RE: How do you conduct a password audit?



That's a good point and good concern. We had originally investigated doing it over WMI or with AD, and we weren't able to come up with what we wanted (if anyone knows of a way to do this though, by all means, please share!)

pwdump6 gave us exactly what we wanted with no fuss. We've not encountered any issues with crashes or av, but your mileage may vary. It's licensed under the GPL, so if such a bug was ever encountered, I would just fix it after apologizing profusely to the Windows Engineering Team :)

________________________________________
From: Vincent Maury [maurybond@xxxxxxxxx]
Sent: Friday, May 13, 2011 1:36 PM
To: Jeremi Gosney
Cc: wyfr1972@xxxxxxxxx; Julius K.; security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: How do you conduct a password audit?

Hi,

thanks for this great tuto.
However, dumping the hashes using pwdump6 can be very dangerous, as this
program performs DLL injection on LSASS. So if the injection contains
any bug, or if a antivirus is installed, that may crash the system!
Are you aware of any alternative solution to extract the hashes with no
potential damage? Like requiring some WMI or Active Directory?

Thank you in advance for your answer,

Vincent


Le 13/05/2011 20:09, Jeremi Gosney a écrit :
Well of course you should have a password complexity policy, but the point of the audit is to perform some governance to ensure the effectiveness of the policy. Your requirements might be mixed alphanum, length greater than 9, with at least one special character, and you'll still have people selecting passwords like Autumn2008*. The point of performing the audit is to ensure that your password complexity policy is as effective as you thought it was when you implemented it, and to ensure your users are being properly trained on how to select strong passwords (hopefully you do some sort of mandatory annual security training for all employees which covers this topic.)

Management should be supportive. You don't have to phrase it any certain way; in fact, you should be up-front about your intentions. The typical verbage I use is something along the lines of: "I will be conducting a password audit of all AD accounts to test the effectiveness of the corporate and production password complexity policies. This will entail dumping all of our password hashes and using common hash-cracking practices to attempt to break each hash. The results of the audit will determine whether our policy is strong and sufficient, or if we should adjust the policy. It will also help identify those individuals who might need to be re-trained on selecting strong passwords." Their response should be nothing more than "right on, let me know how it goes."

So that said, the following is how we typically conduct our password audits.

Preparation. You will need the following:

1. Large, real-world wordlists. Probably no less than 4GB of unique words / actual plaintexts. The RockYou wordlist is a great foundation to build upon. Check out http://www.skullsecurity.org/wiki/index.php/Passwords if you're low on wordlists.

2. Rainbow tables. LM is completely compromised, so rcracki_mt with lm_all-space#1-7 from freerainbowtables will be a major win. Up to you if you want to get NTLM tables as well, they might not be as useful. Ophcrack is good too, if you can afford the xp_special and/or vista_special tables.

3. Cracking tools. You'll want pwdump6 to dump hashes from a domain controller. For cracking the hashes, you'll want john the ripper (jtr), oclHashcat (oclhc), oclHashcat+ (oclhc+), and maskprocessor (mp). You'll also want a copy of PACK to help perform some analysis. You'll also need some l33t-ass Bash scripting or Powershell skills for manipulating wordlists and plaintext lists.

4. Hardware. Faster it is, less time you have to wait. We use a Phenom II X6 1090T with 4x Radeon HD 5870s. Pretty beastly for hash cracking, and cost less than $2k to procure. If you can get budget for such a box, it'll be worth it.

Procedure overview:

1. Dump all the hashes with pwdump6 as domain admin against domain controller. Use some awk magic to split out the LM and NTLM hashes from the pwdump file (some tools accept pdwump format, some don't.)

2. Kick off your rainbow table lookups, because these will take a while. Whenever they finish, record how many hashes were in the rainbow tables (for LM, should be all of them.)

3. Run jtr in single mode against the pwdump file. It'll run super quick, and you'll probably be surprised how many hashes you get.

4. Run a dictionary attack against each hashtype using either oclhc+ or jtr. Record how many of the passwords were found directly in your wordlists, as this is a great statistic.

