
CCIS2400: Security Essentials

Lab 3.1 --- Cracking Windows Passwords (Cain & Abel)


Objective

An understanding of what makes a strong password, gained by using software written to crack password security with both dictionary and brute-force attacks.

Password Security

Most accounts on a computer system have some method of restricting access to that account, usually in the form of a password. On most systems the password is not stored in the clear: it is run through a one-way hash algorithm, and only the resulting hash is stored. A one-way hash is a fixed-length string of characters that cannot be reversed into its original text, so it is more than just a scrambled version of the password. Most systems never "decrypt" the stored password during authentication, because they store only the hash. During the login process you supply an account name and a password; the password is run through the same algorithm, and the resulting hash is compared to the hash stored on the system. If the two are the same, it is assumed the proper password was supplied.

Several different hashing methods are used to store passwords. Microsoft Windows XP uses NTLM hashes when storing a user's password (by default it also keeps the much weaker LAN Manager (LM) hash of the same password, which is what the "(LM)" attacks in this lab target). To crack a password you need a copy of the one-way hash stored on the computer; you then use the same algorithm to generate your own hash from a guess. Keep doing that until you get a match. When you get a match, whatever word you used to generate your hash is in fact the stored password. Since this can be rather time-consuming, programs have been written to automate the process. There are freeware password crackers available for Windows, Netware, and Unix.

Copyright Center for Systems Security and Information Assurance

Information Assurance / IT Lab Manual (v2.0) Released: 5/05 Page 3.1.1

Acquire and Install Cain v2.7.5

If Cain & Abel is not already present on your computer, you will need to download and install it. This is a free product. The installation program (ca_setup.exe) will want to install WinPCap (drivers/DLLs for packet capturing). If you've installed Ethereal or similar software, your PC already has these drivers, but reinstalling them now won't hurt anything. You will find the installation file here: http://ca.htc.mnscu.edu/ccis2400 The installation is pretty straightforward; you can accept all the defaults.

Create Test Users and Assign Weak Passwords

1. Open the Computer Management tool. There are several ways to do this, but the easiest is probably to right-click on My Computer and click Manage.
2. Expand Local Users and Groups. Right-click the Users folder, and click New User.
3. Create a user named User2400d. Give this user a password (again, use whatever you like, but use an actual word and keep it to 4 characters or less). Uncheck the User must change password at next login box, and click Create.
4. Create another new user named User2400bf. Assign this user a password of aaaa.

Crack a Weak Password with Cain's Dictionary Attack

1. Launch Cain. Click on the Cracker tab. Right-click in the center of the workspace and select Add to list.
2. Click Next to Dump NT Hashes from local machine. Note: If an error message pops up and forces you to reboot your PC, you will need to disable the Data Execution Prevention feature of Windows XP's Service Pack 2. This is done via the Advanced tab of the System control panel.
3. All user accounts on the local PC will appear on the cracking list. Right-click User2400d, and click Start Dictionary Attack (LM).



4. Select a dictionary file. A dictionary-based attack uses a word list containing every word in the dictionary, plus names and some other miscellaneous terms. For this exercise, click Add and use Wordlist.txt. Click Start to begin cracking your user's password.
5. If you assigned your user a weak password, it should be cracked in a matter of seconds. Since programs like Cain can usually run through an entire list in less than a minute on a local machine, a word from the dictionary is not a good choice for a password. Did Cain crack the password for User2400d?

Crack a Weak Password with Cain's Brute-Force Attack

1. Right-click User2400bf and run a dictionary attack on this user's password. This attack will fail; notice that the entry is still shown locked. The dictionary-based attack could not produce a matching hash, because aaaa is not on the wordlist.
2. Right-click User2400bf and click Brute-Force Attack (LM). A brute-force attack simply tries all possible passwords until one matches: it will use every letter and number combination possible. Click Start to begin the attack. The password should be cracked in a few seconds (or less).
3. Obviously, aaaa would not be a strong password. From a cracker's perspective, brute-force attacks are usually very time-consuming. However, given enough time and CPU power, the password eventually gets cracked. The two variables that matter are the length of the password and the size of the character set it is drawn from. A four-character password may take only a few minutes, but longer passwords could take hours, weeks, or even years to crack. (Note that the LM hash converts the password to upper case and splits it into two 7-character halves that are hashed separately, so an LM brute force never has to search beyond 7 characters at a time; the NTLM hash has neither weakness.)
4. Change User2400bf's password to qsxplm.
5. Remove all user accounts from the Cain window. Re-dump the password hashes (click the blue "+").
6. Attempt another brute-force attack. This may take a few minutes, so be patient and let Cain work.
7. Did Cain crack this password?



Crack a Stronger Password (or at least try)

1. Change User2400d's password to ;<=abc.
2. Remove all user accounts from Cain, then re-dump the password hashes.
3. Run a brute-force attack on the test user. Again, you will have to be patient and let Cain work.
4. You will notice that after running for several minutes, Cain has not yet cracked the password. Click the Stop button to abort the attack.
5. Right-click User2400d and select Brute-Force Attack again, but don't start the attack yet.
6. In the Charset portion of the dialog box, change the option to Custom. Create your own custom list of 15 characters, but be sure to include the six characters in the actual password. Click Start to begin the attack. Note: This is only done in the interest of time. Normally, you'd have to include A-Z, a-z, 0-9, plus symbols and other "funky" characters. Such a brute-force attack could take many days (or weeks or even months).
7. Within a few minutes, Cain should have been able to crack the password. If it has taken more than a few minutes, check the brute-force options, clear the user list, reset the password, and try it again.

Appendix: This lab was developed using Cain version 2.7.5, which can be obtained from: http://www.oxid.it Use the projects link. An online manual is also available. The OS environment for this lab was Windows XP Professional, Version 2002, Service Pack 2 (8/04).


