For many years I have had trouble with people thinking that passwords were the answer to security. Granted they make it so that joe user can not log onto your computer without knowing or guessing your password. But for anyone with skills passwords are circumventable and the circumvention gets quicker / easier all the time. I am going to focus on cracking windows passwords for this article but the techniques are the same in almost any situation.
NT based opperating systems store your password in an encrypted hash on the disk. This used to be done by taking the password and storing it in two hashes. The first is the Lan Manager hash which has been around for ages and is broken into two hashes that are seven bytes each. If your password is under seven characters only the first hash will be filled but if it is ten characters the first hash will have seven characters and the second will have three characters in it. This is a weakness in itself as now you can take one of the two hashes and crack it and guess the second part quite easily (e.g. if the first hash is cracked to “waterme”. I would guess that the password is “watermellon”). The second hash is the NTLM (Nt Lan Manager) hash which is an MD4 encrypted hash that should hold about 128 characters. Much stronger method of storing the password Most servers implement both for backwards compatibility with win9x clients but LM passwords can be disabled.
1. Guess and test method. Basically try things like kids names, birthdays, etc. supprisingly effective still
2. Brute force. Throw a dictionary at it (note: throwing a physical dictionary does not work). L0phtCrack was the most famous one and could crack simple passwords in seconds and then start brute forcing random letter / word combinations.
3. Resetting the password. If you have physical access to the server there are some tools out there that allow you to boot and change the password. I have used the offline password & registry editor for this before with mixed success.
4. If you just want the data and have access to the hardware simply put the drive into a computer that supports NTFS and ta-da you have access to the data
5. Use a rainbow table (the whole point of this article).
Brute Forcing and Rainbow Tables
Brute forcing means that you take a password, hash it, then compare it to the hash on the computer you are trying to crack. If they match then you have found the right password. While an effective way of getting a password it is quite slow even with todays computing to crack complicated passwords.
Rainbow tables is basically a huge database of pre-compiled hashes so to find a password all you have to do is query the table based on the hash you are trying to crack and there is the password. It is sooo fast that I just cracked a complicated password Righ46sdf943 for example in 10 seconds using ophcrack. Granted I needed physical access but it just shows how quickly a password can be cracked using this technique. I beleive the rainbow table I was using was 400mb so that is quite a large database but easy to fit on a cd.
Salting a password is basically the practice of adding a random bit of data to the password so that if two people have the password of “tomatoe” by adding a random salt to each the hashes will be different.
||Hash w/o salt
||Hash w/ salt
By adding a salt value we effectivley change the hash which makes it harder to get it out of the database. If we were to run the salted hashes (that sounds tasty for some reason) we would get out a password of tomatoe2457j5476 for our first record so it is easy to spot the salt added onto the string. Now rainbow tables are only going to have hashes in them for average length passwords to keep size down and speed up. Therefore, if you add a large enough salt you should be able to create a hashed password that is too long to be in most rainbow tables yet allow the user to have a short password. It will just be a matter of time before someone builds a larger database though.
Passwords are not the be-all end-all solution which is becomming more apparent everyday. Migrating towards a biometric or smart card solution seems to be the next step but those are also circumventable but usually harder than getting around a password.