Strengthening Your Digital Fortress: How Password Cracking Helps Pinpoint Vulnerabilities

Vince Kuchar, CEO of RMC Global, & Brad Bekampis, Senior Cybersecurity Specialist

Within the dynamic landscape of cybersecurity, RMC Global stands at the forefront, dedicated to protecting the critical infrastructure that supports civilization.

Our expertise in operational technology (OT) / industrial control systems (ICS) is driven by a mission to ensure resilience and security in our digital world.

To that end, this month’s blog explores the art of password cracking, an important tool our security team uses in penetration testing. It will enhance your understanding of the role password cracking plays in bolstering cybersecurity defenses in a dynamic threat environment. This knowledge is crucial for organizations across both federal and commercial sectors, empowering them to safeguard sensitive information and bolster their risk management capabilities against constantly evolving threats.

The Art and Necessity of Password Cracking

Password cracking is a crucial part of any internal penetration test, particularly in sensitive OT environments. RMC assessors often find that users tend to choose easy-to-remember passwords such as company names or personal references, making them more predictable. This tendency, coupled with the common practice of users reusing passwords across multiple systems for convenience, poses a unique challenge in ensuring robust security. This challenge is magnified in OT environments as operators tend to favor quick system access, especially in situations where they need to quickly identify and resolve production issues. As part of the penetration test, the team determines if there are weak passwords being used in the environment, and if so, how the trivial passwords can be exploited to gain unauthorized access to the site’s critical assets.

A recent RMC engagement perfectly illustrates the challenges and successes of this approach. Tasked with evaluating a client’s security controls placed between the IT and OT networks, the team was given access to the client’s network, but not the Active Directory (AD) corporate domain. Using specialized techniques such as “adversary in the middle,” the team captured usernames and password hashes on the IT network, which they then cracked offline. Once they obtained the cleartext passwords, assessors verified that some plant users reused their same (IT) password in the OT domains used for process control. In this scenario, the reused passwords allowed the team to bypass the firewall separating the IT and OT networks and gain unauthorized domain user access to the OT domains. This demonstration revealed several critical issues for the client, such as insufficient password complexity and the potential for lateral movement across multiple domains due to password reuse, even in the absence of trust relationships between those domains.

The success of this particular operation hinged on the ability to identify and crack weak passwords, a scenario often encountered in OT environments where the desire for operational efficiency can inadvertently result in suboptimal security practices. Throughout this onsite engagement, RMC managed to crack several vulnerable passwords. Then, armed with these user credentials, the team gained critical access to the company’s Microsoft accounts and its AD domain. This breakthrough not only allowed unauthorized access but enabled the team to delve deeper into the network to leverage domain misconfigurations, escalate privileges, and even employ social engineering tactics, all through the lens of compromised user accounts. The potential impacts that stem from this access underscore the pivotal role password integrity plays in the broader spectrum of cybersecurity.

Tailoring Cybersecurity to Diverse Environments

Among commercial clients, the RMC security team often observes different password security standards between OT and corporate IT environments. Mandates for more complex password requirements in OT settings reflect a heightened awareness of security risks associated with critical industrial assets.

The recent engagement also revealed the pitfalls of re-using passwords, which is a common finding across both IT and OT. A single compromised password can lead to a chain of attacks resulting in lateral movement and potentially unauthorized access to process control systems. In keeping with RMC’s principles of excellence and customer focus, we emphasize best practice password policies, such as regular password updates and avoiding re-use.

At RMC, we champion a comprehensive approach to password security. This includes implementing robust complexity policies, educating users about secure practices, and using advanced hashing algorithms. Our approach is specifically designed to address the diverse needs of our federal and commercial clients, ensuring impactful and resource-optimized outcomes.

Technical Deep Dive: Understanding Password Cracking

The Process of Password Cracking
Penetration testers use password cracking to test the strength of users’ passwords. The goal is to recover passwords from their stored form, the hash. This process reveals the strength of passwords in a system and identifies security vulnerabilities. By simulating attack scenarios, ethical hackers help organizations understand and bolster their security posture.

What is a Hash?
A hash is a cryptographic conversion of a plaintext password into a fixed-length string of characters. This one-way function obfuscates the password and allows for relatively secure storage: the system can verify a login by hashing the submitted value and comparing it to the stored hash, but you can’t easily derive the original password from the hash. Hashing is foundational in password security, ensuring sensitive data remains protected even if a breach occurs.

Common Cracking Techniques

  • Dictionary Attack: This technique involves a pre-compiled list of common words and phrases. Hackers hash each word and compare it against the target hash. It’s particularly effective against weak or predictable passwords, such as password1234, ChicagoBulls, or qwertyasdf.
  • Rainbow Table: Rainbow tables are precomputed tables used for faster cracking. They store hash and plaintext pairs, streamlining the process. However, the effectiveness of rainbow tables is notably diminished when organizations implement a security measure known as ‘salting’ in their password hashing process. Salting methods change from vendor to vendor, but the general idea is to add a random string to each password before hashing, so that the same password produces a different hash for every user and a table precomputed without that salt no longer matches.
  • Brute Forcing: This exhaustive method involves trying every possible character combination to discover the correct password. It’s effective but requires significant time and computational resources, especially for longer, more complex passwords. Brute forcing is common when the password policy is known. For example, an organization with a minimum password length of 8 characters can be a prime target for brute forcing, because many users choose passwords of exactly the minimum length, which bounds the search space the attacker must cover.

Importance of Hashing Algorithms
The choice of hashing algorithm is critical in password security. Older algorithms like MD5 and SHA-1 are vulnerable to attacks due to their known weaknesses, and both are fast enough that billions of guesses per second are feasible on commodity hardware. Modern, secure algorithms like SHA-256 have no practical known weaknesses, and purpose-built password hashes like bcrypt go further by adding a built-in salt and a tunable work factor that makes every guess deliberately expensive, providing stronger protection against the cracking techniques above. They represent the evolution of cybersecurity measures, adapting to the increasing sophistication of cyber threats and the rapid pace of computer hardware’s evolution.
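The following added example (not code from RMC or from this post) ties together the salting point from the cracking-techniques list and the work-factor point from the paragraph above: an unsalted fast hash can be matched against a table precomputed once, while a salted, slow hash forces a fresh, expensive pass per record. The wordlist is constructed, the iteration count is a hypothetical work factor, and stdlib PBKDF2-HMAC-SHA256 stands in for bcrypt, which is not in the Python standard library.

```python
import hashlib
import secrets

# Constructed sample wordlist (not from any engagement) standing in for a dictionary.
WORDLIST = ["password1234", "ChicagoBulls", "qwertyasdf", "Winter2024!", "letmein"]
# Hypothetical work factor; bcrypt's cost parameter plays the same role as PBKDF2 iterations here.
ITERATIONS = 100_000


def fast_unsalted_hash(password: str) -> str:
    """Legacy storage: a single fast MD5 over the bare password, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def precompute_table(words) -> dict:
    """Build hash -> plaintext once; it matches every unsalted MD5 record, on any system."""
    return {fast_unsalted_hash(w): w for w in words}


def table_lookup(table: dict, stored_hash: str):
    """Instant reveal if the stored hash was precomputed, otherwise None."""
    return table.get(stored_hash)


def salted_slow_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """Hardened storage: per-record random salt plus a tunable work factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def new_record(password: str) -> tuple:
    """Return (salt, iterations, hash) with a fresh 16-byte salt for this record."""
    salt = secrets.token_bytes(16)
    return salt, ITERATIONS, salted_slow_hash(password, salt)


def verify(password: str, record: tuple) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, stored = record
    return secrets.compare_digest(salted_slow_hash(password, salt, iterations), stored)


def hash_calls_to_cover(n_records: int, n_words: int, salted: bool, iterations: int = 1) -> int:
    """Hash invocations to test a wordlist against every record: one shared table when
    unsalted, but a separate pass per record (each guess costing `iterations`) when salted."""
    return n_words if not salted else n_records * n_words * iterations


if __name__ == "__main__":
    table = precompute_table(WORDLIST)
    print(table_lookup(table, fast_unsalted_hash("ChicagoBulls")))     # -> ChicagoBulls
    rec = new_record("ChicagoBulls")
    print(table_lookup(table, rec[2]), verify("ChicagoBulls", rec))    # -> None True
    print(hash_calls_to_cover(1000, 5, False), hash_calls_to_cover(1000, 5, True, ITERATIONS))  # -> 5 500000000
```

Two records of the same password get different salts and therefore different hashes, which is exactly what stops a precomputed table from being reused across users or across the IT and OT domains.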

Conclusion

At RMC, password cracking is more than just a technical process; it’s a critical tool in our cybersecurity toolkit, providing key insights into the strength of an organization’s password security. We help our clients navigate the complexity of cybersecurity by employing penetration testing, using password cracking as an essential tool. These techniques help us uncover both the strengths and weaknesses in security practices, offering a clear perspective on how simple, inexpensive changes could result in significant risk reduction. By understanding and applying the strategies used by ethical hackers, organizations are better equipped to proactively strengthen their digital defenses. Committing to robust hashing algorithms, enforcing strict password policies for all assets, and advocating for best password security practices are fundamental steps toward creating a more secure and resilient digital environment.

In the spirit of continuous improvement and effective risk management, RMC Global recommends that organizations regularly revisit their password policies to assure the integrity and resilience of their industrial systems. Remember, when it comes to cybersecurity, a strong digital fortress is built one secure, non-recycled password at a time.

How can RMC help your organization? 

Contact us today: sales@rmcglobal.com

Be sure to follow RMC Global on LinkedIn, and bookmark our News & Perspectives website to stay apprised of industry insights and topical advice on establishing cyber resiliency in OT environments.