ITSY Ch 11.7 Password Attacks


In a variation of the brute force attack, an attacker may use a predefined list of common usernames and passwords to gain access to existing user accounts. Which countermeasure best addresses this issue?

A strong password policy A strong password policy is the best defense against dictionary attacks. The policy must be enforced, and all users must be trained to properly construct and protect strong passwords. 3DES and AES encryption alone do not protect against dictionary attacks. Encryption technologies are useless if weak passwords permit easy access to encrypted channels. VLANs allow logical segmentation of a physical network and do not prevent dictionary attacks or weak passwords.

Which of the following strategies can protect against a rainbow table password attack?

Add random bits to the password before hashing takes place Some authentication protocols send password hashes between systems during the authentication process. Rainbow table attacks apply hashing algorithms to every word in a dictionary (sometimes including hybrids or passwords accumulated in brute force techniques) in an attempt to match hashed passwords. To protect against this type of attack, you can salt the hash by adding random bits to the password before hashing takes place, thereby producing an entirely different hash value for the password. Because the hacker does not know the extra random bits, the rainbow table is of no value. The password file should be encrypted. But rainbow attacks do not work by accessing the password file, but by capturing hashed passwords being transmitted on the network. Users should be educated about social engineering attacks, but there is no connection between social engineering and rainbow table attacks. Enforcing strict password restrictions might actually weaken network security if you do not educate users about proper procedures that protect login credentials.

rcrack

After the rainbow table has been created, you are now ready to crack the passwords. This can be done using the rcrack command. The rcrack syntax is:
rcrack path parameter
The following table lists a few examples of how the rcrack command can be used:

Dictionary attack

Brute force password attack in which the hacker uses a list of words and phrases to try to guess the password.
- Dictionary attacks work well if weak passwords are used.
- Using longer and uncommon passphrases is the best way to secure data against these attacks.

Offline attack

Offline attacks require the attacker to somehow steal the password file. The attacker can then run attacks against that file with no limitations, such as lock out policies. This is the ideal method for the attacker, but is more difficult because it requires the attacker to somehow steal the password file.

User manipulation

A common social engineering technique is user manipulation. This involves the attacker interacting with the user to trick the user into revealing the username and password. For example, the attacker may call the target pretending to be from tech support with an urgent problem. The attacker asks for the target's login information to remote in and resolve the issue. User manipulation is a very successful technique and is still used quite often. User training is the best prevention method.

Shoulder surfing

An eavesdropping technique where the listener obtains passwords or other confidential information by looking over the shoulder of the target.

rtsort

A rainbow table is an array of rainbow chains. Each rainbow chain has a start point and an end point. The rtsort program sorts the rainbow chains by end point to make binary search possible. To sort a rainbow table, use the following command (the period at the end is part of the command): rtsort .

Physical Access

An attacker can use social engineering to gain physical access to an office building. Once inside, the attacker can look around for login information that users have written down. Many users have a tendency to write login information on sticky notes and stick the notes on the monitor or place them under the mouse pad.

Dumpster diving

An attacker may dumpster dive (go through the trash) to find important documents or information that has been thrown out. Many users will throw out papers without realizing the importance of the information. Documents should always be shredded to prevent data loss due to dumpster diving.

Online attack

An online brute force attack requires the attacker to submit the passwords using the same user login interface while the target is up and running. For example:
- An attacker targeting a website will submit login attempts to the site interface.
- An attacker targeting a computer will submit login attempts to the login screen.
The best defense against this method is to implement lock out policies. This means if the incorrect password is entered multiple times in a short period of time, the account will be locked for a specified amount of time.

Implementing proper password protocols is the best defense against password cracking attempts. A strong password should:

- Be at least 8 characters; more is better.
- Contain upper and lower case letters.
- Contain numbers.
- Contain symbols.
- Not use common words or phrases.
A passphrase is the best option to use instead of a password.

You are using a password attack that tests every possible keystroke for each single key in a password until the correct one is found. Which of the following technical password attacks are you using?

Brute force attack In a brute force attack, every password is eventually found because the technique is to test every possible keystroke for each single key in a password until the correct one is found. Keyloggers log or record every keystroke on the computer keyboard to obtain passwords and other important data. A pass-the-hash attack is a hacking technique where an attacker uses an underlying NTLM or hash of a user's password to gain access to a server without ever using the actual plaintext password. Password sniffing is a passive way for attackers to gain access to an account. The sniffer collects data that is in transit in a LAN. If access is gained on one system in a LAN, data can be gathered from data being sent from any other system in the network. The sniffer runs in the background, making it undetectable.

Password spraying

Brute force password attack that uses the same password with multiple user accounts instead of different passwords for the same account. Password spraying is another method that allows the attacker to avoid lock out policies.
- Instead of attempting multiple logins using a single user account and different passwords, the attacker will use the same password with multiple user accounts.
- The attacker will continue cycling through the user accounts submitting passwords until a match is found.
- Because there is a delay between submitting a password on each account, the lock out policy can be avoided.

