PASSWORD ATTACKS - Overview
If a service requires valid credentials in order to gain access, we can simply try to guess or Brute Force these credentials. Depending on the type of authentication, the tools and techniques for these types of attacks vary. Generally speaking, the passwords used in our guessing attempts, can come from 2 sources:
- Dictionary files
- Key space Brute Force
The quality of these dictionary files often determines whether a brute force attempt will be succesful or not.
Password dictionary files are usually text files which contain a large number of common passwords within. These dictionary files are often used in conjunction with password cracking tools which use these files as a source of passwords to try against a given service.
Kali linux has a collection of such dictionary files which are located in a consolidated wordlist directory:
PASSWORD ATTACKS - Crunch
Password Key Space Brute Force is a technique for generating all possible combinations of passwords given a specific character set and password length. A tool that can do this, and is present in Kali Linux is called Crunch.
Crunch is able to generate custom wordlists with defined character sets and password formats.
For example, to create a list of passwords that are 6 characters long with only the following the characters, 0123456789ABCDEF the syntax is as noted below:
#crunch 6 6 0123456789ABCDEF
This file is reported to be 112MB large and every single combination of these characters is generated.
To save these passwords to a file we can use the -o parameter.
#crunch 6 6 0123456789ABCDEF -o list.txt
This very limited character set has created a file with over 16 milllion entries.
If you want to use a more common character set in your password list we could choose to generate a wordlist using several pre-defined character sets available in the crunch share directory.
The following Crunch command line syntax will create a password file using mixed upper and lowercase letters of 4 character passwords.
#crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha -o mixedalpha.txt
Crunch can also be used to create more personalised password lists. For example, consider youhave cracked a few passwords for a specific device and they have the following format:
1x Uppercase, 2x lowercase, 2x special characters, 3x numbers
We wish to create a password list of 8 character passwords with the same format as shown. Crunch allows us to do this using character translation place holders. The resulting commands to generate this password list is shown below:
#crunch 8 8 -t ,@@^^%%% |more
Crunch starts working on the list however the estimated size of the output file is huge. It is noted as 160GB with over 19 Billion entries. Crunch has many more advanced features that should be explored to grasp it's password generation capabilities. Crunch's manpage contains several useful examples.
PASSWORD ATTACKS - PWdump and FGdump
PWdump and FGdump are good examples of tools that are able to perform in memory attacks as they inject a DLL containing the has dumping code in to the local authority security sub system or LSAS process. The LSAS process has the necessary privileges to extract password hashes as well as many useful APIs that could be used by hash dumping tools.
It is worth noting that most of these password dumping tools require admin privileges in order to run.
Run fgdump from the Terminal in windows:
This will then proceed to dump the pasword hashes and place them in a text file. This file will contain the NTLM hashes for the users configured on the system. For windows 2008 systems, LM hashes are not stored on the system and therefor are shown as empty.
We can now take these passwords and try to crack them or otherwise use them in pass the has techniques.
PASSWORD ATTACKS - WCE - Windows Credentials Editor
WCE is a security tool, that allows one to perform several attacks to obtain clear text passwords and hashes from a compromised windows host. Among other things WCE and steal NTLM credentials from memory and dump clear text passwords stored by windows authentication packages installed on the target system.
Let's try running WCE:
If you are on a 64bit system, ensure that you are using the 64bit version of wce. eg wce64.exe, wce32.exe for the 32 bit OS.
In order to run wce64:
wce has now dumped the clear text password for the administrative user.
JOHN THE RIPPER:
If you have password hashes, you will then want to crack the hashes and get the clear text passwords from these hashes. One of the most popular password crackers is John The Ripper.
To start, copy the contents of the dumped password hashes that fgdump provided earlier, in to a new txt file on kali. Let's call this hashes.txt
Running john in brute force mode is as easy as passing the password hashes to john on the command line. eg:
Brute forcing will take a very long time. Let's look at other options. These options include Pass the Hash. For Pass the Hash attacks, we pass a username and a hash for NTLM or LM password. This is possible because NTLM and LM passwords are not salted and remain static between sessions.
PASSWORD ATTACKS - Passing the Hash
pth-winexe -U Administrator%: //10.11.1.xxx cmd
I guess it's a spoiler to name the system but it's running Microsoft Windows Server 2008 R2 Standard.
The tools in the Passing the Hash suite in Kali linux can use hashes instead of passwords to authenticate. To see the list of tools within the passing the has suite, use pth- and then you may need to press tab several times.
Open the hashes.txt file and replace the NO PASSWORD string for an empty NTLM string.
Copy the hash for the admin user and export this to the SMBHASH variable eg:
#pth-winexe -U offsec% //10.11.25.139 cmd
This results in a shell. Take the time to learn the PTH toolkit as this could save a huge amount of time in an engagement.
PASSWORD ATTACKS - Password Profiling
One way to customize our dictionary file and make it more potent against a specific target is by using password profiling techniques. This involves using words and phrases taken from the target organization that we are targeting and including them in our wordlists with the aim of improving our chances of finding a valid password.
Using a tool like 'cewl' we can scrape web servers and create password lists from various webpages browsed.
#cewl www.megacorpone.com -m 6 -w /root/megacorp-cewl.txt
- m = min word size
- w = file to write in to.
