
How to Crack Password Hashes Efficiently

posted Nov 20, 2014, 8:01 AM by Beau Bullock   [ updated Nov 25, 2014, 5:10 AM ]
Why Do We Need To Analyze Passwords?


Being part of an information security team at most organizations is a tough role to play. Being the one who sets a 15-character minimum password policy is even tougher. Organizations should start moving in this direction though; 8-character minimum password policies are not cutting it anymore. If you give users the chance to make an 8-character password, most of them will. Don't assume that administrative users (e.g. Domain Admins) in your environment are smarter than the rest of your employees and will make smart decisions when choosing a password. I have seen firsthand where a Domain Admin will use the company name in their password, or even create a variation of the word "password". On one occasion I found a DA who had set his password manually in Active Directory so he could have a shorter password than the company policy designated.

With regard to pentesting, one might ask why it is still necessary to crack passwords at all. With the ability to pass-the-hash or use Mimikatz to extract clear text credentials from memory, has password cracking become obsolete? I see three main reasons password cracking can still add value to a pentest or to an information security professional assessing their own organization's passwords.
  1. With the "Pass-the-hash" patch killing network logon and remote interactive logon by local accounts (except RID 500 accounts), it might not be possible to pass-the-hash. In this case cracking the password may still be the only option.
  2. Domain Admin is not the goal. Perhaps you have achieved Domain Admin on a network, but in order to get to sensitive data you need a specific account's credentials (a SQL login? archived or encrypted data?), and you can't find any other way of accessing this data without having the user's credentials. Of course you could potentially keylog, or maybe dump these creds with Mimikatz from somewhere, but let's just say those aren't options. This may be another reason you need to crack a password.
  3. Lastly, as I stated earlier, it can be extremely hard for an organization to increase their password policy past the default 8-character minimum. Dumping the password hashes for all domain users in an environment and performing a company-wide "password audit" can be the driving force needed to increase password restrictions.
How Do We Get Domain Password Hashes?

So how do we get every password hash for every user in an environment? Well in a Microsoft Active Directory environment you can get them from the NTDS.dit AD database on one of the domain controllers. I am not going to explain this process as it has been demonstrated multiple times here, here, and here. The other option is to run Carlos Perez's smart_hashdump post module in Metasploit against a domain controller. You can find that here.

What Do We Need To Crack Passwords Efficiently?

Now that we have every user's password hash what do we need in order to crack them?
1. Hardware
Generally, hardware is considered the most important piece. If you are interested in building a password cracker, the guys who build cryptocurrency miners are who you need to look to. Mining cryptocurrency is a very similar process to cracking passwords, and both require some serious hardware. The general consensus is that the more Graphics Processing Units (GPUs) you can fit onto one motherboard the better. This post isn't meant to detail what hardware you need to buy though. I want to focus on how to get the most out of your hardware and crack passwords smarter. Personally, my current password cracking rigs aren't anything fancy. I use two separate systems. One of my systems, built for use with oclHashcat, has 4GB of RAM, a 1TB HD, an Asus motherboard with 3 PCIe x16 slots, a super cheap AMD CPU, a 1050W power supply, and two 2GB Radeon HD 7850s. The 7850s are all that really matter though; all of the actual hash processing is done there. You can get pretty crazy with the number of GPUs you use. Add as many GPUs to your rig as your budget allows. Check out this 25-GPU password cracker: http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/

Some sites I would recommend checking out for building your own password cracking rig are here:
http://www.coinminingrigs.com/quad-7970-mining-rig/
http://blog.erratasec.com/2011/06/password-cracking-mining-and-gpus.html#.VG3xspPF_tw
http://blog.fox-it.com/2014/03/07/building-bowser-a-password-cracking-story/

2. Wordlists
After you get your hardware together go download some of these wordlists:
  • Crackstation - This list contains pretty much every wordlist, dictionary and password database leak out there. It contains 1.4 billion words.
  • Rockyou - I include the RockYou and Cain wordlists because sometimes it can be useful to use a smaller list.
  • Cain
The whole point of this article is to crack passwords more efficiently. We can do so much more than just throw a wordlist at a hash. But some of the techniques I like to use to do this are built around wordlists at the core. So, having good wordlists is very important.

3. Password Cracking Software
The third thing you will need is good password cracking software. My personal favorite, and the one I will be detailing momentarily, is oclHashcat. Others that you may end up using as well are John the Ripper, Pyrit, coWPAtty, and RCrack, just to name a few.

How Do We Crack Passwords More Efficiently?

Whenever I’m cracking passwords I have a checklist that I go through each time. Many tutorials on cracking passwords tend to just throw a wordlist at a hash and call it a day. Most password cracking software including John the Ripper and oclHashcat allow for many more options than just providing a static wordlist. Below I will detail the process I go through when cracking passwords (specifically NTLM hashes from a Microsoft domain), the various commands, and why I run each of these.

First, some basic oclHashcat syntax. Every command below has the form ./oclHashcat64.bin -m <hash type> -a <attack mode> hashlist.txt <wordlist, mask, or both>. -m 1000 selects NTLM. The attack modes used here are -a 0 (straight dictionary), -a 1 (combinator, two wordlists), -a 3 (brute force with a mask), -a 6 (hybrid wordlist + mask) and -a 7 (hybrid mask + wordlist). Mask placeholders are ?l (lowercase), ?u (uppercase), ?d (digits), ?s (special characters) and ?a (all of those); -1 through -4 define custom charsets that the mask references as ?1 through ?4.

The oclHashcat help output (--help) is very useful as well.
Dictionary Attacks, Hybrid Attacks, and Rules
Straight Dictionary Attack – This will nail most of the common passwords out there, but there is much more we can do.
./oclHashcat64.bin -m 1000 -a 0 hashlist.txt crackstation.txt

Hybrid Dictionary + Mask Attack (1 char) – After I run a standard wordlist against a set of hashes I start appending characters to the end of that wordlist. The command below appends one character of any type to every word in the Crackstation wordlist. By doing this you will start to crack passwords to which users have appended a random character.
./oclHashcat64.bin -m 1000 -a 6 hashlist.txt crackstation.txt ?a

Hybrid Dictionary + Mask Attack (2 chars) – The command below appends two characters of any type to the crackstation wordlist.
./oclHashcat64.bin -m 1000 -a 6 hashlist.txt crackstation.txt ?a?a

Hybrid Dictionary + Mask Attack (3 chars) - The command below appends three characters of any type to the RockYou wordlist. The reason I switched to the RockYou list here was for the sake of time. As you start appending characters to wordlists the time it takes to completely cover all possible variations can grow exponentially. Dropping to a smaller wordlist allows you to still append multiple characters in a decent amount of time.
./oclHashcat64.bin -m 1000 -a 6 hashlist.txt rockyou.txt ?a?a?a

Hybrid Dictionary + Mask Attack (4 digits) – This command appends four digits to the Crackstation list. One reason to append four digits is to cover years, PINs, and special dates that users append to their passwords.
./oclHashcat64.bin -m 1000 -a 6 hashlist.txt crackstation.txt ?d?d?d?d

Hybrid Mask + Dictionary Attack (1 char) – Once appending characters takes too long to finish (each added position multiplies the keyspace), I move on to prepending characters to wordlists. I initially start by prepending just one character of any type to the RockYou list.
./oclHashcat64.bin -m 1000 -a 7 hashlist.txt ?a rockyou.txt

Hybrid Mask + Dictionary Attack (2 chars) – Next I prepend two chars of any type to the RockYou list.
./oclHashcat64.bin -m 1000 -a 7 hashlist.txt ?a?a rockyou.txt

Hybrid Mask + Dictionary (3 chars) – Following the same pattern I prepend three chars of any type to the RockYou list.
./oclHashcat64.bin -m 1000 -a 7 hashlist.txt ?a?a?a rockyou.txt

Combinator Attack – The combinator attack combines two separate lists. To begin I create a "combinator list" containing key terms to append to the Crackstation list (year, month, company name, etc.). When these values are combined with the standard Crackstation list I generally end up cracking a few more passwords.
./oclHashcat64.bin -m 1000 -a 1 hashlist.txt crackstation.txt combinatorlist.txt

Rules Attack - Ninja-leetspeak – In my opinion rules-based attacks are truly the most advanced way of cracking passwords. Most people have been brainwashed into thinking that a secure password means you just substitute an ‘E’ for a ‘3’ or similar. This is called “leetspeak”. By taking a list like Crackstation and running it through a good leetspeak rule I usually end up cracking MANY more passwords than in all the previous steps. The following three rules are some of my favorites and are included in oclHashcat.
./oclHashcat64.bin -m 1000 -a 0 hashlist.txt crackstation.txt --rules=rules/Ninja-leetspeak.rule

Rules Attack - d3ad0ne
./oclHashcat64.bin -m 1000 -a 0 hashlist.txt crackstation.txt --rules=rules/d3ad0ne.rule

Rules Attack - generated2   
./oclHashcat64.bin -m 1000 -a 0 hashlist.txt crackstation.txt --rules=rules/generated2.rule
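As an added example (not code from the post or from the hashcat project), here is a small interpreter for a subset of hashcat rule syntax. It shows why leetspeak substitutions add so little: a rule file enumerates them mechanically for every word in the list. The rules and the two-word "wordlist" inside are constructed, not the contents of the three rule files named above.

```python
# Added example (not from the post or the hashcat project): a small interpreter
# for a subset of hashcat rule syntax, showing how a rules attack mechanically
# enumerates leetspeak/suffix variants. RULES are constructed, not real rule files.

# Rule functions: ':' no-op, 'l'/'u' lower/upper, 'c' capitalize, 'r' reverse,
# 'd' duplicate, '['/']' drop first/last char, '$X' append, '^X' prepend, 'sXY' replace.
OPS = {
    ":": lambda w, a: w,                    "l": lambda w, a: w.lower(),
    "u": lambda w, a: w.upper(),            "r": lambda w, a: w[::-1],
    "c": lambda w, a: w[:1].upper() + w[1:].lower(),
    "d": lambda w, a: w * 2,                "[": lambda w, a: w[1:],
    "]": lambda w, a: w[:-1],               "$": lambda w, a: w + a,
    "^": lambda w, a: a + w,                "s": lambda w, a: w.replace(a[0], a[1]),
}
ARGC = {"$": 1, "^": 1, "s": 2}            # every other function takes no argument

def parse_rule(rule: str) -> list:
    """Split a rule line such as 'sa@ se3 $1' into (function, args) pairs."""
    ops, i = [], 0
    while i < len(rule):
        fn = rule[i]
        if fn == " ":                       # functions may be separated by spaces
            i += 1
            continue
        n = ARGC.get(fn, 0)
        if fn not in OPS or len(rule) < i + 1 + n:
            raise ValueError(f"bad or truncated rule function at {rule[i:]!r}")
        ops.append((fn, rule[i + 1:i + 1 + n]))
        i += 1 + n
    return ops

def apply_rule(word: str, rule: str) -> str:
    """Apply the rule's functions to the word left to right, as hashcat does."""
    for fn, arg in parse_rule(rule):
        word = OPS[fn](word, arg)
    return word

def mangle(words, rules) -> list:
    """Candidate list a rules attack tests: every word under every rule, deduped."""
    seen, out = set(), []
    for cand in (apply_rule(w, r) for w in words for r in rules):
        if cand not in seen:
            seen.add(cand)
            out.append(cand)
    return out

# Constructed sample wordlist and rules; 'password' under the fifth rule is P@ssw0rd1.
WORDS = ["password", "baseball"]
RULES = [":", "c", "c sa@", "c sa@ se3 so0", "c sa@ se3 so0 $1", "c ss$ $1 $2 $3"]
```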

Special Wordlists – These can yield some interesting results when cracking passwords. By crafting targeted wordlists based on the company, usernames, and previously cracked passwords, then running them through all of the previous oclHashcat commands I tend to crack quite a few more passwords.

Targeted Wordlist (company name, addresses, employee names, etc.)   
All previous commands with targeted wordlist

Username Wordlist (create a wordlist using all of the usernames gathered)
All previous commands with username wordlist

Previously Cracked Passwords Wordlist (create a wordlist using all of the cracked passwords)
All previous hybrid and mangling commands with cracked passwords wordlist
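The cracked-password list is also the raw material for the audit report that justifies a stronger policy. As an added example (not from the post, and not Pipal), the following script counts the patterns described above over a constructed sample of cracked passwords: company name, variants of "password", leetspeak, appended years or digits, shared base words, and length below a 15-character target.

```python
# Added example (not from the post and not Pipal): summarises a set of cracked
# passwords into the figures a password audit report needs. The cracked
# passwords, the company name and the 15-character target are constructed.
import re
from collections import Counter

LEET = str.maketrans("@301$5!", "aeoissi")        # undo common substitutions
TRAILING = re.compile(r"[\d\W_]+$")               # digits/specials at the end
YEAR = re.compile(r"(19|20)\d\d[\W_]*$")           # ...2014, ...2014!
DIGITS = re.compile(r"\d+[\W_]*$")                 # ...1, ...14, ...1@

def normalize(pw: str) -> str:
    """Lowercase and reverse leetspeak so 'P@ssw0rd' compares as 'password'."""
    return pw.lower().translate(LEET)

def base_word(pw: str) -> str:
    """The word a password was built on: strip the suffix, undo leet, keep letters."""
    return re.sub(r"[^a-z]", "", normalize(TRAILING.sub("", pw)))

def audit(passwords, company: str, min_len: int = 15) -> dict:
    """Count the weak-password patterns the post describes across a crack list."""
    c, bases = Counter(), Counter()
    comp = normalize(company)
    for pw in passwords:
        core = TRAILING.sub("", pw)
        c["total"] += 1
        if len(pw) < min_len:                    c["shorter_than_policy"] += 1
        if comp in normalize(pw):                c["contains_company_name"] += 1
        if "password" in normalize(pw):          c["variant_of_password"] += 1
        if core.lower() != normalize(core):      c["uses_leetspeak"] += 1
        if YEAR.search(pw):                      c["ends_with_year"] += 1
        elif DIGITS.search(pw):                  c["ends_with_digits"] += 1
        bases[base_word(pw)] += 1
    # passwords that share a base word with another cracked password
    c["shares_base_word"] = sum(n for n in bases.values() if n > 1)
    return dict(c)

# Constructed sample of "cracked" passwords for a fictional company, Acme.
CRACKED = ["Password1", "P@ssw0rd", "Summer2014!", "Acme2014", "@cm3rocks",
           "baseball", "Basebal1@", "correcthorsebatterystaple", "summer14",
           "Football2013"]

if __name__ == "__main__":
    for key, n in audit(CRACKED, "Acme").items():
        print(f"{key:22} {n}")
```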

Rainbow Tables – I like to use a combination of the above examples and rainbow tables. Typically, if you are cracking a lot of hashes rainbow tables can take a long time. So, I will knock out any of the low hanging fruit with the above commands and run the last hashes that I haven’t cracked yet through some rainbow tables. I use the NTLM tables you can purchase here: http://project-rainbowcrack.com/

Rainbow Tables - LM 1-14 chars all upper, lower, numbers, and special characters
rcrack/rcrack_cuda/rcrack_cl c:\rt\*.* -f pwdump_file

Rainbow Tables - NTLM 1-8 chars all upper, lower, numbers, and special characters
rcrack/rcrack_cuda/rcrack_cl c:\rt\*.* -n pwdump_file

Rainbow Tables - NTLM 1-9 chars all upper, lower, and numbers   
rcrack/rcrack_cuda/rcrack_cl c:\rt\*.* -n pwdump_file

Rainbow Tables - NTLM 1-10 chars all lower, and numbers
rcrack/rcrack_cuda/rcrack_cl c:\rt\*.* -n pwdump_file

Targeted Brute Forcing - Additionally, I like to do some targeted brute forcing with oclHashcat. For example, the rainbow tables above include 9-character passwords with uppercase letters, lowercase letters, and numbers but no symbols. Take a common 9-character password format such as "Basebal1@", where you have an uppercase letter to begin, followed by six lowercase letters, a number and a special character. Using masks like the ones detailed below it is possible to do targeted brute forcing against passwords in these formats. Instead of trying to brute force the entire 9-or-more-character password space, do targeted attacks like these (a = numbers, upper, lower, special; l = lower; u = upper; d = digits; s = special):

Brute Force - 9 char, a,u/l/d,l,l,l,l,l,l,d
./oclHashcat64.bin -m 1000 -a 3 hashlist.txt -1 ?a -2 ?u?l?d -3 ?l -4 ?d ?1?2?3?3?3?3?3?3?4

Brute Force - 9 char, u,u/l/d,l,l,l,l,l,u/l/d,a
./oclHashcat64.bin -m 1000 -a 3 hashlist.txt -1 ?a -2 ?u?l?d -3 ?l -4 ?u ?4?2?3?3?3?3?3?2?1

Brute Force - 10 char, u,l/d,l,l,l,l,l,l,l/d,s   
./oclHashcat64.bin -m 1000 -a 3 hashlist.txt -1 ?s -2 ?l?d -3 ?l -4 ?u ?4?2?3?3?3?3?3?3?2?1
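To make the runtime growth described for the hybrid attacks above and the savings from the targeted masks concrete, here is an added example (not from the post or from hashcat) that computes the keyspace of a hashcat mask, including the -1 to -4 custom charsets, and the hours it would take at an assumed hash rate. The masks and the 1.4 billion Crackstation count come from the post; the RockYou size and the 5 GH/s rate are assumptions.

```python
# Added example (not from the post or hashcat): estimates the keyspace of the
# hybrid (-a 6/-a 7) and mask (-a 3) attacks above to make the "exponential
# growth" concrete. The masks and the 1.4 billion Crackstation figure are from
# the post; ROCKYOU, the hash rate and the resulting hours are assumptions.
import string
# hashcat built-in charsets: ?l ?u ?d ?s (33 chars incl. space) ?a (all 95)
BUILTIN = {"l": set(string.ascii_lowercase), "u": set(string.ascii_uppercase),
           "d": set(string.digits), "s": set(string.punctuation + " ")}
BUILTIN["a"] = set().union(*BUILTIN.values())

def expand(spec: str, custom: dict) -> set:
    """Character set of a spec like '?u?l?d' or 'abc?d' (overlaps counted once)."""
    chars, i = set(), 0
    while i < len(spec):
        if spec[i] == "?":
            key = spec[i + 1]
            chars |= custom[key] if key in custom else BUILTIN[key]
            i += 2
        else:
            chars.add(spec[i])
            i += 1
    return chars

def mask_keyspace(mask: str, custom_defs: dict = None) -> int:
    """Candidates a mask produces; custom_defs maps '1'..'4' (-1..-4) to specs."""
    custom = {}
    for key, spec in (custom_defs or {}).items():
        custom[key] = expand(spec, custom)      # -2 may refer back to ?1
    n, i = 1, 0
    while i < len(mask):
        if mask[i] == "?":
            n *= len(expand(mask[i:i + 2], custom))
        i += 2 if mask[i] == "?" else 1         # a literal char is one choice
    return n

def hours(keyspace: int, rate: float = 5e9) -> float:
    """Hours to exhaust keyspace at rate hashes/s (default: an assumed NTLM rate)."""
    return keyspace / rate / 3600

CRACKSTATION = 1_400_000_000   # words, per the post
ROCKYOU = 14_000_000           # assumed, roughly rockyou.txt's line count
TARGETED = {"1": "?a", "2": "?u?l?d", "3": "?l", "4": "?d"}   # first -a 3 run above
RUNS = {                       # label: candidates (-a 6 = words x mask)
    "crackstation + ?a?a?a":  CRACKSTATION * mask_keyspace("?a?a?a"),
    "rockyou + ?a?a?a":       ROCKYOU * mask_keyspace("?a?a?a"),
    "targeted 9-char mask":   mask_keyspace("?1?2?3?3?3?3?3?3?4", TARGETED),
    "9-char ?a brute force":  mask_keyspace("?a" * 9),
}
for label, n in RUNS.items():
    print(f"{label:24} {n:10.3g} candidates  {hours(n):12.1f} h at 5 GH/s")
```

The targeted 9-character mask is about 1.8e13 candidates, against roughly 6.3e17 for the full ?a mask of the same length, which is the whole argument for mask design.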

Typically, for each of the password audits I am doing I see a 75-85% crack rate within a 4-day period with the minimal hardware I have and the techniques above. You can imagine how that crack rate might increase given better hardware. I might be going out on a limb here, but I'd be willing to bet that some nation-state attackers have better hardware than I do. This article has been focused mainly on cracking NTLM password hashes as part of a security audit. But the fact is, hashes are stored in MANY different formats. On almost a monthly or even weekly basis we see breaches that leak password data. When these happen, typically an attacker might leak that data to an underground hacker forum or sell it. These same techniques can be applied to cracking other hash types such as MD5, SHA1, MySQL, etc., and the ones who are doing that cracking definitely have better hardware than I do.

The point is, password security as a whole needs to be addressed in many places, not just the enterprise. Take pwnedlist.com for example. Pwnedlist.com hosts data from various breaches and will inform you if your email address was associated with one. This brings up the password reuse problem. If pwnedlist.com happens to find your enterprise email account within a breach of a completely different third-party entity, you can bet that an attacker somewhere has that information and has tried to log in to your email account with whatever password you chose for that third-party site. If you reused the same password on both the third-party site and your enterprise account, the attacker has now gained access to your organization.

So How Do We Fix It?
I definitely am not wise enough to state a single fix for this massive issue we have. In my opinion though, 15 characters with no complexity requirements is decent enough. Most password crackers will have a tough time with that, and it's still not so outrageously long that users will forget their passwords or write them down. Two-factor authentication is another option. If you require your users to carry something with them in order to log in, this can help mitigate the issue as well. The future of authentication and password security is being assessed by a lot of brilliant minds. One such case is Ball and Chain by Benjamin Donnelly. Go watch his Derbycon 2014 video here and be blown away: http://www.irongeek.com/i.php?page=videos/derbycon4/t108-ball-and-chain-a-new-paradigm-in-stored-password-security-benjamin-donnelly-and-tim-tomes

Other Resources
To learn more about Windows hashes read this excellent article by Joff Thyer: http://blog.packetheader.net/2014/10/post-exploitation-metasploit-and.html
A great tool for analyzing passwords you have cracked is Pipal by DigiNinja: http://digi.ninja/projects/pipal.php