4. Run a hybrid attack with oclhc+ using your wordlists + mangling rules (found in the rules/ directory of oclhc+). Record how many hashes were permutations of words in your wordlists. This is another great statistic because most people think if they append numbers or characters to a word or replace letters with numbers it magically makes their password strong -- this will instantly prove them otherwise.

5. You should have a decent amount of plaintexts now. Create a wordlist based on all the plaintexts you have, and maybe mangle up and transform the plaintexts a bit to expand the wordlist, then run them back through oclhc+ with your mangling rules. This should crack most of the *_history hashes, identifying all of those individuals who only change one or two characters of their password when it expires.

6. Run PACK's dictstat.py against your plaintexts to generate some statistics. Use the advanced mask statistics to start brute forcing the most used patterns. These masks plug right into oclhc.

7. Create a .chr file for jtr based on the plaintexts you've cracked, too, and kick off an incremental mode against all of your hashes using this .chr file.

8. As you collect more plaintexts while your rainbow table lookups and brute force attacks run, do some manual analysis as well. You should be able to write your own rules file for oclhc+ based on patterns you've identified in your plaintexts. You might also find some words through brute force and rainbow table lookups that you didn't have in your word list. Loop back to step 5 and repeat.

With the statistics you've collected from cracking (hashes in dictionaries, hashes in rainbow tables, hashes that were permutations of dictionary words, users who only change one or two characters when their password expires, etc) plus the statistics generated from PACK, plus with your own manual analysis of the plaintexts (including what the most used passwords were, and what you think the weakest passwords were that matched your complexity policy), you should be able to come up with some pretty conclusive results. Depending on the audience, you might want to make a PowerPoint presentation with graphs and such, or you might just want a plain report with raw stats.

This isn't an all-inclusive methodology, but it's a good overview. I've found this process to be quite effective.

Hope that helps!
Jeremi

________________________________________
From: listbounce@xxxxxxxxxxxxxxxxx [listbounce@xxxxxxxxxxxxxxxxx] on behalf of Julius K. [julius_bugs@xxxxxxxxx]
Sent: Friday, May 13, 2011 9:25 AM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: RE: How do you conduct a password audit?

It might be very time consuming to conduct such audits. I think a better
approach is to set up a password creation policy that dictates the types of
characters that must exist in a password, and the rules governing the patterns,
e.g. do not use numbers that follow each other or passwords u have used before.

Plus couple that with a password expiration policy.
And then go have a kit kat bar! :)

But I do like the idea of a cron job scanning the shadow file.

________________________________________
From: listbounce@xxxxxxxxxxxxxxxxx [listbounce@xxxxxxxxxxxxxxxxx] on behalf of wyfr1972@xxxxxxxxx [wyfr1972@xxxxxxxxx]
Sent: Friday, May 13, 2011 4:47 AM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: How do you conduct a password audit?

Hi folks,

I have many questions on this. I've learnt a lot from SecBasics, but now I have a few questions of my own. I want to carry out a password audit for my company, but I'm not sure how to proceed.

Firstly, how do I broach the subject with management? Are there are standards/methodologies online that I can use to back up my request to management?

Then, how do you conduct the audit? We have a mix of devices Windows/Solaris/Unix/Checkpoint/Cisco/network printers/etc.

How do I phase the work for best effect? How do I present my findings?

Thanks for your advice and help in advance.

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------



------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------



------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------



Relevant Pages

  • RE: How do you conduct a password audit?
    ... Dump all the hashes with pwdump6 as domain admin against domain controller. ... Run a dictionary attack against each hashtype using either oclhc+ or jtr. ... Use the advanced mask statistics to start brute forcing the most used patterns. ... How do you conduct a password audit? ...
    (Security-Basics)
  • Re: How do you conduct a password audit?
    ... However, dumping the hashes using pwdump6 can be very dangerous, as this program performs DLL injection on LSASS. ... How do you conduct a password audit? ...
    (Security-Basics)