
Hey everyone, welcome to my talk, "So You Cracked a Bunch of Passwords, Now What?" My name is Chris Timmons. I'm presenting for BSides Vancouver 2021, and I figured that hockey intermission music might be a little comforting for those of us in Calgary and Vancouver who probably aren't going to see a hockey playoff game for the next little while.

Tell you a little bit about myself. So I am Chris Timmons. I am the IT Security Specialist Team Lead at ION United. I go by the Twitter handle broken data. I've been a pen tester and a security architect for about 27 years now. I've had senior roles at various companies, I've been a speaker at conferences, subject matter expert on a lot of different, really various things. I even made the cover of CIO Canada way back in March 2012. My god, nine years. And according to my loving wife, my basement workshop can probably act as a NASA disaster recovery location, although I should probably update that reference to SpaceX lately.

So a little more about me. I've helped secure a bunch of companies you've heard of and a ton you probably will never, ever hear of, and I've done a little bit of everything else: password cracking, hardware hacking, wireless, smartphone forensics. I even get to play with cool little robots like Pepper there. I mean, I used to take DVD players and hack them and give them away as Christmas presents back in 2005. It's pretty bad: we could go into a Walmart and read the serial number and know what chip was inside of it.
Why did I do these kinds of things? Well, I like shiny things, I'm a chronic procrastinator, and I like to build once and use many. So a lot of the time you end up needing a tool doing something, you figure something out, you save the code snippet, you do it again later on, because if it takes you five minutes to do it once and then it takes 30 seconds the next time, well, it just gives me time to go play with another shiny toy.

And the other thing is, well, I like cracking passwords. I've got a pretty decent GPU rig in my basement, part of the NASA center, and, you know, cracking on an NTLM hash I'm getting about 160 gigahashes per second, which is 160 billion passwords per second. So I've got a large collection of breach data and passwords and dictionaries, and I sit there and crunch them around all day. And what does that really mean? Well, I tell people I crack passwords for a living. They don't really understand the concept of, you know, taking an Active Directory database and sitting there and cracking the passwords, and getting the passwords, and being able to get the password history that they used to have, you know, when a lot of people have never seen this kind of thing. So when we've done these kinds of exercises for our clients, it's really interesting for them to see not only the technology behind it, with GPU crackers and dictionaries and password breaches and everything else, but also really to understand what is the real output from it, what do they really get from it.

And I have to admit, COVID has thrown an interesting mix into that. Everyone's working from home now. I actually was pretty lucky; I worked exclusively from home before, I randomly went into clients' offices for presentations and such, but for the most part I'm wearing a hoodie or a pair of shorts and, you know, hit the treadmill and go up and then go back to work. The only real difference with COVID was there's a lot more people in my house during the day, but interestingly enough a lot of the pen testing is done at night, so it really didn't make that much of a difference.

So why does a company pen test? Well, most of the time it boils down to a few things. They need shock and awe: the entire security team knows that there's problems and they need an independent third-party consulting company to tell them exactly what they need to do so that they can get the budget to go do it. In certain times it's compliance, it's a checkbox; they need a pen test done because they're PCI compliant, or ASV, or whatever the case may be. A lot of the time it's for testing specific things. They need to find out, you know, we implemented a large change, we need to verify that it's good; we're implementing a new product or a new system; or they're testing a previous pen test, and they said okay, we fixed everything, is there a new hole or are we good now? And of course, you know, it's understanding that it's a continual thing, it's a maturity, it's a process, and just because you weren't exploitable or vulnerable to something last year doesn't mean that you aren't this year, because, well, new hacks and stuff come out all the time. You know, some of the more mature clients that we have, they're looking at things like purple teaming, where, you know, they're actively red and blue, trying to make sure that the defenses are improved, or really getting into true adversarial simulation: take a look at things like the pipeline going on right now and say, what happens if malware comes in, what if a threat actor were to come in, let's test that defense and see what it really means.
So what do pen testers really do? Well, according to SANS, it's a lot, but I'm not going to talk about everything on that one today. What I am going to talk about is this: I'm not going to talk about all the things that pen testers do, I'm here to talk about one thing: reporting. Reporting is absolutely paramount to any kind of pen testing, whether you're doing web app testing, network penetration testing, password spraying, Office 365, operational OT environments. No matter what happens, reporting is paramount, because it is what shows your work, and unless you can show your work you can't show your client what they're vulnerable to, you can't show them how to fix it, and that's the reason that we're pen testing, is to do that.

And what do customers really want? Well, your customer is the executive. They are the management, the leadership team of the organization that you are doing the testing for. They don't care about your elite hacks or skills. They don't care that you found some really cool exploit or wrote some PoC that, you know, popped a remote procedure call and ended up getting you remote code execution on a system. They don't care. They really care what's the impact and the risk to their organization and how to fix it. You know, for certain organizations that are very mature they may be understanding, but understand, if a customer has never had a pen test before, they're not going to know what to expect, so you have to deliver your reporting to that company's maturity level. Some are going to be expecting it: if they have quarterly pen tests happening, they're used to it, they have a compliance program, they have remediation programs in place. Sometimes this is the first time, so you have to lead them through it, and you have to be gentle, right? You need to identify what the root causes are. You have to identify the cost and the effort, and the effort is not the same for every customer, because some organizations are going to have certain technology or processes or policies in place which make it easier to remediate those findings. And there's costs. Sometimes it's a zero cost because it's just a policy that they need to implement, but there's always a cost; even if it's not technology dollars, it's human capital. You know, people have to go and do things, and if you have to take them off another project to do this, there's that cost. But it needs to be specific, it needs to be defined, and it has to be actionable, and it has to speak in their language. If they're using NIST, call out the NIST reference in your remediation report. If they're using the CIS 20, call that out. You have to map to their framework so that when they go back and they report to their risk compliance management committee, they know exactly, and you're speaking their language, and they can slap it into their risk register and move on.

A good example of this is reporting. Take a look at this report structure. You know, we've got table of contents, executive summary, identified risks, all of the methodology that you used so that you can walk through, but the technical detail, the really cool shiny stuff, that's going to go down in one of the appendices, and that's where the details are, because what's going to happen is the executive looks at the executive summary, management looks at the next section, but the technical people go here.

Looking at the executive summary, you should be listing out what the objectives were. When you scope out a pen test you're going to identify what the crown jewels are, right? What was the result? Did you get them, did you not? Were there certain things that prevented you from doing it, or certain issues that you found that enabled you to do it? Identify those. Identify what the risk is to the business. Identify three key findings that you had and tell management how they can do that. If you have a bad password policy, tell them: implement a better password policy. Seems pretty straightforward, but some people miss that basic step. Identify from an executive level, put a pretty chart in and say just how many issues they have, something that they can flip around, copy and paste into a board report, and keep moving on.

When you get into the risk summary, think of one step down from the executives. These are the managers, these are the people who probably hired you for the engagement. Assume this is all that they're going to read. Put in your observation, what's the implication of the impact or the risk to that organization, put in a shortened recommendation. We don't need 50,000 lines of technical details; they just want a summary. For example, here we have privileged service accounts in Active Directory. People who Kerberoast find bad passwords all the time. A number of engagements, you know, I've been on, we Kerberoast in the environment and, you know, we found a domain admin service account and the password was "password". Happens all the time, right? Key recommendation: make sure they have long, randomly generated passwords. If the password policy allows users to, or the password to be easily guessed, because it's Winter21 again, or Winter20, Winter21, you know, you've got to go for the historical analysis. Tell them, you know, length is better than complexity; require them to be longer and change less frequently, and get them out of that seasonal rotation.

And then detail out in the methodology. Detail every step you took. Somebody else, another pen tester, should be able to pick up your results and go step by step. You may not be the people running the remediation test, but a pen tester may ask for last year's pen test reports to validate, and you should be able to take that previous pen test report, open up the tool of choice at the time for whatever pen tester did, plug in the exact same thing, and verify 100% or not: is this a real issue, or has it been fixed? Tell the story of how you got it fixed. Look, when you're going through step by step it should say I did this, and then I did this, and then I did this; plot the map, A, B, C.

And then finally you get to the juicy stuff, the detailed findings. This is the section for all: put all the technical details, pile it on, make it complete, make it actionable, stick to the facts. Say exactly what you did, what you didn't do. Put in recommendations, actionable steps: check this box, make this change, change the default password. And make references; put in links to everything you can find: Microsoft articles, knowledge base articles, blog posts, anything you can find that's referencing this, that gives them more context and proves that you're not making it up. Why? Because the rest of the internet agrees that this is a problem, and it gives a lot more references on not only how to exploit it but more importantly how to fix it.
Now you're probably saying, well, I thought we were here to talk about passwords. And we are. Like I said, if you're doing any kind of penetration testing, or any kind of testing at all, you have to be able to report on it. Great, I can crack 160 billion NTLM passwords a second; what is that really going to mean when I try and report on it?

Well, taking a look at some of the current tool sets that we've got today. A lot of people running, for example, are going to be very familiar with PACK, the Password Analysis and Cracking Kit. It's not really made for reporting; it helps you generate password masks and rules to help you be more efficient for cracking. So you run through it, it takes a look at the results, generates some pretty basic statistics, but helps you generate rules so that you can then run more password cracks. Works really good. I've taken some of this output over the years and used it in certain things, but typically I end up taking it and then trying to, you know, format it into Word, or dump it into an Excel CSV table and make a pretty picture out of it.

Domain Password Audit Tool, DPAT. Fantastic tool. Carrie wrote a great one, Black Hills supported it, fantastic, and I stole some of the sample data completely shamelessly because it was great. Spent a lot of time on it. It's a fantastic tool, it generates a lot of statistics, it identifies... people have been piling on a number of different add-ons to it over the years, being able to generate output roles from things like PowerView and everything else and take those and feed them in so that you can say who's a member of the Domain Admins, Enterprise Admins, right? Really putting context and not saying, hey, it's just a username and a password that I've cracked. Oh crap, that was the domain admin's account, yes, right? And it's great, it's an HTML report, it's got clickable links, copy and paste into another report. It's really good, but I find the same thing, you know, sometimes you're wanting more, and it's in Python 2.7. It does run on 3, but that's probably going to break at some point.

Funny enough, having the password cracking boxes means that some of the other guys who don't have quite the horsepower want access to it, so I started looking through some of the web GUI stuff, just for multiple job submissions, because if you ever try and put on two screen sessions and multiple cracking sessions on the same box, people really don't like it. You can use things like Hashtopus and stuff like that, but it's a bit of setup, so I was looking for some click-and-go stuff for some of the guys.

And things like WebHashcat: not really good for queuing, but really good for being able to set up distributed sessions. Great. Some good graphical statistics on that one, but they're minimal, right? And it doesn't really say anything about the users, it just lets you kind of do your thing, but you cannot load plaintext files into it, so I thought that was kind of interesting.

Another one I found was Wavecrack. User friendly, yep. It's mostly exactly as indicated for sharing a hashcat box with multiple users; it keeps each user's information totally separate. Problem is, the statistics that it provides are pretty minimal, and it's the same thing, no relation to any of the users. It's pretty basic; it's not its primary function.

Hashview was another one that I ran across, and this is probably one I'm going to start looking at a little bit more. So it separates, and it has a web application that runs hashcat in the background, allows for multi-session management, job queuing, and even so much of, when you're doing password cracking runs, you can tell it to do this and then do this and then do this, instead of having to manually remember that, you know, I ran the d3ad0ne rule this time and next time I want to run this dictionary with this rule. It's pretty great. Good graphical statistics. You can include base words, so if you scrape a website with CeWL you can feed those in and find out, you know, how many passwords were generated related to the company. But the statistics I find are a little bit lacking; it's not its primary use, but interesting nonetheless. It does mention users, because it, you know, will say total unique users, but not quite as much. I had to laugh, though, at this one, because this is a copy and paste right from their web page and stuff, and "consistency" was spelt wrong, so I had to laugh.

So, as I see it, comparison. Well, take a look at all the different tools. You know, some are made for one thing, some are made for another. We got a lot of pros and a lot of cons, and like most tools, right, pick the right tool for the right job. If you're running for base statistics and you're going to be copying them out and you just need some HTML Excel tables, DPAT is great for some of the stuff; it might just be exactly what you need, because you're not needing to provide reports for executives. Looking at it, though, I mean, if you were to take all these tools, roll them into one: you know, you want great statistics, you want graphics, you want to be able to separate LAN Manager (LM) and NTLM hashes, because the number of times I've pulled a password database for a client and said, hey, you still got LM hashes for service accounts that you built 10 years ago, because they didn't realize that a Windows Server 2003, if you upgrade it, it actually keeps LM enabled, and there's actually a registry key, you can actually turn it back on later. So it's kind of fun that way. But things like password history, base words, flexible output, really get it generating some of the statistics. And DPAT is the only one that actually did the history as well, where you can say, you know, here's the pattern, you know, Spring18, Spring or Summer19, Winter20, and it keeps going on like that. Some of the tools are very specific around hashcat as well. You know, if we were to have a new tool, I'd say, hey, what about using masks and rules? If you crack passwords and you're seeing patterns where it's not typically like uppercase, lowercase, lowercase, lowercase, digit, special, you know, like June2021, maybe they've got a 14-character password policy and they've got their own little thing and people call it Company123Password, ABC, you'll never know. But what about being able to generate your own statistics and then generate a report on that? You can do that with hashcat and some pot file stuff right now, but it's all bash trickery, and, well, if we can make it automated, why not? Interestingly enough, I haven't seen a single password reporting tool written
in PowerShell, so I wrote one. Introducing PERP. PERP is the Password Excellent Reporting PowerShell. It's a tool for extracting information from John and hashcat pot files and generating an Excel workbook with pivot tables and everything else to analyze the passwords that you've cracked, and looking for those deep statistics. And I've tried to include everything that I thought was missing in all the other tools. So great statistics, very similar to DPAT: you know, total hashes, unique, cracked, not cracked, LM, how many of them are unique, how many come from just standard English dictionaries, derived from customer.com (so using tools like CeWL, for example), how many passwords have a variation of the customer's name, how many contain a variation of "password", how many are in common cracking dictionaries (so rockyou, you know, breach compilation, take your pick), how many of them are reused, how many contain the name of the season, special characters, uppercase, all those fun things. Even started looking into trying to integrate into Have I Been Pwned, for example, because we can actually check and see if those passwords have been breached, why not?

As I mentioned about the graphics, obviously that's one of the things that was driving it, so we've got all of the things that were in the previous table into a chart. Obviously these numbers are really off, but they do show a few things. Here's a better example of actually some of those dashboards. So not only just the standard patterns but also some of the more intricate patterns, so things like having those pattern masks of uppercase lowercase, what are the 10 most common passwords, what's the variation of password cracked versus not cracked. Same thing, we also wanted to be able to pull out LM hashes. Why is it a risk to customers? If you've got passwords that are stored in LM hash, it doesn't matter how good the password was; a bad guy, if they have your Active Directory database, is going to pull out those LM hashes, crack the password in seconds. It doesn't matter if the service account had 20-character complex random passwords; if it's a domain admin and it's got an LM hash, it's pretty much done.

Same thing looking at relative to users' roles. This one only shows, you know, it being an administrator account, but anything can be done. You can look for members of specific groups, a privileged group. Maybe your business objective was financial controls and you managed to crack the passwords of all the accounting people that have access to the sensitive accounting files.

Password history. This is an extremely important thing, because when you take a look at the password history you can find out, beyond just, you know, the Winter2020 kind of things, what kind of patterns are really showing up within the report, and being able to show them year over year or quarter over quarter, and being able to see the effectiveness of any of the controls. So if they implemented a 20-character password policy last month, and here's all the passwords they used to crack, and now on this run you can't crack any, that's a positive remediation.

Same thing, just talking about some of the base words again. You know, pretty much anything can be done, and the statistics you derive from this can be literally just driven by what files you input as base words, whether it's scraping the website, or the name of special products, or whatever the case may be, you can analyze it.

And of course a big thing was reporting. You know, being able to generate an Excel workbook with pivot tables is great, but we can also take it, because it's PowerShell, and export all those Excel pivot tables to HTML. We can also even export all the CSV, so you take the pot files in and, let's say you want to export all the passwords to CSV, hit the button. I am working on a sanitize function on it as well; I obviously don't necessarily want to always release all the passwords, so I'm working on that as a feature as well. And of course we want to be able to say we support any password cracking tool, and honestly the output files from John and hashcat are minimal at best. Literally, John just puts in like an LM flag and that's it. So being able to support both as an input/output just makes it more tool agnostic.

And I mentioned about masks. Well, as a bonus, well, you know, hashcat comes with a bunch of built-in masks, so the character, real standard Windows complexity: you can run reports and say how many of the passwords you cracked actually meet that. But what if you generate a bunch of statistics with PACK? Well, fine, upload those and you can report on those too. And as I mentioned, it's PowerShell. I haven't found a single tool written in PowerShell, so why not? I am trying to be cross-platform; obviously, you know, you can run PowerShell on Kali and stuff now, so why not? Haven't run into any showstoppers yet on that one, but we'll find out. And of course, you know, I thought about just adding on or rewriting and forking DPAT and adding that in; I decided to roll my own, so yeah. But at some point I may decide to write my own Python version, who knows, we'll see. You know, these are just what I've thought of. I'm sure you guys have a lot of suggestions, comments, and I'd love to hear them. Let me know in the Q&A, we'll hit you up on the Discord, I'd love to
hear the feedback. I mean, if it's a feature that you need, let's add it.

Rolling it back, we talked about reporting, so how does PERP help drive the reporting? Well, how do you improve password policy? You have to prove that it is right. Audiences: management. They don't care about how you cracked a 20-character password; they care if a domain admin service account was using "password". That usually actually gets fixed pretty quick. Same thing, delivering to the customer's level: is this your first pen test? I can guarantee, the first time I ever cracked a password database for a customer... We have clients who give us their Active Directory database every year and we perform this assessment and we provide these analytics for them so they can see those year-over-year improvements, and, you know, flushing out LM passwords and everything else. The first time they ever got the report it was an eye-opener; second, third, fourth time they got it, you know, it's pretty standardized at this point and they're able to hone in and fix those. But, like, you know, customers I've done where they've never been pen tested before, we got in, we stole the database, we ran some analytics on it for them; it's a little eye-opening, right? So they don't really understand what the danger is on some of this stuff, so you have to prove it, and that's what the reporting is for.

But also take a look at some of the risk. You know, does the client have MFA enforcement? Is it used everywhere? Do they have a hole? Are they using passwords over and over? Are they using passwords that have been put out in breach data? Are they using the same password on external website logins and stuff? What are the dangers on that? And, you know, you take a look at all of this and the root cause is usually bad password policies. You know, who hasn't remembered the standard one: you know, it's got to be Windows complexity, eight characters, you know, three-out-of-four rule, change it every 90 days. Well, that just makes people want to do spring, summer, winter, fall.

Talking about things like cost and effort: instituting a new password policy doesn't cost anybody anything, it's a piece of paper. Implementing the password policy could be huge, because you have to change service accounts, there could be dependencies, you could be running an old ancient system that doesn't support special characters, or passwords beyond six characters. Been there, done that, it sucks. Be specific about the actions that they need to take. Where is the risk? Yes, they may have LAN Manager or LM hashes in their password database, but if they're, you know, using privileged access workstations and they're doing all the right things, the risk isn't as great, because for somebody to get to the domain controller they have to pop MFA on an admin and do all these other things. So take that into context.

And at the same time, I mentioned before, speak their language, map to their framework. If using things like the ISM itself, they have password complexity requirement rules. You can generate reports with things like, you know, ADRecon or any other tool to actually show exactly what the mapping is, and so their password policy doesn't meet, you know, the PCI compliance requirements, so therefore you guys have to fix this or you're no longer PCI compliant and they have to file an exception, and nobody likes doing that.

So as I mentioned, the tool is being released on my GitHub. Please go take a look. Some features are still being worked on, but it's going to be in active development for the next little while. Let's chat it up in the Q&A and see what's going on. Thank you everyone for attending, and talk to you soon.
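The kind of summary statistics the talk describes PERP producing (cracked versus not cracked, LM hashes still present, season names, "password" variants, base-word hits, reuse, hashcat-style masks), as an added PowerShell example that is not PERP's or DPAT's own code. It assumes a secretsdump-style NTDS dump (`domain\user:rid:lmhash:nthash:::`), reads hashcat (`hash:plain`) and John (`$NT$hash:plain`) pot lines, and uses constructed, non-real hash values for the sample data.

```powershell
# Added example (not PERP's code): turn a secretsdump-style NTDS dump and a
# hashcat/John pot file into the summary statistics a password-audit report needs.
# All hashes and passwords below are constructed sample data, not real values.

$ntdsDump = @'
corp\alice:1104:aad3b435b51404eeaad3b435b51404ee:0000000000000000000000000000aaa1:::
corp\bob:1105:aad3b435b51404eeaad3b435b51404ee:0000000000000000000000000000aaa2:::
corp\svc_backup:1106:1111111111111111aaaaaaaaaaaaaaaa:0000000000000000000000000000aaa3:::
corp\carol:1107:aad3b435b51404eeaad3b435b51404ee:0000000000000000000000000000aaa2:::
corp\dave:1108:aad3b435b51404eeaad3b435b51404ee:0000000000000000000000000000aaa4:::
'@

# hashcat writes "hash:plain"; John writes "$NT$hash:plain" or "$LM$hash:plain".
$potFile = @'
0000000000000000000000000000aaa1:Winter2021!
$NT$0000000000000000000000000000aaa2:Acme123
0000000000000000000000000000aaa3:Password1
'@

# LM hash of the empty string, i.e. "no LM hash stored" for this account.
$EmptyLm = 'aad3b435b51404eeaad3b435b51404ee'

function ConvertTo-Mask([string]$Plain) {
    # Hashcat-style mask: ?u upper, ?l lower, ?d digit, ?s anything else
    -join ($Plain.ToCharArray() | ForEach-Object {
        if     ($_ -cmatch '[A-Z]') { '?u' }
        elseif ($_ -cmatch '[a-z]') { '?l' }
        elseif ($_ -match  '[0-9]') { '?d' }
        else                        { '?s' }
    })
}

function Get-PasswordStats {
    param([string]$Dump, [string]$Pot, [string[]]$BaseWords)

    # Build a hash -> plaintext lookup, stripping John's $NT$ / $LM$ prefixes.
    $cracked = @{}
    foreach ($line in ($Pot -split "`r?`n" | Where-Object { $_ })) {
        $idx  = $line.IndexOf(':')
        $hash = ($line.Substring(0, $idx) -replace '^\$(NT|LM)\$', '').ToLower()
        $cracked[$hash] = $line.Substring($idx + 1)
    }

    # One record per account; Plain is $null when the NT hash was not cracked.
    $accounts = foreach ($line in ($Dump -split "`r?`n" | Where-Object { $_ })) {
        $f  = $line -split ':'
        $nt = $f[3].ToLower()
        [pscustomobject]@{
            User   = $f[0]
            HasLm  = $f[2].ToLower() -ne $EmptyLm
            NtHash = $nt
            Plain  = $cracked[$nt]
        }
    }

    $crackedAccts = $accounts | Where-Object { $null -ne $_.Plain }
    $plains  = $crackedAccts | ForEach-Object { $_.Plain }
    $seasons = 'spring|summer|fall|autumn|winter'
    $baseRx  = ($BaseWords | ForEach-Object { [regex]::Escape($_) }) -join '|'

    [pscustomobject]@{
        TotalAccounts   = @($accounts).Count
        UniqueHashes    = @($accounts.NtHash | Sort-Object -Unique).Count
        Cracked         = @($crackedAccts).Count
        NotCracked      = @($accounts).Count - @($crackedAccts).Count
        LmHashPresent   = @($accounts | Where-Object { $_.HasLm }).Count
        SeasonPasswords = @($plains | Where-Object { $_ -match $seasons }).Count
        PasswordVariant = @($plains | Where-Object { $_ -match 'pa[s$5]{2}w[o0]rd' }).Count
        BaseWordHits    = @($plains | Where-Object { $baseRx -and $_ -match $baseRx }).Count
        ReusedPasswords = @($plains | Group-Object | Where-Object { $_.Count -gt 1 }).Count
        TopMasks        = ($plains | ForEach-Object { ConvertTo-Mask $_ } |
                           Group-Object | Sort-Object Count -Descending |
                           Select-Object -First 3 |
                           ForEach-Object { "$($_.Name) x$($_.Count)" }) -join ', '
    }
}

# Base words would normally come from a CeWL scrape of the customer's site.
$stats = Get-PasswordStats -Dump $ntdsDump -Pot $potFile -BaseWords @('acme')
$stats | Format-List
```

On the sample data this reports 5 accounts, 4 unique hashes, 4 cracked, 1 not cracked, 1 account with an LM hash present, and `Acme123` as the one reused password; swapping in `Export-Csv` or `ConvertTo-Html` for `Format-List` gives the CSV and HTML outputs the talk mentions.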