Note from the Editor: This blog is part 3 of a 10-part series entitled, “Everything you need to know about an Internal Penetration Test.” To read the series from the beginning, please go to the blog, What is an Internal Penetration Test?
In most cases, an attacker is going to be much more successful with an offline password attack than with an online one. But why? In this blog, we will explore the difference between offline and online password attacks, the advantages of offline password attacks, and the ways an attacker can perform one.
Online Password Attacks
Let’s start with the one you are probably most familiar with: online password attacks. Online password attacks are the traditional type of attacks against a web application, exposed SSH terminal, or really any login interface. An online password attack consists of trying a large number of username/password combinations against the login portal in hopes of guessing the correct password.
Limits of Online Password Attacks
The first way online password attacks are limited is by the speed of the network. Each username/password combination is sent over the network to the authentication server, and the server responds accordingly. The time this back-and-forth transmission takes depends on the speed of the application server and the speed of the network. In practice, a typical online password attack can only manage around three to five login attempts per second.
The second way online password attacks are limited is that they are extremely noisy. Attempting five logins every second while working through an average password dictionary (around 10,000 passwords) is likely to be flagged by almost any logging and alerting mechanism. Additionally, most applications are protected with account lockouts: when a password is guessed incorrectly a certain number of times in a row, the application may lock out the targeted account, block the attacker's IP address, or both.
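As an added example (not from the original post), here is the kind of detection logic an alerting mechanism applies to spot an online attack at the rate described above: a sliding-window count of failed logins per source address, run over a few constructed sshd-style log lines. The log format, the threshold of five failures in sixty seconds, and the addresses are assumptions made for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (sshd-style wording, not real logs): one source
# sends six failures in two seconds, the other is a user who mistypes once.
SAMPLE_LOG = """\
2024-03-01T10:00:00 sshd: Failed password for alice from 10.0.0.5
2024-03-01T10:00:00 sshd: Failed password for bob from 10.0.0.5
2024-03-01T10:00:01 sshd: Failed password for carol from 10.0.0.5
2024-03-01T10:00:01 sshd: Failed password for dave from 10.0.0.5
2024-03-01T10:00:01 sshd: Failed password for erin from 10.0.0.5
2024-03-01T10:00:02 sshd: Failed password for frank from 10.0.0.5
2024-03-01T10:00:02 sshd: Accepted password for grace from 10.0.0.5
2024-03-01T10:05:00 sshd: Failed password for alice from 192.168.1.20
2024-03-01T10:09:30 sshd: Accepted password for alice from 192.168.1.20
"""

LINE_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")


def detect_password_guessing(log_text, max_failures=5, window_seconds=60):
    """Flag each source IP the first time it reaches max_failures failed logins
    within a sliding window. Returns {src: {"at": ts, "failures": n, "users": m}}."""
    recent = defaultdict(deque)  # source IP -> deque of (timestamp, username)
    alerts = {}
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # unrelated log line
        ts_text, outcome, user, src = match.groups()
        if outcome != "Failed":
            continue  # successful logins do not count toward guessing
        ts = datetime.fromisoformat(ts_text)
        window = recent[src]
        window.append((ts, user))
        # Expire failures older than the window so a slow trickle never alerts.
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= max_failures and src not in alerts:
            alerts[src] = {
                "at": ts_text,
                "failures": len(window),
                # Many distinct usernames from one source means the attacker is
                # working through a user list rather than hammering one account.
                "users": len({u for _, u in window}),
            }
    return alerts
```

Calling `detect_password_guessing(SAMPLE_LOG)` flags 10.0.0.5 on its fifth failure at 10:00:01, while the single mistake from 192.168.1.20 never trips the threshold.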
Offline Password Attacks
Here comes one of the most obvious statements: the difference between offline and online password attacks is that offline password attacks are offline. Great, but what does that mean? How could a password attack be offline? Well, in some cases an attacker can obtain a hash of your password, take it offline, and try to crack it there.
A hash is a one-way function: loosely speaking, a form of encryption that cannot be reversed. When your computer saves your password, it doesn't (or shouldn't) save the password in clear text. Instead, it hashes your password and saves the hash. So, for example, if your password is Password123, your computer will store: 42f749ade7f9e195bf475f37a44cafcb. This way, if anyone is able to read the memory of your computer, they won't be able to learn what your password is.
Now, when you log in to your computer, the computer takes what you type at the password prompt, computes a hash, and compares that hash with the one it stored when you set your password. An offline password attack takes this hash offline and tries to find the clear-text value that produces it. To do this, an attacker uses a computer (or a beefed-up computer) to take candidate passwords, compute their hashes, and compare them, very quickly and over and over again, until they find a match.
Advantages of Offline Password Attacks
In terms of advantages, the difference between offline and online password attacks is huge. In an offline password attack, the attacker never actually attempts to log in to the application server. This means the attack is invisible to the security team and to the logs. Common protections such as account lockouts will not work either, because the attacker takes the hash offline, finds the password, and the application then registers only a single, correct login attempt.
Speed is another major difference between offline and online password attacks. While online password attacks are limited by the speed of the network, offline password attacks are limited only by the speed of the computer the attacker uses to crack them. To put that in context, we have a cracking machine we built for less than $5,000 that can attempt three billion password guesses per second. That means an eight-character password can be brute-forced (every possible combination of characters tried) in less than three days.
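As an added example (not code from the original post), the following Python puts the two ideas above together: the stored-hash check a computer performs at login, the offline guess loop that compares candidate hashes without ever contacting the server, and the brute-force arithmetic at the three billion guesses per second quoted above. The MD5 digest is the one the text gives for Password123; the wordlist and alphabet sizes are constructed, and the time figures show that how long eight characters holds out depends on which alphabet the attacker has to cover.

```python
import hashlib

# The stored value the text gives for "Password123": an unsalted MD5 digest.
STORED_HASH = "42f749ade7f9e195bf475f37a44cafcb"

# Guess rate quoted in the text for the author's cracking machine.
GUESSES_PER_SECOND = 3_000_000_000


def hash_password(password):
    """The one-way value the computer stores instead of the password (MD5 here)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def login_check(entered, stored_hash):
    """What happens at the password prompt: hash the input, compare to the stored hash."""
    return hash_password(entered) == stored_hash


def offline_guess(stored_hash, wordlist):
    """The offline attack: hash each candidate locally and compare. No login request
    is ever sent, so nothing is logged and no lockout can trigger."""
    for candidate in wordlist:
        if hash_password(candidate) == stored_hash:
            return candidate
    return None


def brute_force_seconds(length, alphabet_size, rate=GUESSES_PER_SECOND):
    """Worst-case seconds to try every string of this length over this alphabet."""
    return alphabet_size ** length / rate


# Constructed four-entry wordlist standing in for a 10,000-word dictionary.
SAMPLE_WORDLIST = ["letmein", "Summer2019", "Password123", "Welcome1"]

if __name__ == "__main__":
    print("recovered:", offline_guess(STORED_HASH, SAMPLE_WORDLIST))
    # Same 3 billion/s rate; the alphabet decides whether "8 characters" means
    # minutes, hours or weeks, and every extra character multiplies the time.
    for name, size in (("lowercase", 26), ("alphanumeric", 62), ("printable", 95)):
        for length in (8, 12):
            days = brute_force_seconds(length, size) / 86400
            print(f"{name:12} len {length}: {days:,.2f} days")
```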
How Do Hackers Get My Password Offline?
The truth is, there are hundreds of ways an attacker can get your hashed password offline, but let’s look at a few.
Sniffing on the network
When you connect to a shared drive to access a file you need, you have to prove you have permission to view the file. This is what prevents the marketing department from reading the HR folder. The way that works over the network is that the file server sends you a challenge; you compute a new value using your hashed password and the challenge, and send that back to the server for authentication. If an attacker is able to sniff the network and capture both the challenge and the response, they can take them offline and perform a password attack on them. There are also things an attacker can do to increase the likelihood of getting this hash, known as NetBIOS Name Service spoofing and Link-Local Multicast Name Resolution spoofing. In these attacks, the attacker impersonates the file share and gets you to authenticate to them! We will cover that more in a future blog.
Dumping memory contents
Once an attacker gains administrative access to a single server or application, they can dump the contents of memory, including the SAM file. Your computer saves a hash of your password that it checks every time you log in. This hash is saved in the SAM file (on Windows computers). An attacker with admin-level access can dump this file, revealing the hashes of all local accounts on the system. Similarly, if an attacker gains access to a database, they can dump the user table, which may contain password hashes.
NTDS File
If an attacker is able to obtain domain administrator credentials and gain access to the domain controller, they can get at the NTDS file. This file holds the hashed password of every user on the domain. This is obviously the worst-case scenario for an organization, and a pot of gold for an attacker looking to launch offline password attacks.
How Can I Protect My Password?
Knowing all this, the next step is to protect your password. We recommend taking a layered approach, as there is no silver bullet to protect against password attacks.
Prevent an attacker from getting your password offline
This first one is obvious, and it may be hard to do, but prioritizing prevention is key. Preventing an attacker from gaining that initial access to the hashes and taking them offline is imperative. This includes many common security best practices, such as:
- ensuring systems are patched and up to date
- performing system hardening to remove unnecessary functionality and services
- increasing and customizing logging and alerting
Reduce the severity of the password disclosure
As we discussed above, there is a fairly good chance a dedicated attacker can get valid credentials. If not yours, then those of one of your users whose password is based on their dog's name. Therefore, you should take actions to reduce the severity of the incident when that happens. This can include steps such as:
- having a different password for each application
- strict use of least privilege when permitting access
- using multi-factor authentication anywhere possible
- requiring users to change passwords regularly
Increase the strength of your passwords
If your password is only 8 characters long, an attacker can reasonably recover it in under 3 days. This should make it painfully clear that 8 characters is no longer sufficient.
Conclusion
In this blog we explored the difference between offline and online password attacks. We covered why offline password attacks are much more likely to be successful, and how an attacker is likely to get password hashes offline in order to perform these attacks. Finally, we covered three broad options to better protect your passwords. If you would like to learn more about assessing the password security of your organization, please contact us today. We can help.
About the Author:
JR, Director of Penetration Testing at SIG. JR holds a BS in Computer Science Engineering from the University of Florida and an MS in Information Assurance and Cybersecurity from the Florida Institute of Technology. He is an avid collector of security-related certifications, including OSCP, OSWE, GWAPT, CISSP, C|EH, CISA, and PCI QSA. You can find him on Twitter @InfoSecJR.