
Friday, 6 May 2016

Password Auditing - A Word of Advice

Here is a piece of free advice:

Next time you decide to run a password audit against your own organisation, out of the goodness of your heart, to educate users about their password practices, do yourself a favour first: run face-first into a brick wall as fast as you can, and remind yourself that this was less painful than convincing users not to do stupid things. Then ask yourself if you still want to proceed.

If the answer is still "yes", then consider taking this approach:

Only look for the truly daftest passwords. Don't put any real effort into guessing what users' passwords are, because (spoiler alert) you will succeed.

Two-factor authentication is the only way to save the general populace from their own laziness, stupidity, ignorance or stubbornness. If someone wants their password to be "Jessica1987!", then maybe you should let them; at least it is not "Pa55word". Combine their shitty password with MFA and you are probably doing the best you can to protect your organisation, unless you work for a bank or a government.

Even with this simplified approach, be prepared for a world of pain while you try to find someone to take ownership of the several hundred or more accounts whose purpose nobody remembers.

Happy hunting!

Wednesday, 13 April 2016

Password Cracking Top Tip!

Maintain your own wordlist of previously cracked passwords. In follow-up audits you can then run JTR rules against users' old passwords. You'll be amazed (or maybe not) at how many users who have been told to change their password think it is fine to simply put a "1" or yesterday's date on the end of the old one.
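Here is an added example (not the post's own script) of the idea in practice: take last round's cracked plaintexts, expand each into the mutations a lazy user is likely to pick (trailing number bumped, first letter flipped, a digit or symbol or the date appended), write those out as a wordlist for the follow-up John run, and, once the new hashes are cracked too, report who only made a trivial change. The mutation set approximates common John the Ripper rules rather than reproducing them, and every account and password below is constructed for illustration.

```python
"""Follow-up audit helper: turn last round's cracked plaintexts into a targeted
wordlist and, once the new round is cracked too, report who only made a trivial
change. Added example, not the post's own script; the mutations approximate
common John the Ripper rules and all account data here is constructed."""
import re
from datetime import date
from typing import Dict, List, Optional, Set

# Constructed sample data: plaintexts recovered in the first audit and, after
# the forced reset, the plaintexts recovered in the follow-up. Not real users.
PREVIOUS = {"alice": "Summer2015", "bob": "Jessica1987!",
            "carol": "welcome1", "dave": "Pa55word"}
FOLLOWUP = {"alice": "Summer2016", "bob": "Jessica1987!1",
            "carol": "Welcome2", "dave": "Tr0ub4dor&3"}
AUDIT_DAY = date(2016, 4, 13)   # constructed: the day the follow-up run happened

SUFFIXES = [str(d) for d in range(10)] + ["!", "1!", "!1", "01", "123", "#"]
DATE_FORMATS = ("%Y", "%y", "%m%y", "%d%m%y", "%d%m%Y", "%b%Y", "%B%Y")


def mutations(old: str, today: Optional[date] = None) -> Set[str]:
    """Passwords a lazy user is likely to derive from `old`: bump a trailing
    number (Summer2015 -> Summer2016), flip the first letter's case, stick a
    digit or symbol on the end, or append the date in a few common formats."""
    today = today or date.today()
    stems = {old}
    m = re.search(r"(\d+)$", old)
    if m:
        prefix, num = old[:m.start()], m.group(1)
        for delta in (1, 2):
            stems.add(prefix + str(int(num) + delta).zfill(len(num)))
    if old[:1].isalpha():
        stems |= {s[0].swapcase() + s[1:] for s in stems}
    cands = set(stems)
    for s in stems:
        cands.update(s + suffix for suffix in SUFFIXES)
        cands.update(s + today.strftime(fmt) for fmt in DATE_FORMATS)
    return cands


def build_wordlist(previous: Dict[str, str], today: Optional[date] = None) -> List[str]:
    """Sorted candidates for the follow-up run, e.g.
    `john --format=NT --wordlist=old_mutations.txt --rules hashes.txt`."""
    words: Set[str] = set()
    for old in previous.values():
        words |= mutations(old, today)
    return sorted(words)


def trivial_changes(previous: Dict[str, str], followup: Dict[str, str],
                    today: Optional[date] = None) -> Dict[str, str]:
    """{user: old_password} for every user whose new password is a mutation of
    the old one, i.e. the forced reset achieved nothing."""
    return {user: old for user, old in previous.items()
            if user in followup and followup[user] in mutations(old, today)}


if __name__ == "__main__":
    words = build_wordlist(PREVIOUS, AUDIT_DAY)
    print(f"{len(words)} candidates derived from {len(PREVIOUS)} old passwords")
    for user, old in trivial_changes(PREVIOUS, FOLLOWUP, AUDIT_DAY).items():
        print(f"{user}: {old!r} -> {FOLLOWUP[user]!r} (trivial change)")
```

The wordlist is meant to be fed to John with `--rules` still switched on, so John's own mangling is applied on top of these mutations; the `trivial_changes` report is the number you take to management, since it shows how much of the forced reset was wasted.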

Monday, 4 April 2016

Rainbow Tables

I often hear people talk about rainbow tables in lectures and seminars and simply get it wrong. If you have a dictionary of words and their precomputed hashes, that is a hash lookup table, not a rainbow table; there are plenty of free online services that will check a hash you have obtained against their database to see whether it has been cracked before.

A rainbow table, on the other hand, consists of precomputed "chains". Each chain starts from a password, hashes it, then applies a reduction function to the hash to produce a new password candidate of the desired length and character set, hashes that, and so on. The reduction function is varied at each position along the chain (that is what makes it a "rainbow" table, and what stops two chains merging permanently the moment they happen to produce the same hash). Once a chain is complete, typically after thousands of hashes, only its starting password and its final value are stored; everything in between is recomputed when needed.

There are instructions online for generating your own rainbow tables, and precomputed tables can be downloaded or purchased. A table lets you recover almost any password within a given character set and length in a very short time (tables are built to a target success rate a little below 100%, since some passwords fall outside every chain), as long as the hash is unsalted, which is exactly what salting is there to prevent, and as long as you have the storage available for the table.

When you have a hash for which you wish to find the password, you start by assuming it sits at the last position of some chain: apply the last reduction function to it and compare the result with the stored chain ends. If nothing matches, assume it sits one position earlier: apply that position's reduction, hash the result, apply the last reduction, and compare again; and so on, working back one position at a time. When a chain end matches, regenerate that chain from its stored starting password until you reach the hash you are looking for; the value you hashed to get there is the password. A matching end can also be a false alarm caused by a merge, in which case you carry on searching. Software such as the RainbowCrack suite (rtgen to generate the tables, rtsort to sort them, rcrack to look hashes up) does all of this for you. It is much quicker than a standard brute force and needs far less storage than a complete lookup table for the character set, the price being the one-off time to generate the tables.
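To make the chain mechanics concrete, here is an added toy implementation (it is not the post's code and not how RainbowCrack is written): a deliberately tiny key space of three lowercase letters, MD5 as the unsalted hash, a column-dependent reduction function, chain generation that stores only start and end, the lookup that walks backwards through the possible positions, and a sampled coverage measurement. The key-space size, chain length and chain count are assumptions chosen so it runs in seconds.

```python
"""Toy rainbow table: generation, lookup and coverage, to make the chain idea
concrete. Added example, not the post's code and not RainbowCrack's design;
the key space, hash and reduction function are deliberately tiny."""
import hashlib
import random

CHARSET = "abcdefghijklmnopqrstuvwxyz"
PW_LEN = 3                 # 26**3 = 17,576 possible passwords (assumption: toy size)
CHAIN_LEN = 50             # hashes per chain (real tables use thousands)
NUM_CHAINS = 1000          # chains generated (real tables use millions)


def H(pw: str) -> bytes:
    """The unsalted hash under attack (MD5 here; for NT it would be MD4 over UTF-16LE)."""
    return hashlib.md5(pw.encode()).digest()


def R(h: bytes, col: int) -> str:
    """Reduction: map a hash back into the password space. The column index is
    mixed in so every position in the chain uses a different reduction, which
    is the property that makes this a rainbow table and limits chain merges."""
    n = int.from_bytes(h, "big") + col
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(CHARSET))
        chars.append(CHARSET[r])
    return "".join(chars)


def build_table(num_chains=NUM_CHAINS, chain_len=CHAIN_LEN, seed=1):
    """Return {end_password: [start_password, ...]}. Only the chain ends are
    kept; the intermediate hashes are recomputed on demand during lookup."""
    rng = random.Random(seed)
    table = {}
    for _ in range(num_chains):
        start = "".join(rng.choice(CHARSET) for _ in range(PW_LEN))
        pw = start
        for col in range(chain_len):
            pw = R(H(pw), col)
        table.setdefault(pw, []).append(start)
    return table


def lookup(table, target: bytes, chain_len=CHAIN_LEN):
    """Find a password whose hash is `target`, or None if no chain covers it."""
    # Try each position the target could occupy, last column first (cheapest).
    for col in range(chain_len - 1, -1, -1):
        pw = R(target, col)
        for c in range(col + 1, chain_len):
            pw = R(H(pw), c)
        for start in table.get(pw, ()):
            # Chain end matched: rebuild that chain from its stored start and
            # look for the hash itself. A merge can make this a false alarm,
            # in which case the loop simply carries on with the next column.
            cand = start
            for c in range(chain_len):
                if H(cand) == target:
                    return cand
                cand = R(H(cand), c)
    return None


def coverage(table, sample=200, seed=2, chain_len=CHAIN_LEN) -> float:
    """Fraction of randomly chosen passwords the table recovers."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(sample):
        pw = "".join(rng.choice(CHARSET) for _ in range(PW_LEN))
        if lookup(table, H(pw), chain_len) == pw:
            hits += 1
    return hits / sample


if __name__ == "__main__":
    t = build_table()
    print(f"{len(t)} chain ends stored to cover {len(CHARSET) ** PW_LEN} passwords")
    print("lookup(H('cat')) ->", lookup(t, H("cat")))
    print(f"sampled coverage ~ {coverage(t):.0%}")
```

The numbers illustrate the trade-off in the text: about a thousand stored entries stand in for a key space of 17,576 and recover most of it, at the cost of roughly 1,275 hash-and-reduce steps per lookup (the sum over the 50 possible columns) instead of a single dictionary probe. Real tables push both the chain length and the key space up by orders of magnitude, which is why generation is the expensive step and lookup is still fast.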

AD Password Auditing Workflow

I'll come back in future and add more detail on some of the steps below, along with useful PowerShell and bash scripts that reduce the effort, and password dictionary resources. I like to use Docker for the Linux side of the work, as it gives me a known-state environment with all the right tools installed in seconds.

For now, this is a high level overview:
  1. Acquire from your AD backup the NTDS.dit database and the SYSTEM registry hive (the hive holds the boot key needed to decrypt the hashes in NTDS.dit).
  2. Remember to tidy up files as you go and leave no trail: the extracted hashes are as sensitive as the passwords themselves, so keep them on encrypted storage and securely delete them once the audit is over.
  3. Extract the hashes using the 2014 version of libesedb and the latest esedbextract.py.
  4. Filter the accounts and hashes down to active user accounts that have not expired (drop disabled accounts, expired accounts, machine accounts and accounts with an empty hash).
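Step 4 is where a surprising amount of cracking time gets saved, so here is an added example of that filter (not the post's own script). It assumes the extracted hashes are in pwdump format (`sAMAccountName:RID:LMhash:NThash:::`, which is what most NTDS.dit extraction tools write) and that account state has been exported from AD with PowerShell (for example `Get-ADUser -Filter * -Properties Enabled,AccountExpirationDate | Export-Csv`) with ISO-formatted dates. It keeps enabled, unexpired user accounts with a real NT hash, drops machine accounts, and also reports which accounts still have an LM hash stored, which tells you whether the LM-first trick further down is even available. Both inputs below are constructed sample data.

```python
"""Filter an NTDS hash dump down to the accounts worth spending cracking time on.
Added example, not the post's own script. Assumptions: the dump is in pwdump
format (sAMAccountName:RID:LMhash:NThash:::) and account state comes from a
CSV exported with PowerShell (Get-ADUser ... | Export-Csv) with ISO dates.
Both inputs below are constructed sample data, not a real domain."""
import csv
import io
from datetime import datetime
from typing import Dict, Iterator, List, Optional, Tuple

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of "", also what you see when LM storage is off
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of "", i.e. the account has no password set

# Constructed sample dump. 8846f7... is the well-known NT hash of "password" and
# e52cac... the LM hash of the same; the other hash values are made up.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WKS01$:1104:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
jsmith:1105:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
old.contractor:1106:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
svc_backup:1107:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
"""

# Constructed sample of the PowerShell export for the same made-up accounts.
SAMPLE_STATE = """\
SamAccountName,Enabled,AccountExpirationDate
Administrator,True,
Guest,False,
jsmith,True,
old.contractor,True,2015-12-31 00:00:00
svc_backup,True,
"""
AS_OF = datetime(2016, 4, 4)   # constructed: the date the audit was run


def parse_dump(text: str) -> Iterator[Tuple[str, str, str, str]]:
    """Yield (user, rid, lm, nt) from pwdump lines, skipping blank or malformed ones."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue
        yield parts[0], parts[1], parts[2].lower(), parts[3].lower()


def parse_state(text: str) -> Dict[str, Tuple[bool, Optional[datetime]]]:
    """Return {sAMAccountName: (enabled, expiry or None)} from the CSV export."""
    state = {}
    for row in csv.DictReader(io.StringIO(text)):
        exp = row["AccountExpirationDate"].strip()
        expiry = datetime.strptime(exp, "%Y-%m-%d %H:%M:%S") if exp else None
        state[row["SamAccountName"]] = (row["Enabled"].strip().lower() == "true", expiry)
    return state


def select_targets(dump_text: str, state_text: str, as_of: datetime) -> Tuple[List[str], List[str]]:
    """Keep enabled, unexpired user accounts that have a real NT hash; drop machine
    accounts (trailing $) and anything absent from the AD export. Returns pwdump
    lines ready for `john --format=NT` plus the users that still store an LM hash."""
    state = parse_state(state_text)
    keep, lm_present = [], []
    for user, rid, lm, nt in parse_dump(dump_text):
        if user.endswith("$") or user not in state:
            continue
        enabled, expiry = state[user]
        if not enabled or (expiry is not None and expiry <= as_of) or nt == EMPTY_NT:
            continue
        keep.append(f"{user}:{rid}:{lm}:{nt}:::")
        if lm != EMPTY_LM:
            lm_present.append(user)
    return keep, lm_present


if __name__ == "__main__":
    targets, with_lm = select_targets(SAMPLE_DUMP, SAMPLE_STATE, AS_OF)
    print("\n".join(targets))
    print(f"# {len(targets)} accounts to crack; LM hash still stored for: {with_lm or 'none'}")
```

Keep the dropped accounts in a separate list rather than discarding them: the expired and disabled ones are the start of the "who owns this?" conversation from the earlier post, and a non-empty LM list is a finding in its own right before a single hash is cracked.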
Once you have the list of accounts you want to crack, use John the Ripper, stepping up the effort in stages:

  1. For the worst offenders, run John against the NT hashes (--format=NT) with the "worst passwords" lists freely downloadable from the net, and no rules.
  2. For slightly less bad offenders, add larger wordlists from previous breaches, such as rockyou.
  3. For the next tier, use a dictionary of company names, product names, usernames and the like, and start adding rules.
  4. For users who at least made some effort to choose their own password, use a dictionary of months, days, seasons, town names, countries, etc. with rules.

This should be as far as you need to go for a typical password audit. If you want to go further, for companies with higher risk profiles or a smaller risk appetite, consider one or more of the following:

  1. Crack in LM mode first (only possible where LM hashes are still being stored, which has been off by default since Windows Server 2008) and feed the results back in as a dictionary for NT mode with a case-toggling rule set, since LM cracking loses the original case of the password.
  2. Larger dictionaries with more aggressive rules.
  3. Incremental (brute-force) mode.
  4. Another technique such as rainbow tables, which suit NT hashes well because they are unsalted.
A future post will go into the elegance of rainbow tables and try to explain in simple terms how neat this solution is, plus describe the pros and cons. Watch this space.

When the audit is over, run the cracked passwords through pipal to report on password patterns and trends across the organisation.