Cracking Passwords - jude-lindale/Wiki GitHub Wiki
Password Storage Locations
Password storage locations vary by operating system. Windows stores password hashes (not the passwords themselves) in these locations:
- Security Accounts Manager (SAM) database for local accounts (C:\Windows\System32\config\SAM); the hashes inside are encrypted with a key derived from the SYSTEM hive in the same directory, so an offline attacker needs both files
- Active Directory database (ntds.dit, by default C:\Windows\NTDS\ntds.dit) on every domain controller, holding the hashes of all domain accounts
- A backup copy of the SAM in C:\winnt\repair (Windows NT/2000) or C:\Windows\repair, which may be readable even while the live SAM is locked by the running system
Some Windows applications store passwords in the Registry or as plain-text files on the hard drive. A simple registry or file-system search for “password” may uncover just what you’re looking for.
Linux and other Unix variants typically store password hashes in these files:
- /etc/passwd (readable by everyone; on modern systems the password field holds only x and the hash lives in /etc/shadow, but old or misconfigured systems may still keep hashes here)
- /etc/shadow (accessible by the system and the root account only)
- /etc/security/passwd on AIX (accessible by the system and the root account only)
- /.secure/etc/passwd on HP-UX trusted systems (accessible by the system and the root account only)
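As an added example (not part of the original wiki page), the following Python audits /etc/passwd and /etc/shadow lines for the problems a pentester looks for in these files: a hash left in the world-readable /etc/passwd, an empty password field, and legacy hash formats (DES crypt, md5crypt) that crack quickly. The sample lines are constructed for the example, with placeholder hash strings in the right syntax rather than real hashes; the script only reads real files if you pass them in.

```python
import re
import sys

# Constructed sample lines standing in for /etc/passwd and /etc/shadow.
# The hash strings are placeholders in the correct syntax, not real hashes.
PASSWD_LINES = [
    "root:x:0:0:root:/root:/bin/bash",
    "alice:x:1000:1000:Alice:/home/alice:/bin/bash",
    # legacy entry with the hash left in the world-readable file
    "legacy:$1$c0nstruct$" + "a" * 22 + ":1001:1001::/home/legacy:/bin/sh",
    "nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin",
]
SHADOW_LINES = [
    "root:$6$c0nstruct$" + "a" * 86 + ":19700:0:99999:7:::",
    "alice:$y$j9T$c0nstructedsalt$" + "a" * 43 + ":19700:0:99999:7:::",
    "svc:!:19700:0:99999:7:::",          # locked account, no usable hash
    "guest::19700:0:99999:7:::",         # empty field: login without a password
    "olddes:" + "aa" + "Z" * 11 + ":19700:0:99999:7:::",  # 13-char traditional DES crypt
]

# crypt(3) identifiers -> (scheme, strength assessment for cracking resistance)
HASH_IDS = {
    "1": ("md5crypt", "weak"),
    "2a": ("bcrypt", "ok"), "2b": ("bcrypt", "ok"), "2y": ("bcrypt", "ok"),
    "5": ("sha256crypt", "ok"),
    "6": ("sha512crypt", "ok"),
    "7": ("scrypt", "ok"),
    "y": ("yescrypt", "ok"),
    "gy": ("gost-yescrypt", "ok"),
}


def classify(field):
    """Return (kind, strength) for the password field of a passwd/shadow entry."""
    if field == "x":
        return ("shadowed", None)
    if field == "":
        return ("empty", "critical")
    if field.startswith("*") or field.startswith("!"):
        return ("locked", None)
    if field.startswith("$"):
        ident = field.split("$")[1]
        return HASH_IDS.get(ident, ("unknown-$" + ident, "unknown"))
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return ("des-crypt", "weak")
    return ("unrecognised", "unknown")


def audit(passwd_lines, shadow_lines):
    """Return (user, issue) pairs worth following up on a pentest."""
    findings = []
    for line in passwd_lines:
        user, pw = line.split(":")[:2]
        kind, _ = classify(pw)
        if kind not in ("shadowed", "locked"):
            findings.append((user, f"{kind} credential in world-readable /etc/passwd"))
    for line in shadow_lines:
        user, pw = line.split(":")[:2]
        kind, strength = classify(pw)
        if kind == "empty":
            findings.append((user, "empty password field (no password required)"))
        elif strength == "weak":
            findings.append((user, f"{kind} hash is cheap to crack; rehash with sha512crypt or yescrypt"))
        elif strength == "unknown":
            findings.append((user, f"{kind} password field: check manually"))
    return findings


if __name__ == "__main__":
    # Usage: python audit.py [/etc/passwd /etc/shadow]; without arguments the
    # constructed sample lines above are used.
    if len(sys.argv) == 3:
        passwd = open(sys.argv[1]).read().splitlines()
        shadow = open(sys.argv[2]).read().splitlines()
    else:
        passwd, shadow = PASSWD_LINES, SHADOW_LINES
    for user, issue in audit(passwd, shadow):
        print(f"{user}: {issue}")
```

Running it on the sample data flags legacy (hash in /etc/passwd), guest (empty password) and olddes (DES crypt); root, alice, svc and nobody produce nothing because their hashes are shadowed, modern, or the account is locked.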
Dictionary attacks
Dictionary attacks hash each entry of a wordlist (dictionary words plus many common passwords and their variations) and compare the results against the target password hashes. The wordlist is a plain text file with thousands to millions of entries, one per line, often in alphabetical order. Suppose that you have a dictionary file that you downloaded from one of the sites in the following list. The English-dictionary file at the Purdue University site contains one word per line starting with 10th, 1st all the way to zygote.
Many password-cracking utilities use a separate dictionary that you create or download from the Internet. Here are some popular sites that house dictionary files and other miscellaneous word lists:
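An added example, not taken from the page or from any of the tools it names: a minimal dictionary attack in Python against NT hashes in a pwdump-style dump (user:rid:lmhash:nthash:::). NT hashes are MD4 over the UTF-16LE encoding of the password; MD4 is implemented here in pure Python because hashlib does not expose it on every build. The dump, the wordlist and the mangling rules are constructed for the example, and the hashes in the dump are computed from made-up passwords so it runs offline. The point the paragraph does not show is why this is cheap: NT hashes are unsalted, so one hash computation per candidate is checked against every account at once.

```python
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). NT hash = MD4(password encoded as UTF-16LE)."""
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    R3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = A, B, C, D
        for i in range(16):                                     # round 1: F
            f = (b & c) | (~b & d)
            a, b, c, d = d, _rotl((a + f + X[i]) & MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):                                     # round 2: G
            g = (b & c) | (b & d) | (c & d)
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, _rotl((a + g + X[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):                                     # round 3: H
            h = b ^ c ^ d
            a, b, c, d = d, _rotl((a + h + X[R3[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4]), b, c
        A, B, C, D = (A + a) & MASK, (B + b) & MASK, (C + c) & MASK, (D + d) & MASK
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> str:
    return md4(password.encode("utf-16-le")).hex()


def mangle(word):
    """Yield candidates derived from one wordlist entry (a few common rules)."""
    base = []
    for w in (word, word.lower(), word.capitalize(), word.upper()):
        if w not in base:
            base.append(w)
    for w in base:
        yield w
        for suffix in ("1", "!", "123", "2024", "1!"):
            yield w + suffix


def parse_pwdump(lines):
    """pwdump-style 'user:rid:lmhash:nthash:::' -> {nthash: [users]}."""
    targets = {}
    for line in lines:
        user, _rid, _lm, nt = line.strip().split(":")[:4]
        targets.setdefault(nt.lower(), []).append(user)
    return targets


def dictionary_attack(dump_lines, wordlist):
    """Return {user: password} for every account whose NT hash matches a candidate."""
    targets = parse_pwdump(dump_lines)
    cracked = {}
    for word in wordlist:
        for cand in mangle(word):
            h = nt_hash(cand)   # unsalted: one hash serves every account in the dump
            for user in targets.get(h, []):
                cracked[user] = cand
    return cracked


# Constructed sample dump: hashes computed here from made-up passwords so the
# example runs offline. A real dump would come from the SAM or ntds.dit.
_SAMPLE_PASSWORDS = {"Administrator": "password", "alice": "Zygote123",
                     "bob": "summer1!", "svc_backup": "Tq8#vL0p9zWx"}
SAMPLE_DUMP = [f"{u}:{500 + i}:aad3b435b51404eeaad3b435b51404ee:{nt_hash(p)}:::"
               for i, (u, p) in enumerate(_SAMPLE_PASSWORDS.items())]
WORDLIST = ["10th", "1st", "password", "summer", "zygote", "letmein"]  # constructed

if __name__ == "__main__":
    for user, pw in dictionary_attack(SAMPLE_DUMP, WORDLIST).items():
        print(f"{user}: {pw}")
```

On the sample dump this recovers Administrator, alice and bob from a six-word list because their passwords are dictionary words with the usual capitalisation and suffix tweaks; svc_backup's random password is untouched, which is the limit of the method. Swap WORDLIST for a file read one line at a time to use a downloaded wordlist.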
Rainbow attacks
A rainbow attack uses precomputed tables (rainbow tables) to recover passwords from unsalted hashes such as LM, NTLM, Cisco PIX and raw MD5 far more quickly than on-the-fly cracking, and for LM hashes with a success rate near 100 percent. The speed comes from a time-memory trade-off: the work of hashing every candidate in a keyspace is done once, ahead of time, and organised into chains of alternating hash and reduction steps so that only each chain's start and end point has to be stored. At cracking time the hashes are not generated individually, as they are in dictionary and brute-force methods; the attacker walks a handful of chains and looks up the endpoints.

Two caveats follow from this. First, a table only helps if the same password always produces the same hash, which is why rainbow attacks work against unsalted formats (LM, NTLM, raw MD5) and fail against salted ones, where a separate table would be needed for every salt. Second, unlike brute-force attacks, rainbow attacks cannot crack passwords of unlimited length: a table covers only the character set and lengths it was generated for. For LM hashes the 14-character limit is built into the algorithm itself (the password is uppercased and split into two 7-character halves, which is why LM tables are so effective). NT hashes (the format used by Windows Vista and 7, also called NTLM hashes) have no such algorithmic limit; the 16-character figure quoted for them is what the ophcrack Vista and 7 tables cover, and those tables are dictionary-based (words plus common variations) rather than exhaustive. The rainbow tables are available for purchase and download via the ophcrack site at http://ophcrack.sourceforge.net. There's a length limitation because it takes significant time and storage to generate these tables. Given enough time, a sufficient number of tables will be created. By then, of course, computers and applications will likely have different authentication mechanisms and hashing standards, including a new set of vulnerabilities, to contend with. Job security for IT professionals working in this area never ceases to grow.
If you have a good set of rainbow tables, such as those offered via the ophcrack site and Project RainbowCrack (http://project-rainbowcrack.com), you can crack passwords in seconds, minutes, or hours versus the days, weeks, or even years required by dictionary and brute-force methods.
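An added example (not code from ophcrack or RainbowCrack) that builds and uses a small rainbow table in Python for MD5 over three-letter lowercase passwords, so the mechanics the paragraph describes are visible: chains of alternating hash and reduction steps, storage of only start and end points, a reduction function that differs per column, and lookup by regenerating one chain. The keyspace, chain length and number of chains are chosen for the demonstration, and the 64-bit reduction is an arbitrary choice. It also shows the coverage limit: a password outside the generated keyspace is never found, however good the table.

```python
import hashlib
import random

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
LENGTH = 3                                # keyspace: 26**3 = 17,576 passwords
KEYSPACE = len(ALPHABET) ** LENGTH
CHAIN_LEN = 40                            # hash/reduce steps per chain (t)


def md5_hex(pw: str) -> str:
    return hashlib.md5(pw.encode()).hexdigest()


def reduce_hash(hex_digest: str, pos: int) -> str:
    """Map a digest back into the keyspace. Mixing in the column index makes
    each column a different reduction function, so two chains that collide in
    one column do not merge for the rest of their length."""
    n = (int(hex_digest[:16], 16) + pos) % KEYSPACE   # 64 bits is plenty here
    chars = []
    for _ in range(LENGTH):
        chars.append(ALPHABET[n % len(ALPHABET)])
        n //= len(ALPHABET)
    return "".join(chars)


def build_table(num_chains: int, seed: int = 1) -> dict:
    """Return {endpoint: [start points]}; only the two ends of each chain are kept."""
    rng = random.Random(seed)              # fixed seed: deterministic table
    table = {}
    for _ in range(num_chains):
        start = "".join(rng.choice(ALPHABET) for _ in range(LENGTH))
        p = start
        for pos in range(CHAIN_LEN):
            p = reduce_hash(md5_hex(p), pos)
        table.setdefault(p, []).append(start)
    return table


def lookup(table: dict, target: str):
    """Recover a password for target (an MD5 hex digest) if some chain covers it."""
    for pos in range(CHAIN_LEN - 1, -1, -1):
        # Assume the target sits in column pos and walk to the chain's end from there.
        p = reduce_hash(target, pos)
        for k in range(pos + 1, CHAIN_LEN):
            p = reduce_hash(md5_hex(p), k)
        for start in table.get(p, []):
            # Candidate chain (may be a false alarm): regenerate it and check.
            q = start
            for k in range(CHAIN_LEN):
                if md5_hex(q) == target:
                    return q
                q = reduce_hash(md5_hex(q), k)
    return None


def coverage(table: dict) -> float:
    """Fraction of the keyspace that at least one stored chain passes through."""
    seen = set()
    for starts in table.values():
        for start in starts:
            q = start
            for k in range(CHAIN_LEN):
                seen.add(q)
                q = reduce_hash(md5_hex(q), k)
    return len(seen) / KEYSPACE


if __name__ == "__main__":
    tbl = build_table(400)
    print(f"stored {sum(len(v) for v in tbl.values())} chains, "
          f"coverage {coverage(tbl):.1%} of {KEYSPACE} passwords")
    print("md5('abc') ->", lookup(tbl, md5_hex("abc")))      # found only if covered
    print("md5('zzzz') ->", lookup(tbl, md5_hex("zzzz")))    # outside keyspace: None
```

Only 400 start/end pairs are stored, yet the table can answer for every password any chain touched; coverage stays below 100 percent because chains merge and because random starts repeat points, which is the reason real tables use several tables and far longer chains. The same code would work for NT hashes by swapping md5_hex for an NT hash function; it would not work for salted hashes, since the salt changes the mapping the chains were built on.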