One of the most common recommends that I’ve found myself making to clients over the last year or two has been regarding updating their password policy. Every organization has a password policy of some type, but rarely do they test it to see how effective it really is against realistic attacks. I’ve done just that on numerous adversarial emulation engagements and, at the risk of making my job harder for myself, you guys all suck at passwords. Here’s the deal:
How To Get Hashes
First, I’m not talking about brute-forcing a live system to get access to some resource. I’m talking about obtaining hashes and cracking them offline. That way when I log into your system, I’m accessing it using legitimate credentials and never have a failed login attempt - ensuring that your SIEM log trigger for “5 Failed Logons” doesn’t trip.
So how do we get hashes? What kind of hashes? Well, there are a lot of different ways that we can get hashes on a traditional Windows-based enterprise network.
The first is the traditional NTLM password hash. You can obtain these hashes by dumping the SAM file on a Windows system that you have administrative access to. You can also run a variety of tools like Mimikatz, hashdump, etc. and get these hash values. Note that all of those techniques require local administrative permissions, but as we’ve seen frequently the ability to locally own one system often leads to subsequent compromise due to the re-use of local account passwords or other methods for lateral movement. If you have access to a domain controller or dcsync abilities, you can get the hashes from a large number of domain accounts as well.
The other main kind we’re going to talk about are NetNTLMv1 and NetNTLMv2 hashes - used for SMB authentications. We can obtain these hashes using something like Metasploit or Responder.py, but if we’re being stealthy we’re using Inveigh running in memory. These are challenge-response hashes where as the attacker, we’re able to control the challenge which aids us in cracking the hashes, but we can’t just straight up use them for pass-the-hash like we could with the NTLM hashes.
On any enterprise network on which you have administrator access to at least one system, you’re going to be able to start getting hashes. The more you expand your access, the more hashes you obtain. And the more you obtain, the better you’ll be able to break them. Even better, I can enumerate exactly what your domain password policy is as a standard user, letting me know how many characters you’re required to have in a password.
One of the frequent rebuttals that we get to this is “If you have the hash, who cares? You’re not compromising the account any more thoroughly” - but that’s wrong. The ability to have the password to an account enables you to impersonate the user a lot more thoroughly, including logging into accounts natively, accessing email, reusing that password on other types of accounts linked to the user, etc. Remember, realistic objectives is key - domain administrator is the first step to an enterprise compromise, not the last.
Setting The Stage
If you’re not familiar with oclHashcat, you should check it out. It’s a fantastic GPU-based password cracking software that makes short work of hashes on relatively inexpensive software. On their website, they have performance metrics for some basic hardware configurations. I’ll direct your attention to “PC1” for this example.
PC1 has an AMD Radeon HD 7970 video card, which can be purchased on Amazon for around $220. This is a pretty commodity video card for gaming, something that your college roommate who loved building his own gaming rigs would be likely to purchase. It can try 16,916,000,000 permutations per second against NTLM hashes. The set of all possible 8-character passwords (using traditional ASCII characters) is 6,634,204,312,890,620 permutations. PC1 can bruteforce the entire space in 4.5 days.
That’s every possible 8-character password in a 4.5 days on a single gaming PC. Then we move onto people who have botnets of thousands of computers mining bitcoins (or breaking hashes), purpose-built computers with multiple video cards, and into nation-state level capabilities with FPGAs and ASICs. At that point, our 4.5 days shrinks to hours or minutes. If we had a botnet of 1,000 copies of PC1, we could brute-force the entire 8-character space in a theoretical 39 seconds (not accounting for overhead due to tasking, etc.).
Note: Of course we’re only talking about 8-character passwords, but I’ve seen several large organizations (including Fortune 500 companies) who have a company-wide password length requirement of 8 characters. What we’ve seen is that most (handwave: 75%?) employees in most companies only do the minimum when it comes to password lengths.
Complex Attacks
But let’s be realistic - anyone with a longer security policy isn’t really going to fall victim to the pure brute force attack. The attack times for 12+ character passwords are in the centuries (or longer), so we’ve got to work smarter. To tackle that, we look at hybrid attacks like Hashcat’s rule-based attack.
Within our practice, we go and build databases of real passwords. There are a lot of word-lists out there from real data breaches and other collections and we try to grab as many as possible. Then we combine them, removing duplicates, etc. and add things like our client’s name, locations, and other relevant bits of information. Then we apply an intelligent set of rules against them.
These rules account for everything that we know people do with their passwords. Do they add a number-symbol combination at the end for complexity requirements? Do they capitalize the first letter? Do they use leet-speak combinations to turn a into @ and the like? Do they add the year or month to a word? Computers can very easily run these permutations against dictionary words, increasing our effectiveness at breaking “complex” enterprise passwords.
With that information, we’re shockingly effective at cracking dictionary-based passwords, including those of 16+ characters. I think one of the longest we cracked (within a week, no less) was 25 characters long. And of course, we take all of our cracked passwords and add them back. Within our engagements, if we don’t crack passwords within a week, we typically give up and move on - it’s not worth the effort to go further, but that’s definitely not the case for real attackers.
Terrible Advice and Your Keyboard
One of the most amusingly terrible pieces of advice that I’ve seen around passwords is the “Come up with a phrase, then use the first letter of every word to create your password” rule. That quoted phrase would then be “Cuwap,tutfloewtcyp” as your password. That’s a great password, but everything newer than Windows 2003 allows 127-character passwords. If we have to remember the entire phrase as our mnemonic, then why not use the entire phrase as our password? It creates a much stronger password.
Side note: does nobody but me ever use the space key when creating passwords? Seriously, use the damned space bar. Gives you a free character and it’s counted as a symbol.
What we’ve seen is that complicated password policies don’t work - when people are forced to create 12+ character passwords with a minimum of 3 symbols, 2 numbers, and a partridge in a pear tree, they take the easy route. They do keyboard walks. Unfortunately for them, our dictionary files include those keyboard walks.
I was on an engagement with a client for several months, we’d dumped the domain’s passwords and threw them into the password cracker. We broke out 12 different domain administrators who all used keyboard walks as their passwords, including several service accounts. The likelihood of those getting changed was pretty much never, ensuring that we had persistent domain administrator credentials forever.
Recommendations
So what do I recommend? Personally, I’d recommend that you create a multi-word phrase based on dictionary words, ensuring it’s easy to remember and yet hard for computers to break. You can do something like Diceware or this generator. Even more flexible is this generator with a custom configuration.
{ “num_words”: 6, “word_length_min”: 4, “word_length_max”: 8, “case_transform”: “NONE”, “separator_character”: “ “, “padding_digits_before”: 0, “padding_digits_after”: 0, “padding_type”: “NONE”, “random_increment”: “AUTO” }
Then I’d recommend you change your corporate password policy to remove the complexity requirement and increase the minimum length to 20+ characters. And then you have to educate your users on this, or else they’ll have absolutely no idea on how to cope.