The classic way to gain access to a computer system is to find out the password and log in. An intruder who gains interactive entry to a system can employ other techniques to build system privileges. Therefore, finding a password—any password—is often the first step in cracking a network. Methods for getting passwords range from very high-tech (password-cracking dictionary scripts and de-encryption programs) to extremely low-tech (digging around in trash cans and peeking in users' desk drawers). Some common password attack methods include
Looking Outside the Box
No matter how secure your system is, your network won't be safe unless users protect their passwords. A major source of password compromise is the inattentiveness of users. The earliest hackers often obtained passwords by looking for clues in discarded computer printouts. Since that time, operating system vendors thankfully have become more sophisticated about protecting password information. However, a significant percentage of password-compromise cases still results from offline detection. Users tell their passwords to other users or write down their passwords in some easily accessible place. The physical security of a workplace often is far less rigid than network security. Janitorial staff, disgruntled co-workers, or even unauthorized outsiders are often free to slip into the office unsupervised and look for password clues. When a worker quits or is dismissed, the worker's account is deactivated, but what about other user accounts belonging to users who have shared their passwords with the former employee?
Some experienced hackers are skilled at getting users to reveal their passwords or getting network admins to tell them passwords. They'll call the help desk, act a little lost, and say, "Uhh, I forgot my password." This sounds silly, but it saves the intruder a lot of effort, and it is often the first thing he tries. Every organization should clearly instruct computer professionals not to reveal password information to any user without taking precautions to ensure that the request is legitimate.
As you'll learn later in this hour, the ultimate goal of the intruder is to achieve administrative-level privileges. Every password should be protected, because any access can often lead to administrative access, but it is especially important to protect administrative accounts from compromise. The administrative username is another line of defense against intrusion that should also be protected. Most computer systems come with a well documented and well known default administrative account. An intruder who is familiar with the operating system has a head start in gaining administrative privileges if she knows the username of the administrative account. Experts therefore recommend changing the username of the administrative account.
A common tool of computer intruders is the so-called Trojan horse. In general, a Trojan horse is a computer program that purports to do one thing but actually takes other unseen and malicious actions behind the scenes. One early form of the Trojan horse was a fake login screen. The screen looks just like the login screen used for the system, but when the user attempts to log in, the username and password are captured and stored in some secret location accessible to the intruder (see Figure 19.1).
As you might guess, this technique for stealing passwords is designed for a public setting such as a computer lab in which multiple users might use a common set of terminals or workstations. In recent years, operating systems have gotten better at preventing or detecting this form of password capture. Microsoft claims that NT and post-NT Windows systems are immune from this form of password-capture attack because the security subsystem suspends all background processes. However, immune is a bold word in the field of network security. Many Trojan horses exploit subtleties in the actual operating system code, and a great many attack methods have been developed that don't appear possible according to the documentation of the OS vendor.
Unix systems are still vulnerable to this form of password-capture attack. In the book Hacking Exposed by Joel Scambray, Stuart McClure, and George Kurtz (Osborne), the authors state that, after an intruder has obtained root access to a Unix system, he can "Trojanize" almost any Unix command, including the Unix login command. Password-capturing Trojan horse programs are often uploaded to a compromised system to catch new passwords and expand the hacker's hold on the network.
By the Way
Not all Trojan horses capture passwords, and not all password Trojans are as blatant as the example described in this section. Many other types of Trojan horse programs are available on the Internet. Some take the form of games or false system utilities. Many of these Trojan horse programs are distributed as freeware or shareware over the Internet. The best defense against this kind of attack is to be careful what you download. Free software is often worth every penny you pay for it. Or, to paraphrase the princess Cassandra, who prophesized the arrival of a particularly virulent Trojan horse at the gates of her city in 800 B.C., "Beware of geeks bearing gifts."
Some passwords are so simple or poorly formed that they can easily be guessed by the intruder. You would be surprised how many users use a password that is the same as their username. Some users use a street name, a maiden name, or the name of a child for a password, and some use easily guessable character combinations, such as 123456, abcde, or zzzzzz.
An intruder who knows a little about the user can often guess bad passwords the user might choose. In fact, the intruder doesn't even have to guess anymore, because tools now exist that automate the process of guessing passwords. These tools simply start trying to log in to a given user account by guessing common bad passwords. The attack tools guess through a list of obvious character combinations. Some tools even use a dictionary to guess every possible word or name in the language. This might require thousands of attempts, but computers can guess very quickly.
Unix systems are particularly vulnerable to these so-called brute force attacks. Brute force attacks can be used not only for the initial login but also for new shells and password-protected services. Several tools exist for logging unsuccessful login attempts and alerting network personnel when an attack is taking place.
Windows systems are also susceptible to brute force attacks, although the Windows password policy feature makes it easy to disable the system after a predetermined number of unsuccessful login attempts.
The best defense against password-guessing attacks is to force the users to use good passwords. See the section "What to Do About Password Attacks," later in this hour, for more on good password policy.
Packet sniffers and other tools that monitor network traffic can easily capture passwords transmitted over the network in clear text (unencrypted) form. Many classic TCP/IP utilities such as Telnet and the r* utilities (see Hour 15, "Remote Access Utilities") or SNMP (see Hour 21, "Network Management Protocols") were designed to transmit passwords in clear text form. Some later versions of these utilities offer password encryption or operate through secure channels (see Hour 20, "TCP/IP Security"). In their basic form, however, the clear text password security of these applications makes them hopelessly ill-suited for an open and hostile environment such as the Internet.
By the Way
Even in a closed environment such as a corporate network, clear text passwords are not really safe. Some experts estimate that one corporate employee in a hundred is actively engaged in trying to thwart network security. One percent is a small fraction, but when you consider a network with 1,000 users, that one percent amounts to 10 users who would love to get their hands on someone else's clear text password.
Several methods exist for encrypting passwords. These password-encryption methods are much better than the clear text option, but password encryption still has some limitations. Tools such as the L0phtcrack utility capture encrypted NT logons and decode them offline through brute force techniques.
Recent developments in encrypted channel technologies, such as SSL and IPsec (see Hour 20), raise the bar considerably higher for intruders who want to eavesdrop on TCP/IP to obtain sensitive information such as passwords.
What to Do About Password Attacks
The best defense against password attacks is eternal vigilance. Networks have employed a number of strategies for reducing the incidence of password compromise. A few of the more obvious guidelines are as follows:
Some systems have methods for controlling the number of passwords that each user must remember. Microsoft networks feature a passwords cache and a unified network logon through the domain security system. Unix systems offer Kerberos authentication (see Hour 20). These methods are very useful for controlling password proliferation in some environments. The downside of these unified logon methods is that, once an intruder gets one password, she has unlocked access to all the user's resources.
See Hour 20 for more on protecting passwords through encryption.