Microsoft Active Directory Password Analysis and cracking with Hashcat tool

Let’s conduct a penetration testing on a file with a detailed study analysis of system passwords as part of an ethical hacking engagement, a brief finding is presented in this report.

Executive summary:

The Security team has adopted an industry-standard approach towards the password analysis assessment. The objective of the assessment is to measure the security posture of the in-scope password techniques, and identify any deviating loopholes, potential vulnerabilities, enhanced countermeasures by measuring them against industry-adopted controls, and cybersecurity standards. Our comprehensive approach ensures that results are represented by their real-world likelihood and potential impact to the customer business.

For more information about our approach and methodology, please refer to the assessment sections.

Applicable Laws, Regulations, Standards & Guidance

The following cybersecurity laws, regulations, industry standards, and guidance are applied to this security and privacy control testing, and risk assessments [1 –6]

[NIST SP 800–53A, Rev 4] Assessing Security and Privacy Controls in FIS and Organizations.

[FISMA] Federal Information Security Management Act.
[NIST SP 800–30, Revision 1] Guide for Conducting Risk Assessments.
[NIST SP 800–53, Revision 4] Security and Privacy Controls for Federal Information Systems and Org.
[NIST SP 800–115] Technical Guide to Information Security Testing and Assessment.
[OSSTMM] Open-Source Security Testing Methodology Manual.
[PCI-DSS] Information Supplement: Penetration Testing Guidance.

Assessment Scope:

The assessment scope of the penetration testing for this case are as follows:

1. To analyse the digital file and crack the password file.

2. To analyse contents of the password file with respect to reconnaissance tools and techniques, industry standard security practice, and technical guidance.

3. To compare the discovered intruder techniques against the common web application attack techniques and propose a mitigation rationale to the client.

Assessment Tools:

In this assessment, the following commercial and open-source tools has been utilized.

1. Microsoft Windows 10 64-bit Operating system [8].

2. Kali Linux 64-bit Operating system [9].

3. John the Ripper [10].

4. Hashcat [11].

[Hands-on Project 1] Password Analysis

Investigation and Development Procedures:

In this section, we examine the password file given by the client to identify any evidentiary artefacts that might relate to this assessment. All the required procedures, such as identifying, analysing, investigating, developing, testing of various operations, has been documented in this section.

Step 1: First, Open the Downloaded Password file named “ntds.dit.zip”, right-click and unzip the file. There will be two subfolders nested inside the “ntds.dit”, main file, as like shown in Table 1.

Step 2: To open the Kali Linux and import your target file, “ntds.dit”, into kali as like shown in Figure 1.

Active Directory( AD) and Registry Hive:

In AD, username and passwords are stored inside the ntds.dit file also known as NT directory service (Ntds) file, and the keys are protected and stored inside the registry hive.

In the ntds file, most commonly you can find information’s about schema data, domain data, configuration, and application profile details.

Note: To learn more about the Registry Hive, refer to this link, it should take you to the Microsoft webpage.

Step 3: In this step, we will create a hash dump list with the help of an open-source tool called “Impacket”, it’s a python-built tool with set of features used to extract the hash from the “ntds.dit” raw file [12]. For this task, we clone that from GitHub repository into your Kali as like shown in Figure [2–5].

Step 4: We will use the “secretsdump.py” script to extract the list of user account hash.

secretsdump.py script:

In the Impacket suite, a script called “secretsdump.py”, which is utilized to secretly read the Windows registry keys, and decrypt the LSA secrets password without triggering alert modules on the registry hives. The hives can be stored locally or exported to a remote point.

There are several ways to execute the script. We’ll use the following command to guide the script to extract username, hash, and keys into a text file.

Command: impacket-secretsdump -system /root/SYSTEM -ntds /root/ntds.dit LOCAL -outputfile myhash117.txt

Once the reading and decrypting hashes from ntds.dit file has been completed. It will display the compiled hash on the terminal as well as export the entire results to the user defined file name, in our case its “myhash117.txt” file.

Step 5: The list of username and password are exported to the following files Myhash117.txt.ntds, Myhash117.txt.ntds.cleartext, Myhash117.txt.ntds.kerberos as like shown in Figure 8.

Step 6: We are in the final lapse of retrieving our clear text passwords from the exported hash files. To accomplish this task, we will use an open-source password recovery tool called hashcat. It’s used to recover the clear text passwords over 250+ hash modes and different attack combinations [13].

We will run the command wordlist to fetch the file to run against with our Hash files as like shown in Figure 10.

Command Briefing:

We have given a glimpse of the used command in the Table 2.

hashcat -m 1000 -a 0 -O /home/kali/Desktop/impacket-0.10.0/examples/myhash117.txt.ntds /usr/share/wordlists/rockyou.txt

Successfully Decrypted:

Recovery Status of the ntds File: Attempt 1

Recovery Status of the ntds File: Attempt 2

Analysing the Password results:

We examined the obtained results with the industry standards and practices [14 –16].

✓Minimum 7 and maximum 12 characters are used, and not using 8–63 characters.

✓No salts.

✓No special characters.

✓Upper cases not utilized.

✓Used predictable dictionary words.

✓Using Defunct hashing algorithms (MD5 with SHA-1) with poor digest and block size.

✓Lack in encryption standards.

✓Consecutive 3 characters.

Different Attack techniques:

To dump the ntds and registry files. In addition to our methodology, the following techniques can be used to extract AD, and dump credentials [17 –18].

Recommendations/Mitigations:

Ntds.dit file:

This file is utilized by the Windows Active directory(AD) server and usually restricted by the administrator to access.

When an intruder tries to access, AD prompt a “File in Use”, pop-up on the screen.

The quick remedy for this issue is to use the in-house tool “vssadmin” to display, list, delete, copy backups, and write the files. This can be exploited with PowerSploit modules, which helps attacker to read RAW files in the PowerShell application without triggering a HIDS software’s. After the extraction of Ntds.dit file, again PowerShell module can be used to interact with the obtained file and export hashes. In the last step, the attacker can pass the gathered hashes into well-known tools like Hashcat, Mimikatz etc., to acquire the password in text format.

AD Mitigation and Technical recommendations:

✓To increaser the scrutiny on need-to-know principles.

✓Restrict users on directory traversal.

✓Restrict access to file system.

✓Implement a centralized SIEM monitoring protocols.

✓To encrypt the stored backups of the AD files.

✓To enforce a unique password strategy for all users.

✓Keep the AD with up-to-date patches.

✓To restrict non-standard and standard users with appropriate access rights and privileges strictly based on need-to-know basis.

✓Use MFA.

✓Follow PCI-DSS, NIST standards on encryption and password management policies.

Conclusion:

In this project, we conducted an internal penetration testing on the client AD files. We created and explored the different types of hash formats, and captured the results, analysed the password rules, and provided required mitigations.

(Maybe Popular and Trending😉): Don’t forget to check out these Article’s ⬇️

Also Published Here

Using Hashcat Tool for Microsoft Active Directory Password Analysis and Cracking

Microsoft Active Directory Password Analysis and cracking with Hashcat tool