
SANS ISC: Using password cracking as metric/indicator for the organisation's security posture

Using password cracking as metric/indicator for the organisation's security posture

(Warning, Long)

The strength of the passwords in use is a good indication of an organisation's security posture, considering that the userid and password combination is in many cases both the first and the last line of defence. It is quite important to get it right.

Most of us know that turning on password complexity in Windows is no guarantee that users will select decent passwords. After all, Passw0rd is an 8-character password that passes Windows complexity checking, and not many of us would argue that it is a decent password. Another element needs to be in place to get decent passwords: user awareness. When you analyse the passwords you can identify whether reasonable passwords are being used, and hence whether user awareness training has worked, a refresher is needed, or all is well. Cracking the passwords will also show you the patterns used by users, admin staff, service accounts, resource accounts, the helpdesk etc., all useful information in determining the security posture.

I'll take you through the process that I've been using over the last year or so to examine passwords and get an idea of the security posture or issues within an organisation. Following that I'll take you through some sample outputs and what they show.


In a nutshell, what we'll be doing is the following:
  1. Extract the userids and corresponding password hashes from AD.
  2. Split the different history passwords into separate files and get the total number of users for each file.
  3. For each file run a dictionary crack.
    • Count how many passwords were cracked.
    • Record the result in a spreadsheet.
  4. For each file run a hybrid attack (dictionary plus numbers).
    • Count how many passwords were cracked.
    • Record the result in a spreadsheet.
  5. For each file run a brute force crack for a set amount of time (I use one hour).
    • Count how many passwords were cracked.
    • Record the result in a spreadsheet.
  6. Create the graph.
  7. Examine the results.

Tools used: fgdump, pwdump, john the ripper, grep, favourite spreadsheet application.

Extract Userids and password hashes
Firstly, the userids and password hashes need to be extracted from the Active Directory (AD). Feel free to use your favourite tool; I find fgdump does it for me and, should it fail, pwdump will get the password hashes. As long as the output is in pwdump format it doesn't matter what you use, provided you are comfortable using it in your environment and, of course, have permission.
If you are uncomfortable using "hacking" tools on a production machine (I understand), select a non-critical AD server. Alternatively, what I've done in the past is to set up a new AD server on a VM, allow the account information to replicate, then remove the new AD server from the network and run the extract against that now non-networked AD server.
As long as you end up with something similar to the following you should be OK:
Chip:9985:1F53A128E5EF1E9F4A3B108F3FA6CB6D:F78444DB59D2398C368E67ECFB890BB4:::
Both fgdump and pwdump have help available, so you should be able to sort that out yourself. fgdump doesn't provide much feedback while it is running, so you may want to keep an eye on the task itself (it hangs on occasion for me). Your AV may also have a bit of a problem with either of these two programs. fgdump has an option to shut down the AV; you'll want to switch that option off. As always, read the instructions before you leap, and do this only with permission.
Split all the different history passwords into separate files and get the total number of users for the file

We'll clean out the machine accounts first. Machine account names end in $, so drop every line containing one (the $ must be escaped, otherwise grep treats it as the end-of-line anchor, matches every line, and -v leaves you with an empty file):

  • grep -v '\$' abcomp.pwdump > abc-users
  • abc-users should now contain only user accounts.

Split each iteration of the password history into different files. Anchor the pattern with the trailing colon so that history_1 does not also match history_10 and above:

  • grep -i "history_0:" abc-users > abc-hist-0
  • Rinse, lather and repeat for each of the histories (typically you will have at least 8; it depends on the site).

For the current password you want the lines with no history reference at all, so use -v:

  • grep -iv "history_" abc-users > abc-hist-c

Count the totals:

  • grep -c ":" abc-hist-?
  • Using the ? will get all the files in one go.
Results may look similar to the following: 
The c version and the 0 version will have more users than the others. This is because every site has users whose passwords rarely, if ever, change, e.g. service accounts or users with non-expiring passwords. These are represented in the last two or three iterations depending on how many times their password has been changed. You can remove them, but usually their influence does not change the percentages much.
To record the results, open your favourite spreadsheet/graphing tool. Create the columns: total, Dictionary, Dictionary %, Hybrid, Brute Force and % Brute Force. You will want to work with percentages in the graph in order to make fair comparisons between iterations. For the rows you can use anything; I usually go with current, previous, -1, -2, -3, etc. to indicate the previous passwords used.
Under the total column put the results of the grep -c command.
Now that we have the totals we can move on to the password cracking.
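The grep steps above do the splitting by hand. The Python script below is an added example, not the diary's or any tool's own code, that does the same bucketing in one pass and handles the two edge cases the grep patterns are prone to: a machine account's own history entries, and history_1 matching history_10 and above. The pwdump sample is constructed, with placeholder hash fields, and the abc-hist-<n> file naming follows the diary.

```python
import re
from collections import defaultdict
from pathlib import Path

# Constructed sample in pwdump format (user:rid:LM hash:NT hash:::). The
# hash fields are placeholders, not real hashes. HOST$ is a machine account.
SAMPLE_PWDUMP = """\
Chip:9985:LM_PLACEHOLDER:NT_PLACEHOLDER_01:::
Chip_history_0:9985:LM_PLACEHOLDER:NT_PLACEHOLDER_02:::
Chip_history_1:9985:LM_PLACEHOLDER:NT_PLACEHOLDER_03:::
ssmith:1104:LM_PLACEHOLDER:NT_PLACEHOLDER_04:::
ssmith_history_0:1104:LM_PLACEHOLDER:NT_PLACEHOLDER_05:::
ssmith_history_1:1104:LM_PLACEHOLDER:NT_PLACEHOLDER_06:::
ssmith_history_10:1104:LM_PLACEHOLDER:NT_PLACEHOLDER_07:::
svc_backup:1150:LM_PLACEHOLDER:NT_PLACEHOLDER_08:::
HOST$:1001:LM_PLACEHOLDER:NT_PLACEHOLDER_09:::
HOST$_history_0:1001:LM_PLACEHOLDER:NT_PLACEHOLDER_10:::
"""

# <user>_history_<n> is how the dump tools name history entries (see the
# ssmith_history_7 lines later in the diary).
HISTORY_RE = re.compile(r"^(?P<base>.+)_history_(?P<idx>\d+)$", re.IGNORECASE)


def parse_pwdump(text):
    """Yield (username, rid, lm_hash, nt_hash) for each well-formed line.
    AD account names cannot contain ':', so a plain split is safe."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue          # malformed line; skip rather than miscount
        yield fields[0].strip(), fields[1], fields[2], fields[3]


def split_histories(text, keep_machine_accounts=False):
    """Bucket pwdump lines the way the diary does with grep: key 'c' holds
    the current passwords, key 'N' holds the <user>_history_N entries."""
    buckets = defaultdict(list)
    for user, rid, lm, nt in parse_pwdump(text):
        m = HISTORY_RE.match(user)
        base = m.group("base") if m else user
        if base.endswith("$") and not keep_machine_accounts:
            continue          # machine account, including its history entries
        key = m.group("idx") if m else "c"
        buckets[key].append(f"{user}:{rid}:{lm}:{nt}:::")
    return dict(buckets)


def count_users(buckets):
    """The 'total' column of the spreadsheet: one count per bucket."""
    return {key: len(lines) for key, lines in buckets.items()}


def write_buckets(buckets, outdir, prefix="abc-hist-"):
    """Write each bucket to <outdir>/<prefix><key> (abc-hist-c, abc-hist-0,
    ...) ready to be fed to john."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    written = {}
    for key, lines in buckets.items():
        path = outdir / f"{prefix}{key}"
        path.write_text("\n".join(lines) + "\n")
        written[key] = path
    return written


if __name__ == "__main__":
    import tempfile
    buckets = split_histories(SAMPLE_PWDUMP)
    print("totals:", count_users(buckets))
    with tempfile.TemporaryDirectory() as tmp:
        for key, path in sorted(write_buckets(buckets, tmp).items()):
            print(path.name, path.read_text().count("\n"), "lines")
```

Run it against a real dump by reading the file into `split_histories` and pointing `write_buckets` at your working directory; the counts it prints are the numbers that go into the total column.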
Dictionary crack
First of all, rename the john.pot file to something else. This effectively blanks out passwords that you may have cracked on a previous exercise; the idea is to start afresh.
  • ./john --format=NT --wordlist=password.lst abc-hist-?  (using the ? will process all abc-hist-x files)
With john you can crack LanMan as well as NT hash formats (plus others). I use --format=NT when I have to compare a number of sites and LanMan hashes are unavailable for one or more of them. Using LanMan gives you more obvious results; with NT hashes the differences between a good and a bad site are a little more subtle. Another reason to use LanMan is that the whole password needs to be cracked before it will show as a valid guess. For sites where LanMan is disabled the --format=NT option will still give you results. I also use the default password.lst file, which is fairly small: if your password is guessed from it, it is truly lame. You can also point john at your own wordlist and tie it into the test.
Check the results
For each of the abc-hist-x files run the john command to show the results:
  • ./john --format=NT --show abc-hist-c
The results for each command will be along these lines:
22 password hashes cracked, 480 left
Record the number of password hashes cracked in the spreadsheet under the dictionary column.
Hybrid crack 
  • ./john --format=NT --wordlist=password.lst  --rules abc-hist-?
Checking the results is exactly the same as for the dictionary crack:
  • ./john --format=NT --show abc-hist-c
Record the results in the hybrid column.
Brute force 
  • ./john --format=NT  abc-hist-?
Leave this running for an hour, or whatever time frame you decide. Just make sure that you use the same period next time, otherwise you are comparing apples with peanuts.
Repeat the checks using ./john --format=NT --show abc-hist-c
Record the results in the brute force column.
Whilst the brute force is running it will start scrolling passwords past the screen. Check these out and see if you can spot patterns in how the service desk resets passwords and how users are selecting passwords. If many users simply rotate their password through a number sequence, it is certainly time for education, e.g.:
cassie33         (ssmith_history_7)
cassie34         (ssmith_history_6)
cassie35         (ssmith_history_5)
cassie38         (ssmith_history_2)
cassie37         (ssmith_history_3)
cassie36         (ssmith_history_4)
cassie39         (ssmith_history_1)
If you hit enter whilst the crack is running, john will tell you where it is up to and how long it has been running.
Once done, hit ctrl-c to quit the crack and use ./john --format=NT --show abc-hist-c to display the results. Record these in the brute force column.
And we are done: work out the percentages for each in the % column and get the chart drawn. You'll get something along the lines of the figures below.
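As an added example, not code from the diary, the script below post-processes what john prints: it flags accounts whose cracked history is a numeric rotation like the ssmith one above, lists passwords that turn up on more than one account (a helpdesk reset default shows up this way), and parses the --show summary line into the percentage that goes in the spreadsheet. The cracked lines, account names and passwords are constructed sample data in the "password (account)" format john scrolls past during a crack.

```python
import re
from collections import defaultdict

# Constructed sample of the lines john scrolls past while cracking,
# "<password>   (<account>)"; accounts and passwords are made up.
SAMPLE_CRACKED = """\
cassie33         (ssmith_history_7)
cassie34         (ssmith_history_6)
cassie35         (ssmith_history_5)
cassie38         (ssmith_history_2)
cassie37         (ssmith_history_3)
cassie36         (ssmith_history_4)
cassie39         (ssmith_history_1)
cassie40         (ssmith)
Passw0rd         (jdoe)
Summer2009       (jdoe_history_1)
Welcome1         (jdoe_history_2)
Welcome1         (svc_backup)
"""

CRACKED_RE = re.compile(r"^(?P<pw>\S+)\s+\((?P<acct>[^)]+)\)\s*$")
HISTORY_RE = re.compile(r"^(?P<base>.+)_history_(?P<idx>\d+)$", re.IGNORECASE)
STEM_RE = re.compile(r"^(?P<stem>.*\D)(?P<num>\d+)$")   # text stem + trailing number
SHOW_RE = re.compile(r"(\d+) password hashes? cracked, (\d+) left")


def parse_cracked(text):
    """Group cracked passwords per base account, keyed by age: 0 is the
    current password, n+1 is <user>_history_n (history_0 being the most
    recent previous password, as in the diary)."""
    by_user = defaultdict(dict)
    for line in text.splitlines():
        m = CRACKED_RE.match(line.strip())
        if not m:
            continue
        acct, pw = m.group("acct"), m.group("pw")
        h = HISTORY_RE.match(acct)
        if h:
            by_user[h.group("base")][int(h.group("idx")) + 1] = pw
        else:
            by_user[acct][0] = pw
    return dict(by_user)


def longest_rotation_run(passwords_by_age):
    """Longest run of successively cracked passwords (newest first) that share
    a stem and differ only by +/-1 in the trailing number (cassie40, cassie39...)."""
    ordered = [passwords_by_age[age] for age in sorted(passwords_by_age)]
    best = run = 1
    prev = None
    for pw in ordered:
        m = STEM_RE.match(pw)
        cur = (m.group("stem"), int(m.group("num"))) if m else None
        if prev and cur and prev[0] == cur[0] and abs(prev[1] - cur[1]) == 1:
            run += 1
        else:
            run = 1
        best = max(best, run)
        prev = cur
    return best


def rotating_users(text, min_run=3):
    """Accounts whose cracked history shows a numeric rotation of at least min_run steps."""
    found = {}
    for user, hist in parse_cracked(text).items():
        run = longest_rotation_run(hist)
        if run >= min_run:
            found[user] = run
    return found


def shared_passwords(text):
    """Passwords cracked for more than one base account: a reset default from
    the service desk, or users copying each other."""
    users_by_pw = defaultdict(set)
    for user, hist in parse_cracked(text).items():
        for pw in hist.values():
            users_by_pw[pw].add(user)
    return {pw: sorted(users) for pw, users in users_by_pw.items() if len(users) > 1}


def parse_show_summary(text):
    """Pull (cracked, left) out of the summary line that john --show prints."""
    m = SHOW_RE.search(text)
    if not m:
        raise ValueError("no john --show summary line found")
    return int(m.group(1)), int(m.group(2))


def percent_cracked(cracked, total):
    """The % column of the spreadsheet, rounded to one decimal."""
    return round(100.0 * cracked / total, 1) if total else 0.0


if __name__ == "__main__":
    print("numeric rotation:", rotating_users(SAMPLE_CRACKED))
    print("shared passwords:", shared_passwords(SAMPLE_CRACKED))
    cracked, left = parse_show_summary("22 password hashes cracked, 480 left")
    print(f"dictionary: {percent_cracked(cracked, cracked + left)}% of {cracked + left}")
```

Feed `rotating_users` and `shared_passwords` the captured output of a brute force run (redirect john's output to a file and read it in); for the percentage, use the grep -c total from the spreadsheet rather than cracked plus left, since lines john could not load are not counted in "left".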

Figure 1 - No password complexity

Figure 2 - Password complexity, good education initially, but needs a refresher

When using NT hashes the results will be less obvious than with LanMan hashes, but the graphs are still telling. In figure 1 there is no password complexity in place: the dictionary line is above 0%, and the hybrid test shows that users are using dictionary words with numbers added. The brute force test cracks over 20% of passwords within one hour, again indicating that password selection is not great. There is however a dip at the previous password point, which is when some education was done. The next graph is expected to look more like the first few data points in figure 2.

In figure 2 password complexity is enabled and users are educated. Something started going wrong a few password changes ago, which may indicate that some awareness training is needed to get the line back to where it started, near the 0% line for all three tests.

The test is relatively simple to do, you have all the information above, and it gives a nice graph that can be shown to management (with explanation) demonstrating that your hard work with respect to passwords is paying off. You'll also be able to identify issues with password selection for password resets, service accounts, privileged accounts etc. It provides you with additional information that you can use to help improve the security posture. The above takes about 90 minutes to do from start to finish and can largely be automated.

If you have some nice metrics that you create to measure effectiveness of controls in place in your organisation, let us know. Might be as simple as measuring the number of viruses sent out of an organisation by email (hopefully 0) to measuring the number of attacks dropped by the firewall, etc. 

Mark H - Shearwater



391 Posts
ISC Handler
Does anyone actually see on-line brute-forcing of the passwords done anymore? The only things I see that are being brute-forced right now are FTP and SSH.

Passwords that are being leaked out of my org are all from employee home computers (and a few laptops) infected with malware. Password complexity is a moot point here.

Off-line cracking... sure maybe that is useful for an attacker, but at that point they are already in your network, and keystroke loggers and pass-the-hash attacks are being used anyway...

Not to say that doing a password audit is a bad thing... just that I think you have to put it in perspective. Perhaps I only have the view from my fishbowl though, I'd be interested to hear other comments.

29 Posts
I see windows user accounts being used to log in to VPNs, internet-accessible intranets, webmail, Remote Desktop, wireless access points, etc.
A lot of the time these services are available by default to end users without them even being aware of it.
One thing I think is missing is statistics on the most used passwords. Just count number of hashes that are the same. Probably 20% of the users will have a top 10 password in many orgs.

And your users will use the same password or variations across other websites.

Brute forcing is not really of value, but wordlists and wordlists + nums are.
Povl H.

71 Posts
We frequently see brute force attempts on POP3.

42 Posts
If you do not want to use "your favourite tool" in your production environment you can try the built-in REG command. The REG command can be used by an administrator to create a backup copy of the registry hives containing the password hashes (as described in the blog post below).

3 Posts
