
Social Engineering - Christopher Hadnagy [157]

isn’t shocking enough, Tonu posted statistics that more than 66% of the users on that list used passwords that were six to eight characters long. Given that most people have simple passwords, it is not unreasonable for a social engineer to crack one with a popular password-cracking tool such as Cain and Abel, shown in Figure 7-27.

You will notice that the Time Left box says 3.03909 days. To most hackers, three days is a short time to wait to be given clear access to the servers. Is three days really that long to wait for the administrator password?

To make this information really hit home, look at Figure 7-28, which shows the difference made if the same user were to use a 14–16 character password containing upper and lower case as well as non-alphanumeric characters.

Figure 7-27: Only three days to crack a simple password.

Figure 7-28: The Time Left box has increased to trillions of years.

Does more than 5 trillion years seem a little long to wait? By just increasing the length to 14 characters and using some non-basic characters (that is, *, &, $, %, and ^), obtaining the password through brute force becomes next to impossible for a hacker.

Because many users don’t use this level of complexity, identifying the weakness in many users’ passwords is not difficult. Certain tools (a couple of which are described in the next section) help profile potential passwords a user may have chosen.

Common User Password Profiler (CUPP)

Profiling a person is one of the main aspects of a successful social engineering audit. As previously discussed, Tonu’s research shows that out of 734,000 people, more than 228,000 of them used only six characters in their passwords. More than 17,000 of those chose to use the password of “123456” and close to 4,600 chose the word “password” as their password.

Common User Password Profiler (CUPP) is a tool that was created to make password profiling an easy task.

Muris Kurgas, also known as j0rgan, created this amazing little tool. It runs as a script in the leading penetration testing distribution, BackTrack, or you can download it from www.social-engineer.org/cupps.tar.gz.

The most common form of authentication is the combination of a username and a password or passphrase. If both match values stored within a locally stored table, the user is authenticated for a connection. Password strength is a measure of the difficulty involved in guessing or breaking the password through cryptographic techniques or library-based automated testing of alternate values.

A weak password might be very short or only use alphanumeric characters, making decryption simple. A weak password can also be one that is easily guessed by someone profiling the user, such as a birthday, nickname, address, name of a pet or relative, or a common word such as God, love, money, or password.

Because most users have weak passwords that can be easy to guess, CUPP is a perfect tool for profiling. It can be used for legal penetration tests or forensic crime investigations.
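The two weaknesses described above, short passwords and passwords built from personal details, can both be checked on the defensive side when a password is set. The following is an added example, not code from the book or from CUPP; the profile field names, the leet mapping, and the 80-bit threshold are assumptions made for illustration.

```python
import math
import re
import string

# Constructed sample profile: the kind of personal data a profiler collects.
SAMPLE_PROFILE = {
    "name": "John", "surname": "Smith", "nickname": "Johnny",
    "birthdate": "03031965", "partner": "Sally", "child": "Roger",
    "pet": "Max", "company": "ABC Paper",
}

# Undo common leet substitutions so "j0hnny" compares equal to "johnny".
# This mapping is an assumption, not CUPP's own table.
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "5": "s", "$": "s", "7": "t"})

def profile_tokens(profile):
    """Lower-cased words and date fragments that can be guessed from the profile."""
    tokens = set()
    for value in profile.values():
        if value.isdigit() and len(value) == 8:          # DDMMYYYY
            tokens.update({value, value[4:], value[:4]})  # full date, YYYY, DDMM
        else:
            tokens.update(w for w in re.split(r"\W+", value.lower()) if len(w) >= 3)
    return tokens

def guessable_tokens(password, profile):
    """Profile tokens found in the password, as typed or with leet undone."""
    raw = password.lower()
    normalized = raw.translate(LEET)
    return sorted(t for t in profile_tokens(profile) if t in raw or t in normalized)

def keyspace_bits(password):
    """Upper bound on brute-force work: log2(charset_size ** length)."""
    pools = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
    size = sum(len(p) for p in pools if any(c in p for c in password))
    return len(password) * math.log2(size) if size else 0.0

def review(password, profile, min_bits=80):
    """Reject a password that is profile-derived or has too small a keyspace."""
    hits = guessable_tokens(password, profile)
    bits = keyspace_bits(password)
    return {"profile_hits": hits, "bits": round(bits, 1), "accept": not hits and bits >= min_bits}

if __name__ == "__main__":
    for pw in ("J0hnny1965", "P4per$ales!", "tR#9vLq!zW2&pK7m"):
        print(pw, review(pw, SAMPLE_PROFILE))
```

The bit count is only an upper bound on brute-force effort; a password that contains profile tokens is rejected regardless of its length, because a profiled dictionary reaches it far sooner than exhaustive search would.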

The following is a copy/paste from a session using CUPP in BackTrack 4:

    root@bt4:/pentest/passwords/cupp# ./cupp.py -i
    [+] Insert the information about the victim to make a dictionary [low cases!]
    [+] If you don’t know all the info, just hit enter when asked! ;)
    > Name: John
    > Surname: Smith
    > Nickname: Johnny
    > Birthdate (DDMMYYYY; i.e. 04111985): 03031965
    > Wife’s(husband’s) name: Sally
    > Wife’s(husband’s) nickname: Sals
    > Wife’s(husband’s) birthdate (DDMMYYYY; i.e. 04111985): 05011966
    > Child’s name: Roger
    > Child’s nickname: Roggie
    > Child’s birthdate (DDMMYYYY; i.e. 04111985): 05042004
    > Pet’s name: Max
    > Company name: ABC Paper
    > Do you want to add some key words about the victim? Y/[N]: Y
    > Please enter the words, separated by comma. [i.e. hacker, juice, black]: christian,polish,sales person
    > Do you want to add special chars at the end of words? Y/[N]: N
    > Do you want to add some random numbers at the end of words? Y/[N]n
    > Leet mode? (i.e. leet = 1337) Y/[N]: Y
    [+] Now making a dictionary...
    [+]
