Introduction to Ethical Hacking
Straightening Out the Terminology
Most people have heard of hackers and malicious users. Many have even suffered the consequences of their criminal actions. So who are these people? And why do you need to know about them? The next few sections give you the lowdown on these attackers.
- Hackers (or external attackers) try to compromise computers, sensitive information, and even entire networks for ill-gotten gains – usually from the outside – as unauthorized users. Hackers go for almost any system they think they can compromise. Some prefer prestigious, well-protected systems, but hacking into anyone’s system increases an attacker’s status in hacker circles.
- Malicious users (or internal attackers) try to compromise computers and sensitive information from the inside as authorized and “trusted” users. Malicious users go for systems they believe they can compromise for ill-gotten gains or revenge.
- Ethical hackers (or good guys) hack systems to discover vulnerabilities to protect against unauthorized access, abuse, and misuse. Information security researchers, consultants, and internal staff fall into this category.
Understanding the Need to Hack Your Own Systems
To catch a thief, you must think like a thief. That’s the basis for ethical hacking. Knowing your enemy is absolutely critical. The law of averages works against security. With the increased number of system vulnerabilities and other unknowns, eventually all computer systems and applications will be hacked or compromised in some way. Protecting your systems from the bad guys – and not just the generic vulnerabilities that everyone knows about – is absolutely critical. When you know hacker tricks, you find out how vulnerable your systems really are.
Firewalls, encryption, and passwords can create a false feeling of safety. These security systems often focus on high-level vulnerabilities, such as basic access control, without affecting how the bad guys work. Attacking your own systems to discover vulnerabilities -especially the low-hanging fruit that gets so many people into trouble – helps make them more secure. Ethical hacking is a proven method of greatly hardening your systems from attack. If you don’t identify weaknesses, it’s only a matter of time before the vulnerabilities are exploited.
Passwords
Password hacking is one of the easiest and most common ways attackers obtain unauthorized network, computer, or application access. You often hear about it in the headlines, and study after study as such as the Verizon Data Breach Investigations Report reaffirms that weak passwords are at the root of many security problems. I have trouble wrapping my head around the fat that I’m still taking about (and businesses are suffering from) weak passwords, but it’s a reality – and as information security testing professional, you can certainly do your part to minimize the risks.
Although strong passwords – ideally, longer and stronger passphrases that are difficult to crack (or guess) – are easy to create and maintain, network administrators and users often neglect this. Therefore, passwords are one of the weakest links in the information security chain. Passwords rely on secrecy. After a password is compromised, its original owner isn’t the only person who can access the system with it. That’s when accountability goes out the window and bad things start happening.
External attackers and malicious insiders have many ways to obtain passwords. They can glean passwords simply by asking form them or by looking over the shoulders of users (shoulder surfing) while they type their passwords. Hackers can also obtain passwords from local computers by using password-cracking software. To obtain passwords from across a network, attackers can use remote cracking utilities, keyloggers, or network analyzers.
This chapter demonstrates how easily the bad guys can gather password information from your network and computer systems. I outline common password vulnerabilities and describe countermeasures to help prevent these vulnerabilities from being exploited on your systems. If you perform the tests and implement the countermeasures outlined in this chapter, you’ll be well on your way to securing your system’s passwords.
Cracking Passwords
Password cracking is one of the most enjoyable hacks for the bad guys. It fuels their sense of exploration and desire to figure out a problem. You might have not have a burning desire to explore everyone’s passwords, but it helps to approach password cracking with this mindset. So where should you start testing the passwords on your systems? Generally, any user’s password works. After you obtain one password, you can often obtain others – including administrator or root passwords.
Cracking passwords the old-fashioned way
A hacker can use low-tech methods to crack passwords. These methods include using social engineering techniques such as phishing, shoulder surfing, and simply guessing passwords from information that he knows about the user.
Social engineering
The most popular low-tech method for gathering passwords is social engineering. Social engineering takes advantage of the trusting nature of human beings to gain information that later can be used maliciously. A common social engineering technique is simply to con people into divulging their passwords. It sounds ridiculous, but is happens all the time.
Techniques
To obtain a password through social engineering, you just ask for it. For example, you can simply call a user and tell him/her that he has some important-looking e-mails stuck in the mail queue, and you need his/her password to log in and free them up. This is often how hackers and rogue insiders try to get the information!
Countermeasures
User awareness and consistent security training are great defenses against social engineering. Security tools are a good fail-safe if they monitor for such e-mails and web browsing at the host-level, network perimeter, or in the cloud. Train users to spot attacks (such as suspicious phone calls or deceitful phishing e-mails) and respond effectively.
Cracking passwords with high-tech tools
High-tech password cracking involves using a program that tries to guess a password by determining all possible password combinations. These high-tech methods are mostly automated after you access the computer and password database files.
The main password-cracking methods are dictionary attacks, brute-force attacks, and rainbow attacks. You find out how each of these work in the following sections.
Dictionary attacks
Dictionary attacks quickly compare a set of known dictionary-type words – including many common passwords – against password database. This database is a text file with hundreds if not thousands of dictionary words typically listed in alphabetical order. For instance, suppose that you have a dictionary file that you downloaded from one of the sites in the following list. The English dictionary file at the Purdue site contains one word per line starting with 10th, 1st … all the way to zygote.
Many password-cracking utilities can use a separate dictionary that you create or download from the Internet. Here are some popular sites that house dictionary files and other miscellaneous word lists:
- www.outpost9.com/files/WordLists.html
Brute-force attacks
Brute-force attacks can crack practically any password, given sufficient time. Brute-force attacks try every combination of numbers, letters, and special characters until the password is discovered. Many password cracking utilities let you specify such testing criteria as the character sets, password length to try, and known characters (for a “mask” attack). Sample Proactive Password Auditor brute-force password-cracking options are shown in figure below.
Rainbow attacks
A rainbow password attacks uses rainbow cracking to crack various password hashes for LM, NTLM, Cisco PIX, and MD5 much more quickly and with extremely high success rates (near 100 percent). Password cracking speed is increased in a rainbow attack because the hashes are pre-calculated and thus don’t have to be generated individually on the fly as they are with dictionary and brute-force cracking methods.
If you have a good set of rainbow tables, such as those offered via the ophcrack site and Project RainbowCrack (http://project-rainbowcrack.com/), you can crack passwords in seconds, minutes, or hours versus the days, weeks, or even years required by dictionary and brute-force methods.
Cracking Windows passwords with pwdump3 and John the Ripper
The following steps use two of my favorite utilities to test the security of current passwords on Windows systems:
- pwdump3 (to extract password hashes from the Windows SAM database)
- John the Ripper (to crack the hashes of Windows and Linux/UNIX passwords)
The following test requires administrative access to either your Windows standalone workstation or the server:
- Create a new directory called passwords from the root of your Windows C: drive.
- Download and install a decompression tool if you don’t already have one.
- Download, extract, and install the following software into the passwords directory you created, if you don’t already have it on your system:
- pwdump3: Windows PWDUMP tools
- John the Ripper: John the Ripper password cracker