A lot of people believe that password cracking is complex or requires a large budget to complete. And of course, the general public believes that it's only for criminals. Well, I'm here to say that's not the truth. Not only am I going to show you how you yourself can start cracking passwords, but I'm going to do it on "cheap" commodity hardware too (a laptop with an 8th gen i7 processor and 16GB RAM).
Why Cracking Passwords Matters?
I think that is the biggest question that anyone in the IT industry would ask. Not only that, but they want to know why they should invest the time, and potentially money to crack their own users' passwords. Arguments that are common include:
- We require a long password (15 characters minimum)!
- We require capital and lower characters and numbers and symbols!
- We check with Have I Been Pwned so users can't use an already known password!
- We teach all our users to use passphrases!
What if I told you that I can bypass literally all of those rules you've just described, and STILL make an incredibly weak password?
I present to you AzureRandomPassword1! this password meets the minimum length requirement. It has capital and lower characters, numbers and symbols. It's not in the Have I Been Pwned database (yet), and it's a passphrase. And I'm willing to bet that I could crack it in under 8 hours.
What this proves is that all your fancy password rules, while they help, don't stop end users from making incredibly dumb, and weak passwords. Because at the end of the day, our brains are really bad at making passwords and passphrases.
So, your last defense against bad passwords is to crack them before your enemies do, before they get a dump of your user password hashes.
But Cracking Takes So Much Time!
Does the actual cracking/brute forcing take time to complete? Yes absolutely. But the actual setup, and running of the commands to get going is actually incredibly straight forward, quick, and simple process. Personally, I went from not knowing how to do it at all, to cracking more than 20% of my user base passwords in just under 45 minutes. That's a massive ROI when it comes to time. If cracking them first successfully stopped an attack even just once, it will have saved me hours or even days of time in cleanup efforts, and the company I work for tens of thousands of dollars.
OK, I'm Convinced, Show Me How!
Prerequisites
- Service Account with Directory Replication permissions (or AD Domain/Enterprise Admin)
Getting Started with DSInternals
To get started with our password cracking endeavor we have to start by replicating all of our user accounts NTLM passwords to a text file that Hashcat can understand. Make sure you store this text file someplace securely; it stores the username and the hash for their password.
Install-Module DSInternals
Get-ADReplAccount -All -Server DCNAME -Credential (Get-Credential) | Where-Object Enabled -eq "True" | Format-Custom -View HashcatNT > userhashes.txtYes, it really is this simple to get the hashes for users. Do note that if you have any semi-decent threat detection software it should alert that a non-DC computer/account is replicating the DC.
Get Started with Hashcat
For this part, I highly recommend getting the binaries direct from the Hashcat website. Not only is it probably more up to date than your repositories for Linux users, but I've also found to have better success with hardware support. The repository binaries are often built in such a way that they fail to work on some hardware. On top of that, it is also easier to follow this tutorial.
Now that you have Hashcat itself, you'll need a wordlist as well, this will massively speed up your password cracking efforts over brute force. To get started I recommend the rockyou.txt list (extremely famous cracked password list). You can find a copy of it on this amazing wordlist Github repo (I'll show you how to merge lists later).
From here, we just need to run Hashcat on our user password hash list.
hashcat -m 1000 -a 0 --username userhashes.txt rockyou.txt -r rules/dive.ruleTo explain what's happening here, -m sets the hashing mode, in this case 1000 represents NTLM hashes. -a sets the attack mode for the attack, in this case 0 means dictionary attack. --username tells Hashcat that our file contains usernames. The two parameters after that set the userhashes.txt file we generated with DSInternals, and the dictionary Hashcat will use. -r sets the Hashcat rules that will be used. In this case a built-in ruleset.
From here we just have to wait for this to finish running, on my laptop it took around 24 hours to complete with nothing but CPU. Adding a single very old Nvidia workstation GPU though dropped this down to 8 hours.
The next command we want to run will also be a dictionary attack, but with a different ruleset.
hashcat -m 1000 -a 0 --username userhashes.txt rockyou.txt -r rules/d3adhob0.ruleAnd then finally, after this rule is complete, if you want to continue your attack even further, we can now brute force attack passwords.
hashcat -m 1000 -a 3 --username userhashes.txtOnce you're done attempting to crack passwords, it's time to find out which users have bad passwords, and see those passwords in plain text!!!
For that we can simply run the following commands:
copy hashcat.potfile weakhashes.txtThis converts the hashcat.potfile into a regular text file that can be used by other commands and services. You can also open it up and read it yourself. The format of this file is the hashed password, and then the plain text password after.
Finally, to perform the actual comparison:
Get-ADReplAccount -All -Server <DC> -Credential (Get-Credential) | Test-PasswordQuality -WeakPasswordHashes weakhashes.txt > Pass_Result.txtThis will spit out a text file that contains all the users with weak passwords that you can then use to reset user passwords.
I Want More Advanced Custom Dictionaries!
Awesome! But where to start with expanding your dictionary? Well, I'd recommend starting by adding company specific information, things like products you use and sell, company specific slang, etc.
To get started with this I recommend creating a new text file called something like companyslang.txt that you can then enter a new term on each line. It would look something like this:
microsoft
sysadmins
sysadmins
journal
ghost
javascriptFrom there, we can combine the rockyou.txt with your custom list using a pretty simple PowerShell Command:
Get-Content rockyou.txt,companyslang.txt | Select-Object -Unique | Set-Content -Encoding UTF8 customdict.txtThis will output a UTF-8 encoded text file with the combined contents of the two files.
I would also recommend exploring the Wordlist GitHub repo linked earlier, and merging some of those in (such as popular names, Hotmail, city names, etc.) you should also add things like local sports teams, popular locations, etc.
The goal of your dictionary is to shorten the amount of time it takes to crack passwords, which means some guessing is required to figure out what your users might be using in their passwords.
I've Done This, And My Users Passwords Are Weak!
Yep, that's pretty much what is expected from doing this, my first run I managed to get about 20% of employees' passwords, but I've also heard from others that they've had has high as 45%.
So, what's the solution? Well for one we can train users to use long passphrases, containing multiple words, numbers, symbols, padding, uncommon words, etc. And we can also make sure that we're implementing either multi-factor authentication wherever we possibly can, and even better passwordless when possible.
The good news is now you have a benchmark of your users' passwords. Now start training them, and keep cracking passwords, with any luck your users will listen and they'll start making more secure passwords. And if they start listening, the number of passwords you successfully crack should decrease every time you run this test.
