How Hacker Obtaining Passwords

Attackers have several ways to get hold of your passwords. The following sections list them in order of ease of attack and prevalence (roughly speaking).


Ask for Them
An astonishing number of people, up to three-quarters in some studies, are willing to part with their passwords in trade for something they value more, like chocolate in one particular study (Wagner, 2004).


Capture the Passwords Themselves
Apart from just asking for them, the most fruitful, simplest, and possibly most common way to attack passwords today is to use a keystroke logger to capture them in plaintext as the user enters them. There are many different kinds of keystroke loggers. An innocuous option is using a hardware device that mounts between the keyboard and the computer and has onboard memory to hold all keystrokes. It can be surreptitiously installed or removed in a matter of seconds. Such a device will get access to everything that the computer sees, including all keystrokes, metadata such as typing cadence, and so on. A software program, commonly found in malware and spyware today, can also capture all keystrokes, and can typically capture metadata as well, not just passwords. Some of these include an automatic upload feature to a Web site or an Internet Relay Chat (IRC) channel. Others include a small Web server that the attacker can use to retrieve the goods.

However, the simplest and most direct route for an attacker to capture only passwords is to write a sub-authentication package. Windows, like any other industrial-strength operating system, includes functionality for third parties to extend its authentication subsystem to authenticate to other network devices. An attacker can, with just a few application programming interface (API) calls, write a sub-authentication package that will receive all passwords in plaintext when a user logs on. With some more effort, the attacker can augment the package with the same features as a more general keystroke logger, but generating far less noise because it is specialized to capture only passwords.
Both of the software options require administrative privileges to install, meaning that the attacker must first completely compromise the computer. Physical compromise would also be sufficient to install these types of tools; and it is quite telling that keystroke loggers are now found regularly on public access computers, especially at conferences.


Capture the Challenge-Response Sequence
It is rare that passwords are passed over the network in any form today, and even rarer to see new implementations of plaintext protocols such as FTP, POP, and Telnet. However, even with challenge-response protocols the attacker can often capture both the challenge and the response and attack the combination. It requires more calculations than attacking ordinary hashes, but can be very fruitful if the password is weak.


Capture the Hashes
This is the quintessential attack that everyone worries about. If an attacker has access to the password hashes, he can crack them or use them in some other way. There are several ways to crack them, as we shall see shortly. The most common way to capture the hashes is to compromise the authentication server that stores the passwords. Another option less common but equally valid—is to compromise a computer where someone is already logged on. When a user logs on, as I mentioned earlier, Windows caches that user’s NT hash in memory. An attacker with complete control over the computer can retrieve that hash and use it in the same way as any other hash. Again, this is a problem largely related to your operational practices.


Guessing Passwords
Finally, the attacker can simply try to guess passwords. This is the easiest method to remedy, and also the least fruitful, or at least it should be. Anyone who has an Internet-connected Windows computer and actually looks at the log files will see attempts at this. Most attackers use automated password “grinders” that attempt to log on using either Terminal Services or Windows Networking (Server Message Block, or SMB). The log-on actually an Internet Information Services log-on attempt, which I know only because the host does not respond on either Terminal Services or SMB across the Internet. The automated password grinders will typically try common user names, such as Administrator, with a dictionary of passwords. Shockingly, they must be successful enough with that approach to make it worthwhile to continue. Many people argue that you should rename the Administrator account to fool attackers, and some even say to create a decoy account called Administrator. This has absolutely no effect whatsoever. The error message is the same whether an account does not exist with the name Administrator or whether the attacker gets the password wrong. Therefore, from the attacker’s perspective, he cannot tell whether you have an account called Administrator. He can only tell that he did not get in. You can assure yourself that he will not get in simply by setting a reasonably strong password. For example, if the password is 15 characters long and seemingly random (meaning that it seems random from the attacker’s point of view) the attacker will have to try 542,086,379,860,909,058,354,552,242,176, or so, times before he succeeds. More than likely he will move on before he succeeds in guessing that password.

Source of Information : Microsoft Press Windows Server 2008 Security

No comments:

Cloud storage is for blocks too, not just files

One of the misconceptions about cloud storage is that it is only useful for storing files. This assumption comes from the popularity of file...