In the last post in this series, we tried to guess a local password and move laterally across the network of the fictitious company Acme. But what if you cannot guess a password?
In our test scenario, server names and local admin passwords contain names of beers. It cannot be ruled out that a certain amount of complacency creeps in with busy IT staff, at the expense of security: "I'm on the server 'Miller' now, so the password is 'admin-miller'." Attackers are only too happy to exploit such habits.
But let's assume you end up in an environment where your creative guessing attempts fail. This is where a hash-based approach can pay off.
We have already written about pass-the-hash attacks. But before we go into more detail, we want to introduce a much simpler idea: cracking password hashes.
Cracking hashes made easy
Passwords are never stored in clear text on Windows systems.
Instead, Windows stores a hash of the password, more precisely the NTLM hash. This hash is what the Windows challenge/response authentication protocol needs: in principle, users prove their identity by encrypting a random challenge with the NTLM hash of their password as the key.
Where does Windows store these hash values? According to our research, Windows stores the hash values of local user accounts in the Security Account Manager (SAM) database, which is part of the Local Security Authority (LSA). You can find more information in this TechNet article.
The first question a penetration tester asks is: Can I access the hash values? Because once you have a hash value, you can try to recover the actual password using some standard methods.
The answer is: Yes. There are tools that can read the SAM and crack hash values. For example fgdump, which can be found via a simple Google search; Pwdump7 is another option.
To run these tools, however, you need elevated privileges. Still, it happens every now and then that an attacker is lucky enough to land on a power user who fell for a professionally crafted phishing email.
So we tried it with fgdump on one of the servers in the well-known Acme IT environment, which we had set up specially. The screenshot below shows the results:
Now we have the NTLM hashes for two local administrator accounts (the long strings at the end of the lines). "NO PASSWORD", by the way, means that fgdump could not find the older and much easier to crack LM hash. Which is good! LM hashes should not be enabled unless you are forced to keep them for compatibility reasons.
Crack the hash
A commonly used method for cracking hashes is the dictionary attack: a huge list of frequently used German terms, and perhaps a list of passwords known to have been used, is hashed term by term and each result is compared with the NTLM hash values.
So all that is needed is to find the matching hash value and output the corresponding plaintext password.
Fortunately, you don’t have to reinvent the wheel here, as there are services like this one that do much of the work for you.
In our penetration test, we entered the hash for "admin2", and promptly got the solution, "daisy" (see above).
Windows does, however, impose certain complexity requirements for passwords, and in many installations such a simple password would not be accepted. Still, some relatively complex passwords can be cracked with a brute force attack, or a system may contain older local accounts that were set up before Windows switched to longer passwords.
John the Ripper
For testing purposes, we gave the service the more complex password of the admin account on the Miller server, which was "miller1234". Even after days of brute force computation, the service was not able to crack the password.
But of course, we didn't give up that quickly and came across a sophisticated password cracking tool: John the Ripper. It is able to perform brute force attacks in a very clever way. John the Ripper takes the words of an existing, user-definable dictionary list and transforms them according to rules you specify (so-called "mangling"). The rules seem a bit cryptic at first, but are very effective. Here you can find a relatively easy to understand overview of mangling. For example, rules can be created to append different sequences of digits to the terms in the dictionary.
If you suspect that passwords consist of certain names plus simple alphanumeric characters, feed John the Ripper an appropriate list and then configure rules to test a variety of different suffixes.
Cracking NTLM hash values is admittedly not that simple.
Pass-the-hash attacks, on the other hand, don't even try to crack the hash value at all. Instead, the hash is fed directly into the NTLM challenge/response protocol, so authentication is done without the plaintext password. In recent Microsoft releases, however, this approach has become much more difficult, and with Windows 10 it may even have become completely impossible.
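As an added illustration (not the post's own code, and no substitute for John the Ripper), the following Python sketch puts the two building blocks described above together: the NTLM hash itself (MD4 over the UTF-16LE encoded password, unsalted) and a handful of mangling rules, used to audit a hash dump for passwords that would fall to this kind of attack. The account names and hashes are constructed for the example; the dictionary is a stand-in for the beer-name list an administrator of Acme would actually check against.

```python
import struct

MASK = 0xFFFFFFFF

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def md4(data: bytes) -> bytes:
    # Pure-Python MD4 (RFC 1320); hashlib's md4 is often missing under OpenSSL 3.
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (boolean function, word order, shifts, additive constant) per round
        (lambda x, y, z: (x & y) | (~x & z), range(16), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for f, order, shifts, k in rounds:
            for i, idx in enumerate(order):
                a = _rotl((a + f(b, c, d) + x[idx] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers: next step updates "d"
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def ntlm_hash(password: str) -> str:
    # NT hash = MD4(UTF-16LE(password)); no salt, so one hash per candidate serves every account.
    return md4(password.encode("utf-16-le")).hex()

def mangle(word: str):
    # Tiny stand-in for John's rules: as-is, capitalised, plus common digit suffixes.
    for base in (word, word.capitalize()):
        yield base
        for suffix in ("1", "123", "1234", "2023"):
            yield base + suffix

def audit(dump: dict, wordlist) -> dict:
    # Return {account: recovered password} for every hash matching a mangled dictionary word.
    lookup = {}
    for word in wordlist:
        for cand in mangle(word):
            lookup.setdefault(ntlm_hash(cand), cand)
    return {user: lookup[h] for user, h in dump.items() if h in lookup}

# Constructed sample dump: hashes computed here from known passwords, not real credentials.
SAMPLE_DUMP = {"admin2": ntlm_hash("daisy"), "admin-miller": ntlm_hash("miller1234"),
               "svc-backup": ntlm_hash("Xq9!vL#2pT")}
WORDLIST = ["daisy", "miller", "budweiser"]
```

Running `audit(SAMPLE_DUMP, WORDLIST)` flags "admin2" and "admin-miller" while the random service-account password survives, which is exactly the gap between a name-plus-digits policy and one that enforces unpredictable passwords.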
Andy blogs about data privacy and security regulations. He also loves writing about malware threats and what it means for IT security.