The massive Equifax data breach compromised sensitive information for roughly 143MM people and is a sobering reminder that security flaws still exist in most organizations. The fact is that most enterprises use Active Directory as the cornerstone of their IT systems and, while AD can be configured in a very secure way, it runs on Windows, which is vulnerable by default. Windows services that are enabled by default, such as LLMNR and NetBIOS (NBT), make your organization more susceptible to cyberattacks by allowing hackers to easily obtain Active Directory password hashes. The most common breach vector is stolen credentials, so it’s important for IT professionals to understand how easy it is to crack passwords and take the necessary steps to protect their Active Directory services.
How are passwords stored in Active Directory?
Passwords stored in Active Directory are hashed – meaning that once the user creates a password, an algorithm transforms that password into an encrypted output known as, you guessed it, a “hash”. Hashes are of fixed size so passwords of different lengths will have the same number of characters, and are designed to be a one-way encryption, so that once they are coded, no one should be able to break that code (theoretically).
How do you like your hashes?
Different applications use different hashing algorithms, which vary greatly in terms of security. When a user creates or changes a password in Active Directory, Windows generates a LAN Manager hash (LM) and a Windows NT hash (NT). The NT hash is encrypted using a custom Windows algorithm, while the LM hash is created using the extremely vulnerable MD4 algorithm.
When a user logs onto their computer, the machine sends an Authentication Service Request that is composed of an encrypted timestamp using the user’s password hash. The Domain Controller then decrypts the timestamp using the user’s locally-stored password hash, and authenticates the user.
More salt, please.
Salting is an added layer of password protection that is (surprisingly) not used in the Active Directory Kerberos authentication protocol. When a password is salted, it means that an additional secret value is added to the original password, and then both the password and the salt value are encrypted as one hash. As you can imagine, it’s more difficult to hack into a salted password than one that is hashed without the added salt. That being said, every password can be cracked eventually, it’s really just a matter of time. All you need is a penetration testing tool and roughly five minutes.
2 Steps to Cracking Your Active Directory Password
If a Windows client cannot resolve a hostname using DNS, it will fall back to LLMNR or NBT to attempt to resolve the hostname. LLMNR and NBT will broadcast name resolution requests on their local subnet and will happily forward password hashes to other computers that respond. Pen testing tools like Responder, which is included in Kali Linux, are easy to use and watch for these communications on the network. Even seasoned Windows administrators would be surprised to learn how vulnerable the operating system can be to password interception and other tricks in its default configuration.
Step 1: Run Responder on a selected interface
Once you run Responder with a simple command of ‘responder -I eth0’, the tool will watch for vulnerable traffic, intercept the authentication process and capture the password hash.
Step 2: Run John the Ripper to crack the hash
Once you’ve obtained a password hash, Responder will save it to a text file and you can start trying to crack the hash to obtain the password in clear text. Kali Linux also offers a password cracking tool, John the Ripper, which can attempt around 180K password guesses per minute on a low-powered personal laptop. Note that all password hashes can be cracked if given enough time and enough computing power. On a high-powered corporate computer, cracking passwords can be incredibly simple – even if your password policy has complexity requirements.
John the Ripper was able to crack my home laptop password in 32 seconds using roughly 70K password attempts. It’s almost laughable.
Securing your Active Directory Password
Knowing how easy it is to crack a password is the first step in understanding how crucial it is to secure your Active Directory environment. There are some easy steps you can take to secure your IT environment, including setting strong password guidelines and uncovering and disabling Windows vulnerabilities such as LLMNR and NBT. It’s also important to implement an Active Directory auditing tool that will alert you to suspicious activity prior to a full-blown cyberattack. The truth is, it will likely take more than 32 seconds to crack most passwords, but it’s going to take a lot more than special characters to protect the IT building blocks of your organization.