Oct 212009

Take this hypothetical scenario (Okay, it really wasn’t hypothetical at the time).  You recommend to your client that minimum 8 character passwords should be enforced but they want a minimum of 6 character passwords and instead they will enforce password complexity (alphanumeric and special characters).

As auditors we like to have facts to back-up our recommendations.  What better fact than simple math.

Password strength in relation to the number of guesses an attacker needs to brute force the password is represented by the number of characters available to choose from raised to the power of the length of the password.
Continue reading »

Jun 102009

An auditor’s interest in the Windows NTBACKUP Utility extends beyond examining their DR/BCP plan.

Suppose you just got command prompt access to a server (example tutorial 1, 2, & 3) but the host has anti-virus installed and you can’t disable it. You can’t use your trusty pwdump2 to dump the local password hashes (the same utility that SQLAT and SQLNINJA use). No problem, just use the ntbackup utility to make a current backup of the registry (including SAM and SYSTEM keys).

C:\>ntbackup backup systemstate /j "Auditor Owns Your Hashes" /f "%systemroot%\temp\%Username%SysState.bkf" /a
C:\>del "c:%systemroot%\temp\%Username%SysState.bkf"

You don’t need the backup file you created so it can be deleted (C:\>del %systemroot%\temp\%Username%SysState.bkf). When a backup is done of the systemstate the files in the %systemroot%\repair folder are updated. Copy the sam, system, and security files from %systemroot%\repair.

Once those files are obtained you can use the command line utilities from the creddump project to produce the same files obtained form PWDumpX (see tuturial).

Python needs to be installed for creddump to work.

Python version 2.5.4 from http://www.python.org/download/releases/2.5.4/
Pycrypto version 2.0.1 from http://jintoreedwine.com/files_and_stuff/pycrypto-2-0-1.zip

C:\creddump-0.1>pwdump.py SYSTEM SAM >> PWHashes.txt
C:\creddump-0.1>lsadump.py SYSTEM SECURITY >> LSASecrets.txt
C:\creddump-0.1>cachedump.py SYSTEM SECURITY >> PWCache.txt

Using RainbowCrack and the rainbowtables obtained from The Schmoo Group you will be able to obtain the passwords to any local account with a password 14 characters or less from PWHashes.txt.

See this tuturial on how to dictionary attack the passwords obtained from the PWCache.txt file.

You can review the LSASecrets.txt file to obtain plain text passwords for Windows service accounts. Often these accounts are also Domain accounts with the same password or even Domain Administrator accounts.