Cracking Windows Accounts Passwords in 25 Secs - BETA Version of the Article

THIS IS A BETA VERSION OF THIS ARTICLE

We are looking forward to your comments. Tell us what you like, what you do not like, and what should be changed or added to this article – visit the comments section.

The final version of this article will be available in the upcoming Password Attacks issue. You can preorder it here:

https://pentestmag.com/password-attacks-pentest-regular/

You can also send your feedback to the following address: [email protected]

Introduction

In any secure operating system, passwords are stored hashed, encrypted, or masked, but never in clear text, for several reasons, including improving the overall security posture and protecting passwords from disclosure in case of a data leak.

Unlike other operating systems, Windows uses its own hashing algorithms. Two versions exist: LM and NTLM. This article explains both hashes briefly, introduces several ways of cracking Windows hashes, and then gives a step-by-step guide to cracking a password of fewer than 7 characters hashed with NTLM.



The Basics

This section explains the two hashing algorithms without digging too deep into the details of either; the focus is on their security strengths and weaknesses.

LM Hashes

Also known as LanMan or LAN Manager hashes. The LM hash is an obsolete hashing function used in earlier versions of Windows (prior to NT). It is no longer used; if it is found on a system, it is there for backward compatibility and not for password storage.

Weakness

Passwords are limited (truncated) to 14 characters. Password case is ignored: everything is converted to uppercase.

Limited key space. A normal desktop computer can brute-force the whole key space in several hours, because any password longer than 7 characters is split into two 7-character halves that are encrypted independently with DES, which leaves the hashing function severely vulnerable.

Vulnerable to pass-the-hash: in a network environment the hash itself can be reused in place of the password.

NTLM Hashes

Because of the weaknesses in the LM hashing function, NTLM was introduced in the generations of Windows that followed the NT family. NTLM, or NT LAN Manager, is the hashing function used in today's Windows versions, including Windows 7.

Weakness

Still no salting of any kind (a salt is a random value added to the password before hashing, which defeats rainbow table attacks). All attack types are explained later in this article.

Attacks Types

Brute Force

Unlike other attack types, where the attacker focuses on finding a single weakness (usually called a security vulnerability) and exploiting it to gain access to the system, a brute force attack targets one or more accounts of any application or system by trying different combinations of usernames and passwords. It is also called an exhaustive key search.

In the case of LM/NTLM hash brute forcing, a password is generated, hashed, and then compared to the target hash. Since Windows adds no salt to its hashes, this is a fairly effective method when the password is short.

The efficiency of this attack depends on the processing power used to calculate the hashes of the generated passwords. Candidate passwords are usually generated at random, but some developers use a special ordering that tries the most common passwords first and random ones later.

One of the most famous tools for this method is JTR, or John the Ripper. JTR and other cracking tools are explained later in this article.
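The two preceding sections make two claims that are easy to see in code: the NT hash is an unsalted function of the password alone, and cracking it is nothing more than hashing candidates and comparing. The following Python is an added example, not code from the article or from any of the tools it names. It implements MD4 in pure Python (hashlib's md4 is disabled in many OpenSSL 3 builds), derives the NT hash as MD4 over the UTF-16LE password, and then hashes a candidate list exactly once into a lookup table. Because no per-account salt enters the hash, that one table can be reused against every dumped hash, which is the property both the brute force attack and the precomputed tables of the next section rely on. The candidate list and the MD4 code are constructed for this example; the hashes of the empty string and of "password" are well-known values. The same table lookup doubles as an audit of a hash dump from your own systems: any account whose hash is found is using a list password.

```python
import struct
from typing import Dict, Iterable, Optional

# Added example (not from the article): NT hash computation plus an unsalted
# lookup table.  MD4 is written out here because hashlib's md4 is often
# unavailable without OpenSSL's legacy provider.
_MASK = 0xFFFFFFFF


def _rol(x: int, n: int) -> int:
    """32-bit rotate left."""
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """MD4 digest as specified in RFC 1320."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    f = lambda x, y, z: (x & y) | (~x & z)            # round 1 function
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)   # round 2 function
    h = lambda x, y, z: x ^ y ^ z                     # round 3 function
    rounds = (
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", bytes(msg[off:off + 64]))
        a, b, c, d = a0, b0, c0, d0
        for func, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                t = _rol((a + func(b, c, d) + x[idx] + k) & _MASK, shifts[i % 4])
                a, b, c, d = d, t, b, c   # registers rotate: next step updates what was d
        a0 = (a0 + a) & _MASK
        b0 = (b0 + b) & _MASK
        c0 = (c0 + c) & _MASK
        d0 = (d0 + d) & _MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """NT hash as stored in the SAM: MD4 over the UTF-16LE password, no salt."""
    return md4(password.encode("utf-16le")).hex().upper()


def build_lookup(candidates: Iterable[str]) -> Dict[str, str]:
    """Hash each candidate exactly once.  Nothing account-specific enters the
    hash, so this table is valid against every SAM dump ever collected; that
    is what makes precomputed (rainbow) tables practical against NTLM."""
    return {nt_hash(p): p for p in candidates}


def recover(target_hash: str, table: Dict[str, str]) -> Optional[str]:
    """The brute-force 'generate, hash, compare' loop reduced to a lookup."""
    return table.get(target_hash.strip().upper())


# Constructed wordlist standing in for a real dictionary or a mask generator.
CANDIDATES = ["password", "Password1", "letmein", "123456", "qwerty"]

if __name__ == "__main__":
    table = build_lookup(CANDIDATES)
    # Well-known NT hash of "password"; any dump containing it is using a list password.
    print(recover("8846F7EAEE8FB117AD06BDD830B7586C", table))
```

Adding a salt to this scheme would force the table to be rebuilt per account; Windows does not, which is why the same precomputed tables work against every machine.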

Protection

Using lengthy passwords and enforcing account lockout should be sufficient to protect any user from this type of attack.


Memory Based Attacks - Rainbow Tables

This is also called a Time–Memory Trade-Off (TMTO): the process does not depend on the power of the processor used to calculate the hashes. Instead, the hashes are pre-calculated and stored in huge data tables called rainbow tables.

To get an idea of how ‘big’ such tables can be, Table 1 lists NTLM precalculated hash tables for different character sets. Usually an alphanumeric set of 1 to 9 characters is very effective against most passwords, due to the limits of human memory when it comes to remembering long, complex passwords.

Table 1 - RainbowTables sizes of different character sets.
Cloud (Hybrid) Attacks

This is not a separate attack type; rather, it is a combination of the two, depending on the attacker's needs. Cloud password cracking is becoming more common than before, due to the low cost and ease of renting ‘CPU power’ and the unlimited hosted storage.

Many of these services are offered for free initially, but users have to pay if the password is recovered. The name may also be changed to “password recovery service” for legal reasons.
Tools

Both freeware and commercial tools are available for cracking passwords. Cracking a password means using one of the attacks above to recover the original password from its hash.

JTR - John the Ripper

John the Ripper is a fast password cracker, currently available for many flavors of Unix, Windows, DOS, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix systems, supported out of the box are Windows LM hashes, plus lots of other hashes and ciphers in the community-enhanced version.1

This tool is obviously not only for LM/NTLM hashes but is usable for other hash types as well. It uses a brute force attack on the hash.


Ophcrack

Ophcrack is a free Windows password cracker based on rainbow tables. It is a very efficient implementation of rainbow tables done by the inventors of the method. It comes with a Graphical User Interface and runs on multiple platforms.1

This tool is more focused on Windows passwords (hashes) and uses the TMTO attack type. What is more interesting is that a live CD was created to help export the hashes from a Windows machine, since these are protected by the operating system, as mentioned earlier in this article.

What is appealing about this tool is its well-formed GUI and easy-to-use interface. Figure 3 is an example of Ophcrack cracking multiple Windows passwords on a Linux machine.

Figure 3 - Ophcrack cracking multiple Windows passwords on a Linux machine.

Hashcat

oclHashcat is a GPGPU-based multi-hash cracker using a brute-force attack (implemented as mask attack), combinator attack, dictionary attack, hybrid attack, mask attack, and rule-based attack.

There are two things to note here:

1. First is the use of GPGPU, General-Purpose computation on Graphics Processing Units, also known as GPU computing. Graphics Processing Units (GPUs) are high-performance many-core processors capable of very high computation and data throughput. Once specially designed for computer graphics and difficult to program, today’s GPUs are general-purpose parallel processors with support for accessible programming interfaces and industry-standard languages such as C. Developers who port their applications to GPUs often achieve speedups of orders of magnitude vs. optimized CPU implementations.1 Using a GPU can massively speed up a brute force attack. To see the difference, a test was made and the GPU vs. CPU performance is plotted in Figure 4.

Figure 4 - GPU vs. CPU performance comparison.

2. The use of multiple attack types, including hybrids of several attacks at once. This is what cloud services use to crack passwords and charge users for them.


Step by Step Guide

Exporting the SAM and SYSTEM Hives

To start cracking Windows password hashes, an attacker needs the hashes first. The hashes are stored in special, protected files in the system directory of the Windows file system.

Since both are protected while Windows is running, unless the attacker has SYSTEM privileges (via privilege escalation) both hives are inaccessible, and hence there is a need to boot into a Linux live CD such as Knoppix, Kali or BackTrack.

What are the SAM and SYSTEM Hives?

A hive is a logical group of keys, subkeys, and values in the registry that has a set of supporting files containing backups of its data.1 The SAM (Security Accounts Manager) hive is where the hashes of all user accounts are stored. The location of the SAM hive varies with the Windows version of the target machine; by default it is under X:\Windows\System32\config.

Once both hives have been located and mounted under the running Linux OS, they can be copied to a safe place to be cracked later.
Extracting the Hashes from the Hives

Before the hashes can be cracked they need to be extracted from the hives. Thankfully there is a tool for that called samdump2. Assuming SAMHive is the SAM file copied earlier and SYSTEMHive is the SYSTEM file copied earlier, an attacker can export the hashes using this simple one-line command (samdump2 takes the SYSTEM hive first, then the SAM hive; here both are read straight from the mounted Windows partition):

$ samdump2 /mnt/XXX/WINDOWS/system32/config/system /mnt/XXX/WINDOWS/system32/config/sam

The output should be something like this:

Administrator:500:**NO PASSWORD********:0CB6948805F797BF2A82807973B89537:::

The NO PASSWORD field is reserved for the LM hash, which is not in use here. The hash to be cracked in this case is: 0CB6948805F797BF2A82807973B89537
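The samdump2 output above is in the pwdump format, user:RID:LM hash:NT hash:::. The following Python is an added example, not from the article or from samdump2: it parses such output and reports the two weaknesses this article has described so far, accounts where a real LM hash is still stored (the LM field holds 32 hex digits other than the well-known “no LM hash” constant, rather than a NO PASSWORD placeholder) and accounts with an empty password (the NT hash of the empty string). Both constants are well-known values. In the sample dump, the Administrator line is the one from the article; the Guest and legacyuser lines and their hash values are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List

# Added example (not from the article): parse samdump2 / pwdump-style output
# and flag what a defender would want to know.  The two constants are the
# well-known hashes of the empty string, not values taken from any system.
EMPTY_LM = "AAD3B435B51404EEAAD3B435B51404EE"   # LM hash of "" / LM storage disabled
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"   # NT hash of ""
_HEX32 = re.compile(r"^[0-9A-F]{32}$")


@dataclass
class Account:
    user: str
    rid: int
    lm: str   # LM field as dumped, uppercased
    nt: str   # NT field as dumped, uppercased

    def lm_stored(self) -> bool:
        """True when a real LM hash is present: 32 hex digits that are not the
        'no LM hash' constant.  Text placeholders such as 'NO PASSWORD***...'
        mean the hive holds no LM hash at all."""
        return bool(_HEX32.match(self.lm)) and self.lm != EMPTY_LM

    def empty_password(self) -> bool:
        return self.nt == EMPTY_NT


def parse_pwdump(text: str) -> Iterator[Account]:
    """Yield one Account per 'user:rid:lm:nt:::' line; blank lines are skipped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"line {lineno}: expected user:rid:lm:nt:::, got {line!r}")
        user, rid, lm, nt = parts[:4]
        yield Account(user, int(rid), lm.upper(), nt.upper())


def audit(text: str) -> Dict[str, List[str]]:
    """Map each user to the findings a reviewer of the dump would raise."""
    findings: Dict[str, List[str]] = {}
    for acct in parse_pwdump(text):
        issues: List[str] = []
        if acct.lm_stored():
            issues.append("LM hash stored: password is at most 14 chars, case-folded, DES-based")
        if acct.empty_password():
            issues.append("empty password")
        if acct.rid == 500:
            issues.append("built-in Administrator (RID 500): enforce a long passphrase")
        findings[acct.user] = issues
    return findings


# Constructed sample dump.  The Administrator line is the one shown in the
# article; the Guest and legacyuser lines (and their hash values) are made up.
SAMPLE_DUMP = """\
Administrator:500:**NO PASSWORD********:0CB6948805F797BF2A82807973B89537:::
Guest:501:NO PASSWORD*********************:31D6CFE0D16AE931B73C59D7E0C089C0:::
legacyuser:1001:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:::
"""

if __name__ == "__main__":
    for user, issues in audit(SAMPLE_DUMP).items():
        print(user, issues or ["no findings"])
```

On a machine that has disabled LM storage (the default since Windows Vista), every LM field should be a placeholder or the EMPTY_LM constant; any other 32-hex value there is a legacy hash that should be removed by resetting the password with the LM policy in force.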
Download Pre-calculated Hash Tables

Fortunately, attackers have access to massive rainbow tables that have been precalculated in advance. Some providers charge for each table, others are free. FreeRainbowTables.com is probably the best website offering free rainbow tables for password recovery.
Recovering the Hash

This step depends entirely on the software the attacker uses; refer back to the Tools section.

rcracki_mt can be used to perform a rainbow table attack on password hashes. It is intended for indexed and perfected rainbow tables, mainly generated by the distributed project.2

$ rcracki_mt -h ***HASH*** -t 4 /path/to/RainbowTables/
-t: number of threads
-h: the hash to crack

Depending on how complex the password is and which table is used, the time varies from a few seconds to many minutes.


Many other methods exist. Google is a good start.

One More Thing...

Users usually have a serious habit of reusing passwords. Expect to see the same password for that user across all of his/her online accounts.



March 21, 2014

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013