Password Auditing: How to Extract and Analyse Domain User Passwords

Written by Ellie Owen

Published on 27 Apr 2017

The Importance of Analysing Domain User Passwords

During penetration testing and red teaming engagements, SureCloud’s cybersecurity consultants regularly analyse the passwords used on live client networks.

It is extremely common to find several password weaknesses, such as poorly constructed passwords or passwords shared between administrative and standard privileged user accounts. This information has been helpful to clients in addressing weaknesses and shaping their password policy to secure their systems further.

This kind of security examination can form part of our penetration testing and advisory services or our audit and risk management software offering, depending on the level of control you would like to outsource.

Analysis of Active Directory Domain User Accounts

For this investigation, we will talk specifically about analysing Active Directory domain user accounts.

When performing a password audit on a live domain, it is essential to ensure that you only do so with prior authorisation. The method described below assumes you have the correct user account permissions on the Domain to perform the creation of a shadow copy on a Domain Controller.

Although there are several methods to extract the password hashes from a Domain Controller (such as Oxid’s Cain & Abel, pwdump6 and fgdump), most are flagged by anti-virus products and blocked or quarantined.

One of the safest and most reliable methods for password extraction on a Windows Domain is outlined below.

Performing the Audit (Manually)

To initially obtain the password hashes, you will need to gain access to the NT Directory Service (NTDS) database file (NTDS.dit) and use the SYSTEM key to decrypt the data to obtain the user objects and associated attributes, including the password hashes. These files cannot be accessed whilst in use; however, Windows has a built-in feature to help with this.

Introducing the Volume Shadow Copy utility.

Shadow Copy is a technology included in Microsoft Windows that allows manual or automatic backup copies or snapshots of files or volumes to be taken, even while they are in use. It is implemented as a Windows service known as the Volume Shadow Copy Service, Volume Snapshot Service, or VSS. Shadow Copy requires the file system to be formatted as NTFS in order to create and store shadow copies. Shadow copies can be created on local and external (removable or network) volumes by any Windows component that uses this technology, for example when a scheduled Windows Backup runs or an automatic System Restore point is created.

Obtaining the NTDS database and SYSTEM files

Using an Administrative Command Line, run the following command on a Domain Controller:

vssadmin create shadow /for=c:

This will create a snapshot of the C: drive. Within this snapshot, normally inaccessible files, including the file we are after, can be read from the command line. The shadow copy is exposed at the following location:

\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[*]

[*] Refers to the shadow copy number; it is always best to create a new ShadowCopy to ensure you have the latest information. In the example below the version is 2.

\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2

Although not directly accessible from the operating system, the volume shadow copy that has been created provides us with the ability to extract the NTDS.DIT and SYSTEM files within the Shadow copy, as they are no longer directly in use.

Running the following commands copies the NTDS.dit and SYSTEM files from the shadow copy into a folder named “SC” on the local C: drive (create the c:\SC folder first; if it does not exist, copy will write a single file called SC instead):

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\SC
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\System32\config\SYSTEM c:\SC
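The command sequence above is also exactly what a blue team should expect to see in process-creation telemetry, so an authorised audit is worth announcing to the SOC in advance. The detection logic below is an added example, not part of the original post: the Sysmon-style events are constructed, and the ten-minute correlation window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events (UtcTime and CommandLine, as in Sysmon
# Event ID 1); not real log data.
EVENTS = [
    {"UtcTime": "2017-04-27 09:00:01", "CommandLine": "vssadmin create shadow /for=c:"},
    {"UtcTime": "2017-04-27 09:00:40",
     "CommandLine": r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\SC"},
    {"UtcTime": "2017-04-27 09:00:41",
     "CommandLine": r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\System32\config\SYSTEM c:\SC"},
    {"UtcTime": "2017-04-27 13:00:00", "CommandLine": "vssadmin list shadows"},  # benign
]

SHADOW_CREATE = re.compile(r"vssadmin(\.exe)?\s+create\s+shadow", re.I)
# Reads of the AD database or the SYSTEM hive from inside a shadow copy path.
SENSITIVE_READ = re.compile(r"HarddiskVolumeShadowCopy\d+\\.*(NTDS\.dit|config\\SYSTEM)", re.I)
WINDOW = timedelta(minutes=10)  # assumed correlation window

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def detect_ntds_extraction(events, window=WINDOW):
    """Alert on any command that reads NTDS.dit or SYSTEM out of a shadow copy
    within `window` after a shadow copy was created. A shadow copy on its own
    (backup jobs create them too) does not alert; the follow-up read does."""
    creates = [parse_time(e["UtcTime"]) for e in events
               if SHADOW_CREATE.search(e["CommandLine"])]
    alerts = []
    for e in events:
        if not SENSITIVE_READ.search(e["CommandLine"]):
            continue
        t = parse_time(e["UtcTime"])
        if any(timedelta(0) <= t - c <= window for c in creates):
            alerts.append((e["UtcTime"], e["CommandLine"]))
    return alerts
```

Matching on command lines alone misses tooling that opens the shadow copy via the API rather than `copy`, so this is a starting point to pair with file-access auditing on the NTDS folder.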

Obtaining hashes

To extract the user objects and associated attributes into a plain text file, we must first extract the different tables from the NTDS database file, using the SYSTEM file as the decryption key. Depending on the number of user accounts within your organization, this may take some time to complete.

To demonstrate this task, we will perform the extraction using the adXtract tool, which is a command line tool aimed at streamlining the process of hash extraction from the NTDS.dit. For the purposes of this demonstration, we are using the Kali Linux distribution in a virtual machine. The adXtract script aids in the extraction process keeping user interaction to a minimum. An example of the command line arguments used for adXtract:

adXtract.sh [/path/to/ntds.dit] [/path/to/SYSTEM] [ProjectName]

Once this tool has completed processing the extraction and decryption of the data, the username and associated password hashes will be exported in a format that can be used with common password cracking tools such as Hashcat, JohnTheRipper, and OphCrack.

Password Cracking

As the purpose of this exercise is to check for weak passwords, it is recommended to run the list of hashed passwords you have extracted against a list of known weak passwords such as the “Top 500 Passwords” or “RockYou” wordlists; both are freely available online.

A custom wordlist built from information specific to the organization would also help to identify weak or guessable passwords; for example, the name of the organization in various forms, e.g. ‘SureCloud’, ‘scloud’, etc. Passing the output file from adXtract into a password cracking program such as Hashcat allows the enumeration of known weak passwords from the input wordlists. An example of a simple Hashcat invocation can be seen below:

Hashcat64.exe -m [mode] [hash target file] [wordlist] [options]

Password Analyser

A tool that we have used internally at SureCloud, developed by one of our cybersecurity experts Adam Govier, is ‘Pwdlyser.’ The Pwdlyser tool is a Python command line script and Windows-based tool that was built to automate the process of manually reviewing cracked passwords during both password audits and penetration testing. It is freely available and offers a multitude of functionality, both for penetration testers and organizations performing internal password audits.

An example of a simple command line argument for the more common analysis aspects:

./pwdlyser.py --all -p crackedPasswordList.txt
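The kind of review Pwdlyser automates, together with the check for passwords shared between administrative and standard accounts mentioned in the introduction, as an added example (not Pwdlyser’s or SureCloud’s code): it reads a pwdump-style hash export and a cracker’s results. The sample data is constructed, and the admin naming convention, organisation words and minimum length are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed pwdump-style sample (user:rid:lmhash:nthash:::); all hashes are placeholders.
H_A, H_B, H_C = "a" * 32, "b" * 32, "c" * 32
HASH_EXPORT = "\n".join(f"{u}:{rid}:{'0' * 32}:{h}:::" for u, rid, h in [
    ("alice", 1105, H_A), ("alice_adm", 1106, H_A), ("bob", 1107, H_B),
    ("svc_backup", 1108, H_C), ("carol", 1109, H_B)])
# Constructed cracked results keyed by NT hash, as a cracker's potfile lists them.
CRACKED = {H_A: "SureCloud2017", H_B: "Password1"}

ADMIN_RE = re.compile(r"(_adm|admin|_da)$", re.I)  # assumed admin naming convention
ORG_TOKENS = ("surecloud", "scloud")               # organisation-specific words
MIN_LENGTH = 12                                    # assumed policy minimum

def parse_export(text):
    """Return {username: nthash} from pwdump-style lines."""
    users = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 4 and parts[0]:
            users[parts[0]] = parts[3].lower()
    return users

def shared_admin_passwords(users):
    """NT hashes are unsalted, so equal hashes mean equal passwords: report hashes
    shared by an admin-style and a standard account, no cracking required."""
    by_hash = defaultdict(list)
    for user, nthash in users.items():
        by_hash[nthash].append(user)
    findings = []
    for names in by_hash.values():
        admins = sorted(n for n in names if ADMIN_RE.search(n))
        standard = sorted(n for n in names if not ADMIN_RE.search(n))
        if admins and standard:
            findings.append((admins, standard))
    return findings

def weak_password_findings(users, cracked):
    """Map each cracked account to why its password is weak: reused across
    accounts, below the minimum length, or built from the organisation's name."""
    reuse = Counter(users.values())
    out = {}
    for user, h in users.items():
        if h in cracked:
            pw = cracked[h]
            out[user] = [r for r, hit in (
                ("reused", reuse[h] > 1), ("short", len(pw) < MIN_LENGTH),
                ("org-name", any(t in pw.lower() for t in ORG_TOKENS))) if hit]
    return out
```

The shared-hash check is worth running before any cracking at all, since it reports admin/standard password reuse without ever recovering the password.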
