Password cracking

With the ability to pass-the-hash, or to use Mimikatz to extract clear-text credentials from memory, has password cracking become obsolete?

  • In some cases, for example where Pass-the-Hash is mitigated by binding SSO tokens, it might not be possible to pass the hash at all. Dumping and cracking the password may then still be the only option.
  • Domain Admin is not the end goal. Getting sensitive data is. Reaching that data may require the credentials of specific accounts (a SQL login, the key to archived or encrypted data), which in turn requires having a user’s credentials. These can be obtained by keylogging, by dumping them with Mimikatz from somewhere, or, if those fail, by cracking a password.

Hardware

Hardware is the most important part: the more Graphics Processing Units (GPUs) you can fit onto one motherboard, the better. All your passwords are belong to us.

Wordlists

Having good wordlists is also very important.

Get CrackStation's Password Cracking Dictionary. It contains wordlists, dictionaries, password databases, every word in the Wikipedia databases (retrieved 2010, all languages), and lots of books from Project Gutenberg. It also includes the passwords from some low-profile database breaches that were being sold in the underground years ago. It contains 1,493,677,782 words, and its download is 15GB.

The RockYou and Cain wordlists are smaller and can sometimes be useful as well. Those can be found on the Skull Security wiki.

Password Cracking Software

The third thing to get is password cracking software. Get John the Ripper and/or Hashcat. Both provide more options than a static, wordlist-based dictionary attack, such as rule-based mangling of wordlist entries and mask attacks.

  • Eight-character minimum password policies are not cutting it any more. Some organizations have a very hard time moving their password policy past the default 8-character minimum. Dumping the password hashes for all domain users in an environment and running a company-wide “password audit” can be the driving force needed to tighten password requirements.
  • Use a password manager like KeePass(X). Mind its limitations and recommendations.
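The password audit mentioned above, as an added example (not code from the original post, and not how Hashcat or John the Ripper are implemented): a small Python script that expands a wordlist with a handful of mangling rules of the kind those tools' rule files automate, checks a set of account hashes against the result, and reports which accounts would fall to such an attack. The wordlist, the account hashes and the hash rate used for the keyspace estimate are all constructed for the example; SHA-256 stands in for whatever the real credential store uses (NTLM in Active Directory), since only the comparison logic matters here.

```python
import hashlib

# Constructed stand-in wordlist; a real audit would load something like
# rockyou.txt or the CrackStation dictionary instead.
BASE_WORDS = ["password", "welcome", "summer", "company"]

# Constructed mangling rules, mirroring common JtR/Hashcat rule behaviour:
# case changes, simple leetspeak, and a few popular suffixes.
SUFFIXES = ("1", "123", "!", "2023", "2024")
LEET = str.maketrans({"a": "@", "e": "3", "o": "0", "s": "$"})


def mangle(word):
    """Return the set of candidates derived from one base word."""
    leet = word.translate(LEET)
    variants = {word, word.capitalize(), word.upper(), leet, leet.capitalize()}
    out = set()
    for v in variants:
        out.add(v)
        for suffix in SUFFIXES:
            out.add(v + suffix)
    return out


def build_candidates(words):
    """Expand every base word with the rules above."""
    cands = set()
    for w in words:
        cands |= mangle(w)
    return cands


def hash_password(pw):
    # Stand-in for the real store's hash (e.g. NTLM); unsalted, like NTLM,
    # which is what makes a single precomputed lookup table work here.
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def audit(account_hashes, words):
    """Return {username: recovered_password} for every account whose hash
    matches a mangled wordlist entry; everything else is left untouched."""
    lookup = {hash_password(c): c for c in build_candidates(words)}
    return {user: lookup[h] for user, h in account_hashes.items() if h in lookup}


def seconds_to_exhaust(length, charset_size, hashes_per_second):
    """Worst-case time to try every password of a given length and alphabet
    at an assumed (constructed) hash rate; shows why 8 characters is thin."""
    return charset_size ** length / hashes_per_second


# Constructed account hashes: two policy-compliant but weak passwords and one
# passphrase that no rule above will reproduce.
ACCOUNT_HASHES = {
    "alice": hash_password("Welcome123"),
    "bob": hash_password("P@$$w0rd!"),
    "carol": hash_password("correct horse battery staple"),
}

if __name__ == "__main__":
    for user, pw in audit(ACCOUNT_HASHES, BASE_WORDS).items():
        print(f"{user}: weak password recovered ({pw!r})")
    rate = 1e11  # assumed GPU hash rate, constructed for the estimate
    for n in (8, 12):
        print(f"{n} chars, 95-symbol alphabet: {seconds_to_exhaust(n, 95, rate):.3g} s")
```

Both "Welcome123" and "P@$$w0rd!" satisfy a typical 8-character, three-character-class policy and still fall to four base words and a few rules, which is the point the audit is meant to make to management. Growing the length from 8 to 12 multiplies the keyspace by 95^4, roughly 8e7, at the same hash rate.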