Ethical hacking: Breaking windows passwords by Blackhat Pakistan 2023
In This article we will cover Ethical hacking: Breaking windows passwords.
Windows is currently the most common desktop platform. As a result, it’s not uncommon for hackers to come across a Windows password that they need to crack in order to gain access to a specific account on a computer or move laterally across a network.
In the past, Windows passwords were very easy to crack. The design of the original LANMAN password hashing algorithm had the following shortcomings:
- Password is limited to 14 characters
- Force all letters to uppercase
- No salting
- Passwords split into two pieces and separately hashed
As a result, passwords stored in the LANMAN format were trivially easy to crack.
With NTLM, cracking Windows passwords is more difficult, but still possible. NTLM is weaker than modern algorithms because it is based on the MD4 cipher. Although it has been replaced by Kerberos for network authentication, NTLM is still used to store passwords locally in the Windows SAM file.
Cracking windows passwords
Because the Windows hash function is based on the weak MD4 algorithm, these passwords are often easier to crack than passwords protected by an equivalent modern cipher. Cracking a Windows password hash consists of three steps:
- Getting the hash
- Tool selection
- Choosing a cracking technique
For all of these stages, the best choice often depends on the details of the ethical hacking involved and the intended goal.
Getting password hashes
Windows password hashes can be obtained in several different ways.
The most common is their collection directly from the given machine. Windows password hashes are stored in a SAM file; however, they are encrypted with the system’s boot key, which is stored in the SYSTEM file. If a hacker has access to both of these files (stored in C:WindowsSystem32Config), the SYSTEM file can be used to decrypt the hash values stored in the SAM file. The SAM file is not directly accessible on a running Windows system, but can be accessed using tools like Mimikatz or using the reg command (if the hacker has SYSTEM privileges).
Password hashes can also be stolen by taking advantage of remote server authentication. A hacker who sends a user a link to a file on a server controlled by the hacker can trick the target computer into trying to authenticate with current credentials. This allows a hacker to steal password hashes using a well-crafted phishing email.
Both of these techniques have their pros and cons. Stealing a Windows SAM file requires access to the target computer, but can steal multiple password hashes at once. A phishing attack allows an attacker to steal the hash remotely, but may require an unpatched computer and access to certain ports through firewalls that get in the way.
Password cracking tools
The next step in the Windows password cracking process is choosing a password cracking tool. There are a number of different Windows password crackers, including:
- Hashcat: Free and open source password cracker for all desktop operating systems with GPU support
- John the Ripper: Available in free (all operating systems) or Pro (*nix operating systems).
- Ophcrack: A password cracker for all operating systems that specializes in cracking Windows passwords
While these are functional tools, hashcat and John the Ripper are often the most popular due to their support for various hash formats.
Choosing a cracking technique
Most Windows password cracking tools allow for any of the three main password cracking techniques. The choice of which technique to use depends primarily on the expected behavior of the target.
Most people use extremely weak passwords. The average person probably uses a dictionary word with common substitutions (0 for O, 4 for A, etc.) and potentially a special character and a few numbers tacked onto the end. A password cracker with a standard English dictionary can easily crack these passwords.
For slightly more advanced passwords, it is useful to have a dictionary of the most used passwords. These passwords have been exposed as a result of recent data breaches and are available online either for free or possibly at cost (for more curated lists). However, a 2018 analysis of cracked passwords found that 3% of people used the password 123456 and more than 10% used the 25 most common passwords, so in many cases an extensive list may not be necessary to gain access.
Brute force attack
Brute force attacks are the only way to be sure of success in cracking a password. By trying all possible passwords for the system, you are guaranteed to find the correct password.
Strong password systems are designed to make this type of attack computationally infeasible. However, Windows password storage systems have not kept pace with password cracking technology. The minimum password length is usually eight characters and allows a full range of letters, numbers and special characters.
While it may have been secure in the past, it can now be defeated by a hacker with access to the right hardware and software. In February 2019, team building hashcat reported that the tool could be used to search the entire eight-character password space in about 2.5 hours. Since most users choose a minimum length when creating a password (especially when the configuration may require uppercase, lowercase letters, numbers, and special characters), this means that these passwords can be cracked in a matter of hours.
Also Read:BIOS/UEFI Forensics:Firmware Acquisition and Analysis Appr0aches
Dictionary and brute-force attacks create trade-offs between speed and guarantee of success. Most tools also support a hybrid attack mode that first performs a dictionary attack and then switches to a brute force attack if unsuccessful. These tools contain a lot of expertise and optimization, which makes them extremely effective in cracking passwords.
Conclusion: Cracking Windows passwords
Every Windows password hash can be cracked in Ethical hacking. However, the amount of time and resources this requires may not be feasible for ethical hacking engagement. Before running the tool and trying to crack a password, it’s always helpful to use knowledge of the target to make the process easier.
Most users will do the bare minimum to meet an organization’s password requirements, so trying to learn them (whether by searching around or making a social engineering phone call) can greatly reduce the time and effort required to crack a particular password hash.
Sources of Ethical hacking
- Use an 8-char Windows NTLM password? Don’t. Every single one can be cracked in under 2.5hrs, The Register
- I can get and crack your password hashes from email, CSO
- The most popular passwords of 2018 revealed: Are yours on the list?, WeLiveSecurity
- LM, NTLM, Net-NTLMv2, oh my!, Medium