Windows Passwords: Making them secure (Part 2)
If you missed the other parts in this article series please read:
In the last article, I went into detail on how the default Windows password is established. As a reminder, the default Windows password is established using the Default Domain Policy GPO, which is linked to the domain. This is where the password "rules" are established for length, age, and complexity. In this article, I am going to talk a little about what technologies are available to break into a Windows password. The goal here is not to make hackers out of you, but rather educate you on what other hackers are doing in order to break into a Windows password. As you will see, different Windows operating systems have different attacks that can be used against them. Dramatic improvements have been made with Windows Server 2003 and XP and beyond for protecting against hackers wanting to get information about hacking passwords.
Many of the tools that I describe in this article come from hacker sites. I would suggest that you do not download any of these products and tools on a production network or desktop. Ensure that the network and production environment is protected from anything that might come from a site containing these tools. Also, many companies have written security practices that prohibit the use of the products and tools. Ensure that you work with your security staff before downloading, installing, or using any of the products.
By far one of the most popular and successful ways that an attacker will access a user password is through a social engineering attack. Social engineering attacks might come in different methods and modes. Some might be with a barter for the password, where other attacks might just be "impersonation" of the HelpDesk, IT , or security professional within the company.
If you feel that a social engineering attack is beyond your environment, I would highly suggest that you read this report on how the IRS was put under a social engineering attack scenario and the results were quite amazing! You can read the article here. As a past consultant and hired trainer for the IRS, I am fully aware of the security awareness and technical education that they are put under. These results are scary and unfortunately, not outside of the norm for most organizations.
The only true way to defend against a social engineering attack is education. Users must be educated on how to protect their password, reset it often, keep it private, and not give it out after 10 seconds of a phone call with someone that is trying to attack the system.
Another popular method of obtaining a user's password is by guessing. Everyone reading this article has "guessed" a password on some system I the past 6 months. It is something that we do all the time. The key is to not allow passwords that are easily guessed on your network. If you want a list of easily guessed passwords, look at the list that ConFlicker used to break into the Administrator account on the last attack of this worm. The worm itself had a password cracker built into it, making it a very powerful and rogue worm.
Again, education helps go a long way here. Give users a list of good passwords that they can start from. The passwords should not have the following characteristics:
- Too complex
- One that uses routine character exhanges (IE. Password becomes [email protected]$$w0rd)
- Easy dictionary words
In addition to guessing passwords, it is a common scenario for a user to write down a password and place it somewhere that is easy to find and see. Of course, I am talking about the situation where users write their password on a sticky, and then put it on their monitor, under their keyboard, on their desk, etc. Also, I have seen where users will just write their password on their monitor or keyboard, in clear sight for anyone to see. This is a horrible practice and should be monitored and audited during a routine security audit of the company and computers. It should also be included in the written security agreement that users can not act in this way or disciplinary action will be taken against them.
Hack Tool Attacks
There are some common hack tools that exist, which all can take numerous approaches in attacking Windows passwords. What the password hacking tools are actually attacking is the password hash that is generated by the operating system. This hash is important to the different levels of Windows operating system, because the newer operating systems support better password hash algorithms. The weakest of these password hash algorithms is LanManager (LM). LM was designed for Windows for Workgroups and is extremely old and out of date. Next is NTLM, then NTLMv2, finally Kerberos. Kerberos is used between nearly all desktops and servers within an Active Directory environment, but LM is still supported and enabled! (We will discuss how to protect against the use of LM in the next article.)
Dictionary attacks are when tools, like Cain and Able, use a hackers dictionary to try and obtain the password. Dictionaries are available from nearly anywhere on the Internet and custom dictionaries can be included in Cain and Able.
Brute Force attacks are also very common. In a brute force attack the attack tool is configured to support a suite of characters that will be used to attack the password hash. Here, all variations of the characters will be used to generate a hash, which will then be compared to the hash related to the Windows password. Figure 1 illustrates the options that are available to perform a brute force attack.
Figure 1: Brute Force attacks can use any number of character combinations
Since a brute force attack must generate a hash for all combinations of the characters that you choose, it is not highly efficient. So hackers developed a way to store the different character combination hash results into a database. These are called Rainbow tables. Rainbow tables are nothing but a predetermined set of hash tables. Rainbow tables take about 1/10th the time to break a password then brute force attacks. There are tools such as the Rainbow Table Generator, shown in Figure 2, which can generate your own custom table. Tools like Cain and Able support Rainbow tables, which is illustrated in Figure 3.
Figure 2: You can use a free tool like the Rainbow Table Generator to design your own tables.
Figure 3: Rainbow tables are supported in nearly every new password hacking tool
There can be many attacks on a Windows password. Some are highly technical and others are merely manipulation of the actual user to give out their password. In most cases of social engineering and password guessing, education can go a long way. Users should be educated on how to properly create a password that is not easily guessed. They should also be instructed to never give out their password to anyone on the phone or to other colleagues. Tools such as Cain and Able (only one of many password attack tools) have many options to try and break into passwords. Dictionary attacks, brute force attacks, and Rainbow tables provide good arsenal against weak passwords and weak password hashes. Next week we will go over ways and methods that can be easily developed to protect Windows passwords against most attacks and even make the password easier to remember.
If you missed the other parts in this article series please read: