Password Penetration testing
In this article we will get to know about passwords and various ways to pen test them. We will also cover things like where passwords are stored in windows/linux, common attacks and good password hygiene to follow. Also, some points to consider in a password pentest.
What is a password:
A password is a secret series of characters allowing a user to access a computer, program or a file. A super secure password has all of following features:
- Letters: Can be English or other language and mixture of small and capital letters. A-Z and a-z
- Numbers: any combination from 0–9
- Special characters: @!#$?>- and many more
Another thing to note is that password shouldn’t be a dictionary word and keep as long as possible to make password cracking difficult. And having MFA enabled can make hackers rethink about their target.
Need for a secure password:
- Weak/guessable passwords have a very big impact leading to full system/ company takeover.
- Users personal data can be fully leaked just by having a weak password.
- User can suffer financial losses and metal issues following the impact.
- It can help categories different users for proper access control.
Passwords can be stored in system in following ways: Clear text (self explanatory), obfuscated(password can be revereted back to plain text) and hashed(no way to get original text even if attacker has it).
Password cracking techniques:
Following are some of the ways in which an attacker can try to crack your passwords:
- Dictionary attack: A user’s account is tried for various passwords from a dictionary file, which is a list of dictionary words.
- Brute Forcing attack: Tool tries to use all possible combinations to break password.
- Hybrid attack: add numbers and symbols to a dictionary file and we have a hybrid attack.
- Syllable attack: this attack is composed by mixing dictionary and brute force attacks.
- Rule-based attack: This attack is possible once an attacker has some clues as to the pattern which his victim uses in password creation or due to site restrictions.
Tools: Cain & Abel
Categorization of password attacks:
Passive online attacks:
Wire sniffing
MitM
Replay attack
Active online attacks:
Password guessing
Keyloggers/spyware/malware
Hash injection attack
Offline attacks:
Rainbow attack
Pre-computed hashes
Distributed network attack
Non-digital attacks:
Shoulder surfing
Dumpster diving
Social engineering
Tools: wireshark, tcpdump, Ettercap, fgdump, RainbowCrack, elcomsoft distributed password recovery
Windows password storage:
Windows users passwords are hashed and then stored in Security Accounts manager (SAM) db. LM and NTLM authentication protocols were used in past, now Microsoft has shifted to more secure Kerberos.
SAM file can be accessed from C:\windows\system32\config\sam
Linux password storage:
Previously, linux would store user info and hashed passwords in file called “\etc\passwd” readable by non-root users. Nowadays, linux stores ‘x’ in place of hashed passwords in “\etc\passwd” and another file, readable by only root, “\etc\shadow” or “\etc\security\passwd” includes hashed passwords and other details.
Password penetration testing:
We have already covered what’s pentesting in our previous blogs so refer that if you haven’t already. Following are some of the steps to be followed while doing a pentest, mainly dealing with passwords.
1.Id target’s personal profile.
Gain targets personal details from social media sites like facebook, Instagram, twitter, google and from job searching sites like LinkedIn, naukari.com, monster, internshala. Other people searching site like pipl.com, intelius.com, searchbug.com, 411.com, 123people.com can also be used but they are either paid or not effective.
2.Non-digital attacks (refer above)
3.Build a custom wordlist specific to target
After collecting details about target, we use dictionary builder tools to create wordlist or make one manually of possible passwords.
4.Password guessing
Try to use the default creds associated with that particular device/service.
Also, having custom wordlist try to use it to see if we gain access using automation.
5.Perform each of the password attacks mentioned before.
6.Extract and decipher sam and shadow file.
7.Use automated/online tools to crack passwords: l0phtcrack, john the ripper, ophcrack, LSASecretsView
Good Password management hygiene:
- Following are some of the measures to follow to keep passwords safe and strong:
- Have policies for password creation, management and expiration.
- Use multi factor authentication(MFA) and auto account lockouts after some idle time.
- Storage and transmission of only salted hashed passwords.
- Implement proper authorization controls to prevent data leaks.
- Use onscreen keyboards to defeat keyloggers.
- Prevent account logins after certain number of failed attempts or from unknown locations/time without MFA.
Original Source- https://securiumsolutions.com/blog/password-penetration-testing/
