Cracking

Theory

Attacking Active Directory domains often leads to obtaining password interesting, but either hashed or encrypted data. When this information cannot be directly leveraged for higher privileges (like with pass-the-hash, ), it is required to crack it.

Cracking is an operation that can be carried out through different types of attacks:

• Brute-force: every possibility for a given character set and a given length (i.e. aaa, aab, aac, ...) is hashed and compared against the target hash.

• Dictionary: every word of a given list (a.k.a. dictionary) is hashed and compared against the target hash.

• Rainbow tables: the hash is looked for in a pre-computed table. It is a that allows cracking hashes faster, but costing a greater amount of memory than traditional brute-force of dictionary attacks. This attack cannot work if the hashed value is salted (i.e. hashed with an additional random value as prefix/suffix, making the pre-computed table irrelevant)

There are many other and more complex types of attacks (incremental, mask, rules, hybrid types, ...) but the major/core ones are the three above.

Practice

One of the greatest tools that can be used for cracking is (C). It implements different types of attacks and many types of hashes. It has many other great features like

• it is cross-platform (support for Linux, Windows and macOS) and supports anything that comes with an OpenCL runtime (CPU, GPU, APU, ...)

• it can crack multiple hashes at the same time and use multiple devices at once (distributed cracking networks supported too)

• it can save and restore sessions

• it has a builtin benchmarking system

Below is a short list of the most useful hash types for Active Directory hunting.

Dictionnary attack

Below is an example of how to use hashcat for a dictionary attack.

hashcat --attack-mode 0 --hash-type $number $hashes_file $wordlist_file

Dictionary and rules attack

Hashcat can also be used in a hybrid mode by combining a dictionary attack with rules that will operate transformations to the words of the list.

hashcat --loopback --attack-mode 0 --rules-file $rules_file --hash-type $number $hashes_file $wordlist_file

Brute-force attack

hashcat --attack-mode 3 --increment --increment-min 4 --increment-max 8 --hash-type $number $hashes_file "?a?a?a?a?a?a?a?a?a?a?a?a"

Hashcat has the following built-in charsets that can be used.

?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
?s =  !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
?a = ?l?u?d?s
?b = 0x00 - 0xff

Below are examples of hashcat being used with built-in charset.

# Passwords are like : 1 capital letter, 3 letters, 4 numbers, 1 special char
hashcat --attack-mode 3 --hash-type $number $hashes_file "?u?l?l?l?d?d?d?d?s"

# Password are 8 chars-long and can be any printable char.
hashcat --attack-mode 3 --hash-type $number $hashes_file "?a?a?a?a?a?a?a?a"

Hashcat can also be started with custom charsets in the following manner.

hashcat --attack-mode 3 --custom-charset1 "?u" --custom-charset2 "?l?u?d" --custom-charset3 "?d" --hash-type $number $hashes_file "?1?2?2?2?3"

Hashcat also has an incremental feature that allows to bruteforce passwords up to a certain length whereas the commands above only try the specified mask's length.

# Password are up to 8 chars-long and can be any printable char.
hashcat --attack-mode 3 --increment --hash-type $number $hashes_file "?a?a?a?a?a?a?a?a"

# Password are 4 to 8 chars-long and can be any printable char (mask length is 12 so that --increment-max can be upped to 12).
hashcat --attack-mode 3 --increment --increment-min 4 --increment-max 8 --hash-type $number $hashes_file "?a?a?a?a?a?a?a?a?a?a?a?a"

Hashcat alternative

Tips & tricks