Password Cracking and Malicious USB Devices
Many organizations enforce strict security policies in order to prevent adversaries from compromising their information-sensitive systems. These policies include creating complex passwords and prohibiting the use of USB devices on machines. However, the technical measures enforcing these policies are not foolproof and due diligence is required of the user to maintain security. Due to the inconvenience of these policies, many users create passwords based on certain mnemonic devices, such as visual keyboard patterns, and adopt a lenient attitude on USB device usage. It is important to demonstrate to users that these shortcuts lead to a significant weakening of the organization’s security. To this end, we created an interactive web-based platform to quickly crack certain visual keyboard patterns.
We researched a variety of password crackers to implement into our demonstration and results have shown the open-source software, hashcat, to be the quickest and most efficient. Up to 1.8 million cracks were made within 78 seconds and 693 million hashes were checked in 37 seconds. Our website allows a user to input pattern-based passwords which are cracked in real-time using hashcat. Additionally, we demonstrate how an attacker can steal the password file from a Linux machine with a malicious USB device and send the hashes to a website to be cracked.