To understand how to protect yourself from a password attack, you should become familiar with the most commonly used types of attacks. With that information, you can use password cracking tools and techniques to regularly audit your own organization's passwords and determine whether your defenses need bolstering. To that end, here's a primer of the most widely used types of attacks.
Password Guessing
The most common type of attack is password guessing. Attackers can guess passwords locally or remotely using either a manual or automated approach. Password guessing isn't always as difficult as you'd expect. Most networks aren't configured to require long and complex passwords, and an attacker needs to find only one weak password to gain access to a network. Not all authentication protocols are equally effective against guessing attacks. For example, because LAN Manager authentication is case-insensitive, a password guessing attack against it doesn't need to consider whether letters in the password are uppercase or lowercase.
Many tools can automate the process of typing password after password. Some common password guessing tools are Hydra (see http://www.thc.org for links to the downloadable tool), for guessing all sorts of passwords, including HTTP, Telnet, and Windows logons; TSGrinder (http://www.hammerofgod.com/download.htm), for brute-force attacks against Terminal Services and RDP connections; and SQLRecon (http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=26), for brute-force attacks against SQL authentication.
Automated password guessing programs and crackers use several different approaches. The most time consuming—and most successful—attack method is the brute-force attack, in which the attacker tries every possible combination of characters for a password, given a character set (e.g., abcd…ABCD…1234…!@#$) and a maximum password length.
Dictionary attacks work on the assumption that most passwords consist of whole words, dates, or numbers taken from a dictionary. Dictionary attack tools require a dictionary input list. You can download varying databases with specific vocabularies (e.g., English dictionary, sports, even Star Wars trivia) free or commercially off the Internet.
Hybrid password guessing attacks assume that network administrators push users to make their passwords at least slightly different from a word that appears in a dictionary. Hybrid guessing rules vary from tool to tool, but most mix uppercase and lowercase characters, add numbers at the end of the password, spell the password backward or slightly misspell it, and include characters such as @!# in the mix. Both John the Ripper (http://www.openwall.com/john) and Cain & Abel (http://www.oxid.it) can do hybrid guessing.
Password Resetting
Attackers often find it much easier to reset passwords than to guess them. Many password cracking programs are actually password resetters. In most cases, the attacker boots from a floppy disk or CD-ROM to get around the typical Windows protections. Most password resetters contain a bootable version of Linux that can mount NTFS volumes and can help you locate and reset the Administrator's password.
A widely used password reset tool is the free Petter Nordahl-Hagen program (http://home.eunet.no/~pnordahl/ntpasswd). Winternals ERD Commander 2005, one of the tools in Winternals Administrator's Pak (http://www.winternals.com/Products/AdministratorsPak/#erdcommander2005) is a popular commercial choice. Be aware that most password reset tools can reset local Administrator passwords residing only on local SAM databases and can't reset passwords in Active Directory (AD).