How I Cracked Your Password

Vinh Tang
Adventures in Consumer Technology
6 min read · Jun 30, 2019

Using a secret phrase as the key element of access control dates back centuries. It is an old system, but because it is so simple and so universally supported by modern technology it is here to stay (and so are its weaknesses!).

Passwords are one of the three classic authentication factors; a system that checks only one of them is using Single Factor Authentication (SFA). The factors are:

  • Something you know (Password)
  • Something you have (Access pass)
  • Something you are (Fingerprint ID)

Most authentication systems in use today rely on a password as the primary means of verifying an account holder’s identity. That isn’t to say that Multi Factor Authentication (MFA) setups are not widely implemented; for the sake of today’s discussion, though, we’re excluding MFA.

Today, we’ll be exploring the basics of password cracking and how simple it could be to break weak passwords.


Password Hashing

Firstly, we need to understand how a password is processed and stored for later use by the authentication engine. There are two options:

  • Plain text, i.e. stored in a directly human-readable form.
  • Hashed, i.e. run through a one-way function so that the stored value cannot be turned back into the password. (This is often loosely called “encrypted”, but encryption is reversible with the right key; a hash is not.)

Only in the former case can the stored value be typed straight into the login field. A hash is not the password, only a fixed-length digest of it, so entering it would be rejected as incorrect. When a user logs in, the system runs the submitted password through the same one-way hashing algorithm and compares the result to the stored hash. If the two match, the login is considered successful.

Comparison Between Plaintext and an MD5 Hash

So you’re thinking:

“Surely no service stores their passwords in plain text form. That’s just idiotic”

Hate to burst your bubble, but Facebook did. It’s best practice, and in many cases mandatory under data security standards, to hash passwords.

A good example of hashed passwords is what is stored on your Windows PC at home.

The SAM registry hive in C:\Windows\System32\config\ holds each local account’s NT hash, commonly called the NTLM hash: an unsalted MD4 digest of the UTF-16LE-encoded password (Windows Vista, 7, 8 and 10 store only this hash by default; older versions also kept the far weaker LM hash). The hive is locked while Windows is running and its contents are additionally encrypted with a key derived from the SYSTEM hive, which is why dumping tools need administrator rights or offline access to the disk.

How Do You Get The Hashes?

You’re probably thinking that if I can prevent the hashes from being stolen from my computer in the first place, I’m safe? Good luck with that.

There are a variety of tools out there which you could use to extract the hashes from a target computer. In this piece, we’re going to outline two methods: one involving siphoning the hashes over the network, the other uses a local tool to dump the hashes from the target machine.

Network Based Attack

Ettercap is the tool we’ll use to perform a “Man-in-the-Middle” (MitM) attack and fool the target computer into talking to us instead of the legitimate servers. It is used together with the http_ntlm capture module in Metasploit, which answers HTTP requests with an NTLM authentication challenge so that the victim’s browser presents a login prompt.

In essence, we are masquerading as the network’s DNS server and pointing the user at our machine whenever they attempt to navigate to a web page. To get into the path between the victim and the real DNS server in the first place, we use an Address Resolution Protocol (ARP) poisoning attack, which tricks the victim (and the gateway) into sending traffic meant for each other through our host.

We first make our machine the answer for the domains we want to hijack by editing the etter.dns file found in /etc/ettercap/ so that those names resolve to our IP address.

We then develop our hosts list by scanning the network.


After selecting our target, we enable the dns_spoof plugin which establishes our phony DNS server. From there, we commence our ARP poisoning and sniffing.

Firing up Metasploit, we start the http_ntlm capture server to collect the NTLM authentication responses.

So this works by directing HTTP traffic from our target to our attack machine. Now if the user were to navigate to an HTTP website, they’d be served with a login prompt asking for their user account details. Note what is actually captured here: the browser does not send the NT hash itself but a NetNTLM challenge-response computed from it. That is still crackable offline, but it has to be cracked in a tool that understands that format (John the Ripper and hashcat both have NetNTLMv1/v2 modes); the plain NTLM rainbow tables used later in this piece apply to hashes dumped from the SAM, not to these captures.

Note this is the plain-HTTP version of Google.com.au. An HTTPS site would not produce this prompt: the spoofed DNS answer still sends the browser to us, but we cannot present a valid certificate for the domain, so the user sees a certificate warning instead.

And surprise surprise, look at what shows up on our malicious server.

This is saved in a text file in /root/Desktop, which will be useful for subsequent cracking.

Now keep in mind, this will not fool too many people, but you’d be surprised at who will be willing to enter their login details like this.

Local Attack Vector

For our second tool, we’re turning to the all-time classic pwdump7. This does, however, require that you already have administrator-level access to the target machine, since the SAM hive cannot be read by an ordinary user. Compared to the network attack vector above, this is considerably simpler: run the program from the command line, redirect its output to a text file, and it’ll do the rest.

pwdump7 output redirected into a .txt file, with the hashes ready for cracking

Cracking Password Hashes

The most common way to crack these hashes is a dictionary attack: take a list of millions of candidate passwords, compute each one’s NTLM hash, and compare it to the hash of interest. When a computed hash matches, the candidate that produced it is the password. (A pure brute-force attack does the same thing over every possible string of a given length and character set rather than over a list.) Because the NT hash is unsalted, each candidate only needs hashing once to be checked against every account in a dump.
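As an added example (not the author’s code and not taken from any of the tools in this piece), here is what the hash-and-compare step from the Password Hashing section and the dictionary attack just described look like in Python. The NT hash is MD4 over the UTF-16LE encoding of the password with no salt, so a single hash per candidate is looked up against every dumped account at once. The pwdump-style lines, the account names and the wordlist are constructed for the example; the pure-Python MD4 is included only because hashlib’s MD4 is frequently unavailable on OpenSSL 3 builds.

```python
import hmac
import struct

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest (the primitive underneath the NT hash)."""
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (  # (mixing function, additive constant, word order, shifts)
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         tuple(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        words = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for fn, k, order, shifts in rounds:
            for i, w in enumerate(order):
                a = _rotl((a + fn(b, c, d) + words[w] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate roles so the next step updates d
        a0, b0, c0, d0 = ((a0 + a) & MASK, (b0 + b) & MASK,
                          (c0 + c) & MASK, (d0 + d) & MASK)
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """Hex NT ("NTLM") hash as stored in the SAM: MD4(UTF-16LE(password)), unsalted."""
    return md4(password.encode("utf-16-le")).hex()


def verify(password: str, stored_hex: str) -> bool:
    """What the authentication engine does: hash the input, compare to the stored hash."""
    return hmac.compare_digest(nt_hash(password), stored_hex.lower())


def nt_hashes_from_pwdump(dump_text: str) -> dict:
    """Clean pwdump-style lines (user:RID:LM hash:NT hash:::) down to {user: NT hash}."""
    out = {}
    for line in dump_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or len(parts[3]) != 32:
            continue  # skip blank lines and anything that is not a dump record
        out[parts[0]] = parts[3].lower()
    return out


def dictionary_attack(targets: dict, wordlist) -> dict:
    """Hash each candidate once and look it up against every target hash.

    Unsalted hashes make this possible: one MD4 per candidate covers all users,
    and two users with the same password share the same hash."""
    by_hash = {}
    for user, h in targets.items():
        by_hash.setdefault(h, []).append(user)
    found = {}
    for word in wordlist:
        for user in by_hash.get(nt_hash(word), ()):
            found[user] = word
        if len(found) == len(targets):
            break
    return found


# Constructed sample in pwdump7's format. The LM field holds the well-known
# "no LM hash" value; the NT hashes are computed here so the sample is
# self-consistent. Account names and passwords are illustrative only.
_NO_LM = "aad3b435b51404eeaad3b435b51404ee"
SAMPLE_DUMP = "\n".join([
    f"Administrator:500:{_NO_LM}:{nt_hash('password')}:::",
    f"alice:1001:{_NO_LM}:{nt_hash('nbmtr69')}:::",
    f"svc_backup:1002:{_NO_LM}:{nt_hash('Tr0ub4dor&3-but-much-longer')}:::",
])
SAMPLE_WORDLIST = ["123456", "password", "qwerty", "nbmtr69", "letmein"]

if __name__ == "__main__":
    targets = nt_hashes_from_pwdump(SAMPLE_DUMP)
    for user, pw in dictionary_attack(targets, SAMPLE_WORDLIST).items():
        print(f"{user}: {pw}")
```

The third account is never recovered because its password is not in the list, which is the whole point of the Final Thoughts below: the attack is only as good as the candidate set, and a long password outside any list or table leaves the attacker with nothing but exhaustive guessing.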

Rainbow tables take the precomputation further: they store the results of hashing enormous candidate sets in advance, packed into compressed chains, so that cracking a given hash becomes a table lookup rather than fresh computation. They only work against unsalted algorithms such as NTLM. You pick your tables based on the hashing algorithm (in our case NTLM), the maximum password length you expect to crack and the character set expected (uppercase, lowercase, digits, symbols).

Be mindful that complete tables run to hundreds of gigabytes or even terabytes (TB) and will take up a lot of space.

For this example, we’ve purposely chosen an easy password to save time. Hence, we only need the ntlm_loweralpha-numeric-space#1–8 table, which covers passwords of 1 to 8 characters drawn from lowercase letters, the digits 0–9 and the space character.

rcracki_mt is a command line tool that searches rainbow tables for our hashes. Note that you first need to clean up the file containing the dumped password hashes so that it contains ONLY the hashes, one per line, and none of the other fields pwdump prints around them.

Before and after cleaning: the raw dump lines, then the bare hashes only.

Whilst you can input a whole file for multiple hash cracking, we simply copy-pasted our hash in as an argument to the command line shown below:

This yielded our password: nbmtr69.

Another all-time favourite password cracking utility is John the Ripper. Point it at the hash file, tell it the hashes are in NT format and give it a wordlist, and it does the rest.

Yielding our plaintext password: nbmtr69.

Final Thoughts

The limits of today’s rainbow tables show why length matters: every extra character multiplies the number of possible passwords by the size of the character set, so a password just a few characters longer than the tables cover forces an attacker back to dictionary and brute-force guessing, which becomes exponentially more expensive with each added character. A bit of extra complexity (mixed case, digits, symbols) widens the character set and helps too, though length does most of the work. You may not be able to prevent attackers from getting your NTLM hashes, but you can at least make them uneconomical to crack. For good measure, changing your password periodically to something equally long and complex limits how long a cracked hash stays useful, making you a VERY unattractive target.

Now the question is: How are you supposed to remember an incredibly long and complex password which is periodically having to be changed? That’ll be our next discussion topic!


Adelaide Based PC Hardware, Software and IT Security Content Producer.