• Oxford: +44 (0)1865 877830 
  • Manchester: +44 (0)161 713 0176 
  • Edinburgh: +44 (0)131 541 0118 
  • New York: +1 646-781-7580 
  • Bucharest: +40 316 301 707 
  • Tokyo: +81 (3) 4588 8181 

Active Directory Password Auditing (2012)

You are here

18

Oct

Active Directory Password Auditing (2012)

A customisable and straightforward how-to guide on password auditing during penetration testing and security auditing on Microsoft Active Directory accounts.

Update October 2016: A more recent guide can be found in a more recent blog post here.

I do a lot of password auditing during penetration testing and security auditing, mostly on Windows Active Directory accounts. There are lots of different ways of doing this. The method I discuss here I have found to give consistently good and relatively quick results, as well as being relatively straightforward and easily extendable and customisable.

First, the obligatory disclaimer. The tools used in the process are those which I have developed a personal preference for over the years, and are in no way intended as a tacit recommendation of any particular tools. On a related topic, I take no responsibility for any damage caused by the incorrect use of any of these tools, or the process discussed below. I assume a certain level of technical knowledge on your part, and I also assume that you have authorisation to perform the steps discussed below.

So, disclaimers aside, you will require a few things before we begin. These are:

• A "Domain Admin" or equivalent account for the systems you will be auditing.
• A designated auditing workstation – this should NOT be a domain controller or production server.
• The security testing tool Oxid Cain, downloadable from http://www.oxid.it/cain.html
• A password dictionary.

There are a number of these available online, or you can create your own wordlist based on your organisation.
The dictionary should be all lowercase, and avoid number substitution, as Cain will modify the dictionary entries automatically.
Symbols (such as !@#?<> etc.) are ok, but ensure that you also have the non-symbol equivalents listed in the dictionary.

Optionally, you can also utilise rainbow tables, however I would recommend that you understand the nature of Windows password hashing, before attempting to use these. Both rainbow tables and Window password hash mechanisms are discussed in the articles below:

http://en.wikipedia.org/wiki/Rainbow_tables
http://en.wikipedia.org/wiki/LM_hash
http://en.wikipedia.org/wiki/NTLM

Please note that Oxid Cain, and its related service Able, are flagged by most anti-virus and anti-malware solutions as malicious software. As such, you may need to configure exceptions for these, however I would strongly advise that this is not set up as a blanket rule and is only configured on the specific auditing workstation, and on a target domain controller for only as long as is needed to perform steps 8 to 12 in Part 1, below.

Part 1 – Obtaining the Password Hashes

1) Download and install Oxid Cain on the designated auditing workstation.

2) Open Cain, and ignore the firewall warning. The firewall setting will not affect what we are doing here.

3) You should now be faced with the default Cain interface.

4) For our purposes, we are interested in the "Network" tab and the "Quick List" node, so go ahead and open them.
Please note that some people prefer to use the "Microsoft Windows Network" node however I have had mixed-results with this, and find the "Quick List" to be more reliable.

5) Right-click on "Quick List" and choose "Add to Quick List", then enter the name or IP address of your target system, for our purposes, this is a domain controller.

6) The system, indicated by IP address will now appear in the "Quick List". Right-click on it, and choose "Connect As", and then enter the credentials of the "Domain Admin" equivalent account. Please note that you may need to enter the username in full domain syntax – e.g. "domainadmin@mydomain.local".

7) Assuming that the connection is successful, you should now be able to expand the system node, and select the "Services" node.

8) Right-click on "Services" and choose "Install Abel". This will attempt to upload, and start the "Able" service on the target system.
The most common reason for this failing is due to anti-virus or anti-malware protection filtering it.

9) Assuming that the service uploads and starts successfully, double-click on the system node TWICE, to close and then re-open the node. This will cause the tree to refresh, and it should now show the "Abel" node.

10) Expand the "Abel" node and select "Hashes". This will attempt to extract the password hashes from Active Directory. Normally, you will not need to extract the password history for a straightforward password audit. You should now be presented with a screen showing something like this:

User Name       RID   < 8    LanMan Hash    NT Hash
Administrator  500     *      AAD3B43...      31D6CFE...

11) Right click the table, and choose "Send All To Cracker".

12) Go back to the "Services" Node, right-click on the "Able" service in the list, and choose "Remove".

This will stop, and remove the "Able" service from the target system.

13) Right-click on the system node, and choose "Disconnect".

Part 2 – Cracking the Hashes

1) Choose the "Cracker" tab in Cain. This should show a table similar to that below:

User Name     LM Password   < 8    NT Password     LM Hash
Administrator   * empty *       *          *          AAD3B43...

2) Active Directory stores password hashes for users and computers. We are not interested in the computer account password hashes, so remove them by right-clicking in the hashes window, and choosing "Remove Machine Accounts".

3) With the remaining hashes, right-click and choose "Select All".

4) Right-click again, and choose "Dictionary Attack" -> "LM Hashes".

5) Import your password dictionary, leave the default options as they are for now – although as you get more familiar with password auditing you may wish to modify these, and then click "Start". This will likely take a while.

6) Once this process has finished, and you have hopefully cracked some passwords, click on "Exit". Then, right-click the password hashes list again, and this time choose "Dictionary Attack" -> "NTLM Hashes".

7) Right-click the "Dictionary" list and choose "Reset all initial file positions".

8) Change the default options, selecting those listed below, and then hit "Start". This could take a VERY long time, so be patient.

As Is (Password)
Reverse (PASSWORD – DROWSSAP)
Double (Pass – PassPass)
Lowercase (PASSWORD – password)
Num. sub. Perms (Pass,P4ss,Pa5s,...P45s...P455)
Case perms (Pass,pAss,paSs,...PaSs,...PASS)
To numbers Hybrid Brute (Pass0...Pass99)

9) Once the process is completed, and you hopefully have some more cracked passwords, click "Exit", and then you should be faced with a long list of users, some with cracked passwords and some without.

10) At this point it is advised to close Cain, and take a copy of the raw data file, which contains the usernames, passwords, and password hashes as a "TAB" delimited list, before you do anything else. The file is located at the following path by default, although it may be different on your system:

C:\Program Files (x86)\Cain\lmnt.lst

11) Re-open Cain, or import the lmnt.lst into a spreadsheet, then review the passwords as required.

Posted by Dave

Leave a comment