If you would like to read the first part in this article series please go to How I Cracked your Windows Password (Part 1).
In the first part of this series we examined password hashes and the mechanisms Windows uses to create and store those values. We also touched upon the weaknesses of each method and the possible avenues that can be used to crack those passwords. In this second and final article in the series I will walk you through the process of cracking passwords with different free tools and provide some tips for defending against having your password cracked.
It is always crucial to note that the techniques shown here are strictly for educational purposes and should not be used against systems for which you do not have authorization.
In order to crack passwords you must first obtain the hashes stored by the operating system. These hashes live in the Windows SAM hive. This file is located on your system at C:\Windows\System32\config\SAM but is locked by the kernel and cannot be copied while the operating system is running. The same data is exposed in the registry under HKEY_LOCAL_MACHINE\SAM, but by default that area of the registry is also not readable, even by administrators, while the operating system is booted. Note also that the hashes inside the SAM are themselves encrypted with the boot key (SYSKEY) kept in the SYSTEM hive in the same directory, so any tool that reads the SAM offline needs both files.
There are a few different options here depending on the level of access you have to the machine you are auditing.
If you have physical access, one of the most effective methods is to boot the computer into a different operating system. If you are comfortable using Linux, this means you can simply boot a Linux live CD that is capable of reading NTFS drives, mount the Windows partition, and copy the SAM file (together with the SYSTEM hive from the same directory, which holds the key needed to decrypt the hashes) to external media.
If you are not quite comfortable doing this, you can use Petter Nordahl-Hagen's famed Offline NT Password & Registry Editor, available here. This is a bootable Linux distribution designed to help users who have forgotten their passwords by letting them reset those passwords. The software takes the user's input, creates a valid hash, and replaces the old hash in the SAM file with the new one. This is useful to us because we can also use the distribution simply to read the SAM file and get at the hash data.
In order to do this, boot from the CD image, select your system partition and the location of the SAM file and registry hives, choose the password reset option [1], launch the built-in registry editor [9], browse to SAM\Domain\Account\Users, browse to the key for the user you wish to access, and use the cat command to view the hash data stored in the values. The output is a hex dump, but it works with a simple conversion. One caveat: on any system with SYSKEY enabled (the default since Windows 2000) the hash bytes in this dump are still encrypted with the boot key from the SYSTEM hive, so a tool that decrypts them using both hives is the reliable route to usable hashes.
Figure 1: Hex output of the SAM hash
Before using the Offline NT Password Editor to actually reset a password, be sure that the account is not using the Encrypting File System (EFS) on Windows XP/2003 or later. Resetting the password in that case causes the user to lose access to their EFS keys, and with them every EFS-encrypted file, which is a bigger problem than a forgotten password.
If you are performing password auditing without physical access to the device in question, but you still have console access through Remote Desktop or VNC, then you can obtain password hashes with fizzgig's fgdump utility, obtainable here. fgdump has to run with administrator rights, because it reads the hashes out of the running LSASS process rather than from the locked file on disk.
Once you have downloaded fgdump to the host you can simply run it with no options to create a dump of the local machine's SAM.
Figure 2: Confirmation the Fgdump Utility Ran Correctly
Once this is completed, a file will be generated in the same directory the utility was launched from, containing a list of all user accounts, their LM hashes, and their NT (NTLM) hashes. These are the stored NT hashes; NTLMv2 is a network authentication protocol, not something found in a SAM dump.
Figure 3: Password Hashes Output by Fgdump
Finally, if you do not have any interactive access to the machine that has the hashes you want, your best bet is to capture the authentication traffic as it travels across the network. What you capture in that case is not the stored hash but the NTLM challenge and response, which can also be cracked. Of course, this will only work if the client is authenticating to a domain controller or accessing resources on another host; otherwise, you are more out of luck than a one-armed man in a paper hanging contest.
If you are on the same network segment as the target client you can use the Cain and Abel program to intercept the authentication exchanges as they are transmitted between devices. Cain and Abel is a free utility downloadable from here. Using Cain and Abel you can initiate a process called ARP cache poisoning, which is a man in the middle attack that takes advantage of the ARP protocol to route the traffic between two hosts through your computer. While ARP cache poisoning is active you can use Cain and Abel's built-in network sniffer, making it possible for you to capture the NTLM authentication exchanges between the poisoned hosts and feed them to its cracker. The theory behind ARP cache poisoning and how to do it are another lesson in itself and a bit beyond the scope of this article, but if you wish to learn more about ARP cache poisoning you can do so here.
