The common denominator of most massive data breaches is the use of weak passwords. Some are so weak that they could be cracked instantly with commercial dictionaries, while most others could not withstand a brute force attack on 8-10 character permutations. As a result, if an attacker can gain access to password challenges and export them for offline cracking, they are usually successful at breaking in.
In a pen-testing or red-team scenario, the main goal is to quickly show how an attacker with a minimal footprint in an organization is able to gain admin privileges. In this article, I will go far beyond simple Security Account Manager (SAM) databases cracking, Pass-the-Hash and password brute force techniques, and demonstrate some advanced techniques utilizing Kerberos and NT LAN Manager (NTLM) soft spots. Let’s explore how each method works.
Kerberos Password Cracking
Kerberos is considered a more secure protocol than NTLM, and understandably so – when two network entities authenticate, they don’t send password challenges to each other. However, there are two common scenarios where certain network configurations (albeit questionable ones) allow for password cracking: (1) Cracking a ticket granting server (TGS) to a service account and (2) cracking ticket granting tickets (TGT).
Cracking TGS – Kerberoasting
In this attack, also known as Kerberoasting, an attacker requests a TGS to a service account. In many cases, the TGS is signed with the credentials for the account. The attacker can then take the generated TGS offline for password cracking (using this code, for example).
This method is appealing for a number of reasons:
- No special permissions are needed; any authenticated user can create any TGS.
- The service principal names (SPN) for these TGSs can be scanned and automatically detected without any prior knowledge of the network.
- In many cases, the service accounts involved have elevated privileges.
- For the nitty gritty details, check out Sean Metcalf’s blog post on the Kerberoasting attack method.
In this scenario, an attacker either passively observes a Kerberos AS-REP message or actively generates one for the user. When the attacker is in possession of such a message, he may use standard cracking tools to try and offline crack a ticket offline and obtain plain-text password. Harmj0y (Will Schroeder) wrote a great blog post covering this issue here.
Two common attack vectors include:
- TGT with no pre-authorization: This vector is the lesser known of the two. In the past, any user could issue a TGT with any user principal, under the assumption that only the real user would be able to use the ticket as it was generated with their master key (derived from the user’s password).
- It was later discovered that any attacker with network access could create password challenges in the form of TGTs and crack them. To combat this, Kerberos V5 introduced pre-authentication. Our research here at Preempt revealed that in many networks, pre-authentication is sometimes turned off for certain users to enable testing and automation.
- Kerberos sniffing: When an attacker is able to see the communication between workstations and domain controllers, he can sniff the TGT requests and crack them. When a workstation is located physically in the network, the existing ability to sniff Kerberos traffic probably means the network was already severely compromised.
- Another interesting scenario is what happens when a user connects his workstation from an insecure (e.g. public WiFi) network. If the attacker has access to the network’s traffic, they will be able to crack a user’s password.
Ethical Hacking Training – Resources (InfoSec)
NTLM Password Cracking
Even though NTLM has been replaced with Kerberos as the default authentication protocol, and despite obvious security risks, backward compatibility NTLM is still turned on in most networks. In fact, I have not yet seen a network that has phased out NTLM completely.
One of the major risks with NTLM is that every time a user authenticates with it, they expose their password to offline cracking. An attacker can take advantage of this in two main ways:
- Wait for challenges: After an attacker gets a foothold in the network and assumes control over several endpoints, they can simply wait for users to authenticate and expose their credentials. As it turns out, many organizations have privileged users who perform scheduled tasks on all endpoints (e.g. AV management), meaning that their credentials are very easily exposed in this manner.
- Induce challenges: Attackers can create malicious emails or internet pages that lead users to send out an NTLM challenge, which can either be redirected or simply cracked. Once a single machine gets infected inside a network, the attacker can send email with a link to \\[IP_ADDRESS] or create a rouge IMG HTML tag with file://[IP_ADDRESS]/fake.jpg. Either way, since you’ve only supplied an IP address, the infected machine will surely use NTLM, as Kerberos requires knowing the identity of the target. What’s even more concerning is the fact that security researchers have learned that Internet Explorer (and EDGE) will even send NTLM challenges to an internet server. Once a user connects, the attacker can sniff incoming SMB packets and crack the NTLM challenge observed.
An attacker with zero or minimal foothold in a network can extract password challenges and has a high chance of successfully breaking them, which leads to further compromise in the network. Some of the security gaps I’ve demonstrated are easy to fix, while others are very hard to fix without major IT investments. Strong password policies remain a critical part of every organization’s security posture, and thus every security admin and pen-testing professional’s skill set.