Comparison of Password Guessing and Cracking and How They Are Used During a Pentest
Offline Password Cracking is an attempt to recover one or more passwords from a password storage file that has been recovered from a target system. Typically, this would be the Security Account Manager (SAM) file on Windows, or the /etc/shadow file on Linux. In most cases, Offline Password Cracking will require that an attacker has already attained administrator/root level privileges on the system to get to the storage mechanism. It is possible, however, that the password hashes could also have been pulled directly from a database using SQL injection, an unprotected flat text file on a web server, or some other poorly protected source.
There is a tradeoff between having a secure password and an easy password. Complicated passwords might cause some forgetful users to write their password down in order to remember it. Doing so defeats the purpose of having a secure password in the first place if an unauthorized user who wants to access the network is in close proximity to the written password, such as an employee in an adjacent office. Another problem with forgetting more complicated passwords is that the time and resources of the IT staff are consumed resetting or recovering them. Users need a system or method for remembering their passwords without writing them down and compromising the organization’s assets. An easy way to help users remember their passwords is a coding-type system. For example, have the user pick a phrase that is easy to remember. Once the users have their 6-10 word phrase, they use only the first or the last letter of each word (being consistent). The resulting password is harder to crack, since the letters will most likely not form a word, yet it is easy to remember because the user built it from a phrase they know. The next step is to change the capitalization of a few letters and to add numbers anywhere in the password. Finally, adding symbols completes the password (Microsoft). Once the password is complete, the phrase that was used could be written down, adding some security while keeping some simplicity. This type of password could still be cracked, but the resources it would take to crack it could well outweigh the value of the stolen data. Even if a coding system like this one is too impractical, simply having users change the capitalization of certain letters in their passwords and add a number will increase the security of the passwords and help prevent cracking. However, simply making a password long is not the most effective way to make it complex.
For example, if your password were all numbers, then each additional digit added to the length of your password would multiply the number of possibilities by ten. This may seem secure, as eight characters would create 100 million possible combinations. However, the simplest of computers could guess every possibility in a little more than a day. If more than one of these computers is used, or especially a brand new home desktop or a supercomputer, the result would be almost instantaneous. The best way to make a password complex is to incorporate all types of characters: not only letters, but a mixture of uppercase and lowercase letters, numbers, and symbols. An eight character password drawn from all four types would increase the possibilities to 7.2 quadrillion.
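The keyspace arithmetic behind the figures above, as an added example that is not part of the original paper. It computes how many passwords of a given length exist for each alphabet size and how long an exhaustive search takes at an assumed guess rate. The guess rates used in the demo (1,000 guesses per second for a very slow machine, one billion per second for a GPU against a fast unsalted hash) are assumptions for illustration; the alphabet sizes are standard counts, and the paper’s 7.2 quadrillion figure corresponds to a 96-symbol alphabet (95 printable ASCII characters without space gives about 6.6 quadrillion).

```python
"""Keyspace calculator for the password-length argument above (added example)."""

# Alphabet sizes. 95 is printable ASCII without the space character;
# the paper's "7.2 quadrillion" for eight characters corresponds to 96 symbols.
ALPHABETS = {
    "digits": 10,
    "lowercase": 26,
    "lowercase+uppercase": 52,
    "lowercase+uppercase+digits": 62,
    "all four types (95 printable ASCII)": 95,
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    if alphabet_size < 1 or length < 0:
        raise ValueError("alphabet_size must be >= 1 and length >= 0")
    return alphabet_size ** length


def keyspace_up_to(alphabet_size: int, max_length: int) -> int:
    """Passwords of length 1..max_length: what a brute force must walk through
    when the attacker does not know the exact length."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time for an exhaustive search at the given guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that fits (years, days, ...)."""
    units = [("years", 365 * 86400), ("days", 86400),
             ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.2f} {name}"
    return f"{seconds:.3f} seconds"


if __name__ == "__main__":
    # Assumed guess rates for the demo only (constructed, not measured).
    for rate in (1_000, 1_000_000_000):
        print(f"--- {rate:,} guesses/second ---")
        for name, size in ALPHABETS.items():
            n = keyspace(size, 8)
            print(f"{name:38s} 8 chars: {n:26,d}  "
                  f"exhaust in {humanize(seconds_to_exhaust(size, 8, rate))}")
    # Adding one digit multiplies the digit-only keyspace by ten.
    print("9 vs 8 digits:", keyspace(10, 9) // keyspace(10, 8))
```

Run it as a script to print the table; the ratio line shows the “multiply by ten per added digit” claim directly, and the 1,000 guesses/second row reproduces the “little more than a day” figure for eight digits.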
Moreover, single crack mode (as in John the Ripper) uses the GECOS field, which contains personal information about the user, together with the user’s login name and home directory, and applies several mangling rules to them. It also has the ability to crack other password hashes: if a guess succeeds, it tries the same password against all the other hashes, because there will most likely be another user with the same password. Usually the administrator has access to the file which contains the users’ information and passwords. Finally, single mode is much faster because it cracks a single password at a time. The user can also run this mode against two different files at the same time.
A brute-force attack does not actually decrypt any data; it keeps trying a list of password combinations (for example words or letters), cycling through guesses until it gains access to an account. A simple brute force could use a dictionary of all words and common passwords. The complex form of brute force tries every possible combination of numbers, letters and symbols. However, this technique has to be the last option for any cracker, because it can take a long time, and the more bits of encryption involved, the longer the cracking takes.
The sniffing technique is so called because crackers have the ability to sniff the authentication packets travelling from the client to the server across the Internet or the local area network (Sheehan, 2014). This technique can provide the cracker with hashes or other authentication data necessary for the cracking process. There is a variety of sniffer tools, such as Wireshark, ScoopLM and KerbCrack. NTLMv2 authentication traffic cannot be sniffed by either ScoopLM or KerbCrack (D. Bisson, 2015).
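A toy password audit in the style of the single crack mode described above, as an added example that is not part of the original paper and not John the Ripper’s code. It shows the two ideas the paragraph names: candidates are derived from each account’s login name and GECOS data with a few mangling rules, and every password recovered that way is then tried against all remaining hashes to find users who share it. The password file, usernames and GECOS values are constructed for the demo, and the salted SHA-256 scheme is a stand-in chosen so the example runs offline; real systems use crypt(3)-style hashes (bcrypt, sha512crypt, etc.), so the hashing function is an assumption, not a description of any real format.

```python
"""Audit for GECOS-derived and reused passwords (added example, toy hash scheme)."""
import hashlib


def toy_hash(salt: str, password: str) -> str:
    """Constructed scheme for the demo only; NOT crypt(3) or any real format."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def make_record(user: str, gecos: str, salt: str, password: str) -> dict:
    """Build one constructed account record the way a shadow entry would be stored."""
    return {"user": user, "gecos": gecos, "salt": salt, "hash": toy_hash(salt, password)}


# Constructed sample accounts (names, GECOS text and passwords are invented).
RECORDS = [
    make_record("jsmith", "John Smith,Room 101", "a1", "Smith1"),
    make_record("akhan", "Amira Khan", "b2", "amira123"),
    make_record("bwong", "Ben Wong", "c3", "Smith1"),      # reuses jsmith's password
    make_record("ops", "Operations Account", "d4", "x9!Qz#"),  # not derivable from GECOS
]


def candidates_from_gecos(user: str, gecos: str) -> set:
    """Derive guesses from the login name and the words of the GECOS field,
    then apply a handful of simple mangling rules (case, digit suffixes, reverse)."""
    words = {user} | set(gecos.replace(",", " ").split())
    base = set()
    for w in words:
        base.update({w, w.lower(), w.capitalize()})
    out = set()
    for w in base:
        out.update({w, w + "1", w + "123", w[::-1]})
    return out


def single_mode_audit(records: list) -> dict:
    """Return {user: password} for every account recovered either from its own
    GECOS-derived candidates or by reuse of a password recovered for another account."""
    cracked = {}
    # Pass 1: each account is tested only against guesses built from its own data.
    for r in records:
        for cand in candidates_from_gecos(r["user"], r["gecos"]):
            if toy_hash(r["salt"], cand) == r["hash"]:
                cracked[r["user"]] = cand
                break
    # Pass 2: every recovered password is tried against all still-unknown hashes,
    # which is how shared passwords surface even when salts differ per user.
    for pw in set(cracked.values()):
        for r in records:
            if r["user"] not in cracked and toy_hash(r["salt"], pw) == r["hash"]:
                cracked[r["user"]] = pw
    return cracked


if __name__ == "__main__":
    for user, pw in sorted(single_mode_audit(RECORDS).items()):
        print(f"{user}: recovered ({pw!r})")
```

The `ops` account stays unrecovered, which is the point of the audit: only accounts whose passwords are built from account metadata, or shared with such an account, fall to this mode, and those are the ones an administrator should have reset.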
In summary, before attacking any system, this work began by obtaining the proper permission from the appropriate system administrators; this included a discussion of and agreement on the scope of the penetration test. After obtaining background information on the Computer Science department and on student.cs.appstate.edu itself, a targeted attack was formulated, focusing on a flaw in the Linux kernel known as CVE-2016-5195 or Dirty COW. Ultimately, Dirty COW provided root access, through which both the /etc/passwd and /etc/shadow files were obtained. Using oclHashcat, 590 passwords, or 61.01% of all passwords present in the shadow file, were cracked.
D. Bisson, “Cracked Ashley Madison passwords consistent with years of poor security,” Graham Cluley, 16-Sep-2015.
T. Hunt, “The science of password selection,” Troy Hunt, 17-Jul-2011. [Online]. Available: https://www.troyhunt.com/science-of-password-selection/. [Accessed: 16-Feb-2017].
Sheehan2014, “Choosing a Password: Needle in a Haystack,” MACED Tech Resource, 15-May-2015.
“How Long Would it Take to Crack Your Password? Find Out! – Randomize,” Random-ize. [Online]. Available: http://random-ize.com/how-long-to-hack-pass/. [Accessed: 15-Feb-2017].
B. Evard, “John the Ripper,” Linux Voice, 2015. [Online]. Available: https://www.linuxvoice.com/issues/008/john.pdf. [Accessed: 13-Feb-2017].