Free Essay

Csec 610 Lab 1

In:

Submitted By truth83
Words 1190
Pages 5
1. Explain the two different types of attacks that can be performed in Cain and Abel to crack user account passwords. Which do you think is the most effective and why?

Answer: The two different types of attacks that can be performed in Cain and Abel are Brute Force attack and a Dictionary attack. The Brute Force attack is a method of breaking a cipher in a word through every possible key. The extent of breaking the password depends greatly on the length of the password. Within the program Cain and Abel, Brute Force will look at all possible combinations of characters within the password to try and recover or crack the password than the dictionary attack. Brute Force cracking can take forever to find the password but it will eventually lead to a password being cracked (Ducklin, 2013). Dictionary attacks, also known as wordlist attacks, is a simple and more efficient way to crack passwords. Many people tend to use words listed in the dictionary for passwords. The program uses multiple dictionaries as well as technical and foreign language dictionaries as support to enable the cipher to be cracked. The downside to this type of password cracking is that if a word contains complex symbols, uppercase, lowercase, and numbers that are not in the dictionary, then the dictionary attack can be beat (Gibson, 2011). With working with Cain and Abel in class, I felt that the dictionary attack was more efficient in finding the password due to real life scenarios where individuals set passwords for social media sites using words that are commonly found in the dictionary. Those types of words tend to be easily remembered than something more complex with symbols and numbers in a combination.

2. Compare and contrast the results from the two methods used to crack the accounts for the three passwords each encrypted by the two hash algorithms. What conclusions can you make after using these two methods?

Answer: With Brute force using the LM hashes, there was a significant time for all three users regardless of complexity amongst the different password that needed to be cracked. For the first user the time stated 6.5 years, user 2 was 5.5 years, and user 3 was 6.6 years. Using the NTLM hash all three users passwords would take forever to crack. The dictionary method proved to be more effective in cracking the ciphers amongst all three users. Using the LM hash in the dictionary attack, User 1’s password was cracked in 44 seconds; user 2’s password was cracked in 35 seconds; and user 3’s password was unsuccessful in cracking the password. Using the NTLM has User 1’s password was cracked in 42 seconds; user 2 in 26 seconds and user 3’s password was unsuccessful in being cracked. With all of the data that was tested using the Brute Force and Dictionary attack methods, the dictionary method proved to be more effective in cracking the passwords with less complexity. The more complex a password tends to be makes the process harder to crack, which sometimes can lead to it being unsuccessful. 3. Research another algorithm used to store passwords that were not discussed here. (Include references in APA format.) Answer: Another algorithm used to store passwords is the MD5 algorithm. According to ZDNet, MD5 password scrambler is no longer safe to be used on commercial websites. This shed light on MD5 when there was a breach on the website LinkedIn, which 6.4 million passwords were leaked on the Internet (Whittaker, 2012). MD5 Algorithm is used to verify data integrity with the creation of a 128-bit data input. MD5 replaced MD4, which was the old cryptologic hashing program. MD5 hashes are also used to ensure data integrity amongst files. MD5 Hashes are used in relation to credit card numbers or storing passwords. This is essential because MD5 uses small strings rather than larger ones for more complex ciphers. Other companies have moved past using MD5 hashing by blocking its digital certificates. Microsoft was a big name that also has updated their security protocol. The move was influenced because it has proven t be insecure with SSL certificates and digital signatures. MD5 has algorithms that could cause an attacker to decrypt its content and also to perform phishing (Constantin, 2013). 4. Research another password recovery software program and provide a thorough discussion of it. Compare and contrast it to Cain and Abel. (Include references in APA format.) Answer: Another password recovery software that was found is called Ophcrack. This software runs on Windows, Macintosh, and Linux operating systems. The program itself uses rainbow tables to cipher the password. Operating systems do not store passwords in plain text, which would make it, unsecure. What operating systems do is put passwords through a one-way hashing function to store the passwords. Once the password is entered the hashing does calculations to which it is then compared to the password hash. The program offers fast tables and small tables in which passwords can be cracked faster and in half the time using the fast tables. The only downside to this program is the inability to crack passwords composed of special characters (Slangen, 2009). 5. Anti-virus software detects Cain and Able as malware. Do you feel that Cain and Able is malware? Why or why not? Answer: Anti-virus software that are up to date will detect Cain and Able as malware because of the software sniffing tools that are embedded in the anti-virus software. In a blog called Bleeping Computer, a user stated that he tried to download the Cain and Able tool while having Avast anti-virus on his desktop computer. When he downloaded the program a message popped up stating that his computer was at risk and the program was “other potentially dangerous program.” The file name was Win32: Cain-B (Tool)- Malware type. With it being considered malware, the program can still be successfully downloaded on ones computer. With Cain and Abel being a password recovery tool, many companies that give updates to anti-virus software will encode Cain and Abel as malware for the purpose that it can be a vital tool in the right IT professionals hand, but can be detrimental to the integrity of passwords and sensitive information.

