Much of this chapter has focused on different "likely" passwords to try when initializing an educated brute force attack. We can go on forever listing common passwords - names of pets, historical dates, room numbers, book titles - not to mention all of the above with vowels removed, backwards, and in various anagram forms. There comes a time when you have to forget about trying to limit the number of possible passwords to a select few, because your "limited" number will be as infinite as before you put the restrictions in place. Besides, a password may be "easily guessable" and yet be secure enough to thwart your attempts to guess it.

The password "Smith" is not secure, and "Jones" is not secure, but "Smith@#Jones" is as obscure as anything. Outsiders see password guessing as a valiant pastime for the hacker, but in essence it is only the beginning of the hack. Brute force is best carried out by computers, and should really only be used when a computer is necessary to gain access (I'm thinking about Robert Morris Jr.'s worm program as an example). The thing is, the whole business of hacking has to do with skill and knowledge. Brute forcing passwords requires little of either. But no one's going to look down on a hacker who does some educated brute force work, especially if that hacker has a good reason for doing so. But don't rely on the computer's brawn to do your dirty work: use the ingenious computing power of your brain. And that is the topic of the following two chapters.

"Computer crimes deal with people to a far greater degree than they deal with technology."
Sound Bytes from Reviews of Secrets of a Super Hacker: "Secrets of a Super Hacker is a fascinating hacker cookbook that reveals the ease of penetrating even the most stalwart computer system."
Tuesday, 29 November 2011
Foiling The Brute Force Assault
As a youngster I remember going out to dinner with my family one night, where they had an all-you-can-eat special. Naturally I decided to do my part to see that I ate my fair share but by the third reorder, we were getting increasingly frustrated with the long waits and smaller portions. My dad explained it: "You see, that's what they do so you won't eat as much. They keep taking longer and longer to come out with the food, and they give you less of it." I don't know how true that was, but after a while it certainly was not worth waiting around forty minutes just to shovel down another plateful of food.
The techniques used to thwart brute force attacks work on the same principle as that all-you-can-eat restaurant. As mentioned earlier, if one is persistent enough then it is really only a matter of time before a legal username/password is hacked by guesswork or by chance. Therefore, the way to prevent such an attack from succeeding is to structure the system prompts to frustrate the hacker into quitting early.
The most common defense is allowing only a few login attempts before disconnecting. The computer may then refuse to allow a reconnection within a certain period of time. The drawback to this is that a legitimate user might be inconvenienced - though having to wait a few minutes is much less of an inconvenience than logging on to find one's files have been tampered with by some cracker.
Another method is to increasingly slow the response time to each successive login attempt. A prospective hacker might find himself waiting thirty seconds for a response from the remote computer... Then a minute... Then two minutes... The long waiting periods wouldn't start until the first three or four login attempts were tried and found unsuccessful. Then the computer would say to itself, "Gosh, no real user would spell his name wrong that many times. Must be a hacker!" Another trick is the dummy login prompt. After a certain number of unsuccessful login attempts the system continues asking for login information, but returns an error message no matter what the input is.
The moral of this story is, if you write a password-cracking program, be sure you monitor its progress. Don't just set it to run overnight and leave it unless you've first determined that such security measures are not in place. When you wake up the next morning you may find it's been taking forty minutes for the computer to respond to your inputs. Or you may find that every possible combination has been tried to no avail, and so you know that you've been wasting time responding to dummy login prompts.
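As an added worked example (Python written for this page, not code from the book), here is a login guard that applies the three techniques just described to one account: the escalating delay after the first few failures, the disconnect-and-cooldown lockout, and the dummy prompt that keeps asking but admits nobody. The user store, the thresholds and the "correct horse" password are constructed for the illustration.

```python
"""The three brute-force throttles from the passage, combined in one login
guard: escalating per-attempt delay, lockout with a reconnection cooldown,
and a decoy prompt that keeps asking but never lets anyone in."""
from dataclasses import dataclass, field
import hashlib
import hmac

# Constructed credential store with one hypothetical user. A real system would
# store a slow, salted hash (bcrypt/argon2); SHA-256 here only keeps the
# example self-contained.
SALT = b"constructed-salt"


def _digest(password: str) -> bytes:
    return hashlib.sha256(SALT + password.encode()).digest()


USERS = {"alice": _digest("correct horse")}

# Thresholds are assumptions chosen for the illustration, not from the book.
FREE_ATTEMPTS = 3        # failures tolerated before any delay
BASE_DELAY = 30          # seconds; doubles with every further failure
LOCKOUT_AFTER = 6        # the failure count that triggers a disconnect
LOCKOUT_SECONDS = 600    # reconnection refused for this long
DECOY_AFTER = 9          # after this many failures the prompt becomes a dummy


@dataclass
class LoginGuard:
    failures: dict = field(default_factory=dict)       # user -> consecutive failures
    locked_until: dict = field(default_factory=dict)   # user -> clock time

    def delay_for(self, user: str) -> int:
        """Seconds the caller must wait before the next prompt:
        0, 0, 0, 30, 60, 120, ... for successive failures."""
        n = self.failures.get(user, 0)
        return 0 if n < FREE_ATTEMPTS else BASE_DELAY * 2 ** (n - FREE_ATTEMPTS)

    def attempt(self, user: str, password: str, now: float) -> str:
        """Returns 'ok', 'denied' or 'locked'. Callers honour delay_for() first."""
        if now < self.locked_until.get(user, 0):
            return "locked"                  # still cooling down: refuse reconnection
        n = self.failures.get(user, 0)
        if n >= DECOY_AFTER:
            return "denied"                  # dummy prompt: even the right password fails
        expected = USERS.get(user)
        if expected is not None and hmac.compare_digest(expected, _digest(password)):
            self.failures[user] = 0
            return "ok"
        n += 1
        self.failures[user] = n
        if n == LOCKOUT_AFTER:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            return "locked"                  # disconnect and start the cooldown
        return "denied"


def simulate(guesses, user="alice", correct="correct horse"):
    """Replay a guess list and then the right password against the guard.
    Returns the (verdict, seconds waited) per attempt and the total elapsed
    time a guesser would have spent; shows why an unattended run stalls."""
    guard = LoginGuard()
    clock = 0.0
    results = []
    for g in list(guesses) + [correct]:
        wait = guard.delay_for(user)
        clock += wait
        verdict = guard.attempt(user, g, clock)
        results.append((verdict, wait))
        if verdict == "locked":
            clock += LOCKOUT_SECONDS         # wait out the cooldown before redialling
    return results, clock


if __name__ == "__main__":
    outcomes, elapsed = simulate(["guess"] * 9)
    for verdict, wait in outcomes:
        print(f"waited {wait:5d}s -> {verdict}")
    print(f"total time burned: {elapsed:.0f}s; right password never admitted")
```

simulate() replays nine wrong guesses and then the right password: the sixth failure disconnects the caller for ten minutes, the delays keep doubling afterwards, and by the time the correct password arrives the decoy mode refuses it too, so the whole run has cost over an hour and produced nothing, which is the operator's side of the book's moral.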
Brute Force Methods
Brute force means manual labor for your computer and, usually, lots of it. It isn't too difficult to do, but it is time consuming. What brute force methods entail is the inputting of one password after another until finally - maybe - something hopefully works. Or just until you give up and move on to a better method.
Brute force methods are usually the first and last thing a hacker does when trying to break into a system. The first time he does it, it's a half-hearted attempt. If he can guess the password right away, or after the first seventy-five or hundred attempts or so, then that's fine. After that fails it's on to trying out other angles for a while. If none of those more sophisticated ways work, then it's back to brute force for the big finish.
Brute force, after all, must work eventually. The "must" is what draws hackers to it; the "eventually" is what drives them crazy. Brute force takes a lot of time, but not much else. That time is spent in research, trial and error, and in writing special programs to hurl one password after another at the system.
Brute force is the least graceful way to fly, but since it eventually must be effective, eventually all hackers will resort to using it at one time or another. You may find yourself in a situation where you know nothing about the people who use a particular system; where common names and passwords have failed; and where no trick seems to work. In these cases, you will have to try the most brutal of all brute force approaches: you will have to write a little program that will repeatedly dial the computer system, enter a new name/password combination, and keep repeating this until something works. This could take forever.
Some hackers use a dictionary file they get from their word processing programs or off a bulletin board. This is a good idea, but only if you use it properly. Edit the dictionary file so it includes common names, each letter of the alphabet, musicians, names of cars and presidents, numbers, celebrity nicknames and other common password material. Get rid of the words like "perspectives" that just seem too weird for anyone to use as passwords.
Speaking of making things go faster for yourself, the same holds true when brute forcing non-language passwords. If you live in New York, you should begin your attack by brute forcing New York SSNs only. There are many ways to bring down the number of potential codes you have to check. The military uses what is called the TAC Access Control System (TACACS) to ensure legitimacy of usership of its network computers. The access codes that TACACS looks at are strings of alphanumeric characters - but the strings will never contain the numerals zero and one, nor the letters Q and Z. The theory behind this decision is that a user reading his or her access code off a code card can easily confuse 1s, 0s, Qs and Zs with other letters or numbers.
Once you have edited your dictionary of possible passwords to best suit your needs, or once you have determined which codes are the ones most likely to occur, you write yourself a little program in whatever language you know, to dial the modem, enter one word at a time as a password, and try, try again. And again. And again. This is a simple program to write, but if you don't have the expertise to do so, plenty of programs like this are available on BBSs.
There are some things to consider when writing the program. How many times will the computer system allow you to enter bad name/password combinations before it logs you off? Three? Eight? If it gives you three chances before saying bye-bye, make sure your program outputs exactly three name/password combos before redialing the number.
Often remote computers will accept characters as input even before the input prompt is put on the screen. If this isn't the case with the system you're trying to get into, you'll have to put a delay loop in your program to make sure passwords are not being entered before the cursor is on the screen.
Finally, what happens when your program does manage to ferret out a workable username and password? Unless you're sitting there, monitoring the computer as it does its thing, you need some way of knowing when a brute force attempt has been successful. Otherwise your program will continue to spit out passwords, and the system operators - who by now almost certainly have noticed what is going on - will be absolutely furious! Have the program monitor text as it is sent from the remote computer. When something other than the login prompts are received, have the program flash the screen and ring the loud bell on your printer. Either that, or have it input the logoff command, and print the usable username/password on the screen for you to see when you wake up the next morning.
If you know Joe User works for Company X, then you can have the program run through every combination of password with usernames Joe, User, JUser, and Joe User - not to mention other varieties like joe, JOE, and joeuse. (But from your research and experimenting you should have some idea what format the username will be in, so you shouldn't have to try too many variations.) If, on the other hand, you don't know the name of anyone who works there, you'll have to either find out (i.e., look in company directories, call up and ask, look in annual reports, newspaper articles, or any of a hundred other places to find names) or try every combination of possible first names. If you must resort to trying every first name, make sure you try female and foreign names. You might want to take a trip to the library and find out what the most popular first and last names are. But remember, you don't need the current popular names - you need names that were popular and common twenty or thirty years ago, when parents were naming the people who work in the company you're trying to break into.
Certainly, it is not absolutely essential to write a program to spit out passwords. If you have the time and patience, you can sit down and enter passwords yourself. But remember that this will take even longer than the already immense amount of time it takes a computer to brute force its way in. I must emphasize that no matter how many precautions you take to eliminate excess work, brute force will almost always take an extremely long time to bring results. Therefore, it's important to do what you can to speed up the entry of passwords. If you have to redial the modem after every three passwords, make sure you're running your attack off a phone line with Touch Tone capabilities.
Also, before you begin a brute force approach, set yourself up with the highest baud modem you can possibly acquire, even if you need to borrow one from a friend. Moving just a few notches up the baud ladder makes a big difference in speed.
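The text notes that the system operators "by now almost certainly have noticed what is going on". As an added example from the operator's side (Python written for this page, not from the book), here is what that noticing looks like in code: a detector run over constructed login-log lines that flags a source which hammers the prompt, cycles through username variants like Joe, JUser and JOE, or logs in successfully right after such a burst. The log format, the phone-number-style source identifiers and the thresholds are all assumptions made for the illustration.

```python
"""Spotting a guessing run from the operator's side: sources that hammer the
login prompt, cycle through username variants, or finally succeed after a
burst of failures, over constructed log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (not from the book): timestamp, outcome, user, source.
LINE_RE = re.compile(r"^(\S+) login (ok|failed) user=(\S+) from=(\S+)$")

SAMPLE_LOG = """\
1994-03-02T02:14:07 login failed user=joe from=555-0100
1994-03-02T02:14:09 login failed user=JUser from=555-0100
1994-03-02T02:14:11 login failed user=joeuser from=555-0100
1994-03-02T02:14:40 login failed user=JOE from=555-0100
1994-03-02T02:14:42 login failed user=juser from=555-0100
1994-03-02T02:15:01 login failed user=joe from=555-0100
1994-03-02T02:15:03 login ok user=joe from=555-0100
1994-03-02T08:30:00 login failed user=alice from=555-0199
1994-03-02T08:30:20 login ok user=alice from=555-0199
""".splitlines()

# Thresholds are assumptions for the illustration.
FAIL_THRESHOLD = 5                 # failures inside WINDOW from one source
WINDOW = timedelta(minutes=5)
DISTINCT_USER_THRESHOLD = 4        # different usernames tried from one source


def parse(lines):
    """Yield (timestamp, outcome, user, source); silently skip malformed lines."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts, outcome, user, src = m.groups()
            yield datetime.fromisoformat(ts), outcome, user, src


def detect(lines):
    """Return {source: set of reasons} for sources that look like a guessing run."""
    fails = defaultdict(list)      # source -> [(timestamp, user)] of failures
    alerts = defaultdict(set)
    for ts, outcome, user, src in parse(lines):
        if outcome == "failed":
            fails[src].append((ts, user))
            recent = [(t, u) for t, u in fails[src] if ts - t <= WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                alerts[src].add("burst")
            if len({u for _, u in recent}) >= DISTINCT_USER_THRESHOLD:
                alerts[src].add("username-cycling")
        elif src in alerts:
            # A success right after a flagged burst is the one to chase first.
            alerts[src].add("success-after-burst")
    return {src: reasons for src, reasons in alerts.items()}


if __name__ == "__main__":
    for src, reasons in detect(SAMPLE_LOG).items():
        print(src, sorted(reasons))
```

Run on the sample, only 555-0100 is flagged, for all three reasons; alice's single typo followed by a successful login from 555-0199 produces nothing, which is the distinction a sysop wants so that legitimate users' slips do not drown the real runs.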
Programs Are People Too
Sometimes computer systems are set up with programs that have usernames and passwords, just like any other user of the system. Thus if you login as that program, the program is executed. Programs might be a tutorial on how to use the network, information system, database, messaging system or just about any sort of application program. Some sites also have accounts whose username is that of an elementary command, such as "time," "date" or "who" (which tells you who is logged on). This allows people to carry out certain quickie functions without having to go through the hassle of logging on to the machine. Often these command accounts don't have passwords associated with them, which is ironic since many are given superuser access permissions.
It's possible that you may get in to one of these program users with a name/password combination chosen from words such as these:
guest, demo, help, info, tutorial, tut, menu, data base, intro, anonymous, database, visit, welcome, hello
"Visit" or "visitor" might be the username, and "tut" the password, for example. Other possibilities are trying to get in with usernames "calendar," "cal," "sched," "schedule," "whois," "ftp," "who," "lpq," "archie," or other common command names. Many installations will have a general-usage or even public information system set up. Access may be gotten by logging in as "info," as suggested above, but other variations are possible. The fictional Wakka Doo University may require logging in as "wdu," "wduinfo," "hellowdu," "wdunews," "wdumail," "welcomewdu," or some other variation on the University's initials. If you do manage to get in this way, first of all you are to be congratulated for a very successful hack - but then what? If you are interested in gaining higher access levels or in escaping out of the program entirely, you could have a lot of difficulty ahead of you. An upcoming section will offer suggestions for getting beyond limited access restrictions.
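The irony the section points out, command accounts with no password that nonetheless carry superuser rights, is something a sysop can check for mechanically. As an added example (Python written for this page, not from the book), here is an audit over a constructed /etc/passwd-style file that flags accounts with an empty password field, accounts other than root that run as uid 0, and accounts whose login name is one of the program or command names listed in this section. The sample file and its entries are constructed for the illustration.

```python
"""Sysop-side audit of the 'program' and command accounts the passage
describes, on a constructed /etc/passwd-style file: which of them need no
password, which carry superuser rights, and which use a well-known name."""

# Constructed sample, classic seven-field format name:pw:uid:gid:gecos:home:shell.
# An empty second field means the account logs in with no password at all.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
who::0:0:who command:/:/usr/bin/who
date::100:100:date command:/:/bin/date
guest::200:200:guest account:/home/guest:/usr/local/bin/tutorial
demo:x:201:200:demo account:/home/demo:/usr/local/bin/demo
alice:x:1001:1001:Alice:/home/alice:/bin/sh
""".splitlines()

# Account names the passage lists as common program/command logins.
WELL_KNOWN = {
    "guest", "demo", "help", "info", "tutorial", "tut", "menu", "data base",
    "intro", "anonymous", "database", "visit", "visitor", "welcome", "hello",
    "calendar", "cal", "sched", "schedule", "whois", "ftp", "who", "lpq",
    "archie", "time", "date",
}


def parse_passwd(lines):
    """Yield one dict per well-formed entry; comments and short lines are skipped."""
    for line in lines:
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, pw, uid, gid, _gecos, _home, shell = fields
        yield {"name": name, "pw": pw, "uid": int(uid), "gid": int(gid), "shell": shell}


def audit(lines):
    """Return {account: [findings]} for entries a sysop should look at."""
    findings = {}
    for acct in parse_passwd(lines):
        notes = []
        if acct["pw"] == "":
            notes.append("no password")
        if acct["uid"] == 0 and acct["name"] != "root":
            notes.append("runs as superuser (uid 0)")
        if acct["name"].lower() in WELL_KNOWN:
            notes.append("well-known program/command login name")
        if notes:
            findings[acct["name"]] = notes
    return findings


if __name__ == "__main__":
    for name, notes in audit(SAMPLE_PASSWD).items():
        print(f"{name}: {'; '.join(notes)}")
```

On the sample, "who" collects all three findings, "date" and "guest" are passwordless well-known names, "demo" is flagged on its name alone, and root and alice pass. The well-known-name check is deliberately a weaker signal than the other two: a guest account with a real password and ordinary privileges is a policy choice, a passwordless uid 0 command account is not.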
Non-Random Machine-Generated Passwords
Finally, let's consider non-random machine-made passwords. Often users are entered into a computer system before their first logon. Then, unless the sysops can relay information to users off-line, the password must temporarily be something that the user already knows, such as their Social Security number (SSN), date of birth, or other personal data. Users are supposed to change this easy-to-guess password to a more secure one, but unless they're specifically shown how or required to do so, it is unlikely they will follow through.
Here's a non-computer example which demonstrates this weakness. In April of 1992, students at a New Jersey university received a memo, informing them of new over-the-telephone class registration procedures. The memo stated that the Personal Access Code (PAC) assigned to authenticate one's registration was the first four digits of one's birthdate (month and day), entered in conjunction with one's nine digit student ID number (essentially, one's social security number).
What got me was that first of all, they told students that their top secret PAC was their birth date. This violates all the security precautions they're trying to maintain. After all, how difficult is it to find out someone's birthday? But the PAC is only half of the "password" - the other part is a student ID.
Again, it's a piece of cake to find out someone's ID. IDs are publicly or semi-publicly available at the student health centers, on computer room sign-up sheets, on identification cards, class rosters, housing lists and elsewhere! The memo does say that those concerned with security can come into the registrar's office to change their PAC, but who's going to go out of their way to do that?
Anyway, changing just those four numbers doesn't do much to stymie the determined hacker. Following a change of PAC there are 10,000 minus one possibilities to try. This is as opposed to the mere 366 possible PACs before that security-aware person changed his or her number. Sure, ten thousand is a lot of numbers to try, but it's certainly not impossible. A touch-tone auto-dialer can phone through all of those in about seven minutes, given unlimited PAC-entry retries per phone call. In any case, I'm using this story to illustrate the principle of least resistance: Users are not going to go out of their way to change access codes if they don't have to. And even if they do, it doesn't matter much. After all, we are hackers.
Let's move back to our discussion of non-random passwords which are generated by computer; or rather, passwords decided upon by the programmer or administrator and selected from data files by the computer.
Computers will select passwords any time a large number of passwords must be assigned at once. During the first week of a college semester, thousands of new accounts must be created for students enrolled in computer classes. For the most part, these accounts are going to be set up with username equal to some truncation or bastardized form of one's real name, and the password will be either one's Social Security number (SSN) or student ID number.
So if you want to hack a college system, start early in the semester - before those passwords get changed by the user to something more secure. Social Security numbers may be easily hacked by brute force, especially when you know how they are distributed.
Social Security (or other ID numbers) may also be obtained through social means (see the chapter on Social Engineering) or by other forms of chicanery. I've sat in on college classes where the instructor hands around a sheet of paper, on which the students are asked to write their name and ID number. This sheet is then handed to the teaching assistant, who enters this information as accounts into the computer system. If you happen to find some classes that operate like this, make sure you sit in the back of the class, where nobody will notice you copying other people's private data. A hand-held scanner/copier makes life easier at times like these.
You can also get names and SSNs from attendance sheets, or class rosters, which usually list both pieces of information for every individual in the class. If the professor doesn't make the roster available for student perusal, make up some excuse to swipe a look at it. For instance, say the registrar had your name incorrectly spelled on your last transcript, and you want to make sure they've corrected the problem. Professors will love any excuse that points out slip-ups in the bureaucracy of the school system. Use their mindset against them!
Several court battles have ruled that use of one's Social Security number in conjunction with one's name in a public environment is unconstitutional, as it is an invasion of personal privacy. Therefore, we may see a trend starting, with SSNs getting used less and less for identification purposes, and an organization-defined ID number being used in its place. If that's the case, you will have to rely more on brute force to access the array of ID numbers assigned to a person.
Pre-usage passwords won't always be Social Security numbers or other ID numbers. If some non-computer communication is possible between the sysadmin and the user, other words may be assigned as temporary passwords (to be changed when the user logs on).
There might be a generic "new user" password which is given to all accounts, which shouldn't be very hard to crack. Or the password might be something very obscure and security-conscious, like some long string of random characters. It may be necessary to intercept the new user's physical mailbox for that envelope which contains the assigned password.
Password Restraints
Most operating systems weren't developed with security as top priority. Indeed, password-based accounts should be all the security required on a time sharing system. As we have seen, however, too frequently passwords are chosen that are easy to guess. The UNIX operating system does restrain password selection by suggesting that passwords contain no less than five lower case characters, or only four characters if at least one of those is nonalphabetic or uppercase. However, if a user insists on a shorter password, disregarding the plea that security be maintained, that shorter password will be allowed.
Sysops know that most passwords aren't secure, so many have installed programs which disallow obvious passwords from being generated. Passwords are then forced to conform to certain characteristics, such as:
• Passwords must be of a certain length.
• Passwords must include a mixture of upper and lower cases.
• Passwords must include one or more numerals.
• Passwords must include a non-alphanumeric symbol.
One or more of these constraints might be enforced. The program may also test the user's password against a list of known "bad" passwords, which are not allowed to be used.
Not allowing single-case passwords or strictly alphabetical passwords does add some difficulty to a guess-attack, but not much. One time I had someone in mind who I felt certain had "popeye" for a password, due to his large collection of classic comic books and the big deal he always made about Popeye. The system software required a mixture of cases (which helpfully informs you, by the way, that upper and lower case are distinguished by the system), so instead of just trying "popeye", I tried:
and also tried each of these with cases reversed, such that PopeyE became pOPEYe (in case the user thought of capital letters as normal for computer keyboards, and lower case the exception). It was highly unlikely that this particular Popeye lover would try anything so bizarre as capitalizing in the middle of a syllable, or without some pattern to it. Indeed, when forced to capitalize, who in their right mind would?
As it turned out, his password was "OliveOyl."
If not capital letters, numbers might be forced into one's password upon first login. Again, you can hardly expect Joe User to break up syllables with a number, and the numbers that are used you should expect to be not more than one or two digits. After all, the user thinks of it as a password. The number will generally be slapped on as a necessary afterthought.
Thus, what you will normally find are passwords in the following forms:
Numbers will be those which are easy to remember, or easy to type, like 1 or 0. Numbers from one through 31 should be most common, along with numbers either repeating, ending in zero or nine, such as "888," "500" or "1999." It is reasonable to expect typists to use the numeral "1" substituted in for the letter "l" (lowercase "L"), in passwords which contain that letter. Cyberspace devotees might do likewise, as well as using zero for their required number, putting it in place of the letter "O." This means that if you ever suspect a word that contains the letters "L" or "O," instead of finding something like "cool," "computer," "lucifer," "lemon," or "colts," you may find "c001," "c0mputer," "1ucifer," "1em0n," and "c01ts," where the digits 1 and 0 have replaced the appropriate letters. (Actually, "c001" is usually spelled "k001.")
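As an added example in Python (not code from the book), here is the sysop-side counterpart to the constraints listed above. It enforces them and then goes one step further: it normalises the candidate back to the base word a guesser would have started from, undoing exactly the tweaks this section describes (a one- or two-digit number tacked onto an end or dropped into the middle, mixed case, 1 for l and 0 for o), and rejects the password if that base word is on a blocklist. The blocklist, the sample passwords and the minimum length are constructed for the example.

```python
import re

# Constructed blocklist, standing in for the "known bad passwords" file a sysop would keep.
BLOCKLIST = {"popeye", "oliveoyl", "cool", "computer", "lucifer", "lemon",
             "colts", "password", "secret", "letmein"}

# Undo the digit-for-letter swaps the text describes: 1 -> l, 0 -> o.
_UNLEET = str.maketrans({"1": "l", "0": "o"})


def constraint_failures(pw: str, min_len: int = 8) -> list:
    """Return the names of the listed constraints the password fails (empty = passes)."""
    failures = []
    if len(pw) < min_len:
        failures.append("length")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        failures.append("mixed-case")
    if not any(c.isdigit() for c in pw):
        failures.append("digit")
    if not any(not c.isalnum() for c in pw):
        failures.append("symbol")
    return failures


def base_words(pw: str) -> set:
    """Base words a guesser could have started from, after undoing the
    afterthought tweaks: lower-case everything, strip a one- or two-digit
    number from either end, drop digits placed in the middle, and reverse
    the 1/0 substitutions."""
    lowered = pw.lower()
    no_edge_digits = re.sub(r"^\d{1,2}|\d{1,2}$", "", lowered)
    candidates = {
        lowered,
        no_edge_digits,
        lowered.translate(_UNLEET),
        no_edge_digits.translate(_UNLEET),
        re.sub(r"\d+", "", lowered),                          # "pass24word" -> "password"
        re.sub(r"[^a-z]", "", lowered.translate(_UNLEET)),    # "1em0n!" -> "lemon"
    }
    return {c for c in candidates if c}


def has_weak_base(pw: str) -> bool:
    """True when the password is a blocklisted word dressed up with the chapter's tweaks."""
    return any(b in BLOCKLIST for b in base_words(pw))


def evaluate(pw: str) -> dict:
    """Combined verdict: what the policy alone says, and what the base-word check adds."""
    return {"constraint_failures": constraint_failures(pw),
            "weak_base": has_weak_base(pw)}


if __name__ == "__main__":
    # Constructed samples: "OliveOyl!9" satisfies every listed constraint yet is still weak.
    for sample in ("PopEye2", "c001", "OliveOyl!9", "pass24word", "Smith@#Jones", "Tq7#mLp2z"):
        print(f"{sample:14} {evaluate(sample)}")
```

The point the samples make is the one the text makes: "OliveOyl!9" clears length, mixed case, digit and symbol, and a checker that stops at those four constraints accepts it; only the normalisation step notices that it is a blocklisted word with the usual afterthoughts attached.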
Computer Generated Passwords: Fakery and Analysis of Machine-Generated Passwords
Many passwords that the computer generates on its own will have some flavor of randomness to them. For instance, look at this bit of imaginary program segment:
5 Randomize Timer
100 For i = 1 to 6
110 Char = Int (Rnd * 91)
120 If Char < 65 Then Goto 110
130 Password = Password + Chr$ (Char)
140 Next i
200 Print "Your new password is: "; Password
Here, six uppercase letters are selected independently and concatenated to form the password. The way the letters are selected is that a random number between 65 and 90 is chosen - this correlates with the ASCII code for the letters of the uppercase alphabet. The randomness of the numbers chosen is based upon the randomizer function being used. In this case, pseudo-random numbers are generated based upon the exact time of the computer's internal clock, although randomization could also have been based on a practically infinite, hardware-dependent range of inputs. I said "pseudo"-random numbers because no matter how random these numbers may appear to us, to the computer they are just values plugged into a formula.
If the password-making program could be altered in the right way, then all randomly-generated passwords after the time of alteration may be yours for the taking (or deducing). If you have the ability to change the program and save the changes to disk, or the ability to reroute the password-making subroutine, then here are some further items to consider.
The easiest thing to do would be to change the program by getting rid of the randomization factor entirely and simply inserting a "Let Password$ = "EVBIDCL8.... statement. Then every new user would be given the same seemingly random password. The problem is this is not going to go unnoticed by the system
administrators (although you might be able to restore the original program before your change is noticed).
A more logical choice is to have the program generate a random-looking password based on some information about the user that you can easily determine from publicly available sources, such as the user's birth date or Social Security number.
Then you can simply plug that piece of information into your copy of the code on your home computer and reproduce the new user's password. One encoding algorithm that works well is to take the sine of the ASCII value of the first six or eight characters of the user's name, then take the second-to-last two values of the
sine, convert them to fall within a suitable range, then concatenate the corresponding ASCII characters to form a "word." Thus you have a random-seeming password that can be easily constructed, even by hand. If the username is less than six characters, the remainder could be filled in by a predetermined set.
[Figure: A sample username is encoded into an obscure password using the method outlined in the text. On inspection the password seems random and secure, but a hacker can determine a user's password using publicly available information about that user (in this case, the user's last name).]
This is just a simple example; your password would have to comply with case mingling, length, or digit sprinkling requirements where appropriate. Forcing a password in this way can help if you run an electronic messaging or bulletin board system: users may get so comfortable with their new, secure passwords (wouldn't you think "rueavz" was secure?) that they transfer them over to other accounts elsewhere.
Another possibility, again requiring the ability to covertly change the password generator, is to alter the randomizer's seed to a constant value, thus causing the program to produce the same series of random numbers each time it is run (as long as the computer stays on and the program is not reset). This is risky though, and unwanted side effects may result.
One method utilizing the flaws in pseudo-random number generators was actually accomplished, and reported on by UNIX co-creator Dennis M. Ritchie in a 1986 security bulletin entitled "On the Security of UNIX." To increase security at a computer installation, the administrators decided to provide safe, computer-generated passwords. Each password would be a string of lower case letters and digits, eight characters long. This calculates to 2,821,109,900,000 passwords which, according to Ritchie, on a PDP-11/70 would take 112 years to brute force through all those combinations. But the hacker knew that the random number generator could only take 32,768 seeds, and so only that many possible outcomes needed to be looked at. "The bad guy did, in fact, generate and test each of these strings and found every one of the system-generated passwords using a total of only about one minute of machine time." [Emphasis added.]
Clearly, sixty seconds plus some programming time is worth spending to have access to every account on a system!
If you can't insert code to generate machine-made passwords, you might be able to analyze them after they've been produced. This requires having access to a minimum of one password, preferably two or more, from a given system. If you have a legitimate account, there's your first password. If it's a local BBS you're hacking, or some other sort of system where multiple anonymous logons are possible, try calling back a few more
times and collect new passwords under different names. Or get ahold of the BBS software or the password-generating routine, and work that to collect various passwords.
Once I was going through some new BBSs that had started up and I came across an ad for a system that was a couple states over but still seemed worth a try. I called up, logged in as a new user, and found it wasn't all that interesting after all - run by a factory supervisor mainly to let site agents order inventory stock. I used the made-up name and address Roger Eichner, 13 Stem Court, North Coast, WA 64203 to log on. The password that was generated was "roghner24." I was astounded! Obviously the program had simply taken the first three letters from my first name, the last four letters of my last name, and stuck a number at the end!
Or had it? I called back a second time, logging in as a new user with a different name. This time there seemed to be no correlation at all with any of the personal information I had given. Now I was not only astounded - but confused as well! Had the first password been simply a fluke? Was the second a fluke? Was it
programmed to only sometimes use parts of the username? I called back a third time and again logged on as a new user. Again the password was unrelated to anything I had entered. Now I was pretty positive the first password had just been an unbelievable coincidence. I wrote a message to the system operator, saying he
could delete these three new users of his (I supplied their personal info so he would not think I was playing a joke) and I didn't call back until a few weeks later.
Even though my second two passwords were unrelated to both each other and my personal data, I thought that perhaps I had missed something that first encounter, since some of the characters were repeated from one password to the next. Could these characters refer to my baud rate or computer type, or some other parameter that had stayed the same from one login to the next? Or was it possible that what was random about the passwords was which pieces of data it selected to insert into the password? This would account for my name in the first case, and one of the items (which I didn't recognize as relating to me) being repeated in the third call password.
Logging on with the same name, address, terminal characteristics and everything else as I had originally done, I received, to my disappointment,
not a computer-generated password but the following astonishing message:
Dear Member:
Sorry about having to go through this again but we've had a problem the last few days. I will have to ask that you be patient with the low access level you will receive until I get a chance to validate you. Please note, when asked to supply a password do not give the one you were previously assigned. Make up a new and totally unconnected password.
See General Posting #1 for explanation.
StRaPmAsTeR === wllLiE ===> (sysop)
Input Password ==>?
General Posting #1 said that a certain (relatively new) user of the BBS, whose handle was Mr. Joke, had kicked into action a "feature" of the BBS software that produced less-than-secure passwords. The previous year the system had "crashed, apparently as a result of a rogue program that was uploaded to file section by Mr. Joke." No further details were given on the cause or nature of the crash, because apparently regular callers of the system already knew the story.
Anyway, you can see how it's possible to occasionally get some good information by analyzing "random" passwords. Even if there doesn't seem to be any discernible pattern, that doesn't mean there isn't one hidden somewhere. There might be some subtlety to the pattern or, if not a pattern, a bug or strangeness that you might be able to spot. For example, in the first version of one BBS program - a program that was so godawful the board folded after about a month - the random password generator would never produce a password with the letter A or the digit 0 in it. Knowing this does help a little: for a seven character password of the form WXYZ123, where WXYZ are letters of one case and 123 are numbers, there are only 284,765,630 possible combinations of letters and numbers, instead of 456,976,000 - a difference of 172,210,370 passwords! This software was riddled with bugs, many of which have become famous as the worst blunders in the history of horrible programming.
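Added example in Python (not from the book and not from Ritchie's bulletin) that puts numbers on the three ways this section shrinks a generator's keyspace: the nominal alphabet-to-the-length figure, a generator bug that drops characters from the alphabet, and a seed that can only take 32,768 values, so that no more than 32,768 distinct passwords can ever come out however large the nominal space is. `SeededLCG` is a constructed toy standing in for any PRNG whose whole output is fixed by its seed; `strong_password` shows the fix, drawing from the OS CSPRNG via `secrets`. The exact products are 36^8 = 2,821,109,907,456, 26^4 x 10^3 = 456,976,000 and 25^4 x 9^3 = 284,765,625 (five less than the figure the chapter quotes).

```python
import secrets
import string

LOWER_DIGITS = string.ascii_lowercase + string.digits   # 36 symbols, as in Ritchie's example


def nominal_keyspace(alphabet_size: int, length: int) -> int:
    """Passwords possible if every position is free: alphabet_size ** length."""
    return alphabet_size ** length


def mixed_keyspace(letter_alphabet: int, letter_positions: int,
                   digit_alphabet: int, digit_positions: int) -> int:
    """Keyspace of a WXYZ123-shaped password (letter positions, then digit positions)."""
    return letter_alphabet ** letter_positions * digit_alphabet ** digit_positions


class SeededLCG:
    """Toy linear congruential generator (constructed for this example).

    Everything it will ever output is fixed by the seed, which is the point:
    the seed space, not the password alphabet, bounds the search."""

    def __init__(self, seed: int) -> None:
        self.state = seed & 0xFFFFFFFF

    def next_int(self) -> int:
        # Numerical Recipes constants; which LCG is used does not matter here.
        self.state = (1664525 * self.state + 1013904223) & 0xFFFFFFFF
        return self.state >> 16


def weak_password(seed: int, length: int = 8, alphabet: str = LOWER_DIGITS) -> str:
    """Generator modelled on the one Ritchie describes: only the low 15 bits of
    the seed matter, so at most 32,768 distinct passwords can ever be produced."""
    rng = SeededLCG(seed & 0x7FFF)
    return "".join(alphabet[rng.next_int() % len(alphabet)] for _ in range(length))


def distinct_outputs(seed_bits: int, length: int = 8) -> int:
    """Audit step: enumerate every seed and count the distinct passwords produced."""
    return len({weak_password(s, length) for s in range(1 << seed_bits)})


def strong_password(length: int = 8, alphabet: str = LOWER_DIGITS) -> str:
    """The fix: draw each character from the OS CSPRNG; there is no seed to enumerate."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print("nominal 36^8          :", nominal_keyspace(36, 8))
    print("seed-bounded (15 bits):", distinct_outputs(15))
    print("WXYZ123, full alphabet:", mixed_keyspace(26, 4, 10, 3))
    print("WXYZ123, no A / no 0  :", mixed_keyspace(25, 4, 9, 3))
    print("CSPRNG sample         :", strong_password())
```

The audit to run against any generator you are responsible for is `distinct_outputs`: enumerate the seed space and count what comes out. When that count is orders of magnitude below the nominal keyspace, the 112-year figure is meaningless and the one-minute figure is the honest one; the remedy is a generator with no enumerable seed, not a longer alphabet.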
Monday, 28 November 2011
Password Studies
If you think all of this talk about easily guessed passwords is balderdash, think again. A good number of formal and informal studies have been done to see just how good people are at picking safe passwords.
One such experiment found that out of 3,289 passwords
• 15 were a single ASCII character,
• 72 were two characters,
• 464 were three characters,
• 477 were four characters long,
• 706 were five letters, all of the same case, and
• 605 were six letters, all lower case.
The point being this: That hackers can simply sit down and guess passwords is FACT not FICTION. It can be done, and sometimes quite easily.
Another example of the ease with which passwords can be hacked is the Internet worm which squirmed through the net, disabling much of it, in 1988. The worm had two tactics it used to spread itself, one of which was attempting to crack user passwords. It would first try inputting the typical passwords, like login name, a
user's first and/or last names, and other variations of these. If that didn't work, the worm had an internal dictionary of 432 common passwords to try. Finally, both of these methods failing, the worm went to the UNIX system dictionary, attempting each word in turn, until something hopefully worked. As we know, the worm's method worked superbly.
By the way, if you're ever on a UNIX system and need to do a brute force attack to gain higher access, the system dictionary is very helpful. You can find it in a subdirectory called "/usr/dict." The file is called "words." You can also download this file or capture it to another computer, if you need a plaintext dictionary file for use on other machines. < One problem with using the UNIX dictionary "straight from the box" is that the words it contains do not genuinely reflect words in common English usage. There is a high preponderance of scientific words, due to the manner in which the dictionary was constructed >
Possible Password Investigation
One of the sources I used to research this book was an unofficial manual for a popular fee-based information service. Throughout that book, the author continuously made references to her pet cat, her love of Philadelphia soft pretzels, her favorite football team, her husband and children, and her newly acquired interest in computers. Not only did references to these aspects of her life abound in the text, they also appeared in illustrations of the service's "Find" command, sample messages and sample letters.
I knew the author's name, of course. I knew she had a membership on this system, and I knew about her life. It was insanely simple to get her personal ID number on the system and, yes, within two dozen password guesses, to access the service under her account. She has since taken my advice and changed her password.
This isn't an isolated example! Every day you and I read newspaper articles, magazine columns, and books - in which the authors give away their computer addresses so readers can respond. Yesterday I heard a radio talk show host give out his CompuServe address for the large listening audience who didn't get the chance to speak out on the air! We know enough about many of these authors and others to be able to make educated guesses of their passwords. Even if an author doesn't mention personal details in the book, there's usually an "About the Author" section to turn to for facts. Many computer books are written by college professors; naturally you'll know what college they're at, and so you have a lead to an account. If the sample program segments they list entail baseball trivia, you've got a good idea where to begin a brute force siege.
With all of this said, I want you to realize this is for informational purposes only. I made the above remarks only to point out some of the lax security around anyone in the public eye. Don't get any funny ideas about breaking my passwords!
Another trick is to look in Who's Who books. Almost all industries have a yearly Who's Who published. Many of these are vanity affairs: people pay to get a writeup about themselves listed. You can get good data from these, and if you can't get enough good data, print up your own official-looking Who's Who form and mail it to the person you have in mind at the company. Make sure the accompanying letter states that once they fill out the form, their entry will be included free of charge in the eventual book, and they will receive one copy of the book, free. This will help ensure that they mail you back the form. It also ensures you get good data to help you crack their passwords.
One more helpful subterfuge, this one involving socializing with cronies at the company. Call up an office and talk to a receptionist or anyone who knows everyone's gossip. Say you're from a new trade magazine specializing in that business's field of endeavor. Ask for the names of all the major department heads, and their secretaries, so you can send them a free trial subscription. Then call back and talk to each of their secretaries. Have them fill out "market research" cards, again for some prize, like a free subscription or a clock radio or something. Typical marketing questions for trade magazine subscribers include inquiries about schooling, degrees held, industry awards, trade association memberships, military service, salary range, and length of service at the company. As the conversation continues, start asking about hobbies and outside interests, favorite sports, names of kids and spouse, and home address. These too are acceptable questions for a market research surveyor to ask; they are also valuable possible password leads.
The short version of this is to call up, say you're one of the assistant editors for a trade magazine, and you're trying to find interesting people in the field. "Do you know of anyone there who has done anything at all spectacular, or has any particularly unusual hobbies?" You might get a "no," but keep pressing: "Anyone with special talent? Musical talent, for instance?" Keep going like this; eventually you'll hit upon something, and you can use the above tricks to find out more about that person than you ever thought you could.
Uncovering a subject's interests is called making up a personality profile or, for hackers, a password profile. The technique is done whenever the hacker has a specific individual in mind, whose computers the hacker wants to crack. If you wanted to read the e-mail and other private files of some head honcho at a corporation, you would go find reports of said honcho in the media, see what he or she likes, and go from there. One popular stratagem, mentioned by Hugo Cornwall in his Hacker's Handbook, recognizes the fact that often a chief person in an organization is given an account to demonstrate the new computer system, under the assumption that setting up a new account is too difficult or time consuming for the busy leader to do on his or her own. This account will of course have a natural English password, something of either the easily-guessed variety, or something from the boss's list of interests. ("Say, Mr. Larsen likes fishing, doesn't he? Put in 'FISH' as the password!") So let's suppose you know a person's hobbies or interests: From there, how do you proceed?
To start, you could go to a library and get all the books you can on that subject. Then make up word banks from the glossaries and indices. People like to use big and (they think) obscure names/words from their coveted subject which they think no one else would ever think of. So you get students of literature using names for passwords, like "Euripides," "Aeschylus," and in general, a mess of lengthy technical terms.
Make up word lists, try them out, and if all else fails you can go on to a new password type. Just because someone's a doctor doesn't mean his password will be "pericardiocentesis." People's lives are composed of many subjects, their occupation being just one.
interest in computers. Not only did references to these aspects of her life abound in the text, they also appeared in illustrations of the service's "Find" command, sample messages and sample letters.
I knew the author's name, of course. I knew she had a membership on this system, and I knew about her life. It was insanely simple to get her personal ID number on the system and, yes, within two dozen password guesses, to access the service under her account. She has since taken my advice and changed her password.
This isn't an isolated example! Every day you and I read newspaper articles, magazine columns, and books in which the authors give away their computer addresses so readers can respond. Yesterday I heard a radio talk show host give out his CompuServe address for the large listening audience who didn't get the chance to speak out on the air! We know enough about many of these authors and others to be able to make educated guesses of their passwords. Even if an author doesn't mention personal details in the book, there's usually an "About the Author" section to turn to for facts. Many computer books are written by college professors; naturally you'll know what college they're at, and so you have a lead to an account. If the sample program segments they list entail baseball trivia, you've got a good idea where to begin a brute force siege.
With all of this said, I want you to realize this is for informational purposes only. I made the above remarks only to point out some of the lax security around anyone in the public eye. Don't get any funny ideas about breaking my passwords!
Another trick is to look in Who's Who books. Almost all industries have a yearly Who's Who published. Many of these are vanity affairs: people pay to get a writeup about themselves listed. You can get good data from these, and if you can't get enough good data, print up your own official-looking Who's Who form and mail it to the person you have in mind at the company. Make sure the accompanying letter states that once they fill out the form, their entry will be included free of charge in the eventual book, and they will receive one copy of the book, free. This will help ensure that they mail you back the form. It also ensures you get good data to help you crack their passwords.
One more helpful subterfuge, this one involving socializing with cronies at the company. Call up an office and talk to a receptionist or anyone who knows everyone's gossip. Say you're from a new trade magazine specializing in that business's field of endeavor. Ask for the names of all the major department heads, and their secretaries, so you can send them a free trial subscription. Then call back and talk to each of their secretaries. Have them fill out "market research" cards, again for some prize, like a free subscription or a clock radio or something. Typical marketing questions for trade magazine subscribers include inquiries about schooling, degrees held, industry awards, trade association memberships, military service, salary range, and length of service at the company. As the conversation continues, start asking about hobbies and outside interests, favorite sports, names of kids and spouse, and home address. These too are acceptable questions for a market research surveyor to ask; they are also valuable possible password leads.
The short version of this is to call up, say you're one of the assistant editors for a trade magazine, and you're trying to find interesting people in the field. "Do you know of anyone there who has done anything at all spectacular, or has any particularly unusual hobbies?" You might get a "no," but keep pressing: "Anyone with special talent? Musical talent, for instance?" Keep going like this; eventually you'll hit upon something, and you can use the above tricks to find out more about that person than you ever thought you could.
Uncovering a subject's interests is called making up a personality profile or, for hackers, a password profile. The technique is done whenever the hacker has a specific individual in mind, whose computers the hacker wants to crack. If you wanted to read the e-mail and other private files of some head honcho at a corporation, you would go find reports of said honcho in the media, see what he or she likes, and go from there. One popular stratagem, mentioned by Hugo Cornwall in his Hacker's Handbook, recognizes the fact that often a chief person in an organization is given an account to demonstrate the new computer system, under the assumption that setting up a new account is too difficult or time consuming for the busy leader to do on his or her own. This account will of course have a natural English password, something of either the easily-guessed variety, or something from the boss's list of interests. ("Say, Mr. Larsen likes fishing, doesn't he? Put in 'FISH' as the password!") So let's suppose you know a person's hobbies or interests: From there, how do you proceed?
To start, you could go to a library and get all the books you can on that subject. Then make up word banks from the glossaries and indices. People like to use big and (they think) obscure names/words from their coveted subject which they think no one else would ever think of. So you get students of literature using names for passwords, like "Euripides," "Aeschylus," and in general, a mess of lengthy technical terms.
Make up word lists, try them out, and if all else fails you can go on to a new password type. Just because someone's a doctor doesn't mean his password will be "pericardiocentesis." People's lives are composed of many subjects, their occupation being just one.
Labels:
Chapter 4
Passwords Supplied By The User
Most passwords are of the choose-it-yourself variety, and due to security awareness most contemporary programs which ask for a password to be supplied will not accept words of a certain short length which the program deems to be too easily "hackable." Most passwords will be more than four or five characters long. Other measures to protect users from their own lack of password creativity might be taken as well. For example, systems may force passwords to contain a mixture of upper and lower case, numbers, and perhaps disallow obvious passwords (such as "computer").
Software is available for most operating systems which looks through the computer's password files, analyzes user passwords and decides how secure they are. Insecure passwords will be changed, or prevented in the first place. This is one area where your prior research should help you. Generally you will know which of these programs your target has installed, and what passwords the software will not allow.
Regardless of how clumsy-brained or brilliant a person is, all people tend to think alike. It is only through learning that they begin to think in creative ways. Even then, initial assumptions and first conclusions are similar for a given peer group. What this means is that when a person logs onto a computer for the first time, and is prompted for a password - especially if that person is under stress of time or place - that password is likely going to be a variation on some common themes. Imagine some of the situations people are in when they are asked to create a secret password for themselves. They may be calling a remote computer over a long distance phone line, or surrounded by a group of technicians who are there to teach them to use the system. In any case, the prompt is there on the screen and with it, a sense of urgency is brought to mind.
People type the first thing they think of, the first thing they see, or hear, or are hoping to do once they get past the login procedure. The password is entered quickly, and rarely is it changed to a better, more secure one.
Thus, many passwords relate to top-of-the-mind thoughts, such as job, family, possibly current events, possessions, environment, hobbies or interests. If you can either find out or guess any of these traits of a valid system user, the number of potential passwords you will have to guess will decrease significantly. Get catalogs from the companies that make wall posters, humorous mugs and other novelty items one finds around offices. How many times have you seen that tired phrase, "You don't have to be crazy to work here... But it helps!"? I guarantee the word "crazy" gets picked off that mug every day as a password. Think about the age and lifestyles of the average user whose account you are attempting to breach. An office in a corporate setting probably wouldn't have a nudie poster hanging up - but a college dorm would, and so you may get passwords such as "playmate," "Victoria," "body," or "month."
The easiest way to get a password is to enter it yourself for the user, or to supply the password to the user who is logging on for the first time. You might be acting the role of computer tutor to a novice, and while showing him or her the ropes, downplay the security aspects and allow him or her to tell you the password as they type it, either because they spell it out loud, or because you watch the person's eyes light up as his or her gaze falls upon the wall poster with the word "surfboard" written across the top. (Or they say, "Gee, what's a good secret password? Oh, I know - " and proceed to spell it out to you as they hunt and peck at the keyboard.) Most often you will be hacking away at user accounts that have been long-established. On these you will have to use some kind of brute force, observation, social or technical method of password retrieval. Most passwords are dictionary words, like "subway," "table," "chocolate" or "hotdog." Honestly, can you imagine any computer novice sitting down and entering "fMm6Pe#" as a password? Of course not!
Scrabble rules do not apply here: proper names are allowed in password creation, as are misspellings, abbreviations, non-words and foreign terms. Thus a person who likes watching Star Trek may have the password "enterprize" instead of the correct "Enterprise." Whether that's due to bad spelling habits or because he or she simply likes it better that way is unimportant. What is important is that you have to be aware that misspelled words exist in passwordland. You are going to find the letter "k" used in place of hard "c," as in "koka kola." You will find "x" for "ks" (thanx), and other phonetic substitutions, like "lether," "fone" and "stryker." Some hackers will go through every word in the English language until they find something that works as a password. If the password they seek is a real word, but isn't spelled correctly, they are going to be wasting vast amounts of time. Complete brute force dictionary attacks are often fruitless, useless, adolescent ways of doing things.
Many words recur frequently as passwords, and examples are given in the appendices. However, there are many words that you would almost never expect to find as a password on a system. Is it reasonable to suspect a person will enter an adverb for a password? Words of this sort would be the last ones to try. Real-word passwords will generally be nouns ("eyeball," "drums," "kitchen"), verbs (usually obscene ones), and perhaps adjectives ("purple," "great," "happy").
Girl friends, boy friends, and the cute pet names they give each other are popular passwords; these you would have found out from prior research. Also semipopular are passwords with the word "sure" embedded inside them, as in "forsure" or "fursure," "surething" or "asb" (short for "a sure bet"). Besides dictionary words, you can expect to find names of relations, streets, pets, sports teams and foods; important dates and ID numbers, such as social security numbers, anniversaries, or birthdays; and keyboard patterns. Examples of keyboard patterns include "jkjkjk," "700u," "WXYZ," "ccccccc," "0987654321," "asdfgh" or "qazwsx." Look at the location of these letters on a keyboard if you are confused about these last two examples. Keyboard patterns will usually be simple repetitions of characters, portions of columns or rows or every-other-letter designs. Keyboard patterns may be wholly unguessable and yet fully logical when you know what's going on at the other end of the phone line. For example, "05AF" may seem a funny thing to pick up from a keyboard, but when you know the computer in question has a special hexadecimal keypad attached, the whole thing starts to make sense.
[Figure: a hexadecimal keypad, used by some computer programmers to allow fast entry of numbers in base 16. The keypad illustrates a principle smart hackers will follow: that what you see on your side may be different from what they see on theirs.]
Some keyboard patterns I've actually seen being used on systems: "abcdef," "qwerty," "12345," "xxxxxx," "opopopopp." If you know the minimum password length is six characters, don't expect patterned passwords to go much beyond that minimum.
On the other hand, you can't reasonably try out every possible pattern: there's an infinite number. Beyond a certain point, guessing keyboard patterns is strictly reserved for amateur hour.
Labels:
Chapter 4
Passwords
The cheapest and easiest way to protect any kind of computer system is with that old standby: the password. Even computers that under normal circumstances have no need for security features often come equipped with password protection simply because it feels good to use and doesn't cost much in terms of time, effort or storage space to implement. Furthermore, systems which are protected by other means - by magnetic cards or by software alternatives such as encryption - will double or triple the security of their assets through the use of a password system.
Thus, on practically all computer setups you are likely to encounter passwords of one form or another.
Passwords are usually thought of as the entrance keys to a computer system, but they are also used for other purposes: to enable write access to drives, as encryption keys, to allow decompression of files, and in other instances where it is important to ensure that it is the legitimate owner or user who is attempting an action.
There are seven main classifications of passwords.
They are:
• User supplied passwords
• System generated random passwords
• System generated random passcodes
• Half and halves
• Pass phrases
• Interactive question-and-answer sequences
• Predetermined by code-indicating coordinates
If you intend to hack a computer installation you will first have to figure out which of these seven password types are used by that system. The first type is the most common; generally users are asked to think up a personal password for themselves.
System generated random passwords and codes may be of several kinds. The system software may supply a completely random sequence of characters - random to the point of cases, digits, punctuation symbols and length all being determined on the fly - or restraints may be used in the generating procedures, such that each passcode conforms to a prearranged constitution (like "abc-12345-efgh" where letters and numbers are randomly generated). Or, computer-produced passwords may be taken randomly from a list of words or nonsense syllables supplied by the program authors, thus creating passwords like "nah.foop" or "car-back-tree".
Half and halves are partially user-supplied, while the rest is composed by some random process. This means that even if a user supplies the easily-guessed password "secret," the computer will tack on some abstruse gibberish at the end, forming a more secure password such as "secret/5rhll".
Pass phrases are good in that they are long and hard to guess, but easily remembered. Phrases may be coherent, such as "we were troubled by that," or they may be nonsensical: "fished up our nose." Pass phrases are used when the manager of a site is particularly security-conscious. Usually you don't see pass phrases required by a system, although the programming required to enforce a pass phrase rule is trivial.
Related to the pass phrase concept is the phrase acronym, which security experts have been applauding as a short but equally safe form of password. In a phrase acronym, the user takes an easily remembered sentence, phrase, line from a song or poem or other such thing, and uses the first letter of each word as the password.
For example, the acronyms for the two pass phrases above would be "wwtbt" and "fuon." You can see that innovations in password theory such as this will greatly increase the difficulty hackers will encounter in future electronic espionage.
The sixth password type, question-and-answer sequences, requires the user to supply answers to several (usually personal) questions: "Spouse's maiden name?", "Favorite color?", etc. The computer will have stored the answers to many such questions, and upon login will prompt for the answer to two or three of them.
These question/answer sessions can be delicious to the hacker who is intimately familiar with the user whom he or she is attempting to impersonate. Systems which use question-and-answer sequences also tend to be programmed to interrupt users while online every X minutes, and require them to answer a question to reaffirm their validity. This can get pretty annoying, especially if someone's in the middle of an exciting online game when it happens. Q&A is used only rarely nowadays. When it was first proposed it seemed like a good idea, but the bothersome factor has resulted in this method being pretty much phased out.
Passwords which are predetermined by code-indicating coordinates usually rely on some external device, such as the code wheels used to deter software piracy. In any case, a set of key prompts are offered by the computer, and the user is required to return the appropriate responses to them. You'll often see this type of password being used on a system with once-only codes.
Once-only codes are passwords valid for only one access. Sometimes they are used as temporary guest accounts to demonstrate a system to potential clients. Once-only codes may also be employed by the system to allow actual users to log in for the first time; the users will then be expected to change their password from the one provided to a more secure, personal code. In situations where groups of people must log in, but security must be maintained, a list of once-only codes may be provided. Users then extract one code at a time, depending on external factors such as time, date or day. Maybe you can find a list of codes by going through the garbage of a place? The codes won't work anymore, but you'll get a sense of what the system expects from you.
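Generators for the system-supplied types described above (fully random, formatted passcode, word list, half-and-half) plus the phrase acronym, each paired with the bits of guessing work the scheme leaves an attacker who knows how it works; this is an added example, not code from the book. The "aaa-ddddd-aaaa" template, the 16-entry word list and the 36-character suffix alphabet are assumptions for illustration.

```python
"""Password generators for the types the text lists, with entropy estimates.
Added example, not the book's code; the template, word list and suffix
alphabet are constructed assumptions."""
import math
import secrets
import string

FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
SUFFIX_ALPHABET = string.ascii_lowercase + string.digits                    # 36 symbols
# Constructed stand-in for the word/syllable list supplied by the program authors.
WORD_LIST = ["car", "back", "tree", "nah", "foop", "lamp", "river", "stone",
             "cloud", "mint", "iron", "delta", "harbor", "quilt", "zebra", "owl"]


def random_password(length: int = 8) -> str:
    """Completely random: case, digits and punctuation all decided on the fly."""
    return "".join(secrets.choice(FULL_ALPHABET) for _ in range(length))


def formatted_passcode(template: str = "aaa-ddddd-aaaa") -> str:
    """Passcode conforming to a prearranged constitution like "abc-12345-efgh":
    'a' slots get a random lowercase letter, 'd' slots a random digit, anything
    else is copied literally."""
    return "".join(secrets.choice(string.ascii_lowercase) if t == "a"
                   else secrets.choice(string.digits) if t == "d" else t
                   for t in template)


def matches_template(code: str, template: str = "aaa-ddddd-aaaa") -> bool:
    """Validator for the format above (what the login side would check)."""
    return len(code) == len(template) and all(
        (c in string.ascii_lowercase) if t == "a" else
        (c in string.digits) if t == "d" else c == t
        for c, t in zip(code, template))


def word_list_password(words: int = 3, sep: str = "-") -> str:
    """Words drawn at random from the list, e.g. "car-back-tree"."""
    return sep.join(secrets.choice(WORD_LIST) for _ in range(words))


def half_and_half(user_part: str, random_len: int = 5) -> str:
    """User-chosen part plus system-appended gibberish, e.g. "secret/5rhll"."""
    suffix = "".join(secrets.choice(SUFFIX_ALPHABET) for _ in range(random_len))
    return f"{user_part}/{suffix}"


def phrase_acronym(phrase: str) -> str:
    """First letter of each word: "we were troubled by that" -> "wwtbt"."""
    return "".join(word[0].lower() for word in phrase.split())


# Entropy: log2 of the number of equally likely outputs, i.e. how many bits an
# attacker who knows the scheme (but not the random draws) has to search.
def random_password_bits(length: int = 8) -> float:
    return length * math.log2(len(FULL_ALPHABET))


def formatted_passcode_bits(template: str = "aaa-ddddd-aaaa") -> float:
    return template.count("a") * math.log2(26) + template.count("d") * math.log2(10)


def word_list_bits(words: int = 3, list_size: int = len(WORD_LIST)) -> float:
    return words * math.log2(list_size)


def half_and_half_bits(random_len: int = 5) -> float:
    # Only the random suffix counts: the user half ("secret") is assumed guessed.
    return random_len * math.log2(len(SUFFIX_ALPHABET))


def entropy_table() -> dict:
    """Bits for the default parameters of each scheme, for side-by-side comparison."""
    return {
        "random 8 chars": random_password_bits(8),
        "passcode aaa-ddddd-aaaa": formatted_passcode_bits(),
        "3 words from 16": word_list_bits(3, len(WORD_LIST)),
        "3 words from 4096": word_list_bits(3, 4096),
        "half-and-half, 5 random": half_and_half_bits(5),
    }


if __name__ == "__main__":
    print(random_password(), formatted_passcode(), word_list_password(),
          half_and_half("secret"), phrase_acronym("fished up our nose"))
    for scheme, bits in entropy_table().items():
        print(f"{scheme:28} {bits:5.1f} bits")
```

The table makes the point the text only hints at: a three-word password from a short list is weaker than the formatted passcode, and a half-and-half is only as strong as its random tail.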
Labels:
Chapter 4
Passwords And Access Control
Three dominant classes of access control have developed to protect computer installations.
They are:
• knowledge-based controls (passwords)
• possession-based controls (keys)
• controls based on personal characteristics (biometric devices)
Possession-based controls have to do with things the user owns, like a physical key or magnetic card. Sometimes there is a metal clip of a peculiar shape that must fit into a hole in the computer before the computer will operate. A "key" could also be an identification badge, or a signed letter from a person of high status in the company, granting permission to access a site.
Biometric devices are those which look at some trait of a potential user and compare it to traits previously recorded, such as fingerprints, signature, or geometry of the hand.
These two forms of computer security may be designed for remote access control, although usually they are implemented at the site where the computers are located to limit access to either the computer room or the computer itself. Thus, descriptions of biometric and physical keys will be further developed in the on-site hacking section of this book.
The first class of access control - also the most common - is knowledge-based. That is, control is limited to those persons who can prove they have knowledge of something secret, usually a password. Discovering that password constitutes a large portion of hacking. Here, then, is everything you need to know about passwords: how they work, how they are stored, and how they are broken.
Labels:
Chapter 4