The Importance of Analysing Domain User Passwords
During penetration testing and red teaming engagements, SureCloud’s cybersecurity consultants regularly analyse the passwords used on live client networks.
It is extremely common to find several password weaknesses, such as poorly constructed passwords or passwords shared between administrative and standard privileged user accounts. This information has been helpful to clients in addressing weaknesses and shaping their password policy to secure their systems further.
This kind of security examination can form part of our penetration testing and advisory services or our audit and risk management software offering, depending on the level of control you would like to outsource.
Analysis of Active Directory Domain User Accounts
For this investigation, we will talk specifically about analysing Active Directory domain user accounts.
When performing a password audit on a live domain, it is essential to ensure that you only do so with prior authorisation. The method described below assumes you have the correct user account permissions on the Domain to perform the creation of a shadow copy on a Domain Controller.
Although there are several methods to extract the password hashes from a Domain Controller (such as Oxid Cain and Able, pwdump6, and fgdump), most are flagged by anti-virus products and blocked or quarantined.
One of the safest and most reliable methods for password extraction on a Windows Domain has been outlined below.
Performing the Audit (Manually)
To initially obtain the password hashes, you will need to gain access to the NT Directory Service (NTDS) database file (NTDS.dit) and use the SYSTEM key to decrypt the data to obtain the user objects and associated attributes, including the password hashes. These files cannot be accessed whilst in use; however, Windows has a built-in feature to help with this.
Introducing the Volume Shadow Copy utility.
Shadow Copy is a technology included in Microsoft Windows that allows taking manual or automatic backup copies or snapshots of computer files or volumes, even when they are in use. It is implemented as a Windows service known as Volume Shadow Copy Service, Volume Snapshot Service, or VS. The Shadow Copy technology requires that the file system to be formatted as NTFS to create and store shadow copies. Shadow Copies can be created on local and external (removable or network) volumes by any Windows component that uses this technology, such as when creating a scheduled Windows Backup or automatic System Restore point.
Obtaining the NTDS database and SYSTEM files
Using an Administrative Command Line, run the following command on a Domain Controller:
vssadmin create shadow /for=c:
This will create a snapshot for the C drive In this snapshot normally inaccessible files, including the file we are after, can now be accessed via command line. This shadow copy will be placed in the following location:
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[*]
[*] Refers to the shadow copy number; it is always best to create a new ShadowCopy to ensure you have the latest information. In the example below the version is 2.
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
Although not directly accessible from the operating system, the volume shadow copy that has been created provides us with the ability to extract the NTDS.DIT and SYSTEM files within the Shadow copy, as they are no longer directly in use.
Running the following commands will copy the NTDS.dit and SYSTEM files to a folder on the local C: drive to a folder named “SC”
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\SC copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\System32\config\SYSTEM c:\SC
Obtaining hashes
To extract the User objects and associated attributes into a plain text file, we must first extract the different tables from the NTDS database file using SYSTEM file as the decryption key. Depending on the number of user accounts within your organization this may take some time to complete.
To demonstrate this task, we will perform the extraction using the adXtract tool, which is a command line tool aimed at streamlining the process of hash extraction from the NTDS.dit. For the purposes of this demonstration, we are using the Kali Linux distribution in a virtual machine. The adXtract script aids in the extraction process keeping user interaction to a minimum. An example of the command line arguments used for adXtract:
adXtract.sh [/path/to/ntds.dit] [/path/to/SYSTEM] [ProjectName]
Once this tool has completed processing the extraction and decryption of the data, the username and associated password hashes will be exported in a format that can be used with common password cracking tools such as Hashcat, JohnTheRipper, and OphCrack.
Password Cracking
As the purpose of this exercise is to check for weak passwords, it is recommended to use the list of hashed passwords, you have extracted against a list of known weak passwords such as the “Top 500 Passwords” or “Rockyou” wordlists; both are freely available online.
The use of a custom word list using information bespoke to the organization would also help to identify weak or guessable passwords. An example of this would be to use the name of the organization in various states, e.g. ‘SureCloud’, ‘scloud’, etc. Passing the output file from adXtract into a password cracking program, such as Hashcat, would allow the enumeration of known weak passwords from the input ‘wordlists’. An example of a simple Hashcat input argument, along with a demonstrated output can be seen below:
Hashcat64.exe -m [mode] [hash target file] [wordlist] [options]
Password Analyser
A tool that we have used internally at SureCloud, developed by one of our cybersecurity experts Adam Govier, is ‘Pwdlyser.’ The Pwdlyser tool is a Python command line script and Windows-based tool that was built to automate the process of manually reviewing cracked passwords during both password audits and penetration testing. It is freely available and offers a multitude of functionality, both for penetration testers and organizations performing internal password audits.
An example of a simple command line argument for the more common analysis aspects:
./pwdlyser.py –-all -p crackedPasswordList.txt
References