This was a paper I wrote for a college course. It's just a basic introduction to password guessing. This document is also displayed on Dr. Fred Cohen's all.net site: (http://all.net/CID/Attack/papers/PasswordGuessing2.html).

Abstract

Passwords, passphrases and security codes are used in virtually every interaction between users and information systems, [1]. Unfortunately, with such a central role in security, easily guessed passwords are often the weakest link. They grant attackers access to system resources; and bring them significantly closer to being able to access other accounts, nearby machines, and perhaps even administrative privileges, [1]. The purpose of this research is to introduce the concept and methodology, follow it by some real-life examples, and scare organizations into implementing stronger password policies.

Password Guessing

Passwords are sequences of symbols usually associated with a user name. The combination provides a mechanism for identification and authentication of a particular user. If all was right with the world, they would be more or less unique and grant privileges only to the account's owner (or other intended user). Alas, the world is not all right. Attackers have several venues of guessing passwords and overcoming this obstacle.

Fairly low on the difficulty scale, we have attacks against default passwords. These are established by the vendor and built into many applications and operating systems, allowing attackers an almost effortless point of entry. The vulnerability exists because overworked, uninformed, or lazy administrators fail to change them; and crackers maintain large databases. Exploits of this nature are easy to implement and either succeed or fail within a matter of seconds (or probably longer if the target device must be identified first). For an example database of default passwords see [3] [4] and [5].

A dictionary-based attack usually consists of parsing a word file, encrypting or hashing that word (according to a particular algorithm), and comparing the result to the encrypted or hashed password from the victim machine. If the comparison matches, we have the original password. Of course, this could be far more difficult if we do not know the correct algorithm or do not have access to the encrypted system file. We can also use this attack to login to network services. By examining the server's response (i.e. the text string "Password Incorrect" or "Successful Login") to each argument we send, we can determine which accounts are vulnerable to dictionary-based attacks. Duration and probability of success vary depending on a system's processing efficiency and quality of the dictionary file, though attacks with small dictionaries often have success rates near 20%, [11].

We also have hybrid attacks, which append, prepend, or insert numerical (0-9) and special (!@#$%*, etc.) characters to dictionary terms. Passwords guessed at this level might be something like "129good45guess" or "pa55w0rd." Finally, the most complex and time consuming method is implementing brute force. With this attack we can expect every possible keystroke character in every possible sequence to be tried until the correct combination (and order) is chosen. It is not abnormal for a brute force attack against an NT (MD4) Hash, MD5 Hash, or algorithm of similar strength to last for weeks, months, or even years. Mathematically, an 8-symbol passwords chosen uniformly and at random from an alphabet of 100 symbols would require 5 quadrillion guesses, [10].

Though the terminology of each mode may differ (i.e. brute-force in L0phtcrack is equivalent to incremental mode in John the Ripper), the concepts remain the same. Advanced programs also allow user-specified character sets and customized functions for generating password guesses. Furthermore, if an attacker is educated in a user's interests, hobbies, family names, and other personal information, they may build on the dictionary file with such terms.

How Vulnerabilities Originate

We've already discussed the impact that default passwords have on a system's security. Additionally, on almost all machines, the users themselves choose the passwords. This places the burden of security on end users who either do not know, or, sometimes do not care about sound security practices, [2]. Possible reasons include ignorance, carelessness, and inconvenience. As a general rule, passwords that are simple to remember, are, likewise, easy to guess. We can also expect many users to use the same password for more than one account on possibly more than one system (what could be more convenient than only having to remember one password?).

A system's cryptographic protocol also plays a roll in security (or lack thereof). For instance, Unix machines might rely on crypt, a one-way hashing algorithm based on a modified DES algorithm, to transform passwords into ciphertext, [14]. Since crypt, algorithms such as MD5 were found to provide a more secure and attack-resistant representation of passwords; yet many systems have not upgraded.

Likewise, Windows machines are troubled by something similar. By default, several versions of Windows store two representations of each password on the local disk, [1]. One of these representations (the LM hash) is simply for backward compatibility with older, less sophistcated machines. The LM passwords are extremely weak compared to the stronger representation (the NT hash) and they can be guessed by force in a very short amount of time, [1].

