
Passwords: Policies, Securing, Cracking, and More

BSides Las Vegas, 43:38, published 2023-10
About this talk
PasswordsCon, 10:30 Wednesday. We can't get rid of passwords, no matter what you read. They are essential for service accounts, dev accounts, and more. So, how do you secure them in AD and AAD? We will cover that and more. We will cover the basics and the complex. We will cover how to create a more-secure password and how attackers can crack passwords that are weak. You must understand that MFA can't be used everywhere, so passwords are essential in every environment!

Speaker: Derek Melber
Transcript (en)

Host: All right, everyone, welcome back. Good morning, welcome to BSides Las Vegas. This is PasswordsCon, and this talk is "Passwords: Policies, Securing, Cracking, and More," given by Derek Melber. A few announcements before we begin. We'd like to thank our sponsors, especially our Diamond sponsor Adobe and our Gold sponsors Prisma Cloud, Semgrep, BlueCat and Toyota. It's their support, along with all of our other sponsors, donors and volunteers, that makes this event possible, and of course thank you to all of you for coming to BSides Las Vegas. These talks are being streamed live, and as a courtesy to our speakers please make sure that your cell phones are set to silent at this time. Also, as a reminder, the BSides LV photo policy prohibits taking pictures without the explicit permission of everyone in frame. These will be made available to you on YouTube in the future. If you do have a question towards the end of the talk, I have a microphone here; please just raise your hand when the time comes and I will come around with a microphone. Please do not start asking your question until the microphone makes it to you, so that YouTube can hear you. With that, please take it away, Derek.

Derek: Awesome, thank you. Can everyone hear me? Good. Awesome, fantastic. Well, I also want to thank you for

getting up in Vegas and arriving here; I appreciate that. Hopefully everybody's having a very good week. (Adjusting the microphone.) How about that, is that better? Okay, good. Can you hear me now? All right. So I normally do an introduction and kind of talk about my background, but the last couple of weeks have been interesting. The company I was working for went out of business, so I'm kind of in a little bit of a flux right now. I guess I'm an independent contractor, which I did for a long time, but it was a very interesting June and July, when the company lets go of 55 people, all of sales and marketing in the United States, in one go, and then six weeks later, hey, guess what, we're all unemployed. So if you were using software from that company (I'm being recorded, so I won't say it), you no longer have access to that software. I'm very sorry, because they removed access to the software as well on July 31st. So, very interesting times, but it is great to be here. I do a lot of talks throughout the year; I probably do about 25 to 30 presentations. This year I've had the honor of speaking at RSA, Gartner, FS-ISAC, Identiverse, if you've ever heard of that. So it's good to be here, and this particular talk I actually pulled out of the archive. I used to do this talk quite a bit in the past, and then of course passwords kind of fell to the wayside and people said get rid of passwords and whatnot, but I thought it was appropriate to kind of bring it back, because let's be honest, in Windows Active Directory we're not going to get rid of passwords anytime soon, right? It's just not going to happen. So I wanted to kind of go over a lot of stuff in a short amount of time.

Obviously I can't go over everything I want to go over because we don't have enough time, but what I want to do is kind of engage you with some information that maybe you weren't aware of, to show you how password policies work within Active Directory as well as Azure Active... I'm sorry, Entra ID, the new name for Azure Active Directory, and kind of go down that path. So anyway, what we want to do is we want to talk about on-prem AD, we want to talk about Entra ID, and then we want to talk about the attacks themselves and kind of what's going on. So let's first of all

decrypt this whole concept of on-prem Active Directory password policies. I have given this presentation over a hundred times. Yes, it's the year 2023, but I guarantee someone is going to learn something in the next couple of slides as we go through this, because it is probably one of the most complicated and misunderstood parts of Active Directory, which is the password policy. Okay, so let's go over some basics. First of all, the password policy for Active Directory for a domain is configured in the Default Domain Policy. It must be (it being the password policy) configured in a GPO linked to the domain. That is a requirement. All right, now this particular password policy controls a couple of different things. First of all, it controls all of the user accounts in Active Directory. So every user account within Active Directory, whatever the password policy is set to, by default that user adheres to that password policy. Secondly, with the way Group Policy works, the Group Policy Object applies to all of the... I'm sorry, all of the computers in the domain. Therefore all of the users in the local SAM on every computer in the domain also adhere to that password policy. So by default with Active Directory, every user, domain and local, adheres to one password policy, and that is the one that is set by default in the Default Domain Policy.

Okay, so if we jump into the Default Domain Policy... nope, not that one, let's go over here. So here is the Default Domain Policy, and I'm going to go down here to Policies, Windows Settings, Security Settings, Account Policies, Password Policy. This is the default password policy. I have not modified this in any way. So this setting applies down through the entire enterprise, and every user within the enterprise by default adheres to this password policy. Now let's talk about some details around how the password policy works. It sets the minimum and maximum age, it's going to set the complexity requirements, and it's going to establish what the password is by default. Can it be changed? Of course it can be changed. It can be changed within this Group Policy Object, or I can add a new Group Policy

Object linked to the domain that has higher precedence than this GPO, and then that Group Policy Object would control the password policy. Now what if I were to do this? I'm going to come down to, let's say, an organizational unit. Let's go to my domain, and you'll see here that I have an OU called USA. Now a lot of times people say, all right, I want to have certain users have a different password policy than other users, so I'm going to come to an OU that has users, I'm going to right-click and, in the Group Policy Management Console, create a new GPO, and this is going to be Password Policy 2. So in Password Policy 2, go to the same location within the Group Policy Object, my Account Policies, my Password Policy, and let's say that I want to have my minimum password length be, let's say, 12 characters. So I want all the users in this OU to have a 12-character password policy. I apply that and I'm done. How many of you now think that Cleo, Hercules and Maximus (my pets; if you want to guess my password, go for it, Hercules and his birthday), how many of you think that these three users, when they reset their password, will now have to put in a 12-character password? It doesn't work that way. Does not work that way. These users will adhere to the password policy in the Default Domain Policy.

Let me prove it. First of all, I'm going to go back to the GPO, right here, Password Policy 2, and I'm going to go into the password policy, which is right here, and I set it to 12. Notice which objects the password policy applies to: computers. Is Hercules a computer? It cannot apply to Hercules. It's impossible, it is absolutely impossible. The password policy applies to computers, and the way that I look at it is it becomes a filter for the database on that computer where users are stored. It actually doesn't apply to users; it applies to computers. So by default every user in this domain applies to one password policy; it's just the way it works. So if you are responsible for your password policy and you think that you have applied a password policy to an OU so that it applies to the users in there, I suggest you create another user and test it, because I guarantee you it will not work that way. It does not work that way; it hasn't worked that way for 13 years.

Now, one password policy per domain, and you have no control over any other parameters of the password policy. The password policy is the password policy unless you get a third-party tool. So those settings that are in that password policy, you can't do anything else. For example, complexity says that you have to have three of the four character types: lowercase, uppercase, number and special. If you want to require all four in a password, you cannot do that with Microsoft technology. You can't; you have to get a third-party tool. And again, the password policy for the domain users must be linked to the

domain. But let's talk quickly about what in the world this Group Policy Object is going to affect. Password Policy 2, this one right here, linked to the USA OU: what would it affect? Remember the password policy affects which objects? Computers. So which computers would it affect? USA. Every computer that's in the USA OU will now have a 12-character minimum password, meaning all of the local users in the local SAM on all of those computers will require 12 characters. That's how the password policy works, but all the domain users are still going to adhere to whatever is linked to that domain.

Now obviously we have this other default GPO, the Default Domain Controllers Policy. Does it include controls for the password policy in that GPO? Let's go look. I'm getting mixed reactions, so let's go look. Ah, there they are. If I were to configure these settings in here, would these settings modify the domain users? Where must the GPO be linked for domain users? At the domain. This one's linked at the Domain Controllers OU, and yes, I fully understand the domain controller computers are in this OU, but welcome to Microsoft; it doesn't work that way. The only way that users, domain users, can have a password policy apply to them is in a GPO linked to the domain. It's just the way it is. This will do absolutely nothing if I configure anything in here. It does nothing, unless I put a different computer, let's say a server, in the Domain Controllers OU; then that computer's local SAM would adhere to this, but not domain controllers. Very confusing, and it's just going to get a little bit more confusing as we go through, because welcome to Microsoft.

All right, now if I want to have multiple password policies in the same domain, I can do that with Microsoft technology; I just can't do it with GPOs. I do it with something called fine-grained password policies, also referred to as a PSO or Password Settings Object. But these are not in Group Policy Objects. Up until Microsoft released the Admin Center, you had to do it in ADSI Edit. Now you can do it through ADSI Edit, you can do it through the Admin Center, you can even do it with PowerShell if you wanted to; kind of painful, but you can. Now the same settings are inside of a PSO, so if I were to open up a GPO and a PSO they would have the same controls: minimum age, maximum age, history, all of that. I cannot add additional settings to a fine-grained password policy. I have the same. All it allows me to do is say this side of the room, you get one password policy; this side of the room, you get a different password policy. And you control who receives it by permissions. It's referred to as "PSO applies to." So if I go into my Admin

Center, right here is where I can configure my Password Settings Object. It's kind of nice; it's actually a GUI now inside of the Admin Center, because when you went through ADSI Edit it was kind of a wizard. It walked you through and said, what do you want for this, what do you want for this, and it was brutal because you had to put in the correct syntactical entry, which was not obvious. But this is how you create new ones, and you can see here is where you set it to apply to. So now you can have multiple password policies in the same domain, allowing it to have, let's say, a 14-character password, maybe you have developers have a 12-character password, and then the C-level has a two-character password because that's all they can handle, right? But with that, of course, never expires. That's obvious, that's a no-brainer, right? Let's also not expire those, because we're King of the Hill; we just want to do that.

Okay, so PSO applies to users and global groups. Can't add additional things, and it becomes an object. It is actually an Active Directory object; it is not a GPO. It is completely separate, completely different technology, but both work side by side. So which one applies? If I do not have a PSO at all, then every user gets the password policy from the GPO. If I have a PSO, a fine-grained password policy, and a user has permissions to it, it will receive the settings in the PSO. If the user doesn't have permissions to it, it defaults over to the Group Policy Object. If I'm a user and I have permissions to multiple Password Settings Objects, which is possible, I'm going to receive the one that has the highest priority. So when you establish new Password Settings Objects you have to set a priority for it. I normally start with 10; that way I can have nine that have higher priority and the rest have lower priority. That way, when users have a multitude, they're going to get the one that has the highest priority. But it always defaults back to whatever that GPO setting is if I don't have permissions to any of them.

Now I'm going to go over a couple of different PowerShell commands. Don't worry about writing them down; just write down my email and I'll send you a block of PowerShell commands that allow you to look at certain things. So if I come in here and I go to PowerShell and I run my password-policy-per-user, this is going to show me which password policy applies to each user. You will notice ResultantPSO: nothing shows up. So which password policy are these users getting? The GPO. And if they had permissions to a PSO, it would show the one that they have with the highest priority, too. Very easy to look at, but you have to look at this. I beg you to go look at this, especially if your organization is using fine-grained password policies, because a lot of organizations don't understand exactly how it all works, and they don't have the password policy they think is in place, because of permissions, or because they don't understand the way that the GPO works in comparison, or any of the details. All right, any questions on that? Fantastic. Oh, sure.

Audience: When you say the user has permissions to the PSO,

what does that exactly mean? Because they have to be part of a group to attach, but the permissions, where exactly does that lie?

Derek: Okay, so the question is, what permissions in a PSO, where, how does that all work? So I'm going to go back into my Admin Center, and when I create a new Password Settings Object, right here is where I configure the user and/or group that has access. So that's a permission; this is the permission right here. The PowerShell command that I ran says show me the resultant, so if I have permission to five different PSOs it's only going to show the one that's in control for that user, which may be different for another user.

Audience: Okay, fantastic, thank you.

Derek: Yep, no problem. All right, Entra ID. It's still weird to say that, right? It's Azure AD or... there's a clear split on the rename: you either love it or you hate it. I don't know if too many people are like, yeah, I'm indifferent. I am on the love-it side, because I've been around for a while, let's say 24 years. Yes, I know it's 23 years old, but I was dealing with it kind of before. It never should have been called Active Directory, ever. It's not Active Directory. There is nothing at all similar about on-prem AD and Azure AD. Nothing. It shouldn't have been called AD to begin with. So it was a rename coming; it should have been renamed a long time ago. But Entra ID, in my opinion, is almost just as confusing for its password policy as on-prem AD. You cannot configure the password policy like you do on-prem. Is there anyone working for Microsoft in here? Because I'm not going to change what I say; I'm just going to know who to talk to. Microsoft does a lot of things foolishly, primarily for one reason, and what's that one reason? Thank you, we're all on the same page: to make money. And they do it through their marketing machine. This is a perfect example of that, a perfect example. They don't want you to mess with the password policy. Why? Does anyone want to take a stab at that one? Why doesn't Microsoft want you to deal with the password policy in Entra ID? Mess it up? No, no, that's not a money thing. Why? MFA. They want you to get Entra ID because it has MFA, and they're stripping away the ability for you to control multiple password policies because they want you to use MFA, and the only way to get MFA: subscribe. It's the absolute truth. I don't care what anyone in Microsoft says, it's the absolute truth, and I'm going to prove it to you in just a minute.

Now you can also use the on-prem password policy if you set up AD Connect. If you connect on-prem and create a hybrid, now you can actually point users back to the on-prem and get some of those controls. Now the password policy for Entra ID is this. It's a little clunky: minimum eight characters. What's on-prem? What's the default? Seven. That seven and eight is very important; we're going to talk about that. Three of the four of the following. Password expires: doesn't expire by default; we'll come back to that. Duration 90 days, only when password expiration is enabled. This can be changed; the rest of these, except for one, can't be changed. It's just crazy. You cannot change this; it is set. Microsoft said this is the way it is, because they want you to use MFA. Sorry. Now Microsoft also provides a list of words that users can't use, and there's two lists. There's a list you cannot see. That list is not publicized. Why? Because it's dynamic. It's 500 words that Microsoft in the background analyzes constantly and updates for you. They have no idea what's on the list. They have no idea. If you want to create a list, that's where you go in here and create

your custom list, that has a maximum of 1,000 words. Not really that robust. How many passwords in the last 10 years have been posted on the internet? Enough. Millions upon millions. Microsoft says, I'm going to use 1,500. Yay. It's a feeble attempt; it is an absolute feeble attempt. But they also go in and say, hey, we're going to allow AD to use this list. Thank you. If you want to use a list, go get a third-party tool, completely honest. Just go get a third-party tool, because this is not the way to secure passwords, in my opinion. It's a good first try, but how long has Azure AD been out there? A long time, and they're not going to update it. They do not want their engine looking through thousands of passwords to deny a user to put in that password. Now if you read some of the documentation, sometimes a user can actually put in a password that contains one of those words. There is a very sophisticated engine, according to Microsoft, of why that's possible. They're going through multiple iterations of the risk of the password, and if the password meets other criteria, undocumented criteria, you can actually have a password that includes that word. It's not just that word, it's other parts of it, but it includes that. Very strange.

Now, I pulled it out of this deck, but I challenge you to go look at this: if you go and search on Azure AD password policy, you are going to get a list of what Microsoft recommends for their password policy. They're going to recommend eight characters, they're going to recommend that the user never change the password, and they're in agreement with NIST on this. But what they do not say in this document is that's only if you have MFA. They do not say that. They do not say use MFA if you're going to allow the password to exist forever and never be changed. You have to have that. You have to have that. Yes, question? I'll repeat it.

Audience: So nowhere in M365 is there a place to set that?

Derek: Correct, it's not configurable.

Audience: Yes, but you can then set a fine-grained password policy so that users, when they're at M365, get it enforced?

Derek: Yes, yes. So the question is, within, again, naming, Microsoft 365 or Office 365, whatever you want to call it today, you cannot set some of these parameters, but what you can do is, if you have hybrid, you can come in here and say I'm going to have my users use the password policy from on-prem, and now they will actually get that. Very confusing, in my opinion.

Audience: Where is this, in the Admin Center?

Derek: This is in Azure AD, Entra ID. This is not the Admin Center on-prem; this is the cloud, this is Azure AD.

Audience: Okay.

Derek: Great question. All right, let's talk about attacks. I can't list them all here, but these are some common attacks. The first one, if you didn't know it, it's still possible: if you delete the SAM file and reboot, what does it do on reboot? It creates a new SAM file. How convenient. And it has default credentials in there. It's just the craziest thing in the world; you can still do this. Now of course it would be for a server, I mean, but it's still kind of crazy that's possible. Dual-boot scenarios: you can do a dual boot on the same machine, you go into the other files because you have access to them, because you're admin over here; you can go to these files and now you can access those. You can do this, so physical security is a thing, extremely important. Social engineering, phishing attacks, still number one. Why? Well, we've got users. If anyone figures out how to get rid of users, our job would be a lot easier, but we can't get rid of users. Impersonation, this is a big one. We're not going to go into the details of this, but let me just throw out some different things here where impersonation comes in. I can do pass-the-hash attacks, I can do pass-the-ticket attacks. You've all heard of golden tickets, right? Have you ever heard of a sapphire or diamond ticket? That's impersonation; they are modifying the ticket, they're not creating a new one, they're modifying a ticket. Kerberoasting. All of these are attacks against authentication protocols and the properties of those tickets, tokens, passwords. Then we get into password guessing, and then we get into password cracking.

So let's first of all talk about password spray, referred to as low and slow. What I'm going to do is I'm going to take the same password and I'm going to apply that to every single user, the one password to every user. Why only one password? Because I don't want to trigger the account lockout. I don't want to trigger anything in the SIEM. So low and slow, and I'm just waiting for that one password to work. Very, very, very common. If your SIEM is not set up for this today, get it set up for this today, because no one in the organization can get out of this: "Oh no, I just tried one password against every user, I was testing something." You need this to come through your SIEM. There's technology to look for this stuff; it's very simple. Get it in the SIEM, have your SOC be alerted to this. You also have brute-force guessing, not nearly as common. Why? They don't want to trigger the account lockout. But it's still possible, and here they're just trying a multitude of passwords against the same account. They may know a root of it: I know it's "password" but I don't know if it's password1, password2, password3, so I'm going to try all of them. So these are things that are possible and they occur all the time. You can go to Microsoft's website and look at their analytics about how many times accounts are being attacked. It's extraordinary, because people have access to them. Can your own employees do this to the internal database? Of course they can.

Right now I don't talk about this a lot, not that I'd ever do this or I've ever seen it, but let's say you have a disgruntled employee. Can they go to their... so, kind of going off the cuff here, can they go to their command line and do "net accounts" and get the details of the password policy? So they get details of the password policy. This is telling them the lockout threshold, the lockout duration and the observation window. It's telling them how many times someone can put in a wrong password before they're locked out. So let's say that I just create a small little script that logs everyone in five times, because the threshold is four, and then I point to the list of users. Can I get a list of every user in Active Directory as a normal user? So I have a script that logs every user in five times. What does that do to every user? It locks every user out. Don't do this at work. Please don't blame me; I didn't think... maybe I thought it up a little bit, but I've seen this happen. I've done this. So these are the kind of things that you need to think

about. Then we get into password cracking, and there are a multitude of options. Primarily there's a brute-force attack, there's dictionary attacks, rainbow table attacks, and then there's even more. Now when I get into tools, and I'm going to show you Cain here, Cain allows me to go in and say, all right, I can do a dictionary attack, right-click, boom, I bring in one or more dictionaries and now I scan through that. Super simple. I can do brute-force attacks. Now when I do a brute-force attack, it allows me to go in and pick my character set; it allows me to go in and pick minimum and maximum length. I'm going to guess that for 95% of the organizations represented in here, your minimum password length is between six and 10 characters. No? So what do I put in here? The norm. I'm putting in the norm: default is seven, some people go to eight because that's important, because of LAN Manager. LAN Manager has a 14-character password broken into two seven-character parts, so going from seven to eight is that leap. And then I have the ability to come in here and do cryptography attacks, rainbow tables, and if you don't have a rainbow table that's okay; you can just run the tool and it will create your own rainbow table. It'll create a rainbow table, which is a pre-hash table, it's a hash table, so now you don't have to actually try to decrypt or encrypt anything, create a hash; the hash is just there, you do a comparison. And you notice that in order to get hashes in here I simply right-clicked and I added to the list, and I added to the list from the computer I'm on, but if I have a SAM database, if I have a database, I can just import it in here and boom, I'm ready to go.

Now there are other ways to crack passwords, and I know there's a lot of words on here, but I went through and I'm like, I want to keep it; you can get the PowerPoint. But this is from a German company called daac, and basically what they have created is a way to crack passwords based on some phenomenal criteria. This is including enterprise data, corporate branding, names of people, addresses. So they put this in a database; they suck it out of the website, throw it in a database, and that's part of the word list. Then they look at passwords leaked over the last 20 years in a database, and then they use the above methods as well as create new dynamic dictionaries, and then they'll append numbers and do all these weird gyrations. They can crack passwords up to literally about 20 characters long in a couple of days. Really cool stuff. Primarily they do an audit on your AD and tell you, hey, you're really messed up here and over here; maybe these three users are okay, but most users' passwords are crackable. So you need MFA, but you can't get rid of passwords, especially for service accounts. There are certain accounts you cannot get rid of passwords for, so when people say have the entire enterprise go passwordless: not possible, it's not going to work. You can't get rid of those service accounts, and as last I checked no service account has any fingers to check their phone, so we're kind of stuck. So how do we protect passwords? What can we do?

Well, first of all, we can kill LM and NTLM. There are four authentication protocols: LAN Manager, NTLM, NTLMv2 (you can't kill NTLMv2 in almost every situation) and Kerberos (can't kill Kerberos). So you need these two, but you can kill these others. So there is a GPO setting that allows you to go in and control LM and NTLM. Now notice the default is "Send NTLM response only," but you've got to consider this is a domain controller that this is set on, so it functions differently. So what I did is I put the details in here, 0, 1, 2; these are the registry entries that match up to those, and it describes what those settings do. It's only when you get to four and five that it actually controls the authenticating server. So you have to be down at four and five, and you'll notice four and five are the ones that say refuse: refuse LAN Manager, refuse LM and NTLM. The other ones look like it, but they're not; they're still allowing LAN Manager and NTLM.

Okay, the most important thing about a password is length. It's length. Nothing else matters. Complexity doesn't matter. All lowercase, I don't care, 20-plus characters. You've got to have it that long in order to create a more secure password. Length is the most important thing. Sure, complexity is in there, but the technologies today can crack it when it's shorter, whether it has complexity or not, but length is the most important thing. My recommendation is passphrases: start with a capital, end with a period, it's a sentence. I don't know, use your favorite quote from a book, from a song, from a speech, from whatever, I don't care. It's easier to type, it's easier to remember. Passphrases, 20-plus characters. Studies have been done on passphrases; they normally go over 25 characters for passwords, and it meets complexity requirements: uppercase, lowercase, special. It's a sentence. I know we didn't go over everything with passwords and attacks, but I only had 45 minutes. Any questions? If you do have any questions afterwards, please, there's my email, more than happy to address questions. Yes?

Audience: Is the BrainCore email still valid?

Derek: It is, BrainCore is still valid, yes, and actually I had to change it for this because it was the other one. Yeah, BrainCore has been around for a long time.

Audience: I don't know if you can talk about it or not, but are there any alternatives to use for password protection besides Microsoft?

Derek: Okay, the question is, are there any technologies to use for password protection other than Microsoft? One of the best that I've seen is from a company called Specops, S-P-E-C-O-P-S. It integrates with Group Policy and it gives you every possible permutation you'd ever want for password controls. It's unbelievable. It's been around for 20 years. Specops.

Audience: Specops? Yep, Specops. It's called Password Policy? No, no, that's SpecterOps.

Derek: Yeah. S-P-E-C-O-P-S. SpecterOps has some really cool tools too. Yeah, any other questions? All right, thank you for your time. If you do have any questions and want to come up and ask, I'll be around. Thank you very much and have a great rest of your day.
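Three of the checks the talk asks the audience to go and run themselves (which password policy each user actually receives, GPO default or resultant PSO; what each PSO "applies to"; and which LmCompatibilityLevel value a host is at) can be done with the RSAT ActiveDirectory cmdlets. The PowerShell below is an added example written for this page; it is not the speaker's script and not taken from the slides. It assumes the ActiveDirectory module is installed on a domain-joined host and run as a domain user; the function names are my own, and the 20-character threshold is only there because that is the length the talk recommends, not a Microsoft default.

```powershell
# Added example (not the speaker's script). Assumes RSAT ActiveDirectory module,
# domain-joined host, ordinary domain user rights. Function names are mine.
Import-Module ActiveDirectory

function Get-EffectivePasswordPolicyReport {
    [CmdletBinding()]
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        # The talk's recommendation (20+ characters), used here only as a flag threshold.
        [int]$RecommendedMinLength = 20
    )

    # The GPO-based policy: whatever is linked at the domain root with the highest precedence.
    $domainPolicy = Get-ADDefaultDomainPasswordPolicy

    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties PasswordNeverExpires |
        ForEach-Object {
            # Resultant PSO (msDS-ResultantPSO): the PSO with the lowest Precedence number among
            # those the user is subject to directly or via global group. $null means no PSO
            # applies and the user falls back to the default domain policy from the GPO.
            $pso = Get-ADUserResultantPasswordPolicy -Identity $_
            if ($null -ne $pso) {
                $source = "PSO '$($pso.Name)' (precedence $($pso.Precedence))"
                $policy = $pso
            } else {
                $source = 'Default domain policy (GPO linked at the domain)'
                $policy = $domainPolicy
            }
            [pscustomobject]@{
                SamAccountName       = $_.SamAccountName
                PolicySource         = $source
                MinPasswordLength    = $policy.MinPasswordLength
                MaxPasswordAge       = $policy.MaxPasswordAge
                ComplexityEnabled    = $policy.ComplexityEnabled
                PasswordNeverExpires = $_.PasswordNeverExpires
                BelowRecommended     = ($policy.MinPasswordLength -lt $RecommendedMinLength)
            }
        }
}

function Get-PsoAppliesToReport {
    # Every PSO in the domain, in priority order, with the users/groups it is granted to.
    # An empty AppliesTo is the misconfiguration the talk warns about: the PSO exists
    # but nobody has "permission" to it, so everybody still gets the GPO policy.
    Get-ADFineGrainedPasswordPolicy -Filter * |
        Sort-Object Precedence |
        Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge,
            @{ Name = 'AppliesTo'; Expression = {
                ($_.AppliesTo | ForEach-Object { (($_ -split ',')[0]) -replace '^CN=' }) -join '; '
            } }
}

function Get-LmCompatibilityLevel {
    # Values of the "Network security: LAN Manager authentication level" setting.
    # Only 4 and 5 change what a DC accepts as authenticating server (refuse LM, or
    # refuse LM and NTLM); 0-3 only change what this host sends as a client.
    $meaning = @{
        0 = 'Send LM & NTLM responses'
        1 = 'Send LM & NTLM; use NTLMv2 session security if negotiated'
        2 = 'Send NTLM response only'
        3 = 'Send NTLMv2 response only'
        4 = 'Send NTLMv2 response only; refuse LM'
        5 = 'Send NTLMv2 response only; refuse LM & NTLM'
    }
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $level = (Get-ItemProperty -Path $key -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    [pscustomobject]@{
        LmCompatibilityLevel = $(if ($null -eq $level) { 'not set (OS default)' } else { [int]$level })
        Meaning              = $(if ($null -eq $level) { 'n/a' } else { $meaning[[int]$level] })
        RefusesLmAndNtlm     = ($null -ne $level -and [int]$level -eq 5)
    }
}

# Usage: users whose effective minimum length is below the talk's recommendation,
# then the PSO inventory, then this host's LM/NTLM setting.
Get-EffectivePasswordPolicyReport | Where-Object BelowRecommended | Format-Table -AutoSize
Get-PsoAppliesToReport | Format-Table -AutoSize
Get-LmCompatibilityLevel
```

Run the first function against a freshly created test user after linking a password-policy GPO to an OU: PolicySource will still read "Default domain policy", which is the demonstration from the talk. Get-LmCompatibilityLevel reads the local machine; to check what the domain controllers enforce, run it on a DC (or query the Default Domain Controllers Policy), since the level on a workstation only governs what that workstation sends.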