How strong are your passwords?

It’s been nearly 2 years since we talked directly about password strength though we did discuss password cracking as it relates to penetration testing last summer. Password security will always be topical as computing power grows and the time it takes to crack passwords (even complex ones) drops.

Password policies are common in enterprise environments. Windows Active Directory has a basic one enabled by default after all. Unfortunately a lot of organizations either leave the default policy in place or make minor changes and never think about it again. This begs the question: is your password policy useful? Chances are there is room for improvement! This is one area of security that you should be regularly revisiting.

The default Active Directory password policy is very basic. It’s better than nothing but there’s also lots of room for improvement. Here are the highlights:

  • 24 passwords remembered.
  • 42 days maximum password age.
  • 1 day minimum age.
  • 7 character minimum length.
  • Password complexity enforced.
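A quick way to find out whether your domain is one of those still running the defaults is to read the effective policy back and compare it with the values above. The script below is an added example, not part of the original post; it assumes the ActiveDirectory PowerShell module (RSAT) is installed and you are running it from a domain-joined session with read access, and it changes nothing.

```powershell
# Added example (not from the original post): compare the effective domain password
# policy with the default values listed above and flag anything still at its default.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session; read-only.
Import-Module ActiveDirectory

# Default Domain Policy values as listed in the post
$defaults = @{
    PasswordHistoryCount = 24
    MaxPasswordAge       = [TimeSpan]::FromDays(42)
    MinPasswordAge       = [TimeSpan]::FromDays(1)
    MinPasswordLength    = 7
    ComplexityEnabled    = $true
}

function Test-DefaultPasswordPolicy {
    # $Policy is the object returned by Get-ADDefaultDomainPasswordPolicy
    param([Parameter(Mandatory)] $Policy)
    foreach ($name in $defaults.Keys) {
        $current = $Policy.$name
        [pscustomobject]@{
            Setting   = $name
            Current   = $current
            Default   = $defaults[$name]
            AtDefault = ($current -eq $defaults[$name])
        }
    }
}

$domainPolicy = Get-ADDefaultDomainPasswordPolicy
Test-DefaultPasswordPolicy -Policy $domainPolicy | Format-Table -AutoSize

# Fine-grained password policies (PSOs) override the domain default for the users and
# groups they apply to, so list them as well; no output means everyone gets the default.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, PasswordHistoryCount,
                  MaxPasswordAge, ComplexityEnabled, AppliesTo |
    Format-Table -AutoSize
```

Any row showing AtDefault = True is a setting nobody has revisited since the domain was built. Checking the fine-grained policies matters because a domain default that looks strict can still be weakened for a privileged group by a PSO with a lower precedence number.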

Microsoft’s Security Compliance toolkit recommends:

How do you know your weak spots if you aren’t testing? It may be bad practice to know your users’ passwords, but if your password policy is weak how do you know their passwords aren’t? New lists of commonly used weak passwords are published regularly. NordPass’s 2020 list is nice (and frightening) because it includes how long it takes to crack each entry. Hopefully your password isn’t on the list, but chances are someone in your organisation is using one of these somewhere! And that’s a scary thought given the majority of entries take less than a second to crack.
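The gap between "meets the policy" and "is strong" is easy to see by applying both checks to a few candidate passwords. The following is an added example, not code from the original post: it implements the Windows complexity rule (characters from at least 3 of the 5 categories, and no occurrence of the account name when it is 3 or more characters long) next to a lookup in a small, constructed weak-password list that stands in for a published list such as NordPass’s. The sample passwords and account name are constructed for illustration.

```powershell
# Added example (not from the original post): show that a password can satisfy the
# default AD complexity rule and still be a trivially cracked, well-known weak password.
# The weak list is a constructed stand-in for a published list such as NordPass's.
$WeakPasswords = @('123456', 'password', 'Password1', 'Password1!', 'Welcome1', 'Summer2020!')

function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)][string] $Password,
        [string] $SamAccountName = ''
    )
    # Windows rule: an account name of 3+ characters must not appear in the password
    if ($SamAccountName.Length -ge 3 -and
        $Password.ToLowerInvariant().Contains($SamAccountName.ToLowerInvariant())) {
        return $false
    }
    # Count the character categories present; Windows requires at least 3 of these 5
    $categories = 0
    if ($Password -cmatch '\p{Lu}')               { $categories++ }  # uppercase letters
    if ($Password -cmatch '\p{Ll}')               { $categories++ }  # lowercase letters
    if ($Password -match  '\d')                   { $categories++ }  # digits
    if ($Password -match  '[^\p{L}\d]')           { $categories++ }  # non-alphanumeric
    if ($Password -cmatch '[\p{Lo}\p{Lt}\p{Lm}]') { $categories++ }  # caseless letters (e.g. CJK)
    return ($categories -ge 3)
}

function Test-PasswordStrength {
    param(
        [Parameter(Mandatory)][string] $Password,
        [string] $SamAccountName = '',
        [int] $MinLength = 7          # default domain policy minimum
    )
    [pscustomobject]@{
        Password        = $Password
        MeetsLength     = ($Password.Length -ge $MinLength)
        MeetsComplexity = (Test-PasswordComplexity -Password $Password -SamAccountName $SamAccountName)
        OnWeakList      = ($WeakPasswords -contains $Password)   # case-insensitive match
    }
}

# Constructed samples for the account 'jsmith':
#  - 'Password1!' passes length and complexity but is on the weak list
#  - 'jsmith2020' fails complexity because it contains the account name
#  - 'correcthorsebatterystaple' is long but only uses one category, so it fails complexity
'Password1!', 'jsmith2020', 'correcthorsebatterystaple' |
    ForEach-Object { Test-PasswordStrength -Password $_ -SamAccountName 'jsmith' } |
    Format-Table -AutoSize
```

The first row is the one to worry about: it clears every check the default policy makes, which is exactly why policy settings alone tell you nothing about how your users’ passwords would hold up against a wordlist.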

Password Cracking BASICS

A standard element of any penetration test is pulling your hash table to see which passwords can be cracked. Grabbing as many passwords as possible enables the tester to gain lateral movement or privilege escalation within your environment. It’s amazing what access they gain from this seemingly innocuous foothold.

Many penetration testers use Responder to collect NTLM hashes. This script pretends to be a file share so users directed to it inadvertently give up their hash. I digress but VIPRE had a bit of a Responder problem recently.

Other pen testers use Mimikatz to grab hashes, although it is almost universally flagged by antivirus nowadays. I haven’t built a lab Mimikatz to bypass AV, though I have used it successfully many times.

Regardless of the tool, grabbing a copy of C:\Windows\NTDS\ntds.dit or C:\Windows\System32\config\SYSTEM gives you all the hashes on that machine. We don’t need to run tools to gain access. Members who wish to take part should send us these files for analysis.

LARG*net to the rescue!

We are offering a new service that mimics the process attackers and pen testers use to pull your hash table and see what information they can get out of it. We will grab your hash table and see what we can crack. Strong passwords will be immune to this test, so hopefully your report is empty! Regardless, we’ll provide a report outlining the results of the test, including which accounts we were able to crack, and offer advice for improving your password policy so you can remediate these issues. This will not be a full penetration test, as it focuses only on password recovery, so you can expect the service to be far more cost effective than a full pen test. We will also offer discounted retests if you want to check the actual results of your changes.

Get in touch if you are interested or have any other questions.

LARG*net