Password Cracking (T1110.002)

Information

• Name: Password Cracking

• ID: T1110.002

• Tactics:

• Technique:

Introduction

Password Cracking () is a sub-technique within the MITRE ATT&CK framework under the Credential Access tactic. It involves attackers systematically guessing or recovering passwords from hashes or encrypted formats, utilizing automated tools and brute-force methods. This technique allows adversaries to escalate privileges, maintain persistence, and move laterally within compromised environments by gaining access to user accounts and sensitive resources.

Deep Dive Into Technique

Password cracking techniques typically involve automated processes designed to recover plaintext passwords from cryptographic hashes or encrypted credentials. Common methods include:

• Brute Force Attacks: Attackers attempt every possible combination of characters, numbers, and symbols systematically until the correct password is found. This method is effective but resource-intensive and time-consuming, especially for complex passwords.

• Dictionary Attacks: Utilizing pre-compiled wordlists containing common passwords, dictionary words, and known password patterns. Attackers often customize wordlists based on the target organization's context, industry, or language.

• Hybrid Attacks: Combining dictionary and brute-force methods, attackers modify dictionary words by appending numbers, symbols, or changing letter cases, increasing the likelihood of finding complex passwords.

• Rainbow Table Attacks: Pre-calculated tables of hashed passwords used to reverse cryptographic hashes quickly. This method significantly reduces the time required compared to brute-force attacks, especially for hashes without strong salting.

• Credential Dumping and Offline Cracking: Attackers extract hashed passwords from compromised systems (e.g., Windows SAM, Linux /etc/shadow) and crack them offline, avoiding detection and network-based rate-limiting mechanisms.

Attackers commonly leverage specialized password-cracking tools, such as:

• Hashcat

• John the Ripper

• Cain and Abel

• Hydra

• Medusa

These tools offer advanced capabilities, GPU acceleration, distributed cracking, and support for various hashing algorithms and encryption standards.

When this Technique is Usually Used

Password cracking may occur at various stages of an attack lifecycle, including:

• Initial Access and Reconnaissance: Attackers may attempt to crack externally exposed authentication services (e.g., SSH, RDP, web applications) to gain initial footholds.

• Privilege Escalation: After gaining initial access, attackers crack passwords of administrative or privileged accounts to escalate privileges within the environment.

• Lateral Movement: Compromised credentials obtained through password cracking are used to access additional systems, move laterally, and expand the attacker's foothold.

• Persistence: Cracked passwords enable attackers to maintain persistent access even after initial compromise vectors have been mitigated.

• Credential Reuse Attacks: Attackers crack passwords from one compromised system or service and reuse credentials to access other resources or accounts within the organization.

How this Technique is Usually Detected

Detection of password cracking activities typically involves monitoring and analyzing various security indicators and behaviors, including:

• Account Lockouts and Failed Logins: Increased frequency of failed login attempts or account lockouts may indicate active brute-force or dictionary attacks.

• Unusual Login Patterns: Monitoring for login attempts from suspicious IP addresses, geographic locations, or at unusual times can help identify password cracking attempts.

• Log Analysis: Security logs from authentication services (e.g., Active Directory, SSH logs, web application logs) can reveal repeated failed attempts, anomalous patterns, or automated tools usage.

• Endpoint Detection and Response (EDR) Tools: EDR solutions can detect credential dumping attempts, suspicious processes, and activities associated with password cracking tools.

• Network Traffic Analysis: Network monitoring tools can detect password cracking activities by identifying anomalous traffic patterns, repeated authentication attempts, or known signatures of password-cracking tools.

• Honeytokens and Honeypots: Deploying decoy accounts and services can help detect attackers attempting to crack passwords, providing early warning indicators.

• IoCs (Indicators of Compromise):

  • Presence of known password-cracking tools (e.g., Hashcat, John the Ripper) on endpoints.

  • Unusual spikes in CPU/GPU usage indicating computationally intensive password-cracking activities.

  • Detection of large-scale authentication attempts across multiple accounts or services.

  • Logs indicating access attempts from suspicious or known malicious IP addresses.

Why it is Important to Detect This Technique

Early detection of password cracking attempts is crucial due to the following potential impacts:

• Credential Exposure: Successful password cracking leads directly to unauthorized access, credential compromise, and potential data breaches.

• Privilege Escalation: Attackers gaining privileged account credentials can escalate privileges, leading to complete control over critical systems and infrastructure.

• Data Exfiltration: Compromised credentials enable attackers to access sensitive data, intellectual property, personal information, or confidential business data, resulting in financial and reputational damage.

• Persistence and Lateral Movement: Cracked credentials allow attackers to maintain persistent access and move laterally throughout the network, complicating remediation efforts.

• Regulatory and Compliance Implications: Credential compromise resulting from password cracking incidents can lead to regulatory penalties, compliance violations, and legal repercussions.

• Operational Disruption: Password cracking activities can cause account lockouts, service disruptions, and negatively impact business operations and productivity.

Early detection allows security teams to respond promptly, mitigate risks, contain incidents, and minimize potential damage.

Examples

Real-world examples of password cracking include:

• LinkedIn Breach (2012):

  • Attackers successfully compromised over 160 million user credentials.

  • Password hashes (SHA-1) were cracked offline using brute-force and dictionary attacks.

  • Impact: Massive credential exposure, user account compromise, and significant reputational damage.

• RockYou Breach (2009):

  • Attackers obtained 32 million plaintext passwords due to weak security practices.

  • Password lists from this breach have since become widely used dictionaries in password cracking attacks.

  • Impact: Increased effectiveness of dictionary attacks globally due to publicly available password lists.

• Colonial Pipeline Ransomware Attack (2021):

  • Attackers gained initial access through a compromised VPN account, likely cracked or reused from another breach.

  • Resulted in significant operational disruption, fuel shortages, and financial losses.

• Ashley Madison Breach (2015):

  • Attackers cracked weakly hashed passwords (bcrypt with weak implementation) from leaked databases.

  • Impact: Exposure of sensitive user data, severe reputational damage, and significant privacy implications.

Tools commonly associated with these scenarios:

• Hashcat: Advanced GPU-accelerated password cracking tool, widely used for offline cracking of hashed credentials.

• John the Ripper: Versatile password cracking tool supporting numerous hash algorithms, commonly used in penetration testing and real-world attacks.

• Hydra and Medusa: Network-based brute-force and dictionary attack tools used to target online authentication services (SSH, RDP, HTTP).

These examples highlight the critical importance of strong password policies, multi-factor authentication (MFA), continuous monitoring, and early detection capabilities to mitigate password cracking risks and impacts.