by Costa Petros
IT departments around the globe spend countless hours and money ensuring that their company’s data and infrastructure are properly secured. Startup company? Install a firewall and maybe get an antivirus subscription. Past the startup phase? Upgrade your firewall to have an Intrusion Prevention Sensor (IPS) and/or maybe an Intrusion Detection Sensor (IDS). Hitting the revenue mark where a breach of the infrastructure or loss of data could cripple the business? Invest in a 24-hour Security Information and Event Management (SIEM).
Let’s say you are the CIO of a company with an unlimited budget. What would you do?
Figure 1 – Winning the Lottery, the IT Way
Your job is done, right? Kick your feet up and do what everyone else thinks IT personnel do: play some video games…
But we all know that’s not the case. Your perimeter and infrastructure are locked down tight, but what about password spraying accounts? One thing you can’t do is audit the passwords in your infrastructure… or can you? There’s always that one employee at your company whose obsessed with Bryan Adams and decided to get their first real six string over at the Five-and-Dime. If a hacker can breach the infrastructure, gain hashes, and convert them to the plaintext password, why can’t you gain your network’s passwords and test them to help mitigate password spraying?
Auditing your infrastructure passwords helps you mitigate weak passwords like: Summerof69, Summer2018, Winter2017, <yourcompanyname>1, or 1234567.
Figure 2 – The Password Gem from Mel Brooks
I’ll be the first to admit that passwords do suck and there are ways to create secure passwords and store them. Over the years, IT personnel have let our co-workers know that it’s okay to use weak passwords by creating temporary passwords like Password123. (Understanding why employees use weak passwords and how to fix it is beyond this blog post and I will maybe save that for next time.)
A question that I get a lot after performing a password audit or a social engineering engagement is, “I don’t know Linux. How can I audit the passwords being used in my network?” You are in luck my friend. The same people who developed the password hash extracting and cracking software for Linux have also created them for Windows.
Obtaining Password Hashes
In order to audit your user’s passwords, you will need to first extract the password hashes from a domain controller. Passwords transmitted across a network should be encrypted in the event of a man-in-the-middle attack. In a Windows environment, passwords are also stored and transmitted for authentication and encrypted with a “hashing algorithm”, hence the shortened term hash. These password hashes for user and service accounts are stored in Active Directory in the Ntds.dit ESE database file. This includes user and service account password hashes. We will first need to extract these hashes to test them for weak passwords.
While the password hash crackers that I will be covering have the capability of independently extracting the password hashes from the domain controller, leveraging this feature often requires the paid version or the installation of an agent. This guide will walk you through using the safest and easiest way to do this through the use of the open source tool CrackMapExec. We had written up a great blog on how to use CrackMapExec (https://www.trustedsec.com/2016/03/wmi-post-exploitation/), but this was written for Linux. Thanks to maaaaz (https://github.com/maaaaz/), a Windows version of CrackMapExec is available (https://github.com/maaaaz/CrackMapExecWin). Download the CrackMapExecWin zip file from the GitHub repository by clicking on the Clone or Download link and unzip the contents.
Figure 3 – Downloading CrackMapExecWin
Once CrackMapExecWin is downloaded and decompressed, open a command prompt and change the directory to the location to which you unzipped it. To proceed with extracting the Windows NTLM password hashes, run the following command.
crackmapexec.exe -u [DomainAdmin] -p [DomainAdminPassword] -d [Domain] [DomainControllerIP] --ntds drsuapi
Figure 4 – CrackMapExecWin Command
The CrackMapExec.exe commands that are needed are as follows.
|-u||Domain Admin account to authenticate to Active Directory with|
|-p||Password for the privileged account|
|-d||Name of the domain and the domain controller IP address in which we will be auditing the passwords|
Instruct CrackMapExec to dump the NTDS.dit file through the RPC protocol Directory Replication Service API (drsuapi). This method is the fastest as drsuapi is the protocol used in reading and administering Active Directory through a client running the Active Directory Administration Tools such as Active Directory Users and Computers.
Here is the command in action.
Figure 5 – CrackMapExecWin Output
Now you have extracted the password hashes from your domain into a .ntds file found in the CrackMapExecWin folder under logs. We now have to crack these hashes.
