IST 454

Password Cracking Team Beta

George Adams, Ryan Brennan, Scott Hansen, Matthew Knouff, James Searl, Sean Soss

Password Cracking

Poison a network to gather passwords, dump Windows passwords, and then use a password cracker to find the plaintext values for all hashed passwords.

Objectives

● Poison a network.
● Use a password cracker to decrypt a hashed password.
● Dump Windows NTLM passwords and decrypt them.

Introduction

This lab demonstrates how to obtain and crack a password on an ARP-poisoned network. This is accomplished with Cain and Abel, a password recovery tool for Windows. The program allows users to perform an ARP poisoning attack, in which an attacker intercepts traffic between the victim and the router by presenting himself as the client to the router and as the router to the client, ultimately performing a ‘man-in-the-middle’ attack. From then on, all traffic must pass through the attacker, whether it is coming from another user or from the router. The attacker will be able to see all passwords that are going across the network. If a password is hashed, the attacker will use Cain’s hash cracker to recover the plaintext password.
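Seen from the defending side, the poisoning described above leaves a trace: the router's IP address suddenly maps to a different MAC address, and one MAC address answers for several IPs. The following Python code is an added example (not part of the original lab report) that flags both conditions in a list of observed ARP replies; the sample addresses and the function name detect_arp_poisoning are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of observed ARP replies: (time, sender IP, sender MAC).
# Every address here is made up for this example.
SAMPLE_ARP_REPLIES = [
    (1.0, "192.168.1.1", "aa:aa:aa:aa:aa:01"),    # router
    (2.0, "192.168.1.20", "bb:bb:bb:bb:bb:20"),   # workstation
    (3.0, "192.168.1.66", "cc:cc:cc:cc:cc:66"),   # third host
    (9.0, "192.168.1.1", "cc:cc:cc:cc:cc:66"),    # router IP now claimed by third host
    (9.1, "192.168.1.20", "cc:cc:cc:cc:cc:66"),   # workstation IP claimed by same MAC
    (12.0, "192.168.1.20", "bb:bb:bb:bb:bb:20"),  # genuine workstation still answering
]

def detect_arp_poisoning(replies, gateway_ip=None):
    """Return alerts for changed IP-to-MAC bindings and MACs claiming several IPs.

    The first MAC seen for an IP is treated as its baseline (an assumption of
    this example; a known-good table would be a stronger reference).
    """
    baseline = {}                  # ip -> first MAC observed
    ips_by_mac = defaultdict(set)  # mac -> IPs it has answered for
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        expected = baseline.setdefault(ip, mac)
        if mac != expected:
            alerts.append({"time": ts, "type": "binding_changed", "ip": ip,
                           "expected": expected, "seen": mac,
                           "gateway": ip == gateway_ip})
        if ip not in ips_by_mac[mac]:
            ips_by_mac[mac].add(ip)
            if len(ips_by_mac[mac]) > 1:
                alerts.append({"time": ts, "type": "mac_claims_multiple_ips",
                               "mac": mac, "ips": sorted(ips_by_mac[mac])})
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_ARP_REPLIES, gateway_ip="192.168.1.1"):
        print(alert)
```

A changed binding for the gateway address is the highest-priority alert, since that is the entry a man-in-the-middle has to overwrite on the victim.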

Figure source: http://securitymusings.com/wp-content/uploads/2008/12/arp-spoofing.png

Technologies Used

1. Windows Operating System
2. Cain and Abel

Task Poisoning the Network

1. The first step is to download the software. Go to Google and type in “Cain and Abel password cracker”. The first result is the website we want: http://www.oxid.it/cain.html. Download Cain and Abel v4.9.38 for Windows NT/2000/XP. Once the download is complete, open the .exe and install.

2. Now open Cain and Abel. Click the sniffer tab. Then click the ‘sniffer on’ button. This will begin the process of viewing all packets passing through the network. Then right click in the window and select ‘Scan MAC addresses’ and hit ok. This will show all available devices currently on the network.

On the bottom, select the APR tab and hit the plus button to add a host. Add the router on the left side and the devices you wish to poison on the right side. By adding the router we will see every single packet passing through the network.

3. Click the ‘poison on’ button, which looks like a radioactive symbol. This will begin the process, which reroutes the packets to our host machine, then out to the Internet. When the packets are returned, they are first sent to our machine, then back to the target. This will allow us to see any passwords that are going across the network.

4. An example of a website that transfers its username and password information in plain text is reddit. As an example, we signed in as ist454 and used the password: pass123.

5. Here is a website we set up for demonstration purposes that has a simple log-in that will hash the password before sending it back: http://php.scripts.psu.edu/gha5004/IST%20454/TensSpace/Portal/admincp/login.php. We type in the username ‘admin’ and the password ‘pass’ (JavaScript must be enabled for client-side password hashing).

6. When we go back to the sniffer tab in Cain and click the password tab on the lower taskbar, we see that it has sniffed the username and plaintext password for the reddit page and the username and the hashed password for the MCIS portal page.

Task De-Hashing Passwords

1. The password for the MCIS portal page should have been hashed with MD5 and requires hash cracking. To do this, we copy the MD5 hash into the cracker tab under the MD5 option in the left list. Click the plus button in the top toolbar and paste in the hash to be cracked. Press OK and you will see your hash value on the list.

2. Right click on the value and you will see several options to crack the hash value. The dictionary attack option will compare the hash value to a database of known hash values to attempt to find a match. This option is normally the best, given that you have an adequate dictionary.

3. Next, the brute force attack will simply compare the hash value to every possible value in an attempt to get a match. This can take an extraordinarily long time for some passwords. For this demonstration, we will use the brute force option.

4. Finally, we will set the search parameters to include all alphanumeric and symbol characters. Click Start. Cain will then begin attempting to find a match against the provided hash. Given that this is a brute force attack, it may take an extended period of time.
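The dictionary option in step 2 works because the portal's MD5 digests are unsalted: the same password always produces the same value, so it can be matched against precomputed hashes. The added example below (not part of the original lab or the portal's code) contrasts that scheme with salted PBKDF2 storage on the server; the account names, the record format and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for this example; tune for your hardware

def unsalted_md5(password):
    """Weak scheme from the lab: identical passwords give identical digests."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def hash_password(password, iterations=ITERATIONS):
    """Hardened scheme: random per-account salt plus a slow key-derivation function."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), key.hex())

def verify_password(password, record):
    """Recompute the derived key from the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, key_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record
    if scheme != "pbkdf2_sha256" or rounds < 1:
        return False
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(key, expected)

def accounts_sharing_digest(store):
    """Audit helper: list groups of accounts whose stored values are identical."""
    groups = {}
    for user, stored in store.items():
        groups.setdefault(stored, []).append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)

if __name__ == "__main__":
    # Constructed accounts; two of them reuse the lab's demo password.
    passwords = {"admin": "pass", "alice": "pass", "bob": "correct horse"}
    weak = {u: unsalted_md5(p) for u, p in passwords.items()}
    strong = {u: hash_password(p) for u, p in passwords.items()}
    print("unsalted MD5 groups:", accounts_sharing_digest(weak))
    print("salted PBKDF2 groups:", accounts_sharing_digest(strong))
    print("login check:", verify_password("pass", strong["admin"]))
```

With per-account salts, a precomputed table no longer applies and every guess costs the full iteration count for each account separately.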

Task Windows Passwords

1. Click cracker tab. This will bring up the password cracker tool in Cain.

2. Click LM&NTLM on the cracker list on the left. This is the section dedicated to the Local Machine and NT LAN Manager cracks.

3. Click plus button on top toolbar, click Import hashes from local system, click OK. This imports the LM hashes from the host machine; usernames and respective password hashes are dumped.

4. Find account to be cracked and proceed with NTLM brute force attack. The password recovered by Cain was an NTLM hash. These types of passwords have two hash values. The NT is the challenge hash and the LM is the password hash.

To successfully crack the password, both hashes must be cracked together using a brute force NTLM attack.

Sources

1. "Oxid.it - Cain & Abel." Oxid.it - Home. 2001. Web. 06 Feb. 2011. This is the website that allows for free downloading of the Cain and Abel program. Also on this website there is a link to the user manual, which would be helpful in configuration.

2. Shimonski, Rob. "Hacking Techniques." IBM - United States. 1 July 2001. Web. 06 Feb. 2011. This website covers some basics of hacking techniques. Among the topics discussed are motives behind hacking attempts, tools used in the hacking trade, and different types of attacks.

3. Insecure.org. "Top 10 Password Crackers." Top 100 Network Security Tools. 2006. Web. 07 Feb. 2011. This site lists the top 10 tools used to crack passwords and the available operating systems that will run each tool.

4. Hyperionics - the Best Screen Capture Software - Free Download. Hyperionics, 2011. Web. 28 Feb. 2011. We downloaded HyperCam from this site.