Source: Skynet
Let's study some scenarios to analyze how attackers initiate attacks and how to stop or prevent them. I will first describe two scenarios involving internal attacks (that is, attacks initiated from within the organization), and then two scenarios involving external attacks.
Internal attacks
Internal attackers are the most common source of password cracking attacks because they have direct access to the organization's systems. The first scenario looks at a situation where the attacker is a dissatisfied employee. The attacker, an experienced system administrator, had a problem at work and took it out on the very systems she managed and protected.
Example: A dissatisfied employee
Jane Smith is an experienced and technically proficient system administrator hired by the company to run backup tapes late at night. Your company, an ISP, has a very large data center; more than 4000 systems are monitored by a Network Operation Center. Jane and two other technicians work together to monitor the all-night backups and finish the tapes before the morning shift arrives. They work independently: one technician is responsible for the UNIX servers, one for all the Novell servers, and Jane for the Windows 2000 servers.
Jane has been with the company for six months and is an outstanding performer. She arrives very early, leaves very late, and has requested a transfer to another department of the company; the problem was that there was no opening at the time. Last month, you (the security analyst) discovered a significant increase in the number of logon attempts on the Cisco routers and UNIX servers. Because you have implemented CiscoSecure ACS, you can audit the attempts, and you find that most of them occur at three o'clock in the morning.
You have suspicions, but as a security analyst you cannot accuse anyone without evidence.
An outstanding security analyst starts with in-depth research. You discover that the attacks come from a master console and occur during Jane's shift, when she has an hour to study and read before the day shift team arrives. So you ask the night shift manager to supervise Jane closely at night. After three weeks of strict supervision, you find that the attacks have stopped. Your suspicions were correct: Jane had been trying to log on to the Cisco routers and UNIX servers.
A good security analyst also needs a good audit tool (such as TACACS+) to record attacks. TACACS+ is a protocol used by applications such as CiscoSecure ACS, which enforces Authentication, Authorization, and Accounting (AAA). With authorization, the person requesting access must be explicitly granted the right to use the system. With authentication, users who access resources must prove their identity so that their access rights and permissions can be verified. What happens once both authorization and authentication are in place? You must also have accounting. Recording every logon attempt independently solves many password cracking problems, because it forces the attacker's every attempt to be accounted for, authenticated, and authorized.
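The accounting records are only useful if someone reads them. As an added example (not code from the original article or from CiscoSecure ACS), the script below groups failed logons from a constructed, simplified TACACS+-style accounting log by source and hour, so a burst at 3 AM from one console against the routers and UNIX servers stands out; the log format, hostnames and addresses are all constructed for the demonstration.

```python
"""Spot a burst of failed logons in AAA accounting records.

Added illustration, not from the original article. The record layout below
is a constructed, simplified TACACS+-style accounting format; real
CiscoSecure ACS exports differ, so the parser must be adapted to them.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: "date time user source-ip device status", one per line.
SAMPLE_LOG = """\
2002-03-04 03:02:11 jsmith 10.1.5.7 rtr-core-1 FAILED
2002-03-04 03:02:19 admin 10.1.5.7 rtr-core-1 FAILED
2002-03-04 03:02:27 root 10.1.5.7 unix-db-2 FAILED
2002-03-04 03:03:04 admin 10.1.5.7 rtr-core-1 FAILED
2002-03-04 03:03:40 enable 10.1.5.7 rtr-edge-3 FAILED
2002-03-04 03:05:02 root 10.1.5.7 unix-db-2 FAILED
2002-03-04 08:15:33 bwong 10.1.9.20 rtr-core-1 SUCCESS
2002-03-04 08:16:01 bwong 10.1.9.20 rtr-core-1 FAILED
2002-03-04 09:30:12 jsmith 10.1.5.7 win-bk-1 SUCCESS
"""

def parse_records(text):
    """Yield (timestamp, user, source, device, status) for each non-empty line."""
    for line in text.splitlines():
        if line.strip():
            date, clock, user, source, device, status = line.split()
            yield datetime.fromisoformat(f"{date} {clock}"), user, source, device, status

def find_suspicious_sources(text, threshold=5, shift_hours=range(0, 6)):
    """Map each source whose failures in the shift window reach the threshold
    to its per-hour failure counts and the sorted list of devices it tried."""
    hours = defaultdict(Counter)
    devices = defaultdict(set)
    for ts, _user, source, device, status in parse_records(text):
        if status == "FAILED" and ts.hour in shift_hours:
            hours[source][ts.hour] += 1
            devices[source].add(device)
    return {src: {"by_hour": dict(hours[src]), "devices": sorted(devices[src])}
            for src in hours if sum(hours[src].values()) >= threshold}

if __name__ == "__main__":
    for src, info in find_suspicious_sources(SAMPLE_LOG).items():
        print(f"{src}: {info['by_hour']} against {', '.join(info['devices'])}")
```

Correlating the flagged source and hour with the shift roster is the step that turns a statistic into the kind of evidence the analyst in the scenario needs.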
Next, I will give an old (but still widely used) attack example, in which passwords are sniffed off the network. You can study how the network supervisor's Cisco routers and switches were cracked by a Help Desk technician inside the company.
Example: Help Desk Technician
Tommy was hired as a Help Desk technician working the after-hours Help Desk shift. The after-hours Help Desk staff consists of about 10 technicians responsible for the 8 remote sites the company must support outside business hours. Tommy always brings his laptop to work. When his manager asked about it, Tommy explained that he was preparing for a certification exam during his breaks. This seemed harmless and was approved, although the company has a security policy against bringing outside machines onto the company's network without a security check.
Eventually, a security camera captured Tommy leaving a small wiring closet with something hidden under his arm. However, because no one reported anything missing, nothing could be proved against Tommy. When the Help Desk manager asked why Tommy had been in the wiring closet, he said that he had mistaken the wiring closet for a lounge.
The company's security manager, Erika, saw the report submitted by the guard responsible for building security. She wanted to know what Tommy had been doing in the wiring closet and was skeptical of the answer he gave the Help Desk manager. When she inspected the wiring closet, she found a disconnected patch cable and an empty hub port hanging off one of the patch panels. When she plugged the cable back in, the link light stayed off, which meant it was a dead port. The cable administrator had neatly bundled all the other cables with Velcro. With her years of experience and a keen awareness of security exploits, Erika knew exactly what had happened.
Erika assumes that Tommy brought his laptop into the wiring closet undetected. He most likely found a dead port on the hub and plugged in the laptop with a packet sniffer installed, which could selectively capture the traffic on that network segment. Later, he returned and took the computer away (which the camera captured). After saving the capture file, he took it home for analysis.
Invoking the company's security policy, she found Tommy and explained that all personal property (such as laptops and handheld computers) brought onto company premises without authorization had to be inspected. Because Tommy should not have brought in his laptop, he handed it over to Erika. After careful inspection, Erika found the following trace decode, shown in Figure 1.
Figure 1: Telnet traffic captured by a protocol analyzer
Closer inspection of the hexadecimal pane of the Sniffer Pro analyzer shows the ASCII data clearly on the right-hand side of the pane in Figure 2. In the capture, a telnet session is opened to the switch in the wiring closet and the configuration is run through it. Because the telnet protocol is insecure and sends everything in plain text, it is easy to see the password "cisco".
Figure 2: ASCII decoding of the plaintext data
This violates one of the most basic security principles: do not use the product name as the password. Yet however basic the principle, it is strange how often people do exactly this.
Next, let's turn to some external threats.
External attacks
External attackers are the ones who have to break into your systems through your defense in depth, so they do not have it as easy as internal attackers. The first scenario involves a common form of external attack, website defacement. This attack uses password cracking to penetrate the system the attacker wants to damage. Another possible password cracking attack is one where the attacker obtains the password through social engineering. Social engineering is a way of tricking an unsuspecting administrator into telling the attacker an account ID and password. Let's take a look at both scenarios.
Example: Defacing the website homepage
Figure 3 shows a common and simple example of external password cracking: defacing a website's homepage. It does not require much effort; generally, all it takes is an Internet Information Server (IIS) whose permissions have not been set correctly. The attacker only needs to go to a workstation and use HTML editing tools to attack the IIS server. When attempting to connect to the site over the Internet, the attacker uses a password cracking tool (such as L0phtCrack) to launch a brute force attack against the server.
Figure 3: Home page replaced by an attacker
Your company's reputation is at stake. If business partners and affiliated enterprises feel that their data is stored on insecure servers, they will no longer trust you. Be sure to treat internal and external threats with the same seriousness.
Example: Social engineering scam
Password cracking without tools is called a social engineering attack. Read through this scenario for more information.
Jon is a new security analyst at a large company. His first priority is to test the company's security posture. Of course, he wants management to know what he is going to do (so that he will not be treated as an attacker). He wants to know how difficult it is to break into the network without using any tools. He attempted two separate but destructive attacks.
As a new employee in a big company, Jon is unknown to many people, which made it easy for him to carry out his first social engineering attack. His first target was the Help Desk. Jon made an ordinary call to the Help Desk and, posing as a remote user, asked for a password reset. Jon knew that the company naming convention is the user's first name followed by the first letter of the surname, so he already had half the information he needed. The CIO is Jeff, and his surname is Ronald; therefore, his logon ID is JeffR. This information can easily be obtained from the company telephone directory. Jon, pretending to be the CIO, called the Help Desk and asked for a password reset because he had forgotten his password. Help Desk technicians reset hundreds of forgotten passwords every day and then call the requestor back with the new password, so this is routine for them. Five minutes later, the Help Desk technician called Jon and told him that the new password was "Friday", because it happened to be Friday. Within five minutes, Jon was in the CIO's shared files and email on the server.
Jon's next social engineering attack involved a friend of his who works for the local phone company. While the friend was on vacation, Jon borrowed his uniform, belt, and badge. Wearing his new clothes, Jon went to another part of the company's site, where all the disaster recovery routers and servers are kept. This hardware holds live copies of all the company's current data and is considered confidential. Jon walked into the site security office in his telecom uniform and said he had been sent by the Local Exchange Carrier (LEC) because a circuit appeared to be looping back from the telephone company's side. He needed access to the data center so he could check whether there were any alarms on the Smart Jack.
The on-site administrator escorted Jon to the data center without even checking his identification. Once inside, the administrator wisely stood aside, and Jon started his test. Several minutes later, Jon told the administrator that he had to call the office and have them run some tests to break the Smart Jack loop and try to troubleshoot. Jon told the administrator that this would take 45 minutes, so the administrator gave Jon his pager number and asked Jon to page him when he was finished. Jon had now successfully removed the only obstacle between himself and the 30 servers racked along the data center wall.
Jon had several options. He could go from server to server looking for an unlocked console, or he could plug his laptop into an open port and start sniffing. He decided to look for an open console, because he really wanted to know how far he could get. After checking all the KVM slots in five minutes, he found a Windows NT server running as the Backup Domain Controller (BDC) of the domain. Jon took a CD out of his bag and put it into the server's CD tray. He installed L0phtCrack on the BDC of the company domain and then ran a dictionary attack. Within five minutes it produced the following password: Yankees. Evidently the chief administrator is a New York Yankees fan. Jon now had access to the company's most important information.
Now, let's look at how this works.
Figure 4: Using L0phtCrack to crack the administrator password
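The three passwords recovered in these scenarios, "cisco", "Friday" and "Yankees", all fall to a dictionary attack in minutes. As an added example (not code from the original article), the check below rejects such passwords before a tool like L0phtCrack gets the chance; the word lists and thresholds are constructed for the demonstration and a real policy check would load a full cracking dictionary plus the organization's own product names.

```python
"""Reject the kinds of passwords that fall to a dictionary attack.

Added illustration, not from the original article. The word lists and the
length/class thresholds are constructed for the demonstration; a real policy
check would use a full cracking dictionary plus the organisation's own product
and vendor names, and would run on every reset the Help Desk performs.
"""

# Constructed, deliberately small lists; the article's three passwords are covered.
PRODUCT_NAMES = {"cisco", "novell", "windows", "microsoft", "admin", "router"}
COMMON_WORDS = {"yankees", "password", "letmein", "welcome", "summer"}
DAY_NAMES = {"monday", "tuesday", "wednesday", "thursday",
             "friday", "saturday", "sunday"}

def character_classes(password):
    """Count how many of lower, upper, digit and symbol classes are present."""
    classes = sum(1 for test in (str.islower, str.isupper, str.isdigit)
                  if any(test(c) for c in password))
    if any(not c.isalnum() for c in password):
        classes += 1
    return classes

def check_password(password, min_length=12, min_classes=3):
    """Return the list of policy violations; an empty list means it passes.

    Word matching is a case-insensitive substring test, so 'Cisco123' and
    'yankees!' are caught as well as the bare words.
    """
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    lowered = password.lower()
    for label, words in (("product name", PRODUCT_NAMES),
                         ("dictionary word", COMMON_WORDS),
                         ("day name", DAY_NAMES)):
        hits = sorted(w for w in words if w in lowered)
        if hits:
            reasons.append(f"contains {label} {hits[0]!r}")
    if character_classes(password) < min_classes:
        reasons.append(f"uses fewer than {min_classes} character classes")
    return reasons

if __name__ == "__main__":
    for candidate in ("cisco", "Friday", "Yankees", "Cisco123", "Tr0ub4dor&3xTz!q"):
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate:18} {'; '.join(verdict)}")
```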
Protection Checklist
Here is a checklist of measures. Go through it to make password cracking more difficult:
Review your organization. Make sure that passwords are not taped under monitors or keyboards.
Set up a decoy account. Remove the Administrator (or admin) account, or set it up as a trap and