You are cleaning your desk at work. You toss several stacks of paper in the trash, including a sticky note with your password written on it. Which of the following types of non-technical password attacks have you enabled?

Dumpster diving Dumpster diving relies on finding sensitive information that has been discarded in garbage cans, dumpsters, or other unsecure places that create access for attackers. Shoulder surfing is watching and recording a password, pin, or access code that is being entered by someone nearby. Social engineering relies on human error. It works by feigning trustworthiness to convince someone to give the attacker access. Password guessing happens when someone is able to easily guess a password, typically because it is very common, like a pet's name or a hobby.

You want to check a server for user accounts that have weak passwords. Which tool should you use?

John the Ripper John the Ripper is a password cracking tool. Password crackers perform cryptographic attacks on passwords. Use a password cracker to identify weak passwords or passwords protected with weak encryption. Nessus and Retina are vulnerability scanners. While vulnerability scanners check for default user accounts and often check for accounts with blank passwords, they typically do not include password cracking features to test for weak passwords. The Open Vulnerability and Assessment Language (OVAL) is an international standard for testing, analyzing, and reporting the security vulnerabilities of a system.

Some common password cracking tools that can be used to carry out brute force attacks are:

- John the Ripper
- Hashcat
- Medusa
- Cain and Abel

Brute force attack

Password attack in which the attacker uses a cracking tool that submits every possible letter, number, and symbol combination in a short amount of time. In a brute force attack, the attacker attempts to guess the password by using a cracking tool that submits every possible letter, number, and symbol combination in a short amount of time. A brute force password attack can be a very time-consuming attack. The following table describes some of the brute force attack methods.

Password guessing

Password guessing is usually not a very efficient method to crack a password. An attacker may first attempt to use default login information, such as admin/admin or simple passwords like password123. If these don't work, the attacker can use publicly available information, such as on a target's social media, to make the process easier. Information such as the following can be used to guess a password or answer security questions and reset a user's password:
- Birthday
- First car
- Family information
  - Spouse's name
  - Child's name
  - Important dates
- Important locations

Which of the following techniques involves adding random bits of data to a password before it is stored as a hash?

Password salting Password salting is adding random bits of data to a password before it is stored as a hash, making password cracking much more difficult. Password sniffing is a passive way for attackers to gain access to an account. The sniffer collects data that is in transit in a LAN. A pass-the-hash attack is a hacking technique where an attacker uses an underlying NTLM or hash of a user's password to gain access to a server without ever using the actual plaintext password. Keylogging is recording every keystroke on the computer keyboard.

Which of the following password attacks uses preconfigured matrices of hashed dictionary words?

Rainbow table attack A rainbow table attack applies hashing algorithms to every word in a dictionary (sometimes including hybrids or passwords accumulated in brute force techniques). The algorithm then saves the results in a table or matrix. An encrypted password is compared to the pre-computed hashed passwords in the matrix until a match is found. A dictionary attack tries known words (such as from a dictionary). A brute force attack works through all possibilities until the password is cracked. A hybrid attack adds appendages to known dictionary words (for example, 1password, password07, and p@ssword1).

An encrypted plaintext password stored in a hash file can be cracked using rainbow tables. There are several types of programs that can be used to create and crack these types of passwords, such as:

- Rtgen
- Winrtgen
- RainbowCrack
- Ophcrack
As an example, the following table lists a few examples of the commands needed to create and sort a rainbow crack table:

Rainbow attack

Similar to dictionary attacks, but a rainbow attack uses special tables called rainbow tables that have common passwords and the generated hash of each password. When a plaintext password is stored, it is encrypted and a hash is generated. Rainbow attacks are similar to dictionary attacks, but instead of trying to match the words and phrases, a rainbow attack uses special tables called rainbow tables that are already filled with common passwords and their generated hashes. The attacker uses this table to match the hashes instead of the password itself. Rainbow attacks require less computing power and are much faster than brute force attacks. Storing rainbow tables requires a lot of storage. A single rainbow table can range anywhere from 30GB to over 300GB. The character set (lower and/or upper case letters, numbers, symbols) being used will greatly increase the size. A different rainbow table needs to be generated for each encryption algorithm. The best defense against rainbow attacks is salting the hashes. Salting the hash means that random characters are added at the beginning or end of the password. This generates a completely different hash. The login server is programmed to identify the salted part of the hash, but anyone intercepting the hash has no way to tell, so the hash can't be decrypted.

Carl received a phone call from a woman who states that she is calling from his bank. She tells him that someone has tried to access his checking account, and she needs him to confirm his account number and password to discuss further details. He gives her his account number and password. Which of the following types of non-technical password attack has occurred?

