Wednesday, 7 July 2010

Cracking Windows passwords with fgdump and John the Ripper

This information is for educational purposes only. Do not break the law. Only use these techniques on your own test network, or where you have express permission. Remember it is your Karma, and see the mitigations for these threats at the bottom of this article.

Backtrack contains several flexible and powerful password brute-forcing tools, including Rainbowcrack, Hydra, Medusa, and John the Ripper.

John the Ripper (jtr) is very easy to use, but first we need some hashes to crack.

There are several ways of getting the hashes; here are some examples of methods I have successfully used in pentests.
  1. Pwn a system with Metasploit, and use the "use priv" and "hashdump" commands to obtain the local password hashes
  2. Use pwdump.exe to dump the local password hashes of a system
  3. Use fgdump.exe to dump all domain passwords remotely from a domain controller (having already pwned a domain administrator password)
Looking more closely at option 3, here is the syntax that could be used, where username and password are the previously obtained details of a domain admin:

c:\ fgdump.exe -h hostname -p password -u username

This is a very flexible tool, and more advanced options for fgdump.exe are described at http://www.foofus.net/~fizzgig/fgdump/fgdump-usage.htm

Whichever of these ways is used, you will get a hash-dump file. This file will typically have a format which looks something like this:

MyUser:1188:E52CAC67419A9A224A3B108F3FA6CB6D:A4F49C406510BDCAB6824EE7C30FD852:::

As you can see, we have two types of hashes here: an LM hash (starting E52C) and an NTLM hash (starting A4F4).


To run a basic crack with jtr, you could use the following commands:

john

(This runs a script which sets up a few things and puts you in the correct directory, then...)

./john passwordhashes.txt
Loaded 1 password hashes with no different salts (LM DES [128/128 BS SSE2])
D                (MyUser:2)
PASSWOR          (MyUser:1)



And in a few seconds, bada bing bada boom, you have some passwords ;o)

As you can see, because of the way LM hashes are created and stored, they are cracked as two independent halves, each at most 7 characters long and uppercase only, which makes them much quicker to crack, and so less secure. Dictionary and hybrid attacks are used by default, making the use of this tool very easy.
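The weakness described above is visible in the dump file itself, because the LM field tells you whether an LM hash is stored at all and whether the password was 7 characters or fewer. The following audit script is an added example, not code from the original post or from fgdump/John; the sample dump is constructed (only the MyUser line is the record from the post, the other hash values are made up).

```python
# Added example, not from the original post: audit a pwdump/fgdump-format dump for
# accounts whose stored hashes reveal weak or legacy password storage.
EMPTY_LM = "AAD3B435B51404EEAAD3B435B51404EE"  # LM hash of "": LM disabled or blank password
EMPTY_LM_HALF = EMPTY_LM[:16]                  # 2nd half of any LM hash of a <=7-char password
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"  # NT hash of "": blank password

def parse_pwdump_line(line):
    """Split user:rid:lmhash:nthash::: into fields; returns None for malformed lines."""
    parts = line.strip().split(":")
    if len(parts) < 4 or not parts[1].isdigit():
        return None
    return parts[0], int(parts[1]), parts[2].upper(), parts[3].upper()

def audit_record(user, rid, lm, nt):
    """Return the list of issues for one record (empty list means nothing to flag)."""
    issues = []
    if nt == EMPTY_NT:
        issues.append("blank password")
    if lm != EMPTY_LM:
        issues.append("LM hash stored (crackable as two 7-char uppercase halves)")
        if lm[16:] == EMPTY_LM_HALF:
            issues.append("password is 7 characters or fewer")
    return issues

def audit_dump(text):
    """Return (user, rid, issues) for every record with at least one issue, in file order."""
    findings = []
    for line in text.splitlines():
        rec = parse_pwdump_line(line)
        if rec is None:
            continue  # skip blank, comment or malformed lines
        issues = audit_record(*rec)
        if issues:
            findings.append((rec[0], rec[1], issues))
    return findings

# Constructed sample: line 1 is the MyUser record from the post; the other LM/NT values
# are made up (svc_backup uses the empty-string hashes, "short" has an invented first half).
SAMPLE_DUMP = """\
MyUser:1188:E52CAC67419A9A224A3B108F3FA6CB6D:A4F49C406510BDCAB6824EE7C30FD852:::
svc_backup:1201:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
jdoe:1202:AAD3B435B51404EEAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:::
short:1203:0123456789ABCDEFAAD3B435B51404EE:FEDCBA9876543210FEDCBA9876543210:::
"""

if __name__ == "__main__":
    for user, rid, issues in audit_dump(SAMPLE_DUMP):
        print(f"{user} (RID {rid}): " + "; ".join(issues))
```

Running it against a real dump lists exactly the accounts the mitigations at the bottom of this article are aimed at: those still storing LM hashes, those with short passwords, and those with no password at all.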

John also keeps track of hashes it has cracked already in the john.pot file, so take note of that too.

For more info, take a look at http://www.openwall.com/john/doc/

Mitigations for these tools and techniques could be:
  • Many antivirus products will block tools such as fgdump.exe and pwdump.exe as "hacking tools", which can prevent basic users from running these tools on their systems
  • Strong password policies and regular audits can prevent easy dictionary words being used as passwords, and enforce regular password changes
  • Disabling LM hashes makes hash cracking more time-consuming from the attacker's perspective
  • Long NTLM passwords are very time-consuming to attack with brute force

7 comments:

  3. Hi guys, I feel so happy that I am the first person here to comment that is not a spam-bot
