Monday, January 20, 2020

Password Hash Attacks

Today's topic is password hash attacks, and the tools used to carry them out. So let's start.

What are Password Hashes?

A cryptographic hash function is a one-way function implementing an algorithm that, given an arbitrary block of data, returns a fixed-size bit string called a hash value or message digest. One of the most important uses of cryptographic hash functions is their application in password verification. Most systems that use a password authentication mechanism need to store something derived from these passwords locally on the machine, and that something is the hash rather than the password itself. This is true for operating systems, network hardware, etc.
This means that during the authentication process, the password presented by the user is hashed and compared with the previously stored message digest; the clear text password never needs to be kept on disk.
What is Password Cracking in Cryptanalysis?
In cryptanalysis, password cracking is the process of recovering the clear text passphrase, given its stored hash. Once the hash type is known, a common approach to password cracking is to simulate the authentication process by repeatedly trying guesses for the password and comparing the newly-generated digest with a stolen or dumped hash.  
A list of common hashes that you can use for reference when trying to identify a password hash can be found on the Openwall website. There are three main hash properties you should pay attention to:
1:- The length of the hash (each hash function has a specific output length, but several functions share one: MD5, NTLM and LM are all 128 bits, so length alone gives you candidates rather than a verdict).
2:- The character-set used in the hash (hexadecimal, base64, or a custom alphabet).
3:- Any special characters that may be present in the hash (for example, the $id$ prefix and $ separators of a crypt(3)-style hash such as $6$, which name the algorithm and delimit the salt from the digest).
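The three properties above can be turned into a small identifier. The following is an added example written for this post, not code from the Openwall list or from any cracking tool; the candidate tables are assumptions about which families a given length or prefix usually means, and the sample inputs are constructed strings, not hashes from a real dump. It goes a little beyond the text by also handling base64-encoded digests and the LM:NTLM pair layout of a Windows dump.

```python
import base64
import re

# Property 1, output length. A length identifies a family, not one algorithm:
# MD5, NTLM and LM are all 128-bit, so the same 32 hex characters fit all three.
# (Assumed table; extend it for the formats you meet.)
HEX_LENGTH_CANDIDATES = {
    32: ["MD5", "NTLM", "LM"],
    40: ["SHA-1", "RIPEMD-160"],
    56: ["SHA-224"],
    64: ["SHA-256"],
    96: ["SHA-384"],
    128: ["SHA-512"],
}

# Property 3, special characters. Modular crypt(3) hashes carry a '$id$' prefix
# that names the scheme and delimits the salt, so they identify themselves.
CRYPT_PREFIXES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
    "$apr1$": "Apache apr1 (MD5-based)",
}

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of the empty password


def identify_hash(h: str) -> list[str]:
    """Return candidate algorithms for one hash string, most likely first."""
    h = h.strip()
    for prefix, name in CRYPT_PREFIXES.items():
        if h.startswith(prefix):
            return [name]
    # MySQL 4.1+ stores '*' followed by 40 hex characters.
    if re.fullmatch(r"\*[0-9A-Fa-f]{40}", h):
        return ["MySQL 4.1+ (SHA-1 based, '*' prefix)"]
    # Windows dumps pair the LM and NT hashes as LM:NT.
    if re.fullmatch(r"[0-9a-fA-F]{32}:[0-9a-fA-F]{32}", h):
        lm = h.lower().split(":")[0]
        note = "LM:NTLM pair"
        if lm == EMPTY_LM:
            note += " (LM half is the empty-password value: no LM hash stored)"
        return [note]
    # Property 2, character set: pure hex versus base64.
    if re.fullmatch(r"[0-9a-fA-F]+", h):
        return HEX_LENGTH_CANDIDATES.get(len(h), [f"unknown {len(h) * 4}-bit hex digest"])
    try:
        raw = base64.b64decode(h, validate=True)
    except ValueError:
        return ["unknown"]
    # Base64 digests: map the decoded byte length back to hex length and reuse the table.
    names = HEX_LENGTH_CANDIDATES.get(len(raw) * 2, [f"{len(raw) * 8}-bit digest"])
    return ["base64: " + n for n in names]


if __name__ == "__main__":
    # Constructed inputs covering each branch.
    for sample in ["5f4dcc3b5aa765d61d8327deb882cf99",
                   "$6$saltsalt$notarealdigest",
                   "aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c",
                   "A" * 43 + "="]:
        print(sample, "->", identify_hash(sample))
```

Note that a bare 32-character hex string comes back as three candidates; the surrounding context (a Linux box versus a Windows SAM dump versus a web application database) is what settles it, and a cracker such as john must be told the format explicitly in that case.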

Use of John the Ripper
Once you’ve retrieved password hashes from a target system, you will want to try cracking them so you can make use of the clear text values in further attacks. One of the  most popular tools for cracking passwords is John the Ripper.

Running john with nothing but the filename containing your password hashes on the command line lets it choose its own modes (single crack, then its default wordlist, then incremental brute force). To run a dictionary attack with a list of your own, pass the --wordlist parameter to john instead. When the hashes are bare hex digests, john cannot tell MD5 from NTLM by looking at them, so tell it which one you mean with --format.

In order to crack Linux hashes with john, you will need to first use the unshadow utility (shipped with john) to combine the passwd and shadow files from the compromised system into a single file: unshadow places each user's hash from shadow into the password field of the matching passwd line. Reading /etc/shadow requires root on the target, which is why these hashes normally only come out of a box you have already compromised.


We can now take the unshadowed file and pass it to john as we normally would, and crack the password hashes. Entries whose password field is * or ! are locked accounts with nothing to crack.
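To make the two steps concrete, here is an added example, written for this post rather than taken from John the Ripper itself, that does what unshadow does on constructed passwd and shadow excerpts and then runs the guess-hash-compare loop of a --wordlist attack. The sha512crypt fields in the sample shadow file are placeholders in the right shape, not real digests (Python has no portable crypt(3), so those lines are the ones you would hand to john); the cracking loop is shown on a constructed dump of unsalted SHA-256 digests, the kind john handles as raw-sha256.

```python
import hashlib

# Constructed /etc/passwd and /etc/shadow excerpts, not from any real system.
# The $6$ (sha512crypt) fields are placeholders in the right shape, not real digests.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
SHADOW = """\
root:$6$c0nstructed$PLACEHOLDERnotArealDigest:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
alice:$6$c0nstructed$PLACEHOLDERnotArealDigest:18000:0:99999:7:::
"""


def unshadow(passwd_text: str, shadow_text: str) -> list[str]:
    """Do what john's unshadow does: put each shadow hash field into the
    'x' password slot of the matching passwd entry, keeping the rest of passwd."""
    shadow_hashes = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            user, pw_hash = line.split(":")[:2]
            shadow_hashes[user] = pw_hash
    merged = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        fields[1] = shadow_hashes.get(fields[0], fields[1])
        merged.append(":".join(fields))
    return merged


def is_locked(pw_hash: str) -> bool:
    """'*', '!' and '!!' mean the account has no usable password: skip it."""
    return pw_hash == "" or pw_hash.startswith(("*", "!"))


# Unsalted hex digests that john handles as raw-md5 / raw-sha1 / raw-sha256 / raw-sha512.
RAW_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def wordlist_attack(targets: dict[str, str], wordlist: list[str]) -> dict[str, str]:
    """Replay the authentication check: hash each guess the way the target does
    and compare against the dumped digest (a --wordlist run in miniature)."""
    cracked = {}
    for user, target in targets.items():
        if is_locked(target) or target.startswith("$"):
            continue  # locked, or crypt(3)-style (salted, iterated): hand those to john
        algo = RAW_BY_LENGTH.get(len(target))
        if algo is None:
            continue
        for guess in wordlist:
            if hashlib.new(algo, guess.encode()).hexdigest() == target.lower():
                cracked[user] = guess
                break
    return cracked


# Constructed raw SHA-256 dump, the shape a web application's user table might have.
RAW_DUMP = {
    "bob": hashlib.sha256(b"letmein").hexdigest(),
    "carol": hashlib.sha256(b"Tr0ub4dor&3").hexdigest(),
}
WORDLIST = ["123456", "password", "letmein", "qwerty", "monkey"]

if __name__ == "__main__":
    for line in unshadow(PASSWD, SHADOW):
        print(line)
    print(wordlist_attack(RAW_DUMP, WORDLIST))   # only bob falls to this wordlist
```

The point of the loop is that a cracker never "reverses" anything: it repeats exactly what the login code does and watches for a match, which is why anything that makes the login check slower (salting and iterating, as in the $6$ lines) makes the attack slower in the same proportion.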

Use of Rainbow Tables

The idea behind a time-memory tradeoff is to perform all of the cracking computation in advance and store the results in a binary database, or Rainbow Table file. It takes a long time to pre-compute these tables, but once pre-computation is finished, a time-memory tradeoff cracker can be hundreds of times faster than a traditional brute-force cracker. A rainbow table does not store every password and hash pair: it stores chains that alternate the hash function with a reduction function mapping a digest back into the password space, keeps only each chain's start and end points, and regenerates the chain on demand during a lookup.

To increase the difficulty of password cracking, passwords are often concatenated with a random value before being hashed. This value is known as a salt, and its value, which should be unique for each password, is stored together with the hash in a database or a file to be used in the authentication process. The primary intent of salting is to make Rainbow Table attacks infeasible: a table is built for one fixed hash function over one input space, and a per-password salt means the precomputation would have to be redone for every salt value. Salting does not slow down a brute-force or wordlist attack against a single hash, which is why modern password storage combines a salt with a deliberately slow hash such as bcrypt, scrypt, PBKDF2 or Argon2.
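The following is an added example, written for this post and not taken from any rainbow table tool, that builds a small rainbow table over a toy password space (three lowercase letters hashed with SHA-256), looks a hash up in it, and then shows the same lookup failing against a salted hash. The chain count, chain length and the reduction function are assumptions chosen to keep the demo fast; real tables use the same structure at a much larger scale.

```python
import hashlib
import random

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
LENGTH = 3
SPACE = len(ALPHABET) ** LENGTH      # 17,576 three-letter passwords (toy space, assumed)
NUM_CHAINS = 3000                    # assumed table parameters
CHAIN_LEN = 30


def index_to_password(i: int) -> str:
    chars = []
    for _ in range(LENGTH):
        i, r = divmod(i, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def hash_fn(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()


def reduce_fn(digest: bytes, position: int) -> str:
    """Map a digest back into the password space. Using a different reduction
    for each chain position is what makes the table a *rainbow* table: two
    chains that collide in different columns do not merge."""
    return index_to_password((int.from_bytes(digest[:8], "big") + position) % SPACE)


def build_table(num_chains: int, chain_len: int, seed: int = 1) -> dict[str, list[str]]:
    """Precomputation: walk each chain hash -> reduce -> hash -> ... and keep only
    (end, start); the intermediate values are recomputed at lookup time."""
    rng = random.Random(seed)
    table: dict[str, list[str]] = {}
    for _ in range(num_chains):
        start = index_to_password(rng.randrange(SPACE))
        pw = start
        for pos in range(chain_len):
            pw = reduce_fn(hash_fn(pw), pos)
        table.setdefault(pw, []).append(start)
    return table


def lookup(table: dict[str, list[str]], chain_len: int, target: bytes):
    """Attack: assume the target sits at column pos, roll forward to the chain end,
    and if that end is in the table rebuild the chain from its start to find the
    preimage. Returns the password or None."""
    for pos in range(chain_len - 1, -1, -1):
        pw = reduce_fn(target, pos)
        for later in range(pos + 1, chain_len):
            pw = reduce_fn(hash_fn(pw), later)
        for start in table.get(pw, []):
            candidate = start
            for p in range(chain_len):
                if hash_fn(candidate) == target:
                    return candidate
                candidate = reduce_fn(hash_fn(candidate), p)
    return None


def coverage(table: dict[str, list[str]], chain_len: int, samples: int = 200, seed: int = 2) -> float:
    """Fraction of random passwords the table recovers (chains merge, so it is below 1)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(samples):
        pw = index_to_password(rng.randrange(SPACE))
        if lookup(table, chain_len, hash_fn(pw)) == pw:
            hits += 1
    return hits / samples


def salted_hash(salt: str, password: str) -> bytes:
    """The defence: the stored value is H(salt || password), whose preimage lies
    outside the space the table was built for."""
    return hash_fn(salt + password)


TABLE = build_table(NUM_CHAINS, CHAIN_LEN)

if __name__ == "__main__":
    print("coverage of the toy space:", coverage(TABLE, CHAIN_LEN))
    print("unsalted lookup:", lookup(TABLE, CHAIN_LEN, hash_fn("cat")))
    print("salted lookup:  ", lookup(TABLE, CHAIN_LEN, salted_hash("Zq7", "cat")))
```

The table holds 3,000 (end, start) pairs instead of 17,576 hashes, and each lookup costs on the order of CHAIN_LEN squared over two hash operations instead of a full search; that is the memory-for-time trade. With a salt, the preimage of the stored digest is "Zq7cat", which no three-letter chain can ever contain, so the table is useless until rebuilt for that salt.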

Passing the Hash in Windows

Cracking password hashes can be very time-consuming and it is often not feasible. A different approach that makes use of dumped hashes without cracking them has been around since 1997. The technique, known as Pass-The-Hash (PTH), allows an attacker to authenticate to a remote target by using a valid combination of username and NTLM/LM hash rather than a clear text password. It works because NTLM challenge-response authentication never transmits the password: the client proves knowledge of the NT hash by using it as the key for its response, so whoever holds the hash can produce a valid response.
 Consider the following scenario: 
An organization uses disk-imaging technologies within its network, or otherwise has a local administrative user enabled on multiple computers. A vulnerability on one of these computers has provided us with SYSTEM privileges, through which we dumped local LM and NTLM hashes. We copy the local administrator NTLM hash and use this discovered hash instead of a password with a patched version of pth-winexe to gain a shell on a different machine, which has the same local administrator / password combination.

Hack Me Tech