This article is part of the series “Penetration Testing Explained”.
In the previous post in this series, I guessed a local password and then tried various ways to move laterally within my mythical Acme network. But what happens if you can’t guess the password?
In my pen testing scenario, there’s a beer motif in all the naming of the servers and the local admin passwords. It’s not completely unheard of for busy IT people to sacrifice security for convenience. “I’m on the miller server, so I know my admin password is admin-miller.” Hackers of course are ready to jump on these weaknesses.
But let’s say you land in an environment where your inspired password guessing is not succeeding. That’s where a hash-based approach can pay dividends.
There Be Hashes
On a Windows system, plaintext passwords are never stored. That would be a very bad thing to do.
Instead, in Windows the hash of the password — more precisely the NTLM hash — is kept. You know from reading our posts (and our amazingly informative ebook) that the hash is used as part of the Windows challenge-response authentication protocol. Essentially, users prove their identity by encrypting some random text (the challenge) with the NTLM hash as the key.
Where does Windows store these hashes? From my own research, it appears that Windows keeps local user account hashes in the Security Accounts Manager (SAM) database, which is part of the Local Security Authority (LSA). You can read more about these topics in this technet article.
The first question for pen testers is whether they can access the hashes. Once we have a hash, we can try a few standard cracking techniques to derive the actual password.
The answer is yes: there are a few tools available that can read the SAM and dump the hashes. I chose fgdump — you can find it easily through a Google search — to do my dumping. Pwdump7 is another possibility.
Sure, you need elevated privileges to run these tools, but it’s not unusual for a hacker to get lucky with a power user who falls for a well-crafted phish.
So I now have the NTLM hashes for what look like two local admin accounts — those are the long hex sequences at the end of each line. By the way, the “NO PASSWORD” indicates that fgdump didn’t find the older and far more crackable LM hash. And that’s a good thing: you should never enable LM hashing unless you absolutely have to for compatibility!
Cracking the Hash
One common approach to cracking hashes is to use a dictionary-based attack. That is, take a huge set of common English words, add in, say, an existing set of real world passwords, and pre-compute the NTLM hashes, thereby forming a reverse-lookup dictionary.
So the task of cracking now reduces to finding a matching hash and returning the associated plaintext password.
Thankfully, you don’t have to re-invent the wheel since there are services like this one that have already done the heavy lifting.
In my pen testing, I fed the hash for “admin2” into the cracking service, and it speedily returned the answer, which is “daisy” (see above).
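As an added illustration (not code from the original post), here is why the reverse-lookup approach works: the NT hash is unsalted MD4 over the UTF-16LE password, so a table precomputed from a word list matches any account whose password is in that list, which is also how a defender audits dumped hashes for weak passwords. The word list and dumped hashes are constructed sample data, the audit function is hypothetical, and MD4 is implemented inline because hashlib may not expose it on current OpenSSL builds.

```python
import struct

MASK = 0xFFFFFFFF


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def _round(v, f, X, order, shifts, K):
    # One MD4 round of 16 steps; the working variables rotate so each step
    # updates the "a" slot exactly as RFC 1320 specifies.
    a, b, c, d = v
    for i, k in enumerate(order):
        a, b, c, d = d, _lrot((a + f(b, c, d) + X[k] + K) & MASK, shifts[i % 4]), b, c
    return [a, b, c, d]


def md4(data: bytes) -> bytes:
    # Pure-Python MD4 (RFC 1320), included because OpenSSL 3 only offers MD4
    # through its legacy provider, so hashlib.new("md4") often fails.
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = _round(h, lambda x, y, z: (x & y) | (~x & z), X, range(16), (3, 7, 11, 19), 0)
        v = _round(v, lambda x, y, z: (x & y) | (x & z) | (y & z), X, r2, (3, 5, 9, 13), 0x5A827999)
        v = _round(v, lambda x, y, z: x ^ y ^ z, X, r3, (3, 9, 11, 15), 0x6ED9EBA1)
        h = [(x + y) & MASK for x, y in zip(h, v)]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    # The NT hash is MD4 over the UTF-16LE password with no salt, which is
    # exactly why a precomputed reverse-lookup table works against it.
    return md4(password.encode("utf-16-le")).hex()


def audit_weak_passwords(dumped: dict, wordlist) -> dict:
    # Hypothetical audit helper: build the lookup once, then match each
    # account's hash against it and report the accounts with listed passwords.
    lookup = {nt_hash(w): w for w in wordlist}
    return {user: lookup[h.lower()] for user, h in dumped.items() if h.lower() in lookup}


if __name__ == "__main__":
    # Constructed sample data, not output from the post's lab.
    wordlist = ["daisy", "password", "miller", "coors"]
    dumped = {"admin2": nt_hash("daisy"), "backup": nt_hash("Xq7#vL9!pR2m")}
    print(audit_weak_passwords(dumped, wordlist))  # {'admin2': 'daisy'}
```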
It’s true that Windows can enforce password complexity requirements, and a password this simple would never have been accepted in many installations.
However, a password can be somewhat complex and still crackable through a brute-force attack. Or perhaps your system has legacy local accounts created before Windows started forcing you to come up with longer passwords.
For a better test, I tried the cracking service on the more complex password from the admin account on the miller server, which is “miller1234;”.
After a few days of brute force computing, the service couldn’t find a match.
Never say die!
I then learned about this fellow, John the Ripper, a very crafty password cracking tool. It’s too sophisticated a program to write about in the remainder of this post.
In brief, it’s very smart about how it does its brute-force attacks. JtR has a special word-mangling rule language: you supply a set of dictionary words, and it rearranges and extends them according to the rules you set up. The rules can be quite cryptic to look at, but they are very powerful — here’s a digestible overview of the mangling language.
You can set up rules, for example, to append various numeric sequences to the existing dictionary words. I think you see what I’m getting at.
If you have an inkling that beer names are used in passwords followed by some simple alphanumeric code, you feed the John the Ripper app a beer name word list and then configure rules to try out lots of sequence suffixes.
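To make the gap between blind brute force and rule-based mangling concrete, here is an added example (not from the post, and not John the Ripper code) that models a small append rule set over a constructed beer-name list, counts the keyspace it produces, and shows the policy check a defender can use to reject passwords of that shape before they are set. The rule set, the word list and the function names are assumptions.

```python
import itertools
import string

# Constructed beer-name word list standing in for the post's naming theme.
BEERS = ["miller", "coors", "bud", "guinness", "stella"]
SUFFIXES = ("", ";", "!", ".")


def mangled_candidates(words, max_digits=4, suffixes=SUFFIXES):
    # A hypothetical append rule set: word, then 0..max_digits digits, then an
    # optional trailing punctuation mark (the shape of "miller1234;").
    for word in words:
        for n in range(max_digits + 1):
            for digits in itertools.product(string.digits, repeat=n):
                for suf in suffixes:
                    yield word + "".join(digits) + suf


def keyspace_size(words, max_digits=4, suffixes=SUFFIXES):
    # Total number of candidates the rule set produces.
    return len(words) * sum(10 ** n for n in range(max_digits + 1)) * len(suffixes)


def rank_of(target, words, **kw):
    # 1-based position at which the rule set reaches target, or None if never.
    for i, cand in enumerate(mangled_candidates(words, **kw), 1):
        if cand == target:
            return i
    return None


def brute_force_keyspace(length, alphabet=95):
    # Naive search over every printable-ASCII string of the same length.
    return alphabet ** length


def looks_like_word_plus_suffix(password, words):
    # Policy check a password filter could apply: strip trailing digits and
    # punctuation, then reject the password if a listed word remains.
    base = password.rstrip(string.digits + string.punctuation).lower()
    return base in {w.lower() for w in words}


if __name__ == "__main__":
    pw = "miller1234;"
    print(rank_of(pw, BEERS), "of", keyspace_size(BEERS), "rule candidates")
    print(brute_force_keyspace(len(pw)), "strings to brute-force blindly")
    print(looks_like_word_plus_suffix(pw, BEERS))
```

The post's "few days" of blind brute force corresponds to the 95^11 figure, while the rule set reaches the same password within a few thousand candidates.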
Enter Hash Passing
I agree that cracking the NTLM hashes ain’t easy.
Rather than trying to crack the hash, pass-the-hash (PtH) slips the hash directly into the NTLM challenge-response protocol. You’re authenticated without ever having to derive the plaintext.
It’s a very cool and powerful idea, although Microsoft has been making it harder to do in recent releases, and with Windows 10 it may even become impossible in the future.
We’ll take all this up in the next post.