# Password Attacks

## What is a password?

* Passwords are used as an authentication method for individuals to access computer systems or applications.
* Using passwords ensures that the owner of the account is the only one who has access. However, if the password is shared or falls into the wrong hands, unauthorized changes to a given system could occur.
* Passwords are typically comprised of a combination of characters such as letters, numbers and symbols.
* A collection of passwords is often referred to as a dictionary or wordlist. Passwords with low complexity that are easy to guess are commonly found in various publicly disclosed password data breaches. For example, an easy-to-guess password could be 11111, 123456, password, and many more. Choosing a strong password is good practice, making it hard to guess or crack.

#### Password Attacking Techniques

* There are various techniques such as dictionary, brute-force, rule-based and guessing attacks.

##### Password guessing vs. Password cracking

* Password cracking is a technique for recovering plaintext passwords from encrypted or hashed data. Attackers may obtain the encrypted or hashed passwords from a compromised computer or capture them from data transmitted over the network.
* Once the hashed passwords are obtained, the attacker can apply password attacking techniques to crack them using various tools.
* Password guessing is a method of guessing passwords for online protocols and services based on dictionaries.

##### Password profiling

* It's important to know how you can generate username lists and password lists.

###### Default Passwords

* Before performing password attacks, it is worth trying a couple of default passwords against the targeted service. Manufacturers ship products and equipment such as switches, firewalls and routers with default passwords. There are scenarios where customers don't change the default password, which leaves the system vulnerable. Thus, it is good practice to try out admin:admin, admin:123456, etc.
* If we know the target device, we can look up its default passwords and try them out. For example, suppose the target server is Tomcat, a lightweight, open-source Java application server. In that case, there are a couple of possible default passwords we can try: admin:admin or tomcat:admin. Here are some websites that list default passwords for various products:
  * https://cirt.net/passwords
  * https://default-password.info/
  * https://datarecovery.com/rd/default-passwords/

##### Weak Passwords

* Professionals collect and generate weak password lists over time and often combine them into one large wordlist.
* Lists are generated based on their experience and what they see in pentesting engagements.
* These lists may contain leaked passwords that have been published publicly. Here are some of the common weak password lists:
  1. https://wiki.skullsecurity.org/index.php?title=Passwords
  2. https://github.com/danielmiessler/SecLists/tree/master/Passwords

##### Leaked Passwords

* Sensitive data such as passwords or hashes may be publicly disclosed or sold as a result of a breach.

##### Combined wordlists

* Let's say that we have more than one wordlist. Then we can combine these wordlists into one large file. This can be done as follows:

  ```
  cat file1.txt file2.txt file3.txt > combined_list.txt
  ```

* To clean up the combined list by removing duplicated words, we can use sort and uniq as follows. Note that `uniq -u` would do the opposite of what we want: it prints only lines that occur exactly once, so every word that appears in more than one of the source lists is dropped entirely. Plain `uniq` (or, equivalently, `sort -u`) keeps one copy of each word:

  ```
  sort combined_list.txt | uniq > cleaned_combined_list.txt
  ```

##### Customized Wordlists

* Customizing password lists is one of the best ways of finding valid credentials. We can create a custom password list from the target website. Often, a company's website contains valuable information about the company and its employees, including emails and names. In addition, the website may contain keywords specific to what the company offers, including product and service names.
* Tools such as CeWL can be used to effectively crawl a website and extract strings or keywords:

  ```
  cewl -w list.txt -d 5 -m 5 http://target.com
  ```

  * `-w` writes the output to a file, in this case list.txt.
  * `-m 5` gathers strings (words) that are 5 characters or more.
  * `-d 5` is the depth level of web crawling/spidering (default 2).
  * `http://target.com` is the URL that will be crawled.

##### Offline Attacks

* Dictionary
* Brute-force
* Rule-based

###### Dictionary attack

* A dictionary attack is a technique used to guess passwords by using well-known words or phrases.
* The dictionary attack relies entirely on pre-gathered wordlists that were previously generated or found.
* We will showcase an offline dictionary attack using hashcat, which is a popular tool to crack hashes. Imagine we obtain the following hash, *f806fc5a2a0d5ba2471600758452799c*, and want to perform a dictionary attack to crack it. First we need to know the following at a minimum:
  1. What type of hash is this?
  2. What wordlist will we be using? Or what attack mode could we use?

To identify the type of hash, we could use a tool such as hashid or haiti. Let's use haiti :+1:

![](https://i.imgur.com/6eXDyYi.png)

The possible hashing method is MD5 :100:

> Please note the time to crack a hash will depend on the hardware you are using (CPU and/or GPU).

![](https://i.imgur.com/6WZMgCZ.png)

* `-a 0` sets the attack mode to a dictionary attack.
* `-m 0` sets the hash mode for cracking MD5 hashes; for other types, run `hashcat -h` for a list of supported hashes.
* `f806fc5a2a0d5ba2471600758452799c` is the target. This argument can be a single hash, as in our example, or a file that contains one or more hashes.
* `/usr/share/wordlists/rockyou.txt` is the wordlist/dictionary file for our attack.

We run hashcat with the `--show` option to display the cracked value if the hash has been cracked:

![](https://i.imgur.com/gwKjGPk.png)

As a result, the cracked value is *rockyou*.
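As an added example (not code from the original notes, nor from CeWL or any project), the customized and combined wordlist steps above in Python: a CeWL-style keyword harvest from an already-fetched page honouring the `-m` minimum length, the deduplicated merge that `sort | uniq` produces, and what `uniq -u` would produce instead. SAMPLE_HTML and LEAKED are constructed sample inputs.

```python
import re
from html.parser import HTMLParser

class VisibleText(HTMLParser):
    """Collect the text a visitor sees, skipping <script> and <style> bodies."""
    def __init__(self):
        super().__init__()
        self.parts, self._skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)

def words_from_html(html, min_len=5):
    """CeWL-style harvest from one already-fetched page: words of at least
    min_len characters (CeWL's -m), deduplicated, in order of first appearance."""
    parser = VisibleText()
    parser.feed(html)
    found = []
    for word in re.findall(r"[A-Za-z][A-Za-z0-9]*", " ".join(parser.parts)):
        if len(word) >= min_len and word not in found:
            found.append(word)
    return found

def combine_wordlists(*lists):
    """What `cat ... | sort | uniq` (or `sort -u`) yields: each distinct word once."""
    return sorted({w.strip() for lst in lists for w in lst if w.strip()})

def uniq_u_result(*lists):
    """What `sort | uniq -u` yields instead: only words occurring exactly once,
    so any word present in two of the lists is silently dropped."""
    words = sorted(w.strip() for lst in lists for w in lst if w.strip())
    return [w for w in words if words.count(w) == 1]

# Constructed sample page for a fictional company and a constructed weak list
SAMPLE_HTML = """<html><head><title>Acme Widgets</title>
<style>.x{color:red}</style><script>var secret = "ignored";</script></head>
<body><h1>Acme Widgets</h1><p>Makers of the WidgetPro and WidgetMax lines.
Contact sales@acme.example or call our Springfield office.</p></body></html>"""
LEAKED = ["password", "123456", "Springfield"]

if __name__ == "__main__":
    site_words = words_from_html(SAMPLE_HTML)
    print(combine_wordlists(site_words, LEAKED))   # every word once, Springfield included
    print(uniq_u_result(site_words, LEAKED))       # Springfield is gone
```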
###### Brute-Force attack

* Brute-forcing is a common attack used by attackers to gain unauthorized access to a personal account. This method guesses the victim's password by trying password combinations one after another. The main difference between a dictionary and a brute-force attack is that a dictionary attack uses a wordlist containing the candidate passwords, whereas a brute-force attack generates the combinations itself.

###### Rule-Based attacks

* Rule-based attacks are also known as hybrid attacks.
* Rule-based attacks assume the attacker knows something about the password policy. Rules are applied to create passwords within the guidelines of the given password policy and should, in theory, only generate valid passwords.
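As an added example that is not part of the original notes and not hashcat's own code, the dictionary attack and the rule-based attack described above in Python: an MD5 lookup over a candidate list (what `-m 0 -a 0` does) plus a small interpreter for a subset of hashcat's rule syntax (`:`, `l`, `u`, `c`, `r`, `d`, `[`, `]`, `$X`, `^X`) that mutates each word to fit an assumed policy. WORDLIST and POLICY_RULES are constructed stand-ins for rockyou.txt and a real rule file.

```python
import hashlib

def md5_hex(text):
    """MD5 of a candidate as a lowercase hex digest (hashcat hash mode -m 0)."""
    return hashlib.md5(text.encode()).hexdigest()

# Subset of hashcat's single-character rule functions (same letters as hashcat)
UNARY = {
    ":": lambda w: w,                                # do nothing (plain dictionary attack)
    "l": str.lower, "u": str.upper,
    "c": lambda w: w[:1].upper() + w[1:].lower(),    # capitalize
    "r": lambda w: w[::-1],                          # reverse
    "d": lambda w: w * 2,                            # duplicate
    "[": lambda w: w[1:], "]": lambda w: w[:-1],     # drop first / last character
}

def apply_rule(word, rule):
    """Apply one hashcat-style rule string (functions read left to right) to a word.
    '$X' appends X and '^X' prepends X; the rest come from UNARY."""
    i = 0
    while i < len(rule):
        f = rule[i]
        if f in "$^":
            ch = rule[i + 1]
            word = word + ch if f == "$" else ch + word
            i += 1                                   # skip the character argument
        elif f in UNARY:
            word = UNARY[f](word)
        elif f != " ":
            raise ValueError(f"unsupported rule function {f!r}")
        i += 1
    return word

def crack(target_hex, wordlist, rules=(":",)):
    """Dictionary attack with the default rules, rule-based attack otherwise:
    return (word, rule) for the first candidate hashing to target_hex, else None."""
    target_hex = target_hex.lower()
    for rule in rules:
        for word in wordlist:
            if md5_hex(apply_rule(word, rule)) == target_hex:
                return word, rule
    return None

# Constructed mini wordlist standing in for rockyou.txt, and constructed rules
# expressing a policy of "capitalized word, digits or a symbol appended"
WORDLIST = ["123456", "password", "rockyou", "qwerty"]
POLICY_RULES = [":", "c", "c$1", "c$1$2", "u$!"]

if __name__ == "__main__":
    print(crack("f806fc5a2a0d5ba2471600758452799c", WORDLIST))   # the hash from the notes
    print(crack(md5_hex("Password12"), WORDLIST, POLICY_RULES))
```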