Passwords are safe right?
Let’s take a second to talk about passwords. They are really the backbone of a lot of consumer security, yet no one seems to take the time to make strong passwords or even understand the consequences of insecure passwords. Passwords keep the bad guys from accessing your stuff and tell the app/website/server/computer you are on that you are actually you. For a long time, authentication relied almost solely on passwords. Meaning if someone was able to trick you into disclosing your password they could pretend to be you on any app/site/computer etc. The other big way to get someone’s password was to capture the encrypted, or hashed, form of the password that is stored by the server. If the developer is following good practice your plain text password should never be stored.
For example if your password was
It would be stored in what’s called an NTLM hash in windows which looks like:
Obviously if a bad guy can retrieve the hash of a password the immediate impact is much less. The problem here is that most people look at that and think it’s secure without understand the attack surface of passwords. With how many passwords get dumped online it is incredibly easy to analyze these passwords and figure out how to best crack them.
Combine this analysis with the fact that most people use very similar passwords. For example, a recent pen test report I saw of a company who had their domain controller owned and all the passwords dumped, showed that 13% of employees were using the password
Aa123456. Forreal right now? Let’s understand just how dumb of an idea this is.
The Attack Surface
In my recent development of a product that will launch soon I have been researching attack passwords fairly heavily to figure out how to be as effective and efficient as possible. Combine that with some mild penetration testing I’ve done at an enterprise level trying to crack individual user passwords and I feel I have a decent understanding of it but am by no means an expert.
Let’s start with targeted attacks. What happens if someone was able to grab your encrypted password and username from the network (which I may or may not have done to a user)? Well when you have any password or set of passwords the first thing you want to do is go grab a good wordlist or set of wordlists. There are plenty out there on GitHub and what not. I always grab danielmiessler’s GitHub repo with tons of dictionaries on it, you will see why more is better in a minute.
Once you have your ammo you need your weapon. Hashcat is my password attack weapon of choice. John the Ripper is another good one, but I have found Hashcat to be better supported and better suited to my needs. I will not go over installing Hashcat and the drivers and stuff here but there are plenty of install tutorials out there.
If you are feeling lucky and think the password, you recovered is super weak you can just launch a straight up dictionary attack and compare all the passwords in your dictionary(s) to the captured password and see if you have a match. This is successful maybe like 20% of the time.
Too add some variation to your dictionaries which will make you much more successful we can use rules to mutate and change certain parts of the passwords we are trying. Hashcat comes with rules by default, dive being the best/most extensive one in my opinion, but there are tons out there. Some are designed for efficiency, some just to get as many passwords as possible. Using these rules allows us to launch as close to a brute force attack as possible without blindly iterating through characters. Simply throw a
-r at the end of your Hashcat command.
Efficiency is Key
Now if you have attacked your password with an extensive wordlist like rockyou.txt and have used a solid rule like dive.rule and are still empty handed it’s time to get a little more creative. TrustedSec has a great tool on GitHub called hatecrack. It automates a lot of effective attacks that can be pretty advanced. Feel free to play around with it but I most just use the wordlist_optimizer.py script. It takes a dictionary of wordlists, like the ones we just got, and uses hashcat-utils to dedup, sort, and generally optimize them to, hopefully, get our password early. Since Hashcat can take a directory of dictionaries as the dictionary argument all you need to do is point the script at your directory of wordlists, give it an empty directory for the optimized wordlists, then point Hashcat to that directory of optimized wordlists like so:
hashcat -a 0 -m 1000 my_hash.hash /path/to/opt_wordlists/ -r dive.rule
Where a is the attack type, dictionary here, and -m is the hash type, NTLM in the example.
Assuming you’ve got a good collection of large dictionaries this will take a while to run, depending on hardware, but I would say you’ve got around a 60% chance to get your password here. Now I haven’t gone into getting the right hardware and all that because that could be a whole different write-up, I’m just trying to focus on the broad overview here.
I used a command similar to this against the entire Ashley Madison password dump (~400,000 passwords) and was able to get around 70% of them. The above methodology is great for a large group of passwords from a diverse group of users, but if you just popped a box on a network and dump the /etc/shadow file, or you used responder to grab a password off the wire you may know a little more to help you get more effective dictionaries. There is tool called CeWL from Robin Wood which scrapes websites and builds a wordlist based on parameters you give it.
Say you got a password hash from a user on Acme Company’s network. You know that user works there, and you probably know their user id. From there you can often get an email which you can look up on LinkedIn, Facebook, etc. and find out lots about the user. Add anything you think may be useful from their profiles, addresses, family member names, maiden names, sports teams, etc., to a text file and save it. Then download and fire up CeWL like so:
cewl -d 1 -m 5 -e http://acmecompany.com/ >> .txt
This is telling cewl to only get words from the home page, only get words that are over 5 chars in length and to also grab emails, then to pipe that into the wordlist you started by hand. Now you can either run this new dictionary with rules by itself or you can add it to your pool of dictionaries and use the wordlist_optimizer.py script to have a good set of dictionaries for attacking any recovered password from that company.
Maybe in the future I’ll do another post on more advanced techniques and attacks such as masks and using PACK to analyze your attack. I’ll also put up some scripts I use often in my password auditing methodology to hopefully help some of you guys out.
The moral of the story here is to make strong passwords and use 2 factor authentication where you can. It is much easier to get your hashed password than you think and you would have no way of knowing I cracked it until all your account passwords started changing or spam starts pouring out of your outbox. I have only recently realized how insecure passwords truly are with how easy it is to get powerful GPUs these days which can easily pump out 50,000,000,000+ password guesses per second on something like NTLM hashes.
There is a lot of talk about what makes a strong password and what the requirements should be when creating one. At the end of the day, the main thing that makes a strong password is length for a couple reasons, 1) long passwords are more uncommon and will be less likely to appear in common dictionaries and 2) When dictionary attacks fail and the attacker has to resort to masks/brute force attacks, the time it takes to crack a password over 12 characters is years. So, make it long, make sure there aren’t any dictionary words in it, especially any related to you.
That’s all for now folks, stay tuned as I learn more and correct my naivety.