vasant kumar chinnipilli

How I pwned hundreds of users for less than $25?

As long as employees do not consider security their responsibility and use insanely easy-to-guess passwords, security compromises are inevitable, no matter how much time and money organizations invest in training, the right tools, and strict policies.


A while ago, I was engaged to perform an internal penetration test for a reputable organisation that relied heavily on Windows infrastructure. The infrastructure was spread across different locations, with a design that called for every location to have its own domain, complete with numerous domain controllers (DCs), DNS servers, WINS servers, DHCP servers and workstations with many missing patches.



1. Starting with NTLM Relaying


Since this was an internal penetration test, one of the first things I did was start up rogue HTTP and SMB services to perform Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) poisoning and capture NetNTLM hashes.



This worked, and I managed to capture a few hashes that gave me an initial foothold in the infrastructure as a domain user with limited privileges. There are a number of different ways to do this, but the easiest is a tool called Responder.


2. Firing up SharpHound


Without a second thought, I fired up SharpHound (the BloodHound ingestor) as a domain-member user to map relationships within the Active Directory (AD) domain and discover attack paths. SharpHound generates a set of CSV files, which I then uploaded into the BloodHound interface.



3. Leveraging Crackmap and Mimikatz


I eventually managed to gain Domain Admin privileges in Active Directory using one of the techniques described on this amazing site covering different Active Directory attack techniques, and then launched CrackMapExec and Mimikatz to dump the hashes from the Active Directory SAM.


4. How to crack those hashes?


So I’ve pwned an Active Directory — congratulations — now what? The rules of engagement permitted me to crack the passwords, and now the challenge was cracking as many hashes as possible before delivering the report to the client. So I decided to leverage a GPU instance and let Hashcat crack the hashes for me.


Hashcat, which claims to be the world’s fastest and most advanced password recovery tool, is a popular and effective password cracker widely used by penetration testers and sysadmins as well as by cyber criminals and spies.


5. Why are GPUs effective for password cracking?


GPUs achieve great performance through heavy parallelism, with hundreds (if not thousands) of cores. GPUs often have up to 16 cores of processing, each operating in a 32-wide SIMD (Single Instruction, Multiple Data) mode, which gives over 500 operations in parallel. Common CPUs only have 4 to 8 cores and can operate in 4-wide SIMD, which gives much lower parallelism.


Amazon offers the next-generation EC2 compute-optimized GPU P3 instances, powered by up to 8 of the latest-generation NVIDIA Tesla V100 GPUs. They are ideal for computationally intensive workloads such as machine learning (ML), high performance computing (HPC), data compression and cryptography, which also makes them useful to pentesters in situations like this. In fact, Bitcoin miners have long been tapping GPU technology to calculate hashes.


6. Launch a p3.16xlarge instance with Kali Linux


I launched a p3.16xlarge AWS EC2 instance, which costs $24.48 an hour, and ran it for approximately one hour to complete the job.




7. Gearing up the Beast with Nvidia and Hashcat


a) Update, upgrade and reboot the Kali instance

sudo apt update && sudo apt -y full-upgrade && sudo reboot

b) Install the Nvidia drivers, Cuda toolkit and reboot the instance

sudo apt install -y nvidia-driver nvidia-cuda-toolkit
sudo reboot

c) Verify the Nvidia Installation

nvidia-smi

d) Install Hashcat

sudo apt install -y hashcat

8. Prerequisites for Cracking the hashes


Hashcat supports different types of cracking attacks such as brute-force, hybrid, combinator, dictionary, fingerprint, mask, permutation, rule-based and other variants. If you want to dive deeper into Hashcat, there is good documentation explaining the different functionalities of the tool on its website. I used a rule-based attack with the rule One Rule to Rule Them All along with the famous rockyou.txt wordlist.


9. Cracking the hashes


From firing up Hashcat to finishing the cracking run took approximately one hour, keeping my spending on the EC2 instance under $25.

hashcat --force -m 1000 --status -w 4 -o cracked.txt --remove --potfile-disable -r OneRuleToRuleThemAll.rule Hashes_For_Wordlist.txt rockyou.txt

-m 1000 — hash mode: NTLM hashes
-r OneRuleToRuleThemAll.rule — rule file applied to every wordlist entry
Hashes_For_Wordlist.txt — hashes to be cracked
rockyou.txt — wordlist
-o cracked.txt — write cracked hashes (hash:password) to cracked.txt
-w 4 — workload profile 4, the most aggressive GPU utilisation
--status — keep the status screen updating automatically
--remove — delete each hash from the input file once it is cracked
--potfile-disable — do not read from or write to the potfile
--force — ignore Hashcat’s warnings; use with care, since it can hide driver or OpenCL problems
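To make concrete what the run above does, here is an added Python example that is not part of the original post: it computes NT hashes (the unsalted MD4 of the UTF-16LE password that hashcat mode 1000 targets), applies a tiny hand-written rule set that stands in for OneRuleToRuleThemAll, and audits a constructed pwdump-style dump (user:rid:lm:nt:::, the format CrackMapExec and secretsdump produce) for accounts that would fall to such a run. Because NT hashes carry no salt, it also reports accounts sharing a password without cracking anything; the sample dump, the usernames and the three-word wordlist are all constructed for the example.

```python
import struct

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); OpenSSL 3 builds often leave hashlib without md4."""
    mask = 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    rounds = ((F, 0, (3, 7, 11, 19), tuple(range(16))),
              (G, 0x5A827999, (3, 5, 9, 13), tuple((i % 4) * 4 + i // 4 for i in range(16))),
              (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)))
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, const, shifts, order in rounds:
            for i in range(16):  # update one register, then rotate the four registers
                a = rotl((a + fn(b, c, d) + X[order[i]] + const) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)

def ntlm_hash(password: str) -> str:
    """NT hash (hashcat -m 1000): unsalted MD4 over the UTF-16LE encoded password."""
    return md4(password.encode("utf-16-le")).hex()

def candidates(word: str):
    """Tiny rule set in the spirit of OneRuleToRuleThemAll: case changes plus common suffixes."""
    return (base + suffix for base in {word, word.lower(), word.capitalize(), word.upper()}
            for suffix in ("", "1", "123", "!", "2019", "123!"))

def audit(pwdump_lines, wordlist):
    """Match NT hashes in user:rid:lm:nt::: lines against mutated wordlist entries; unsalted NT
    hashes also expose password reuse (identical hashes) without any cracking."""
    lookup = {ntlm_hash(cand): cand for word in wordlist for cand in candidates(word)}
    cracked, by_hash = {}, {}
    for line in pwdump_lines:
        user, _, _, nt = line.strip().lower().split(":")[:4]  # AD usernames are case-insensitive
        by_hash.setdefault(nt, []).append(user)
        if nt in lookup:
            cracked[user] = lookup[nt]  # hashcat would write this hash:password pair to cracked.txt
    return cracked, {h: users for h, users in by_hash.items() if len(users) > 1}

# Constructed sample dump (not from the engagement); the LM field is the empty-LM placeholder.
SAMPLE_DUMP = [f"{u}:{rid}:aad3b435b51404eeaad3b435b51404ee:{ntlm_hash(pw)}:::" for u, rid, pw in
               (("alice", 1104, "Welcome123"), ("bob", 1105, "Welcome123"),
                ("carol", 1106, "summer2019"), ("dave", 1107, "correct horse battery staple"))]
SAMPLE_WORDLIST = ["welcome", "password", "summer"]  # constructed stand-in for rockyou.txt
```

Running audit(SAMPLE_DUMP, SAMPLE_WORDLIST) recovers alice, bob and carol and flags alice and bob as sharing a password, while dave's passphrase survives; the reuse check is worth running on any dump even when the cracking budget is gone.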


10. Not Surprised to see those cracked passwords!!


Despite security awareness sessions, several reminders from the security team and the number of high-profile data breaches making the news, employees are still not creating strong passwords. As long as employees use weak passwords such as Welcome123, attacks are bound to occur.


References:

https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html
https://www.c0d3xpl0it.com/2019/02/privexchange-one-hop-away-from-domain-admin.html
https://www.pentestpartners.com/security-blog/bloodhound-walkthrough-a-tool-for-many-tradecrafts/
https://medium.com/@iraklis/running-hashcat-in-amazons-aws-new-16-gpu-p2-16xlarge-instance-9963f607164c