Hello there! In this Article of Windows Forensics, we’ll learn all about Password-Cracking in Windows and Understand the security of Windows.

In last article we’ve seen how to use some inbuilt tools in windows to perform certain actions.

After reading this article, you will know about:

1.Password Cracking and Password Hashes.

2.Windows Password structure.

3.Windows security.

Contents at a glance

Password Cracking

Password cracking is a process of calculating or extracting the password of the device using several tools and methodology. So before we learn what is password cracking and how we can do by tools and methods, we must have to know about how the password is saved in windows and understand the logic.

Understanding the Windows password system

Windows systems store their user and password data in one of two places: the Security Account Manager (SAM) file or Active Directory. Information about local accounts is stored on the local computer’s SAM file, which is located in the %SystemRoot%\System32\Config folder; this file exists as a registry hive file. An additional copy of this file may be found in the %SystemRoot%\Repair folder for use by system-recovery utilities in the event the working copy becomes corrupted. The file may also be found in Windows NT Rescue floppy disks that
administrators sometimes create for use in repairing damaged systems. Information regarding domain accounts is stored on each domain controller in Active Directory. The Active Directory database information resides on the domain controller in a file called ntds.dit, which is located in the %SystemRoot%\ntds directory.

Computer Forensics : Windows Forensics Part 2 - Password-Cracking (Cain and Abel)

What is Password Hashes?

Windows does not store passwords in plain text. A password is run through a specific algorithm that converts the password into a numeric value. This value, called the hash value or simply the hash of the password, is then stored in lieu of the actual password.

Hashing algorithms (also called hash functions) are in a group of algorithms called one-way functions. The algorithm is designed such that whenever a particular password is used as the input to the function, it will always generate the same hash value, and the likelihood of two separate passwords generating the same hash value is low.

The hash function is considered one-way because while the same password can be used to consistently generate the same hash value, the resulting hash value cannot be used to determine the original password. The user first selects a password; the system runs the password through a hash function and calculates the resulting hash value. The system then records the resulting hash value along with the account name in the SAM or ntds.dit file. When a user attempts to authenticate using that account name, the system takes the password that the user provides during the authentication attempt, runs it through the hash function, and compares the resulting hash value to the hash value stored in the password file. If the two are the same, the authentication proceeds. If the two are different, the authentication fails. So after all if you get any password hash it might be look like:

f61b26d635309536c3c83c0adc3cb972

This is a MD5 Hash

Password Cracking Methodology

The term password cracking refers to the process of taking a password hash and attempting to determine the associated password that generated that password hash. The attacker simply guesses what the password may have been. He or she then runs that guess through whatever password hashing algorithm is used by the target system. The attacker compares the password hash generated by hashing the guess to the password hash that he or she is trying to crack.

If the two match, then the guess was correct. If the two do not match, then the guess was incorrect. The more guesses the attacker makes, the greater his or her odds of correctly guessing the password. The process therefore consists of multiple iterations of the following:

1. Guess a possible password.

2. Generate a password hash of the guess using the same hashing algorithm used by the target system.

3. Compare the hash of the guess to the hash of the target account’s password.

4. If the two match, the guess was the original password. If the two do not match, start over.

Attackers will utilize a dictionary of possible passwords to facilitate the password-cracking process. The attacker will hash each entry in the dictionary, comparing the resulting hash of each entry to the hash of the password the attacker is trying to crack.

You can Sniff the Authentication passwords and crack the Hash using some of the tools provided here:

Tool : Cain and Abel

One tool that is useful for an attacker in the scenario described previously is Cain, along with its companion product, Abel. Cain has many different capabilities; among them is a network sniffer that is designed to look  for passwords exchanged during various types of authentication exchanges.

Cain also has a built-in password cracker that is capable of cracking many different types of passwords and can use rainbow tables to facilitate rapid pre-computed hash attacks. Cain’s sniffer is even able to use ARP cache-poisoning techniques to defeat the segregation of traffic normally found within a switched network to set up a man-in-the-middle attack and allow sniffing of traffic that the compromised host would not normally receive. Abel acts as a remote sensor for Cain.

By installing Abel on a compromised computer, an attacker can use that computer to sniff traffic, sending the results back to a different computer for cracking. This allows the attacker to remotely control the Abel sensor while analyzing the sniffed data from his or her own workstation.

Tool : Helix

Helix is a customized distribution of the Knoppix Live Linux CD. You can boot into a customized
Linux environment that includes customized Linux kernels, hardware detection, and many applications dedicated to incident response and forensics.

Helix is designed not to touch the host computer in any way, and it is forensically sound. It will not automatically mount swap space or any attached devices. It focuses on incident response and forensics tools.

Computer Forensics : Windows Forensics Part 2 - Password-Cracking (Cain and Abel)

Helix Tool : Windows Forensics Toolchest (WFT)

The Windows Forensics Toolchest (WFT) collects security information from a Windows system and provides an automated incident response. It is capable of running other security tools. It produces reports in HTML format.

I hope this post was helpful to you. We’ll discuss the password Cracking in detail, in our further articles of Linux Forensics.

Please write comment, if you have any queries..

Did you read the Last post? Part1 of Windows Forensics. 😉