How to crack a corporate network in 60 seconds
>> Thursday, August 27, 2009
Ever seen the movie Gone in 60 Seconds? Well, in the same way that it is easy to steal a car, it is just as easy to steal passwords off a corporate network. Since the vast majority of corporate networks run Microsoft software such as Windows, the task is easy. Most enterprises are slow to upgrade, even after Microsoft has told them to move to Active Directory and that their older systems will no longer be supported. Their lack of aggressiveness turns into an opportunity for those who want to crack a network in 60 seconds.
Let's look at the fastest way this can be accomplished...
Let me stand on my soapbox for a moment. If you are still running Windows NT and are a network administrator and/or responsible for IT security, go to your boss and ask him/her to fire you immediately!
The best way to attack a Windows network is to get hold of the Windows SAM file. The SAM file holds the username, user ID (SID) and hashed password for every user. Once you have a copy, you can use tools such as L0phtCrack and Cain & Abel. These tools can crack passwords in about eight hours. While that is not sixty seconds, it is sufficient for most needs.
I have to keep my promise of telling you how to do it in sixty seconds, though. To understand how it will be accomplished, you need to understand a little about how the SAM file is protected. First of all, the hashing routine used by SAM is based on the DES algorithm. Essentially, a 32-byte hash is generated from the password as follows:
1. Convert the password to uppercase.
2. Truncate the password to 14 characters; if it is shorter, pad it out to 14.
3. Split the password into two 7-character halves and generate two 16-byte hashes from them using the DES algorithm.
4. Concatenate the two 16-byte hashes to form the 32-byte hash.
If you understood the above steps, you will realize that cracking is reduced to cracking one, or possibly two, 7-character passwords without regard to case. This makes the number of combinations incredibly small.
To make the problem space even smaller, there are two different approaches one can use. The first is a dictionary-based approach, where weak passwords are defined as any dictionary word or lame permutation of a dictionary word such as "password9". Precomputed hashes can be compared, since the vast majority of users will use real words in their passwords instead of random character sequences (security folks: don't think for a second that changing your security policy is the answer). Secondly, if you are on a non-switched network, a clever individual can use NetMon to sniff the hashes off the wire.
Using this technique on a Pentium 4 3.2 GHz machine (I have a Gateway), it takes 10 seconds to load the dictionary into memory but less than one second to actually crack the password. Subsequent runs will also take less than one second!
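The four hashing steps above and the precomputed-dictionary comparison, worked through in Go as an added example; this is not code from the post and not any of the tools it names. Each 7-character half is used as a DES key to encrypt the fixed string "KGS!@#$%", which gives an 8-byte block per half and a 16-byte LM hash, displayed as the 32 hex characters seen in SAM dumps. From the defender's side, the audit function reads two things off a dump entry without cracking anything: whether an LM hash is stored at all, and whether the second half equals the constant AAD3B435B51404EE, which means the password is 7 characters or fewer. The function names, the three-word wordlist and the sample accounts are all constructed here, and passwords are assumed to be ASCII.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// Fixed plaintext that each 7-character half encrypts, with the half as DES key.
var lmMagic = []byte("KGS!@#$%")

// DES output for an all-null half: the second half of any LM hash whose password
// is 7 characters or fewer, and both halves when no LM hash is stored at all.
const EmptyHalf = "AAD3B435B51404EE"

// desKeyFromHalf spreads 7 password bytes (56 bits) over 8 DES key bytes; the
// low bit of each key byte is DES parity, which crypto/des does not check.
func desKeyFromHalf(half []byte) []byte {
	key := []byte{
		half[0] >> 1,
		(half[0]&0x01)<<6 | half[1]>>2,
		(half[1]&0x03)<<5 | half[2]>>3,
		(half[2]&0x07)<<4 | half[3]>>4,
		(half[3]&0x0F)<<3 | half[4]>>5,
		(half[4]&0x1F)<<2 | half[5]>>6,
		(half[5]&0x3F)<<1 | half[6]>>7,
		half[6] & 0x7F,
	}
	for i := range key {
		key[i] <<= 1
	}
	return key
}

// lmHalf DES-encrypts lmMagic under one 7-byte half and returns the 8-byte block.
func lmHalf(half []byte) []byte {
	block, err := des.NewCipher(desKeyFromHalf(half))
	if err != nil {
		panic(err) // only a wrong key length fails, and the key is always 8 bytes
	}
	out := make([]byte, 8)
	block.Encrypt(out, lmMagic)
	return out
}

// LMHash follows the post's steps for an ASCII password: uppercase, truncate or
// null-pad to 14 bytes, split into two independent 7-byte halves, DES each half,
// concatenate. Returned as the 32-hex-character string seen in SAM dumps.
func LMHash(password string) string {
	padded := make([]byte, 14)              // zero bytes pad short passwords
	copy(padded, strings.ToUpper(password)) // copy also truncates at 14
	lm := append(lmHalf(padded[:7]), lmHalf(padded[7:])...)
	return strings.ToUpper(hex.EncodeToString(lm))
}

// Finding is what an auditor can read off one dump entry before any cracking.
type Finding struct {
	Stored    bool   // an LM hash is present, so this account is exposed
	ShortPass bool   // second half is EmptyHalf: password is 7 chars or fewer
	Word      string // wordlist entry whose precomputed hash matched, if any
}

// Precompute hashes a wordlist once (LM hash -> word) so each audit is a lookup.
func Precompute(words []string) map[string]string {
	table := make(map[string]string, len(words))
	for _, w := range words {
		table[LMHash(w)] = w
	}
	return table
}

// AuditLMHash classifies one LM hash structurally and against the table.
func AuditLMHash(lmHex string, precomputed map[string]string) Finding {
	h := strings.ToUpper(lmHex)
	if len(h) != 32 {
		return Finding{} // malformed entry: report nothing rather than guess
	}
	return Finding{
		Stored:    h != EmptyHalf+EmptyHalf,
		ShortPass: h[:16] != EmptyHalf && h[16:] == EmptyHalf,
		Word:      precomputed[h],
	}
}

func main() {
	table := Precompute([]string{"password", "password9", "welcome"}) // constructed wordlist
	// Constructed sample accounts, hashed here; carol has no LM hash stored.
	accounts := map[string]string{
		"alice": LMHash("password"),
		"bob":   LMHash("Zq7!"), // short, but not a wordlist entry
		"carol": EmptyHalf + EmptyHalf,
	}
	for user, h := range accounts {
		f := AuditLMHash(h, table)
		fmt.Printf("%-6s stored=%-5v short=%-5v word=%q\n", user, f.Stored, f.ShortPass, f.Word)
	}
}
```

Two things the code makes visible that the steps alone do not: LMHash("password") and LMHash("PaSsWoRd") are identical, and anything past the 14th character is silently dropped, so a 26-character passphrase hashes the same as its first 14 letters. An account whose entry is AAD3B435B51404EEAAD3B435B51404EE has no LM hash stored, which is the state the Knowledge Base articles below aim for.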
If you want to make it more difficult to perform this type of attack on your network, please see the following Microsoft Knowledge Base articles.
Local Security Policy - 147706
Disabling hashing - 299656
Group policy enforcement of strong passwords - 225230