[EAS] Password Cracking Basics
Alex Hartman
goober at goobe.net
Thu Feb 14 16:36:48 CST 2013
Good write-up.

Don't forget that even with the shenanigans going on, you could
multiply it several fold. It's not unusual for a system without
intrusion detection to see several hundred login attempts a minute. My
web server at work here typically sees 10-30 requests a second, so
start compounding those attempts and the time becomes much, much
shorter.

Also, the password is one thing; finding the user is another. If they
also have to guess at a username, they're typically going to guess at
basic everyday system users which should not have a login to begin
with, but "Administrator", "root", "admin", "apache", "postfix",
"sendmail", etc. just to name a few are the first attempted users
because those services are superuser accounts. A brute-force system
will only attempt those users typically, unless the attacker has a
known username from say an email address (which typically is the user
name on a base system). This will raise your number quite heavily as
you'd have to guess 79,228,162,514,264,300,000,000,000,000 times per
user. Also what doesn't help while trying to be helpful is that
certain security organizations publish a top list of passwords from
their clients who have been breached.

No surprise the top ones are "password" or "123456"...

In reality, an unprotected system of modest capability wide open to
the world, I'd imagine you could run through the
79,228,162,514,264,300,000,000,000,000 in under a day with multiple
processes attacking at the same time. Nobody doing brute force does it
"one at a time". Computers are good at multi-tasking. Most hackers
alone however will move on much sooner to the lower hanging fruit, but
if it's say a group of hacktivists for instance, with several thousand
zombies in their control around the world, it wouldn't take much for
them to process the probability quickly. This also will and should by
any competent IT admin set off red flags almost immediately depending
on bandwidth available on the attacked node. If it's running on a DSL
line for instance, you probably will see traffic crawl to a stop
quickly with that many attempts, but if it's a co-located host in
Chicago where a Gigabit port is available, you might not notice unless
the machine stops responding (DDoS attack essentially). Most
hacktivist folk however want in, so they'll try to not ram the front
door with a tank when they can poke and probe much easier. It might
take them a month to get an account that works, but that doesn't
matter, they're still in, and you're none the wiser until something
happens.

There are several variables involved in security. There's the "snake
oil" factor of a secure password, which is only one part of the deal
in ensuring a modestly secure system. The user name is another;
intrusion detection and local blacklists that shut down attempts help as
well, which will probably do for a majority of people. Some with
sensitive data, or large records databases, etc., will need more
obviously.

Remember, this is only dealing with the front door. You can be back
doored just as easily and there typically is nothing the end user can
do in that situation. Take the PSIP generator running Windows. It's
running lsass, RPC, and if you're remoting into it some way, a form of
RDP. Those services can contain exploitable code; it's just a matter
of finding it, and then it turns into a cat and mouse game. Who can
patch faster. This is actually how most machines get compromised, not
through the front door of a login breach, but by finding someone
running a known bad version of Apache for instance where a simple
mangled HTTP request can have the web server execute a reverse shell
command (where the request turns into the command run on the host
machine). The Windows lsass service (handles all the security processes of
Windows) at one point was highly exploited with a virus. It has
since been patched by Microsoft, but human error can cause other issues as
well. When your code gets to a few thousand lines, and upgrades happen
without cleaning code, then you have problems. Programmers can be (and
typically are) lazy. They'll just comment out or leave in older code
while just adding new stuff, and these are where the exploits come into
play.

This whole thread is not meant to scare anyone; it's meant to make you
aware of your surroundings. The Internet is a nameless, faceless
system. Nobody cares who you are, what you do, and stealing stuff or
using other resources to some groups means no consequence. No accuser.
And in most cases, once the damage is done, the victim is left dealing
with the aftermath and no recourse. Just keep going. If you think you
might have some issues, there are several simple tools on insecure.org
that will allow you to test your system quite easily; it's the same
basic tools everyday script kiddies and hackers alike use. If you're
confident in your network, good. Check it anyways. If you say you
don't have time, find someone who does in the station. It can take a
day or so to fully audit a typical station (given 40ish workstations).

A simple basic security plan is never a bad thing. Think of it this
way: would you leave the front door of your house wide open while you
went on vacation for a few weeks? Most wouldn't. (Some will.) Why would
you let a super highway right into you with millions of people looking
through the window on their way by checking the place out and not have
at least a small lock on the front door? (And not the lock that comes
with every house sold, so there are millions of keys out there.)

Just some food for thought.

--
Alex Hartman
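The post's point about intrusion detection and local blacklists shutting down login attempts, as an added example that is not part of the original message or the list author's work: a small Python detector that reads sshd-style syslog lines, counts failed logins per source address over a sliding time window, and reports which addresses crossed a threshold (the same idea a tool like fail2ban automates) along with which usernames were tried. The log lines, host names, usernames and IP addresses are constructed for this example; the threshold and window values are assumptions, not recommendations from the post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth-log lines in the format sshd writes via syslog.
# Hosts, users and addresses are made up for this example.
SAMPLE_LOG = """\
Feb 14 16:30:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Feb 14 16:30:02 web1 sshd[2203]: Failed password for root from 203.0.113.5 port 40123 ssh2
Feb 14 16:30:02 web1 sshd[2205]: Failed password for invalid user apache from 203.0.113.5 port 40124 ssh2
Feb 14 16:30:03 web1 sshd[2207]: Failed password for invalid user postfix from 203.0.113.5 port 40125 ssh2
Feb 14 16:30:04 web1 sshd[2209]: Failed password for root from 203.0.113.5 port 40126 ssh2
Feb 14 16:30:05 web1 sshd[2211]: Failed password for invalid user sendmail from 203.0.113.5 port 40127 ssh2
Feb 14 16:31:10 web1 sshd[2230]: Failed password for alex from 198.51.100.7 port 51000 ssh2
Feb 14 16:31:40 web1 sshd[2231]: Accepted password for alex from 198.51.100.7 port 51001 ssh2
Feb 14 16:45:00 web1 sshd[2300]: Failed password for root from 192.0.2.9 port 33001 ssh2
Feb 14 16:45:01 web1 sshd[2301]: Failed password for root from 192.0.2.9 port 33002 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." forms.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2013):
    """Parse one sshd log line into a dict, or return None if it is not a login event.
    Syslog omits the year, so the caller supplies it (assumed 2013 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def find_brute_force(log_text, threshold=5, window_seconds=60):
    """Return (blocked, user_counts).

    blocked maps each source IP that accumulated `threshold` or more failed
    logins inside any `window_seconds` sliding window to the timestamp of the
    failure that crossed the line (the moment a blacklist entry would be added).
    user_counts records how often each username was tried and failed, which
    shows the guessing pattern against default system accounts.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    blocked = {}                  # ip -> timestamp when the threshold was reached
    user_counts = defaultdict(int)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["result"] != "Failed":
            continue
        user_counts[ev["user"]] += 1
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        # Expire failures older than the window relative to this event.
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in blocked:
            blocked[ev["ip"]] = ev["ts"]
    return blocked, dict(user_counts)


if __name__ == "__main__":
    blocked, users = find_brute_force(SAMPLE_LOG)
    for ip, when in blocked.items():
        print(f"block {ip} (threshold reached at {when:%H:%M:%S})")
    for user, n in sorted(users.items(), key=lambda kv: -kv[1]):
        print(f"{n:3d} failed attempts as {user}")
```

Run on the constructed lines, only 203.0.113.5 is flagged: six failures in five seconds against admin, root, apache, postfix and sendmail, exactly the default-account list the post describes, while the single mistyped password from 198.51.100.7 and the two slow root attempts from 192.0.2.9 stay below the threshold. Feeding the detector the real `/var/log/auth.log` (or `/var/log/secure`) and handing `blocked` to a firewall rule is the local-blacklist half of the picture; the per-user counts are the evidence that accounts like `apache` and `postfix` should have no login shell at all.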