How to hack a password

The art of guessing other people's passwords



To come up with an effective password guessing strategy, an ethical hacker must try to get into the heads of users and administrators.

What factors influence our choice of passwords?

You can name at least the following three:

  • ease of memorisation;
  • restrictions on the choice of password imposed by the system;
  • the number of people using this password in their activities.

What can users easily remember?

Let's take a look at the things that are easiest for us to remember:

1) What is in front of your eyes.

Most often we see the brand names of monitors, laptops, mice and keyboards, and the prompt "password:". It is said that the choice by Hillary Clinton's campaign manager of such a trivial password as "password" had a disastrous effect on the results of the American elections.

2) What's important.

Important for a person:

  • fond memories and the dates tied to them, for example the wedding date;
  • relationships: the name of the beloved. Napoleon would have chosen the sweet josephine;
  • possessions: the car brand. James Bond would stay true to himself and choose aston, and if not, then bmw;
  • affection: the name of the pet. Emil of Lönneberga would have immortalised the nickname of his little friend: svinushok;
  • dreams: a holiday in a particular place. The temperamental girl from the film would probably choose the wonderful bali;
  • work: the name of the organisation or its type. The Lehman brothers would have made an unambiguous choice: bank;
  • hobbies: sport, collecting, music. Who doesn't love the Beatles?

3) What the fingers remember:

  • a geometric figure on the keyboard: qwerty;
  • a sequence of characters: 12345678.


4) What system or site it is:

  • the system name;
  • words associated with the business process it automates. For example, in the summer of 2020 the passwords of unfaithful users who were looking for companions through the Ashley Madison website were leaked. Among them you frequently come across options such as qwerty, 123456, 68cougar, love69pussies and lovesex.

How do password restrictions affect users' choice of passwords?


To protect users in many systems, developers provide a password policy mechanism, which, unfortunately (for ethical hackers, fortunately), is not always used. Let's take a look at constraints and how they are implemented / worked around by creative users.

Typical password policy restrictions:

  • password length (usually at least 8 characters);
  • use of characters in different cases;
  • use of combinations of letters and digits;
  • use of special characters;
  • a ban on reusing the previous password.

It is not difficult to come up with a password longer than 8 characters, but using characters in different cases is already difficult, since you need to remember for which character you chose uppercase in your password. The most obvious and likely solution is to choose the first or last character.


If the system forces you to add digits, users are a little more inventive:

  • Add digits at the beginning or the end, as a rule one to four of them. With one digit it is simply appended, as in the common password "Password1"; with two, the user will most likely choose a year or an age, as in "68cougar" from our erotic example; three digits are often just "123"; and four digits will be a year written in full: "Alexander2018".
  • Replace letters with similar-looking digits: A = 4, E = 3, I = 1, O = 0. Especially creative users make full use of l33t.

If special characters are required, users usually pick one of the best-known ones, as you can see in the following illustration:

Nothing is more annoying than a ban on using the old password, and users have learned to bypass this restriction by making minimal changes, for example, increasing the number at the end of their password by 1: it was “Alexander2019”, it became “Alexander2020”.

Understanding these little user tricks, it is easy for an ethical hacker to narrow down the candidate password words.
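The same observations can be turned around and used on the defending side. The following check, added here as an illustration and not part of the original post, undoes the tricks listed above (digits at the ends, a trailing symbol, leet substitutions) before comparing a proposed password against a blocklist, the account name and the previous password. The blocklist contents and the 12-character minimum are assumed policy values.

```python
import re
from typing import List, Optional

# Constructed blocklist for this demo; a deployment would use a breached-
# password list plus the organisation's own names, products and system names.
BLOCKLIST = {"password", "qwerty", "123456", "bank", "beatles", "aston", "bmw"}

# Undo the substitutions listed above: A=4, E=3, I=1, O=0.
LEET = str.maketrans({"4": "a", "3": "e", "1": "i", "0": "o"})


def base_word(pw: str) -> str:
    """Reduce a password to the word the user most likely started from:
    drop up to five non-letters at either end (digits, "!" and the like),
    lowercase, and reverse leet. "P4ssw0rd!2024" -> "password"."""
    core = re.sub(r"^[^A-Za-z]{1,5}|[^A-Za-z]{1,5}$", "", pw)
    return core.lower().translate(LEET)


def check_password(pw: str, username: str, previous: Optional[str] = None) -> List[str]:
    """Return policy findings for a proposed password; an empty list means accepted.
    The 12-character minimum is an assumed policy value."""
    findings = []
    base = base_word(pw)
    if len(pw) < 12:
        findings.append("too short")
    if not base:
        findings.append("contains no letters")  # e.g. 12345678
    elif base in BLOCKLIST:
        findings.append(f"based on blocklisted word '{base}'")
    # Compare with the login both as given and with dots/digits removed
    # (a.dorofeev and adorofeev are the same person).
    login_forms = {username.lower(), re.sub(r"[^a-z]", "", username.lower())}
    if base and base in login_forms:
        findings.append("based on the account name")
    # Alexander2019 -> Alexander2020: the word survived, only the digits moved.
    if previous is not None and base and base == base_word(previous):
        findings.append("only digits, case or symbols changed since the previous password")
    return findings
```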

Number of password users

If a password is to be used by many people, for example by system administrators or by students in a classroom, then as a rule it is deliberately made simple (for example, the same as the account name), and it is often left as the vendor default.

Password guessing strategy

Having dealt with the nuances of users choosing a password, we can develop a strategy for guessing a password during penetration testing.
Let's fix the initial conditions:

  • we are conducting penetration testing (exclusively ethical hacking);
  • there are systems with an authorisation mechanism based on a login and password pair;
  • we want to compromise the maximum number of user accounts on the maximum number of systems;
  • we consider only online password guessing (we do not consider cracking hashes).

Step 1. Determine the names of user accounts

For successful authorisation a password alone is usually not enough; you also need to know the account name. Let's figure out how to get it.

Option 1. Obtaining the list of accounts through a vulnerability in the system.
For example, a Windows domain controller can be configured to let an anonymous user retrieve the list of user accounts.
Anyone can check their own domain controller for this, for example with the rpcclient command line utility from Scanner-VS:

We connect to the domain controller and, when asked for the password, just press Enter:
    rpcclient -U "" <IP address of the domain controller>
Then we run the built-in command enumdomusers, which lists the domain's user accounts:
    rpcclient $> enumdomusers
If a list of accounts comes back, anonymous enumeration is enabled on that domain controller.

Option 2. Building the list from reconnaissance and analysis.

Usernames, even in small organisations, are set by administrators according to some standard. The most common options are: first letter of the first name + last name (adorofeev); the same with a dot in between (a.dorofeev); full first name + dot + last name (alexander.dorofeev). Internal account names also often coincide with the e-mail account, so the rule for forming usernames can be determined simply by "googling" the addresses of employees that have appeared on the Internet, and a complete list can be built from the list of employees, which can be obtained from the internal telephone directory as well as from social networks. As a last resort, you can form combinations of the most common first and last names according to the most common rules for forming account names.

Option 3. The most common accounts and default accounts.

Many systems have default accounts. At the very least this is admin or administrator. In some systems there are quite a few of them; for example, in Oracle DBMS you can find SYSTEM, SYS, ANONYMOUS, CTXSYS, DBSNMP, LBACSYS, MDSYS, OLAPSYS, ORDPLUGINS, ORDSYS, OUTLN, SCOTT, WKSYS, WMSYS, XDB. Accordingly, it makes sense to look into the administrator guides of the systems you want to test.

Systems often also contain accounts that are very easy to guess: for example, if the company has a classroom, the probability of teacher and student accounts existing is quite high. Are there many systems in which nobody has yet created a test account?

Step 2. Initial guessing of passwords

By understanding which accounts on which systems in the tested IT infrastructure we plan to compromise, we can determine the sequence of systems for attack:

No. | System class                                     | Accounts                                            | Passwords
1   | Domain controller                                | Employee accounts, administrative, typical          | Most common
2   | Business applications                            | Employee accounts, administrative, typical          | Most common
3   | DBMS                                             | Employee accounts, administrative, typical, default | Most common, default
4   | Special systems and services: backup, FTP, etc.  | Administrative, default                             | Most common, default
5   | Active network equipment                         | Administrative, default                             | Most common, default


If account lockout after several unsuccessful attempts is enabled in the systems (as a rule, the number 5 is chosen), the time for testing is limited, and we cannot wait between attempts for the counter to reset, then it makes sense to "run" through all users, checking the following likely passwords:

  • qwerty;
  • the same as the account name;
  • empty.
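A detection-side counterpart to the "run through all users" pattern, added here as an illustration and not part of the original post: over a constructed authentication log, flag any source whose failed logins touch many distinct accounts within a window, and record whether it stayed below the lockout threshold per account. The log format, the window and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): one source tries three passwords
# against twelve accounts in about two minutes; another source is a single
# user who simply mistypes their own password several times.
USERS = [f"user{i:02d}" for i in range(12)]
SAMPLE_LOG = [
    f"2020-07-01T10:{m:02d}:{s:02d} src=10.0.0.5 user={u} result=FAIL"
    for m in range(3) for s, u in enumerate(USERS)
] + [
    f"2020-07-01T10:05:{s:02d} src=10.0.0.9 user=jsmith result=FAIL" for s in range(7)
] + ["2020-07-01T10:06:00 src=10.0.0.9 user=jsmith result=OK", "not an auth line"]

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse(lines):
    """Turn log lines into (timestamp, src, user, result) tuples; skip other lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["user"], m["result"]))
    return events


def find_sprays(lines, window=timedelta(minutes=10), min_users=10, lockout=5):
    """Return (src, distinct_accounts, max_failures_per_account, under_lockout)
    for every source whose failures inside one sliding window touch at least
    min_users accounts. Staying below the lockout count per account while
    covering many accounts is the signature of a spray rather than a forgotten password."""
    fails = defaultdict(list)
    for ts, src, user, result in sorted(parse(lines)):
        if result == "FAIL":
            fails[src].append((ts, user))
    alerts = []
    for src, events in fails.items():
        best = (0, 0)  # (distinct accounts, max failures for one account) in the best window
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, u in events[start:end + 1]:
                per_user[u] += 1
            best = max(best, (len(per_user), max(per_user.values())))
        if best[0] >= min_users:
            alerts.append((src, best[0], best[1], best[1] < lockout))
    return alerts
```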

Step 3. Expansion of the zone of influence


Having obtained passwords for some accounts, the first thing an ethical hacker should do is log in and see what access has been gained.
If access to the file system is obtained, look for the following files:

  • configuration files, which may contain IP addresses and account details;
  • system backups and OS images used for rolling out new machines, from which password hashes can often be extracted;
  • SQL scripts, which often contain useful information as well.

Account and password pairs that worked on one system should be checked against the others too, since users, administrators included, like to use the same passwords on different systems.

A note for the ethical hacker: in large organisations it is common to find test environments loaded with data restored from a not-so-old backup of the production database. Test environments are usually poorly secured, for example with several administrator accounts and simple passwords. Compromising such a system gives testers the user password hashes, which are often still valid for the production system.

Tools and dictionaries for online password guessing


The thc-hydra command line utility is the classic tool for online password guessing, and for ethical hackers and administrators who prefer comfort, the same functionality with an intuitive interface is available in our Scanner-VS suite:

Another key factor in successful password guessing is the availability of well-built dictionaries, and this can be a problem. The dictionaries supplied with modern domestic security analysis tools do not always contain genuinely useful word sets. For example, they include the standard dictionary distributed with one free utility. That solution is simple, of course, but not very effective: can you imagine an Indian user choosing passwords such as soccer, cutiepie, maganda or mustang? How many happy owners of Ford Mustangs are there in an average city in India? Sometimes they include a wonderful dictionary based mostly on default passwords, but completely forget about ordinary users and their favourite passwords.


We decided to fix this annoying situation and compiled our own password lists, which are now available not only to users of our Scanner-VS security testing suite but to everyone, on our solution's website in the Passwords section:

Account lists:

  • user accounts (male): first letter of first name + last name
  • user accounts (male): first letter of first name + dot + last name
  • user accounts (male): first name + dot + last name
  • user accounts (female): first letter of first name + last name
  • user accounts (female): first letter of first name + dot + last name
  • user accounts (female): first name + dot + last name

Conclusion


The hacker from the film Swordfish got lucky and, despite the distractions and his chaotic working style, was able to guess the password and stay alive. By taking a structured approach, ethical hackers increase their chances of success in penetration testing and rely less on luck. This approach will keep working as long as passwords are chosen by humans😈.
