CEH_ Official Certified Ethical Hacker Review Guide_ Exam 312-50 - Kimberly Graves [39]
A hacker may first try to connect to a default Admin$, C$, or C:\Windows share. To connect to the hidden C: drive share, for example, type the following command in the Run field (Start > Run):
Automated programs can quickly generate dictionary files, word lists, or every possible combination of letters, numbers, and special characters and then attempt to log on using those credentials. Most systems prevent this type of attack by setting a maximum number of login attempts on a system before the account is locked.
In the following sections, we'll look more closely at how hackers perform automated password guessing, as well as countermeasures to such attacks.
Cracking password hashes will be discussed later in this chapter.
Performing Automated Password Guessing
To speed up the guessing of a password, hackers use automated tools. An easy way to automate password guessing is to use Windows shell commands based on the standard NET USE syntax. To create a simple automated password-guessing script, perform the following steps:
1. Create a simple username and password file using Windows Notepad. Automated tools such as the Dictionary Generator are available to create this word list. Save the file on the C: drive as credentials.txt.
2. Pipe this file using the FOR command:
3. Type `net use \\targetIP\IPC$ %i /u:%j` to use the credentials.txt file to attempt to log on to the target system's hidden share.
Defending Against Password Guessing
Two options exist to defend against password guessing and password attacks: smart cards and biometrics. Both add a layer of security on top of the weakness that is inherent when users create their own passwords.
A user can also be authenticated and validated using biometrics. Biometrics use physical characteristics such as fingerprints, hand geometry scans, and retinal scans as credentials to validate users.
Both smart cards and biometrics use two-factor authentication, which requires two forms of identification (such as the actual smart card and a password) when validating a user. By requiring something the user physically has (a smart card, in this instance) and something the user knows (their password), security is increased, and the authentication process isn't susceptible to password attacks.
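The countermeasure the chapter mentions earlier, locking an account after a maximum number of failed logon attempts, is what stops the NET USE script above; the following Python is an added example, not code from the book, that models that lockout policy and flags the burst of failed network logons such a script leaves behind. The event layout, addresses, thresholds and window sizes are constructed assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of network-logon outcomes: (timestamp, source, account,
# outcome). A real feed would be the Windows Security log, not this list.
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:01", "10.0.0.5", "administrator", "failure"),
    ("2024-05-01T10:00:02", "10.0.0.5", "administrator", "failure"),
    ("2024-05-01T10:00:02", "10.0.0.5", "administrator", "failure"),
    ("2024-05-01T10:00:03", "10.0.0.5", "administrator", "failure"),
    ("2024-05-01T10:00:04", "10.0.0.5", "administrator", "failure"),
    ("2024-05-01T10:00:04", "10.0.0.5", "administrator", "success"),
    ("2024-05-01T10:07:30", "10.0.0.9", "jsmith", "failure"),
    ("2024-05-01T10:25:00", "10.0.0.9", "jsmith", "success"),
]

def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Map each source to the timestamp at which it first reached `threshold`
    failed logons inside a sliding `window` (the footprint of a guessing loop)."""
    recent, flagged = defaultdict(deque), {}
    for ts, src, _acct, outcome in events:
        if outcome != "failure":
            continue
        now, q = datetime.fromisoformat(ts), recent[src]
        q.append(now)
        while now - q[0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and src not in flagged:
            flagged[src] = ts
    return flagged

def apply_lockout(events, account, max_attempts=5, lockout=timedelta(minutes=15)):
    """Lock `account` for `lockout` after `max_attempts` failures; every attempt
    while locked is rejected, even a correct password. Returns (locked_at, rejected)."""
    failures, locked_until, locked_at, rejected = 0, None, None, 0
    for ts, _src, acct, outcome in events:
        if acct != account:
            continue
        now = datetime.fromisoformat(ts)
        if locked_until is not None and now < locked_until:
            rejected += 1               # the guessing loop gets nothing back
            continue
        if outcome == "success":
            failures = 0                # a good logon resets the counter
            continue
        failures += 1
        if failures >= max_attempts:
            locked_until, failures = now + lockout, 0
            locked_at = locked_at or ts
    return locked_at, rejected
```

Lowering the threshold shortens the window in which the attack can run undetected, at the cost of more false positives from users who simply mistype their passwords.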
Another example of how the FOR command can be used by an attacker is to wipe the contents of the hard disk with zeros using the command syntax `for ((i=0; i<11; i++)); do dd if=/dev/random of=/dev/hda && dd if=/dev/zero of=/dev/hda; done`. The wipe command could also be used to wipe the data from the hard disk using the command `$ wipe -fik /dev/hda1`.
RSA SecurID is a two-factor authentication system that uses a token and a password.
Offline Attacks
Offline attacks are performed from a location other than the actual computer where the passwords reside or were used. Offline attacks usually require physical access to the computer and copying the password file from the system onto removable media. The hacker then takes the file to another computer to perform the cracking. Several types of offline password attacks exist. Table 4.1 illustrates each type of attack:
A dictionary attack is the simplest and quickest type of attack. It's used to identify a password that is an actual word, which can be found in a dictionary. Most commonly, the attack uses a dictionary file of possible words, which is hashed using the same algorithm used by the authentication process. Then, the hashed dictionary words are compared with hashed passwords as the user logs on, or with passwords stored in a file on the server. The dictionary attack works only if the password is an actual dictionary word; therefore