January 30, 2006 02:10 PM

Types of Password Attacks

Windows IT Pro
InstantDoc ID #49232

Password Cracking
Although password resetting is a good approach when all you need is access to a locked computer, resetting passwords attracts unwelcome attention. Attackers usually prefer to learn passwords without resetting them. Password cracking is the process of taking a captured password hash (or some other obscured form of the plaintext password or challenge-response packets) and converting it to its plaintext original. To crack a password, an attacker needs tools such as extractors for hash guessing, rainbow tables for looking up plaintext passwords, and password sniffers to extract authentication information.

Hash guessing. Some password cracking tools can both extract and crack password hashes, but most password crackers need to have the LM password hash before they can begin the cracking process. (A few tools can work on NT hashes.) The most popular Windows password hash extractor is the Pwdump family of programs. Pwdump has gone through many versions since its release years ago, but Pwdump4 is the current version. (You can download Pwdump4 at http://pr.openwall.net/dl/pwdump/pwdump4.zip.)

To extract password hashes using Pwdump, you must have administrative access to the local or remote machine you're attacking, and you must be able to use NetBIOS to connect to the admin$ share. There are ways around the latter requirement, but the tool alone requires it. When you run Pwdump4 successfully, it extracts LM and NT password hashes and, if Windows' password history tracking is active, all hashes for older passwords. By default, Pwdump saves password hashes to the screen, but you can also output them to a file, then feed them to a password cracker.

Many password cracking tools accept Pwdump-formatted hashes for cracking. Such tools usually begin the cracking process by generating some guesses for the password, then hashing the guesses and comparing those hashes with the extracted hash.

Common password crackers are John the Ripper and Cain & Abel. John the Ripper, which comes in both Unix and Windows flavors, is a very fast command-line tool and comes with a distributed-computing add-on. Cain & Abel can break more than 20 kinds of password hashes, such as LM, NT, Cisco, and RDP.

Rainbow tables. These days, password crackers are computing all possible passwords and their hashes in a given system and putting the results into a lookup table called a rainbow table. When an attacker extracts a hash from a target system, he or she can simply go to the rainbow table and look up the plaintext password. Some crackers (and Web sites) can use rainbow tables to crack any LM hashes in a couple of seconds. You can purchase very large rainbow tables, which vary in size from hundreds of megabytes to hundreds of gigabytes, or generate your own using Rainbow Crack (http://www.antsight.com/zsl/rainbowcrack). Rainbow tables can be defeated by disabling LM hashes and using long, complex passwords.
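The article describes a rainbow table as a lookup of every password and its hash; real tables store only the endpoints of long hash-reduce chains and recompute the rest at lookup time, which is what makes them small enough to sell or download. The following is an added example, not code from the article or from RainbowCrack, on a constructed toy keyspace (four lowercase letters, unsalted SHA-256 standing in for the LM hash); the chain length, chain count and reduction function are choices made for illustration.

```python
import hashlib
import string

# Toy stand-in for the unsalted LM password space: four lowercase letters.
# Constructed for this example; SHA-256 replaces the real LM algorithm.
ALPHABET = string.ascii_lowercase
PW_LEN = 4
KEYSPACE = len(ALPHABET) ** PW_LEN      # 456,976 candidate passwords
CHAIN_LEN = 40      # hashes per chain (t)
NUM_CHAINS = 1000   # chains stored (m); covers up to m * t passwords


def toy_hash(password: str) -> bytes:
    """Unsalted hash playing the role of the LM hash."""
    return hashlib.sha256(password.encode()).digest()


def int_to_password(n: int) -> str:
    """The n-th password of the keyspace (base-26, little-endian)."""
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def reduce_hash(digest: bytes, position: int) -> str:
    """Map a hash back into the keyspace. Mixing in the chain position
    is what distinguishes a rainbow table from plain Hellman chains."""
    return int_to_password((int.from_bytes(digest[:8], "big") + position) % KEYSPACE)


def build_table(num_chains=NUM_CHAINS, chain_len=CHAIN_LEN):
    """Store only endpoint -> start points; the rest is recomputed on demand."""
    table = {}
    for i in range(num_chains):
        start = pw = int_to_password(i * 7919 % KEYSPACE)  # spread start points
        for pos in range(chain_len):
            pw = reduce_hash(toy_hash(pw), pos)
        table.setdefault(pw, []).append(start)
    return table


def lookup(table, target: bytes, chain_len=CHAIN_LEN):
    """Recover the plaintext for an unsalted hash, or None if the table misses."""
    for i in range(chain_len):
        pw = reduce_hash(target, i)  # assume target sits at position i of a chain
        for pos in range(i + 1, chain_len):
            pw = reduce_hash(toy_hash(pw), pos)
        for start in table.get(pw, ()):
            cand = start  # endpoint matched: regenerate the chain, verify by hashing
            for pos in range(chain_len):
                digest = toy_hash(cand)
                if digest == target:
                    return cand
                cand = reduce_hash(digest, pos)
    return None
```

A hash of any password outside the precomputed keyspace (longer, mixed case, symbols) can never be matched, which is the concrete reason the article's advice to disable LM hashes and use long, complex passwords works.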

Password sniffing. Some password crackers can sniff authentication traffic between a client and server and extract password hashes or enough authentication information to begin the cracking process. Cain & Abel both sniffs authentication traffic and cracks the hashes it retrieves. Other sniffing password crackers are ScoopLM (http://www.securityfriday.com/tools/ScoopLM.html) and KerbCrack (http://ntsecurity.nu/toolbox/kerbcrack), a sniffer and cracker for Kerberos authentication traffic. None of these can crack NTLMv2 authentication traffic.

Password Capturing
Many attackers capture passwords simply by installing a keyboard-sniffing Trojan horse or one of the many physical keyboard-logging hardware devices for sale on the Internet. Symantec reports that 82 percent of the most commonly used malware programs steal confidential information. Most steal passwords. For $99, anyone can buy a keystroke logger that can log more than 2 million keystrokes. Physical keyboard logging devices less than an inch long can easily be slipped between the keyboard cord and the computer's keyboard port. And let's not forget how easy it is to sniff passwords from wireless keyboards, even from a city block away.
