Penetration Testing Explained, Part V: Hash Dumping and Cracking

In the previous post in this series, I guessed a local password and then tried various ways to move laterally within my mythical Acme network. But what happens if you can’t...
Michael Buckbee
3 min read
Last updated May 9, 2022

In the previous post in this series, I guessed a local password and then tried various ways to move laterally within my mythical Acme network. But what happens if you can’t guess the password?

In my pen testing scenario, there’s a beer motif in all the naming of the servers and the local admin passwords. It’s not completely unheard of for busy IT people to sacrifice security for convenience. “I’m on the miller server, so I know my admin password is admin-miller.” Hackers of course are ready to jump on these weaknesses.

But let’s say you land in an environment where your inspired password guessing is not succeeding. That’s where a hash-based approach can pay dividends.

I’ve been writing about Pass the Hash (PtH) on and off over the last year. But before we dive into that technique, let’s first focus on a simpler idea: cracking password hashes.

Get the Free Pentesting Active
Directory Environments E-Book

There Be Hashes

On a Windows system, plaintext passwords are never stored. That would be a very bad thing to do.

Instead, in Windows the hash of the password — more explicitly the NLTM hash — is kept. You know from reading our posts (and our amazingly informative ebook) that the hash is used as part of the Windows challenge-response authentication protocol. Essentially, users prove their identity by encrypting some random text with the NTLM hash as the key.

Where does Windows store these hashes? From my own research, it appears that Windows keeps local user account hashes in the Security Accounts Manager (SAM) database, which is part of the Local Security Authority (LSA). You can read more about these topics in this technet article.

The first question for pen testers is whether they can access the hashes. Once we have the hash, we can then try few a standard cracking techniques to derive the actual password.

The answer is yes: there are few tools available can that read the SAM and dump the hashes. I chose fgdump — you can find this easily through a Google search — to do my dumping. Pwdump7 is another possibility.

Sure you need to have elevated privileges to run these tools, but it’s not unusual for a hacker to get lucky with a power user who falls for a well-crafted phish.

Anyway I tried fgdump on one of the servers in my Acme IT environment that I set up for this series. You can see the results in the screen shot below:fgdump-hashes

So I now have the NTLM hashes for what looks like two local admin accounts — that’s the long sequences at the end of the line. By the way, the “NO PASSWORD” indicated that fgdump didn’t find the older and far more crackable LM hash. And that’s a good thing: you should never enable LM hashing unless you absolutely have to for compatibility!

Cracking the Hash

One common approach to cracking hashes is to use a dictionary-based attack. That is, take a huge set of common English words, add in, say, an existing set of real world passwords, and pre-compute the NTLM hashes, thereby forming a reverse-lookup dictionary.

So the task of cracking now reduces to finding a matching hash and returning the associated plaintext password.

Thankfully, you don’t have to re-invent the wheel since there are services like this one that have already done the heavy lifting.

hashes

In my pen testing, I fed the hash for “admin2” into the cracking service, and it speedily returned the answer, which is “daisy” (see above).

It’s true that Windows enforces password complexity standards, and this simple password would never have been accepted in many installations.

However, a password can still be somewhat complex but crackable through a brute force attack. Or perhaps on your system there are legacy local accounts created before Windows started forcing you to come up with longer sequences.

The Ripper

For a better test, I tried the cracking service on the more complex password from the admin account on the miller server, which is “miller1234;”.

After a few days of brute force computing, the service couldn’t find a match.

Never say die!

I then learned about this fellow, John the Ripper, a very crafty password cracking tool. It’s too sophisticated a program to write about in the remainder of this post.

In brief, it’s very smart about how it does its brute force attacks. JtR has a special mangling language that takes an existing set of dictionary words that you can specify, and re-arranges them based on the rules you set up. The rules can be quite cryptic to look at, but are very powerful — here’s a digestible overview on the mangling language.

You can set up rules, for example, to append various numeric sequences to the existing dictionary words.  I think you see what I’m getting at.

If you have an inkling that beer names are used in passwords followed by some simple alphanumeric code, you feed the John the Ripper app a beer name word list and then configure rules to try out lots of sequence suffixes.

Enter Hash Passing

I agree that cracking the NTLM hashes ain’t easy.

Rather than trying to crack the hash, PtH will slip the hash directly into the NLTM challenge-response protocol. You’re authenticated without having to derive the plaintext.

It’s a very cool and powerful idea.  Although Microsoft has been making this harder to do in recent releases, and with Windows 10 perhaps even impossible to do in the future.

We’ll take all this up in the next post.

What should I do now?

Below are three ways you can continue your journey to reduce data risk at your company:

1

Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.

2

See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.

3

Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

varonis-seven-part-guide-to-penetration-testing
Varonis Seven Part Guide to Penetration Testing
Our sprawling pen-testing series has taken on a life of its own!  For your convenience and blog reading pleasure, we’ve assembled all the links to this six seven part series below....
penetration-testing-explained,-part-vii:-exfiltration-and-conclusions
Penetration Testing Explained, Part VII: Exfiltration and Conclusions
In this series of posts, I covered ideas to get you started using basic testing software to find security vulnerabilities. There are more advanced tools, such as Metasploit, which lets...
penetration-testing-explained,-part-vi:-passing-the-hash
Penetration Testing Explained, Part VI: Passing the Hash
We’re now at a point in this series where we’ve exhausted all our standard tricks to steal credentials — guessing passwords, or brute force attacks on the hash itself.  What’s...
penetration-testing-explained,-part-iii:-playing-with-rats-and-reverse-shells
Penetration Testing Explained, Part III: Playing with RATs and Reverse Shells
Last week I broke into a Windows 2008 server and inserted a remote access trojan or RAT. Don’t call security, I did this in a contained environment within virtual machines....