Thursday, December 30, 2010

bench3

Spotting Weak Passwords Using Offline Attacks | Security Audit

When a user logs on to a server, they first submit their password. The server passes it through a hashing function, a mathematical process that converts it into a fixed-length string of characters that looks nothing like the input, known as the password hash.

The server consults a list containing the password hashes of all its users, and checks that the hash it has just computed from the user's input matches the one stored in its password list. The beauty of this system is that hash functions are one-way (it is not feasible to convert a password hash back into the original password), so a hacker who breaks in to a server and gets hold of the list of password hashes has no direct way to recover the passwords themselves: all they have is a list of hashes, which on their own cannot be typed into a login prompt. One-way does not mean unguessable, however: the protection is only as strong as the passwords behind the hashes.

The only way to use the password hashes to get at the original passwords is by feeding different guesses into the hashing function and waiting until a password hash comes out that matches one of the hashes in the password list. Since the hacker has the password hash list in their possession, there is no need to submit guesses to the server (using a tool like Hydra) to see if they are correct.

Instead, they can run the whole process of passing guesses through a hashing function and comparing the results with the password hashes on the stolen password list on their own computer – a so-called "offline attack."

An offline attack is many times faster than an online attack, limited by the power of the computer carrying out the attack, not the server under attack. The server can't detect an offline attack itself, as it is being carried out on a completely unconnected system.

As well as using a list of guesses to try, it is also possible to "brute-force" the password hashes. This involves trying every combination of one-, two-, three-, four- (and so on) character passwords. Given enough time a brute-force attack is bound to succeed, since it eventually tries every possible password. It will find short passwords very quickly indeed, but each extra character multiplies the number of candidates by the size of the character set, so a password made up of eight random characters can take hundreds of years to brute-force, and a nine-character password thousands of years. These figures depend entirely on how many guesses per second the attacker can hash: a fast, unsalted hash such as MD5 or SHA-1 on modern hardware brings the time down by orders of magnitude, while a deliberately slow password hash such as bcrypt keeps it up.
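The following script is an added illustration of the offline attack described above, not code from the original post: it runs a dictionary attack and then a short brute-force search against a constructed list of stolen hashes, and it works out how the brute-force keyspace grows with password length. The hash function (unsalted SHA-1), the four sample accounts, their passwords and the mini word list are all assumptions made for the example; in a real audit the hashes would come from the server's password store and the word list from a dictionary file.

```python
"""Offline password cracking: guesses are hashed on the attacker's machine and
compared against a stolen hash list, never sent to the server."""
import hashlib
import itertools
import string


def sha1_hex(password: str) -> str:
    """Hash function assumed for this example: unsalted SHA-1, hex-encoded."""
    return hashlib.sha1(password.encode()).hexdigest()


# Constructed sample "stolen" password file (username -> hash). The hashes are
# computed here from invented passwords so the example runs offline; a real
# attacker would have lifted them from the server.
_SAMPLE_PASSWORDS = {"alice": "password", "bob": "letmein",
                     "carol": "ab1", "dave": "Xq9!tLw2"}
STOLEN_HASHES = {user: sha1_hex(pw) for user, pw in _SAMPLE_PASSWORDS.items()}

# Constructed mini word list standing in for a real dictionary file.
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "monkey"]

# Character set for the brute-force stage (lowercase letters and digits).
ALPHABET = string.ascii_lowercase + string.digits


def index_by_hash(hashes):
    """Invert the stolen list so one computed digest is checked against every
    user at once. With unsalted hashes, cracking N accounts costs about the
    same as cracking one."""
    index = {}
    for user, digest in hashes.items():
        index.setdefault(digest, []).append(user)
    return index


def dictionary_attack(hashes, wordlist, hash_fn=sha1_hex):
    """Hash each word in the list; report users whose stored hash matches."""
    index = index_by_hash(hashes)
    found = {}
    for word in wordlist:
        for user in index.get(hash_fn(word), []):
            found[user] = word
    return found


def brute_force(hashes, alphabet, max_len, hash_fn=sha1_hex):
    """Try every string of length 1..max_len over `alphabet`, shortest first,
    stopping early once every hash has been matched."""
    index = index_by_hash(hashes)
    found = {}
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            guess = "".join(chars)
            for user in index.get(hash_fn(guess), []):
                found[user] = guess
            if len(found) == len(hashes):
                return found
    return found


def keyspace(alphabet_size, length):
    """Number of candidates in an exhaustive search of exactly `length` chars."""
    return alphabet_size ** length


def years_to_exhaust(alphabet_size, length, guesses_per_second):
    """Worst-case time to try the whole keyspace at a given guessing rate."""
    return keyspace(alphabet_size, length) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    cracked = dictionary_attack(STOLEN_HASHES, WORDLIST)
    print("dictionary stage:", cracked)
    remaining = {u: h for u, h in STOLEN_HASHES.items() if u not in cracked}
    cracked.update(brute_force(remaining, ALPHABET, 3))
    print("after brute force (up to 3 chars):", cracked)
    # 95 printable ASCII characters; the rate is an assumed figure for comparison.
    for n in (6, 8, 9):
        print(f"{n} random printable chars at 1e9 guesses/s: "
              f"{years_to_exhaust(95, n, 1e9):.2e} years")
```

Running it shows the two dictionary words falling immediately, the three-character password falling to the brute-force stage after a few tens of thousands of hashes, and the eight-character random password surviving both; the keyspace figures make the point that the "hundreds of years" estimate only holds for a slow hash and a slow guessing rate.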

To test whether any of your users are using easily guessable or short passwords, you need an offline password-cracking tool such as John the Ripper, known simply as John, which is included in BackTrack 3. Unlike many of the open source tools in BackTrack 3, John has no built-in GUI, but fortunately it is very simple to use.

About bench3 -

Haja Peer Mohamed H, Software Engineer by profession, Author, Founder and CEO of "bench3". You can connect with me on Twitter, Facebook and also on Google+.