Group51.org

Make Password Policies Work for You (the Attacker)!

This isn’t anything new, so some of you may already know most of what I’m going to talk about, but for those who don’t, hopefully you find this information useful.

I’ve noticed that a lot of people, when attacking authentication, whether with Medusa, Hydra, JtR, or whichever tool, tend to throw the biggest dictionary they can find at it and wait until something pops. It’s not that this method doesn’t work, but it takes forever, and sometimes you just don’t have the time or the cycles to spare. Rainbow tables can speed things up, but only against unsalted hashes you have already captured, not against a live login. What I’m getting at is different: you can cut your dictionary down and build a custom wordlist for your specific target, and I think you’ll find much quicker success with it.

Ways of going about this are pretty straightforward. If you happen to know the password policy of your target organization, say they require numbers, capital letters, or even some special characters, you can really narrow down your wordlist. Even further, if you know (and can sometimes easily guess) where the number or capital letter sits in the password, typically a capital at the start and digits at the end, you can use masks in Hashcat, which I’ll get to in a bit, to really beef up the effectiveness of your wordlist and of the overall attack. Just one example of how to find such a policy is rpcclient (provided in BackTrack), pointed at the target host and using a null session (empty username, empty password):

root@bt:~# rpcclient -U ""
Enter 's password:
rpcclient $> enumdomusers
...
user:[bob] rid:[0xbba]
...
rpcclient $> getusrdompwinfo 0xbba
min_password_length: 0
&info.password_properties: 0x88a05584 (2292209028)
0: DOMAIN_PASSWORD_COMPLEX
0: DOMAIN_PASSWORD_NO_ANON_CHANGE
1: DOMAIN_PASSWORD_NO_CLEAR_CHANGE
0: DOMAIN_PASSWORD_LOCKOUT_ADMINS
0: DOMAIN_PASSWORD_STORE_CLEARTEXT
0: DOMAIN_REFUSE_PASSWORD_CHANGE

Nothing too crazy in that output (no minimum length, and complexity is off), but more information can’t hurt. Another tool I’ve found plenty useful is CeWL, a custom word list generator written by Robin Wood (@digininja). Just point it at your target website, give it whichever options you like, such as spidering further through links, and it will crawl the page(s) and feed you a potentially very useful dictionary. From its README:

Based on a discussion on PaulDotCom about creating custom word lists by spidering a target’s website and collecting unique words, I decided to write CeWL, the Custom Word List generator. CeWL is a Ruby app which spiders a given URL to a specified depth, optionally following external links, and returns a list of words which can then be used for password crackers such as John the Ripper.

This tool is great, although it will grab some extra bits that don’t belong in your wordlist (navigation text, script and markup keywords, and the like), so the list can require some editing before you fire it off against your target.
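The kind of clean-up meant above, as an added example that is not part of the original post or of CeWL itself. It assumes the `word, count` shape of CeWL’s counted output and uses a constructed sample list that includes the sort of page-markup tokens a spider picks up; the stoplist is a hand-picked assumption, not anything CeWL ships.

```python
"""Clean a CeWL wordlist before feeding it to a cracker.

Added example for this post, not part of the post or of CeWL. The input
is constructed to look like CeWL's "word, count" output and includes the
sort of web-chrome tokens a spider picks up.
"""
import re

# Constructed sample, in the assumed "word, count" CeWL format.
CEWL_OUTPUT = """\
Group51, 14
password, 9
Group, 8
challenge, 6
javascript, 5
div, 5
http, 4
wordpress, 4
Challenge, 3
security, 3
px, 2
"""

# Assumed stoplist: tokens that come from markup and scripts, not site content.
STOPLIST = {"javascript", "div", "span", "http", "https", "www", "html",
            "css", "px", "wordpress", "href", "img"}

# A line is "word" or "word, count".
LINE_RE = re.compile(r"^(\S+?)(?:,\s*(\d+))?\s*$")


def clean_cewl(text, min_len=4, stoplist=STOPLIST):
    """Parse CeWL output, drop junk, merge case variants, sort by frequency.

    Returns [(word, count), ...]. Case variants of a word are merged into
    one entry that keeps the most frequent spelling: cracker rules can
    toggle case later, so duplicates here only waste cracking time.
    """
    merged = {}  # lowercase word -> {spelling: count}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        word, count = m.group(1), int(m.group(2) or 1)
        if len(word) < min_len or word.lower() in stoplist:
            continue
        if not re.fullmatch(r"[A-Za-z][A-Za-z0-9]*", word):
            continue  # punctuation fragments and bare numbers
        spellings = merged.setdefault(word.lower(), {})
        spellings[word] = spellings.get(word, 0) + count
    result = []
    for spellings in merged.values():
        best = max(spellings, key=spellings.get)
        result.append((best, sum(spellings.values())))
    result.sort(key=lambda wc: (-wc[1], wc[0].lower()))
    return result


if __name__ == "__main__":
    for word, count in clean_cewl(CEWL_OUTPUT):
        print(word, count)
```

The frequency sort matters more than it looks: the words that appear most often on the site (product names, the company name, a running slogan) are the ones staff are most likely to have turned into passwords, so they should be the first candidates a cracker sees, not buried in alphabetical order.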

When it comes to cracking hashes you’ve obtained through, say, a vulnerable web app, Hashcat is a fantastic tool. It lets you build masks and custom rule sets so you can really fine-tune your attack. oclHashcat takes advantage of your GPUs, so if you really want to get flying that’s the way to go; however, the rule sets oclHashcat supports are somewhat limited compared to what CPU Hashcat is capable of. Hashcat’s arsenal is way beyond the scope of this article, but you should really check out Martin Bos’s (@purehate_) talk “Why Your Password Policy Sucks”. It’s more of an overall password talk, but he does touch on Hashcat a bit. One last tip: oclHashcat will tie up your GPUs, as it’s supposed to, but that leaves your CPU idle, so you can throw JtR at the same hashes to keep it busy.
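Putting the policy dump and the mask/rule idea together, as an added example that is not code from the original post or from Hashcat. It parses the `getusrdompwinfo` layout shown earlier (a copy of the post’s own output plus a constructed strict policy), implements only a handful of hashcat rule functions (`:`, `l`, `u`, `c`, `$X`, `^X`) so rules can be previewed, keeps only the rules that can actually produce a policy-conforming candidate from a constructed base wordlist, and derives masks from the “capital first, digits last” guess. The Windows complexity check is simplified to three of the four ASCII character classes; the Unicode category and the “no username” rule are left out.

```python
"""Turn an rpcclient password-policy dump into a pruned hashcat attack.

Added example for this post, not code from the post or from hashcat. It
assumes the getusrdompwinfo output layout shown above, implements only a
few hashcat rule functions, and uses a constructed base wordlist.
"""
import re
import string

# Copy of the post's own rpcclient output: no length minimum, complexity off.
PWINFO_FROM_POST = """\
min_password_length: 0
&info.password_properties: 0x88a05584 (2292209028)
0: DOMAIN_PASSWORD_COMPLEX
0: DOMAIN_PASSWORD_NO_ANON_CHANGE
1: DOMAIN_PASSWORD_NO_CLEAR_CHANGE
0: DOMAIN_PASSWORD_LOCKOUT_ADMINS
0: DOMAIN_PASSWORD_STORE_CLEARTEXT
0: DOMAIN_REFUSE_PASSWORD_CHANGE
"""

# Constructed: what a domain with an 8-character, complexity-on policy returns.
PWINFO_STRICT = """\
min_password_length: 8
&info.password_properties: 0x00000001 (1)
1: DOMAIN_PASSWORD_COMPLEX
0: DOMAIN_PASSWORD_NO_ANON_CHANGE
0: DOMAIN_PASSWORD_NO_CLEAR_CHANGE
0: DOMAIN_PASSWORD_LOCKOUT_ADMINS
0: DOMAIN_PASSWORD_STORE_CLEARTEXT
0: DOMAIN_REFUSE_PASSWORD_CHANGE
"""

# Constructed base words, the sort of thing CeWL would pull from the target site.
BASE_WORDS = ["group", "password", "summer", "welcome"]

# Hashcat-style rule lines (":" is the no-op, "c" capitalizes, "$X" appends X).
RULES = [":", "c", "c $1", "c $1 $2 $3", "c $!", "$1", "u $1"]


def parse_pwinfo(text):
    """Pull the minimum length and the complexity flag out of the dump."""
    min_len = int(re.search(r"min_password_length:\s*(\d+)", text).group(1))
    flag = re.search(r"^\s*([01]):\s*DOMAIN_PASSWORD_COMPLEX\s*$", text, re.M)
    return {"min_len": min_len, "complex": bool(flag and flag.group(1) == "1")}


def meets_policy(pw, policy):
    """Simplified Windows complexity: >= 3 of upper/lower/digit/special."""
    if len(pw) < policy["min_len"]:
        return False
    if not policy["complex"]:
        return True
    classes = sum([any(c.isupper() for c in pw), any(c.islower() for c in pw),
                   any(c.isdigit() for c in pw),
                   any(c in string.punctuation for c in pw)])
    return classes >= 3


def apply_rule(word, rule):
    """Apply one hashcat rule line; only : l u c $X ^X are implemented."""
    for func in rule.split():
        if func == ":":
            pass
        elif func == "l":
            word = word.lower()
        elif func == "u":
            word = word.upper()
        elif func == "c":
            word = word[:1].upper() + word[1:].lower()
        elif len(func) == 2 and func[0] == "$":
            word = word + func[1]
        elif len(func) == 2 and func[0] == "^":
            word = func[1] + word
        else:
            raise ValueError("unsupported rule function: " + func)
    return word


def prune_rules(words, rules, policy):
    """Drop rules that cannot yield one policy-conforming candidate from this
    wordlist; return (rules_kept, candidates_to_try)."""
    kept, candidates = [], set()
    for rule in rules:
        hits = [h for h in (apply_rule(w, rule) for w in words)
                if meets_policy(h, policy)]
        if hits:
            kept.append(rule)
            candidates.update(hits)
    return kept, sorted(candidates)


def masks_for(policy, length):
    """Hashcat masks for the 'capital first, one or two digits last' guess;
    without complexity, an all-lowercase mask is worth running as well."""
    masks = [] if policy["complex"] else ["?l" * length]
    for digits in (1, 2):
        masks.append("?u" + "?l" * (length - 1 - digits) + "?d" * digits)
    return masks


if __name__ == "__main__":
    for label, dump in (("post", PWINFO_FROM_POST), ("strict", PWINFO_STRICT)):
        policy = parse_pwinfo(dump)
        kept, cands = prune_rules(BASE_WORDS, RULES, policy)
        print(label, policy, "rules kept:", kept, "candidates:", len(cands))
        print("  masks:", masks_for(policy, max(policy["min_len"], 8)))
```

Against the post’s own dump every rule survives, because nothing is forbidden; against the strict policy only the three rules that add both a capital and a trailing digit or symbol are worth running, and the all-lowercase mask disappears entirely. That pruning is the whole point of knowing the policy: the candidates it rules out are ones the domain would never have accepted in the first place.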


Categorised as: blog


One Comment

  1. qubit says:

    Really interesting article, BD. When we used to have g51 challenges, I used to get a lot of practice. But my computer security knowledge is quite rusty now. This article really updated me.

    Thanks BD!
