During penetration testing and red teaming engagements SureCloud’s cybersecurity consultants regularly perform password analysis of the passwords being used on live client networks. It is extremely common to find several password weaknesses, such as poorly constructed passwords or passwords that have been shared between administrative and standard privileged user accounts. This information has been useful to clients for helping to address weaknesses and shape the password policy to further secure their systems.
For the purposes of this blog, we are going to talk specifically about analysis on Active Directory domain user accounts.
When performing a password audit on a live domain it is important to ensure that you only do so with prior authorisation. The method described below assumes you have the correct user account permissions on the Domain to perform the creation of a shadow copy on a Domain Controller.
Although there are several methods to achieve the extraction of the password hashes from a Domain Controller (such as Oxid Cain and Able, pwdump6, and fgdump), most are flagged by anti-virus products and blocked or quarantined. One of the safest and most reliable methods for password extraction on a Windows Domain has been outlined below.
Performing the Audit (Manually)
To initially obtain the password hashes, you will need to gain access to the NT Directory Service (NTDS) database file (NTDS.dit) and use the SYSTEM key to decrypt the data to obtain the user objects and associated attributes, including the password hashes. These files cannot be accessed whilst in use, however Windows has a built-in feature to help with this.
Introducing the Volume Shadow Copy utility.
Shadow Copy is a technology included in Microsoft Windows that allows taking manual or automatic backup copies or snapshots of computer files or volumes, even when they are in use. It is implemented as a Windows service known as Volume Shadow Copy Service, Volume Snapshot Service, or VS. The Shadow Copy technology requires that the file system to be formatted as NTFS to create and store shadow copies. Shadow Copies can be created on local and external (removable or network) volumes by any Windows component that uses this technology, such as when creating a scheduled Windows Backup or automatic System Restore point.
Obtaining the NTDS database and SYSTEM files
Using an Administrative Command Line, run the following command on a Domain Controller:
vssadmin create shadow /for=c:
This will create a snapshot for the C drive In this snapshot normally inaccessible files, including the file we are after, can now be accessed via command line. This shadow copy will be placed in the following location:
[*] Refers to the shadow copy number; it is always best to create a new ShadowCopy to ensure you have the latest information. In the example below the version is 2.
Although not directly accessible from the operating system, the volume shadow copy that has been created provides us with the ability to extract the NTDS.DIT and SYSTEM files within the Shadow copy, as they are no longer directly in use.
Running the following commands will copy the NTDS.dit and SYSTEM files to a folder on the local C: drive to a folder named “SC”
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\SC copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\System32\config\SYSTEM c:\SC
To extract the User objects and associated attributes into a plain text file, we must first extract the different tables from the NTDS database file using SYSTEM file as the decryption key. Depending on the number of user accounts within your organization this may take some time to complete.
To demonstrate this task, we will perform the extraction using the adXtract tool, which is a command line tool aimed at streamlining the process of hash extraction from the NTDS.dit. For the purposes of this demonstration, we are using the Kali Linux distribution in a virtual machine. The adXtract script aids in the extraction process keeping user interaction to a minimum. An example of the command line arguments used for adXtract:
adXtract.sh [/path/to/ntds.dit] [/path/to/SYSTEM] [ProjectName]
Once this tool has completed processing the extraction and decryption of the data, the username and associated password hashes will be exported in a format that can be used with common password cracking tools such as Hashcat, JohnTheRipper, and OphCrack.
As the purpose of this exercise is to check for weak passwords, it is recommended to use the list of hashed passwords, you have extracted against a list of known weak passwords such as the “Top 500 Passwords” or “Rockyou” wordlists; both are freely available online.
The use of a custom word list using information bespoke to the organization would also help to identify weak or guessable passwords. An example of this would be to use the name of the organization in various states, e.g. ‘SureCloud’, ‘scloud’, etc. Passing the output file from adXtract into a password cracking program, such as Hashcat, would allow the enumeration of known weak passwords from the input ‘wordlists’. An example of a simple Hashcat input argument, along with a demonstrated output can be seen below:
Hashcat64.exe -m [mode] [hash target file] [wordlist] [options]
A tool that we have used internally at SureCloud, developed by one of our cybersecurity experts Adam Govier, is ‘Pwdlyser.’ The Pwdlyser tool is a Python command line script and Windows-based tool that was built to automate the process of manually reviewing cracked passwords during both password audits and penetration testing. It is freely available and offers a multitude of functionality, both for penetration testers and organizations performing internal password audits.
An example of a simple command line argument for the more common analysis aspects:
./pwdlyser.py –-all -p crackedPasswordList.txt