Sources:

* Ducklin, P. (2013, August 16). Anatomy of a brute force attack - how important is password complexity? Retrieved from https://nakedsecurity.sophos.com/2013/08/16/anatomy-of-a-brute-force-attack-how-important-is-password-complexity/ * Gibson, D. (2011). Security : Get Certified Get Ahead SY0-301 Study Guide (p. 348). CreateSpace. * Whittaker, Z. (2012, June 7). MD5 Password Scrambler 'No Longer Safe' Retrieved from http://www.zdnet.com/article/md5-password-scrambler-no-longer-safe/ * Constantin, L. (2013, August 14). Microsoft moves to block MD5 certificates and improve RDP authentication. Retrieved from http://www.computerworld.com/article/2483686/security0/microsoft-moves-to-block-md5-certificates-and-improve-rdp-authentication.html * Slangen, S. (2009, July 17). Ophcrack – A Password Hack Tool to Crack Almost Any Windows Password. Retrieved from http://www.makeuseof.com/tag/hack-windows-passwords-with-ophcrack/

Similar Documents

Free Essay

Csec 610 Lab Question 1

...Lab Assignment 1 Questions 1. Explain the two different types of attacks that can be performed in Cain and Abel to crack user account passwords. Which do you think is the most effective and why? Cain and Abel is a MS operating password recovery instrument made for administrators and security professionals. Brute Force and Dictionary attacks through LM via Lan Manager and NTLM via NT LAN Manager hashes were used in the following assignment. Brute Force attack “is a trial and error method used by application programs to decode encrypted data such as passwords or Data Encryption Standard (DES) keys, through exhaustive effort (using brute force) rather than employing intellectual strategies” (Rouse, 2006). This method is considered time consuming because it goes through all possible combinations of characters. Dictionary attack “is a method of breaking into a password-protected computer or server by systematically entering every word in a dictionary as a password” (Rouse, 2005). In addition Cain and Abel has the ability to use Cryptanalysis attacks to break passwords, it is considered the fastest [time memory trade off method], being faster than brute force attacks while also not needing as much memory as dictionary attacks (Gates, 2006). During the lab assignment I found that Dictionary attack with NTLM was the most effective. It allows the user to select more search options like reverse, lowercase and uppercase…etc. It was the fastest method in cracking the passwords...

Words: 957 - Pages: 4

Free Essay

Csec 610 Lab One

...1) Explain the two different types of attacks that can be performed in Cain and Abel to crack user account passwords. Which do you think is the most effective and why? For the assignment we utilized Cain & Abel password recovery tool for Microsoft Operating Systems. For this lab assignment we utilized Brute Force NT LAN Manager (NTUM) and LAN Manager (LM) and Dictionary NTLM and LM hashes. (Features overview, n.d.) Brute Force is a password cracking -technique that tries every combination of numeric, alphanumeric, and special characters until the password is broken or the user is locked out. Dictionary is a technique that runs a given password against each of the words in a dictionary (file of words) until a match is found or the end of the dictionary is reached. (p. 13) Cain and Abel couples Brute Force and Dictionary with LM and NTLM hash. Based on my lab experience, my assessment is that the Dictionary NTLM Manager is the better of the processes. The table below reveals that Dictionary NTLM delivered more favorable results over LM because this process uncovered the passwords in the shortest amount of time and recovered the passwords in their entirety. Table | Brute Force LM | Brute Force NTLM | Dictionary LM | Dictionary NTLM | User1 | No password, 6-8 hours | No password, estimated time 10 years | yes, 75 seconds | yes, 40 | User2 | No password, 6-8 hours | No password, estimated time 10 years | yes, 30 | yes, 25 | User3 | No password, 6-8 hours...

Words: 971 - Pages: 4

Premium Essay

Itrust Database Software Security Assessment

...iTrust Database Software Security Assessment Security Champions Corporation (fictitious) Assessment for client Urgent Care Clinic (fictitious) Amy Wees, Brooks Rogalski, Kevin Zhang, Stephen Scaramuzzino and Timothy Root University of Maryland University College Author Note Amy Wees, Brooks Rogalski, Kevin Zhang, Stephen Scaramuzzino and Timothy Root, Department of Information and Technology Systems, University of Maryland University College. This research was not supported by any grants. Correspondence concerning this research paper should be sent to Amy Wees, Brooks Rogalski, Kevin Zhang, Stephen Scaramuzzino and Timothy Root, Department of Information and Technology Systems, University of Maryland University College, 3501 University Blvd. East, Adelphi, MD 20783. E-mail: acnwgirl@yahoo.com, rogalskibf@gmail.com, kzhang23@gmail.com, sscaramuzzino86@hotmail.com and Chad.Root@gmail.com Abstract The healthcare industry, taking in over $1.7 trillion dollars a year, has begun bringing itself into the technological era. Healthcare and the healthcare industry make up one of the most critical infrastructures in the world today and one of the most grandiose factors is the storage of information and data. Having to be the forerunner of technological advances, there are many changes taking place to streamline the copious amounts of information and data into something more manageable. One major change in the healthcare industry has been the implementation...

Words: 7637 - Pages: 31