What is the secret password? That was the question people had to answer to get into a speakeasy in the 1920s.
Now, almost 100 years later, it is the question hackers ask, because the password is often the only thing that stands between them and critical information. Banking, social networks, shopping and a plethora of other personal data are only one step away behind that single password. There has been no replacement for this form of authentication since the dawn of the terminal, and technology keeps advancing the methods for defeating this age-old security mechanism. Microsoft Windows' Active Directory authentication goes beyond a simple password check, but unfortunately, left in its default configuration, it can be one of the weaker forms of authentication in use today.
Windows' authentication history
In order to understand the weaknesses in Microsoft Windows authentication, it is important to review a little history. Current versions of Windows evolved from Windows NT 3.1. Microsoft developed Windows NT in 1993 by upgrading an older product to provide the core networking architecture. That product was LAN Manager, developed in the mid-1980s; it used NetBIOS as a transport and stored passwords in the LM hash format. Windows NT took this old design and layered NetBIOS on top of other transport protocols such as TCP/IP. LM hashing was used both for securing network authentication and for credential storage.
The LM hash evolved over time into NTLM and then NTLMv2 as security capabilities improved. However, NTLMv2 dates back to Windows NT 4.0 SP4, so it has developed its own issues. Microsoft has since provided a number of security features to protect these protocols, but many organizations cannot take advantage of them because of backward-compatibility constraints. Old applications or network-attached storage systems require that these legacy protocols stay enabled, and that opens the door to password cracking.
Rob "Mubix" Fuller has recently been making news by capturing network credentials in less than 13 seconds. His ingenious attack takes advantage of old network protocols like LM and NTLM by installing a new network adapter and recording the NTLM responses. There are numerous other tools out there for capturing these authentications, like Core Security's Impacket or the ever-reliable Responder from Laurent Gaffié. All of these tools can capture Windows authentication hashes, but the hashes need to be cracked to be useful. That is where hashcat comes in.
Hashcat is a GPU-accelerated password cracking tool that can work magic on captured hash files. It handles far more than just Microsoft hashes, from plain MD5 to WPA preshared keys and everything in between. It is currently at version 3.10 and supports both AMD and NVIDIA graphics cards through the OpenCL library. Previous versions required a separate build for NVIDIA cards because of their reliance on the NVIDIA CUDA libraries, but that has all been merged into the one version. It is always best to have the latest version of your graphics card drivers installed before running hashcat.
Capture tools usually label each hash with its type at the time of capture, and this is where a little knowledge of the history of these protocols is useful. A file containing an NTLM hash will be labeled SMB-NTLMv1ESS-Client-IP-Address. Hashcat defines this hash type as mode 5500, NetNTLMv1+ESS. The command line to run hashcat against this file on Linux would be: hashcat64.bin -a 3 -m 5500 filename, where -a 3 selects a brute-force style attack and -m 5500 specifies the hash type. Hashcat requires root access so that it can access the graphics cards and run correctly.
The test system used for this article had three NVIDIA GeForce 980s with a Core i7 Extreme Edition processor. It can currently chew through these SMB-NTLMv1 hashes at about 32 billion per second, cracking a seven-character password in less than 20 minutes. Password cracking used to rely on rainbow tables, precomputed tables of hash values used to speed up the process. They are no longer necessary now that cracking speeds have reached this level. Organizations with deeper pockets can purchase rack-mounted servers with eight dedicated graphics cards that recover these NTLM-hashed passwords in just minutes.
There are also several cloud-based options for those who can't afford expensive video cards and the massive electric bills that go with them. Amazon Elastic Compute Cloud instances are available with the required video cards and can provide decent speeds for some jobs. Passwords like the NTLMv1 example above could be cracked in just a few hours at minimal cost. There are also newer alternatives to virtual private server services like Amazon that offer cracking as a service. These sites let a hash be uploaded through a webpage and processed, or cracked, in the background. It is important to investigate each site before uploading password hashes, as the hashes could be retained and used by someone with malicious intent.
Password hash collection and cracking have advanced dramatically in the past few years. These tools take advantage of authentication vulnerabilities in protocols that are over 20 years old but are still in use for compatibility reasons. Prices of powerful graphics cards that can crack passwords with utilities like hashcat continue to fall while their performance rises dramatically. The password has never been more vulnerable, and it looks like Moore's Law will keep putting pressure on hashing algorithms and password complexity. Organizations should learn to use these tools against their own environments to understand the level of risk these older hashes pose to their networks and develop appropriate defenses.
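A first defensive step before running any cracking tool is finding out which hosts still negotiate LM or NTLMv1. The script below, an added example that is not part of the original article, audits Windows Security event 4624 records for those legacy packages; the sample records are constructed for illustration and use the real 4624 EventData field names (AuthenticationPackageName, LmPackageName, IpAddress, WorkstationName), but the one-event-per-line key=value layout is an assumption made to keep the example self-contained.

```python
"""Flag successful logons that negotiated LM or NTLMv1 (Security event 4624)."""
import re
from collections import Counter

# Constructed sample records (not real logs), one event per line.
SAMPLE_EVENTS = """\
EventID=4624 LogonType=3 TargetUserName=alice AuthenticationPackageName=NTLM LmPackageName="NTLM V2" IpAddress=10.0.0.15 WorkstationName=WS01
EventID=4624 LogonType=3 TargetUserName=svc_backup AuthenticationPackageName=NTLM LmPackageName="NTLM V1" IpAddress=10.0.0.50 WorkstationName=NAS01
EventID=4624 LogonType=3 TargetUserName=bob AuthenticationPackageName=Kerberos LmPackageName=- IpAddress=10.0.0.16 WorkstationName=WS02
EventID=4624 LogonType=3 TargetUserName=legacyapp AuthenticationPackageName=NTLM LmPackageName=LM IpAddress=10.0.0.77 WorkstationName=APP99
EventID=4625 LogonType=3 TargetUserName=alice AuthenticationPackageName=NTLM LmPackageName="NTLM V1" IpAddress=10.0.0.50 WorkstationName=NAS01
EventID=4624 LogonType=3 TargetUserName=svc_backup AuthenticationPackageName=NTLM LmPackageName="NTLM V1" IpAddress=10.0.0.50 WorkstationName=NAS01
"""

# key=value where the value is either a quoted string or a run of non-space characters
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The dialects whose challenge/response is cheap to crack with a GPU rig.
LEGACY_PACKAGES = {"LM", "NTLM V1"}


def parse_event(line):
    """Turn one key=value line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def is_legacy_logon(ev):
    """True for a successful logon (4624) whose negotiated dialect is LM or NTLMv1.

    AuthenticationPackageName only says 'NTLM'; the actual dialect is in LmPackageName.
    """
    return (ev.get("EventID") == "4624"
            and ev.get("AuthenticationPackageName") == "NTLM"
            and ev.get("LmPackageName") in LEGACY_PACKAGES)


def audit(text):
    """Count legacy logons per source: {(ip, workstation, package): count}."""
    hits = Counter()
    for line in text.splitlines():
        ev = parse_event(line)
        if is_legacy_logon(ev):
            hits[(ev["IpAddress"], ev["WorkstationName"], ev["LmPackageName"])] += 1
    return hits


if __name__ == "__main__":
    # Each hit is a device that still depends on a legacy dialect and needs
    # an upgrade, a replacement, or a tighter LmCompatibilityLevel policy.
    for (ip, host, pkg), n in sorted(audit(SAMPLE_EVENTS).items()):
        print(f"{host} ({ip}): {n} successful logon(s) negotiated {pkg}")
```

Failed logons (4625) and NTLMv2 logons are deliberately left out so the report lists only the hosts that would actually hand an attacker a cheaply crackable response.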