MEOW!

Hashcat. Lots of lolz.

February, 2nd 2022

It's that time of the year again! Yep, time to perform your annual or bi-annual Active Directory password cracking exercise and report statistics on how weak your admin, technical or end-user account passwords are.

Personally, it's an exercise I love.

Each time the same ritual:

Let's start at the beginning: get your Active Directory passwords.

For this part I use the NTDS Utils, and you will find here an excellent, detailed article on how to do it step by step.

Remember that, if you do not feel comfortable, it costs nothing to set up a virtual Windows Server 2016 or 2019, enable Active Directory on it and practice there first...

Once you have your Active Directory dump, it's time to use the fantastic Directory Services Internals (DSInternals), which will extract the data in text format from the raw file you retrieved using NTDS Utils.

If you are lazy, just download this text file that I've generated for you; it simulates a successful AD dump with the user information already extracted, so you can use it below for hashcat cracking. Should you not be able to retrieve all the passwords in this hash file, you should review your scenario or improve your dictionary, as these passwords are really not strong.

Give me six hours to chop down a tree and I will spend the first four sharpening the axe.

There is no cracking exercise without a first pass against a dictionary attack!

Well, lucky you, I provide you everything you need here: https://weakpass.com/wordlist

*BE SMART!*

There are tons of dictionaries out there on the internet, heavily specialized and based on language. If you are Spanish, it's good to ALSO have a specific dictionary based on the Spanish language. This is especially true for first-name dictionaries. You will not find "Pablo" in an English dictionary...

Try to find a dictionary that fits your activity domain: there is specific vocabulary worth being part of your attempt, and it is extremely different if you are working in the health domain or in the insurance domain.

Generate your own dictionary, and do not forget your company name and all the possible ways of writing it using leetspeak.

Use the program named "cupp", which gives you lots of possibilities to create a custom dictionary for your company or victim.

Cupp
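As an added example (my own code, not from the article and not from cupp), here is a small Python generator for the company-name part of such a dictionary: case variants, leetspeak substitutions and a year or short suffix glued on, one candidate per line as hashcat -a 0 expects. The substitution table, the suffix list and the company names in the main block are my own assumptions; extend them with whatever patterns you see in your own cracked results.

```python
import itertools

# Leetspeak substitutions to try per letter (constructed table, not exhaustive).
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "5$", "t": "7", "l": "1"}


def leet_variants(word):
    """Every spelling of `word` obtained by independently keeping each letter or
    replacing it with one of its leetspeak alternatives. Includes `word` itself."""
    per_position = [[ch] + list(LEET.get(ch.lower(), "")) for ch in word]
    return {"".join(combo) for combo in itertools.product(*per_position)}


def case_variants(word):
    """The three capitalisations people actually type."""
    return {word.lower(), word.upper(), word.capitalize()}


def company_wordlist(names, years=(), suffixes=("", "!", "1", "123")):
    """Candidate passwords built around a company name (and its abbreviations):
    case variants, then leetspeak, then an optional year and a short suffix."""
    bases = set()
    for name in names:
        for cased in case_variants(name):
            bases |= leet_variants(cased)
    tails = [""] + [str(y) for y in years]
    return sorted(f"{b}{y}{s}" for b in bases for y in tails for s in suffixes)


def write_wordlist(path, words):
    """Write one candidate per line, the format hashcat -a 0 expects."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(words) + "\n")
    return len(words)


if __name__ == "__main__":
    # Constructed input: a fictional company name, its long form, and the years
    # in which a password policy would have forced a change.
    words = company_wordlist(["acme", "acmeinsurance"], years=[2021, 2022])
    print(f"{len(words)} candidates, e.g. {words[:5]}")
    write_wordlist("CompanyPwd.txt", words)
```

The variants multiply quickly (each substitutable letter multiplies the count), which is exactly why this list should stay company-specific rather than be applied to a whole generic dictionary.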

That's it! You're all set for the first step of the cracking exercise, using a dictionary. The hashcat syntax for this purpose is quite clear and easy:


#-a 0 = dictionary attack, -m 1000 = NTLM, --username = the hash file carries user names,
#--remove = drop cracked hashes from the hash file, -O = optimized kernels (limits password length)
hashcat.exe -a 0 -m 1000 C:\hashes.txt C:\PwdDictionary.txt --remove --username -o C:\cracked_dictionary.txt -O
hashcat.exe -a 0 -m 1000 C:\hashes.txt C:\CompanyPwd.txt --remove --username -o C:\cracked_company_dict.txt -O

Now that the dictionary attack phase is done, it's time to prepare your hashcat script for the real brute force: not a blind, stupid brute force that will lead you nowhere, but a smart one.

Smart Brute Force

Trying to brute force everything is useless and not the way to go.

At the time I'm writing these words, the fastest graphics card on the market is the GeForce RTX 3090. It does about 121.2 million NTLM hashes per second, which means it is able to test every 8-character password in about 15 hours. If you go for all 9-character passwords it will take about 56 days. The good news is that you can use multiple graphics cards with hashcat. Though I never did it; I would love to see it with my own eyes some day.

I do not own such a monster of a graphics card and, even if I did, I should still think smart before going all in.

You should read the hashcat mask syntax before going further, to understand what it's all about:

- ?l = abcdefghijklmnopqrstuvwxyz
- ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
- ?d = 0123456789
- ?s = !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ (hashcat's ?s also includes the space character, 33 characters in total)
- ?a = ?l?u?d?s

You are also able to define your own combinations using the following syntax:

-1 ?l?u : means that by using "?1" you will match both upper- and lower-case letters
-2 0123 : means that by using "?2" you will match only 0, 1, 2 and 3 instead of all digits. Quite useful for dates!

Here is my personal attack scenario (in short):

All the scenarios above are defined below using hashcat syntax:


#Pure brute force all 8 char:
hashcat.exe -a 3 -m 1000 C:\hashes.txt --remove --username -o C:\cracked_all_8_char.txt -O ?a?a?a?a?a?a?a?a

#Without special character:
hashcat.exe -a 3 -m 1000 C:\hashes.txt --remove --username -o C:\cracked_6_char_2_dig.txt -O -1 ?l?u ?1?l?l?l?l?l?d?d
hashcat.exe -a 3 -m 1000 C:\hashes.txt --remove --username -o C:\cracked_6_char_4_dig.txt -O -1 ?l?u ?1?l?l?l?l?l?d?d?d?d
hashcat.exe -a 3 -m 1000 C:\hashes.txt --remove --username -o C:\cracked_7_char_19YY.txt -O -1 ?l?u -2 56789 ?1?l?l?l?l?l?l19?2?d
hashcat.exe -a 3 -m 1000 C:\hashes.txt --remove --username -o C:\cracked_7_char_20YY.txt -O -1 ?l?u -2 012 ?1?l?l?l?l?l?l20?2?d
hashcat.exe -a 3 -m 1000 C:\hashes.txt --remove --username -o C:\cracked_7_char_DDMM19YY.txt -O -1 0123 -2 01 -3 56789 -4 ?l?u ?4?l?l?l?l?l?l?1?d?2?d19?3?d
hashcat.exe -a 3 -m 1000 C:\hashes.txt --remove --username -o C:\cracked_7_char_DDMM20YY.txt -O -1 0123 -2 01 -3 012 -4 ?l?u ?4?l?l?l?l?l?l?1?d?2?d20?3?d

#With special character "!*%" at beginning or at the end:
hashcat.exe -a 3 -m 1000 C:\hashes.txt --remove --username -o C:\crckd_6_char_2_dig_1_spe_char.txt -O -1 ?l?u -2 !*% ?1?l?l?l?l?l?d?d?2
hashcat.exe -a 3 -m 1000 C:\hashes.txt --remove --username -o C:\crckd_1_spe_char_6_char_2_dig.txt -O -1 ?l?u -2 !*% ?2?1?l?l?l?l?l?d?d
hashcat.exe -a 3 -m 1000 C:\hashes.txt --remove --username -o C:\crckd_6_char_4_dig_1_spe_char.txt -O -1 ?l?u -2 !*% ?1?l?l?l?l?l?d?d?d?d?2
hashcat.exe -a 3 -m 1000 C:\hashes.txt --remove --username -o C:\crckd_1_spe_char_6_char_4_dig.txt -O -1 ?l?u -2 !*% ?2?1?l?l?l?l?l?d?d?d?d
hashcat.exe -a 3 -m 1000 C:\hashes.txt --remove --username -o C:\crckd_7_char_19YY_1_spe_char.txt -O -1 ?l?u -2 56789 -3 !*% ?1?l?l?l?l?l?l19?2?d?3
hashcat.exe -a 3 -m 1000 C:\hashes.txt --remove --username -o C:\crckd_1_spe_char_7_char_19YY.txt -O -1 ?l?u -2 56789 -3 !*% ?3?1?l?l?l?l?l?l19?2?d
hashcat.exe -a 3 -m 1000 C:\hashes.txt --remove --username -o C:\crckd_7_char_20YY_1_spe_char.txt -O -1 ?l?u -2 012 -3 !*% ?1?l?l?l?l?l?l20?2?d?3
hashcat.exe -a 3 -m 1000 C:\hashes.txt --remove --username -o C:\crckd_1_spe_char_7_char_20YY.txt -O -1 ?l?u -2 012 -3 !*% ?3?1?l?l?l?l?l?l20?2?d

#Don't forget phone numbers, social security numbers, etc.
#Your imagination leads the way...
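To see why the targeted masks above are tractable while the pure ?a?a?a?a?a?a?a?a run is not, here is an added Python mask calculator (my own code, not from the article or from hashcat). It parses the custom charsets and the mask out of a command line like the ones above, multiplies the per-position charset sizes into a keyspace, and converts that into run time at an assumed rate. The 121.2e9 hashes per second used in the main block is my assumption, chosen because it reproduces the article's "about 15 hours for every 8-character password"; substitute the Speed line from your own hashcat --benchmark run. The shortened hash and output paths in the main block are also mine.

```python
import string

# hashcat's built-in charsets. ?s is the 33 printable ASCII specials and
# includes the space character (often lost when the list is pasted into a web page).
BUILTIN = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " " + string.punctuation,
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]

# Options that consume the next token; any other token starting with '-' is a flag.
OPTS_WITH_ARG = {"-a", "-m", "-o", "-1", "-2", "-3", "-4"}


def positions(mask, custom):
    """Per-position character sets of a mask. '?x' is a built-in or custom
    charset, '??' a literal question mark, anything else a literal character."""
    out, i = [], 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            key = mask[i + 1]
            if key == "?":
                out.append({"?"})
            elif key in custom:
                out.append(custom[key])
            elif key in BUILTIN:
                out.append(set(BUILTIN[key]))
            else:
                raise ValueError(f"unknown charset ?{key} in {mask}")
            i += 2
        else:
            out.append({mask[i]})
            i += 1
    return out


def parse_command(cmd):
    """Extract (custom charsets, mask) from a hashcat -a 3 command line.
    Custom charsets (-1 .. -4) are expanded as they appear, so they may refer
    to built-ins or to charsets defined earlier on the line."""
    tokens, custom, positional = cmd.split(), {}, []
    i = 1  # skip the program name
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-1", "-2", "-3", "-4"):
            custom[tok[1]] = set().union(*positions(tokens[i + 1], custom))
            i += 2
        elif tok in OPTS_WITH_ARG:
            i += 2
        elif tok.startswith("-"):
            i += 1
        else:
            positional.append(tok)  # hash file comes first, the mask last
            i += 1
    return custom, positional[-1]


def keyspace(custom, mask):
    """Number of candidates the mask generates (product of the charset sizes)."""
    n = 1
    for charset in positions(mask, custom):
        n *= len(charset)
    return n


def runtime_hours(n_candidates, rate_per_sec):
    """Wall-clock hours to exhaust the keyspace at a constant hash rate."""
    return n_candidates / rate_per_sec / 3600


if __name__ == "__main__":
    RATE = 121.2e9  # assumed NTLM rate in hashes/s; take yours from hashcat --benchmark
    commands = [  # the article's masks, with hash and output paths shortened
        r"hashcat.exe -a 3 -m 1000 hashes.txt -O ?a?a?a?a?a?a?a?a",
        r"hashcat.exe -a 3 -m 1000 hashes.txt -O -1 ?l?u ?1?l?l?l?l?l?d?d?d?d",
        r"hashcat.exe -a 3 -m 1000 hashes.txt -O -1 ?l?u -2 56789 ?1?l?l?l?l?l?l19?2?d",
        r"hashcat.exe -a 3 -m 1000 hashes.txt -O -1 0123 -2 01 -3 56789 -4 ?l?u ?4?l?l?l?l?l?l?1?d?2?d19?3?d",
    ]
    for cmd in commands:
        custom, mask = parse_command(cmd)
        n = keyspace(custom, mask)
        print(f"{mask:32} {n:>22,d} candidates  ~{runtime_hours(n, RATE):9.2f} h")
```

Run it over your own script before launching anything: a mask whose estimate is days rather than seconds is either a candidate for a more specific custom charset or one to drop from this iteration.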


Personal advice:

Advice 1:
You can just type your hashcat command and wait for hashcat to tell you how much time it will take to complete (the Time.Estimated line of its status output). Sometimes it will help you prioritize your tests, or simply drop them.
Advice 2:
USE hashcat sessions (--session <name>, then --session <name> --restore to resume)! This gives you the possibility to interrupt your brute force exercise when needed and avoid slapping yourself in the face like I did in the past.
Advice 3:
There is so much more in hashcat than what I have written above. That's why you should perform the password cracking exercise multiple times a year. At each iteration you should improve on what you already have and add one more scenario. Proceed in small steps. If you have a project dedicated to it, lucky you: go on and read the whole documentation. It's long work, but it will be rewarded in the end.
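The point of the whole exercise is the statistics you report at the end, so here is an added Python reporter (my own code, not from the article, DSInternals or hashcat) that joins the dump with hashcat's outfile and produces the figures management asks for: percentage cracked, password length and character-class distribution, the most common passwords, and accounts that share the same NT hash, which reveals password reuse even for hashes you never cracked. It assumes the pwdump layout for the dump (user:rid:lmhash:nthash:::) and user:nthash:plaintext lines in the -o outfile; the sample data is constructed and its hashes are placeholders, not real NT hashes.

```python
import re
from collections import Counter, defaultdict

HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")

# Constructed sample dump in the pwdump layout (user:rid:lmhash:nthash:::).
# The NT hashes are placeholders; the LM field is the usual empty-LM constant.
SAMPLE_DUMP = """\
alice:1105:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
bob:1106:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
carol:1107:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
dave:1108:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::
svc_backup:1109:aad3b435b51404eeaad3b435b51404ee:44444444444444444444444444444444:::
erin:1110:aad3b435b51404eeaad3b435b51404ee:55555555555555555555555555555555:::
"""

# Constructed sample of hashcat's -o outfile with --username, assumed to be
# user:nthash:plaintext. hashcat writes plaintexts that contain ':' or
# non-printable bytes as $HEX[...]; "pa:ssw" below is written that way.
SAMPLE_CRACKED = """\
alice:11111111111111111111111111111111:Winter2022!
carol:11111111111111111111111111111111:Winter2022!
dave:33333333333333333333333333333333:$HEX[70613a737377]
svc_backup:44444444444444444444444444444444:acme123
"""


def parse_dump(text):
    """Map account -> NT hash from pwdump lines (4th colon-separated field)."""
    accounts = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 4 and HEX32.match(fields[3]):
            accounts[fields[0]] = fields[3].lower()
    return accounts


def decode_plain(plain):
    """Undo hashcat's $HEX[...] encoding of awkward plaintexts."""
    if plain.startswith("$HEX[") and plain.endswith("]"):
        return bytes.fromhex(plain[5:-1]).decode("latin-1")
    return plain


def parse_cracked(text):
    """Map NT hash -> plaintext from the outfile; the plaintext may itself contain ':'."""
    cracked = {}
    for line in text.splitlines():
        parts = line.split(":", 2)
        if len(parts) == 3 and HEX32.match(parts[1]):
            cracked[parts[1].lower()] = decode_plain(parts[2])
    return cracked


def char_classes(pw):
    """How many of lower/upper/digit/special the password mixes (1..4)."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def report(dump_text, cracked_text):
    """Audit figures for the dump, joined with whatever hashcat has cracked so far."""
    accounts = parse_dump(dump_text)
    cracked = parse_cracked(cracked_text)
    plains = {u: cracked[h] for u, h in accounts.items() if h in cracked}
    by_hash = defaultdict(list)
    for user, h in accounts.items():
        by_hash[h].append(user)
    return {
        "accounts": len(accounts),
        "cracked": len(plains),
        "cracked_pct": round(100 * len(plains) / len(accounts), 1) if accounts else 0.0,
        "length_hist": dict(Counter(len(p) for p in plains.values())),
        "class_hist": dict(Counter(char_classes(p) for p in plains.values())),
        # Same NT hash on several accounts means the same password, cracked or not.
        "shared_hashes": {h: users for h, users in by_hash.items() if len(users) > 1},
        "top_passwords": Counter(plains.values()).most_common(5),
    }


if __name__ == "__main__":
    r = report(SAMPLE_DUMP, SAMPLE_CRACKED)
    print(f"cracked {r['cracked']}/{r['accounts']} accounts ({r['cracked_pct']}%)")
    print("length distribution:", dict(sorted(r["length_hist"].items())))
    print("character classes:  ", dict(sorted(r["class_hist"].items())))
    print("most common:        ", r["top_passwords"])
    for h, users in r["shared_hashes"].items():
        print(f"shared hash {h[:8]}... used by {', '.join(users)}")
```

Two practical notes: because the commands above use --remove, the hash file shrinks as hashes are cracked, so feed this script an untouched copy of the dump, not the working file; and the shared-hash list is worth reporting on its own, since a service account sharing a hash with a user account is a finding whether or not the password was ever recovered.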

Security considerations:

Retrieving passwords is a fun exercise, but fun is not a synonym for suicide mission. You shall *NOT* perform this exercise on a computer at home, except for practice.

Here is some advice that should help you contain any leakage or theft of your precious passwords.

I hope you enjoyed this article.