Specific Tools and Exploits

• An Evening with Berferd - as told by several security experts, cracker(s) tried to exploit the old DEBUG hole in sendmail for a copy of the /etc/passwd file - presumably on which to run a password cracking program, [11] [12]. Later, attempts were made to add null-password accounts to the machine, change those passwords, and alter other system files, [11] [12].
• A large segment of the 1988 Internet Worm's code was a function devoted to massive password guessing attacks against computer systems on the Internet, [12]. As such, the worm penetrated security mechanisms with ease, especially when the system passwords were weak or comprised of one or several of the most commonly used terms (love, god, password, secret, sex, etc.), [12].
• Default SNMP Community Strings - SNMP v1 and the unextended v2 uses an unencrypted "community string" as its only authentication mechanism, [9]. A majority of devices from various vendors set this string to either public or private, [9]. Attackers use this vulnerability for network reconnaissance or reconfiguration of the SNMP device or host computer system.
• Passwords sent via SSH encrypted with RC4 can easily be cracked by an attacker who is able to capture and replay the session, [13]. This occurs for three reasons: SSH sessions can be played back, RC4 algorithm has some specific weaknesses, and the SSH daemon leaks unnecessary information during the authentication phase of the protocol, [13]. The attacker can then login with the stolen account. This teaches us to not take anything for granted - if SSH (Secure Shell) exposes our passwords, we might as well use clear text services such as FTP or Rlogin.
• L0phtcrack - a Windows 9x/NT/2000 password guesser developed by Mudge that implements dictionary, hybrid, and brute-force attacks, [6]. The program must be fed a password file; which can be obtained from the local registry, a remote machine's registry, or the integrated network capture tool.
• John the Ripper - a password guesser by Solar Designer with support for several flavors of Unix, DOS, Win32, BeOS, and OpenVMS. It also supports Kerberos AFS and Windows NT/2000/XP LM hashes, [7].
• Crack - a password guesser by Alec Muffet for use on Unix systems. Like others, Crack is capable of using several methods to generate guesses and distributing the process load among hosts on a network. Concerning duration, the typical audit will last for "at least hours, probably days, possibly weeks," [8].
• A more comprehensive collection of events can be found by searching www.cert.org or www.sans.org for "password"

Summary, Conclusions, and Further Work

The SANS Institute ranked weak or nonexistent passwords the third (Windows) and fourth (Unix) most critical Internet security vulnerabilities, [1]. If ever an ounce of prevention was worth a pound of cure - this is it. From a technical point of view, defending against password attacks is very simple: declare and enforce policies with complexity and length requirements, minimum and maximum password ages, and strong cryptography. For a full list of recommendations see [1]. Keep in mind that passwords can also be acquired via scavenging (dumpster diving), social engineering, coercion, and even the simplest form of password guessing - the educated guess.

Bibiography
[1] The SANS Institute Top Twenty Most Critical Internet Security Vulnerabilities, October 2003. www.sans.org/top20 [This document provides an ordered list of the top 10 vulnerabilities on both Windows and Unix based systems].
[2] Skoudis, Ed. Couter Hack. New Jersey: Prentice-Hall, Inc., 2002. [This text provides a step-by-step guide to computer attacks and effective defenses].
[3] A default password list available on the Internet. www.astalavista.com/library/auditing/password/lists/defaultpasswords.shtml
[4] A default password list available on the Internet. www.phenoelit.de/dpl/dpl.html
[5] A default password list available on the Internet. www.wiresplice.com/html/default_passwords.html
[6] L0phtcrack www.atstake.com/research/lc/ [This link displays documentation for the award-winning password auditing and recovery application, LC4].
[7] John the Ripper http://www.openwall.com/john/ [This is the homepage for JtR project].
[8] Crack http://www.crypticide.org/users/alecm/ [This is the homepage for Alec Muffet's Crack program].
[9] Northcutt, Steven, Mark Cooper, Matt Fearnow, and Karen Frederick. Intrusion Signatures and Analysis. Indiana: New Riders Publishing, 2001. [This text is part of the SANS GIAC series and provides in depth attack descriptions, mechanisms, network traces, and defense recommendations].
[10] The Security Database at www.all.net Attack #32 Password Guessing [This is a database of threats, attacks, and defenses maintained by Fred Cohen].
[11] Cheswick, William R., Steven M. Bellovin, and Aviel D. Ruben. Firewalls and Internet Security, 2nd Edition: Repelling the Wily Hacker. Boston: Addision-Wesley, 2003. [This text introduces the philosophy of Internet security, dissects possible attacks on hosts and networks, and describes the tools and technques used to perpetrate - and prevent - such attacks].
[12] Denning, Dorothy E and Peter J. Denning. Internet Besieged - Countering Cyberspace Scofflaws. Boston: ACM Press, 1988. [This text describes in-depth several break-ins on the Internet, assualts on privacy, and thefts of information].
[13] The Computer Emergency and Response Team (CERT) Vulnerability Note VU#565052 www.kb.cert.org/vuls/id/565052 [This link describes the weakness in SSH and the RC4 algorithm that allows attackers to capture and exploit system passwords].
[14] Unix man pages for crypt, available by typing 'man crypt' into a Unix terminal.