Attacking Network Service Logins (SSH/RDP, HTTP)
Password Cracking Fundamentals
Working with Password Hashes
Brute-force vs dictionary-based attacks
- brute-force: try all possible combinations
- dictionary-based: use predefined lists
Password spraying
- use a single password against many different usernames
General rule for authentication attacks
- should not take more than 3 minutes in labs and challenges
HTTP POST login attack
- important: do we know the default username?
Rule-based attacks
- mutate given password lists
- goal: a dictionary of passwords that match a given password policy
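To make the difference between a brute-force burst and a password spray concrete from the defender's side, here is an added example (not part of the original notes) that parses constructed sshd-style log lines and labels each source IP by its failure pattern; the log lines, thresholds and function names are my own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd-style auth log lines (sample data, not from the original notes).
SAMPLE_LOG = """\
Mar 10 09:00:01 host sshd[1]: Failed password for alice from 203.0.113.5 port 5001 ssh2
Mar 10 09:00:03 host sshd[1]: Failed password for bob from 203.0.113.5 port 5002 ssh2
Mar 10 09:00:05 host sshd[1]: Failed password for invalid user carol from 203.0.113.5 port 5003 ssh2
Mar 10 09:01:00 host sshd[1]: Failed password for root from 198.51.100.7 port 6001 ssh2
Mar 10 09:01:01 host sshd[1]: Failed password for root from 198.51.100.7 port 6002 ssh2
Mar 10 09:01:02 host sshd[1]: Failed password for root from 198.51.100.7 port 6003 ssh2
Mar 10 09:05:00 host sshd[1]: Accepted password for alice from 192.0.2.9 port 7001 ssh2
"""

FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)

def parse_failures(text, year=2024):
    """Return (timestamp, user, source_ip) for every failed-login line; others are ignored."""
    events = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["ip"]))
    return events

def classify_sources(events, window_s=60, min_attempts=3):
    """Per source IP: 'spray' = many distinct users in one window, 'bruteforce' = one user hammered."""
    per_ip = defaultdict(list)
    for ts, user, ip in sorted(events):
        per_ip[ip].append((ts, user))
    verdicts = {}
    for ip, attempts in per_ip.items():
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until every attempt in it lies within window_s.
            while (attempts[end][0] - attempts[start][0]).total_seconds() > window_s:
                start += 1
            window = attempts[start:end + 1]
            if len(window) < min_attempts:
                continue
            users = {u for _, u in window}
            if len(users) >= min_attempts:
                verdicts[ip] = "spray"
            elif len(users) == 1:
                verdicts[ip] = "bruteforce"
    return verdicts
```

Successful logins are deliberately not counted, so a source that only ever authenticates correctly never appears in the verdicts.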
Mimikatz
- tool to extract hashes and exploit the Windows authentication system
- must be run as admin
Cracking methodology
- Extract hashes
- Format hashes
- Calculate cracking time
- Prepare wordlist
- Attack the hash
Cracking NTLM hashes
- Windows stores hashed user passwords in the Security Account Manager (SAM) database file
- not salted
- located at C:\Windows\system32\config\sam
- the SAM is only accessible to kernel processes
- other processes use the hashes, e.g. the LSASS process, which caches hashes in memory
- mimikatz can be used to extract user hashes, but requires a privileged user
Passing NTLM hashes
- because the hashes are not salted, a found hash + username can be used to authenticate against local or remote targets -> pass-the-hash
- example:
  - found NTLM hash of the local admin on HOST01
  - use this hash to authenticate as admin on HOST02, where a restricted SMB instance is hosted
  - requirement: both local admins have the same password
Pass-the-hash and RCE
- UAC remote restrictions since Windows Vista
- when attacking remote systems, we most likely do not have permission for code execution, because we need the password of the user
- only for local administrators do relay attacks give RCE
Net-NTLMv2
- useful if we cannot use mimikatz
- replaced by Kerberos, but still often used to support older software
- Net-NTLMv2 is a challenge-response protocol: the server sends a challenge, the client encrypts the challenge with the NTLM hash
Net-NTLMv2 attacks
- Crack: attacker makes the client connect to an attacker-controlled server, then tries to break the NTLM hash (hashcat)
- Relay: attacker makes the client connect to an attacker-controlled server and relays all messages to the actual server