Windows Password Auditing 101
Written by Jason
Apr 06, 2007 at 10:14 AM

Sometimes, you just have to be a hacker to get your job done. This is generally referred to as 'White Hat' hacking. Any admin will tell you that there is a fine line you have to walk with users' passwords. Too complex, and they write them down on sticky notes found under their keyboards. Too easy, and you run the risk of brute force attacks. Microsoft has made improvements in enforcing password complexity within Active Directory; however, these controls can be circumvented in a number of ways, some by accident and some out of malice or procrastination. Thus it's prudent for any administrator to do a semi-annual review of users' passwords and ensure their complexity.

It should be noted that doing any of these things on any system you do not have proper authority over will land you in jail. Although what this article talks about is mostly limited to requiring the user to be logged on to the local system with administrative rights, it's important to understand that attempting to crack passwords you do not have permission to crack can lead to a world of legal trouble. If that happens, you're on your own, so don't complain to me.

Step 1: Get the encrypted password hashes

Microsoft stores all user passwords in a file called the SAM (Security Account Manager). This file may or may not be encrypted by something called Syskey; you can learn more about using Syskey to encrypt your password database here.

You need to extract the hashes from the SAM; this can be done with fgdump, a utility set that includes pwdump (currently based on iteration 6). From the local system or a remote system, copy pwdump and run it from the command prompt like so:

pwdump -o mypasswords.txt  -u <domain\username> -p <password> <domaincontroller>

If you used an account with proper permissions you should now have a file called mypasswords.txt that looks something like this:

Administrator:500:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
krbtgt:502:NO PASSWORD*********************:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
user1:1109:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
user2:1110:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
user3:1111:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::
user4:1112:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:::

Step 2: Crack the passwords

There are a variety of cracking tools out there for Windows hashes. One of the more complex, but effective, is the Rainbow Tables method. This method is a time-memory trade-off that requires large sets of precomputed tables to look the hash up in. Currently, the tables can be gathered from a few sources; generally, however, the larger the table, the more complex the passwords it can crack.

Ophcrack 

Probably the best tool that makes use of these Rainbow Tables is ophcrack. With the right Rainbow Table it is extremely effective at cracking LM hashes (LanMan hashes are still the most prevalent form in which Windows stores passwords).

[Screenshot: ophcrack 2]

LCP

Another method is pure brute force or dictionary attacks. This method can require a large amount of processing time to be successful, depending on the password complexity. LCP is a tool that supports these kinds of attacks.

[Screenshot: LCP in action]

Crackbot 

A third option is to use no software at all and instead use a service that holds a large set of precomputed hashes, such as Crackbot. Keep in mind that doing this is dangerous, since the password will be revealed to a third party.
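Before sending hashes to any cracker, a lot of the audit can be done straight from the pwdump output described in Step 1. The script below is an added example (not code from the original post or from the fgdump/pwdump, ophcrack or LCP projects): it parses the user:RID:LM:NT::: lines, flags accounts that still store an LM hash (the weak format the rainbow-table tools above target), accounts with an empty password, accounts sharing the same NT hash, and accounts whose NT hash matches a small list of banned passwords you supply. The sample hash file and the banned list are constructed for the example; the LM value for user1 is a placeholder, not a real LM hash, since only its presence matters here. MD4 is implemented in pure Python because hashlib's md4 is not available on many OpenSSL 3 builds.

```python
"""Audit a pwdump/fgdump hash file for weak password storage and known-bad
passwords. Added example, not part of the original post or the tools it names."""
import json
import struct
from collections import defaultdict

MASK32 = 0xFFFFFFFF
# LM field pwdump writes when no LM hash is stored (older builds print
# "NO PASSWORD****..." instead); either means "no LM hash to attack".
BLANK_LM = "aad3b435b51404eeaad3b435b51404ee"


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320. An NT hash is MD4 over the UTF-16LE password."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, [3, 7, 11, 19],
         list(range(16))),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, [3, 5, 9, 13],
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, [3, 9, 11, 15],
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = (a + f(b, c, d) + x[idx] + k) & MASK32
                s = shifts[i % 4]
                a = ((a << s) | (a >> (32 - s))) & MASK32
                a, b, c, d = d, a, b, c  # rotate roles: next step updates old d
        h = [(v + w) & MASK32 for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """Lowercase hex NT hash of a password (MD4 over UTF-16LE bytes)."""
    return md4(password.encode("utf-16-le")).hex()


def parse_pwdump(text: str) -> list:
    """Parse 'user:rid:lmhash:nthash:::' lines; lines that do not fit are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        records.append({"user": parts[0], "rid": int(parts[1]),
                        "lm": parts[2].lower(), "nt": parts[3].lower()})
    return records


def audit(text: str, banned: list) -> dict:
    """Return the audit findings for one pwdump file."""
    banned_hashes = {nt_hash(p): p for p in banned}
    empty = nt_hash("")
    findings = {"lm_stored": [], "empty_password": [],
                "weak_password": {}, "shared_password": []}
    by_nt = defaultdict(list)
    for r in parse_pwdump(text):
        if r["lm"] != BLANK_LM and not r["lm"].startswith("no password"):
            findings["lm_stored"].append(r["user"])        # rainbow-table exposure
        if r["nt"] == empty:
            findings["empty_password"].append(r["user"])
        elif r["nt"] in banned_hashes:
            findings["weak_password"][r["user"]] = banned_hashes[r["nt"]]
        by_nt[r["nt"]].append(r["user"])
    findings["shared_password"] = [u for u in by_nt.values() if len(u) > 1]
    return findings


# Constructed sample in pwdump's format; NT hashes are computed here so the
# file is self-consistent. user1's LM field is a placeholder, not a real hash.
SAMPLE = "\n".join([
    f"Administrator:500:{BLANK_LM}:{nt_hash('Tr0ub4dor&3')}:::",
    "Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::",
    f"user1:1109:{'f' * 32}:{nt_hash('password')}:::",
    f"user2:1110:{BLANK_LM}:{nt_hash('Summer2007')}:::",
    f"user3:1111:{BLANK_LM}:{nt_hash('Summer2007')}:::",
    f"user4:1112:{BLANK_LM}:{nt_hash('')}:::",
])
BANNED = ["password", "Password1", "welcome", "letmein"]  # constructed list

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE, BANNED), indent=2))
```

Run it as-is to see the findings for the constructed file, or feed it the mypasswords.txt from Step 1 with your own banned list. The LM check is the one to act on first: an account that still has an LM hash is exactly what the rainbow-table tools above are built to crack, regardless of how good the password is. The shared-password check catches service or template accounts that were set up with the same password without any cracking at all.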

That's all there is to cracking Windows passwords for auditing purposes in a nutshell.

Keep in mind that it's a good idea to let your users know in advance and afterward so they can change their passwords. This helps maintain trust between the administrator and the users, something that many good administrators forget, and that stops them from becoming great administrators.

Last Updated ( Apr 07, 2007 at 05:58 PM )