Security Forums


Windows 2003 Brute Force Attack Software

Northerner
Just Arrived
Joined: 13 Jun 2005
Posts: 3


Posted: Mon Jun 13, 2005 11:29 am    Post subject: Windows 2003 Brute Force Attack Software

Hi All,

I am testing security on an offline copy of our Active Directory.

I want to test the AD password strength and see how long it would take a client/hacker to decrypt our passwords using a Brute Force Hacking tool to do an attack.

I originally intended using L0phtCrack but this tool requires Admin rights on the DC to gain access to the unencrypted password hashes. This is not something I would expect a hacker to have.

Does anyone know of a tool that will attempt a brute force attack on Windows 2003 usernames/passwords but does not require an agent install? I have seen many tools but they all seem to want to use the password hashes rather than a simple Brute Force attack. For the test the Account Lockout policy is disabled.

I would be very grateful for any information on any tools that people have used to do something similar.

Thanks in advance for any help you can give.

Cheers,

Tony.
njan
Trusted SF Member
Joined: 02 May 2005
Posts: 811
Location: Scotland, UK

Posted: Mon Jun 13, 2005 11:52 am

Quote:

I originally intended using L0phtCrack but this tool requires Admin rights on the DC to gain access to the unencrypted password hashes. This is not something I would expect a hacker to have.


Just because you expect an intruder not to have this sort of access to your DCs doesn't mean they won't get it! There are many intrusion vectors which could cause an attacker to get this sort of access - physical access to any of your DCs will allow them this access, as will several varieties of privilege escalation which are made possible based on your network setup.

There are several groups of users who have access to systems which allows them to gain system or administrator-level access to them; Print Operators, for instance, although non-administrative users, have privileges required to install drivers, and therefore can load any (not just print) drivers into the kernel, allowing them more than enough access to provide them with a means to gain administrative access to your servers!

You also have to be concerned about the human element of your security, which in most infrastructures is the weakest point - disgruntled employees, staff who use the same password for multiple accounts (such as their work account and a home or personal account which may be compromised), and social engineering are all methods through which their logon credentials may either be compromised or shared. In this instance, one of your IT staff might steal or cause to be stolen your logon hashes - an employee who was intending to leave under a cloud might have enough motivation to attempt to steal other employees' logon credentials, for instance, and in this situation, your attacker quite possibly might have administrative access to your DCs!

Quote:

Does anyone know of a tool that will attempt a brute force attack on Windows 2003 usernames/passwords but does not require an agent install? I have seen many tools but they all seem to want to use the password hashes rather than a simple Brute Force attack. For the test the Account Lockout policy is disabled.

There are two likely attack vectors after hashes being grabbed off the machine itself - an attack against hashes sniffed from the network (l0phtcrack will attack hashes gleaned in this way) or a 'simple' authentication brute force attack. There are several specialist tools designed for auditing brute force attacks, such as thc-hydra which comes in a CLI and GTK flavour and supports SMB.
_________________
James Eaton-Lee / njan | ICQ:10807960

Semper Monemus Sed Non Audiunt, Ergo Lartus - (Jean-Croix, courtesy of a.g.s-f)
MattA
Trusted SF Member
Joined: 13 Jun 2003
Posts: 1790
Location: Eastbourne + London

Posted: Mon Jun 13, 2005 12:40 pm

Hydra will also brute just about any other protocol you care to mention.
LDAP included.
_________________
All across the Internet, routers whisper paths they learn to their peers,directing ideas,business transactions and messages to loved one's across this planet. I've held all these in my hand and listened, holding my breath for fear of killing it with a twitch.
AdamV
SF Mod
Joined: 06 Oct 2004
Posts: 4585
Location: Leeds, UK

Posted: Mon Jun 13, 2005 1:46 pm

When you talk about this doing an 'actual' brute force attack on the passwords, this would usually entail repeatedly attempting to create an authenticated connection, e.g. using a net use to a share, or validating against a web server. This will be as slow as these attempts can be validated and turned down, usually not very quickly.

In reality, it would be just as likely for someone to be using a sniffer to get hashes off the network and hack these offline, since they can try hundreds more options per second this way. Improving the security of your hashes is a good start (i.e. disable LM hashes being stored, only use NTLM or ideally NTLM2 as a minimum for authentication; if you still have old clients or NT4 RAS you may not be able to use only NTLM2 - do some checking).

If this is an exercise in testing password strength, then using the hashes is reasonably valid - a 'real' brute force is just trying exactly the same permutations in a different (slower) way.
_________________
"Due to global warming, eskimos now have 20 words for water" John O'Farrell
Meteor IT - Technical Consulting Services and Software Training Courses, Leeds, UK
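The point above, that every guess in an online brute force has to be "validated and turned down" by the server, also means every guess leaves a failed-logon record on the DC, which is the defender's handle on it. The following is an added example, not code from this thread or any tool mentioned in it: it runs a sliding-window count of failed logons per source over constructed sample records. The pipe-delimited export format is an assumption made for the example; the event IDs are the real Windows 2003 ones (529 = logon failure, bad username or password; 528 = successful logon).

```python
"""Spot online password guessing against a Windows 2003 DC from failed-logon events.

Added example, not code from the forum thread. It assumes Security-log records have
been exported to a simple pipe-delimited text form (constructed below); real exports
differ. Event ID 529 is the Windows 2003 "Logon Failure: Unknown user name or bad
password" event, and 528 is a successful logon.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = "529"
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def _constructed_log():
    """Build sample records: timestamp|event_id|target_user|source (constructed data)."""
    base = datetime(2005, 6, 13, 11, 29, 0)
    lines = [
        # one honest mistyped password, then a successful logon
        f"{base:{TIME_FMT}}|529|jsmith|WS-ACCOUNTS",
        f"{base + timedelta(seconds=8):{TIME_FMT}}|528|jsmith|WS-ACCOUNTS",
    ]
    users = ["administrator", "jsmith", "backup"]
    # a fast guesser: twelve failures in twelve seconds, cycling through accounts
    for i in range(12):
        t = base + timedelta(minutes=1, seconds=i)
        lines.append(f"{t:{TIME_FMT}}|529|{users[i % 3]}|10.0.0.55")
    # a slow guesser: one failure every 15 s, which a 60 s / 10-attempt rule misses
    for i in range(12):
        t = base + timedelta(minutes=2, seconds=15 * i)
        lines.append(f"{t:{TIME_FMT}}|529|administrator|SLOW-HOST")
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()


def parse_record(line):
    ts, event_id, user, source = line.split("|")
    return datetime.strptime(ts, TIME_FMT), event_id, user, source


def find_guessing_sources(log_text, window_seconds=60, threshold=10):
    """Return {source: details} for every source that produces at least `threshold`
    failed logons inside any sliding window of `window_seconds`.

    Records are assumed to be in time order per source. Each source keeps a deque of
    recent failures that is trimmed from the left, so memory is bounded by the window.
    """
    windows = defaultdict(deque)
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, source = parse_record(line)
        if event_id != FAILED_LOGON:
            continue
        recent = windows[source]
        recent.append((ts, user))
        cutoff = ts - timedelta(seconds=window_seconds)
        while recent and recent[0][0] < cutoff:
            recent.popleft()
        if len(recent) >= threshold and source not in flagged:
            flagged[source] = {
                "first_seen": recent[0][0],
                "flagged_at": ts,
                "attempts_in_window": len(recent),
                "users": sorted({u for _, u in recent}),
            }
    return flagged


if __name__ == "__main__":
    for source, info in find_guessing_sources(SAMPLE_LOG).items():
        print(f"{source}: {info['attempts_in_window']} failures in 60 s "
              f"starting {info['first_seen']}, accounts {info['users']}")
```

With the defaults only the fast source is reported; the slow one stays under the threshold, which is the usual trade-off between a short window that catches tools running flat out and a longer window (or a lower threshold) that catches deliberately throttled guessing at the cost of more false positives from users mistyping passwords. Keying on the source rather than the target account is what makes the cycling through accounts visible.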
Northerner
Just Arrived
Joined: 13 Jun 2005
Posts: 3


Posted: Mon Jun 13, 2005 2:53 pm

Thanks for your reply Eliza.

I agree it would be slower over the network than using the local LM hashes. We would like a real world test of how many passwords it could gather and how long it would take. I thought there would be more tools to test it than there seem to be (I can't find any).

We plan to enable digitally signed communications to avoid a sniffer gaining access to password hashes and we already use NTLM.

There are various areas of security to cover including physical security where someone could just boot from their own CD-ROM and gain access to the SAM that way.

Does anyone know of a tool that can attempt a "brute force" attack over the network? I appreciate this will be slower.

Thanks again for your help.

Tony.
njan
Trusted SF Member
Joined: 02 May 2005
Posts: 811
Location: Scotland, UK

Posted: Mon Jun 13, 2005 3:18 pm

Quote:

Does anyone know of a tool that can attempt a "brute force" attack over the network? I appreciate this will be slower.



Um.. yup..

Quote:

There are two likely attack vectors after hashes being grabbed off the machine itself - an attack against hashes sniffed from the network (l0phtcrack will attack hashes gleaned in this way) or a 'simple' authentication brute force attack. There are several specialist tools designed for auditing brute force attacks, such as thc-hydra which comes in a CLI and GTK flavour and supports SMB.


..MattA and I have already both pointed out the benefits of hydra.
_________________
James Eaton-Lee / njan | ICQ:10807960

Semper Monemus Sed Non Audiunt, Ergo Lartus - (Jean-Croix, courtesy of a.g.s-f)
AdamV
SF Mod
Joined: 06 Oct 2004
Posts: 4585
Location: Leeds, UK

Posted: Mon Jun 13, 2005 4:32 pm

When you say you use NTLM, have you also ensured that the LM hashes are definitely not saved as well, which is default behaviour for Win2k? (There is a reg key to force them not to be saved.) (NB: if they are saved but not used, then cracking them would not necessarily give a password which could be used over NTLM, but would be close enough to reduce the permutations to peanuts. Force domain admins to use passwords over 14 chars or with special ALT characters which prevent an LM hash even being created.)

Ideally use NTLM2 if you can - NT4 and 98 can both do this (you probably need to install DSClient if not already done), so there are not many times you have to use NTLM only (obviously 2k and above uses Kerberos by default)

I would suggest a first pass test against hashes using a "very weak" combination eg 7 chars or less, alphanumeric only (maybe start with a dictionary and then go on to Brute force. Add extra words to a standard dictionary to include your company name and address, product names etc for example as these might be commonly used).

Anything cracked in this category is so weak you must assume it could be brute forced in a reasonable time (=shorter than your expiry period, which I guess is at least several days). L0pht will automatically include things like trying username as password.

Next pass, extend to say 8 chars and include the more common characters like ?!.
_________________
"Due to global warming, eskimos now have 20 words for water" John O'Farrell
Meteor IT - Technical Consulting Services and Software Training Courses, Leeds, UK
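The advice in the two posts above (online guessing is slow, offline cracking of sniffed or dumped hashes is fast, LM hashes reduce the permutations to peanuts, and anything crackable within the expiry period is too weak) is a back-of-the-envelope calculation, so here it is as one. This is an added example, not code from the thread: the guess rates are assumed, illustrative figures, and the character-set sizes are labelled in the code. The LM figure is an upper bound based on LM's known construction (upper-cased input, split into two 7-byte halves hashed independently, no hash at all above 14 characters).

```python
"""Estimate whether exhaustive guessing beats the password expiry period.

Added example, not from the forum thread. The guess rates are assumed, illustrative
figures: real rates depend on hardware, protocol and lockout settings.
"""
from math import ceil

ONLINE_RATE = 10            # assumed guesses/s for live logon attempts over the network
OFFLINE_RATE = 1_000_000    # assumed guesses/s against captured hashes
SECONDS_PER_DAY = 86_400

# character-set sizes used below
MIXED_ALNUM = 62            # a-z, A-Z, 0-9
MIXED_ALNUM_COMMON = 65     # plus the ? ! . the post mentions
LM_CHARSET = 69             # LM upper-cases input: A-Z, 0-9 and the 33 other printable ASCII


def keyspace(charset_size, max_len, min_len=1):
    """Number of candidates of every length from min_len to max_len inclusive."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def days_to_exhaust(space, rate):
    return space / rate / SECONDS_PER_DAY


def lm_keyspace(length, charset_size=LM_CHARSET):
    """Upper bound on the work to recover an LM hash of a password of this length.

    LM upper-cases the password, pads or truncates it to 14 bytes and hashes the two
    7-byte halves independently, so the halves are attacked separately and their
    costs add rather than multiply. A password longer than 14 characters gets no
    LM hash at all, which is why the post recommends >14 characters for admins.
    """
    if length > 14:
        return 0
    return ceil(length / 7) * keyspace(charset_size, 7)


def cracked_before_expiry(space, rate, expiry_days):
    return days_to_exhaust(space, rate) < expiry_days


def assess(length, charset_size, expiry_days):
    """Summarise the attack modes discussed in the thread for one password policy."""
    ntlm_space = keyspace(charset_size, length)
    lm_space = lm_keyspace(length)
    return {
        "online_days": days_to_exhaust(ntlm_space, ONLINE_RATE),
        "offline_ntlm_days": days_to_exhaust(ntlm_space, OFFLINE_RATE),
        # None means no LM hash exists, so there is nothing to crack
        "offline_lm_days": None if lm_space == 0 else days_to_exhaust(lm_space, OFFLINE_RATE),
        "offline_ntlm_beats_expiry": cracked_before_expiry(ntlm_space, OFFLINE_RATE, expiry_days),
    }


if __name__ == "__main__":
    # the two passes the post proposes, plus a >14-character admin password
    for label, length, charset in [("pass 1: <=7 alnum", 7, MIXED_ALNUM),
                                   ("pass 2: <=8 alnum + ?!.", 8, MIXED_ALNUM_COMMON),
                                   ("admin: 15 alnum", 15, MIXED_ALNUM)]:
        print(label, assess(length, charset, expiry_days=90))
```

At the assumed rates the first pass (up to 7 mixed-case alphanumerics) is exhausted offline in about 41 days, inside a 90-day expiry, but would take thousands of years through live logon attempts; and a 14-character password that is astronomically safe as an NTLM hash costs no more than two 7-character searches as an LM hash. Changing the rate constants is the only thing needed to rerun the estimate for your own measured figures.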
MattA
Trusted SF Member
Joined: 13 Jun 2003
Posts: 1790
Location: Eastbourne + London

Posted: Mon Jun 13, 2005 4:37 pm

Vis-à-vis an attacker's perspective, I'd recommend getting usernames via e-mail addresses or nulling a server and doing user to SID, SID to user, which I'll elaborate on if you wish. A Windows tool for this is Brutus... but it's not as flexible as hydra. hoobie.net IIRC.
_________________
All across the Internet, routers whisper paths they learn to their peers,directing ideas,business transactions and messages to loved one's across this planet. I've held all these in my hand and listened, holding my breath for fear of killing it with a twitch.
Northerner
Just Arrived
Joined: 13 Jun 2005
Posts: 3


Posted: Mon Jun 13, 2005 5:16 pm

Thanks for all the replies and apologies for not noticing the earlier suggestions of Hydra. I am looking at this now but it only seems to attempt passwords from a password list rather than a generated password attack a-z, A-Z, 0-9 & special characters. I will look at this further to see if I can do this.

I will look at NTLMv2 Eliza. Thanks for the advice.

Thanks again everyone. This has been very useful and saved me a lot of time assuming I can get Hydra to work.

Best regards,

Tony
laris
Just Arrived
Joined: 29 Jun 2005
Posts: 4


Posted: Wed Jun 29, 2005 3:07 pm    Post subject: Re: Windows 2003 Brute Force Attack Software

Northerner wrote:
Hi All,

I am testing security on an offline copy of our Active Directory.

I want to test the AD password strength and see how long it would take a client/hacker to decrypt our passwords using a Brute Force Hacking tool to do an attack.

I originally intended using L0phtCrack but this tool requires Admin rights on the DC to gain access to the unencrypted password hashes. This is not something I would expect a hacker to have.

Does anyone know of a tool that will attempt a brute force attack on Windows 2003 usernames/passwords but does not require an agent install? I have seen many tools but they all seem to want to use the password hashes rather than a simple Brute Force attack. For the test the Account Lockout policy is disabled.

I would be very grateful for any information on any tools that people have used to do something similar.

Thanks in advance for any help you can give.

Cheers,

Tony.


Everyone and their mother has L0phtCrack.
Sgt_B
Trusted SF Member
Joined: 28 Oct 2002
Posts: 1147
Location: Chicago, IL US

Posted: Wed Jun 29, 2005 3:24 pm

MattA wrote:
or nulling a server and doing user to sid sid to user

You like making things hard on yourself?

If allowed, use DumpSec or enum. That'll not only give you usernames but group membership as well. Then you can go right after the enterprise and domain admin accounts.

user-sid, sid-user is nice if they're only allowing a wee little bit of access via NULL sessions.
_________________
Managing Partner - The BTB Group
MattA
Trusted SF Member
Joined: 13 Jun 2003
Posts: 1790
Location: Eastbourne + London

Posted: Wed Jun 29, 2005 4:15 pm

It's too much *nix .... I forgot about those windows utils, and I've currently got a head full of CHECK guidelines, where you need to explain how the tool works as you're using it mutter mutter mutter.
_________________
All across the Internet, routers whisper paths they learn to their peers,directing ideas,business transactions and messages to loved one's across this planet. I've held all these in my hand and listened, holding my breath for fear of killing it with a twitch.