The NetNTLMv1 protocol is insecure due to the way it calculates the challenge-response allowing an attacker to retrieve the NTLM h ash by easily cracking the response. Furthermore, r etrieving the NTLM hash of a user is almost synonymous to retrieving the plaintext password of a user, since it can be use d for a ‘ Pass the Hash ’ attack. LM2NT: Alters the case of characters in cracked LM hash passwords to crack the corresponding NTLM hash passwords instantly. Review all the cracked passwords. We can easily review all the broken passwords within the hash suite. As you can see below the file crack.txt which has the hashes of the password. 2) Extracting password hash dumps from Windows Pwdump is an amazing hacking tool that can help you get the LM and NTLM secret password hashes of client accounts from the Security Account Manager (SAM) database. In such cases, you can as well use the NTLM hash to recover password with RainbowCrack. Ideally setting up the rainbow tables takes huge amount of disk space and lot of computing time to generate the tables. Hence its not practical for anyone to create such an setup on the home system.
In part 1 we looked how to dump the password hashes from a Domain Controller using NtdsAudit. Now we need to crack the hashes to get the clear-text passwords.
Hash Types
First a quick introduction about how Windows stores passwords in the NTDS.dit (or local SAM) files. If you’re not interested in the background, feel free to skip this section. Windows stores passwords using two different hashing algorithms – LM (Lan Manager) and NTLM (NT Lan Manager).
LM Hashes
The LM hashing algorithm is very old, and is considered very insecure for a number of reasons. Firstly, it is case insensitive, with all letters being converted to uppercase, which greatly reduces the possible keyspace. Secondly, and more importantly, the algorithm pads the password to 14 characters, and then splits it into two 7 character strings, which are hashed separately (using DES). This means that cracking a 14 character password is twice as hard as cracking a 7 character password, rather than being billions of times harder as it would be with an algorithm that did not split the passwords. These, and the fact that the LM algorithm is relatively fast and does not use salts, means that almost any LM hash can be cracked using brute-force or rainbow table attacks in a matter of hours (often minutes or seconds), on commodity hardware. Windows stored both LM and NTLM hashes by default until Windows Vista/Server 2008, from which point only NTLM hashes were stored (along with the empty LM hash AAD3B435B51404EEAAD3B435B51404EE). This means that in a modern environment there should only be LM hashes stored on local systems, but Active Directory makes this a bit more complicated. If the Active Directory domain was created before this change was implemented (on Server 2003 or before), it will still store LM hashes, unless a specific Group Policy setting is configured to prevent the storage of LM hashes. However, configuring this policy does not remove existing LM hashes. Any LM hashes already present will remain until the password for that account is changed. This means that in many domains, there are a small number of accounts that still have LM hashes, which are usually accounts that haven’t had password changes in a number of years (and are quite often privileged or service accounts).
NTLM Hashes
In Windows NT Microsoft introduced the newer NTLM hashes type, which is essentially the MD4 algorithm (so would not be considered secure by modern standards). NTLM fixed the main two problems with LM hashes (case sensitivity and splitting passwords), so in a major improvement in those respects. However, it lacks many of the features of modern hashing algorithms such as Bcrypt or PBKDF2, such as being slow, salting and GPU/FPGA/ASIC resistant.
Tools
There are lots of different tools you can use to crack the password hashes – to some extent it comes down to personal preference. Three of the main ones that people use for AD passwords are Cain and John the Ripper (my personal preference), and Hashcat.
Cain & Abel
Cain & Abel is a Windows-based tool with a host of useful features, including a password cracker. Lots of antivirus products incorrectly flag it as malware (mostly due to the Abel component, which can be remotely installed to sniff packets and dump passwords), so your AV may not be happy with you downloading or installing it.
Usage
Cracking passwords with Cain is fairly straightforward. Under the “Cracker” tab, choose “LM & NTLM Hashes” in the bar on the left. You can then right click -> add to list, and import the hashes your pwdump.txt file. Once the hashes are imported, you can select all, right click, and choose one of the cracking options. For each mode you can choose whether to try and crack the LM hashes or NTLM hashes. Cain has three main modes:
Password Hash Cracker
Brute Force
Does exactly what it says. It’s single threaded and CPU only, so brute-forcing anything more than 5 characters is unlikely to complete in a reasonable amount of time. However it can be very useful for getting the second half of LM hashes (for example, PASSWORD123 would be stored as two hashes, “PASSWOR” and “D123”). Dictionary Attack Uses a provided wordlist and optionally some permutations. The default Cain wordlist is about 3MB and isn’t bad, but you can get much bigger and better ones online. The “rockyou” wordlist (from the leaked password database of the rockyou website) is a popular choice. The permutations provide a number of options, such as appending numbers of changing the case of the password, however they’re fairly limited and can’t be combined. This is the biggest problem with Cain for password cracking – there’s no rule to capitalise the first letter and append a number, which is what most people do. Because of this, you’ll have much better success with Cain if your wordlist has the first letter capitalised on all the words that if it’s entirely lowercase (which Cain’s default one is). Cryptanalysis Attack (Rainbow Tables) Very effective against LM hashes with either the previously mentioned Ophcrack table, or other larger tables you can get. It’s normally a good idea to break very weak passwords with a simple dictionary attack and short (5 character) bruteforce attack first, then let the Rainbow Tables pick up the rest.