Users tend to mutate their passwords. This could include, exchanging certain letters for numbers, adding numbers to the end, adding a special character etc.
We can add common mutations to this password list. One way to do so is by using John the Ripper. John comes with an extensive config file where password mutations can be defined. I found I needed to open the file in leafpad and perform a search in order to place the change in the correct location. If you just add the change to the end of the file the result is not the same.
The config file is here:
The rule below should be added to the end of the mangling rules. Just above "case toggler for cracking MD4-based NTLM hashes"
Add 2 numbers to the end of each password:
Have john the ripper apply these mutations to our existing wordlist:
#john --wordlist=megacorp-cewl.txt --rules --stdout > mutated.txt
PASSWORD ATTACKS - Online Password Attacks
First we must be able to generate authentication requests for the specific protocol in use by that service. Medusa, Hydra and ncrack have built in handling for various authentication schemes.
PASSWORD ATTACKS - Medusa
HTTP brute force attack using Medusa.
The example is against an htaccess protected web directory.
#medusa -h 192.168.31.219 -u admin -P password-file.txt -M http -m DIR:/admin -T 20
Once medusa finds the correct password, it prints out its finding to the screen.
PASSWORD ATTACKS - Ncrack
Ncrack is one of the few tools that is able to bruteforce the windows RDP protocol reliably and quickly. Due to how RDP works, multiple threads are not practical in this case which makes the bruteforce process rather slow:
The rdp port is 3389
#ncrack -v -f --user administrator -P password-file.txt rdp://192.168.31.233,CL=1
In the event that a password is found, ncrack displays this result on the console.
PASSWORD ATTACKS - Hydra
Hydra is another password cracker worth getting to know.
Supported service include but are not limited to:
- ftp, http, mssql, mysql, icq, irc, sip, rlogin, rdp, smtp, ssh, socks5, telnet, vnc, pcanywhere, etc, etc.
An example below of using Hydra to brute force an ftp service:
#hydra -l admin -P password-file.txt -v 192.168.31.219 ftp
If hydra finds a correct password, it simply prints it out to the screen.
PASSWORD ATTACKS - Passwords and Hashes
Given an arbitrary block of data, gives a fixed size bit string called a hash value one of the most important uses of cryptographic hash functions is their application in password verification.
User password authentication mechanisms need to store these passwords locally on the machine. Rather than storing these passwords in plain text. Modern authentication mechanisms usually store them as hashes to improve their general security.
This means that when a user authenticiates, the password that they have provided is hashed and compared to the previously stored message digest.
PASSWORD ATTACKS - Cracking Hashes
Password cracking is the process of retrieving a plain text password given a sored hash.
Once the Hash Type is known a common approach to password cracking is to simulate the authentication process by repeatedly trying guesses for the password and comparing the new generated digest with our stolen or otherwise dumped hash.
Identifying the exact type of hash without having more information about the program or mechanism that generated it can be very challenging and sometimes even impossible. A list of common hashes can be found on the Open Wall website which provides us with an easy reference when trying to identify a password hash.
The OPEN WALL website for reference chart of passwords hashes.
Several password cracking programs such as John the Ripper apply pattern matching features on a given hash in an attempt to guess the algorithm used to generate it - this technique works on generic hashes only.
NOTE: Another tool to use is HASH Identifier
John The Ripper
Running JtR can be as simple as a brute forcing by passing he file to John. eg:
Bruteforcing as shown above will take a very long time. Instead we can pass a wordlist.
#john --wordlist=/usr/share/wordlists/rockyou.txt pwhash
If any passwords remain we can next try john's word mangling rules with the --rules parameter. eg:
#john --rules --wordlist=/usr/share/wordlists/rockyou.txt pwhash
In order to crack linux password hashes with you will first need to use the Unshadow utility to combine the password and shadow files from the compromised target.
#unshadow password-file.txt shadow-file.txt
OR to a file:
#unshadow password-file.txt shadow-file.txt >unshadowed.txt
We can now take the unshadowed hash and pass it to john as we would normally.
#john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
Rainbow tables are the result of the computational output of password cracking attempts. using the output without needing to perform the hashing overhead can increase the speed of the task hundreds of times. Unfortunately if the hashes are salted, password cracking with a Rainbow salted is not overly feasible.
PASSWORD ATTACKS - LM and NTLM
Microsoft windows operating systems store hashed user passwords in the SAM. Windows NT based operating systems up to and including windows 2003, store 2 different password hashes. LM and NTLM.
LM hashing is known to be very weak for several reasons:
- passwords longer than 7 characters are split in to 2 strings and each part of the sring is hashed seperately.
- The password is converted to UPPERCASE characters before being hashed.
- the LM hashing system does not include salts, making rainbow table attacks feasible.
From Windows Vista Onwards, the windows OS disables LM hashing by default and uses NTLM instead which among oher things is case senstive, supports all unicode characters and does not limit stored passwords to 7 chracter parts.
However NTLM hashes stored in the SAM Database are still not salted.
The SAM database cnnot be copied while the OS is running as the windows kernel keeps an exclusive file lock on this file. However in memory attacks to dump the SAM hashes can be mounted using various techniques.