Do you remember a thing called trust? I remember when I was 10 or 11 years old I decided to open a “family” bank for my brother and sister.
Being the conniving bigger brother, I convinced them that their allowances would be safe in my hands and that I would store their money in a secure place. I reasoned they could save their allowance so they could have more money for movies and snacks. My credulous siblings trusted their duplicitous brother and I abused their trust. Whenever I got the chance, I would dip into the bank and steal small portions of money so I could augment my own savings.
I know this was a pretty dickheaded thing to do but I didn’t have a conscience. I was a snotty nosed bully full of greed and low on compassion.
So what does that have to do with cracking Windows passwords?
It’s all about trust!
Windows passwords are stored on the computer, and the user trusts that unauthorized people won’t get at them. But today I’m going to show you just how simple it is to crack Windows passwords using Kali Linux.
It’s so easy that it’s embarrassing. Microsoft should be chagrinned.
Wrangling Windows Passwords
So here’s the thing: Windows passwords use hashed values.
So for example, if your password is “dontStealMyMon3y”, Windows doesn’t store that string. It runs it through a one-way hash function and stores the jumbled output, known as a digest. (Windows’ own algorithm is MD4 over the UTF-16 encoding of the password, the so-called NT hash; the MD5 and SHA digests in the examples below illustrate the same idea.) Two things matter about hashes: the digest is a fixed length regardless of the input size, and the function is one-way, which means you can’t compute the plaintext password from the digest.
Hashes can’t be run backwards. The only road from a digest back to a password is to guess candidate passwords, hash each one, and compare.
Sucking “dontStealMyMon3y” through a SHA256 hash results in a digest that begins with 200186c. It’s too long to type out here.
On every version of Windows, the local account hashes live in a registry hive called the SAM (Security Accounts Manager), stored as \Windows\System32\config\SAM. Windows NT through Server 2003 could also leave a backup copy of it in \Windows\Repair, which is the copy older tutorials point you at. If you open the file in notepad it’s completely unreadable, and you won’t see the passwords themselves, only the hashes. Two caveats before you go looking: the live hive is locked while Windows is running, and the hashes inside it are themselves encrypted with a key kept in the SYSTEM hive (SYSKEY), so any tool that dumps the SAM needs the SYSTEM hive as well. What I’m going to show you is how to make guessing attempts against those hashes so you can figure out the passwords behind them.
Domain accounts aren’t in the SAM at all. Active Directory stores them in its database, the NT Directory Services directory information tree, NTDS.DIT (by default \Windows\NTDS\ntds.dit on each domain controller). NTDS.DIT is your guy, but you can’t directly access it while the directory service has it open, and even if you could, the hashes inside are encrypted with a key derived from the SYSTEM hive’s boot key.
But don’t worry – we’ll circumvent that too.
Back in the late ’80s and early ’90s there was something called LAN Manager (LANMAN), and its password hash, the LM hash, hung around in Windows long afterwards.
The LM hash uppercases the password, cuts it at 14 characters, pads it with nulls and divides it into two 7-character portions. Each portion becomes a DES key that encrypts the constant string “KGS!@#$%”, and the two 8-byte results are glued together into the 16-byte hash. Doing two small DES operations instead of one big one eased the performance burden. Remember, this was during the paleolithic age of the 486 processor, so CPU time was costly. The problem with LANMAN was that this design isn’t very secure.
Normally the longer the password, the more difficult it is to crack. But since LANMAN divides the password into two independent 7-character chunks, you never have to crack a 14-character password: you crack a 7-character password in one section and another 7-character password in the other, and you can attack both at once. Incidentally, if the password is 7 characters or fewer, the second chunk is all nulls, so the second half of the hash is always the same value: AAD3B435B51404EE. Seeing that value in a dump tells you straight away that the password is short.
Another security problem, obviously.
LANMAN bifurcated the password to optimize performance but this unwittingly introduced a security flaw, because it made the job of cracking passwords really, really easy. Most people used L0phtcrack to compromise machines that still stored LANMAN hashes.
Next came the NT hash, used by the NT LAN Manager (NTLM) protocol that shipped with Windows NT. It’s a 16-byte MD4 digest of the password encoded as UTF-16, with no 14-character cap, so it’s longer and more difficult to crack than its predecessor. Here’s the part a lot of articles get wrong: the NT hash does not uppercase anything. “dontStealMyMon3y” and “DONTSTEALMYMON3Y” produce different NT hashes; only LANMAN throws the case away. The catch is that Windows kept storing the LM hash right alongside the NT hash by default through XP and Server 2003, so an attacker who dumps the SAM cracks the easy LANMAN halves first and then only has to try case variations of the result against the NT hash. The NT hash has a weakness of its own too: it’s unsalted and MD4 is extremely fast, so a cracker can try billions of guesses per second against it.
So NT LAN Manager version 2 (NTLMv2) came out. It never sends the hash across the wire; it sends an HMAC-MD5 (128 bits, not 128 bytes) keyed with the NT hash over the username, domain and a server challenge. That defeats replay and precomputed tables, but it’s still crackable: a captured challenge/response can be attacked offline by guessing passwords, because the key underneath is still the unsalted NT hash.
Kerberos is also crackable. It’s hard to directly crack a ticket, but the encrypted part of a service ticket is protected with a key derived from the service account’s password (with the RC4 encryption type that key is literally the account’s NT hash), so a ticket you were legitimately issued can be brute forced offline by tools built for the job. This is significant because Kerberos is the de facto protocol used between a domain joined PC and a Windows Server.
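Here’s an added example, mine rather than anything from the original post or from Microsoft, that makes the two stored formats concrete. It computes the real NT hash (MD4 over UTF-16LE, written out in pure Python because hashlib on OpenSSL 3 builds usually no longer offers MD4) and shows the LANMAN pre-processing: uppercase, cut at 14, split into two 7-byte DES keys. The DES step that encrypts “KGS!@#$%” is deliberately left out since Python’s standard library has no DES; the LM_EMPTY_HALF constant and all the function names are my own.

```python
import struct


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320) in pure Python. Present here only because many hashlib
    builds on OpenSSL 3 no longer expose 'md4'."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    # Merkle-Damgard padding: 0x80, zeros to 56 mod 64, then 64-bit LE bit length
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (F, 0x00000000, range(16), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                t = (a + fn(b, c, d) + X[k] + const) & 0xFFFFFFFF
                a, b, c, d = d, _rotl(t, shifts[i % 4]), b, c
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """The NT hash Windows actually stores: MD4 over the UTF-16LE password.
    No salt, no iteration count, case preserved."""
    return md4(password.encode("utf-16-le")).hex()


# DES_k("KGS!@#$%") with an all-zero 7-byte key; value quoted from the post above
LM_EMPTY_HALF = "aad3b435b51404ee"


def lm_key_halves(password: str):
    """Pre-processing of the LM hash: uppercase (OEM code page), cut to 14
    bytes, null-pad, split into two independent 7-byte DES keys. The DES
    encryption of "KGS!@#$%" under each key is omitted; the two keys are
    what a cracker really has to search (each one is only 7 characters)."""
    pw = password.upper().encode("cp437", "replace")[:14].ljust(14, b"\x00")
    return pw[:7], pw[7:]


def lm_second_half_is_constant(password: str) -> bool:
    """True for any password of 7 characters or fewer: the second DES key is
    all zeros, so the second half of the LM hash is always LM_EMPTY_HALF."""
    return lm_key_halves(password)[1] == b"\x00" * 7


if __name__ == "__main__":
    for pw in ("", "password", "Password", "dontStealMyMon3y"):
        print(f"{pw!r:20} NT={nt_hash(pw)} LM keys={lm_key_halves(pw)}")
```

Two things worth checking when you run it: the empty password hashes to 31d6cfe0d16ae931b73c59d7e0c089c0, which is why that value in a SAM dump means “no password set”, and “Password” and “password” give different NT hashes while their LM keys are identical.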
How to do it?
There are several options:
Sometimes the most effective way to crack passwords is to guess. You may be tempted to gainsay my claim that guessing is an effective password cracking method, but let’s think about this. If you already know the company password policy, or discovered it through social engineering, then the guesses get much easier. Or maybe you just watched someone enter their password.
Most people can’t figure out the key order from watching someone type a password because it happens too quickly; however, a few folks have perfected the art of shoulder surfing. We can’t rule out the viable option of obtaining passwords through keen observation. It’s even easier if the user is tapping a password into an iPhone, Android or Blackberry, because each character is temporarily enlarged as it’s pressed.
The other option is to do network captures.
You can use a protocol analyzer such as Wireshark to capture passwords sent through the network in cleartext.
- FTP sends credentials in cleartext.
- Telnet sends credentials in cleartext
- POP3 sends email passwords cleartext.
- SNMP versions 1 and 2c even transmit the community string, which is effectively the password, in cleartext.
But ultimately this doesn’t matter. Even when a protocol never puts the password itself on the wire, as with NTLM’s challenge/response over SMB, what you capture can still be fed to a specialized cracking tool and guessed offline.
Cracking open the dictionary
Another way to crack passwords is a dictionary attack. You take a huge list of dictionary words and common passwords, run each one through the same hashing algorithm the target used, and compare the result with the digest you stole. If a result matches, you know the password. The attack only costs one hash per word, which is why it’s always the first thing a cracker tries.
Brute force of course
Brute force is another method. It uses an automated approach to generate every feasible combination a password could be, and it keeps hashing and comparing those values until it hits. It is thorough but expensive: the work grows with the size of the character set raised to the length of the password, so in practice it’s limited to short passwords or small character sets.
A hybrid attack combines the reliability of a dictionary with some of the thoroughness of brute force. It starts from dictionary words and applies rules to them: capitalizing the first letter, appending digits or a year, swapping letters for leetspeak. This is the attack that catches “Baseball99”-style passwords that satisfy a complexity policy, and it’s the most effective password cracking effort in practice.
Looking at how this works
Let’s say my password hash digest is 14ML33T. Real hashes are longer but let’s keep it simple for this demonstration.
And let’s say you think my password is “fixedbyvonnie”. So you would run the string “fixedbyvonnie” through a hashing algorithm like MD5 and get a digest of N0TH4TNT. Then you compare the digests. Since they don’t match, you know my password can’t be “fixedbyvonnie”.
But you’re resolute so you try another one. Let’s say you tried “brokebyvonnie”. You run this through the same hashing function but this time the digest matches the digest on your file: 14ML33T. Now you know my password! My password must be brokebyvonnie because the digests match.
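An added example, mine and not the author’s, that turns the guess-and-compare loop above into the three attacks just described, working against unsalted SHA-256 as in the HashCalc demo that follows. The wordlist, the mangling rules and the target passwords are constructed for the demo; the hash function is a parameter, so the same loop runs against NT hashes from a SAM dump if you pass in an NT hash routine instead.

```python
import hashlib
import itertools
import string

# Constructed stand-in for a real wordlist such as rockyou.txt
WORDLIST = ["123456", "password", "1234567", "baseball", "letmein", "qwerty", "fixedbyvonnie"]


def sha256_hex(candidate: str) -> str:
    # Unsalted SHA-256 of the candidate, the same thing HashCalc computes
    return hashlib.sha256(candidate.encode("utf-8")).hexdigest()


def dictionary_attack(target: str, words, hash_fn=sha256_hex):
    """Hash each word once and compare with the stolen digest."""
    for word in words:
        if hash_fn(word) == target:
            return word
    return None


def mangle(word: str):
    """Hybrid rules: case toggles, leetspeak and 1-2 digit suffixes (a tiny
    subset of what a hashcat or John rule file does)."""
    leet = word.translate(str.maketrans("aeios", "43105"))
    for base in (word, word.capitalize(), word.upper(), leet):
        yield base
        for n in range(100):
            yield f"{base}{n}"
            yield f"{base}{n:02d}"


def hybrid_attack(target: str, words, hash_fn=sha256_hex):
    for word in words:
        for candidate in mangle(word):
            if hash_fn(candidate) == target:
                return candidate
    return None


def brute_force(target: str, charset=string.digits, max_len=5, hash_fn=sha256_hex):
    """Exhaustive search, shortest candidates first. Cost is |charset|**n,
    which is why a cracker runs this last and keeps the keyspace small."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            candidate = "".join(combo)
            if hash_fn(candidate) == target:
                return candidate
    return None


def crack(target: str, words=WORDLIST, hash_fn=sha256_hex):
    """Run the attacks cheapest-first. Returns (method, password) or (None, None)."""
    for name, attack in (("dictionary", dictionary_attack), ("hybrid", hybrid_attack)):
        hit = attack(target, words, hash_fn)
        if hit is not None:
            return name, hit
    hit = brute_force(target, hash_fn=hash_fn)
    return ("brute-force", hit) if hit is not None else (None, None)


if __name__ == "__main__":
    # Constructed targets: the post's own 1234567, a policy-compliant mangled word,
    # a short PIN, and the long mixed-case password from the top of the post
    for pw in ("1234567", "Baseball99", "4242", "dontStealMyMon3y"):
        print(f"{pw:18} -> {crack(sha256_hex(pw))}")
```

Note that the last target survives: the wordlist doesn’t contain it, no rule produces it, and a brute force of digits up to length 5 never reaches it. Length and unpredictability, not the choice of SHA-1 versus SHA-256, are what make the difference.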
You can see this for yourself with a hashing tool like HashCalc. Here’s what the “brokebyvonnie” hashes look like in several of the most popular hashing algos:
For example, check this out: here’s a real password digest of one of the most common passwords of all time.
Let’s say you somehow obtained this hash and needed to know the password hidden behind it. You could enter a few strings in HashCalc, starting with the most common passwords:
Bingo! You’re two for two now.
You can see 1234567 matches the SHA256 hash in notepad.
Wasn’t that easy?
Also notice that it doesn’t matter that SHA256 is cryptographically stronger than SHA1. If you have the hash you can still deduce the password by guessing. The 256 is the length of the digest in bits, not the size of the space an attacker has to search; that space is the set of passwords people actually choose, and a hybrid attack tries the common ones first. SHA256 and SHA512 aren’t encryption, either: their strength lies in nobody being able to find collisions or preimages, and that says nothing about how fast an unsalted, single-pass hash of a weak password falls. What actually slows an attacker down is a per-user salt and a deliberately slow, iterated function such as bcrypt or PBKDF2, and the NT hash Windows stores has neither.
But how do you even get these hashes in the first place? I’m glad you asked my friend.
In the next part of this series we’re going hands on with the password crack. We’ll use PwDump6 and Cain to steal the user account hashes off a Windows Server 2003 machine.
Check back tomorrow.