Social engineering The most popular low-tech method for gathering passwords is social engineering, which I cover in detail in Chapter 5. Social engineering takes advantage of the trusting nature of human beings to gain information that later can be used maliciously. A common social engineering technique is simply to con people into divulging their passwords. It sounds ridiculous, but it happens all the time.
Shoulder surfing Shoulder surfing (the act of looking over someone’s shoulder to see what the person is typing) is an effective, low-tech password hack.
Inference Inference is simply guessing passwords from information you know about users — such as their date of birth, favorite television show, or phone numbers. It sounds silly, but criminals often determine their victims’ passwords simply by guessing them!
Password-cracking software You can try to crack your organization’s operating system and application passwords with various password-cracking tools:
✓ Brutus (www.hoobie.net/brutus) cracks logons for HTTP, FTP, telnet, and more.
✓ Cain & Abel (www.oxid.it/cain.html) cracks LM and NT LanManager (NTLM) hashes, Windows RDP passwords, Cisco IOS and PIX hashes, VNC passwords, RADIUS hashes, and lots more. (Hashes are cryptographic representations of passwords.)
✓ Elcomsoft Distributed Password Recovery (www.elcomsoft.com/edpr.html) cracks Windows, Microsoft Office, PGP, Adobe, iTunes, and numerous other passwords in a distributed fashion using up to 10,000 networked computers at one time. Plus, this tool uses the same graphics processing unit (GPU) video acceleration as the Elcomsoft Wireless Auditor tool, which allows for cracking speeds up to 50 times faster. (I talk about the Elcomsoft Wireless Auditor tool in Chapter 9.)
✓ Elcomsoft System Recovery (www.elcomsoft.com/esr.html) cracks or resets Windows user passwords, sets administrative rights, and resets password expirations all from a bootable CD.
✓ John the Ripper (www.openwall.com/john) cracks hashed Linux/UNIX and Windows passwords.
✓ ophcrack (http://ophcrack.sourceforge.net) cracks Windows user passwords using rainbow tables from a bootable CD. Rainbow tables are pre-calculated password hashes that can help speed up the cracking process. See the nearby sidebar “A case study in Windows password vulnerabilities with Dr. Philippe Oechslin” for more information.
✓ Proactive Password Auditor (www.elcomsoft.com/ppa.html) runs brute-force, dictionary, and rainbow cracks against extracted LM and NTLM password hashes.
✓ Proactive System Password Recovery (www.elcomsoft.com/pspr.html) recovers practically any locally stored Windows password, such as logon passwords, WEP/WPA passphrases, SYSKEY passwords, and RAS/dialup/VPN passwords.
✓ pwdump3 (www.openwall.com/passwords/microsoft-windowsnt-2000-xp-2003-vista-7#pwdump) extracts Windows password hashes from the SAM (Security Accounts Manager) database.
✓ RainbowCrack (http://project-rainbowcrack.com) cracks LanManager (LM) and MD5 hashes very quickly by using rainbow tables.
✓ THC-Hydra (www.thc.org/thc-hydra) cracks logons for HTTP, FTP, IMAP, SMTP, VNC, and many more.
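The rainbow-table idea behind ophcrack and RainbowCrack, and the reason a dictionary or rainbow audit works at all against unsalted LM/NTLM-style hashes, can be shown in a few lines. The following is an added example written for this section, not code from the book or from any tool listed above; the wordlist and "extracted" hashes are constructed, and the naive hash-to-word dictionary stands in for a real rainbow table (which uses reduction chains to save space). It also shows the standard mitigations, per-user salts and a slow key-derivation function, which make the precomputed table useless and each guess expensive.

```python
import hashlib
import os

# Constructed mini wordlist standing in for a cracking dictionary file.
WORDLIST = ["password", "letmein", "summer2024", "Welcome1"]


def build_table(words):
    """Precompute the unsalted MD5 digest of every word. This is the naive form
    of a rainbow table: hash each candidate once, then reuse the table against
    any number of extracted hashes with a simple lookup."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}


def audit_hashes(stored, table):
    """Audit stored digests against the table; returns digest -> cleartext for
    every entry that came from a dictionary word (what a password auditor
    would flag as weak)."""
    return {d: table[d] for d in stored if d in table}


def salted_digest(password, salt):
    """Salted hash: a random per-user salt is mixed in before hashing, so the
    same password gives a different digest for every user and every salt."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def slow_digest(password, salt, iterations=200_000):
    """PBKDF2-HMAC-SHA256: each guess costs `iterations` HMAC calls, which
    multiplies the cracker's work per candidate even when no table applies."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def demo():
    table = build_table(WORDLIST)
    # Constructed "extracted" unsalted hashes: one dictionary word, one not.
    stored_unsalted = [hashlib.md5(b"letmein").hexdigest(),
                       hashlib.md5(b"tr0ub4dor&3!").hexdigest()]
    weak = audit_hashes(stored_unsalted, table)       # finds 'letmein' only
    # The same table is worthless against a salted digest of the same password.
    salt = os.urandom(16)
    stored_salted = [salted_digest("letmein", salt)]
    weak_salted = audit_hashes(stored_salted, table)  # empty
    return weak, weak_salted


if __name__ == "__main__":
    weak, weak_salted = demo()
    print("recovered via precomputed table:", list(weak.values()))
    print("recovered after salting:", list(weak_salted.values()))
```

Against a real password store, the audit half is exactly what Proactive Password Auditor or John the Ripper automates at scale; the salting and PBKDF2 half is what the application owner should be using so that such an audit finds nothing.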