
BSidesSLC 2020 - Carrie Roberts, Darin Roberts, Cameron Roberts - The Domain Password Audit Tool

BSides SLC, 29:46, published 2020-03
About this talk
Title: The Domain Password Audit Tool
Presenters: Carrie Roberts, Darin Roberts, Cameron Roberts
Transcript (en)

All right, here we go. How does it sound? Sounds good, looks good? Okay, let's see. All right, I'm Carrie Roberts, OrOneEqualsOne on Twitter. We also have with me here in the house Darin Roberts, my husband; he's MrOrOneEqualsOne. I helped him with that idea, because I have Cameron, Jr. OrOneEqualsOne. And here we're sporting our nerd glasses. And to introduce ourselves, we even have some little junior hackers in the house that we're training up back here that help us out. We're kind of a family of hackers. This is our first presentation as a family, and this is a presentation on the Domain Password Audit Tool. Watch how the kids help out when we're taking drinks of our... so, this year, okay.

So we're presenting on the Domain Password Audit Tool, which was my tool originally, but since then Darin and Cameron have maintained it and added features to it as part of their mentoring into InfoSec. We're gonna start off this presentation with a little cheerleading episode about getting into InfoSec, presented by me, and then I'll turn it over to Cameron, who will give us some history on how passwords work, how to crack password hashes, how hashes are obtained from computers, etc. So bear with me; I did a little cheerleading section here in the introduction.

So I started out as a mechanical engineer working for HP, building automation equipment. It was awesome, but there came a time I worried about job security at the company, so I went back to school and learned computering, and I came back in 2007, again to HP, and started programming, writing PC applications and mobile applications, and ultimately became a web application developer. That was super fun. I got to develop a brand new web app and I was the main developer, and I was a new web app developer, really. And one day, while I was happily developing, about to release, my boss walked by with a notepad of paper and dropped it on my desk. It was a report, and he pointed at the report and he said, "Fix this stuff." And I had no idea what he was talking about; I just saw a lot of red on the paper. So I started reading, and I realized that management had had security tests done on my application before we released it, and it turns out it was vulnerable to some big security vulnerabilities. One of the main vulnerabilities was SQL injection, where the report said, "We could read, modify, or delete any data that you have stored in your database, and all we have to do is type in something like ' or 1=1 into one of your input fields." And I was like, no way, this can't be. I was in shock and disbelief. So I go to my development machine and I type in their example payload, and you know, my development database goes away. And so I'm just completely in shock. I also learned about cross-site scripting, which I'd never heard of before, and that my app was vulnerable to that in a lot of places as well. So that was my introduction to information security.

So I went home that night very discouraged, like, oh my goodness, I've just been destroyed, my application is terrible, I didn't even know this was possible. And I shrugged my shoulders and pouted my way home, talked to my husband and told my husband, I just can't be a good web developer, a programmer, if I don't know anything about security. But he encouraged me to go ahead and just embrace security instead of being scared of it and worried that I didn't know anything: to embrace it and learn about it. So I inquired around with co-workers what would be a good way for me to learn about security, and in 2010 I took my first security class from SANS, and I became certified in information security fundamentals. So I took their 301 class; it's a really good class, enjoyed it. I took a few more classes over the next year, and that's where I learned about pen testing. It hadn't really occurred to me that this pen testing, you know, trying to break into applications or computer systems and make them do things they weren't supposed to do, or steal information, would be a really fun job. So when I learned about that, I realized that I really wanted to be a pen tester, this really cool job: instead of trying to make things work, try to make them break, and try to break in to steal things, and even sometimes get permission to physically break in and learn to pick locks and jump through windows. So I thought, this is definitely the job for me. So it became my goal to become a pen tester. It reminded me of that Sneakers movie, where ex-convicts kind of get together and prove that they can steal money from a bank, but it wasn't all unapproved activity. So when they're done with that job and the lady's typing out the cheque, she's asking them, "So people hire you to break into their places to make sure no one can break into their places?" And that's exactly what it is, and he replies, "It's a living." And so I like that.

So in 2014 I reached my goal. I went for the master's degree in information security from SANS and completed that, and became a penetration tester for Black Hills Information Security. I loved that, but I moved on in 2017 to the Walmart red team and did that for a couple of years, and then I moved to the blue team, which is the network defenders. So instead of breaking in, it's back to keeping people from breaking in, and I did that really with the goal to become a better red teamer, not necessarily that I will go back to red team, but I wanted to understand both sides and everything about everything, because I like to learn a lot; that's one of my main goals. So I'm a brown belief Tina.

So I was having so much fun. At the time Darin was a high school math teacher online, and he saw me, and I'm just having so much fun in my room, like, I'm doing this, and I'm making good money compared to a teacher especially, sorry to say, and I had a flexible schedule where I work from home, so it was great. Darin started saying, "I wish I could be a pen tester," and I'd put on my cheerleading outfit: "Yeah, yeah, you should do that, totally do it!" And he said, "Nah, I'm too old." You know, he was forty-something, early forties. He's like, "Ah, it's probably too late for me, I can't do it." So we wouldn't talk about it for a while, and then he would again see me having way too much fun, making good money and having a flexible schedule, and he'd say, "Can I? Should I? I wish I could be a pen tester, I should be a pen tester," and I would cheer for him, yeah, yeah, yeah. But he would say he was too old. And then ultimately he agreed, and he went back to school and got a bachelor's in computer information technology; he would just go online and finish that. And while he was doing that, he also went and got certified after taking some SANS classes, so he got three certifications in those topics listed there, and in 2017 he became a pen tester for Black Hills, and then has been a recent contributor to the Domain Password Audit Tool, which we are talking about today.

And lastly we have Cameron. He's my son, he's 17. I put him on summer coding programs to keep him from playing on his computer too much, which annoys me, and so he's gotten really good at Python. He's also taking some high school programming classes, and he's been contributing to DPAT by fixing bugs and adding features. So if you end up going and looking at our code, you'll see the features he added there. And with that, the moral of this little cheerleading story is that you're never too old. You can get into InfoSec and be rewarded, if you're old or young, male or female or otherwise; you can do it. So you just need to be willing to take that first step, and then you take one

more and one more, and eventually you're gonna get there. So I'm gonna turn this over to Cameron, who will give us some background on passwords and how they're stored, and how attackers steal them, and how they try to crack them to get your original password back.

So I'm Cameron Roberts, Jr. OrOneEqualsOne. So I'm gonna be talking about passwords and password hashes. So computers will normally store the hash of your password instead of the actual text of your password. So they'll take the text and then put it through this hashing algorithm, and then it'll output this long random string of numbers and letters. So the hashing algorithm encodes data into a small fixed size and will always give the same hash for the same password, and it doesn't really matter how long the password is or how short the password is; it'll always be this same length. Hashing algorithms are one-way, meaning that you can't take the hash and reverse-engineer the algorithm to get the password back; you can only put them in and get the hash out.

So password cracking is where you have this hash that you don't know the password for. So you would guess a password such as password1 and put it into the algorithm and get the hash. So in this case the hash is not the correct hash, so you would guess a different password such as password2, put that in, and it's still the wrong one, and then you'd guess password3, and then that's suddenly the right password. So now I know password3 is the password for the hash.

Windows stores two different types of password hashes: there's LAN Manager (LM) and NT LAN Manager (NTLM) hashes. The LM hash is older; it's where they split the password into two sections of up to seven characters each, and they take each section and put it through that hashing algorithm, then put the two hashes together to make this one longer hash. And they convert the password into uppercase letters, so that there's less options on the different hashes that you can have. So in this example there's a password where only certain letters are capitalized, and it's the same hash as the one where more letters are capitalized, and where all the letters are capitalized. So the LM hash is pretty weak, because the time to crack a seven-letter password is the same as to crack an eight-letter password, which is the same as to crack a fourteen-letter password. So an LM hash can only have uppercase letters, numbers, and special characters, and it splits it in half, so there's basically only up to a seven-letter password. So that gives a total of one trillion different combinations, which is a relatively small amount for how fast computers are today. And an NTLM hash can have uppercase letters, lowercase letters, numbers, and special characters, and it doesn't split it in half, so, like, however long you put in your password, there's actually that many letters that it uses. So all of that makes it so that there's one octillion different combinations of hashes, which is way more secure. On my computer it would take an average of about eight minutes to crack any given 14-character password hash, while it would take 4.3 billion years to crack any fourteen-character password NTLM hash.

So how does the bad guy get your hash? That's a pretty big thing, because if they don't have your hash, they can't crack the hash. And so they'd then get access to your computer by, like, a phishing email or some other form of hacking, or they can get access to a different computer that would store your hash, such as a domain controller in an enterprise environment. So an enterprise environment is where there's the computers on the domain that have all their own stuff, and then they all connect to this domain controller that stores their hashes and all their information to authenticate the users that are using the computers. So the domain controller, in this example, would store Larry's hash, Curly's hash, and Moe's hash. But on more recent versions of Windows, the machine will not store the LM hash, because it's so weak, and replaces it

with this "aad..." hash, which is the hash for a blank password. So access to the domain controller is really not good, for any hacker, because of all the information that it has on hashes and all the users on the domain. So I'm gonna turn it over to Darin now.

Hello everybody, this is Darin Roberts, and I'm MrOrOneEqualsOne. I am going to be talking about the Domain Password Audit Tool, but I want to point out a few things about what Cameron said. One of the things that we do at my work (I work for Black Hills Information Security) is we recommend passwords of 15 characters or more. The reason why we do that is specifically for that LM hash. It's amazing how many times you're on a test and you get access to the hashes and you do find out that there are LM hashes in the environment. Even as you talk to the people, they swear up and down that there aren't LM hashes; you still find them out there. So with the 15-character password, it does break that, plus the possibility of even storing the LM hash. So there are older systems out there that do save LM hashes, so we encourage you to have your passwords of 15 characters or more. But anyway, on to the Domain Password Audit Tool.

So you can get it here at the repo, clr2of8/DPAT. There is a great README that explains all that you need to know about it. It has a lot of great information and explains what it is and how to use it, but we're gonna go through and look at it. So one of the things that you need are the hashes from the domain controller, and again Cameron explained what that is, but there's a command to get the hashes off of the domain controller, and you can see here it's also in the README. But what this is going to do is it's going to dump the hashes into a file that's called an NTDS.dit file, and this file is not very readable in terms of humans, and so we actually need to change this file. The way that we do that is use secretsdump, and again this command you can see is on the DPAT repo. But what secretsdump does is it's going to take that NTDS.dit file and it's going to convert it into this more usable format, and we're going to get three files out. One is the customer.ntds file, and you can name them whatever you want, but this NTDS file is going to have the username, and it's going to have the LM hash as well as the NTLM hash. And as you're looking through this, hopefully, if you do this on your own environment, you will see all blank LM hashes, because if you don't have blank LM hashes, then those hashes will be cracked when you send them through a cracker. The other thing that you can notice on this is there's a history for each of these users. The way that you get that is you add this flag at the end, -history, and this history is going to output all of the password history stored for the users. So you can see we have user Larry, and then the previous password, the last password that he used, is going to be stored as the history0, and so on and so forth; that goes back through the history of the passwords that he's used. By default, Active Directory is going to store 24 of these; there's 24 of the passwords, and you can adjust that, you can change it if you want, but by default it's set to 24. This has some great information not only for domain admins to look through, but also for hackers; it gives a lot of information that we can use.

But after you get this NTDS file, you then will need to send it through some kind of a cracker. Hashcat, John the Ripper: very popular ones that you can send this through. The cracker then tries to crack all of the passwords, and again, depending on the length of the password will depend on how easy it's cracked. Another thing that is important... I don't know how I just got there, all right. But one of the things that you need to look at is the word list. So the more complete your word list, the more complete your cracking will be. You can see some of these passwords that got cracked on the side over here. Of course this was just an example, and we could put whatever one into the word list. Some of these probably would not be cracked by a regular cracking machine, but if they put them in a word list, then for sure they will be cracked. So even though you have a long password, you need to make sure that the long password is something that is not in any word list; otherwise it'll probably be cracked rather quickly.

So again, after we have the output from our cracking machine, hashcat saves this as a .pot file, so we then are going to go to our DPAT tool. So after we have the DPAT tool, again you can see that this is what the repo looks like; you can see how to clone it. So you just would clone that onto your machine and then run the file. So running the file is gonna look something like this: with this file, we're giving it our customer NTDS file, we're giving it our pot file, and then we're also giving it some of our admins' information, because this is just gonna let us look at some of the groups that maybe we want to look at, to see how their passwords fared. So you can actually give it group files and look at specific users and how their passwords fared. And another thing that the tool is going to do is try and crack the NT hashes based on the LM hash. So we know that LM hashes, when you send them through hashcat or whatever, are going to be cracked, but that doesn't necessarily mean you have the NT password. So what this DPAT tool does is it's going to compare these hashes and it's going to try to finish cracking them based on the output for the LM hash. Like Cameron said, the LM hash is all uppercase, so the LM hash is going to be all uppercase; that is probably not the way that a user would store their password. So the DPAT tool is going to look at the LM hash, analyze all of the uppercase letters, and then go through lowercasing or whatever of these cracked LM hashes to see if they can get the cracked NT hash.

After we go through that, we are going to then open the report, and it's going to look like this. So again, we get great output from this. If we click on the details for the password hash, we get this output, and we see the username, the password, the password length, and the NT hash, and then again whether the LM password has been cracked. Now again, look at these things: some of these passwords that were cracked, I doubt that this one up here, this top one, was really cracked, except if it was in the word list. So if it was in the word list that was used, obviously it would be cracked. I don't think that a password length of 39 would be cracked if it wasn't in the word list. So again, training users on not using common passwords, if they're in the word list, make sure that that's the case. So again, you can look for these passwords and check how secure your passwords are in your environment. When we do this for customers on tests, they really like seeing this kind of information. It does give them insight as to what's going on with the users, how they're storing passwords, how they're choosing passwords; it gives the administrators more leverage as to training, maybe creating a stronger password policy. So this is something that everybody can use. Again, when we crack passwords and run it through this, this is something that our customers at Black Hills really like to see; they love to see this kind of information.

So this is a list of the passwords that were cracked via the LM hash. Again, these are not necessarily weak passwords, but because they were stored as an LM hash, they were able to be cracked very easily. And you would want to look through this again as an administrator, find out why these are stored as LM hashes. If there is some kind of a tool on your network, a system on your network, that requires the LM hash, look to upgrade that so that you can get rid of these LM hashes. LM hashes just basically shouldn't be there. They're still found in environments; it's really not uncommon for us to see them, but if you can get rid of them, it's obviously the best thing you can do.

We also have an output of password length statistics. So again, this is only based on the passwords that were cracked, and if a password is not cracked, there's essentially no way to know exactly how long the password was. But out of the ones that are cracked, you can see the details on how long the passwords are. Again, this gives you great detail as an administrator so that you can aim for more training and more opportunity to help your employees and co-workers to improve their password policy.

You can look at the password reuse stats. This is great information here. For example, let's say you find a password of Welcome123 that is just all throughout your environment. This could be your IT support people giving out a password to set up a new account or to reset a password, and then the people just never changing the password after that happens. So you can look through common password reuses to find out information, patterns that are going on with users in your network. When we try to crack passwords or guess passwords, the season and the year is a very common password, and you'll probably see that all throughout your network depending on your password policy. So again, look through password reuse stats; it helps with training.

Now if you try and get that password history, you might get this output. So what this is saying is, when you ran secretsdump.py, you didn't use that flag of -history that I talked about. So you need to go back, run secretsdump.py with that flag of -history, and then again try to crack those passwords. If you do that, you'll get an output like this, and then you can see here we have the list of the users and their current password and all of the previous passwords. So you might again see some significant patterns that might help you again train users. So as most of you know, when you're required to get a new password, you can't use either one of the similar last five passwords that you used, or whatever it is, so users will typically just change one character, maybe a number, maybe the season and the number. So you can look through this and see patterns. For example, Moe: we see that he's using signs of the zodiac, so we might be able to guess actually what this password is for history1; we can even probably guess his current password because we know his previous passwords. So that's one way that this password history can be used, and for hackers, we like to see as many passwords as we can, because it gives us great information on what is common and what we should guess next.

So that's pretty much what we have. Hopefully that was useful. If you do have any questions or comments, we'd love to hear them. You can hit us up on Twitter or whatever, and anyway, thank you.
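As an added example (not DPAT's own code), the audit join that Darin walks through: parse the secretsdump `user:rid:lmhash:nthash:::` file and the hashcat `.pot` file, then produce the report sections from the talk (non-blank LM hashes, cracked password lengths, password reuse, and the `-history` rows, with a reminder to rerun secretsdump if they are missing). The user rows and all hash values are constructed; the one real constant is the blank-password LM hash Cameron refers to as the "aad..." hash.

```python
import re
from collections import Counter, defaultdict

# LM hash Windows stores when LM storage is disabled: the LM hash of a blank password.
BLANK_LM = "aad3b435b51404eeaad3b435b51404ee"
HIST_RE = re.compile(r"^(?P<user>.+)_history(?P<n>\d+)$")

# Constructed sample in secretsdump's user:rid:lmhash:nthash::: format; the
# *_historyN rows are what "secretsdump.py -history" adds. Hashes are fake.
NTDS_SAMPLE = """\
larry:1104:aad3b435b51404eeaad3b435b51404ee:1111111111111111111111111111aaaa:::
curly:1105:0123456789abcdef0123456789abcdef:2222222222222222222222222222bbbb:::
moe:1106:aad3b435b51404eeaad3b435b51404ee:3333333333333333333333333333cccc:::
moe_history0:1106:aad3b435b51404eeaad3b435b51404ee:4444444444444444444444444444dddd:::
moe_history1:1106:aad3b435b51404eeaad3b435b51404ee:5555555555555555555555555555eeee:::
shemp:1107:aad3b435b51404eeaad3b435b51404ee:1111111111111111111111111111aaaa:::
"""
# Constructed hashcat.pot sample (nthash:plaintext); uncracked hashes never appear.
POT_SAMPLE = """\
1111111111111111111111111111aaaa:Welcome123
2222222222222222222222222222bbbb:Summer2020!
4444444444444444444444444444dddd:Gemini1
5555555555555555555555555555eeee:Taurus1
"""

def parse_ntds(text):
    """Return (current, history): user -> (lm, nt) and user -> {n: nt}."""
    current, history = {}, defaultdict(dict)
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 4:
            continue
        name, lm, nt = parts[0], parts[2].lower(), parts[3].lower()
        m = HIST_RE.match(name)
        if m:
            history[m["user"]][int(m["n"])] = nt
        else:
            current[name] = (lm, nt)
    return current, dict(history)

def parse_pot(text):
    """hash:plaintext per line; split on the first colon so ':' in a password survives."""
    pot = {}
    for line in text.splitlines():
        if ":" in line:
            h, plain = line.split(":", 1)
            pot[h.lower()] = plain
    return pot

def audit(ntds_text, pot_text):
    """Produce the report sections the talk walks through."""
    current, history = parse_ntds(ntds_text)
    pot = parse_pot(pot_text)
    cracked = {u: pot[nt] for u, (_, nt) in current.items() if nt in pot}
    by_hash = defaultdict(list)  # same NT hash => same password, cracked or not
    for u, (_, nt) in current.items():
        by_hash[nt].append(u)
    return {
        "cracked": cracked,
        "lm_present": sorted(u for u, (lm, _) in current.items() if lm != BLANK_LM),
        "lengths": dict(Counter(len(p) for p in cracked.values())),
        "reuse": {nt: sorted(us) for nt, us in by_hash.items() if len(us) > 1},
        "history": {u: {n: pot[h] for n, h in hs.items() if h in pot}
                    for u, hs in history.items()},
        "history_note": None if history else "no *_history rows: rerun secretsdump.py with -history",
    }
```

Reuse is detected on the NT hash itself, so accounts sharing a password show up even when that password was never cracked.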