Password Attacks in Penetration Testing

Penetration Testing

Password Attack
Dr. Tran The Son
Vietnam – Korea University
• Passwords are often the path of least resistance on
pentesting engagements. A client with a strong
security program can fix missing Windows patches
and out-of-date software, but the users themselves
can’t be patched => social engineering and password
attacks still work
– On-line attack
– Off-line attack
Authentication Types
• Username/Password
• Two-factor authentication
• Biometric (fingerprint or retinal scan-based)
Online Password Attack
• Brute-forcing tools
– try every possible username and password
combination; given enough time, they will find
valid credentials, but this can take hours, years,
or longer than your natural lifetime
• Dictionary words
– are easy to remember, so despite the security
warnings, many users incorporate them into
passwords
Wordlists
• User list
– Internet
• Password lists [Link]
[Link]
– Kali: /usr/share/wordlists
ceWL tool
• To make educated guesses based on information you
gather while performing reconnaissance, a tool like
the ceWL custom wordlist generator will search a
company website for words to add to your wordlist
(1) -d (depth) option to specify how many links
ceWL should follow on the target website
(2) minimum word length
(3) output ceWL’s results to a file
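The three options above map onto a small crawler. The following is an added example, not ceWL's own code: it follows links to a configurable depth (ceWL's -d), keeps words of a minimum length (ceWL's -m) and writes the result most-frequent-first to a file (ceWL's -w). The "site" it crawls is a constructed set of HTML pages held in memory under the made-up host example.test, so it runs offline; swap `fetch` for a real HTTP client to use it against a site you are authorised to assess.

```python
"""Added example: a minimal ceWL-style custom wordlist generator.
Not ceWL's code; it reproduces the three options the slide names
(-d link depth, -m minimum word length, -w output file) over a small
set of constructed HTML pages held in memory."""
import re
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample site: URL -> HTML. example.test is not a real host.
SAMPLE_SITE = {
    "http://example.test/": (
        "<html><body><h1>Acme Widgets</h1>"
        "<p>Welcome to Acme Widgets, makers of the Thunderbolt series.</p>"
        '<a href="/about">About</a> <a href="/products">Products</a>'
        "</body></html>"
    ),
    "http://example.test/about": (
        "<html><body><p>Founded in Springfield by Jane Doe.</p>"
        '<a href="/team">Team</a></body></html>'
    ),
    "http://example.test/products": (
        "<html><body><p>Thunderbolt, Thunderbolt2 and Zephyr models.</p></body></html>"
    ),
    "http://example.test/team": (
        "<html><body><p>Our team: Jane, Robert and Priya.</p></body></html>"
    ),
}


class _TextAndLinks(HTMLParser):
    """Collect visible text and href values from one HTML document."""

    def __init__(self):
        super().__init__()
        self.text, self.links = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)

    def handle_data(self, data):
        self.text.append(data)


def fetch(url, site=SAMPLE_SITE):
    """Stand-in for an HTTP GET: look the page up in the constructed site."""
    return site.get(url, "")


def crawl_words(start_url, depth=2, min_length=3, fetch=fetch):
    """Follow links from start_url up to `depth` hops (ceWL's -d), staying on
    the start host, and count every word of at least min_length characters
    (ceWL's -m)."""
    host = urlparse(start_url).netloc
    counts = Counter()
    seen = set()
    frontier = [(start_url, 0)]
    while frontier:
        url, hops = frontier.pop(0)
        if url in seen or urlparse(url).netloc != host:
            continue
        seen.add(url)
        parser = _TextAndLinks()
        parser.feed(fetch(url))
        for word in re.findall(r"[A-Za-z][A-Za-z0-9]*", " ".join(parser.text)):
            if len(word) >= min_length:
                counts[word] += 1
        if hops < depth:
            for href in parser.links:
                frontier.append((urljoin(url, href), hops + 1))
    return counts


def rank_words(counts):
    """Order words most-frequent first, ties alphabetically."""
    return [w for w, _ in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]


def write_wordlist(counts, path):
    """Write the ranked words one per line (ceWL's -w)."""
    ordered = rank_words(counts)
    with open(path, "w") as fh:
        fh.write("\n".join(ordered) + "\n")
    return ordered


if __name__ == "__main__":
    words = crawl_words("http://example.test/", depth=2, min_length=5)
    print(write_wordlist(words, "/tmp/custom_wordlist.txt"))
```

Depth 0 yields only the words on the landing page; raising the depth pulls in names from the about and team pages, which is exactly the kind of company-specific vocabulary a generic dictionary lacks.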
Crunch tool
• Another method for creating wordlists is producing a
list of every possible combination of a given set of
characters, or a list of every combination of
characters for a specified number of characters.
• crunch takes the minimum and maximum length of the
combinations to generate (min max)
Hydra tool
• If you have a set of credentials that you’d like to try
against a running service that requires a login, you
can input them manually one by one or use a tool
such as Hydra to automate the process
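An automated online attack of the kind Hydra performs leaves a distinctive trace on the target: a burst of failed logins from one source, often across several usernames, sometimes followed by a success. The following added example (not from the slides and not Hydra's code) shows the defensive side: it parses sshd log lines, counts failures per source address in a sliding window and flags sources that cross a threshold, marking whether a successful login followed the burst. The log lines are constructed for the example; the year is assumed because classic syslog timestamps carry none.

```python
"""Added example: detecting an online password-guessing run in sshd logs.
Not from the slides; the sample log lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample syslog lines (not a real capture).
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Mar  3 10:00:02 host sshd[1202]: Failed password for root from 203.0.113.7 port 51001 ssh2
Mar  3 10:00:02 host sshd[1203]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar  3 10:00:03 host sshd[1204]: Failed password for root from 203.0.113.7 port 51003 ssh2
Mar  3 10:00:03 host sshd[1205]: Failed password for alice from 203.0.113.7 port 51004 ssh2
Mar  3 10:00:04 host sshd[1206]: Accepted password for alice from 203.0.113.7 port 51005 ssh2
Mar  3 10:05:00 host sshd[1300]: Failed password for bob from 198.51.100.9 port 40000 ssh2
Mar  3 10:07:00 host sshd[1301]: Accepted password for bob from 198.51.100.9 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2024):
    """Return (timestamp, 'Failed'|'Accepted', user, ip) or None.
    The year is an assumption: syslog timestamps do not include one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_guessing(log_text, threshold=5, window_seconds=60):
    """Return {ip: (failures_in_window, usernames_tried, success_after_burst)}
    for every source whose failures within window_seconds reach threshold."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    users = defaultdict(set)      # ip -> usernames it failed against
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        ts, result, user, ip = parsed
        if result == "Failed":
            q = recent[ip]
            q.append(ts)
            users[ip].add(user)
            # drop failures that fell out of the sliding window
            while (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold:
                flagged[ip] = [len(q), sorted(users[ip]), False]
        elif ip in flagged:
            # a success right after a guessing burst is the event to escalate
            flagged[ip][2] = True
    return {ip: tuple(v) for ip, v in flagged.items()}


if __name__ == "__main__":
    for ip, (n, names, success) in detect_guessing(SAMPLE_LOG).items():
        print(f"{ip}: {n} failures against {names}, success afterwards: {success}")
```

The single failure from 198.51.100.9 followed two minutes later by a success is ordinary user behaviour and is not flagged; the five failures in three seconds from 203.0.113.7 are, and the success that follows them is what an analyst should act on first.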
Offline Password Attacks
• Method: get a copy of the password hashes and attempt
to recover the plaintext passwords: hash each candidate
with the same algorithm and compare it to the stored hash
• If the two hashes are the same, we’ve found the correct
password.
• We gained access to some password hashes on the
Linux and Windows XP targets
• In Chapter 8, we can use the hashdump Meterpreter
command to print the hashed Windows passwords
• On the Linux target, the Vsftpd smiley-face backdoor gave us root privileges, and thus we can access the file
/etc/shadow, which stores Linux password hashes.
• Though we were able to use Meterpreter to dump
the password hashes from XP (as shown previously),
sometimes you’ll be able to get only the SAM file.
• … but the SAM file is obfuscated: the password hashes
inside it are encrypted with 128-bit Rivest Cipher 4 (RC4)
Security Accounts Manager (SAM)
• SAM is a vital component of how Windows stores passwords locally
on the computer system. Storage of user and account information in
the SAM database provides system users the ability to authenticate
to the local system if an account has been created for them.
Passwords stored in the SAM database are stored in either LAN
Manager (LM) hash or NT LAN Manager (NTLM) format depending on
the policies implemented and enforced for password storage.

• During normal operation of a Windows system, the SAM database
cannot be copied due to restrictions enforced by the operating
system kernel.
• The SAM database is stored in two places within Windows:
%systemroot%\system32\config\sam is the location of the main
storage for passwords and %systemroot%\repair\sam._ is a backup of
the main file in the event that recovery is required for a repair
process.
LM vs. NTLM Hashing Algorithms
• The LAN Manager hash was one of the first password hashing
algorithms to be used by Windows operating systems, and
the only version to be supported up until the advent of NTLM
used in Windows 2000, XP, Vista, and 7.
• These newer operating systems still support the use of LM
hashes for backwards compatibility purposes. However, it is
disabled by default for Windows Vista and Windows 7.
• In earlier versions of Windows, the LM hash is typically stored
and transmitted by default. However, in Windows Vista and
versions above, the LM hash is not stored by default, nor is it
used by default during network authentication. Instead, the
newer versions use the NTLMv2 hash as the default
authentication method.
LM Hash Example
• If LM hashes are enabled on your system (Win XP
and lower), a hash dump will look like (the four fields
are explained below):
Administrator:500:01FC5A6BE7BC6929AAD3B435B51404EE:0CB6948805F797BF2A82807973B8[Link]
• If LM hashes are disabled on your system (Win Vista,
7, 8+), a hash dump will look like:
Administrator:500:NO PASSWORD*********************:0CB6948805F797BF2A82807973B8[Link]
(1) First field: the username
(2) Second field: the SID (Security IDentifier) for that username
(3) Third field: the LM hash
(4) Fourth field: the NTLM hash
LM Hash Algorithm
• When a user creates a new password, this password is converted
to all uppercase
• then it is padded out to 14 characters
• The password is then split into two 7-byte chunks
• Each chunk is used as a Data Encryption Standard (DES) key to
encrypt a fixed value
• The outputs of the two DES operations are concatenated and the
result is stored as the LM hash

LM hash weaknesses
• The password length is limited to 14 characters, broken up into two independent 7-byte
chunks, so each half can be attacked on its own.
• The password is case-insensitive, which decreases the key space available for the users to
choose their passwords from.
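The dump format shown in the LM hash example and the two-chunk structure above can be checked mechanically. The following added example (not from the slides) parses username:rid:LM:NT lines and reports what each LM hash gives away. It rests on two facts about the algorithm: pwdump-style tools print "NO PASSWORD" with asterisks in the LM field when no LM hash is stored, and because each 7-byte chunk of the padded password is a DES key applied to a fixed value, an empty chunk always encrypts to the constant AAD3B435B51404EE. Both halves equal to that constant means an empty password; only the second half equal to it means the password is at most seven characters. The sample dump is constructed; the NT values in it are placeholders shaped like real hashes, except for the empty-password NT hash 31D6CFE0D16AE931B73C59D7E0C089C0, which is the genuine MD4 of an empty input.

```python
"""Added example: audit pwdump-style hash lines for what the LM hash reveals.
Not from the slides; the sample dump is constructed."""
import re
from typing import NamedTuple, Optional

EMPTY_LM_HALF = "AAD3B435B51404EE"                 # DES of the fixed value under an all-zero 7-byte key
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"     # NT hash of the empty password
NO_LM_PREFIX = "NO PASSWORD"                      # pwdump's marker for "LM hash not stored"

# Constructed sample dump (username:rid:LM:NT:::). Placeholder NT hashes.
SAMPLE_DUMP = """\
Administrator:500:01FC5A6BE7BC6929AAD3B435B51404EE:0011223344556677889900AABBCCDDEE:::
Guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
alice:1001:NO PASSWORD*********************:1122334455667788990011223344AABB:::
bob:1002:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:::
"""

HEX32 = re.compile(r"[0-9A-F]{32}")


class HashRecord(NamedTuple):
    user: str
    rid: int
    lm: Optional[str]       # None when the dump says no LM hash is stored
    nt: str
    findings: tuple


def parse_pwdump_line(line):
    """Split one username:rid:LM:NT line and attach findings about it."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError(f"not a pwdump line: {line!r}")
    user, rid, lm, nt = parts[0], int(parts[1]), parts[2].upper(), parts[3].upper()
    if not HEX32.fullmatch(nt):
        raise ValueError(f"bad NT hash for {user}")
    findings = []
    if lm == "" or lm.startswith(NO_LM_PREFIX):
        lm = None
    else:
        if not HEX32.fullmatch(lm):
            raise ValueError(f"bad LM hash for {user}")
        findings.append("lm-hash-stored")             # LM storage is enabled for this account
        if lm == EMPTY_LM_HALF * 2:
            findings.append("empty-password")
        elif lm[16:] == EMPTY_LM_HALF:
            findings.append("password-7-chars-or-fewer")  # second chunk was all padding
    if nt == EMPTY_NT and "empty-password" not in findings:
        findings.append("empty-password")
    return HashRecord(user, rid, lm, nt, tuple(findings))


def audit_dump(text):
    """Map each username to the findings for its line."""
    records = [parse_pwdump_line(l) for l in text.splitlines() if l.strip()]
    return {r.user: r.findings for r in records}


if __name__ == "__main__":
    for user, findings in audit_dump(SAMPLE_DUMP).items():
        print(f"{user}: {', '.join(findings) or 'nothing notable'}")
```

On a defender's side the same check, run over a dump from a system you administer, tells you which accounts still have LM hashes stored at all and which of those are short enough to be trivially recoverable, which is the practical argument for disabling LM storage everywhere.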
NTLM Hash
• NTLM was accepted as the new authentication
method of choice and implemented with Windows
NT 4. It uses the MD4 (NTLM v1) and MD5 (NTLM v2)
hashing algorithms to create the hash based upon a
series of mathematical calculations.
• MD4/MD5 is considered to be significantly stronger than
DES
NTLM Algorithm
• It takes the password and hashes it using the MD4 algorithm
• It does not break up the password into chunks
• The password is case-sensitive
• It can support very long passwords (127 characters)
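The NT hash is MD4 over the password encoded as UTF-16LE, with no uppercasing, padding, chunking or salt, which is why a single precomputed hash of a common password matches every account that uses it. The following added example (not from the slides) implements MD4 in pure Python, because many OpenSSL builds leave it out of hashlib, computes the NT hash, and performs the compare-the-hashes step that the offline-attack slide describes. The MD4 vectors used in the test are the published ones from RFC 1320 and the NT hash of "password" is the widely documented value.

```python
"""Added example: NT hash from scratch (MD4 over UTF-16LE), plus the
hash-and-compare step from the offline-attack slide. Not from the slides."""
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def _md4_compress(state, block):
    """One 64-byte block through MD4's three rounds (RFC 1320).
    Each step updates the 'a' slot and the tuple is rotated, which
    reproduces the spec's a/d/c/b ordering without four code paths."""
    X = struct.unpack("<16I", block)
    a, b, c, d = state
    # round 1: F, no constant, message words in order
    for i in range(16):
        f = (b & c) | (~b & d)
        a = _rotl((a + f + X[i]) & _MASK, (3, 7, 11, 19)[i % 4])
        a, b, c, d = d, a, b, c
    # round 2: G, constant 0x5A827999, words taken column-wise (0,4,8,12,1,...)
    for i in range(16):
        g = (b & c) | (b & d) | (c & d)
        k = (i % 4) * 4 + i // 4
        a = _rotl((a + g + X[k] + 0x5A827999) & _MASK, (3, 5, 9, 13)[i % 4])
        a, b, c, d = d, a, b, c
    # round 3: H, constant 0x6ED9EBA1, words in bit-reversed order
    order3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for i in range(16):
        h = b ^ c ^ d
        a = _rotl((a + h + X[order3[i]] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4])
        a, b, c, d = d, a, b, c
    return tuple((s + v) & _MASK for s, v in zip(state, (a, b, c, d)))


def md4(data: bytes) -> bytes:
    """MD4 digest: pad with 0x80, zeros to 56 mod 64, 64-bit LE bit length."""
    state = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
    bit_len = len(data) * 8
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", bit_len)
    for off in range(0, len(data), 64):
        state = _md4_compress(state, data[off:off + 64])
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash: MD4 of the UTF-16LE password, as uppercase hex. No salt,
    so equal passwords always give equal hashes."""
    return md4(password.encode("utf-16-le")).hex().upper()


def check_candidates(nt_hex, candidates):
    """The comparison the offline-attack slide describes: hash each
    candidate the same way and look for an exact match."""
    target = nt_hex.upper()
    for cand in candidates:
        if nt_hash(cand) == target:
            return cand
    return None


if __name__ == "__main__":
    print(nt_hash("password"))   # 8846F7EAEE8FB117AD06BDD830B7586C
    print(check_candidates("8846f7eaee8fb117ad06bdd830b7586c", ["letmein", "password"]))
```

Note that "password" and "Password" hash differently, unlike LM, but the absence of a salt means a wordlist only ever has to be hashed once for an entire dump; that, not the strength of MD4 as a function, is what makes NT hashes fast to audit.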
• The encryption key is called the bootkey, stored in the
Windows SYSTEM file (C:\Windows\repair directory).
• Once we have the bootkey, we can use Samdump2 to
retrieve the password hashes from the SAM file
Cracking passwords
• One of the more popular tools for cracking passwords is
John the Ripper.
• The default mode for John the Ripper is brute forcing
Linux password hashes
• /etc/shadow
– contains the hashed password and the password expiry
data.
• /etc/passwd
– contains the users' public information (UID, full name, home
directory)
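The two files above have a fixed colon-separated layout, and /etc/shadow's hash field carries a $id$ prefix naming the hashing scheme, so an administrator can audit it without cracking anything. The following added example (not from the slides) parses constructed shadow entries in the shadow(5) field order (name, hash, last change, min, max, warn, inactive, expire, reserved) and reports accounts with empty passwords, accounts still hashed with a weak scheme, and passwords past their maximum age. The hash strings in the sample are placeholders, not real hashes; the scheme identifiers ($1$ md5crypt, $5$/$6$ sha256/sha512crypt, $2a/$2b/$2y$ bcrypt, $y$ yescrypt, $7$ scrypt) are the standard crypt(5) ones.

```python
"""Added example: audit /etc/shadow entries for weak schemes, empty
passwords and expiry. Not from the slides; sample entries are constructed."""
from typing import NamedTuple, Optional

# Constructed sample entries; hash bodies are placeholders.
SAMPLE_SHADOW = """\
root:$6$rounds=5000$saltsalt$placeholderhashplaceholderhashplaceholderhash:19500:0:99999:7:::
legacy:$1$saltsalt$placeholderhash:18000:0:90:7:::
svc:!:19000:0:99999:7:::
daemon:*:18000:0:99999:7:::
nopass::19000:0:99999:7:::
alice:$y$j9T$saltsaltsaltsalt$placeholderhashplaceholder:19600:0:99999:7:::
"""

HASH_SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
                "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt", "y": "yescrypt"}
WEAK_SCHEMES = {"md5crypt", "descrypt"}
NEVER_EXPIRES = 99999     # the conventional "no maximum age" value


class ShadowEntry(NamedTuple):
    name: str
    scheme: Optional[str]   # None for locked or empty password fields
    locked: bool
    empty: bool
    lastchange: Optional[int]   # days since the epoch
    max_age: Optional[int]      # days a password may be used


def _int_or_none(s):
    return int(s) if s else None


def parse_shadow_line(line):
    """Parse one shadow(5) line into a ShadowEntry."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields: {line!r}")
    name, pw = fields[0], fields[1]
    locked = pw.startswith("!") or pw == "*"
    empty = pw == ""
    scheme = None
    if pw.startswith("$"):
        ident = pw.split("$")[1]
        scheme = HASH_SCHEMES.get(ident, f"unknown({ident})")
    elif pw and not locked:
        scheme = "descrypt"   # traditional 13-character DES crypt has no $id$ prefix
    return ShadowEntry(name, scheme, locked, empty,
                       _int_or_none(fields[2]), _int_or_none(fields[4]))


def audit_shadow(text, today_days):
    """Map each account to its issues. today_days is days since the epoch,
    the same unit the lastchange field uses."""
    report = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        e = parse_shadow_line(line)
        issues = []
        if e.empty:
            issues.append("empty-password")
        if e.scheme in WEAK_SCHEMES:
            issues.append(f"weak-hash:{e.scheme}")
        if (not e.locked and not e.empty
                and e.lastchange is not None and e.max_age is not None
                and e.max_age < NEVER_EXPIRES
                and today_days - e.lastchange > e.max_age):
            issues.append("password-expired")
        report[e.name] = issues
    return report


if __name__ == "__main__":
    for name, issues in audit_shadow(SAMPLE_SHADOW, today_days=19600).items():
        print(f"{name}: {', '.join(issues) or 'ok'}")
```

An account whose hash still starts with $1$ is the one John the Ripper will finish first, which is the practical reason to migrate such entries to sha512crypt or yescrypt by forcing a password change.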
Dumping Plaintext Passwords from
Memory with WCE
• If we have access to a Windows system, in some
cases we can pull plaintext passwords directly from
memory.
• One tool with this functionality is the Windows Credential
Editor (WCE)
