Hacking II: Password attacks

In review, scanning networks is the foundation of any attack, as it allows us to discover our attack surface. But we have yet to talk about the most vulnerable link in the security chain: humans. We already gleaned from the domain names of IT systems that we humans like to map complex constructs onto structures that are as simple as possible. For example, we prefer meaningful names to memorising sequences of numbers. So it may be that our target system appears completely secure, requiring us to resort to non-technical procedures. This fact was summarised by Kevin Mitnick in 2002:

Companies spend millions of dollars on firewalls, encryption and secure access devices, and it’s money wasted, because none of these measures address the weakest link in the security chain.

Instead of getting worked up about hard-to-access IT infrastructure, we could simply drop USB sticks loaded with malware on the company grounds and wait for curious employees to do the rest. But these types of social engineering attacks during penetration testing should only be carried out in agreement with the client, as this purposefully manipulates persons. Humans are still the number 1 risk factor.

User passwords are a common entry point into IT systems. Which of us doesn't use one of their passwords twice? This question once again illustrates that we humans continually try to make life easier. Passwords usually relate to their owner, and/or the owner fails to change the passwords of their user accounts every once in a while. Collecting user passwords is thus particularly interesting to us, as they give us access to IT systems.

Basically, there are two ways of obtaining the passwords of user accounts. The most obvious route is to try different passwords against a service until we can successfully log in as a user. As our login attempts are transmitted over the network, this methodology is referred to as an online password attack. Alternatively, we may already have access to the system via some vulnerability X. In this case, we may even be able to read all saved access data. It should be noted that, ideally, only the salted hashes of user passwords are saved. Our task would therefore be to reconstruct the passwords from their hashes. As the cracking of hashes is performed locally on our own system rather than against the live service, this methodology is referred to as an offline password attack.
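Both sides of the distinction just drawn, as an added example that is not part of the original article: the salted, deliberately slow hashing a service should store (what an offline attacker who reads the database is left with) and a per-account failure counter that surfaces an online guessing attack. Written in Python with the standard library only; the iteration count, lockout threshold and all accounts and passwords are constructed for the demonstration.

```python
"""Added example (not the article's code): how a service should store passwords so
that an offline attacker who reads the database gets only salted, slow hashes, and
how a burst of failed logins (an online attack) can be detected. Standard library
only; every account and password below is constructed for the demonstration."""
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 200_000  # deliberately slow: this is the cost of every offline guess
LOCKOUT_THRESHOLD = 5        # failed online attempts before an account is locked


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user means two users with the
    same password get different digests, so one precomputed table cannot be reused."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt; compare in constant time so response timing
    does not reveal how many leading bytes of a guess matched."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


class LoginMonitor:
    """Front end of the online side: counts failed logins per account and locks
    the account once the threshold is reached, which is what a guessing attack
    against a single user looks like in the logs."""

    def __init__(self, store: Dict[str, Tuple[bytes, bytes]]):
        self.store = store
        self.failures = defaultdict(int)
        self._dummy = hash_password("")  # keeps work constant for unknown users

    def attempt(self, user: str, password: str) -> str:
        if self.failures[user] >= LOCKOUT_THRESHOLD:
            return "locked"
        salt, digest = self.store.get(user, self._dummy)
        if verify_password(password, salt, digest) and user in self.store:
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        return "locked" if self.failures[user] >= LOCKOUT_THRESHOLD else "failed"
```

In production, hashlib.scrypt or Argon2 are the memory-hard alternatives; PBKDF2 is used here only because it needs no third-party package.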


Contact

binsec GmbH
Clemensstraße 6-8
60487 Frankfurt am Main
Germany

Legal notice

Director: Patrick Sauer
Authorized Officer: Dominik Sauer, Florian Zavatzki
Registration: Frankfurt am Main, HRB97277
Turnover Tax Identification No.: DE290966808