
All right, our three o'clock speaking slot: Doug Burns and Nick Nikolaidis. So Doug, in InfoSec for five years, has a passion for sharing information and making other people better; primarily interested in malware analysis, red team and CTF. And Nick is a senior security analyst on a vulnerability management cyber threat team and a red team, and is a GPEN-certified... GPEN, a couple GPENs in the house. Anybody else got GPENs in here? SANS folks? Yeah, okay, here's a few. And is a gamer, [inaudible] hobby, and passed on. So yeah, give it up for Doug Burns and Nick.

All right, this is Password Auditing for the Enterprise, so we'll get started. There it is. All right, off to a good start. So to rehash, because we like talking about ourselves: I'm Doug Burns, @DougSaigon2002, lead security analyst at a place I can't talk about because I said no. In InfoSec, interested in malware analysis, red team, love CTFs, and again, love sharing information. So I won't claim to know everything, but I know a little about a lot of stuff, so if you have any questions that I can help out with, please reach out to me. If I don't have the answers, then hopefully I can find somebody who does have the answers. I just want to make you better, and the industry in general better. So with that said, this is Nick.

Hi, I'm Nick. I'm a senior security analyst at [inaudible]. I focus on the vulnerability management cyber threat team and [inaudible]; my focus is more on the red team side of the house. I'm a GPEN-certified pen tester, I'm an avid gamer, and in a past life I used to be an SCCM engineer focusing on system configuration and operating system deployment.

All right, so kind of a disclaimer here: if you're expecting bleeding-edge research, not going to happen. We don't have any zero-days. All the work that we're doing is really standing on the shoulders of giants, so you're going to see a lot of references up here. We're
going to have a lot of blog posts, a lot of links, a lot of GitHub. Absolutely the encouragement here is to go to those places, read the resources that we also read, and check it out. So that being said, go ahead, let's talk about where we're going to go.

So, why all the passwords? We're going to start out with why you should care about this, right? We're all busy, everybody's got other stuff to do, who even cares about auditing passwords, right? It's going to cost you thousands of dollars and you're going to spend days and days at it, and maybe you'll get three passwords and nobody's going to care. All right, probably not; we'll talk about it. Then we'll talk about how you do it, right? So we'll go through a brief tutorial, talk to you about at least the Windows side, right? The Linux side is a little bit easier: you have your root account, you copy down the shadow file, crack your hashes, off to the races. Windows is a little bit more complicated than that, so we'll go through a process and talk to you about how to get the hashes, how to decrypt the hashes once you've got the hashes, and the tools and techniques to use to crack the hashes once you've acquired them. Then we'll talk about hardware. So this can really be done on a number of different hardware platforms, right? This could be done on a VM on the laptop that you use for everyday work, or you can scale it up all the way and spend tens of thousands of dollars if you want to. And we'll talk about presenting your findings, right? That's the important thing: you have to make other people care about your findings. We can spend all day cracking passwords and telling our buddies "hey, I cracked 70% of the passwords," but if you're not talking to management, if you're not talking to departments, nobody's going to care and your work is really going to be for nothing. So we're going to talk about presenting your findings: who should you talk to, what should you talk to them about. And then, details from the depths: we'll talk about some of the stuff that we've seen during the course of our password audits, some kind of gotchas when you get involved in something like this, and just some funny stories that we have.

Passwords. All right, so we stole a meme from the guy before, so why not. Passwords: number one, your passwords suck. Tell me your company name, tell me your OWA link, and I will log into it, almost guaranteed. There are a couple passwords that you see all the time, everybody's using them. I don't know where this idea came from, but apparently it's a very pervasive idea that you should use
certain things in passwords, and people have latched on to it, and everybody does it. Maybe everybody thinks they're unique, maybe that's why they're doing it: "oh, nobody's ever thought about this before, I'm going to do this." Everybody. So number one, that's the real reason: your passwords are terrible.

Second, kind of a survey of the crowd here: of everybody that's in here, who does an annual pen test? Okay, cool. How about, don't keep your hands up, keep your hands up... so if you don't do an annual pen test, who's had money in the slush fund in the last five or ten years and you've got a pen test? Okay. So of those pen tests that you've done, put your hand down if there wasn't a finding that was related to passwords. Right, so nobody's putting their hands down. That's the thing: we're paying pen testers tens of thousands of dollars to come into our networks and crack passwords. We could be doing that work ourselves and be getting richer pen tests, but instead we have crappy passwords on our network, the pen testers come in, they do a couple different attacks, which I'm going to talk about in a few seconds, they crack the passwords, they're in, that's it, right? So we should be challenging pen testers. We're going to pay them tens of thousands of dollars to attack our network; they should be struggling, they should have a hard time with it. But just in a survey of pen testers that I know that do this professionally on a consulting basis, they're quoting statistics like 90 to 95% of their engagements involve cracking hashes of some kind. So if we make those hashes nearly, or next to, impossible to crack, that's going to make their job a lot harder. Maybe we encourage red teams to get better, maybe we encourage the pen tester to find more interesting findings than just "oh, I cracked the hash, oh, I cracked your admin hash," whatever. So let's make other people be better too.

So what are pen testers using? Password spraying, right. So the way this works, if you're not
familiar: I'm going to take a publicly accessible portal that you've got, maybe it's OWA, maybe it's a VPN, something like that, and I know through my course of pen testing that these are the three passwords that are generally most used, maybe it's two, let's go with two. So these two passwords are generally found in most organizations, so I'm going to compile the biggest user list that I can and I'm going to send those two passwords for every user in your organization. And your detection tools probably aren't going to see this unless you're correlating failed logins across multiple accounts, which is a pretty hard thing to correlate; you're not really going to be able to set up an alarm for two failed logins for a user. So especially if I spread this out and I'm doing five-user chunks every 30 minutes, it's going to be almost impossible to detect. But through the course of that, because everybody's using the same passwords, I'm going to get in. I'm going to get logged into OWA, I'm going to create a rule that's going to give me persistence back to the root machine, I'm going to get logged in to your VPN, I have network access. So that's a big thing: having weak passwords is going to make you susceptible to password spraying.

Secondly, Responder. So SpiderLabs came out with a pretty nasty tool here. Basically this exploits a vulnerability in Microsoft name resolution. So Microsoft had this great idea: "oh, we should take some stress off of the DNS servers, and some other people are already doing these queries, so before we query the DNS server, let's just ask our friends and see if anybody else has queried the same recently." Well, that's fine, that's cool. So I'm going to run Responder, I'm going to be that friend. I'm just going to tell you that I'm your file server, I'm your domain controller, I'm whatever you're looking for, and you're going to send me your hash, and I'm going to say "oh, that's great," I'm going to send it wherever you want to go, you get logged on to the file system, I've intercepted your hash. Now I'm going to crack your hash, get logged on to your machine, and move laterally throughout the network. It is worth noting you do have to already have an internal foothold for Responder to work, so this is going to be a lateral movement once they've gotten inside through something like password spraying or phishing, more likely.

And a sort of final note on why bad passwords: password compromise, right? So password compromises are in the news everywhere, right? Everybody sees LinkedIn, everybody sees these giant massive mega breaches. I think I saw, I got an email the other day that said I was part of a breach of like 500 million users or something like
that. It's just disgusting, the volume and the size of these breaches, and it just seems like they come month to month to month to month. The problem, I mean generally, there is like a three-year lead time. I don't necessarily know why that exists, but it seems like between the time of the breach and the time that the passwords are released there's about a three-year lead time. So you think, "oh, that's great, well, somebody was reusing a password and they probably changed it in three years," right? Well, maybe, but the problem is maybe they were using hippopotamus1 as their password three years ago, but now they've rotated up to hippopotamus13. Well, you're no more secure because they're using hippopotamus13 rather than hippopotamus1, because based on the nature of the techniques of password cracking, I'm going to get hippopotamus13 just as fast as hippopotamus1. So if I can get that root password and do some transforms on it, then I'm going to have a better idea of, be able to crack your passwords. So hopefully that makes sense; it's a good use case for why you should care about this.

So now I'm going to hand this off to Nick and he'll talk a little bit about how you actually get this done. All right, so like Doug said, we're not doing anything groundbreaking here; this is, this is all
kind of state of the art, just what you do when you crack passwords. So now we've convinced you that you should probably be cracking your own passwords to get more out of your pen test; let's talk a little bit about how you go about it. The first thing we need to know is that in an Active Directory environment, all of the hashes are stored on the domain controller in the Active Directory database. So the first thing we need to do is dump all of them. So there are a few ways that we can do this. The first, and probably the most effective, way is to use ntdsutil. It's built in, so there is nothing to install, I don't have to worry about AV triggering on it. That being said, we've seen attackers use this, so blue team, you should probably have advanced logging turned on and be alerting when you see this thing fire. So what that will do, I went specifically looking at the IFM, which is the install from media function. So what this is going to do is it's going to create a backup copy of your Active Directory database along with everything that you need to install it on another domain controller, which includes the SYSTEM and SECURITY registry hives, which is what you're going to actually use to decrypt all the user accounts in a later step. Another way that you could do this is using vssadmin to either access already existing shadow copies or to create your own and then move them off.

So the next step is decrypting the hashes. So now that you have your dit file and your two registry hives, you need to decrypt the accounts that are inside there. So again we have a few different ways that we can go about this. One of these is NTDSXtract. So this consists of two different things: you've got the ESE database export tool, esedbexport. So what this thing is going to do is, you're going to feed it your dit file, and what it's going to do is put all the tables into a working directory so that you can use the dsusers.py script to grab all of the user accounts and decrypt them with your SYSTEM hive. The other one that you can use is the NTDS extract.sh method. So the extract.sh script was customized and written by harmj0y; we talked about him in an earlier talk, you might have heard of Will, he worked on PowerShell Empire, Veil-Framework and now BloodHound, I believe. So what he did with this is extract.sh only pulls out the tables that you need to get password hashes and user accounts, so it runs a little faster, it's cleaner, it's my preferred method, if it works. Your mileage may vary with some of these, but that's why I'm listing two of them. I've had some Active Directory backups not extract with one or even either of these methods, so you have to kind of toggle between the two. It's okay if you have to do that; it's not going to affect the results of your audit at all, it's just a different way to do the same thing. So once you've run your extract.sh, it will extract the hashes with the accompanying Python script, same concept: you feed it the system registry hive and your tables and it dumps it into a hash file that you're going to feed into the tool to crack the
passwords. And also I have linked a blog here; this was really helpful when I first started doing password cracking, so I recommend a read if you're going to get into the business.

So cracking, that's our next step. So now that we have everything we need to crack the passwords, we need to decide on what tool we're going to use. So once again there are many different things we can use to do this. The first one I'm going to talk about is John the Ripper. So if you're just starting off to do this, John the Ripper can be run on pretty much anything; you can run it on a VM, CPU only. That being said, it's kind of legacy at this point, because hashcat's got the ability to utilize GPUs and just performance-wise it gets outpaced. There is something to be said about functionality here, or utility, in the fact that John the Ripper is actually capable of extracting hashes from password-protected files: Excel files, Word files, what have you. And then there's hashcat. So hashcat can use either the CPU or the GPU. That being said, like I mentioned before, it's superseded John as the primary tool for cracking passwords. So whereas you have John, who can access the 12 cores maybe of a CPU, hashcat can access all the CUDA cores on a graphics card, which could be thousands, and that's where you get your performance increase from: the parallel processing. I feel like this had a higher learning curve for people who were trying to get into it, but it's more feature-rich and the online documentation is fantastic; anything that you could try to do with hashcat is listed out there. I have a link to their wiki there, I recommend a read, and for most of the purposes of this talk we used hashcat once we had a GPU.

All right, so let's talk about the different approaches that we can take with these tools. The first one is dictionaries. So there's a variety of dictionaries, but the general purpose or methodology that hashcat uses with these is you have a
file that has a bunch of words in it, and what it does is it runs those words through the password hashing process and gets the hash. What it then does is compare that hash to the list of hashes in your hash file that you've dumped from your Active Directory. If it gets a match, it displays that on the screen and voilà, you cracked your first password. So word lists, or dictionaries, are what they sound like: they're just a list of words, nothing special, apple, potato, whatever. A few good word lists that we have found are the [inaudible] list; that's like three 1-gig files, it's a ridiculous amount of words, but it's fantastic. The idea behind the word list is you apply rules to them, which I'll talk about in a little bit, which will actually mangle them and extend the amount of guesses that hashcat gets from the list. The second type is cracked passwords. So this is your leaked passwords: LinkedIn breach, RockYou is kind of like the bread and butter of password crackers, you start there. It's a condensed list, it's like two million words, so even if you're running on just CPUs it doesn't take forever to get through, even with rules, and it's unbelievable the amount of passwords that it gets right out of the gate and that people are still using. [Inaudible] is a little bit bigger, it's kind of like the [inaudible] list, several files. What's cool about hashcat is you can specify a directory, so you just dump all of those into a directory, give it a rule, and it'll just churn through each of those in line. There's also custom word lists. There's a tool that you can use called CeWL, and what that does is it will crawl a website that you feed it, say your company's website, grab all the plaintext words it can find, and dump those into a word list that you can use with rules or what have you. And again, you're going to be surprised at how many people in accounting decide that their password should be accountant1 or accountant2. Along with the custom lists, as you crack passwords and you go through multiple audits, you should be taking all the passwords that you're cracking and dumping them into a new word list and using those on future password audits, because you're going to have people who have slight alterations on their passwords, you're going to have repeat offenders that don't even change their password even if you notify them; it's just good practice to do that. And then there's the rule sets. So like I mentioned, you could apply rules to these word lists to further extend the amount of guesses you're getting out of them. So hashcat's got a variety of built-in word lists that are fantastic, and I mean really you can do entire password audits on just those. KoreLogic has also
published their rule lists that they use for when they crack passwords; they're a little bit more extensive and resource-heavy, so just keep that in mind if you're going to try to use them.

So that's our cracking, continued. Another type of attack is a combinator attack. So the idea behind this is you take two word lists, you have a left word list and a right word list, and hashcat will take a word from each of those line by line, combine them into a password, and attempt to crack passwords with it. So what this does is it kind of extends out of just a single path of single-word passwords and you get multiple-word passwords. People think "oh, I've got two words in it, it's perfectly secure now." This gets a crazy amount of hashes, like more than I would have thought. When I did it I was like "oh, we'll get a few," but it gets all kinds. You can also insert delimiters in between the words, like an underscore or a hyphen, any special characters, to get even more.

Another: brute force. So a brute force is probably the most time-consuming and resource-intensive attack that's available to hashcat, and the reason for that is you're trying every single character combination in every single slot in a password. So you're trying anything you can think of and it takes forever depending on how long it gets. Really, you can only do this if you're using GPUs, and even then there's a certain point where it just becomes impossible to crack things, and then you'll get into other techniques that you can kind of try to lower the character space. And that's what mask attacks are for. So mask attacks, you think of them as targeted brute forcing. So really brute forcing the entire 10-character space is no small feat, but on the current rig that we have we can do it in just a few days with the right mask. So the idea behind it is, instead of trying everything everywhere, you look at all the passwords that you've cracked previously using dictionaries, what have you, combination attacks, and then you find the patterns, right? So for instance, in 90% of all of the passwords that we cracked that had an uppercase character, that uppercase character was in the first position. So if we're going to create our mask, it makes our first character easy: uppercase, bang, ?u, question mark u. So hashcat has built-in character sets like this, and they're separated out when you do go to do your mask by the question marks. So u is for uppercase, l is for lowercase, d is for digit, s for special, and you can also create your own custom character sets if you want to further reduce the space, say, for special characters.
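An added example (not code from the talk, and not PACK itself) of the per-position analysis just described: it profiles a constructed set of cracked passwords, reports how often the uppercase character sits first, turns each password into a ?u?l?d?s mask, narrows ?s to the specials actually seen, and keeps only masks whose keyspace fits a time budget at a given NTLM rate. The sample passwords, the 209 GH/s rate (the figure quoted for the four-GPU rig later in the talk) and the three-day budget are assumptions for the demo.

```python
# Profile cracked passwords and derive hashcat masks from them.
# Added example with constructed data; not code from the talk or from PACK.
from collections import Counter
import string

# Sizes of hashcat's built-in charsets: ?u ?l ?d and the 33 printable specials ?s.
BUILTIN = {"?u": 26, "?l": 26, "?d": 10, "?s": 33}

# Constructed sample standing in for the plaintexts hashcat writes to its potfile
# after dictionary and rule attacks.  Not real cracked passwords.
SAMPLE = [
    "Summer2017!", "Welcome1", "Password1", "Hippopotamus13", "Autumn2018",
    "Monday01", "letmein", "Qwerty123!", "Spring17", "Baseball1!",
    "Company2018", "accountant1", "Zebra42", "Football12!", "Winter2018",
    "jessica", "Dragon99", "Summer2018", "Welcome2", "Password2",
    "passWord1", "Company#1",
]


def char_class(c):
    """Map one character to its hashcat mask token, or None if outside ?u?l?d?s."""
    if c in string.ascii_uppercase:
        return "?u"
    if c in string.ascii_lowercase:
        return "?l"
    if c in string.digits:
        return "?d"
    if c in string.punctuation or c == " ":
        return "?s"
    return None


def to_mask(pw):
    """Whole-password mask, e.g. 'Summer2017!' -> '?u?l?l?l?l?l?d?d?d?d?s'."""
    toks = [char_class(c) for c in pw]
    return None if None in toks else "".join(toks)


def upper_first_ratio(passwords):
    """Of passwords with an uppercase letter, the share whose position 0 is uppercase."""
    with_upper = [p for p in passwords if any(c.isupper() for c in p)]
    if not with_upper:
        return 0.0
    return sum(p[0].isupper() for p in with_upper) / len(with_upper)


def mask_counter(passwords):
    """How many cracked passwords each mask would have covered."""
    return Counter(m for m in map(to_mask, passwords) if m is not None)


def top_specials(passwords, n):
    """The n most common specials in the crack set, as a custom charset replacing ?s."""
    specials = Counter(c for p in passwords for c in p if char_class(c) == "?s")
    return "".join(c for c, _ in specials.most_common(n))


def keyspace(mask, custom=None):
    """Candidates a mask generates; custom maps '?1'..'?4' to charset strings."""
    custom = custom or {}
    n = 1
    for i in range(0, len(mask), 2):
        tok = mask[i:i + 2]
        if tok in BUILTIN:
            n *= BUILTIN[tok]
        elif tok in custom:
            n *= len(custom[tok])
        else:
            raise ValueError("unknown mask token %r" % tok)
    return n


def plan_masks(passwords, rate, budget_seconds, custom=None):
    """(mask, hits, seconds) for each mask that fits the budget at `rate` H/s,
    most hits first, then cheapest keyspace first."""
    plan = []
    for mask, hits in mask_counter(passwords).items():
        secs = keyspace(mask, custom) / rate
        if secs <= budget_seconds:
            plan.append((mask, hits, secs))
    return sorted(plan, key=lambda t: (-t[1], t[2]))


def planned_coverage(plan, passwords):
    """Share of the crack set that the planned masks would have recovered."""
    return sum(hits for _, hits, _ in plan) / len(passwords)


def hcmask_line(mask, custom=None):
    """One line of a hashcat .hcmask file: custom charsets ?1..?4 first, mask last.
    (A ',' or '?' inside a custom charset would need escaping; none used here.)"""
    custom = custom or {}
    fields = [custom[k] for k in ("?1", "?2", "?3", "?4") if k in custom]
    return ",".join(fields + [mask])


if __name__ == "__main__":
    rate = 209e9            # assumed NTLM rate for a four-1080 Ti rig, H/s
    budget = 3 * 24 * 3600  # assumed: three days of cracking time
    custom = {"?1": top_specials(SAMPLE, 2)}
    print("uppercase-first ratio: %.2f" % upper_first_ratio(SAMPLE))
    for mask, hits, secs in plan_masks(SAMPLE, rate, budget):
        # swap the broad ?s for the narrowed custom charset when writing the mask file
        line = hcmask_line(mask.replace("?s", "?1"), custom)
        print("%-30s hits=%d %9.1fs  %s" % (mask, hits, secs, line))
```

The 14-character hippopotamus-style mask drops out of the plan because its keyspace exceeds the three-day budget; that is the length ceiling the talk describes, where a hybrid dictionary-plus-mask attack takes over.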
Since that's like 33 characters, that's a lot to add to any one slot and a lot of time, but if you have the most common specials you can reduce your cracking time even further. Then we noticed that directly after an uppercase, most often it was a series of lowercase characters, so that makes our next few easy: we'll add five lowercase characters after the uppercase. Then we noticed at the end of most of the passwords it was a variety, right? So there were digits, so people had years, people had exclamation points, at signs, what have you. So we decided, let's try a variety of things at the end; we've been pretty confined in the beginning of the password, we can afford to do this. So what that will do at the end is it will try all lowercase, or digits and specials, and it will rotate up through all those. So a way you can generate these masks in a reasonable way is using this tool called PACK, the Password Analysis and Cracking Kit. So what you do with PACK is you feed it all the cracked passwords that you've gotten so far from the potfile, which is where hashcat stores all of its passwords as it cracks them, and it'll spit out something that looks like this. So what you can do is take this and kind of find where they overlap, so you can come up with a middle ground between character space covered and time it takes to crack them.

Doing these mask attacks, we tried wiping the potfile several times and running different attacks to see how many we could get with each attack. Mask attacks, with the right set of masks, we were able to replicate most of the things that we got from dictionaries, except for the really long ones. Brute force, it pretty much does the same thing, it's just targeted, right? So we got most of those. They're very powerful. So once you get to a certain length even mask attacks get hard, but you could also do these hybrid dictionary attacks and mask attacks. So it's kind of like instead of brute-forcing a huge character password, you can start with a dictionary or end with a dictionary. In this example I just took the mask that we created in the previous slide and added, say, a dictionary with a bunch of years in it, so we didn't have to brute force four extra characters. So it would run in roughly the same time that the 10-character mask attack would, but you'd also get 14-character passwords, because most of the time when a password has four digits at the end, or four digits, it's all at the end. So we just tacked it on the end and we got
a crazy amount of passwords from it. You could also do that, like I said, the other way, and have just a dictionary and then at the end you can say "well, I want to try ?l?d?s in the last four places," and you'll probably get even more passwords. They can go either way; you're just effectively extending the reach of your brute force without drastically increasing your time.

So once you start doing this over and over again, you're kind of going to get into a rhythm. The first thing you're probably going to do is a word list, because those are the easiest thing to do, the most common thing to do. If you're on a word list, the password is probably pretty bad anyway. You're going to apply rules to those, you're going to get as many as you can that way, because they're quick, they don't take forever to run. Then you'll move into the brute forces. So what this will do is they'll get anything that was randomly generated up to, realistically, the 10-character space once you start using GPUs. And then once you have those, you can start analyzing them with PACK, or whatever you want to do, you can do it on your own too, and create custom character sets, and then once you do that you create your masks, and then you run your mask attacks. One thing I didn't include on here is after you do that, you dump them all and create your custom password list, and then the next time you go to do an audit you start off by running through all the repeat offenders.

So let's talk about the hardware that it takes to do all this. So I'll kind of run you through the progression, the way we upgraded through our hardware. So when we first started, I came back from training and was like "we're able to do password audits, wouldn't it be great," and my boss was like "sure, go do a password audit, crack passwords," I was like "sweet." So all I had at the time was like a VM with Kali
Linux on it. So I was able to get a dump of the Active Directory environment and I slapped it on there, and all I had was the processor to run it. So that being said, I used John the Ripper for the first one. Like I said, this could be anything; it doesn't have to be a VM, it could be just your desktop, anything. So you'll be surprised: I didn't think I'd get that much, just because I didn't have any power behind it, but when we did this first initial test I was able to get over 60% of all the passwords in the domain. And when that happened, management was like "oh wow, we might have a problem." So that's when we decided we're going to get a little more serious about it, and they were talking about doing regular password audits, things like that. When that happened we just started, well, maybe we'll step up our game a little bit, let's try to use hashcat, it's more efficient, let's get a system with a GPU. So we upgraded. So this is the OG++, nothing special; it was a Dell Precision, it had an NVIDIA Quadro GPU, like 1300 CUDA cores. I think the system only cost us about $1,500, so it wasn't expensive at all. You're still going to struggle to do brute forces with this thing, just because the power's not there; you'll be able to get your dictionary attacks through, or you can use some of the bigger rule sets with bigger dictionaries and get through them in a reasonable amount of time. Regardless, this will get you into hashcat territory and get you prepared for what happens next.

And that's when you start improving; you want to step up your game a little bit more, and this is what we, and apparently everybody else who has one, have affectionately started calling the Kraken. So what the Kraken is, is just a big 4U server chassis. It's got two Intel Xeon processors in it; ours has four NVIDIA GTX 1080 Tis. So that being said, most of the credit for this idea goes to the Netmux blog and how to build a password cracking rig. We saw that blog and it's like "oh yeah, you can do this for like $7,000," we're like "sweet, let's do it." So what we changed here is the graphics cards. I think he was running 1070s, and at the time the 1080 Tis had just come out, so I was like "let's go for it," so we went ahead and got that. So what this is going to do is put us into serious brute force territory, with the additional attacks that you're able to do with all these GPUs, which I think added up to 14,336 CUDA cores. So we started improving, right? We had the 60% on our first password audit, then we started improving, we got it down to under 40% of passwords cracked using dictionaries, and then when we got this it kind of wiped out that progress. So it's pretty significant once you start being able to do different types of attacks. And then just for fun I've got the benchmark comparison between the OG++ and the Kraken. So for those of you who aren't familiar with these kinds of benchmarks, MH/s is millions of hashes per second and GH/s is billions of hashes per second. So with NTLM, the Kraken is actually getting almost 209 billion hashes
per second of operation. And then, if nobody's watching your corporate card, you can get a little crazy and order a Brutalis from Sagitta. These things start at $22,000; you can fit 8 GPUs in them, and they do offer 1080 Tis now. You get 3 terabytes of RAM, 18 terabytes of solid-state storage; it costs a lot, a lot. It's actually really hot too, all right, so, things you can do when you're not cracking passwords, right. There is something to be said, though, about diminishing returns. Like I said, once you get to a certain password length, which is like 15 characters, it just becomes unrealistic to brute-force passwords. So, I mean, what's half of eternity? I mean, so once you step up from four 1080 Tis to eight 1080 Tis, it's really not that much of a difference. If you want to be cost-effective you might consider just a Kraken, but I don't know, maybe you have a use case for a Brutalis. Here's the fun: these are with 1080 Tis, 513 billion hashes a second. All right, and now I will turn it over to Doug to talk a little bit more about how you report it to the business.

All right, cool. So you had a bunch of fun, you're wearing your hoodie, you were playing the black hat, you got your cool V for Vendetta mask and cracked all the
passwords. Now you've got to go business, yeah: swap the hoodie for some slacks and a button-up and start having meetings. So the first thing to do is have meetings with department heads and management. So first you want to go to your manager, so that they can kind of set the stage for everybody else. They can have some meetings and say "hey, look, bad stuff is coming, we cracked a lot of passwords," give them kind of the heads up so that they know what's going to go on, so if there's any blowback from it, and it's going to come back down. Then you can also look at some trends, right? So you want to have meetings with department heads for outliers. So maybe you can organize all of your cracked passwords and look at it by department, and maybe you find that the finance department, for instance, had a very low crack rate, maybe it was 2%, whereas like the entire enterprise was 60 to 70%. Go meet with that finance department head: "you know what, kudos to you, like maybe we've got some money in the budget, we're going to throw a pizza party for you guys, like we only cracked 2% of your passwords and we got over half of the enterprise, you guys are really doing something great, keep up the good work." On the other side of it, maybe you find a department where you've cracked 90% of the passwords, we'll call it marketing. You go to the marketing department head and you say "hey, you got a real problem here, guys; we only cracked 60%, which was still significant, of the enterprise, we got 90% of your passwords." So maybe that department head can have some conversations with their employees. Maybe there's password reuse going on, maybe somebody got a really good idea, was like "hey, this is my secure password, I'm going to use that too," and now everybody's using this super secure password. So they can have some conversations around that. So definitely reward people and recognize people for good password habits, and have conversations around bad password habits as well. But you're also
going to end up meeting with some middle managers, kind of discussing the findings, what you found, and kind of your recommendations moving forward. The first recommendation that you're really going to have to have, to really be effective with this, you want to force a password reset. There are going to be two categories, two kinds of fronts where we're going to fight this battle. So the first is going to be on the user side; that might be a little bit easier to have that conversation. We're going to send out an email and let everybody know we cracked their passwords, and we're just going to [inaudible], say "everybody, we're going to reset your passwords and start over again." You're probably not going to come up with too much resistance for that, as long as you communicate it and everybody's aware of what's happening; they're probably going to be okay. Unfortunately, the real problems you're going to have are system accounts, service accounts. Ultimately we would like to see those reset immediately, because otherwise they're just going to keep showing in our report quarterly, quarterly, quarterly; every quarter we're going to be seeing that service account. The only problem is nobody knows what these service accounts do. They log into fifteen different servers and they only know about nine of the servers that they log into, and nobody wants to touch it, because everything works; if you touch it and it breaks... So if you can, try to put pressure on to get those changed. Usually those are so old that they may not even be complying with your current password baseline. If that's the case, that may be a use case that you can use to kind of put the pressure up to make a change: "hey, look, we've got this password, we found it, we cracked it, this doesn't even meet our minimum standards for passwords today, this password wouldn't even be able to be created today, you need to change it." They still might tell you to go fly a kite, but at least you've got some ammo on you.
The next thing you want to do is user education. The way we did this was a security fair. So we had a live security fair; we hosted it in a room, we brought everybody down, we had several different stations for various aspects of enterprise security, and one of those booths happened to be password security. We brought everybody into the password security booth, showed them all our statistics about how many passwords we had cracked, and had some conversations with people about passwords that we cracked. It was pretty effective. People are interested in this; people want to know, people want to get better, so that was pretty effective. You can also run like an online security fair if you have a more distributed
workforce and you can't really gather everybody into a central location; it might make more sense to kind of run a webinar, something like that, where you can just kind of have a question and answer, maybe a little bit interactive where people can contribute, or at least you can distribute it to the business. Another effective tool will be an awareness email. I think even if you do a security fair, the awareness email is probably a pretty good idea. It just kind of gives people a general overview of what you did, like, hey, especially the first time (maybe you don't want to do this every time, maybe annually you do it, but the first time it's very important): we cracked
passwords. That's what we did. We wanted to see what our password health really looks like, and these were the statistics, and it wasn't good. And then maybe at the bottom you can put some tips in there for how to create better passwords. Maybe you tell them a little bit about how you crack passwords; they're going to think that's cool, because they're like, oh, I'm learning hacks or tricks, and they get the benefit because they're going to create a more secure password out of it. So everybody kind of wins with that situation. So now we kind of go into some of our findings and some things we saw as we were going through this. So the
first thing to keep in mind: your password rules are failing you. Unfortunately Microsoft Active Directory really hasn't done a lot of work on allowing you to create secure passwords. For the most part you can define your minimum acceptable password length, and you can check the box if you want a complex password. So I guess we'll talk about that, right? Let's talk about what a complex password is according to Microsoft. So we have four categories: we need a lowercase character, an uppercase character, a digit, and a special character; pick three of four, right? That's going to be secure, good, okay. Here's a lot of you; this is a bunch of your passwords right now, guaranteed: Spring2017. I've got my
uppercase character, I've got some lowercase characters in there, I have some digits. Oh man, if it's a ten character password, I'm two over the minimum, I'm doing great, that's awesome. Unfortunately everybody's using this password, and if it's in rockyou it gets found every time. If you think, okay, well, let's make it more secure, then I'm going to make them use three of four, that'll be good, let's add a special character to wrap it up: that's really not going to do you any good either. So the real take-home from this is Active Directory, Microsoft, they're not going to be able to provide you the tools that you need to create a secure password. To really get this to a point
where you can create some rules and standards around it, you're going to have to start looking at third-party tools. There's a lot of different companies out there that do these types of things. The key features that you want to look at are like blacklists. So after you run your first password audit, go through and look at the top 50 words, maybe, and put those into a password blacklist. So if a user tries to create a password with "spring" in it, you say no, it's not going to happen; "welcome", that's not going to happen; the company name, not going to happen. And eventually they'll have to create a password that's not in that top 50, but
then next time we run the audit we find the next top 50, we add that to the blacklist, and we keep getting more secure as we iterate through the process. Another thing to look for, if possible, would be to kind of look at entropy, or the difference between the passwords, the difference between old and new. The only problem you're going to run into with something like this, that we've seen, is that you're going to actually store hashes somewhere else that may be less secure than your domain controllers. So if you're going to do this, the tool is going to have to be in a secure zone that is as secure as your domain controller, because it's got to have the
old hash to compare the new hash to, to see how different they really are. But if you can do that and you have a place to put it, it's probably really good. Ultimately users are going to follow the path of least resistance. So if I give them a set of instructions to create a password, they're going to create a password that meets only those specifications and they're going to go on with their life. Not any knock on users, but they've got more important things to do, right? They don't care about passwords; they want to crunch numbers, they want to create marketing emails, they want to do all the things that make the business money.
They want to have a password that's easy to remember; every time they log in it's quick, it's done. So I guess the takeaway here is that users aren't going to go above and beyond. Don't expect that. If you have three standards, don't expect your users to adhere to seven standards; they're going to do the three, and those three standards should make a secure password. So if you're allowing standards that create insecure passwords, that's going to be a problem. Ultimately your mileage is going to vary here. So if you're not forcing password resets, maybe you can't get management to buy into that, it's too disruptive to users, nobody wants to change their passwords, we're
going to have a bunch of people angry about it, and you just kind of let it go. You will see a lot of users that change their passwords, especially if you can communicate in a direct way: we cracked your password, we saw it, we know what it is. A lot of people are going to change their password. What they're going to change them to may or may not be more secure; maybe they're just changing the digit at the end and we're going to crack it again next quarter. Or you're going to see a lot of repeat offenders as you start iterating through this on your quarterly basis: those people that are only changing it by a digit or
just rotating things around, maybe they're substituting digits for letters, the things that the rules are going to catch. Those people are going to show up in your same report. If you start seeing a lot of repeat offenders from the same departments, again, start mentioning this in like the department head meeting. So maybe third quarter back you're coming back in and you're saying, hey, you all are improving, but of the people that aren't improving, it's just the same; I mean, we're not cracking new passwords, we're just cracking the same user over and over. So maybe that manager can go back and talk to that employee about the importance of passwords and maybe instill some more best practices. Final
note here: the helpdesk isn't helping. So as we were doing our password cracking we started seeing these common root words within a business unit, and we were like, why is everybody using the same word in their password? Couldn't figure it out. And we talked to the helpdesk support; they said, hey, when you reset a password, what do you reset it to? Always that root word. So people are getting their password reset by the helpdesk to Welcome2017, and then when the password needs to be reset, they're changing it to Welcome!2017 or something like that. So the user has a new password; there again, taking the path of least resistance, making a small modification to change
the password. That's what entropy really is, an important thing to look for in a third-party tool. So again, if you can't get something that's going to monitor entropy on your passwords, at least have a conversation with your helpdesk and maybe instill some best practices around that: not giving out the same type of root word passwords, at least maybe rotating them quarterly, or, if you can, just giving them a random password so they have to reset the password. So some more things we found: length matters, right? So of everything that we looked at, the single most important thing to make a password more complex, harder to crack, is length, guaranteed. Complexity rules don't matter; length matters more than anything. A 25
character password, all lowercase, that's not a dictionary word or a combination of dictionary words, is going to be a lot harder to crack than a seven character password that's truly randomly generated, because with the Brutalis, with the Kraken, we can just crack the entire seven character space. So even if it's completely randomly generated, seven characters is still not secure. So you want to try to get your length up. So if you can create baselines around longer minimum passwords, that's a good practice, or at least educate users: if they're trying to think about how they're going to create the password, the number one thing they should be considering is how long is their password. So they want to create long but
also easy to remember. We also talked a little bit about password lengths here. These statistics are a little bit old; I mean, you see a Radeon 6970, so the technology is a little old, but the trend still should follow. You're going to get to a certain point where you're cracking everything really super quick, and then it's just going to go off the chart; so you're going to go from minutes to days to weeks to eternity, and then you're not going to be able to crack this password. So that's why we say that the length is really the most important thing. The next thing is special characters aren't created equally. As Nick alluded to
earlier, there are 33 characters in the special character space as defined by hashcat; these are all the special characters: curly braces, square braces, at, all the things. However, when we looked at passwords, of the passwords that included special characters, 90% of those passwords' special characters were these five characters: bang, at, pound, dollar, and star. So why bother looking through the other 33 characters, or the other 28 characters, when all you really need to look at is five? So if 90% of people that use a special character are using those five special characters, that's so cost-effective you can add that to every mask that you use. So that's what we did. So we had like upper
lower lower digit digit, right? So we just made it upper or that special character space, lower or the special character space; we just added it as a possibility for every character, and we cracked a ton of passwords. So hashcat allows for that; you can create custom character spaces. So create your custom character space with those five characters, and really those are the ones that are even worth going for; again, just add them to your masks. Kind of a tangent from that: those special characters might actually make your passwords less secure. Since 90% of passwords are using the same five characters, if you're telling users to use special characters, they're picking a character out of essentially five characters, so you're not increasing complexity or
making the passwords any more secure by enforcing special characters. I guess you could add that to your blacklist if you want to still include special characters; maybe you'd get more variance in how special characters show up in the cracks. Another thing to consider here is practical considerations. So if you're going to have this massive cracking rig, this is going to become the crown jewels of your enterprise, right? So you're going to have all the hashes, you're going to have plaintext passwords, you're going to have the capability to crack them. If I'm an attacker and I find your cracking rig, I mean, game over, right? So you really want to put some tight security
controls around that. The way we do it is we completely air-gap it from the network; it's not connected to anything. We have to go down to a room that's isolated, there's a sign-in, sign-out physical access log, we go through it, we log into it and do all our work down there. It's kind of a pain; we're kind of reconsidering that at this point because of the second point here: environmental. This thing runs hot, very, very hot. Kind of a funny story about that. So we got the Kraken and we're like, all right, we got it, we're building it, everything's awesome, we got our cards in there, we're going to do a super cool overnight attack, see how
many passwords we can get, all right, let 'er rip. So we leave and we come back in the morning, and it turns out facilities had actually gotten a heat complaint about the floor that we were on, because we were running a little bit too hot. So we kind of had to rework that a little bit and take out some drop ceiling tiles to improve the airflow a little bit. But it's going to be super hot, so if you're doing security controls where it's physical access, hands on keyboard only, maybe wear shorts; it's going to be pretty hot. I mean, obviously you could restrict it in other ways: IP restriction, certificate-based, things like that.
So that kind of falls into the operational tasks. I mean, how are you going to do this? Do you want to sit down, hands on keyboard, next to a furnace for a couple hours, or do you want to sacrifice security in some ways so that you can actually have access to it from your desk and do tests more comfortably? Surprise: Linux graphics drivers suck. If anybody's ever dealt with a new graphics card in Linux, it's a pain in the butt. When we got it, the first thing we did, we just had to do Kali Linux; we said, Kali on there, okay, cool. So we'll do Ubuntu 16.04, try that, all right, here we go, here's your new thing, long-term release.
Yeah, I don't know. Okay, great. So we finally went back to 14.04 for the bleeding-edge cards, and they had supported drivers. I'm sure now at this point you can probably do Kali or 16.04 with 1080 Tis, but if you're looking at this a few months down the road and you're creating your cracking rig with whatever the bleeding-edge card is at the time, know that that's going to be a problem; you might have a little bit of trouble with your operating system. Again, so people are really going to be surprised. During the security fairs that we do, we had a lot of password badasses, I guess, that came through. They were like, there's
no way you got my password, it's the best password around. Or like, yeah, we got it. Oh. So then they keep coming back: I changed it, do you have it now? Yeah, we got it. So a lot of people are going to be surprised; they have things and tricks that they've been doing for a long time to create passwords that they think are secure but are actually not secure. On that note, we also had kind of like a banner scrolling screen of all the worst passwords in the enterprise; it was like the top 50 or 60 worst passwords, and it was pretty hilarious. People would come up to me like, oh man, that's my password,
that's good, right? No. Oh, yeah, that was comical for sure. And then, you know, to his point, you had password badasses that would come up and then they'd type their name in and then they'd get mad at you. Like, I had a guy yell at me for 20 minutes saying there's no way I could have cracked his password, and then after I told him, well, I'm not going to bring your password up on the screen in front of all these people, then he went and yelled at my manager for another 20 minutes. So the other people that are going to be surprised by this is management, and that's what we found most often. Like
Nick said, you went to a SANS training, said, hey, look, we can crack passwords, it's really not that hard, not as hard as everybody seems to think it is, let's give it a shot. Management says, yeah, go do whatever, kid. And then you come back and say, hey, here's 60% of the enterprise passwords. So then as you start iterating through this and they realize that it's a problem, the wallet starts opening up and you start getting more and more funding, and then eventually you can get up to the point of the Kraken. We haven't impressed management enough for a Brutalis yet, but maybe it's coming. That's really all we've got. Open it up
to questions here. It's to a certain extent, right? So I agree and I disagree, right? So that is important, and we did account for a lot of the admin passwords; we do use a password control program that's going to have large passwords, completely randomly generated, so a lot of those accounts that we have in that control aren't an impact. But the thing is, the intern in accounting has an account; it also has a local admin password shared across the enterprise. So maybe you don't care about the intern in finance's password, but once I have the intern in finance's password I can get on, run Mimikatz, dump all the passwords in memory, and now I have the local admin
password. Man, oh yeah. Well, if only, right? In the best of, a perfect world, maybe. Yeah, no, no, I mean it's certainly possible; it's just, sometimes it's a struggle.
Yeah, but that's the problem: 90% of the service accounts are in the latter, not the former, because, I mean, security was kind of an afterthought like 10 years ago, right? Nobody cared about security: I need to get this POC running, so I need domain admin, it's got to get everything. Those accounts are going to be everywhere; that's going to be the most common service account, of course. In the ideal security bubble that we create, where we say we have this service account, it can only access this subset of servers, only these services on it, yeah, for sure, that's good. So that's not the case; I mean, even in the best of cases now
there are still POCs, just one of them, there's like, I need an account today, get me domain admin, sometimes I'll just... Yeah, and to that point, when you go to present your findings to management, you should be running those kinds of reports, right? You should be like, well, I cracked these passwords; how many do we really need to focus on to fix them, who do we need to communicate with to fix them, and that all comes out there. You'll have, you know, giant spreadsheets with columns and all that. For what it's worth, those tools will spit out those reports for you.
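Something like the reporting this answer describes, as an added example that is not the speakers' own tooling: it takes constructed audit records (user, department, this quarter's cracked password, last quarter's) and computes the per-department crack rate, the top root words to seed a blacklist, root words shared within one department (the helpdesk pattern), the share of special characters that fall into the five the talk singles out, and the repeat offenders whose new password is last quarter's with a digit, symbol or leet substitution changed. All users and passwords are constructed sample data.

```python
"""Quarterly password-audit report helper (added example, not the speakers' tooling).
Records are constructed sample data: (user, department, this quarter's cracked
password or None if it survived, last quarter's cracked password or None)."""
from collections import Counter
import re
import string

CRACKED = [
    ("alice", "finance", None, None),
    ("bob", "finance", None, "Welcome2016"),                # improved since last quarter
    ("carol", "finance", None, None),
    ("chuck", "finance", "Welcome2017", None),              # helpdesk reset root word
    ("dave", "marketing", "Spring2017!", "Spring2016!"),    # digit bumped
    ("erin", "marketing", "Welcome!2017", "Welcome2017"),   # symbol inserted
    ("frank", "marketing", "P@ssw0rd1", "Password1"),       # leet substitution
    ("grace", "marketing", "Marketing$1", None),
    ("judy", "marketing", "Welcome2017", None),
    ("heidi", "it", "Tr0ub4dor&3", None),
    ("ivan", "it", None, "Summer2016"),
]

TOP_FIVE = set("!@#$*")   # the five specials the talk found in 90% of special-char use
# Common digit/symbol-for-letter substitutions, undone when deriving a root word.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

def root_word(password):
    """Spring2017! -> spring, P@ssw0rd1 -> password, Welcome!2017 -> welcome."""
    s = password.lower()
    s = re.sub(r"[^a-z]+$", "", s)   # drop trailing digits/symbols (2017!, $1, &3)
    s = re.sub(r"^\d+", "", s)        # drop leading digits, keep a leading leet symbol
    s = s.translate(LEET)             # undo substitutions inside the word
    return re.sub(r"[^a-z]", "", s)   # letters only

def crack_rate_by_department(records):
    """Map department -> (cracked, total, rate) for the department-head meetings."""
    totals, cracked = Counter(), Counter()
    for _user, dept, pw, _old in records:
        totals[dept] += 1
        if pw is not None:
            cracked[dept] += 1
    return {d: (cracked[d], totals[d], cracked[d] / totals[d]) for d in totals}

def top_root_words(records, n=50):
    """Most common root words among cracked passwords: seed for the blacklist."""
    roots = Counter(root_word(pw) for _u, _d, pw, _o in records if pw)
    roots.pop("", None)               # all-digit/all-symbol passwords have no root
    return roots.most_common(n)

def shared_roots_by_department(records):
    """Root words reused by two or more users in one department (helpdesk pattern)."""
    per_dept = {}
    for _u, dept, pw, _o in records:
        if pw:
            per_dept.setdefault(dept, Counter())[root_word(pw)] += 1
    return {d: [(r, c) for r, c in cnt.most_common() if c >= 2]
            for d, cnt in per_dept.items() if any(c >= 2 for c in cnt.values())}

def special_char_share(records):
    """Fraction of special-character occurrences that fall in TOP_FIVE."""
    seen = Counter(ch for _u, _d, pw, _o in records if pw
                   for ch in pw if ch in string.punctuation)
    total = sum(seen.values())
    return sum(c for ch, c in seen.items() if ch in TOP_FIVE) / total if total else 0.0

def is_trivial_change(old, new):
    """True when the new password keeps the old root word (digit bump, leet, added symbol)."""
    return bool(old) and bool(new) and root_word(old) == root_word(new)

def repeat_offenders(records):
    """Users whose current cracked password is just a tweak of last quarter's."""
    return [u for u, _d, pw, old in records if is_trivial_change(old, pw)]

if __name__ == "__main__":
    print(crack_rate_by_department(CRACKED), top_root_words(CRACKED, 5))
    print(shared_roots_by_department(CRACKED), repeat_offenders(CRACKED))
```

Root-word matching only catches tweaks that keep the old word; a user who appends a second word would pass this check, which is where a tool that compares old and new hashes properly earns its keep.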
Yes, so passphrases are good depending on how many words are in your phrase, right? So if it's a two-word phrase, the combinator attack is just going to crunch it, crush it, right? I mean, if you're creating a passphrase where it's like several words long, especially if you've got a delimiter in there, you're going to have a lot more success with that. I don't, I would assume, I guess, with more CUDA cores, higher-order combinator attacks, are you just running like multiple wordlists with different delimiters? It's possible, but again, then you're going to start getting into the point where somebody is investing thirty thousand dollars to kind of crack your password. All right, if
it's in a dictionary it's going to get it anyway, right? So I have not yet cracked that one; it's probably in Megatron, though. Yeah, I mean, you think about it, most of the users, and the company, probably don't know that particular password has probably been cracked at some point.
Yeah, we're actually having those conversations right now in the enterprise: is there a password length that we would be comfortable with, saying to users, if you create a password of this length we're never going to expire your password, or maybe expire it annually? I think that's a great idea. I think users love that; I think they're going to create more secure passwords. The caveat there is I don't know that I would give it eternal expiration, because of password compromise, right? So if I tell a user, if you create a 25 character password you never have to reset your password, guess what: that 25 character password is Gmail, it's their bank account, it's LinkedIn, it's everything,
because they have a super secure password now, right? So then LinkedIn gets popped, it goes into the password list, and then the 25 character password is garbage. So I think an annual expiration on like a large password is probably a good idea; I think everybody feels pretty good about that. I mean, as long as you're actually doing true randomization; I mean, not even true randomization, right? Like if you're running KeePass or something, where it generates passwords based on entropy during setup or whatever, where it's truly no human interaction: some are upper, some are lower, some are digits, some are special. That's really the best way to go. Password management really is a good tool here, because then we can create a
giant, massive password that we only have to remember, that one, and then generate all of our other passwords that can be 64 characters, truly random. Well, and then another thing on that: so I think it was a blog that came out about, you know, the sweet spot for password length, and I think it was 26, maybe 27 characters, somewhere in that range, where hashcat won't even, it just can't crack it, period. So if you're at that length it's just not going to happen; hashcat just can't get that big. I think we're actually out of time, but we'll hang around up here in the front; I want to give time to the next presenters. We'll
be up here up front; if you have any questions we'll be happy to answer them, or find us at the bar. Thank you. [Applause]