April 19, 2018
It Was the "Summerof2018" - Password Auditing for Windows Administrators
Written by Costa Petros
IT departments around the globe spend countless hours and money ensuring that their company’s data and infrastructure are properly secured. Startup company? Install a firewall and maybe get an antivirus subscription. Past the startup phase? Upgrade your firewall to have an Intrusion Prevention Sensor (IPS) and/or maybe an Intrusion Detection Sensor (IDS). Hitting the revenue mark where a breach of the infrastructure or loss of data could cripple the business? Invest in a 24-hour Security Information and Event Management (SIEM).

Let’s say you are the CIO of a company with an unlimited budget. What would you do?
Here is the command in action.
Figure 1 - Winning the Lottery, the IT Way
Your job is done, right? Kick your feet up and do what everyone else thinks IT personnel do: play some video games… But we all know that’s not the case. Your perimeter and infrastructure are locked down tight, but what about password spraying accounts? One thing you can’t do is audit the passwords in your infrastructure… or can you? There’s always that one employee at your company who’s obsessed with Bryan Adams and decided to get their first real six string over at the Five-and-Dime. If a hacker can breach the infrastructure, gain hashes, and convert them to the plaintext password, why can’t you gain your network’s passwords and test them to help mitigate password spraying?

Auditing your infrastructure passwords helps you mitigate weak passwords like: Summerof69, Summer2018, Winter2017, <yourcompanyname>1, or 1234567.

Figure 2 - The Password Gem from Mel Brooks
I’ll be the first to admit that passwords do suck and there are ways to create secure passwords and store them. Over the years, IT personnel have let our co-workers know that it’s okay to use weak passwords by creating temporary passwords like Password123. (Understanding why employees use weak passwords and how to fix it is beyond this blog post and I will maybe save that for next time.)

A question that I get a lot after performing a password audit or a social engineering engagement is, “I don’t know Linux. How can I audit the passwords being used in my network?” You are in luck my friend. The same people who developed the password hash extracting and cracking software for Linux have also created them for Windows.

Obtaining Password Hashes
In order to audit your users’ passwords, you will first need to extract the password hashes from a domain controller. Passwords transmitted across a network should be encrypted in the event of a man-in-the-middle attack. In a Windows environment, passwords are stored and transmitted for authentication as the output of a “hashing algorithm”, hence the shortened term hash. These password hashes for user and service accounts are stored in Active Directory in the Ntds.dit ESE database file. We will first need to extract these hashes to test them for weak passwords.

While the password hash crackers that I will be covering have the capability of independently extracting the password hashes from the domain controller, leveraging this feature often requires the paid version or the installation of an agent. This guide will walk you through the safest and easiest way to do this, using the open source tool CrackMapExec. We had written up a great blog on how to use CrackMapExec (https://www.trustedsec.com/2016/03/wmi-post-exploitation/), but this was written for Linux. Thanks to maaaaz (https://github.com/maaaaz/), a Windows version of CrackMapExec is available (https://github.com/maaaaz/CrackMapExecWin). Download the CrackMapExecWin zip file from the GitHub repository by clicking on the Clone or Download link and unzip the contents.

Figure 3 - Downloading CrackMapExecWin
Once CrackMapExecWin is downloaded and decompressed, open a command prompt and change the directory to the location to which you unzipped it. To proceed with extracting the Windows NTLM password hashes, run the following command.

crackmapexec.exe -u [DomainAdmin] -p [DomainAdminPassword] -d [Domain] [DomainControllerIP] --ntds drsuapi
Figure 4 - CrackMapExecWin Command
The CrackMapExec.exe options that are needed are as follows.

| Option | Description |
| --- | --- |
| -u | Domain Admin account to authenticate to Active Directory with |
| -p | Password for the privileged account |
| -d | Name of the domain; it is followed by the IP address of the domain controller on which we will be auditing the passwords |
| --ntds drsuapi | Instruct CrackMapExec to dump the NTDS.dit file through the RPC protocol Directory Replication Service API (drsuapi). This method is the fastest as drsuapi is the protocol used in reading and administering Active Directory through a client running the Active Directory Administration Tools such as Active Directory Users and Computers. |
Figure 5 - CrackMapExecWin Output
Now you have extracted the password hashes from your domain into a .ntds file found in the CrackMapExecWin folder under logs. We now have to crack these hashes.

Cracking Password Hashes
For cracking password hashes on Windows, there are no longer any open-source tools with a built-in graphical user interface (GUI). Of the ones I tested, we are going to look at Hash Suite and l0phtcrack. Make sure that you take a look at the versions available and make a decision on which version will work for your needs and environment. Both have a trial version so that you can test them out, but you have limited capabilities, such as passwords being up to 6 characters and a limit to how many hashes you can crack.

Hash Suite - http://hashsuite.openwall.net/download

After downloading Hash Suite, open up the executable for the architecture of the computer from which you will be cracking the hashes. Once open, we will need to import the hashes from our domain. Go to the Keys menu on the top left, select Import, then From file.

Figure 6 - Hash Suite Import of CrackMapExecWin Hashes
Now with our hashes imported, we will need to set options for cracking our passwords. After you get familiar with Hash Suite, take a look at the tutorial to fine-tune your password cracking attempt to be more successful. In this case, I have changed our options to crack our Bryan Adams inspired password of Summer2018. In Hash Suite, you will perform the following:

- On the right, you will see your accounts and hashes you imported.
- Under Wordlist Params on the right, I know that the word in our password is 6 characters. To save time, I will set the minimum and maximum wordlist characters to 6 (for summer) and check Use rules. I also kept the default wordlist. With the paid version, you can set any minimum and maximum character count. If your password policy requires a minimum of 8 characters, you may want to set this at 8, or 4 with the use of rules to add characters like an additional 4 for a year to equal 8 total characters. Keep in mind that password cracking requires constant tweaking with each pass. The more options you add to the rules and the larger the gap between the min and max characters, the longer it will take to complete the cracking attempts.
- Change Rules to only Capitalized+Year.
- On the main tab, click on the Start button.
Figure 7 - Hash Suite Hash Cracking
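To make concrete what the cracker is doing with the .ntds file and the Capitalized+Year rule, here is an added example (my own code, not from this post, CrackMapExec or Hash Suite) that performs the same audit offline in Python. It assumes the dump uses the pwdump line layout that CrackMapExec writes (DOMAIN\user:RID:LMHASH:NTHASH:::), approximates the Capitalized+Year rule as "capitalize the base word and append a four-digit year", and uses a constructed sample dump with made-up accounts (CORP\alice, CORP\bob, CORP\carol, CORP\svc_backup). Because the NT hash is just MD4 over the UTF-16LE password, a short candidate list can be hashed and compared directly; a small MD4 is included since hashlib's MD4 is missing on many current OpenSSL builds. Beyond the post's single case, it also flags NT hashes shared by several accounts (password reuse) and accounts that still carry an LM hash.

```python
"""Offline check of a CrackMapExec .ntds dump for weak and reused passwords.

Added example, not code from the original post, CrackMapExec or Hash Suite.
Assumptions: the dump uses the pwdump line format that CrackMapExec writes
(DOMAIN\\user:RID:LMHASH:NTHASH:::), and the "Capitalized+Year" rule is
approximated as "capitalize the base word and append a four-digit year".
"""
import struct
from collections import defaultdict

MASK = 0xFFFFFFFF
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty password (LM storage disabled)


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4: three rounds of 16 steps over each 64-byte block."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)  # bit length, little-endian
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    R2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    R3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):
            a = _lrot((a + F(b, c, d) + X[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c  # rotate registers: next step works on the old d
        for i in range(16):
            a = _lrot((a + G(b, c, d) + X[R2[i]] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = _lrot((a + H(b, c, d) + X[R3[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(v + w) & MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """NT hash as stored in NTDS.dit: MD4 over the UTF-16LE encoded password."""
    return md4(password.encode("utf-16-le")).hex()


def capitalized_year(words, years):
    """Candidate generator mimicking the Capitalized+Year rule: summer + 2018 -> Summer2018."""
    return [w.capitalize() + str(y) for w in words for y in years]


def parse_ntds(dump: str):
    """Yield (account, lm_hash, nt_hash) from pwdump-format lines; malformed lines are skipped."""
    for line in dump.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[3]:
            continue
        yield parts[0], parts[2].lower(), parts[3].lower()


def audit(dump: str, candidates):
    """Return accounts matching a candidate, NT hashes shared by several accounts, and accounts still holding an LM hash."""
    lookup = {nt_hash(p): p for p in candidates}
    weak, by_hash, lm_present = {}, defaultdict(list), []
    for acct, lm, nt in parse_ntds(dump):
        by_hash[nt].append(acct)
        if nt in lookup:
            weak[acct] = lookup[nt]
        if lm != EMPTY_LM:
            lm_present.append(acct)
    shared = {h: accts for h, accts in by_hash.items() if len(accts) > 1}
    return {"weak": weak, "shared": shared, "lm_present": lm_present}


# Constructed sample dump in CrackMapExec's pwdump layout. The NT hashes are computed here so
# the sample is self-consistent; the LM field for svc_backup is a made-up non-empty value.
SAMPLE_DUMP = "\n".join([
    f"CORP\\alice:1105:{EMPTY_LM}:{nt_hash('Summer2018')}:::",
    f"CORP\\bob:1106:{EMPTY_LM}:{nt_hash('Summer2018')}:::",
    f"CORP\\carol:1107:{EMPTY_LM}:{nt_hash('xK9#vQ2!mL7@pR4z')}:::",
    f"CORP\\svc_backup:1108:{'0' * 32}:{nt_hash('password')}:::",
])

BASE_WORDS = ["summer", "winter", "password", "corp"]  # constructed mini wordlist
CANDIDATES = capitalized_year(BASE_WORDS, range(2016, 2020)) + BASE_WORDS

if __name__ == "__main__":
    result = audit(SAMPLE_DUMP, CANDIDATES)
    for acct, pw in result["weak"].items():
        print(f"WEAK   {acct}: {pw}")
    for h, accts in result["shared"].items():
        print(f"REUSE  {h}: {', '.join(accts)}")
    for acct in result["lm_present"]:
        print(f"LMHASH {acct}")
```

Run it against a real CrackMapExecWin log by reading the .ntds file into `audit()` in place of `SAMPLE_DUMP` and feeding it a proper wordlist; the reuse and LM-hash findings come for free from the dump and need no cracking at all.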
l0phtcrack - http://www.l0phtcrack.com/

The l0phtcrack download will install the application in Windows. After installing, open the application and click on Start A New Session.

- In the top left, click on Import.
- In Import Mechanisms under File, choose Import from PWDump file.
- Browse for the .ntds file that you extracted and select it.
- Click on Run Import Immediately.