During a recent engagement I got hold of a juicy ntds.dit file from a domain controller backup. This file contains all password hashes of the domain. For obvious reasons we stay away from dumping hashes and doing analysis on them. But since the company has employees around the globe and is fairly large, I could not resist and asked the customer for permission to analyze the hashes. Luckily they agreed, and here is the reason why you should implement a banned password list.

The original ntds.dit contains roughly 8500 user accounts. Since this also includes disabled and service accounts, I built a small filter solution to get two groups. One includes all enabled user accounts, the other only accounts belonging to an actual employee.

[Table: counts per group]

As you can see from these numbers, it looks like employee accounts mostly have a unique password. But if we include the service accounts, a lot share the same password.

Used Windows Password Policy

[Table: the configured policy settings; last row: Password History: 24]

As you can see, the password policy is fairly secure. With a length requirement of 10 characters it is mostly stricter than what we usually encounter. Important to understand is that "Complexity" in a Windows environment is fulfilled when 3 out of 4 of the following character groups are used:

[List of character groups; last item: Non-alphanumeric characters such as: exclamation point (!), dollar sign ($), number sign (#), or percent (%).]

So Password123 would happily fit the password policy. But nobody would choose this password, right?!

Analysis

To crack the NTLM hashes I mainly chose a combination of wordlists and rulesets. This approach was chosen since I was mostly interested in the easy-to-crack passwords.

[Table: cracked hashes count per group]

Passwords in Wordlists

Out of the 4924 unique hashes, 395 could be recovered by looking them up directly in a wordlist without any mutation. This is roughly ~6% of all enabled accounts that have a known bad password set. In the list below are the most chosen employee passwords. "Company" is a placeholder for the company name that, for obvious reasons, has been redacted.

[Table: 5 used passwords (cracked) of enabled employee accounts]

As you can see, most of the passwords include the company name plus a year in some form. In fact, if I check all enabled accounts, there are 609 accounts that include the company name in their password. This is approximately ~10% of all enabled accounts.

Passwords Not Complying with the Password Policy

Just for fun I wanted to know how well the password policy is enforced. For that I tried to write a regex pattern, which was no fun at all. Anyway, around 247 enabled accounts have a password set which does not comply with the password policy.

Summary:
- Out of all unique hashes (4924) it was possible to crack ~46% with wordlists and rulesets.
- 6% of the accounts have a password which occurs in public wordlists.
- 10% of the accounts have a password which includes the company name.
- 4% of the accounts have a password that does not comply with the password policy.

That's ~20% of accounts that an attacker might be able to take over with a simple password spraying attack.
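As an added example (not the author's script), here is how the three checks described in this post can be done over cracked passwords in Python: the Windows 3-of-4 complexity rule with the 10-character minimum, the company-name substring check, and the plain wordlist lookup without mutation. The four character groups, the account names and the sample passwords are my assumptions, since the post only lists the non-alphanumeric group and redacts the real data.

```python
import re

# Policy as the post describes it: at least 10 characters and at least 3 of the
# 4 Windows character groups. The post only lists the non-alphanumeric group;
# upper, lower and digit are assumed to be the other three.
MIN_LENGTH = 10
CHARACTER_GROUPS = [
    re.compile(r"[A-Z]"),          # uppercase letters
    re.compile(r"[a-z]"),          # lowercase letters
    re.compile(r"[0-9]"),          # digits
    re.compile(r"[^A-Za-z0-9]"),   # non-alphanumeric, e.g. ! $ # %
]

def meets_policy(password, min_length=MIN_LENGTH):
    """True when the password satisfies the length and 3-of-4 complexity rule."""
    groups_used = sum(1 for rx in CHARACTER_GROUPS if rx.search(password))
    return len(password) >= min_length and groups_used >= 3

def audit(cracked, company, wordlist):
    """Sort cracked passwords (account -> plaintext) into the post's three buckets."""
    wordset = {w.lower() for w in wordlist}
    findings = {"policy_violation": [], "company_name": [], "in_wordlist": []}
    for account, pw in cracked.items():
        if not meets_policy(pw):
            findings["policy_violation"].append(account)
        if company.lower() in pw.lower():        # case-insensitive substring match
            findings["company_name"].append(account)
        if pw.lower() in wordset:                # exact wordlist hit, no mutation
            findings["in_wordlist"].append(account)
    return findings

def exposure_ratio(findings, total_accounts):
    """Share of all accounts in at least one bucket: the post's spraying exposure."""
    exposed = set().union(*findings.values())
    return len(exposed) / total_accounts

# Constructed sample data (not from the post); "Company" stands in for the redacted name.
SAMPLE_CRACKED = {
    "alice": "Company2023!",       # compliant, but contains the company name
    "bob": "Password123",          # compliant, yet a direct wordlist hit
    "carol": "summer2022",         # only 2 character groups
    "dave": "Tr0ub4dor&3xtra",     # nothing to flag
    "svc_backup": "company01",     # too short and contains the company name
}
SAMPLE_WORDLIST = ["password123", "summer2022", "welcome1"]

if __name__ == "__main__":
    result = audit(SAMPLE_CRACKED, "Company", SAMPLE_WORDLIST)
    print(result, f"exposed: {exposure_ratio(result, 10):.0%}")
```

Note that Password123 passes meets_policy, exactly as the post points out, and is caught only by the wordlist check; this is why a banned password list is needed on top of the complexity rule.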