Password Attacks


A password attack is any attack in which the attacker tries to obtain, guess, or crack passwords in order to gain unauthorized access to an account or system.

  • Passwords or password hashes can be captured by obtaining a password file or by sniffing the network
  • if the protocol uses cleartext credentials,
    • the attacker can simply read the password from the captured frames

Info

  • password could be sent in encoded form
    • e.g., Base64
    • is an ASCII representation of binary data
    • not the same as encryption (there is no key involved)
    • password value can be trivially derived from the Base64 string, so this is still effectively cleartext
  • rather than the cleartext, a client should transmit a cryptographic hash of the string entered by the user
    • produces a fixed-length string from a variable-length string
    • plaintext cannot be recovered from the hash by reversing it
    • caveat: a bare hash sent as-is could simply be replayed by whoever captures it, which is why protocols such as NTLM and CHAP combine the hash with a server-supplied challenge (challenge-response)
  • password cracking software can still recover the password from a captured hash by guessing:
    • Dictionary (hash each candidate from a wordlist and compare against the captured hash)
    • Brute force (try every possible combination)
  • threat actor can obtain password hashes (or challenge-response values) from a protocol with no encryption
    • e.g., SMB (NTLM challenge/response values, when SMB encryption is not enforced)
    • more secure to use end-to-end encryption
      • IPSec or TLS
      • means all payload data is encrypted
      • network sniffer cannot recover the password hashes
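The Base64 point above, as an added example (not part of the original notes): pulling HTTP Basic credentials out of captured requests. Base64 decoding needs no key, so an "encoded" credential is as good as cleartext to anyone who can see the frames. The three HTTP requests, host name, user names and passwords are constructed for this example.

```python
import base64
import binascii
import re

# Constructed sample of captured HTTP requests (not a real packet capture):
# two carry Basic authentication, one uses a different scheme and is skipped.
CAPTURED_REQUESTS = [
    b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
    b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n",
    b"GET /api/v1 HTTP/1.1\r\nHost: intranet.example\r\n"
    b"Authorization: Bearer not-a-basic-header\r\n\r\n",
    b"POST /upload HTTP/1.1\r\nHost: intranet.example\r\n"
    b"Authorization: Basic Ym9iOnA6c3M=\r\n\r\n",
]

# Header name is case-insensitive; the token is the Base64 alphabet plus padding.
BASIC_RE = re.compile(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.I | re.M)


def extract_basic_credentials(requests):
    """Return (username, password) pairs for every Basic auth header found.

    Base64 is an encoding, not encryption: b64decode() is the whole "attack".
    The decoded value is 'user:pass', so split on the FIRST colon only, since
    RFC 7617 allows colons inside the password.
    """
    found = []
    for raw in requests:
        for m in BASIC_RE.finditer(raw):
            try:
                decoded = base64.b64decode(m.group(1), validate=True)
            except binascii.Error:
                continue  # malformed header: skip rather than crash the sniffer
            user, sep, password = decoded.decode("utf-8", "replace").partition(":")
            if sep:
                found.append((user, password))
    return found


if __name__ == "__main__":
    for user, password in extract_basic_credentials(CAPTURED_REQUESTS):
        print(f"{user}:{password}")
```

Over TLS the same header is still Base64, but the sniffer only sees ciphertext, which is the "end-to-end encryption" point above.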

Online Password Attack

An online password attack is where the threat actor interacts with the authentication service directly (e.g., a web login form or VPN gateway).

  • the attacker typically submits passwords from a pre-compiled list (a wordlist)
  • typically a very noisy attack
    • generates a lot of evidence in logs and packet captures
  • appears in audit logs as:
    • repeated failed logins for an account followed by a successful login
    • or as successful logins at unusual times or from unusual locations
  • mitigated by:
    • strong passwords
    • account lockouts
    • multifactor authentication
    • restricting the number or rate of login attempts
      • can be turned into a DoS attack, though: an attacker who knows the usernames can deliberately trigger lockouts on legitimate users
    • shunning (blocking) login attempts from known bad IP addresses

Offline Password Attack

An offline password attack means that the attacker has managed to obtain a database of password hashes and can crack them on their own hardware, with no lockouts or logging on the victim system.

  • e.g., from:
    • %SystemRoot%\System32\config\SAM (local accounts)
    • %SystemRoot%\NTDS\NTDS.DIT (the Active Directory credential store)
    • or /etc/shadow
  • often the only indicator of this type of attack:
    • is a file system audit log entry that records the malicious account accessing one of these files (or a copy of one)
  • Threat actors can also read credentials from host memory (e.g., the LSASS process on Windows)
    • only reliable indicator might be the presence of attack tools on a host
  • packet sniffer might be used to obtain the client response to a server challenge in an authentication protocol, which can then be cracked offline

Brute Force Attack

A brute force attack is a type of password attack where an attacker uses an application to exhaustively try every possible character combination until one hashes to the captured password hash.

  • the number of guesses needed is bounded by the keyspace: the size of the character set raised to the power of the password length, so it grows exponentially with length and complexity (the hash algorithm's output size only caps how many distinct hashes can exist)
  • short (<8 characters) and non-complex (single character class) passwords can be cracked in minutes
  • longer, more complex passwords take much longer to crack
  • heavily constrained by time and computing resources

Credential Stuffing

Credential stuffing is a brute force attack in which stolen user account names and passwords are tested against multiple websites.

  • use of credentials stolen from one source (e.g., a breached site) and trying them against multiple other sources
  • is successful because users often reuse the same credentials in multiple locations

Dictionary Attack

A dictionary attack is a type of password attack that compares hashed passwords against a predetermined list of possible password values.

  • software generates hash values from a dictionary of plaintexts and tries to match one to a captured hash
  • the "dictionary" need not be a language dictionary; any long list of likely passwords (names, dates, passwords leaked from other breaches) works

Hybrid Attack

A hybrid password attack combines attack methods, most commonly a dictionary attack with brute-force style mutations of each word (mangling rules such as changing case or appending digits and symbols); the term is also used for combinations that include rainbow table and full brute force attacks.

Password Spraying

Password spraying is a brute force attack in which multiple user accounts are tested with a small dictionary of common passwords.

  • attacker may be able to collect a list of usernames from a poorly protected directory
  • goal then becomes identifying accounts in the list with breakable or easy-to-guess passwords
  • trying one password across many accounts (and pausing between rounds) stays below per-account lockout thresholds, so it is missed by monitoring that only counts failures per account
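The two audit-log signatures described above, under Online Password Attack (repeated failures for one account followed by a success) and under Password Spraying (one source failing against many different accounts), as added detection logic that is not part of the original notes. The sshd-style log lines, host name, IP addresses, user names and the thresholds are constructed for this example; the 192.0.2.7 entries are a legitimate user who mistyped once and must not be flagged.

```python
import re
from collections import defaultdict

# Constructed sshd-style auth log (not from a real system). 10.0.0.5 hammers one
# account until it succeeds; 203.0.113.9 sprays one password across many accounts.
SAMPLE_LOG = """\
Mar  3 09:00:01 bastion sshd[101]: Failed password for alice from 10.0.0.5 port 50001 ssh2
Mar  3 09:00:02 bastion sshd[101]: Failed password for alice from 10.0.0.5 port 50002 ssh2
Mar  3 09:00:03 bastion sshd[101]: Failed password for alice from 10.0.0.5 port 50003 ssh2
Mar  3 09:00:04 bastion sshd[101]: Failed password for alice from 10.0.0.5 port 50004 ssh2
Mar  3 09:00:05 bastion sshd[101]: Failed password for alice from 10.0.0.5 port 50005 ssh2
Mar  3 09:00:06 bastion sshd[101]: Accepted password for alice from 10.0.0.5 port 50006 ssh2
Mar  3 09:01:00 bastion sshd[102]: Failed password for bob from 203.0.113.9 port 41000 ssh2
Mar  3 09:01:01 bastion sshd[102]: Failed password for carol from 203.0.113.9 port 41001 ssh2
Mar  3 09:01:02 bastion sshd[102]: Failed password for dave from 203.0.113.9 port 41002 ssh2
Mar  3 09:01:03 bastion sshd[102]: Failed password for erin from 203.0.113.9 port 41003 ssh2
Mar  3 09:01:04 bastion sshd[102]: Failed password for frank from 203.0.113.9 port 41004 ssh2
Mar  3 09:01:05 bastion sshd[102]: Accepted password for frank from 203.0.113.9 port 41005 ssh2
Mar  3 09:05:00 bastion sshd[103]: Failed password for alice from 192.0.2.7 port 33000 ssh2
Mar  3 09:05:10 bastion sshd[103]: Accepted password for alice from 192.0.2.7 port 33001 ssh2
"""

LINE_RE = re.compile(
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port"
)


def parse_auth_log(text):
    """Yield (outcome, user, src_ip) for every recognised sshd auth line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["outcome"], m["user"], m["src"]


def detect_online_attacks(text, fail_threshold=5, spray_min_accounts=5):
    """Flag the two audit-log signatures of an online password attack.

    brute_force: at least fail_threshold consecutive failures for one
                 (user, source) pair immediately followed by a success
    spraying:    one source fails against at least spray_min_accounts distinct
                 accounts; each account may see a single failure, so a
                 per-account lockout rule never fires, hence the per-source view
    """
    fails = defaultdict(int)       # (user, src) -> consecutive failures so far
    targeted = defaultdict(set)    # src -> accounts it has failed against
    succeeded = defaultdict(list)  # src -> accounts it eventually logged into
    findings = []
    for outcome, user, src in parse_auth_log(text):
        if outcome == "Failed":
            fails[(user, src)] += 1
            targeted[src].add(user)
            continue
        if fails[(user, src)] >= fail_threshold:
            findings.append({"type": "brute_force", "user": user, "src": src,
                             "failures": fails[(user, src)]})
        fails[(user, src)] = 0       # success resets the streak
        succeeded[src].append(user)
    for src, accounts in targeted.items():
        if len(accounts) >= spray_min_accounts:
            findings.append({"type": "spraying", "src": src, "accounts": len(accounts),
                             "compromised": [u for u in succeeded[src] if u in accounts]})
    return findings


if __name__ == "__main__":
    for finding in detect_online_attacks(SAMPLE_LOG):
        print(finding)
```

The spraying rule is keyed on the source rather than the account; that is also why a lockout policy alone (per account) does not stop spraying, and why shunning the source address is listed as a separate mitigation.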

Cracking Passwords

Linux

  • using the John the Ripper CLI tool on Kali Linux
    • GUI front end called Johnny
    • process
      • need a wordlist
        • Kali stores John's own list in /usr/share/john (other wordlists live under /usr/share/wordlists)
      • Linux password hashes are stored in /etc/shadow (readable only by root; usually combined with /etc/passwd first using the unshadow tool so usernames and hashes are on one line)
      • john /etc/shadow
        • by default John tries its built-in modes; pass the wordlist explicitly with --wordlist and view recovered passwords afterwards with --show

Windows

  • using Cain on Windows
    • aka Cain & Abel
    • process
      • when installing Cain, need to disable the Firewall and AV (AV classes it as a hacking tool and will quarantine it; do this only on a lab machine)
      • click Cracker tab
      • click the Plus icon to import hashes from the local computer
        • loads the user accounts for the computer
        • “empty” means the account has no password
        • blank means there is a password (hash loaded, not yet cracked)
      • using dictionary attack
        • right click a user > dictionary attack > NTLM hashes
        • right click in top white space > add to list
        • select your password list
          • check various options wanted
        • click start
      • using brute force attack
        • right click user > brute-force attack > NTLM hashes
        • can select predefined attacks with options
        • select character lengths
        • click start
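What John and Cain do in the Dictionary, Brute-Force and Hybrid modes described above, written out as an added Python example (this is not the code of either tool and not part of the original notes). It targets NT hashes, the "NTLM Hashes" option in the Cain steps, and implements MD4 itself because hashlib's MD4 depends on the OpenSSL legacy provider and is often unavailable. The pwdump-style dump (user:rid:lm:nt:::), the user names, their passwords and the wordlist are constructed for the example; the dump is built from the NT hashes of known passwords so the result can be checked.

```python
import itertools
import string
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(msg: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). An NT hash is MD4 over the UTF-16LE password."""
    bitlen = len(msg) * 8
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", bitlen)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1: F(b,c,d), message words in order
            a = _rotl((a + ((b & c) | (~b & d)) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: G(b,c,d), words 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + ((b & c) | (b & d) | (c & d)) + x[k] + 0x5A827999) & MASK,
                      (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):
            a = _rotl((a + (b ^ c ^ d) + x[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c  # round 3: H(b,c,d)
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    return md4(password.encode("utf-16le")).hex()


# Constructed pwdump-style dump (user:rid:lmhash:nthash:::), not a real SAM.
# The LM field is the well-known "no LM hash" value.
DUMP = "\n".join(
    f"{user}:{rid}:aad3b435b51404eeaad3b435b51404ee:{nt_hash(pw)}:::"
    for user, rid, pw in (("alice", 1001, "password"),
                          ("bob", 1002, "Summer2024!"),
                          ("carol", 1003, "b7x"))
)
WORDLIST = ["letmein", "summer", "password", "dragon"]  # constructed mini wordlist


def parse_dump(text):
    """Map user -> NT hash (hex) from pwdump-style lines."""
    targets = {}
    for line in text.splitlines():
        user, _rid, _lm, nt, *_ = line.split(":")
        targets[user] = nt.lower()
    return targets


def dictionary_candidates(words):
    yield from words


def hybrid_candidates(words, suffixes=("", "1", "123", "!", "2024", "2024!")):
    """Dictionary words run through simple mangling rules (case + common suffixes)."""
    for w in words:
        for base in (w, w.capitalize(), w.upper()):
            for s in suffixes:
                yield base + s


def brute_force_candidates(charset=string.ascii_lowercase + string.digits, max_len=3):
    """Every string up to max_len: keyspace = sum(len(charset) ** n for n in 1..max_len)."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            yield "".join(combo)


def crack(targets, candidates):
    """Hash each candidate once and look it up against every target hash."""
    wanted = {h: user for user, h in targets.items()}
    cracked = {}
    for cand in candidates:
        user = wanted.get(nt_hash(cand))
        if user and user not in cracked:
            cracked[user] = cand
            if len(cracked) == len(wanted):
                break
    return cracked


def crack_all(dump_text, words):
    """Run the modes cheapest-first, like a tool's session: dictionary, hybrid, brute force."""
    targets = parse_dump(dump_text)
    results = {}
    for mode, gen in (("dictionary", dictionary_candidates(words)),
                      ("hybrid", hybrid_candidates(words)),
                      ("brute_force", brute_force_candidates())):
        remaining = {u: h for u, h in targets.items() if u not in results}
        if not remaining:
            break
        for user, pw in crack(remaining, gen).items():
            results[user] = (pw, mode)
    return results


if __name__ == "__main__":
    for user, (pw, mode) in crack_all(DUMP, WORDLIST).items():
        print(f"{user}: {pw} (found by {mode})")
```

Because NT hashes are unsalted, one hash per candidate is compared against every captured account at once, which is why a dumped SAM or NTDS.DIT with thousands of users costs no more to attack than a single hash; the brute-force generator's keyspace line is the exponential growth that the Brute Force Attack section describes.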