Generally, password cracking takes place in the ENTRENCH phase of the attack, after an initial penetration has been successful and password hashes have been retrieved from the compromised system, but it can be done at any point if it will yield results and hashes are available. The attacker will probably need admin/root level access, but that state is not unusual after executing a successful exploit. The point of cracking passwords is to enable future access by having valid credentials, which make it difficult for defenders to distinguish malicious traffic and activity from normal use. It also may be possible to gain a higher level of privilege by compromising credentials with greater access. A typical scenario could include initial penetration of a workstation, retrieving password hashes and cracking them to get access with a network admin account, then repeating the process until a domain admin account is obtained, at which point the network is fully owned by the attacker.
Password cracking involves two distinct phases:
1. Collecting the password hashes – this usually requires admin/root access and may need special tools to bypass protections against collecting hashes.
2. Cracking the hashes – once hashes are obtained, they are typically cracked by a combination of dictionary and brute force attacks. If the password is a simple dictionary word, comparing the hash to the results of hashing lists of dictionary words can reveal the password. If the password is composed of random characters, brute force attacks that try every combination of characters, hashing each one and comparing it to the target hash, will reveal the password given enough time. Many tools offer hybrid techniques that combine dictionary and brute force methods. The key elements are computing power and cracking time. Rainbow tables pre-calculate every possible hash for a given character set and offer fast searching routines that can greatly reduce cracking time.
NOTE – in some cases it may be unnecessary to crack the hash if it is possible to offer the hash directly to the authentication mechanism and gain access. This is known as “passing the hash”.
Recent advances in cracking techniques are making the cracking times for some conventional passwords uncomfortably short. Among these are the use of graphics processing units (GPUs) on video cards and the loading of rainbow tables onto very fast solid-state drives (SSDs).
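As an added example (not part of the original text), the following Python illustrates why the hash-and-compare approach and precomputed tables described above work against fast, unsalted hashes, and why the standard mitigation of a per-user random salt plus a slow key derivation function removes the precomputation advantage and raises the cost of every guess. The wordlist is constructed for the demonstration; the hash choices (SHA-1 for the weak case, PBKDF2-HMAC-SHA256 for the hardened one) are assumptions, not something the page specifies.

```python
import hashlib
import hmac
import os

# Constructed toy wordlist standing in for a dictionary file.
WORDLIST = ["password", "letmein", "welcome1", "Tr0ub4dor&3", "correcthorse"]


def unsalted_hash(password: str) -> str:
    """Fast, unsalted SHA-1: the kind of hash a precomputed table covers."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> word for the wordlist. A real rainbow table compresses
    this into chains, but the property that matters is the same: the table is
    built once and then applies to every system using the same unsalted hash."""
    return {unsalted_hash(w): w for w in words}


def lookup(table, target_hash):
    """O(1) dictionary lookup: the hashing work was all paid up front."""
    return table.get(target_hash)


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256, an assumption).
    Each user's salt forces a fresh computation, so no shared table applies,
    and the iteration count makes every guess cost far more than one SHA-1."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store_salted(password: str) -> tuple[bytes, bytes]:
    """Return (salt, digest) as a system would persist it."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify_salted(password: str, salt: bytes, stored: bytes) -> bool:
    """Verify with a constant-time comparison of the stored digest."""
    return hmac.compare_digest(salted_hash(password, salt), stored)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted 'letmein' ->", lookup(table, unsalted_hash("letmein")))
    salt, digest = store_salted("letmein")
    print("same table against salted digest ->", lookup(table, digest.hex()))
```

Two users with the same password get different salted digests, so a table built for one is useless for the other; the defender's audit question becomes whether stored hashes are unsalted and fast rather than salted and slow.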