Now that we actually have password hashes we can try to crack them. If you have already downloaded and installed Cain & Abel then you are a step ahead, because we will be using it to crack our sample LM hashes.
If you have not yet installed Cain and Abel you can download it from here. The installation is just a matter of hitting Next a few times. If you do not already have it installed, you will also be prompted to install the WinPcap packet capture driver used for Cain and Abel's sniffing features. Once installed you can launch the program and click on the Cracker tab near the top of the screen. After doing this, click on the LM & NTLM Hashes header in the pane on the left, right-click in the blank area in the center of the screen, and select Add to List.
Cain will not accept a simple copy and paste of the password hash, so you will have to place the hash in a text file formatted a special way. If you extracted your hashes using fgdump then you already have the text file you need, which contains one account's hashes per line.
Figure 4: Accepted Formatting of Passwords Hashes
If you extracted your password hashes manually you will need to create a file with a line for every user account. Each line should contain the username, the relative identifier (RID) portion of the user's SID, the LM hash and the NT hash, separated by colons and terminated by three colons. The format is:
Username:RID:LMHash:NTLMHash:::
Browse to this file, select it, and click Next to import the hashes into Cain and Abel. Once this is done, right-click the account whose password you want to crack, select the Brute-Force Attack option, and choose LM Hashes. A brute force attack tries every possible password combination against the hash value until it finds a match. On the screen that follows you can select the characters you want to use for the brute force attack and the minimum and maximum password lengths. Notice that the character set is automatically configured to use only upper case characters and numbers with a maximum length of 7. This is due to the characteristics of LM hashes: the password is converted to upper case and each 7-character half is hashed independently, so each half can be attacked on its own.
In our example scenario, where the password is PassWord123, we see immediate partial results as the program reports that "Plaintext of 664345140A852F61 is D123". We have already cracked the second half of the password hash. On the hardware of the time, going through every possible combination for a half took no longer than 2 ½ to 3 hours, guaranteeing eventual success; current hardware finishes the same search far faster.
Figure 5: Cain Successfully Cracks the LM Password Hash
Cain and Abel does a good job of cracking LM hashes but it is a bit slow, and its cracking of NT hashes is slower still. If you are comfortable using the command line for your password cracking activities, then John the Ripper is one of the fastest and most widely preferred cracking engines.
You can download John the Ripper from here. Once you have extracted the contents of the archive you will find the john-386.exe executable in the run subdirectory. John has a few different modes it can be run in, but to run it in its default mode all you have to do is supply the file containing the password hashes as an argument when you run the executable from a command prompt. John reads the same pwdump-style file that Cain does.
Figure 6: John the Ripper Attempting to Crack a Password
Once it has completed, John the Ripper displays the cracked passwords and stores the results in its john.pot file. In most situations the default behaviour (single crack mode, then wordlist mode, then incremental mode) is fine, but John the Ripper also lets you pick a mode explicitly: single crack mode, which derives candidates from the account name and related fields; wordlist mode, which tries a dictionary with optional mangling rules; incremental mode, which is an exhaustive search over a character set; and external mode, which runs candidate generators you define yourself.
John is very efficient in all of its cracking modes and is my typical program of choice for password cracking.
When you suspect an NT hash of belonging to a highly complex password that would be too time consuming to crack, the next logical option is rainbow tables. A rainbow table is a precomputed table that trades storage for cracking time: rather than storing the hash of every possible password in a given character set and length, it stores only the endpoints of long hash chains and regenerates the rest on demand. Even so, rainbow tables take up a great deal of storage space. In the past these tables were far too processor and storage intensive to create and store, but with the advances of modern computing it is becoming more and more common for both ethical penetration testers and malicious hackers to keep external hard drives containing sets of rainbow tables. Note that rainbow tables only work against unsalted hashes such as LM and NT; they are useless against NTLMv2 challenge responses captured from the network, which change with every challenge.
