Wednesday, July 20, 2011

Password Sniffing: How to sniff passwords from LAN

Password Sniffing

Password guessing is hard work. Why not just sniff credentials off the wire as users log in to a server and then replay them to gain access?

Most networks use broadcast technology, which means that every message emanating from any computer on the network can be captured by every other computer on the network. Normally, the message is not picked up by other computers because the intended recipient's MAC address does not match their MAC address. Therefore, all the computers except the recipient of the message notice that the message is not meant for them and ignore it. However, if a system has a sniffer program running on it, it can scan all the messages which traverse the network looking for passwords and other sensitive information. For instance, if a user logs into a computer across the network and the attacker's system is running a sniffer program, the attacker can sniff out the login information, such as the user name and its corresponding password. This makes it easy for the attacker to log in to the target system as an authentic user and compromise it further. This technique is called password sniffing.

This is a serious threat to users, such as remote users, who log in to computers from remote sites. Therefore, the password security of a remote user is only as good as the network he/she uses to access the remote computer.

Hacking Tool: L0phtCrack

  • LC4 is a password auditing and recovery package distributed by @stake. Its SMB packet capture listens on the local network segment and captures individual login sessions.

  • With the L0phtCrack password cracking engine, anyone who can sniff the wire for extended periods is almost guaranteed to obtain Administrator status in a matter of days.

Windows operating systems based on the LAN Manager networking protocols use an authentication system that consists of transmitting a hashed twenty-four-byte password across the network from client to server in a challenge/response format. The hashed password from the client is compared with the hash of the same password in the server's database, and a match results in authentication. However, the problem lay in the weak hash algorithm and the conversion of the password to uppercase before hashing (thereby eliminating case sensitivity). The algorithm divided the password into seven-character segments and hashed them individually. This allowed the attacker to restrict password cracking to seven characters at a time, which made it much easier. The weakness of the password hash, coupled with the transmission of the hash across the network in the challenge/response format, made LM-based systems highly susceptible to password interception and brute-force attack by L0phtCrack.

In Windows NT, however, case sensitivity was included to strengthen the password, but coupling LM authentication with the NTLM authentication scheme to facilitate backward compatibility with LAN Manager-based systems resulted in both hashes being sent across the network for authentication and being stored in the password databases. This allowed L0phtCrack to capture and crack the much simpler LM hash first and then apply the result of that broken hash to the NTLM hash to determine any differences (in practice, the letter case).
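To make the two weaknesses above concrete, here is an added example (not code from this post or from L0phtCrack) that computes an LM hash in Go with the standard library's DES: the password is upper-cased, NUL-padded to 14 bytes and split into two 7-byte halves that are hashed independently, so "Secret" and "SECRET" collide, and any password of seven characters or fewer carries the constant second half aad3b435b51404ee, which a defender can spot in a stored hash. It assumes an ASCII password; real LM uses the OEM code page for the uppercase step.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmMagic is the fixed plaintext that LM encrypts under each password half.
var lmMagic = []byte("KGS!@#$%")

// desKey expands 7 password bytes into an 8-byte DES key by inserting a
// parity bit after every 7 bits (Go's des package ignores parity).
func desKey(h []byte) []byte {
	k := make([]byte, 8)
	k[0] = h[0] >> 1
	k[1] = (h[0]&0x01)<<6 | h[1]>>2
	k[2] = (h[1]&0x03)<<5 | h[2]>>3
	k[3] = (h[2]&0x07)<<4 | h[3]>>4
	k[4] = (h[3]&0x0f)<<3 | h[4]>>5
	k[5] = (h[4]&0x1f)<<2 | h[5]>>6
	k[6] = (h[5]&0x3f)<<1 | h[6]>>7
	k[7] = h[6] & 0x7f
	for i := range k {
		k[i] <<= 1
	}
	return k
}

// LMHash returns the 16-byte LM hash as lowercase hex (ASCII password assumed).
func LMHash(password string) string {
	buf := make([]byte, 14)              // NUL-padded and truncated to 14 bytes
	copy(buf, strings.ToUpper(password)) // case folding: "Secret" == "SECRET"
	out := make([]byte, 16)
	for i := 0; i < 2; i++ { // each 7-byte half is hashed on its own
		c, err := des.NewCipher(desKey(buf[i*7 : i*7+7]))
		if err != nil {
			panic(err)
		}
		c.Encrypt(out[i*8:i*8+8], lmMagic)
	}
	return hex.EncodeToString(out)
}

func main() {
	for _, p := range []string{"", "secret", "Secret", "password"} {
		fmt.Printf("%-10q %s\n", p, LMHash(p))
	}
}
```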

Hacking Tool: KerbCrack

  • KerbCrack consists of two programs, kerbsniff and kerbcrack. The sniffer listens on the network and captures Windows 2000/XP Kerberos logins. The cracker can be used to find the passwords from the capture file using a brute-force attack or a dictionary attack.

KerbCrack demonstrates the possibility of obtaining user passwords by simply listening to the initial Kerberos logon exchange. Let us explore how this can also be vulnerable to brute-force attacks.

In general, encryption protocols such as Kerberos can be circumvented under the following four scenarios:

  • The attacker is able to steal the encrypted key, by any means possible.

  • The attacker finds a flaw in the implementation of the protocol, attributable to the vendor.

  • The attacker finds a flaw in the protocol itself, which is highly unlikely.

  • The attacker tries all possible keys in a brute-force approach. This is a real possibility.

---Regards,
Amarjit Singh
