8 – Entrench

[the italicized section below is a security control from NIST SP 800-53]

Control: The information system uniquely identifies and authenticates users (or processes acting on behalf of users)

Guidance: Authentication of user identities is accomplished through the use of passwords, tokens, biometrics, or in the case of multifactor authentication, some combination therein. FIPS 201 and Special Publications 800-73 and 800-76 specify a personal identity verification (PIV) card token for use in the unique identification and authentication of federal employees and contractors. NIST Special Publication 800-63 provides guidance on remote electronic authentication. For other than remote situations, when users identify and authenticate to information systems within a specified security perimeter which is considered to offer sufficient protection, NIST Special Publication 800-63 guidance should be applied as follows: (i) for low-impact information systems, tokens that meet Level 1, 2, 3, or 4 requirements are acceptable; (ii) for moderate-impact information systems, tokens that meet Level 2, 3, or 4 requirements are acceptable; and (iii) for high-impact information systems, tokens that meet Level 3 or 4 requirements are acceptable. In addition to identifying and authenticating users at the information system level, identification and authentication mechanisms are employed at the application level, when necessary, to provide increased information security for the organization.

Control Enhancement 1: The information system employs multifactor authentication.

[the following is the PHA response to the security control described above]
Implementation: The minimum password length is to be set to 8 characters. Password complexity requirements must be set to “enabled” and require three out of four factors in each password, including: lower case letters, upper case letters, numbers and special characters.
NOTE – the password length and complexity settings were incorrectly included in AC-2 Account Management, but have been presented here nonetheless.

B – ATTACKERS: A Simple Batch File
Commands issued from a Windows command prompt can be used to collect a great deal of system information. The data collected includes:

  • User accounts
  • Share names
  • Make, model and hardware configuration
  • Operating system specifics
  • Network adapter configuration (IP address, MAC address and many more)
  • DNS server addresses
  • Admin accounts
  • Live network connections
  • Security patch status
  • Processes that are running (can reveal defenses such as Anti-Virus or HIPS and possibly weaknesses/attack vectors)
  • The configuration of services on the system
  • External share connections

Here is a sample batch file which uses this technique to capture all of this information and more, generally in less than two minutes:

@echo off
echo Collecting basic information...
net users > %userdomain%-%computername%-netusers.txt
net accounts > %userdomain%-%computername%-netaccounts.txt
net localgroup > %userdomain%-%computername%-netlocalgroup.txt
net localgroup administrators > %userdomain%-%computername%-netlocalgroupadmins.txt

echo Collecting system information...
systeminfo > %userdomain%-%computername%-systeminfo.txt

echo Collecting ipconfig information...
ipconfig /all > %userdomain%-%computername%-ipconfig.txt

echo Collecting netsh diag information...
netsh diag show all /v > %userdomain%-%computername%-netshdiag.txt

echo Collecting net stats information...
net time > %userdomain%-%computername%-netstats.txt
net user >> %userdomain%-%computername%-netstats.txt
net share >> %userdomain%-%computername%-netstats.txt
net session >> %userdomain%-%computername%-netstats.txt
net statistics workstation >> %userdomain%-%computername%-netstats.txt
net statistics server >> %userdomain%-%computername%-netstats.txt
netstat -ano >> %userdomain%-%computername%-netstats.txt

echo Collecting task and service information...
tasklist > %userdomain%-%computername%-tasks.txt
sc query > %userdomain%-%computername%-services.txt

echo Collecting audit information...
auditpol > %userdomain%-%computername%-audit.txt

[note – this last command depends on the auditpol.exe program being present – it may be available in a resource kit, or built into the operating system, or it can be included with the attackers’ tools.]

WMIC stands for “Windows Management Instrumentation Command”, and can be used to both read configuration information and write changes to both local and remote systems. WMIC is found on XP, Windows 2003 and Vista, but can also be used to read and manage Windows 2000 systems. It requires administrative privileges.

You can run WMIC in interactive mode by entering “wmic” at a command prompt. You will find yourself at a “wmic:root\cli” prompt and can enter commands. To run WMIC in non-interactive mode, simply type “wmic” followed by whatever parameters you wish, from a command prompt. This is useful for batch operations. For help, type “/?” from a wmic prompt or “wmic /?” from a normal command prompt to see a list of switches and options available.

“Aliases” are used to reference WMI classes, and they are listed in the help output. One such alias is “computersystem”. Entering the command “wmic computersystem” shows a list of information about the system. The verb “list” is the default and is implied when not specified, so “wmic computersystem list” gives the same output. This can be modified with adverbs, as in “wmic computersystem list brief” or “wmic computersystem list full”. There are also output formatting options.

Here is a batch file which uses WMIC commands to collect system information:

@echo off
echo Collecting system information...
wmic /output:"%userdomain%-%computername%-computersystem.txt" computersystem list /format:table
echo ...computersystem done

wmic /output:"%userdomain%-%computername%-os.txt" os list full /format:table
echo ...os done

wmic /output:"%userdomain%-%computername%-environment.txt" environment list brief /format:table
echo ...environment done

wmic /output:"%userdomain%-%computername%-process.txt" process list brief /format:table
echo ...process done

wmic /output:"%userdomain%-%computername%-sysaccount.txt" sysaccount list full /format:table
echo ...sysaccount done

wmic /output:"%userdomain%-%computername%-service.txt" service list full /format:table
echo ...service done

echo Collecting patch information...
wmic /output:"%userdomain%-%computername%-qfe.txt" qfe list full /format:table
echo ...qfe done

echo Collecting network information...
wmic /output:"%userdomain%-%computername%-share.txt" share list full /format:table
echo ...share done

wmic /output:"%userdomain%-%computername%-netuse.txt" netuse list brief /format:table
echo ...netuse done

wmic /output:"%userdomain%-%computername%-ntdomain.txt" ntdomain list brief /format:table
echo ...ntdomain done

wmic /output:"%userdomain%-%computername%-nic.txt" nic list full /format:table
echo ...nic done

wmic /output:"%userdomain%-%computername%-nicconfig.txt" nicconfig list full /format:table
echo ...nicconfig done

This batch file writes information out into text files in “table” (space-delimited) format. Although .csv might seem more useful for importing into other applications, the data contains many of the characters normally used as delimiters (commas and others), which makes the table format the easiest to import consistently into Excel. The formatting options can be changed easily.

Some of the data collected may be redundant from one set to another. This batch file was designed for general purposes and is easily tailored to suit other purposes. Password hash dumping can also be added to such a batch file, assuming the needed permissions and program files are in place.
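Seen from the defenders' side, the two batch files above leave a distinctive footprint in process-creation telemetry: a dozen different enumeration commands (net, systeminfo, ipconfig, netsh, netstat, tasklist, sc, auditpol, wmic) from one account on one host inside a couple of minutes. The following script is an added example written for this page, not code from the original post or from any product; it flags such "discovery bursts" in constructed event lines shaped like Windows 4688 / Sysmon Event ID 1 records flattened to `time|host|user|parent|command`. The host names, account names, the two-minute window and the four-category threshold are assumptions chosen for the illustration.

```python
"""Flag 'discovery bursts': many distinct enumeration commands run by one
account on one host inside a short window.
Added example for this page (not code from the original post or any
product). The event lines are constructed, not real telemetry."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Categories of discovery commands used by the batch files; patterns are
# matched against a lower-cased command line with the image path stripped.
DISCOVERY_PATTERNS = {
    "accounts":  r"^net1?\s+(user|users|accounts|localgroup)\b",
    "shares":    r"^net1?\s+(share|session|use)\b",
    "system":    r"^systeminfo\b",
    "network":   r"^(ipconfig\s+/all|netsh\s+diag|netstat\b)",
    "processes": r"^(tasklist\b|sc\s+query\b)",
    "audit":     r"^auditpol\b",
    "wmic":      r"^wmic\b",
}
WINDOW = timedelta(minutes=2)   # the page says the batch file runs in under two minutes
MIN_CATEGORIES = 4              # distinct categories needed before we alert (assumed)


def normalize(cmdline):
    """Lower-case and drop a leading image path and .exe extension, so that
    'C:\\Windows\\System32\\net1.exe user' becomes 'net1 user'."""
    c = cmdline.strip().lower()
    first, _, rest = c.partition(" ")
    first = first.strip('"').rsplit("\\", 1)[-1]
    if first.endswith(".exe"):
        first = first[:-4]
    return (first + " " + rest).strip()


def classify(cmdline):
    """Return the discovery category of a command line, or None."""
    c = normalize(cmdline)
    for name, pattern in DISCOVERY_PATTERNS.items():
        if re.match(pattern, c):
            return name
    return None


def parse_event(line):
    """Constructed record format: 'ISO-time|host|user|parent image|command line'."""
    ts, host, user, parent, cmd = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "parent": parent, "cmd": cmd}


def find_discovery_bursts(lines, window=WINDOW, min_categories=MIN_CATEGORIES):
    """Group discovery commands per (host, user) and report every window that
    contains at least `min_categories` distinct categories."""
    by_actor = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        cat = classify(ev["cmd"])
        if cat:
            ev["cat"] = cat
            by_actor[(ev["host"], ev["user"])].append(ev)
    alerts = []
    for (host, user), evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        i = 0
        while i < len(evs):
            start = evs[i]["ts"]
            burst = [e for e in evs[i:] if e["ts"] - start <= window]
            cats = {e["cat"] for e in burst}
            if len(cats) >= min_categories:
                alerts.append({"host": host, "user": user, "start": start,
                               "end": burst[-1]["ts"], "count": len(burst),
                               "categories": sorted(cats),
                               "parents": sorted({e["parent"] for e in burst})})
                i += len(burst)      # one alert per burst, not one per command
            else:
                i += 1
    return alerts


# Constructed sample telemetry (not real logs). Host and account names are
# placeholders; the PHA-WS07 block mirrors the first batch file above, with
# two isolated helpdesk commands on PHA-SRV01 as benign noise.
SAMPLE_EVENTS = r"""
2023-05-12T08:00:00|PHA-SRV01|PHA\helpdesk|explorer.exe|ipconfig /all
2023-05-12T11:30:00|PHA-SRV01|PHA\helpdesk|cmd.exe|systeminfo
2023-05-12T14:02:10|PHA-WS07|PHA\maintadmin|cmd.exe|net users
2023-05-12T14:02:11|PHA-WS07|PHA\maintadmin|cmd.exe|net localgroup administrators
2023-05-12T14:02:12|PHA-WS07|PHA\maintadmin|cmd.exe|systeminfo
2023-05-12T14:02:25|PHA-WS07|PHA\maintadmin|cmd.exe|ipconfig /all
2023-05-12T14:02:26|PHA-WS07|PHA\maintadmin|cmd.exe|netsh diag show all /v
2023-05-12T14:02:30|PHA-WS07|PHA\maintadmin|explorer.exe|notepad.exe C:\notes.txt
2023-05-12T14:02:40|PHA-WS07|PHA\maintadmin|cmd.exe|netstat -ano
2023-05-12T14:02:41|PHA-WS07|PHA\maintadmin|cmd.exe|tasklist
2023-05-12T14:02:42|PHA-WS07|PHA\maintadmin|cmd.exe|sc query
2023-05-12T14:02:43|PHA-WS07|PHA\maintadmin|cmd.exe|auditpol
2023-05-12T14:02:55|PHA-WS07|PHA\maintadmin|cmd.exe|wmic /output:"PHA-PHA-WS07-qfe.txt" qfe list full /format:table
""".strip().splitlines()

if __name__ == "__main__":
    for a in find_discovery_bursts(SAMPLE_EVENTS):
        print(f"{a['host']} {a['user']}: {a['count']} discovery commands "
              f"({', '.join(a['categories'])}) from {a['parents']} "
              f"between {a['start']:%H:%M:%S} and {a['end']:%H:%M:%S}")
```

The threshold on distinct categories, rather than on raw command count, is what keeps the two spaced-out helpdesk commands from alerting while the scripted run on PHA-WS07 does; the common parent image (cmd.exe for every command) is reported because it is the natural pivot for finding the batch file itself.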
One of the most interesting results from this process was the following list of domain controllers, returned by the ntdomain query.

ClientSite DcSite Desc DnsForest DCAddress DCName Domain Status
PHASITE PHAR01 PHAR01 pha.gov \\ \\PHAR01DC2 PHA01 OK
PHASITE PHAR02 PHAR02 pha.gov \\ \\PHAR02DC1 PHA02 OK
PHASITE PHAR03 PHAR03 pha.gov \\ \\PHAR03DC1 PHA03 OK
PHASITE PHAR04 PHAR04 pha.gov \\ \\PHAR04DC1 PHA04 OK
PHASITE PHAR05 PHAR05 pha.gov \\ \\PHAR05DC2 PHA05 OK
PHASITE PHAR06 PHAR06 pha.gov \\ \\PHAR06DC2 PHA06 OK
PHASITE PHAR07 PHAR07 pha.gov \\ \\PHAR07DC1 PHA07 OK
PHASITE PHAR08 PHAR08 pha.gov \\ \\PHAR08DC1 PHA08 OK
PHASITE PHAR09 PHAR09 pha.gov \\ \\PHAR09DC2 PHA09 OK
PHASITE PHAR10 PHAR10 pha.gov \\ \\PHAR10DC2 PHA10 OK
PHASITE PHAR11 PHAR11 pha.gov \\ \\PHAR11DC2 PHA11 OK
PHASITE PHAR12 PHAR12 pha.gov \\ \\PHAR12DC1 PHA12 OK
PHASITE PHAR13 PHAR13 pha.gov \\ \\PHAR13DC2 PHA13 OK
PHASITE PHAR14 PHAR14 pha.gov \\ \\PHAR14DC2 PHA14 OK
PHASITE PHAR15 PHAR15 pha.gov \\ \\PHAR15DC2 PHA15 OK

Domain controllers are of key interest to attackers because they contain the Active Directory list of password hashes for all users in the domain. Once the Active Directory administrator account has been compromised, the entire domain has been compromised. This is the holy grail target for most attackers.

C – ATTACKERS: Password Cracking

Password cracking is generally described as the process of extracting logon password hashes and cracking them offline. Cracking often begins with a dictionary attack that checks to see if common words were used to create a password. Once a dictionary attack is exhausted, the next step is often a brute force attack that checks every possible combination of a specific character set. In either type of attack, the normal technique is to compute the hash from the current password guess, check to see if it is the same as the actual hash, then move on to the next guess.

A particular weakness of Windows systems is the storing of password hashes in the older “LM” format, which, before computing the hash, forces the password to upper case and splits it into two seven-character halves that are hashed separately, which makes it much easier to crack. The newer NT hash format does not have these weaknesses and is harder to crack, but LM hashes are typically stored alongside it for backward compatibility. The first step in cracking hashes is extracting them from the system, which normally requires administrative privileges.

Cain&Abel is a multi-function tool that includes password hash extraction and cracking functions. It is not as powerful as some other tools, but its very easy-to-use GUI and the number of varied functions it combines in a single tool make it ideal for training penetration professionals. Cain&Abel is currently recognized and treated as hostile malware by most anti-virus utilities. This makes it less useful to hostile attackers unless a customized stealthy version is being used or a preliminary attack to disable the anti-virus defenses has succeeded. Cain can either dump hashes on the local system or import them from a file, including the output from pwdump.

[figure: dictionary attack password cracking in Cain]

[figure: brute force attack password cracking in Cain]

[figure: passwords being cracked in Cain]

John the Ripper is a powerful password cracking tool available for both Windows and Linux. In its default mode it uses what it considers a “best case mix” of dictionary and brute force attacks, so it is very easy to launch John and come back hours or days later to view the cracked passwords. John also has powerful options, including the ability to calculate complex hybrid variations of dictionary files; this feature can be used to feed input into other cracking tools (such as WEP crackers for wireless).

Rainbow tables, as used by RainbowCrack, are pre-computed tables of password hashes that greatly speed up the cracking process. In a normal brute force attack, the cracker computes candidate hashes one at a time and compares each against the real hash to determine success, which takes time. A rainbow table calculates the hashes for a given character set ahead of time, producing very large tables, and then uses sophisticated lookup techniques to find a match quickly. Some rainbow tables can crack alphanumeric password hashes in a matter of seconds. Even when special characters are included, LM format hashes can be cracked in a matter of hours.

Password cracking can be a powerful penetration weapon when it is considered as a stepping stone in a larger framework. A common administrative password is often used by different admin staff across many systems for routine tasks, and the hashes for these logins are sometimes left behind on the workstations the admins tend, without their awareness. By penetrating a low-priority workstation that holds no valuable information, the attacker may be able to retrieve and crack a “maintenance” level admin password that gives legitimate access to many other systems, including some that hold password hashes at higher levels, even domain admin credentials.

D – Scenario (Entrench and Crack)
As the password hashes were collected, they were fed into John the Ripper to see what would come out in a first pass of only ten to fifteen minutes. Any NTLM or LM hashes that took longer to crack could be split off and handled separately.


[figure: in a matter of seconds, John’s hybrid attack began producing cracked passwords – note that all of these passwords were compliant with the defenders’ password complexity policy]

[figure: John continues cracking – note that the cracked hashes are handled in two different 7 byte parts – each password has a part one and a part two because of the LM format – you can see how easy it is to crack the often small “part 2”]

[figure: results from John at the 9 minute mark]

There were no NTLM-only hashes found in the collection, and almost 70% of the LM hashes cracked in under 10 minutes, as expected. The easily cracked LM passwords were loaded into a database and analyzed statistically in the hope of enabling some intelligent guessing or suggesting modifications to the dictionary lists. The remaining hashes were put back into cracking mode with a rainbow table, which yielded 100% of the remaining passwords in about three hours.

As the first round of cracking was completed, the attackers found that they had many passwords for individual accounts on workstations. They also noticed that the defenders seemed to use a common login for routine administrative tasks, since this password hash was left behind on most of the systems. This login had administrative rights but was probably not the domain admin account. They tried it out on several servers and were able to dump the password hashes stored there. Using their list of domain controllers retrieved by the batch file, they went after the domain admin accounts. In some cases, the “routine” admin account worked to give them access to a domain controller and they were able to dump the complete set of hashes for the entire domain. In other cases, they had to work their way patiently up a tier of “stepping stones” from workstation to server to server to domain controller, but the end result was the same: they gained control of the domain admin accounts and the domain controllers. With a valid domain admin account at their disposal, they could access every part of the network with little fear of being detected. This is a “game over” condition.