Strengths
The biggest benefit of Cain is that it supports the use of Rainbow Tables for cracking hashes. I won’t go into Rainbow Tables in detail here, but essentially they allow precomputation of password hashes to greatly speed up the cracking process. In practical terms, you can download some (fairly large) tables, and use them to quickly crack hashes. They don’t work very well for longer passwords (unless you have terabytes of fast storage), but for shorter passwords they’re extremely effective. Since LM hashes are a maximum of 7 characters long (due to the way the passwords are split), they’re the perfect target for Rainbow Tables. The “XP free fast” tables from Ophcrack are about 700MB, and will crack most LM hashes in a matter of seconds.
Weaknesses
The bruteforce and dictionary modes that Cain provides are fairly limited, and it doesn’t really provide any customisation. The project is also pretty much abandoned, so it’s unlikely there will any new features added in the future. It also only runs on Windows, and is single threaded, so it’s a lot slower than the alternatives. Finally, it doesn’t scale too well to large pwdump files – thousands of users (especially with history) will make it quite unresponsive. It’s good for cracking the LM hashes with Rainbow Tables, or as a basic GUI tool, but beyond that you’re better off using a tools that’s specifically designed for password cracking.
John the Ripper
John the Ripper was originally designed to crack Unix passwords, but now runs on pretty much everything and cracks pretty much any kind of password. The original version is maintained by Openwall who provide the source code and prebuilt Windows binaries. However, there’s a fork (known as the Jumbo version) on GitHub which provides better performance, more hash types, and new attack modes. This is the version that ships in Kali, and I’d highly recommend using it over the original version. There’s also a GUI for it called Johnny, but I’ve never really used this, so can’t comment on it. John stores cracked passwords in a pot file (the default is “john.pot”), and it’s main configuration file is “john.conf” (which will probably be in /etc/john/ on Linux). There are a lot of command line options and further options in the configuration file.
Usage
At the simplest level, you can just point john at a pwdump file, tell it what type of hashes you want it to crack (NTLM) and let it go:
This will perform a number of different attacks (single mode, wordlist mode and incremental mode), but it’s not really the best way to use john. Once it’s finished (although this mode will never finish, so you’ll have to kill it with ctrl+c), you can display the cracked passwords with the show option:
Single Mode Single mode uses information from the pwdump file to try and crack passwords (such as the usernames), as well as some common default passwords and patterns. It’ll probably only take a few minutes (at most) to run and will pick up a decent number of very weak passwords, so it’s usually a good starting point:
Wordlist Mode At the basic level, this is a dictionary attack with a provided wordlist:
Rules However where John starts to shine is the use of password cracking rules. This are similar to the permutations in Cain, but all you a lot more flexibility. A small dictionary with a good set of rules will crack a huge number of passwords, so it really comes down to the quality of the rules you have. Unfortunately the default rules that ship with John are over 15 years old, so aren’t very effective in the days of password complexity. You can try out the default rules with a wordlist:
It should crack a lot more passwords that just the wordlist with no rules, but adding our own rules will make things much better. You can define custom rules in the “john.conf” file. The default rules are defined in the following section:
You can overwrite this section, add your rules here, or create your own rules section. The following rules do some very basic changes (capitalising words, adding 123 or the year, etc). They’re fairly simple and quick to run, but will crack a lot of very weak passwords.
Once these are saved in the configuration file, we can use them by specifying the new “simple” rule set:
![Ntlm Ntlm](/uploads/1/2/7/8/127874809/840002075.png)
The syntax for rules isn’t too complex when you get your head around it, and you can read up the details here if you want to make your own rules. KoreLogic also have a popular set of rules published (although there’s lots of them, so they’ll take a very long time to run). Incremental (bruteforce) Incremental mode is john’s version of a bruteforce attack. Like a normal bruteforce it’ll probably never finish, but it works more intelligently than Cain’s mode. Rather than a simple a-z, it uses an intelligent order based on the most common patterns that occur in passwords. The default charset (where it stores that information) is old, so doesn’t work well, but you can create your own. Once you’ve cracked some passwords, you can create a charset based on those with the following command:
You can then define this charset in John’s configuration file:
And then perform the attack:
Loopback Mode Loopback mode uses all of the previous cracked passwords (from John’s pot) and tries to crack other passwords based on those by permutations (for example changing the number on the end, adding symbols, etc). It’s very effective once you’ve cracked a number of passwords and want to find people who are changing their passwords using weak methods (such as incrementing the number of the end each time they change it).
