Gold Paper - Penetration Testing : Alternative to Password Cracking

Abstract

It is widely acknowledged that people, who are the weakest link in security, prefer to use the same credentials on different computer systems, which forces us, the penetration testers, to evaluate this within our testing scenarios. Typical methods include brute-force password-guessing attacks (usually using common tools) or comparison of captured password hashes against published databases of (usually stolen) password hashes. However, system administrators usually use very strong passwords, which renders password-guessing attacks excessively time-consuming, and modern operating systems employ strong salted hashing algorithms to prevent reverse engineering of password databases and comparison of hashes between different systems, even in cases where the attacker has obtained privileged access to the system. In this paper, an apparently novel technique for obtaining clear-text user and system account credentials, which can be used when privileged access has already been obtained on a UNIX-family system, will be discussed. It describes a method to change the code of system daemons that accept account credentials as input, so that these send the clear-text passwords back to the penetration tester via covert channels. This technique can significantly shortcut the time that might be spent in a brute-force guessing attack against very strong passwords. Passwords captured by this technique may be checked for "strength" against the client's password policy and tested against other client systems to detect password re-use.

GIAC GPEN Gold Paper, Penetration Testing: Alternative to Password Cracking. Maxim Catanoi, maxim.catanoi@endava.com. ©2015 The SANS Institute

Cite this paper

@inproceedings{Carbone2015GoldP, title={Gold Paper - Penetration Testing : Alternative to Password Cracking}, author={Richard Carbone}, year={2015} }