypted value is found, we extract the clear-text password corresponding to the encrypted match to find the answer. 3 - 7 Password Assessment and Management - SANS ©2001 7 Methods of Password Cracking • Dictionary attack • Hybrid attack • Brute force attack There are three general methods for cracking passwords. The main difference between the alternatives is the speed of performing the crack vs. the complexity of passwords that can be cracked. For example, one method that is extremely quick will only crack passwords with a low complexity such as passwords that contain only alpha characters. More complex passwords might contain alpha characters, numbers, and special characters, but will take longer to crack. The fastest method for cracking passwords is a dictionary attack. This is done by testing all the words in a dictionary or word file against the password hashes. When it finds the correct password, it displays the result. There are lots of sites that have downloadable dictionaries you can use. These attacks are quite effective because people tend to choose dictionary words for passwords. The second method to crack passwords is called a hybrid attack. This attack builds upon the dictionary method by adding numeric and symbol characters to dictionary words. Many users choose passwords such as "bogus11" or ”he11o!!” (where the letter L’s are replaced by numeric ones). These passwords are just dictionary words slightly modified with additional numbers and symbols. The hybrid attack rapidly computes these passwords. These are the types of passwords that will pass through many password filters and policies, yet still are easily crackable. Several tools have configurable rulesets that allow the attacker to specify the combinations and permutations of dictionary words that should be tried. The final and most powerful cracking method is the brute force method. This method will always recover the password no matter how complex. It is just a matter of time. Really complex passwords that use characters that are not directly available on the keyboard may take so much time that it is not feasible to crack them on a single machine using today's hardware. But most complex passwords can be cracked in a matter of days. This is usually much shorter than the time most administrators set their password policy expiration time to. Using a real-world cracking tool is the only good way to know what time one should set for password expirations. 3 - 8 Password Assessment and Management - SANS ©2001 8 Why Is Password Cracking Useful? • Auditing strength of passwords • Recovering a forgotten password • Recovering an unknown password • Migrating users • Checks and balances There are many reasons for computing users’ passwords. First and foremost is for a system administrator to audit the strength of the passwords that their users are using. There are password filters for Unix, but how do you know how well you have chosen a filter? Without testing the passwords generated by users against a real-world password cracker, you are guessing at the time it will take an external attacker or malicious insider to uncover the passwords. Other uses include recovering a forgotten password, retrieving the password of a user in order to impersonate them, or migrating Windows NT users to another platform such as Unix. Migrating users from one platform to another is included for completeness, but is not recommend. In every case where I saw companies attempt to do this, it never worked and always resulted in a security violation. An example of this would be a company that currently has 2 NT domains and they want to migrate to a single domain. Instead of moving half of the accounts to one domain, giving those users a new temporary password that is the same for all users, and have all users logon and change their password, a company might want to make this process transparent to them. One way to do this is to crack all of the passwords on one domain and then manually enter the new account with the old password for each user on the new system. This way when the users come in, they can logon with their old password and not even know that their account has been migrated. The negative side is several users besides the end user now know the user’s password. As you can imagine, this could lead to a lot of potential problems. Some could also argue that cracking user’s passwords also results in a potential security violation, because once the password is cracked others will know that user’s password. As we all know this is not an issue because everyone trusts security. ☺ (Sorry, there I go with geek humor again.) Since this is a concern, password cracking can be used for checks and balances, where strong passwords are never cracked. For example, if the password policy for a particular company says all passwords must contain alpha characters, numbers, and special characters, then a customized cracking scheme can be developed. We can use our password cracker to crack passwords that only contain alpha characters, or numbers, or special characters, or alpha characters and numbers, or alpha characters and special characters, or numbers and special characters. In this case if the password adheres to the policy, which means it contains alpha characters, numbers, and special characters, then it will not be cracked. Only passwords that do not follow the policy will be cracked and seen by the administrator. Users with cracked passwords would be instructed to change their passwords immediately and the administrator never sees the new values. 