Social engineering Social engineering relies on human error. It works by feigning trustworthiness to convince someone to share information. Shoulder surfing is watching and recording a password, pin, or access code that is being entered by someone nearby. Dumpster diving relies on finding sensitive information that has been discarded in garbage cans, dumpsters, or other unsecure places that create access for attackers. Password guessing happens when someone is able to easily guess a password, typically because it is very common, like a pet's name or a hobby.

Social engineering

Social engineering uses manipulation of people or situations to gain access to sensitive information. Social engineering is the art of manipulation. In most networks, the weakest link is the human element. Hackers can take advantage of this to gain access to sensitive information, including passwords. The following table explains some social engineering techniques to be aware of and protect against. User education is the best defense against any form of social engineering. Users should be trained that no one will ever ask for their login information and to always be aware of their surroundings.

Which of the following best describes shoulder surfing?

Someone nearby watching you enter your password on your computer and recording it. Shoulder surfing is watching and recording a password, pin, or access code that is being entered by someone nearby. Password guessing happens when someone is able to easily guess a password, typically because it is very common, like their pet's name or their hobby. Dumpster diving relies on finding sensitive information that has been discarded in garbage cans, dumpsters, or other unsecure places that create access for attackers. Social engineering relies on human error. It works by convincing someone to give the attacker access because he or she tricks them into trusting him or her.

rcrack . -h hash_value

The -h parameter loads and displays the results for a single hash.
Example command:
rcrack . -h 590cb9bZaC590/5b9b4b0/152d2321117
Example output:
590cb9bZaC590/5b9b4b0/152d232111a P@ssw0rd hex:444387

rcrack . -l /root/hashes.txt

The -l parameter loads the hashes from a file and each hash is shown on its own line. The hash is shown followed by the cracked password.
Example output:
plaintext of 590cb9bZaC590/5b9b4b0/152d2321117 P@ssw0rd
plaintext of 400238780e6c41f8f790161e6ed4aafc21 Test_Out@11_Last
plaintext of 89BF04763BF91C9EE2DDBE23D735C73OBDD41FF2 NeverLAnd5

rtgen

This command generates a rainbow table based on the parameters specified by the user. The syntax is:
rtgen hash_algorithm charset plaintext_len_min plaintext_len_max table_index chain_len chain_num part_index
Example:
rtgen md5 ascii-32-95 1 7 0 1000 1000 0
- hash_algorithm - A hashing algorithm is a mathematical algorithm which converts an input data array of a certain type and arbitrary length to an output bit string of a fixed length. The rainbow table must be generated for the type of hash algorithm used. Although there are many hash algorithms that can be used, some of the more common are: ntlm, md5, and sha1.
- charset - A charset specifies all the possible characters for the plaintext. Some of the possible charsets that can be used include:
  numeric = [0123456789]
  alpha = [ABCDEFGHIJKLMNOPQRSTUVWXYZ]
  alpha-numeric = [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]
  loweralpha = [abcdefghijklmnopqrstuvwxyz]
  loweralpha-numeric = [abcdefghijklmnopqrstuvwxyz0123456789]
  ascii-32-95 = [ !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~]
- plaintext_len_min and plaintext_len_max - These two values, such as 1 7, specify the minimum and maximum length of the plaintext.
The next four parameters are advanced values and are beyond the scope of this lesson. Therefore, only a brief explanation is given here:
- table_index - Specifies the reduction function. Examples are: 0, 1, 2, 3, 4. Zero is often used as the default.
- chain_len - Specifies the rainbow chain length.
- chain_num - Specifies the number of rainbow chains to generate.
- part_index - The number of files used to store the rainbow table. If a value greater than zero is used, the rainbow table is saved in the number of smaller files specified by the value.
As shown in the example above, common values for these four parameters are: 0 1000 1000 0

A user named Bob Smith has been assigned a new desktop workstation to complete his day-to-day work. When provisioning Bob's user account in your organization's domain, you assigned an account name of BSmith with an initial password of bw2Fs3d. On first login, Bob is prompted to change his password. He changes it to the name of his dog, Fido. What should you do to increase the security of Bob's account? (Select two.)

Use Group Policy to require strong passwords on user accounts. Train users not to use passwords that are easy to guess. In this scenario, a weak password that is easy to guess has been used. To prevent this type of password, you should: Use Group Policy to require strong passwords on user accounts. In this example, Fido is a weak password because it is short and doesn't contain numbers or other non-alphabetic characters. Train users not to use passwords that are easy to guess. In this example, the user's password could very likely be guessed using basic reconnaissance techniques on social media websites. You should allow users to set their own passwords. If you don't, both the administrator and the user know the password, which is a poor security practice. Using a stronger initial password does not prevent the user from using a weak password if the appropriate Group Policy settings aren't in force. Creating user account names such as the one shown in this scenario is generally considered an acceptable security practice. Requiring users to use assigned passwords, even if they are complex, is not secure because passwords should not be known by anyone but the user.