Finding a place to generate or download a set of rainbow tables is just a Google search away if you prefer that route, but there are easier methods for the "casual" password cracker. One such method is a web service that maintains its own set of rainbow tables, such as plain-text.info. This site maintains multiple sets of rainbow tables against which you can submit password hashes for cracking, along with a list of recently cracked passwords for efficiency. Keep in mind that submitting a hash to a third party discloses it, and any password recovered from it, to that party, so do not do this with hashes from systems you are responsible for protecting.
In order to submit hashes to plain-text.info you can simply click the Add Hashes link to specify the hash and hash type. If this hash has already been cracked the result is displayed immediately; if not, the hash is submitted into the queue. You can monitor the queue status by going to the Search link and searching for the hash, which will tell you its queue position. Complex passwords can take some time via this method, but it is typically quicker than letting your own hardware do the work.
People tend to think that the goal of hashing a password is to produce a value from which nobody can ever recover the password, but this is a bit of an ill-conceived notion. A hash function is deterministic: anyone who can guess the password can compute the same hash and compare, so recovery is always possible given enough guesses. The real goal is to make the hash so expensive to attack that the time it would take to crack it outweighs the benefit of doing so.
With this in mind, there are a few things that can be done on a Windows system to make your password far harder to crack.
The most direct way to prevent people from cracking your password is to make it long and complex. A password that contains lowercase letters, uppercase letters, numbers and special symbols, and is fairly long, cannot be cracked in any reasonable amount of time; a password longer than 14 characters also prevents Windows from storing an LM hash for it at all. Changing your password periodically adds a further margin, since by the time an attacker cracks an old hash the password may already have changed. There is no single greater defense than a strong password that is changed periodically.
By now you should be thoroughly versed in the weaknesses of LM hashes. The good news is that we do not have to use them anymore. Modern Windows operating systems can be configured to stop storing LM hashes and to use NTLMv2 exclusively on the network with a few registry modifications.
You can disable the storage of LM hashes by browsing to HKLM\SYSTEM\CurrentControlSet\Control\Lsa in the registry. Once there, create a DWORD value named NoLMHash with a value of 1. This only affects hashes created after the change, so existing LM hashes remain in the SAM until each user next changes their password. Windows Vista and later already default to not storing LM hashes.
Another step is to disable LM authentication across the network. Once again, browse to HKLM\SYSTEM\CurrentControlSet\Control\Lsa. Once there, locate the DWORD value named LmCompatibilityLevel, creating it if it is absent. Setting it to 3 makes the machine send only NTLMv2 authentication while still accepting LM, NTLM and NTLMv2 from others, which is a good setting for domain clients. Setting it to 5 additionally refuses LM and NTLM authentication from other hosts and accepts only NTLMv2, which is the right setting for servers and domain controllers. The same control is exposed through Group Policy as "Network security: LAN Manager authentication level".
The only instance in which these settings might cause an issue is when you have Windows NT 4 and older clients on your network. However, in all honesty, if you still have those types of systems on your network then getting rid of them is the best security advice I can give you.
SYSKEY is a Windows feature that adds a further layer of encryption to the password hashes stored in the SAM, using a 128-bit key. In its default mode that key is kept in the SYSTEM hive on the local disk; it can instead be derived from a password typed at boot or stored on a floppy disk, so that the machine cannot start without it. Once enabled, SYSKEY cannot be disabled.
It is important to keep in mind that SYSKEY only protects the SAM file at rest. In the default mode the key material sits in the SYSTEM hive, so an attacker who copies both hives (as in the live CD method above) can still recover the hashes; only the boot-password or floppy modes defeat offline copying. SYSKEY does NOT protect against tools that extract hashes from the running system, such as Cain and fgdump.
You can read more about SYSKEY at http://support.microsoft.com/kb/143475.
Password cracking is an instrumental skill for someone attempting to break into a system, and because of this it is a necessity that system administrators understand how passwords are stored, stolen, and cracked. As potential intruders poke and prod at systems their mouths will water at the sight of an LM hash, and their goal will be more than halfway completed if users are using simple passwords. Remember, knowing is half the battle, so if you take this information and do nothing about it you are only halfway there. Using the defensive techniques provided you can help deter attackers from compromising the passwords on your systems.