Abstract - cysecure.orgcysecure.org/470/19s/groupFinal/...WindowsAuthenticationFlaw.do… · Web...
Windows Authentication Flaws
Amber Jemison, Dylan Fried, Delbis Luciano, Ramadhin Rajkumar, Lanar Watson
IASP 470
Dr. Yoon
5 May 2019
Abstract
Windows is a proprietary operating system owned by Microsoft. The majority of the public uses Windows as their operating system, and large corporations use Windows for their employees' workstations. The general public does not realize that Microsoft uses weak encryption and hashing methods to store users' passwords. Hackers can harvest usernames and passwords on the victim's PC and use password cracking methods to obtain the password to the user account; because Windows hashing is weak, attackers can acquire the password in a minimal amount of time. Microsoft needs to address this issue because the bulk of PC users employ Windows as their operating system, and Microsoft's priority is to make sure their customers' data keeps its integrity, confidentiality, and authorization against intruders.
Approach
Research Windows encryption methods and how passwords are stored on a Windows machine. Analyze other encryption and hashing methods that can be integrated into the Windows authentication logon to provide better security. Provide a demonstration of the tool Kon-boot and show how easy it is to attain unauthorized access to a Windows machine. Afterwards, we will inform users on how to protect themselves from Kon-boot.
Table of Contents
Abstract
Approach
Research Work Distribution
Introduction
Standard Encryption Methods
What are Hashes
Windows Password Hashing
Using Konboot
Securing Windows Login
Windows Password Regulation Requirements
Password Cracking
Conclusion
Works Cited
Research Work Distribution:
Amber will provide research and information on standard encryption methods and password cracking methodology.
Lanar presented password cracking methods.
Delbis will discuss and research Windows regulations and password requirements.
Raj will research Windows encryption methods and how passwords are stored on a Windows machine, and assisted with Kon-boot.
Dylan will demonstrate how to get into a Windows machine using Kon-Boot and possible solutions to Windows password encryption.
Introduction
The general population wants to use a user-friendly operating system that will allow them to navigate around the system without difficulty. The operating system that users have become acquainted with is Windows. Windows is an extremely popular operating system: over 75 percent of users have Windows installed on their devices. Although Windows has become the users' go-to operating system, there is a serious vulnerability that has not been patched by Microsoft for a long time and still exists in the newest Windows release. A tool named Kon-boot allows an attacker to bypass the Windows authentication logon and extract users' sensitive information from the machine. This paper aims to discuss Windows hashing methods, analyze other encryption and hashing methods that could be integrated into the operating system, demonstrate the Kon-boot attack, and provide ways to protect users from an attack such as Kon-boot.
Standard Encryption Methods
Encryption is meant to protect consumer information, emails, sensitive data, and secure network connections. There are many different encryption methods to choose from. Encryption algorithms are classified into two categories: symmetric and asymmetric. Symmetric encryption uses a secret key (a number, a word, or a string of random letters) that is combined with the plain text of a message to change the content in a particular way. The sender and recipient both need to know the secret key so that the message can be encrypted or decrypted. Asymmetric encryption uses two keys, a public key and a private key, to encrypt plain text. The secret keys are exchanged over the internet/network. The public key is available to anyone who wants to send you a message. The private key is a secret that only you should know. When a message is encrypted using the public key, you need the private key to decrypt it, and vice versa if the message is encrypted using the private key. When a consumer has to decide which encryption method they want to use, the consumer should focus on what fits their needs as well as what is secure. The standard encryption methods considered here are Advanced Encryption Standard, Twofish, Triple Data Encryption Standard, and RSA.
Advanced Encryption Standard (AES) is a symmetric algorithm that uses a symmetric block cipher. Joan Daemen and Vincent Rijmen created AES. The United States Government uses AES encryption. AES helps protect classified information, software products, and hardware products. There are three key sizes: 128, 192, or 256 bits. Turning the plaintext into ciphertext is a process carried out in rounds, and the number of rounds depends on the key size: ten rounds for 128-bit keys, 12 rounds for 192-bit keys, and 14 rounds for 256-bit keys. By definition of symmetric key encryption, the two parties have to share the key with each other to encrypt or decrypt a message with AES.
Twofish is a symmetric block cipher. Twofish was made by Counterpane Labs and is technically an update of Blowfish. The best use for the Twofish algorithm is on smaller computers because it works well with smaller CPUs. Twofish is free of licensing for all users. Twofish protects hardware and software. Twofish works with three different key sizes: 128, 192, or 256 bits. The algorithm works in rounds, and regardless of the key size the number of rounds is always 16. Twofish is considered flexible because it is free and the user has control of the setup.
Triple Data Encryption Standard (3DES) is a symmetric key encryption algorithm that uses a block cipher. 3DES was created by Walter Tuchman, who worked on a development team for IBM. Triple Data Encryption Standard replaced the Data Encryption Standard, which was used by the United States Government to encrypt ATM PINs and was used in UNIX password encryption. 3DES uses 56-bit keys. It encrypts data three times, which turns the 56-bit key into a 168-bit key. There are different keying options. The user can have three independent keys. Another choice is a key strength of 112 bits, obtained by making Key 1 and Key 2 separate and Key 3 the same as Key 1. The final choice is a 56-bit key, obtained by letting all three keys be the same. Various financial institutions and businesses use Triple Data Encryption Standard.
RSA is an asymmetric algorithm named after Ron Rivest, Adi Shamir, and Leonard Adleman. RSA is a public key algorithm. By definition of an asymmetric algorithm, RSA uses a public key as well as a private key. The public key is of course public, and the private key is of course confidential. RSA relies on the fact that multiplying two prime numbers is easy, but factoring the product back into the two original primes is hard. The keys are 1024 or 2048 bits long. Users choose RSA because of these enormous key lengths.
The standard encryption methods AES, Twofish, 3DES, and RSA are commonly known algorithms. Depending on whether an algorithm uses symmetric or asymmetric encryption, its keys have to follow the corresponding definition. The user may need an algorithm for different purposes. The main goal is to choose the best algorithm that meets the user's needs and is secure enough to get the job done.
What are Hashes
A hash function is used to map data of arbitrary size onto data of a fixed size. When passwords are stored on computers or servers, they are converted into a hash value. Hash functions must be computationally efficient (the computer must be able to perform the mathematical hash function) and deterministic (the computer must get the same hash for the same file). The next two properties are preimage resistance, meaning the hash must not reveal any information about the actual input, and collision resistance, meaning no two inputs should ever produce the same hash. When a user types their password into a field, the website compares the hash values to confirm the user. There are different hash methods. The most commonly used functions are SHA-2, SHA-3, and MD5. SHA-2 has become popular in the last few years as it is the primary hash used in the blockchain technology linked with the cryptocurrency Bitcoin. While all these hash functions aim to do the same thing, their algorithms differ significantly.
Windows Password Hashing
Windows passwords used to be stored on the physical machine and in the system path. Microsoft Windows uses two different methods for hashing users' passwords, LAN Manager (LM) and NT LAN Manager (NTLM).
LAN Manager is the first password hashing technique used by Microsoft. It was initially used for Xerox Network Systems as a Server Message Block. The last version of LAN Manager was released in 1993; it is still supported by Microsoft for backward compatibility but has been turned off by default since Windows Vista and Windows 7. The steps of the LM hash are to convert the password to all uppercase and then append null values to make the total length 14 characters. The result is then separated into two DES 64-bit encryption keys. Each DES key is used to encrypt a preset ASCII string into an 8-byte cipher value, and the two values are combined to form the 16-byte LM hash. LM, being based on DES, has been considered insecure since 1998 and is not considered a true one-way function, one that is easy to compute but hard to invert. The first significant problem with LM hashes is that passwords are limited to 14 characters, which means the maximum key space is 95^14. The next major flaw is that if the password is longer than seven characters it is split into two separate pieces and each piece is hashed separately; this lowers the maximum key space to 95^7. Passwords stored with this hash function were also not case sensitive; all letters were converted to uppercase, reducing the maximum key space even further to 69^7. The last major flaw of the LM hash is that it does not salt the password or hash. These disadvantages leave the LM hash vulnerable to brute force attacks.
Figure 1: Password to LM Hash http://techgenix.com/how-cracked-windows-password-part1/
NTLM was introduced to replace LM. NTLM is considered to be much simpler and more secure than LM hashes. NTLM uses MD4 to produce the complete NTLM hash: it converts the password to Unicode format and then applies the MD4 hashing algorithm. MD4 is considered stronger than DES and allows users to use longer passwords. Another benefit is that it is case sensitive, allowing for upper- and lower-case letters. The last significant improvement over LM is that it no longer splits the password into smaller pieces, making it harder to crack. Unfortunately, NTLM still does not provide salting for the passwords and hashes. With Microsoft not adopting salting, passwords become prone to rainbow table attacks. As of 2019, it took 2.5 hours to crack an NTLM password.
Using Konboot
When using Kon-boot, the first thing to check is whether there is an account present on the machine with a password. When the user cannot access the system because the account does not allow them access and there is no guest login, the user can use Konboot to bypass the Windows authentication and access the machine. However, when using Konboot the user has to be aware of whether Secure Boot is enabled on the computer, because that will stop Konboot from making any changes to the kernel that would give the user access to the machine. The user can enter the BIOS with the function keys F12, F11, F2, F1, or Delete; the key depends entirely on the motherboard of the PC. Also, if there is a password assigned to access the BIOS, the user can bypass the BIOS password by taking the CMOS battery out of the motherboard and placing it back. The BIOS password will then be blank, so when the user tries to change the BIOS configuration they will not be halted by the BIOS password. After the user disables Secure Boot, the user can restart the machine and plug in the USB with Konboot; once the computer restarts, the user needs to press F8 to make the machine boot from the USB instead of the hard drive. Once again, the function key depends on the motherboard of the machine. Upon a successful attempt, the user will be presented with the Konboot logo and a description of what is happening; usually this attack takes only a couple of seconds. Once Konboot is done modifying the kernel, it presents the user with the Windows authentication screen, where the user can enter anything in the password box or press Enter without supplying a password, and the user will have administrator privileges. Also, because this software is proprietary, it is impossible to have a complete understanding of how Konboot works and what modifications it makes to the kernel so that users can have full access to the machine in a couple of seconds.
In the thread “How does Kon-Boot work?”, an author, Ankit Kumar, who currently works in the cybersecurity industry, gives his opinion on how Konboot works. Kumar states “In general, bootkits hook the 0x13 interruption routine that is usually provided by the BIOS of the computer. The role of this routine is to read sectors from the hard disk and to load them into a given location in RAM Memory. . . bootkits such as Kon-boot. . . modify directly the code of the operating system when it is copied into main memory, just before it execution” (Kumar, 1). Kon-Boot disrupts the operating system's boot process by changing the boot routine so that the user can bypass the authentication login. Perhaps Konboot performs a buffer overflow that allows it to make changes to the kernel, but people will never know because the software is proprietary; only the creators know about this exploit. As a result, using Konboot is an effortless way to get access to unauthorized machines, and the threat vector of this attack is easy to imagine, because the user or attacker can download malicious software onto the computer and take full control without physically being at the machine.
Securing Windows Login
Anyone who works in IT needs to be aware of the security issues circulating in the industry. There are tools circulating in IT that give unauthorized users access to machines. One such tool is Konboot, a popular tool used to bypass the Windows authentication login page and give the user full access to the machine. Konboot is proprietary software, so people cannot analyze its code; the tool is available for people to purchase and use. The company advertises on its website: “Kon-Boot is an application which will silently bypass the authentication process of Windows based operating systems. Without overwriting your old password. . . Easy to use and excellent for tech repairs, data recovery and security audits” (https://www.piotrbania.com/all/kon-boot/). This tool seems great for IT support employees dealing with issues that revolve around not being able to access a machine. Nonetheless, there is always the daunting thought that not everyone is going to use the tool for ethical purposes. In the following sections, I'll be discussing ways for users to avoid being susceptible to Kon-boot.
There are a couple of ways to keep users' machines protected from tools such as Konboot. In the thread “How secure can Bitlocker and EFS be when the Windows passwords are notoriously easy to hack?”, Phillip Remaker, who has been a Windows system administrator since 2001 and has twenty-two years of experience in computer security, discusses this question. For the people who are aware of Konboot, this tool has become not only a savior for IT support employees but also another tool that attackers can use to obtain unauthorized access to user machines. One of the ways to stop attackers from getting information from a user's machine is to protect it with EFS (Encrypting File System). Remaker states “EFS only protects user data. In EFS, files get encrypted with a symmetric File Encryption Key (FEK) which itself is encrypted with a per-user public key. The FEK can only be reconstituted with matching private key, which gets mathematically unlocked only by the user's password” (Remaker, 1). Although this scheme does not stop the user from bypassing the authentication login page, it adds another layer of security. When dealing with security in IT, administrators always need to have layer upon layer of security measures in their infrastructure, so that one scheme can be backed up by another. Moreover, EFS protects data from becoming accessible to attackers who have complete physical control of the machine. Remaker says “If the SAM (Security Account Management) is stolen, the private key cannot be unlocked without the user password. If the user's password gets reset or cleared without updating the password on the private key, the private key can never be unlocked again” (Remaker, 1). For a user to have complete access to the data, the user needs to know the password that corresponds with the private key, which allows the data to be decrypted and presented as plain text. However, if an attacker tries another attack method that clears the user's password and believes they will then be able to access the data, they are mistaken. As previously stated by Remaker, if the user's account is deleted or the password changes and is not updated with the system, then those keys are destroyed forever; regenerating that specific key to decrypt the data will be impossible, and those files will never be accessible again.
Furthermore, the next strategy to stop tools from bypassing the authentication login page is BitLocker. In the article “Prevent Windows password reset hacks”, Michael Pietroforte, who is the editor in chief of 4sysops and has more than 35 years of experience in IT management and system administration, explains his countermeasures for stopping tools that can bypass the authentication login page. Pietroforte states “In my view, encrypting all system drives, desktops, and servers is a must for various reasons. Encryption with BitLocker is the most secure way to prevent password reset hacks because an attacker can't just boot up a second operating system and manipulate an unprotected Windows installation” (Pietroforte, 1). BitLocker prevents attackers from using tools that manipulate the operating system to bypass the authentication login. Also, BitLocker is easy to implement in an organization's infrastructure; Pietroforte says “Many admins still shy away from BitLocker because of the additional management work. However, BitLocker is a mature technology that can be easily deployed, and it rarely causes problems once it is properly configured” (Pietroforte, 1). To reiterate, having more than one scheme to defend against threats is always a good thing. Admins should be conscious of improving their security by having more than one procedure when dealing with attacks. Another approach that Pietroforte recommends is to change the BIOS settings; Pietroforte says “Another option is to ensure that a potential attacker can't boot up a machine from external media by changing the corresponding BIOS settings. . . Some manufacturers also allow you to automate the task with bulk management tools and scripts” (Pietroforte, 1). IT employees can prevent people from breaking into their systems by integrating vendor tools that secure the BIOS. For example, HP has a BIOS Configuration Utility (BCU) which can “Secure BIOS settings, set authentication and credentials requirements, enable Microsoft Device Guard, and manage TPM firmware updates” (https://www8.hp.com/us/en/ads/clientmanagement/overview.html#manageability-tools). Numerous vendors are heading in the direction of integrating more tools that can eliminate tools that manipulate the BIOS or kernel to bypass authentication and obtain unauthorized access. Also, security professionals can disable booting from USB and CD in the BIOS, which eliminates the tools that need to operate from a USB or CD in order to initiate the attack. The last plan of action that Pietroforte advises security professionals to take is to utilize SysKey; Pietroforte states “The SysKey utility might be a bit outdated, but it can still be helpful in some environments. . . It allows you to move the SAM database encryption key to a USB stick. Whenever the server boots up, you will have to insert the USB stick. . . Note that even if you protect the SAM database this way, an attacker can still manipulate the database with various hacking tools by setting a blank password. However, since an additional password is needed to boot up the server, you have an extra layer of protection” (Pietroforte, 1). Although SysKey is outdated, it provides security professionals another layer of security to protect against attacks. This makes the attacker work harder to get unauthorized access to the machine, and sometimes attackers will become unmotivated to continue attacking the computer because of the many obstacles in their way.
Windows Password Regulation Requirements
To develop an environment with adequate security, machine users must follow a password protocol. Choosing any password for a Windows profile is risky, as hackers may use specific tools to crack into the system and access unauthorized content. Depending on the complexity of the password, intruders can either quickly gain access or have a difficult time. The easier the password, the easier it is to crack. Having a password protocol with additional security features can create a much higher defense against password cracking.
Today, the typical machine user has the freedom to use almost any password, whether for their email, social media accounts, or to log into their account on a laptop or PC. However, this mainly applies to personal use, as professional organizations tend to implement a password protocol to enforce network security. These protocols are often referred to as group policy. Giving users the privilege to choose any password for their machines is not the most secure decision by Microsoft. In the case of intrusion while the device is on the network and locked, an intruder can carry out attacks such as a brute force attack to gain unauthorized access to the system. The worst part of this situation is that a Windows machine does not have a limit on wrong password attempts. Though there is a lack of security for the typical Windows user, there are always convenient regulations the user can follow to keep their machine safer.
Windows 10 has a security policy setting which is applied today in many companies. This security setting is known as “Passwords must meet complexity requirements.” Depending on the company, the level of restriction can vary. First, passwords cannot contain the user's account name or part of the user's displayed name (Hall). Second, the password must contain characters from at least three of the following four categories: 1) uppercase letters from A through Z, 2) lowercase letters from a through z, 3) base 10 digits, and 4) special characters such as @#!^%*$. These complexity requirements are enforced when passwords are changed or created. These rules are part of "Passfilt.dll." Enabling this policy setting along with a minimum password length of 8 ensures that there are at least 218,340,105,584,896 possibilities for a password. Although not impossible, this makes a brute force attack much more difficult. This setting should also be implemented on a Windows user's personal machine. It has the same structure as if it were for an organization, but it can help the user break the habit of choosing easy passwords, and it can provide more security in the case of an unexpected attack. Organizations should also implement this type of protocol, but should enforce such security to a higher level, as will be discussed.
Issues
Many organizations have a group policy in place. Colleges, banks, cashiers, and police departments have all developed password protocols to enforce security in their organizations. As a former employee in some of these fields and currently an IT Help Desk Analyst for the NYPD, I have had the opportunity to see how effective a group policy has been for their organization, but I have also thought about how it can be improved. Group policies are not always perfect, as when creating them one is also considering the user's comfort. Marketing strategist and community manager Laine Hoke has described some of the most common policy mistakes (Hoke). We will look into three of these common mistakes. First, recycling old passwords as long as it has been more than six months. Second, assuming that requiring at least eight characters will make the password uncrackable. Last, assuming that the more requirements a group policy holds, the safer it is. These are all common mistakes that organizations usually apply in their policies.
Approach
To reduce the probability of an attack, an individual should follow certain additional guidelines. Symantec, an outstanding IT security company, points out that a strong password should have no personal information, no dictionary words, a length between six and nine characters, and use all possible character types including uppercase, lowercase, numbers, and symbols (Richardson). "A good password is easy to remember, but hard to guess." Requiring at least eight characters in an attempt to make the password uncrackable is not enough. Eight characters are only secure if they take advantage of all the potential character types. This includes 26 possibilities from lowercase, 26 from uppercase, ten from numbers, and 12 from the full set of symbols. Every position now has 74 possible entries, so the possible combinations for an 8-character password are 74^8. This allows almost 900 trillion combinations of passwords, which at 2 million guesses per second would take 14 years to exhaust. Enforcing such a protocol for every PC user would be beneficial, as not everyone possesses advanced tools that can crack passwords at a faster rate. For example, Jeremi M. Gosney introduced a system containing 25 AMD Radeon GPUs, capable of 20,000 million password attempts per second. Using this system on the 8-character password would lead to the password being broken in about 12 to 13 hours. However, not every intruder possesses such a tool, and it would most likely be used against an administrator, who tends to have a much stronger password than the typical user. It has been demonstrated that increasing the length of a password can greatly strengthen the security of a system. For example, increasing the password length for a 32-value character set to 10 instead of 8 increases the cracking time to over 17 years with a tool that runs 2 million guesses per second. Thus, having such additional security features can create a much higher defense against password cracking within an organization.
Another factor to consider in preventing the issues surrounding usernames and passwords is the “Enforce password history” policy setting that Windows provides. The longer a password is used on an account, the higher the chance that an attacker will be able to discover the password through a brute force attack (Hall). Also, requiring users to change their passwords but allowing them to reuse an old password reduces the effectiveness of a group policy. Administrators must set "Enforce password history" to 24, as this helps reduce vulnerabilities caused by password reuse. Along with enforcing password history, other factors need to be considered to prevent further issues. The “Maximum password age” setting specifies the number of days that a password can be used before it expires. Depending on the environment, the maximum password age should be set to a value between 60 and 90 days. One does not want to require users to change their password so frequently that they forget it, nor to let them wait too many months before replacing it, as that increases the likelihood of being compromised by a brute force attack. 60 to 90 days is a reasonable window, as it gives an attacker only a limited amount of time to compromise a user's password. The “Minimum password age” setting is another factor that must be considered. This setting determines the number of days that a password must be used before the user can change it. Such a configuration prevents the user from changing their password 24 times in a single day so that they can reuse a password they desire. Therefore, as recommended by Windows, it is best to set the minimum password age to 1 day.
All three factors work with one another to sustain the function of a group policy. A potential impact of enforcing password history is that if users are required to change their passwords to new values, there is a risk that users might start writing their passwords down somewhere so that they do not forget them (Hall). Another risk is that many users might create passwords that change incrementally by one or two numbers so they do not forget them. I have seen individuals follow such an approach. To address this concern, I have decided that an administrator could allow such a practice for six months. After six months, the user must use a different password that does not match the wording or structure of the previous one. This policy setting would be named “similarity limit”. The administrator should implement such a protocol to ensure security is up to high standards.
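The complexity rules, the key-space arithmetic and the proposed similarity limit from the paragraphs above, as an added Python example (not code from the original paper). The name-part handling (parts of three or more characters, split on common delimiters) and the two-edit similarity threshold are assumptions, since the paper does not define them; the account names and passwords in the demo are constructed.

```python
import re
import string

# Policy values follow the paper's recommendations. The name-part rule details and
# the similarity threshold are assumptions for this illustration (see lead-in).
MIN_LENGTH = 8
MIN_CLASSES = 3
SIMILARITY_MAX_EDITS = 2
NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")
SECONDS_PER_YEAR = 365.25 * 24 * 3600

CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def complexity_violations(password, account_name, display_name=""):
    """'Passwords must meet complexity requirements' as the text states it:
    at least 8 characters, no account-name or display-name part, and characters
    from at least three of the four classes. Returns a list of reasons (empty = OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    lowered = password.lower()
    # Assumption: name parts shorter than three characters are ignored.
    for part in [account_name] + NAME_DELIMITERS.split(display_name):
        if len(part) >= 3 and part.lower() in lowered:
            problems.append("contains name part %r" % part)
    used = sum(1 for chars in CLASSES.values() if any(ch in chars for ch in password))
    if used < MIN_CLASSES:
        problems.append("uses %d character classes, need %d" % (used, MIN_CLASSES))
    return problems


def edit_distance(a, b):
    """Levenshtein distance (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity_violation(old_password, new_password):
    """The proposed 'similarity limit': reject a change that only bumps the digits
    (Summer2019! -> Summer2020!) or edits one or two characters of the old password."""
    core = lambda s: re.sub(r"\d", "", s).lower()
    if core(old_password) == core(new_password):
        return "only the digits changed from the previous password"
    if edit_distance(old_password, new_password) <= SIMILARITY_MAX_EDITS:
        return "within %d edits of the previous password" % SIMILARITY_MAX_EDITS
    return None


def check_password_change(old_password, new_password, account_name, display_name=""):
    """Run both checks on a proposed change; an empty list means it is accepted."""
    problems = complexity_violations(new_password, account_name, display_name)
    reason = similarity_violation(old_password, new_password)
    if reason:
        problems.append(reason)
    return problems


def keyspace(alphabet_size, length):
    """Number of passwords of exactly this length over this alphabet."""
    return alphabet_size ** length


def years_to_exhaust(alphabet_size, length, guesses_per_second):
    """Worst-case time to try every password of the given shape, in years.
    Reproduces the text's figures: 74^8 at 2 million guesses/s is about 14 years."""
    return keyspace(alphabet_size, length) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed account and passwords.
    print(check_password_change("Summer2019!", "Summer2020!", "ajemison", "Amber Jemison"))
    print(years_to_exhaust(74, 8, 2e6))                     # between 14 and 15 years
    print(years_to_exhaust(74, 8, 2e10) * 365.25 * 24)      # between 12 and 13 hours
    print(years_to_exhaust(32, 10, 2e6))                    # between 17 and 18 years
    print(keyspace(69, 7), keyspace(95, 14))                # LM halves vs. full 14-char space
```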
Thus, having a password protocol with the additional security features mentioned above allows a much higher defense against password cracking. Choosing any password for a Windows profile is risky, as hackers may use certain tools to crack into the system and access unauthorized content. Administrators must set “Enforce password history” to 24, set the maximum password age to a value between 60 and 90 days, and set the minimum password age to 1 day. Also, requiring at least eight characters while also demanding that the user take advantage of all the possible character types can increase the defense against password cracking. To address the concern of individuals changing their passwords only slightly, Windows administrators should implement the similarity limit idea in group policy. Overall, Windows password regulations and requirements are an essential factor in security that should continuously be reviewed for improvements.
Password Cracking
Password cracking is when someone attempts to gain unauthorized access to a system by using common passwords or algorithms that guess the right password. Password cracking can be considered “Recovering a password from stored locations or the data transmission system. It is used to get a password for unauthorized access or to recover a forgotten password.” (Infosec). Depending on how complex the password is, if it uses numbers, characters, and special characters it may take a lot of time to get the right password. Hackers use different techniques and tools to obtain the correct password. Hackers may use methods such as dictionary attacks, brute force attacks, rainbow table attacks, hybrid attacks, and guessing. Hackers also tend to use tools that save time compared to manual techniques. The common tools used are Wfuzz, John the Ripper, RainbowCrack, Cain and Abel, OphCrack, and many more.
Techniques for password cracking
Techniques may vary to get the correct password, but some share the same basic
concept for obtaining it. The time needed to get the correct password also varies. A
dictionary attack uses “A simple file containing words that can be found in a dictionary, hence its
rather straightforward name. In other words, this attack uses exactly the kind of words that many
people use as their password.” (V. Highfield) Brute force attacks are similar to a dictionary attack.
The difference is that a brute force attack can use non-dictionary words. Brute force attacks
go through all of the possible alphanumeric combinations. It takes time to get the password,
especially if it is complex. A hacker can try to make the process faster by adding computing
horsepower. A rainbow table attack uses “A table down into a list of pre-computed hashes – the
numerical value used when encrypting a password. This table contains hashes of all possible
password combinations for any given hashing algorithm.” (V. Highfield). A rainbow table
attack saves time when cracking a password hash but needs a lot of computing power to run. “A Hybrid
Attack is a blend of both a dictionary attack method as well as a brute force attack. This means
that while a dictionary attack method would include a wordlist of passwords, the brute-force
attack would be applied to each possible password in that list.” (Cybrary.IT) Plain guessing of the
password can also succeed. Some hackers have the time to put in the effort to figure out the password on
their own.
Password Hacking Tools
Hackers may use different tools that were created by computer
programmers. Computer programmers try to come up with algorithms that will crack the
password in a short amount of time. Wfuzz is a web application password cracking tool that cracks
passwords using brute force. “This tool can also identify different kind of injections
including SQL Injection, XSS Injection, LDAP Injection, etc. in Web applications.” (Infosec)
John the Ripper is another tool that is used for password cracking. It is open source and works
on Linux, Unix, and Mac OS X; there is also a Windows version of John the Ripper. John the Ripper
can detect weak passwords. RainbowCrack is used to crack hashes. RainbowCrack is convenient
because you don’t have to generate rainbow tables on your own. There are LM rainbow tables,
NTLM rainbow tables, MD5 rainbow tables, and SHA1 rainbow tables that are free and
available online. Cain and Abel is another tool, but it is only available on Windows platforms: “It can
work as a sniffer in the network, cracking encrypted passwords using the dictionary attack,
recording VoIP conversations, brute force attacks, cryptanalysis attacks, revealing password
boxes, uncovering cached passwords, decoding scrambled passwords, and analyzing routing
protocols.” (Infosec) OphCrack is a free rainbow table cracking tool for Windows, Linux, and
Mac. It is a top-rated Windows cracking tool. These tools are readily accessible for obtaining a
password.
Conclusion
In conclusion, we conducted extensive research analyzing hashes and the different types of
encryption methods that can be integrated into the Windows authentication login. The outcome was
that Windows uses an NTLM hash, which is a dubious hashing method that can be replaced by a
better one such as SHA. Furthermore, while testing the Kon-boot tool, our team managed to get
through any version of Windows authentication login. Upon investigating how to stop
Kon-boot from bypassing the authentication login, we came up with three solutions that should
be implemented in any environment that uses Windows. The first solution is to use EFS
(Encrypting File System), which encrypts documents that are associated with a user’s account and
can only be decrypted with the user's password. The second is to use BitLocker, which
encrypts the entire drive and makes Kon-boot useless because Kon-boot cannot modify the
kernel. Lastly, users should utilize group policy to disable booting from a USB
or CD, and follow the Windows password regulation requirements to provide an extra layer of security.
Works Cited
Ankit, K. (2014, December 30). How Does Kon-Boot work? From Quora: https://www.quora.com/How-does-Kon-Boot-work
Carr, R. (2017, December 13). Types of Encryption: What You Need to Know About Underlying Algorithms. From Zettaset: https://www.zettaset.com/blog/types-of-encryption-underlying-algorithms/
Highfield, Vaughn. “The Top Ten Password-Cracking Techniques Used by Hackers.” Alphr, 26 June 2018, www.alphr.com/features/371158/top-ten-password-cracking-techniques.
Hoke, L. (2013, September 6). Top Five Password Policy Mistakes. From nfrontsecurity: http://blog.nfrontsecurity.com/2013/09/top-five-password-policy-mistakes/
HP. (n.d.). Client Management Solutions. From HP Official: https://www8.hp.com/us/en/ads/clientmanagement/overview.html
Komodo. (2018, August 14). Cryptographic Hash Functions Explained: A Beginner’s Guide. From Komodo: 2018
Microsoft. (2016, October 11). NTLM Overview. From microsoft.com: https://docs.microsoft.com/en-us/windows-server/security/kerberos/ntlm-overview
Microsoft. (2017, April 18). Password Policy. From Microsoft: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/password-policy
Phillips, G. (2018, June 21). 5 Common Encryption Types and Why You Shouldn’t Make Your Own. From Make Use Of: https://www.makeuseof.com/tag/common-encryption-types/
Pietro, M. (2014, July 8). Prevent Windows password reset hacks. From 4Sysops: https://4sysops.com/archives/prevent-windows-password-reset-hacks/#restrict-physical-access
Piotrbania. (n.d.). Kon-Boot. From Kon Boot: https://www.piotrbania.com/all/kon-boot/
Remaker, P. (2017, May 7). How secure can BitLocker and EFS be when the Windows passwords are notoriously easy to hack? From Quora: https://www.quora.com/How-secure-can-BitLocker-and-EFS-be-when-the-Windows-passwords-are-notoriously-easy-to-hack
Richardson, D. (2015). Information Security: An Investigation Into Password Habits. Finland.
Sanders, C. (2010, January 20). How I Cracked your Windows Password. From Techgenix: http://techgenix.com/how-cracked-windows-password-part1/
Shankdhar, Pavitra. “10 Most Popular Password Cracking Tools [Updated for 2018].” Infosec Resources, 3 May 2019, resources.infosecinstitute.com/10-popular-password-cracking-tools.
Stevens, P. S. (n.d.). Encryption Algorithms. From Top Ten Reviews: https://www.toptenreviews.com/software/articles/encryption-algorithms/
Symmetric vs. Asymmetric Encryption – What are differences? (n.d.). From SSL2BUY: https://www.ssl2buy.com/wiki/symmetric-vs-asymmetric-encryption-what-are-difference
“How to Crack a Password.” Meet Guru99 - Free Training Tutorials & Video for IT Courses, www.guru99.com/how-to-crack-password-of-an-application.html.
“Hybrid Attack.” Cybrary, www.cybrary.it/glossary/h-the-glossary/hybrid-attack/.
Top Ten Reviews. (n.d.). Which Types of Encryption are Most Secure? From https://www.toptenreviews.com/software/articles/secure-encryption-methods/