Cracking Password Hashes
For cracking password hashes on Windows, there are no longer any open-source tools with a built-in graphical user interface (GUI). Of the ones I tested, we are going to look at Hash Suite and l0phtcrack. Make sure that you take a look at the versions available and make a decision on which version will work for your needs and environment. Both have a trial version so that you can test them out, but you have limited capabilities such as passwords being up to 6 characters and a limit to how many hashes you can crack.
Hash Suite – http://hashsuite.openwall.net/download
After downloading Hash Suite, open up the executable for the architecture of the computer from which you will be cracking the hashes. Once open, we will need to import the hashes from our domain. Go to the Keys menu on the top left, select Import, then From file.
Figure 6 – Hash Suite Import of CrackMapExecWin Hashes
Now with our hashes imported, we will need to set options for cracking our passwords. After you get familiar with Hash Suite, take a look at the tutorial to fine-tune your password cracking attempt to be more successful. In this case, I have changed our options to crack our Bryan Adams inspired password of Summer2018. In Hash Suite, you will perform the following:
- On the right, you will see your accounts and hashes you imported.
- Under Wordlist Params on the right, I know that the word in our password is 6 characters. To save time, I will set the minimum and maximum wordlist characters to 6 (for summer) and check Use rules. I also kept the default wordlist. With the paid version, you can set any minimum and maximum character count. If your password policy requires a minimum of 8 characters, you may want to set this at 8, or 4 with the use of rules to add characters like an additional 4 for a year to equal 8 total characters. Keep in mind that password cracking requires constant tweaking with each pass. The more options you add to the rules and the larger the gap between the min and max characters, the longer it will take to complete the cracking attempts.
- Change Rules to only Capitalized+Year.
- On the main tab, click on the Start button.
Figure 7 – Hash Suite Hash Cracking
l0phtcrack – http://www.l0phtcrack.com/
The l0phtcrack download will install the application in Windows. After installing, open the application and click on Start A New Session.
- In the top left, click on Import.
- In Import Mechanisms under File, choose Import from PWDump file.
- Browse for the .ntds file that you extracted and select it.
- Click on Run Import Immediately.
Figure 8 – l0phtcrack Hash Import and Cracking
As you can see from the log at the bottom, cracking Summer2018 only took 6 seconds with the default options.
Figure 9 – l0phtcrack Password Cracking Output
Once you get comfortable with l0phtcrack, take a look at the documentation (http://www.l0phtcrack.com/doc/L0phtCrack%20Password%20Auditor%20v7.html). As in Hash Suite, you can customize your rules and wordlists from the Audit menu to fine-tune your hash cracking.
When it comes to password cracking, the better the hardware, the quicker the crack. My tests were in a virtual machine with 5 actual hashes to crack. The weak passwords were cracked within 10 seconds by setting rules that were specific to the password I was looking for. In an enterprise, you could be facing thousands of passwords that could take weeks to crack. When you choose an application, make sure you understand the hardware dependencies and throw as much horsepower at it as possible.
Once you have decided on where you will install these tools, also remember that you will have an extremely sensitive date on this system. Not only will you have password hashes, but you will also have plaintext passwords of those hashes that you cracked. Encrypt your disks, use randomized long passwords, multi-factor authentication if possible, and shut down this system when not in use.
There was a purple team engagement where we covered all of our action items and had a little over a day left. We utilized the extra time to audit the passwords within the client’s domain. I remember sitting at the end of the table and noticing that everyone in the room was paying more attention to the password cracking than they had through the entire previous four days. Every new line that would appear in our tail -f was like every puck thrown in sportsball. The suspense would build up with every password that was cracked to either be a huge letdown of a boring password or high fives for an epic one. You will come across some of the most absurd and the most boring passwords so pop that popcorn, but remember that this is the time to analyze the passwords. You may find that 20% of the employees are using Summer2018 or 10% are using <Yourcompanyname>!; this is the time to catch the trend and make sure everyone is using unique and complex passwords.
Finally, when you perform password audits, go easy on your coworkers. They are human and are tired of passwords just like all of us are. Help them understand the implications of a bad password and how easy it is to steal one (or simply ask for one like in a phish or social engineering attack). Reprimanding your coworkers builds poor morale so reward those who have not had a password cracked or have learned their lesson and improved their password setting skills. Happy auditing!