Wednesday, 7 July 2010

Cracking Windows passwords with fgdump and John the Ripper

This information is for educational purposes only. Do not break the law. Only use these techniques on your own test network, or where you have express permission. Remember it is your Karma, and see the mitigations for these threats at the bottom of this article.

Backtrack contains several flexible and powerful password brute-forcing tools, including Rainbowcrack, Hydra, Medusa, and John the Ripper.

John the Ripper (jtr) is very easy to use, but first we need some hashes to crack.

There are a several ways of getting the hashes, here are some examples of methods I have successfully used in pentests.
  1. Pwn a system with Metasploit, and use the "use priv" and "hashdump" commands to obtain the local password hashes
  2. Use pwdump.exe to dump the local password hashes of a system
  3. Use fgdump.exe to dump all domain passwords remotely from a domain controller (having already pwned a domain administrator password)
Looking more closely at option 3. here is the syntax that could be used, where username and password are the previously obtained details of a domain admin:

c:\ fgdump.exe -h hostname -p password -u username

This is a very flexible tool, and more advanced options for fgdump.exe are available here http://www.foofus.net/~fizzgig/fgdump/fgdump-usage.htm

Whichever of these ways is used you will get a hash-dump file, this file will typically have a format which looks something like this:

MyUser:1188:E52CAC67419A9A224A3B108F3FA6CB6D:A4F49C406510BDCAB6824EE7C30FD852:::

As you can see, we have two types of hashes here, an LM hash (starting E52C) and an NTLM hash (starting A4F4)

To run a basic crack with jtr, you could use the following commands:

john

(This runs a script which sets up a few things and puts you in the correct directory, then...)

./john passwordhashes.txt
Loaded 1 password hashes with no different salts (LM DES [128/128 BS SSE2])
D                (MyUser:2)
PASSWOR          (MyUser:1)


And in a few seconds, bada bing bada boom, you have some passwords ;o)

As you can see, because of the way that LM hashes are created and stored, they are cracked in two halves which are only 7 characters long and uppercase only, which makes them much quicker crack - and so less secure. Dictionary and hybrid attacks are used by default, making the use of this tool very easy. 

John also keeps track of hashes it has cracked already in the john.pot file, so take note of that too.

For more info, take a look at http://www.openwall.com/john/doc/

Mitigations for these tools and techniques could be:
  • Many Antivirus products will block tools such as fgdump.exe and pwdump.exe as "hacking tools", which can prevent basic users from using these tools on their systems
  • Strong password policies and regular audits can prevent easy dictionary words being used as passwords, and enable regular password changes
  • Disabling LM hashes makes hash cracking more timeconsuming from the attackers perspective
  • Long NTLM passwords are very timeconsuming to attack with brute force
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)