Other Modes There are lots of other modes in john, some of which are really good at cracking more complex passwords (PRINCE), or passwords based on previously seen patterns (markov and mask). You can also apply rules to these other modes and do other interesting things that there isn’t really time to go into here, but there’s plenty of information online about them.
Strengths
John gives you a great deal of customisation, and supports a lot of different cracking modes and hash types. You can also chain together different modes (such as a combined wordlist and mask attack, or applying rules to a PRINCE attack). It can comfortably handle large (multi GB) wordlists and pwdump files (hundreds of thousands of users). Because John has been around for so long there are lots of other tools that are designed to work with it (and its output).
Weaknesses
Ntlm Hash Lookup
Although there’s some basic GPU support in the OpenCL builds, it’s not as good as Hashcat’s support (which was very much built with GPU in mind, rather than it being added on decades later). The commandline options can also be a bit finicky, and John can be fussy about the format of some hashes (not usually an issue with pwdump files, but it can be hard to get it to recognise other types).
Hashcat
Hashcat provides much of the same functionality as John (since they’re both open source they merge features from each other), but is built around using the GPU rather than the CPU for cracking. If you have a GPU it will be orders of magnitude faster for most hash types than just using the CPU, so if you’re looking to do password cracking on a system that has GPU(s) then I’d recommend looking into Hashcat. I’ve not used it a huge amount, and some of the syntax is awkward (especially the hash types), so I’m not going to go into detailed usage here, but there are plenty of guides you can find online. If you’re trying to crack as many complex passwords as possible, Hashcat with a decent GPU rig will probably be the best way to go, but if you just want weak passwords, GPUs are probably overkill.
Password Analysis
Part 3 of this series explores some of the different tools and techniques that can be used to obtain useful metrics from cracked password hashes in order to determine improvements to a password policy.
Conclusion
There are lots of different tools and methods you can use for cracking passwords, including plenty that haven’t been touched on at all in this article. Although it’s interesting (and fun) to try and crack as many passwords as you can, really the objective in most cases (certainly for internal auditing) is to identify the weakest passwords, so unless you have other objectives, it’s not worth investing too much time in all the more sophisticated cracking techniques – especially when there are dozens of accounts out there with Password1. In the next post we’ll look at analysing the results of the password cracking and see what useful information and patterns we can identify there.
Hashstack™ is the ultimate password cracking software stack, designed and developed by the world's top password crackers for true password cracking professionals, and exclusively available on Terahash® turn-key password cracking appliances.
![Ntlm Ntlm](/uploads/1/2/7/8/127874809/772204341.jpg)
Optimized Workflow
Modeled after Team Hashcat's own workflows, Hashstack™ works the way you work and is designed with team collaboration at the forefront. Hashstack™ is project-centric and list-centric rather than job-centric, which means that hash lists are logically organized by case/engagement. You may then add collaborators to each hash list, optionally organized into groups/teams, so that multiple simultaneous users may work together against multiple simultaneous hash lists. And Hashstack's™ advanced, multi-dimensional queueing mechanism and job scheduler ensures that all resources are fairly shared across the cluster, with the option to assign job priorities and resource limits. So whether you work in law enforcement, military/defense, information security, security consulting, digital forensics, or litigation support, Hashstack™ provides the perfect environment for collaborative, multi-user password cracking!
Extreme Performance
Unlike other software which only supports GPU acceleration for a small subset of available hash formats, Hashstack™ has full GPU acceleration for ALL 375+ highly-optimized hash formats. Coupled with Terahash's® finely-tuned appliances which deliver up to 35% more performance over other solutions using similar hardware, Hashstack™ offers unparalleled hash cracking performance. And unlike other software that allows you to queue up a batch of multiple hashes/files but then works on them in serial – exahusting all attacks on one file before moving on to the next – Hashstack™ works on multiple hashes in parallel, and on multiple jobs in parallel too, enabling you to find the most passwords in the least amount of time.
Infinitely Scalablity
One Terahash® appliance is great – 20 Terahash® appliances are better! Password cracking has exponential complexity, so there's literally no such thing as having 'too many' cracking resources. But password cracking is also an embarassingly parallel problem, and thus Hashstack™ was designed to be infinitely scalable – you can purchase and stack as many appliances as your budget permits, and Hashstack™ will fully utilize all of them for distributing password cracking jobs. Contrary to popular belief, the biggest advantage to operating a cluster of multiple Terahash® appliances is actually not the ability to utilize the raw compute power of all resources combined, but rather the ability to run many simultaneous jobs in parallel. Posting up 12 TH/s on NTLM is certainly impressive, but the ability to run 200 jobs in parallel is far more impressive and far more practical!
High Fault Tolerance
Hashstack™ is highly tolerant of failures, so having an appliance go down for any reason does not mean the jobs currently running will fail; Hashstack™ will simply route around the failure until the issue can be resolved. This resilience also enables you to add appliances on-the-fly as well: simply rack up a new appliance, and it will automatically join the cluster and begin work on the active jobs in the queue!