Thursday, May 1, 2008

Password Attacks in Windows

Okay, there are plenty of tools to launch password attacks within Windows, but I like this one because it needs no tools other than those that are native to Windows.

The only difficult bit is getting the wordlist together. If anyone knows of a funky way to generate one using native Windows tools and existing files on a PC, I would love to hear from you. In lieu of a funky solution, and without a wordlist that I have got to the box by other means, I make my list by creating a file with popular passwords and hope for the best. Remember, if you are making the wordlist, tune it for the company or organisation you are pentesting against.

This attack is going to brute-force a password using a FOR loop and a text file with some passwords in it.

How it Works

Make sure you have a wordlist, or create one with possible passwords in it. The password file just needs to be a normal text file with one word on each line.

At the command prompt on one line type:

FOR /F "tokens=1*" %i in (passwords.txt) do net use \\\IPC$ %i /u:Administrator

The passwords.txt file must be in the same directory that you run the command from.

What's happening here is that the command attempts to connect to the IPC$ share on the target and goes through the file passwords.txt, trying every word as a password for the Administrator account.

You don't have to specify the IPC$ share. If there is another share available you can use that.

Obviously this attack can be done on other accounts but remember that they may be subject to lockout after so many failed logins. The Administrator account does not get locked out.

If you find that the account lockout policy is not enforced, then you can create a password file with usernames and passwords in it (separated by a space), then throw the file at it using a FOR loop shown in my screenshot.

If you have found a successful pair, the outcome will be an open session (net use) and the file out.txt will list the valid credentials.

Lessons learned for Admins

  • Pick a good Administrator password that will not be in a dictionary, and enforce complex passwords for users.
  • Make sure that account lockout policies are enforced.
  • Educate users and helpdesk staff. If they notice that accounts are constantly locked out and the user is not too stupid, then they might be your early warning system that something is wrong.
  • Check logs. Account lockouts should be logged and you should be seeing this type of activity in your daily log monitoring routine.
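
An added example (not part of the original post) for the log-checking point above: because the Administrator account does not get locked out, a lockout alert alone will not show guessing against it, so this Python script counts failed logons per account and source instead. The event IDs (4625 for a failed logon and 4624 for a successful one, as used by current Windows versions), the record layout, the threshold and the sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records, not real logs: time, event ID, account, source.
# Assumed IDs: 4625 = failed logon, 4624 = successful logon.
SAMPLE = """\
2008-05-01T09:00:01 4625 Administrator 10.0.0.50
2008-05-01T09:00:02 4625 Administrator 10.0.0.50
2008-05-01T09:00:03 4625 Administrator 10.0.0.50
2008-05-01T09:00:04 4625 Administrator 10.0.0.50
2008-05-01T09:00:05 4625 Administrator 10.0.0.50
2008-05-01T09:00:06 4625 Administrator 10.0.0.50
2008-05-01T09:00:07 4624 Administrator 10.0.0.50
2008-05-01T09:10:00 4625 jsmith 10.0.0.23
2008-05-01T09:10:20 4625 jsmith 10.0.0.23
2008-05-01T09:10:40 4624 jsmith 10.0.0.23
"""

def parse(text):
    """Yield (time, event_id, account, source) from whitespace-separated lines."""
    for line in text.splitlines():
        if line.strip():
            ts, eid, user, src = line.split()
            yield datetime.fromisoformat(ts), int(eid), user, src

def find_guessing(events, threshold=5, window=timedelta(seconds=60)):
    """Flag (account, source) pairs with >= threshold failures inside window."""
    recent = defaultdict(deque)   # failure times still inside the window
    alerts = {}
    for ts, eid, user, src in sorted(events):
        key = (user.lower(), src)
        if eid == 4625:
            times = recent[key]
            times.append(ts)
            while ts - times[0] > window:
                times.popleft()
            if key in alerts:
                alerts[key]["failures"] += 1
            elif len(times) >= threshold:
                alerts[key] = {"first": times[0], "failures": len(times),
                               "success_after": False}
        elif eid == 4624 and key in alerts:
            # A logon that succeeds after a burst suggests a guessed password.
            alerts[key]["success_after"] = True
    return alerts

if __name__ == "__main__":
    for (user, src), a in find_guessing(parse(SAMPLE)).items():
        print(user, src, a["failures"], "failures, success after:", a["success_after"])
```

With the default threshold only the Administrator burst is reported; the two mistyped logons by jsmith stay below it.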


LonerVamp said...

Mozilla Firefox, if installed, plops a dictionary file into: C:\Program Files\Mozilla Firefox\dictionaries\en-US.dic.

Office has one, but I don't know how to open it in a way you can read it: :\Program Files\Common Files\Microsoft Shared\Proof\MSSP3EN.LEX.

There is also C:\WINDOWS\srchasst\nls302en.lex, but I don't know how to read that properly either.

SynJunkie said...

Many thanks for the comment, LonerVamp. I'll update the post with your suggestions.