Password Cracking

During a penetration test, password hashes are commonly obtained either by intercepting NTLMSSP authentication on the network (NetNTLMv2 challenge-responses captured with a tool such as Responder) or by extracting them directly from compromised systems. In a domain environment the underlying passwords will usually have had to satisfy the Active Directory password policy, which is worth knowing before any cracking starts.

Active Directory Password Policy

Most organisations use Active Directory for single sign-on, so it's important to tailor password cracking attempts to the password requirements Active Directory imposes.

As per Microsoft's documentation, the default domain policy requires passwords to be at least 7 characters long (the default Minimum password length for domain controllers; the --pass-pol output below reports the same value) and, when complexity is enabled, to not contain the user's samAccountName and to contain characters from at least three of the following five categories:

  • Uppercase letters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
  • Lowercase letters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
  • Base 10 digits (0 through 9)
  • Non-alphanumeric characters (special characters): (~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/) Currency symbols such as the Euro or British Pound aren't counted as special characters for this policy setting.
  • Any Unicode character that’s categorized as an alphabetic character but isn’t uppercase or lowercase. This group includes Unicode characters from Asian languages.

So, Password1 is a likely candidate 👍

Enumerating the Password Policy

To crack effectively you need to know the password policy in place and adjust the attack accordingly. CrackMapExec (or its maintained successor NetExec, which keeps the same syntax) can dump the domain password policy with any valid domain credential. In the output below, the values that matter for cracking are the minimum length (7) and the complexity flag (Domain Password Complex: 1, so three of the five character categories are required). Note also the lockout settings: a threshold of None means failed logons never lock accounts in this lab domain, so online guessing would be safe here as well, but that is unusual, and the threshold must always be checked before any password spraying.

crackmapexec smb 192.168.1.200 -u john -p 'Password1!' --pass-pol
SMB         192.168.1.200   445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:bordergate.local) (signing:True) (SMBv1:False)
SMB         192.168.1.200   445    DC               [+] bordergate.local\john:Password1! 
SMB         192.168.1.200   445    DC               [+] Dumping password info for domain: BORDERGATE
SMB         192.168.1.200   445    DC               Minimum password length: 7
SMB         192.168.1.200   445    DC               Password history length: 24
SMB         192.168.1.200   445    DC               Maximum password age: 41 days 23 hours 53 minutes 
SMB         192.168.1.200   445    DC               
SMB         192.168.1.200   445    DC               Password Complexity Flags: 000001
SMB         192.168.1.200   445    DC                   Domain Refuse Password Change: 0
SMB         192.168.1.200   445    DC                   Domain Password Store Cleartext: 0
SMB         192.168.1.200   445    DC                   Domain Password Lockout Admins: 0
SMB         192.168.1.200   445    DC                   Domain Password No Clear Change: 0
SMB         192.168.1.200   445    DC                   Domain Password No Anon Change: 0
SMB         192.168.1.200   445    DC                   Domain Password Complex: 1
SMB         192.168.1.200   445    DC               
SMB         192.168.1.200   445    DC               Minimum password age: 1 day 4 minutes 
SMB         192.168.1.200   445    DC               Reset Account Lockout Counter: 30 minutes 
SMB         192.168.1.200   445    DC               Locked Account Duration: 30 minutes 
SMB         192.168.1.200   445    DC               Account Lockout Threshold: None
SMB         192.168.1.200   445    DC               Forced Log off Time: Not Set
                                                                                    

Hashcat

Hashcat is a password recovery tool that can use a computer's GPU to significantly speed up recovering passwords from their hashes.

To demonstrate the performance increase from using a GPU, a Ryzen 5 3600 CPU (selected with -D 1, the OpenCL CPU device type) achieves the following NetNTLMv2 rate:

sudo hashcat -b -m 5600 -D 1
hashcat (v6.2.5) starting in benchmark mode

dlerror: libMesaOpenCL.so.1: cannot open shared object file: No such file or directory
OpenCL API (OpenCL 2.0 pocl 1.8  Linux, None+Asserts, RELOC, LLVM 11.1.0, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=====================================================================================================================================
* Device #1: pthread-AMD Ryzen 5 3600 6-Core Processor, 14957/29978 MB (4096 MB allocatable), 12MCU

OpenCL API (OpenCL 2.1 AMD-APP (3423.0)) - Platform #2 [Advanced Micro Devices, Inc.]
=====================================================================================
* Device #2: AMD Radeon RX 5700 XT 50th Anniversary, skipped

Benchmark relevant options:
===========================
* --opencl-device-types=1
* --optimized-kernel-enable

----------------------------
* Hash-Mode 5600 (NetNTLMv2)
----------------------------

Speed.#1.........: 74055.4 kH/s (82.65ms) @ Accel:512 Loops:1024 Thr:1 Vec:8


On the same system, using the 5700 XT GPU gives a significantly higher rate:

sudo hashcat -b -m 5600
hashcat (v6.2.5) starting in benchmark mode

dlerror: libMesaOpenCL.so.1: cannot open shared object file: No such file or directory
OpenCL API (OpenCL 2.0 pocl 1.8  Linux, None+Asserts, RELOC, LLVM 11.1.0, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=====================================================================================================================================
* Device #1: pthread-AMD Ryzen 5 3600 6-Core Processor, skipped

OpenCL API (OpenCL 2.1 AMD-APP (3423.0)) - Platform #2 [Advanced Micro Devices, Inc.]
=====================================================================================
* Device #2: AMD Radeon RX 5700 XT 50th Anniversary, 8064/8176 MB (6949 MB allocatable), 20MCU

Benchmark relevant options:
===========================
* --optimized-kernel-enable

----------------------------
* Hash-Mode 5600 (NetNTLMv2)
----------------------------

Speed.#2.........:  1529.5 MH/s (54.61ms) @ Accel:2048 Loops:64 Thr:32 Vec:1

CPU attempts per second: 74,055,400 (kH/s is 1,000 hashes per second)
GPU attempts per second: 1,529,500,000 (MH/s is 1,000,000 hashes per second)

So the GPU is roughly 20.7 times faster, a 1965% increase 🙂

The reason is parallelism: the RX 5700 XT has 2,560 stream processors versus the Ryzen's 6 cores (12 threads). The GPU's clock is lower (1905 MHz boost) than the Ryzen's 4.2 GHz boost, but hashing independent candidates is an embarrassingly parallel workload, so the massive core count wins out. The gap is largest for fast, unsalted hashes such as NTLM and NetNTLMv2; deliberately slow or memory-hard algorithms such as bcrypt and scrypt narrow it considerably.

Configuring Hashcat on Ubuntu 22.04

The hashcat -I command can be used to see what processing units are available:

hashcat -I
hashcat (v6.2.5) starting in backend information mode

OpenCL Info:
============

OpenCL Platform ID #1
  Vendor..: The pocl project
  Name....: Portable Computing Language
  Version.: OpenCL 2.0 pocl 1.8  Linux, None+Asserts, RELOC, LLVM 11.1.0, SLEEF, DISTRO, POCL_DEBUG

  Backend Device ID #1
    Type...........: CPU
    Vendor.ID......: 1
    Vendor.........: AuthenticAMD
    Name...........: pthread-AMD Ryzen 5 3600 6-Core Processor
    Version........: OpenCL 1.2 pocl HSTR: pthread-x86_64-pc-linux-gnu-znver2
    Processor(s)...: 12
    Clock..........: 4208
    Memory.Total...: 29978 MB (limited to 4096 MB allocatable in one block)
    Memory.Free....: 14957 MB
    OpenCL.Version.: OpenCL C 1.2 pocl
    Driver.Version.: 1.8

From the output, we can see only the CPU is detected. We need to install the OpenCL runtime for hashcat to detect the GPU. For AMD graphics cards, download the amdgpu-install package from AMD's website (the version in the file name will differ) and install it with:

sudo dpkg -i amdgpu-install_22.10.2.50102-1_all.deb
sudo amdgpu-install --usecase=opencl --no-dkms

Hashcat should now be able to take advantage of the GPU. The libMesaOpenCL.so.1 dlerror is harmless: the OpenCL ICD loader finds a Mesa ICD file without the Mesa library installed, and the AMD platform is still loaded:

sudo hashcat -I
hashcat (v6.2.5) starting in backend information mode

dlerror: libMesaOpenCL.so.1: cannot open shared object file: No such file or directory
OpenCL Info:
============

OpenCL Platform ID #1
  Vendor..: The pocl project
  Name....: Portable Computing Language
  Version.: OpenCL 2.0 pocl 1.8  Linux, None+Asserts, RELOC, LLVM 11.1.0, SLEEF, DISTRO, POCL_DEBUG

  Backend Device ID #1
    Type...........: CPU
    Vendor.ID......: 1
    Vendor.........: AuthenticAMD
    Name...........: pthread-AMD Ryzen 5 3600 6-Core Processor
    Version........: OpenCL 1.2 pocl HSTR: pthread-x86_64-pc-linux-gnu-znver2
    Processor(s)...: 12
    Clock..........: 4208
    Memory.Total...: 29978 MB (limited to 4096 MB allocatable in one block)
    Memory.Free....: 14957 MB
    OpenCL.Version.: OpenCL C 1.2 pocl
    Driver.Version.: 1.8

OpenCL Platform ID #2
  Vendor..: Advanced Micro Devices, Inc.
  Name....: AMD Accelerated Parallel Processing
  Version.: OpenCL 2.1 AMD-APP (3423.0)

  Backend Device ID #2
    Type...........: GPU
    Vendor.ID......: 1
    Vendor.........: Advanced Micro Devices, Inc.
    Name...........: AMD Radeon RX 5700 XT 50th Anniversary
    Version........: OpenCL 2.0 
    Processor(s)...: 20
    Clock..........: 2100
    Memory.Total...: 8176 MB (limited to 6949 MB allocatable in one block)
    Memory.Free....: 8064 MB
    OpenCL.Version.: OpenCL C 2.0 
    Driver.Version.: 3423.0 (HSA1.1,LC)
    PCI.Addr.BDF...: 2b:00.0

Configuring Hashcat on Fedora 38

In Fedora 38, install the ROCm OpenCL packages, then confirm the GPU appears in hashcat -I:

sudo dnf install rocm-opencl rocminfo rocm-clinfo rocm-device-libs

Cracking Process

In general, the following steps, in increasing order of cost, are effective at recovering easily guessed passwords:

  • Run a large wordlist against the hashes. On the GPU above, 100 GB of wordlists can be processed against NetNTLMv2 hashes in around 38 minutes.
  • Use rules with a base wordlist, for instance looking for dictionary words with the first letter capitalised and digits or symbols appended.
  • If the password still isn't cracked, resort to mask attacks targeted at the enumerated policy.

Windows Hashcat Formats

The full list of hashcat modes, with an example hash for each, is on the hashcat wiki (https://hashcat.net/wiki/doku.php?id=example_hashes). Below are the common Windows formats.

Hash Format                            Hash Type   Notes
NetNTLMv2                              5600        Responder hashes
NTLM                                   1000        SAM/NTDS hashes
Domain Cached Credentials 2 (DCC2)     2100        Cached passwords of previous logins
Kerberos 5, etype 23, TGS-REP          13100       Kerberoastable accounts
Kerberos 5, etype 23, AS-REP           18200       AS-REP roastable accounts

Modes 13100 and 18200 cover RC4-encrypted (etype 23) tickets. Tickets issued with AES keys need the etype 17/18 modes instead (19600 and 19700 for TGS-REP, 19800 and 19900 for AS-REP), and those are orders of magnitude slower to crack because of the PBKDF2 key derivation. DCC2 is also PBKDF2-based and far slower than NTLM, so prioritise wordlists over masks for it.

Wordlist Attacks

Wordlists are useful for weeding out commonly used passwords. Hashcat runs a straight wordlist attack with -a 0, the hash mode, the hash file and then the wordlist:

hashcat -a 0 -m 5600 DumpNTLMv2.txt  /PasswordLists/crackstation.txt

Below is a list of available wordlists that can be used for this purpose.

Name            Size      Download                                                          Notes
Crackstation    15 GB     https://crackstation.net/                                         Combination of wordlists, including non-English words
Rocktastic      13 GB     https://labs.nettitude.com/blog/rocktastic/                       Nettitude's permutations of the infamous rockyou wordlist
RockYou2021     100 GB    https://github.com/ohmybahgosh/RockYou2021.txt                    The largest collection of compromised passwords, 8.4 billion entries
SecLists        807 MB    https://github.com/danielmiessler/SecLists/tree/master/Passwords  Includes a large number of default passwords
Weakpass 2P     9.4 GB    https://weakpass.com/download                                     A password list compliant with the default Windows password policy
English Words   4.1 MB    https://github.com/dwyl/english-words                             For use with rule attacks

Custom wordlists can also be created by scraping company websites with tools such as CeWL; words from the target's own site, product names and office locations are frequently part of passwords.

Rule Attacks

Rule attacks take a base wordlist and mutate each word. This is useful because dictionary words with extra digits or special characters are common. The rule syntax is similar to John the Ripper's: each line of a rule file is one rule, and the functions on that line are applied to the word in sequence. For instance, the following rule file capitalises the first letter of each word and appends a single digit. The functions must be on the same line; c and $1 on separate lines would be two independent rules producing Password and password1 rather than Password1.

c $0
c $1
c $2
c $3
c $4
c $5
c $6
c $7
c $8
c $9

Saved under any name, say capnum.rule, it is passed with -r. Several -r options can be given and are applied in sequence, and hashcat ships larger rulesets such as /usr/share/hashcat/rules/d3ad0ne.rule that are used the same way:

hashcat -a 0 -m 5600 DumpNTLMv2.txt -r capnum.rule customwordlist.txt -d 2 -O
hashcat -a 0 -m 5600 DumpNTLMv2.txt -r /usr/share/hashcat/rules/d3ad0ne.rule customwordlist.txt -d 2 -O

-O selects the optimized kernels, which are faster but cap the candidate length (hashcat prints the limit as "Maximum password length supported by kernel"); drop it when long passphrases are in scope.

A comprehensive list of rule functions is on the hashcat wiki (https://hashcat.net/wiki/doku.php?id=rule_based_attack). NotSoSecure have released a third-party ruleset, OneRuleToRuleThemAll, which has also proved effective.
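The following added example, which is not hashcat's own code and not from the original post, implements a subset of the rule language so the line semantics can be checked without a GPU: functions on one line are chained into one rule, each line is an independent rule, and the capitalise-and-append file above is generated and applied to a constructed wordlist. Only the functions listed in the docstring are supported; hashcat's real output for any rule file can be inspected with hashcat --stdout -r rules.rule wordlist.txt.

```python
"""Apply a subset of hashcat rule functions in Python.

Added example, not hashcat code. Supported functions: ':' (no-op), 'l', 'u',
'c', 'C', 't', 'r', 'd', '$X', '^X', ']', '[', 'sXY'. Functions on one line
are separated by spaces here, so '$ ' (append a space) is not expressible.
Anything else raises ValueError rather than silently producing candidates.
"""

# The capitalise-and-append-a-digit rule file from the text, generated: 'c $0' .. 'c $9'.
CAPITALISE_APPEND_DIGIT = [f"c ${n}" for n in range(10)]

# Constructed sample wordlist.
SAMPLE_WORDLIST = ["password", "summer", "bordergate"]


def apply_rule(rule: str, word: str) -> str:
    """Apply one rule line (space-separated functions, left to right) to a word."""
    w = word
    for fn in rule.split():
        op, arg = fn[0], fn[1:]
        if op == ":":
            pass
        elif op == "l":
            w = w.lower()
        elif op == "u":
            w = w.upper()
        elif op == "c":                       # capitalise first, lowercase the rest
            w = w[:1].upper() + w[1:].lower()
        elif op == "C":                       # lowercase first, uppercase the rest
            w = w[:1].lower() + w[1:].upper()
        elif op == "t":
            w = w.swapcase()
        elif op == "r":
            w = w[::-1]
        elif op == "d":
            w = w + w
        elif op == "$" and len(arg) == 1:
            w = w + arg
        elif op == "^" and len(arg) == 1:
            w = arg + w
        elif op == "]":
            w = w[:-1]
        elif op == "[":
            w = w[1:]
        elif op == "s" and len(arg) == 2:
            w = w.replace(arg[0], arg[1])
        else:
            raise ValueError(f"unsupported rule function: {fn!r}")
    return w


def expand(rules, words):
    """Every (word, rule) combination, as hashcat -r produces; blank and '#' lines are skipped."""
    out = []
    for word in words:
        for rule in rules:
            rule = rule.strip()
            if not rule or rule.startswith("#"):
                continue
            out.append(apply_rule(rule, word))
    return out


if __name__ == "__main__":
    print("one rule, chained:  ", expand(["c $1"], ["password"]))
    print("two separate rules: ", expand(["c", "$1"], ["password"]))
    for candidate in expand(CAPITALISE_APPEND_DIGIT, SAMPLE_WORDLIST):
        print(candidate)
```

The candidate count is simply words multiplied by rules, so a 4.1 MB English dictionary with a ten-line rule file stays tiny, while the same dictionary with a 50,000-line ruleset such as OneRuleToRuleThemAll is where GPU throughput starts to matter.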

Mask Attacks

Mask attacks check for passwords that match a specific pattern. Mask tokens are prefixed with a question mark and designate the character set to brute-force at that position:

  • ?l = abcdefghijklmnopqrstuvwxyz
  • ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
  • ?d = 0123456789
  • ?h = 0123456789abcdef
  • ?H = 0123456789ABCDEF
  • ?s = «space»!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
  • ?a = ?l?u?d?s
  • ?b = 0x00 – 0xff

So, a mask for Password1! would be:

Character   Mask
P           ?u
a           ?l
s           ?l
s           ?l
w           ?l
o           ?l
r           ?l
d           ?l
1           ?d
!           ?s

i.e. ?u?l?l?l?l?l?l?l?d?s (there is no ?n token; digits are ?d). That mask has a keyspace of 26^8 × 10 × 33, roughly 6.9 × 10^13 candidates, which is about 12.5 hours at the 1.5 GH/s NetNTLMv2 rate measured above, whereas ten positions of ?a would be 95^10 and out of reach. Custom charsets (for example -1 ?l?d, referenced in the mask as ?1) narrow masks further.

These patterns can be stored in a .hcmask file, one mask per line. For instance, the start of one of the mask files shipped with hashcat looks like this:

head  /usr/share/hashcat/masks/8char-1l-1u-1d-1s-compliant.hcmask
?d?d?d?d?d?l?u?s
?d?d?d?d?d?l?s?u
?d?d?d?d?d?u?l?s
?d?d?d?d?d?u?s?l
?d?d?d?d?d?s?l?u
?d?d?d?d?d?s?u?l
?d?d?d?d?l?d?u?s
?d?d?d?d?l?d?s?u
?d?d?d?d?l?l?u?s
?d?d?d?d?l?l?s?u

A pure mask attack uses attack mode 3 (-a 6 and -a 7 are the hybrid modes, wordlist plus mask, and additionally require a wordlist). A mask file is passed in place of a single mask:

hashcat -a 3 -m 5600 DumpNTLMv2.txt /usr/share/hashcat/masks/8char-1l-1u-1d-1s-compliant.hcmask -d 2 -O

Cloud Cracking

Cracking passwords on a local computer is effective for discovering weak passwords, but more complex passwords need more computing power. Coalfire have released a password cracking system for Amazon Web Services called NPK. It provides an easy-to-use web interface for launching hashcat campaigns, and spending limits can be set per campaign so the AWS bill stays within reasonable levels. Bear in mind that hashes uploaded to a cloud cracker are client data, so check the engagement's rules on where they may be processed before using one.