3 - 9 Password Assessment and Management - SANS ©2001 9 Unix Password Cracking - Crack • Name: Crack • Operating System: Unix • Brief Description: Crack is a "password guessing" program that is designed to quickly identify accounts having weak passwords given a Unix password file. Crack is a freely available program designed to break Unix encrypted passwords by standard guessing techniques. Crack was originally developed for passwords encrypted using the DES-based crypt() function that is typically included in the Unix standard C libraries. Over time, Crack evolved to support crypt() versions that use non-DES hash algorithms (such as MD5), and to use alternate DES implementations on OS installations where the crypt() function is not available. The Crack program is written to be flexible, configurable and fast, and can make use of several networked hosts via the Berkeley rsh program (or similar), where possible. Note: According to Crack's author Alec Muffet, of all the possible encryption implementations that Crack can use, the program usually runs fastest with Eric Young's "libdes". This fact will become more interesting when we discuss John the Ripper. Note: Each of the password cracking programs we will discuss operates by checking the users' passwords against "guessable" values. The method is illustrated in the previous slide. The program works by encrypting a list of likely passwords and seeing if the result matches any of the encrypted passwords contained in the password file. The tools are surprisingly effective and easy to use. 3 - 10 Password Assessment and Management - SANS ©2001 10 Crack • Available from ftp://ftp.cerias.purdue.edu/pub/tools/unix/pwdutils/crack •Features – Configurable password cracking – Modular approach with various scripts – Combining and extracting password files – Works with any crypt() implementation Crack’s main function is to crack passwords on a Unix machine. There are some versions that have been ported to other operating systems, but the original program works only on Unix. Crack also has a modular approach where Crack is used only to crack user passwords. But what makes Crack so useful is that it comes with various other scripts. For example, one script is used to view the results of running Crack. Another script is used to combine password files. This is very useful because it makes it very flexible and adaptable to be used in various environments. One of the distinguishing strengths of Crack is the huge number of rules (over 2000) it uses to create permutations of password guesses. Each time Crack is run it uses supplementary information from the password file's comment fields to create a new wordlist (in addition to using the standard dictionaries and permutations thereof). Often users will put information about themselves, such as their full name, in the comment field and then use some permutation of this information as their password. Crack takes advantage of the comment information to create a list of password guesses specifically tailored for each user. [...]... Eric password eric John password john1234 Mike password 5369421 Mary password #57adm7# Sue password sue Lucy password 12345 Pat no password Tim password password Cathy password 55555 Frank password abcde Tom password mnopqr Karen password bbbbbbbb Password Assessment and Management - SANS ©2001 15 To show you how effective Crack is at cracking passwords, this is a sample password file that was used and. .. password #57adm7# Sue password sue - CRACKED Lucy password 12345 - CRACKED Pat no password - CRACKED Tim password password - CRACKED Cathy password 55555 - CRACKED Frank password abcde - CRACKED Tom password mnopqr Karen password bbbbbbbb - CRACKED Password Assessment and Management - SANS ©2001 17 As you can see, Crack guessed eight of the passwords All of the passwords that were guessed were either simple... to better understand some of the options that are available to protect against password guessing 3 - 24 Use passwd+ • Passwd+ makes several checks – user must enter password twice – minimum length password – password must be a mixture of letters, numbers, and special characters – password is not the user’s name – new password differs from previous password Password Assessment and Management - SANS... a Strong Password Policy (continued) • Password should not contain: – birthdays, names, sports teams, etc • Tips for picking good passwords – pick a phrase and use the first letter of each word – example - When I stub my toe I say !@#$% 5 times – password - WIsmtIs!@#$%5t Password Assessment and Management - SANS ©2001 20 Choose a hard to guess password (the "do's"): Use a mixture of upper and lower... on they use a different password • Password is only good for one session • Example – smart cards – challenge/response – SKEY • Biometrics Password Assessment and Management - SANS ©2001 24 One-time passwords are very effective against password guessing because the passwords change each time the user logs in, so there is really no password to guess If you want to overcome the password guessing problem,... one-time passwords • Use passwd to enforce strong passwords Password Assessment and Management - SANS ©2001 18 There is no one set way to protect your site from someone guessing your passwords, but there are steps you can take to minimize the chances A key to protecting passwords is a strong password By having a strong password, you can make it very difficult for someone to crack Also, by using shadow password. .. attempts – All passwords must contain one alpha, one number, and one special character – Can’t re-use previous 5 passwords Password Assessment and Management - SANS ©2001 19 A password policy is critical for a secure system A few general guidelines are given in the slide above Additional suggestions for users, taken from the "passwd" man page, are below and on the next notes page Protect your password: ... -done Password Assessment and Management - SANS ©2001 16 Basically by typing /Reporter, the above results are displayed to the user to show you which passwords were cracked 3 - 16 Effectiveness of Crack • • • • • • • • • • • • User User User User User User User User User User User User Eric password eric - CRACKED John password john1234 Mike password 5369421 Mary password #57adm7# Sue password sue... NT/2000 • Methods: dictionary attack, brute force attack, and hybrid attack • Brief Description: A powerful password cracker that can be used to audit Windows passwords Password Assessment and Management - SANS ©2001 28 LC3 is the latest version of L0phtCrack (zero, not the letter O) and is a Windows password auditing tool It will compute Windows user passwords from the cryptographic hashes that are stored... password schemes employ a salt which is meant to make passwords a little harder to guess A salt is a random string that is combined with a password before it is encrypted This is meant to randomize the password This way, if two people have the same password, they would have different salts and their passwords would be stored differently Microsoft does not use a salt, so if two users have the same passwords . ©2001 1 Password Assessment and Management Security Essentials The SANS Institute This module will address password security. Although user names and passwords. 3 - 2 Password Assessment and Management - SANS ©2001 2 Agenda • What password cracking is • Why it is important • Methods of password cracking • Password