Sunday, September 13, 2009

Password Auditing with Fgdump, John the Ripper & PowerShell

As a break from my Cisco studying I thought I'd post how I perform a password audit in a Windows 2003 environment using freely available tools and a PowerShell script.


I dump the password hashes from AD using fgdump and the command below. Password history is also dumped out. Checking a user's password history can be very useful for predicting future password choices, as it reveals patterns in password selection.

fgdump.exe -h Server01 -u home\administrator -p MySuperPassword -T 5

In the command above, -h is the host I'm grabbing the passwords from, -u and -p are a valid username and password for that host, and -T 5 runs 5 threads to speed things up a bit.

The passwords are dumped out to Server01.pwdump in the same directory as fgdump. From there I open the pwdump file with Notepad and remove all the computer accounts from the bottom of the file so I am just left with usernames and password hashes.

John The Ripper

Now I use JTR to crack the LAN Manager hashes. I could use brute force or dictionary attacks against the hashes, but in the command below I'm just going to use brute force. All LM hashes cracked will display in uppercase, but the actual passwords will likely be of mixed case depending on the security policy. Passwords over 14 characters long will display as "No Password" as these are stored as NTLM hashes.

john --incremental=lanman --session=September Server01.pwdump

Pressing the spacebar whilst JTR is cracking will give you an update on the progress. If I need to abort the session (Ctrl-C) I can restore it later using:

john --restore=September

I can view the cracked passwords and output them to a file using:

john --show Server01.pwdump >Server01-Sept-Cracked.txt

The above command will output a list of all the accounts, including those not cracked (the password column will show ???????). If I just wanted the cracked passwords I would pipe John's output to the find command.

john --show Server01.pwdump | find /i /v "?????" >Server01-Sept-CrackedOnly.txt


Ok. So I have my cracked password file and I'm good to go. I've created a script that I run which prompts me for my cracked password file and gives me the following options:

  • Find a user's password
  • Find a user's password with history
  • View top 20 popular passwords
  • Search for occurrences of a particular password
  • Password count (not including history)


#This Section Imports Passwords from JTR file
$result = New-Object System.Collections.ArrayList
Get-Content (Read-Host "Enter path to JTR export file. Large files may take a few minutes to import") |
# Skip John's trailing summary line ("3 password hashes cracked, 1 left") and blank lines
Where-Object { $_ -match ":" } |
ForEach-Object {
    # john --show output for pwdump files is username:password:uid:LMhash:NThash:::
    $arr = $_.Split(":")
    $temp = ('' | Select-Object Name,Password)
    $temp.Name = $arr[0]
    $temp.Password = $arr[1]
    $result.Add($temp) | Out-Null
}

#This is the Menu Section

Function Menu {
    Write-Host "Press 1 to find a users password" -ForegroundColor Yellow
    Write-Host "Press 2 to see a users password with history" -ForegroundColor Yellow
    Write-Host "Press 3 to see top 20 popular passwords. This may take a few minutes" -ForegroundColor Yellow
    Write-Host "Press 4 to search for occurrences of a particular password" -ForegroundColor Yellow
    Write-Host "Press 5 for Password count (not including history)" -ForegroundColor Yellow
    Write-Host "Press any other key to quit" -ForegroundColor Yellow

    $Number = Read-Host "Select an Option"

    switch ($Number) {
        1 {
            Write-Host "Users Password" -ForegroundColor Red
            $Name = Read-Host "UserName?"
            # fgdump names history entries username_history_N, so drop those here
            $result | Where-Object { $_.Name -match $Name } | Where-Object { $_.Name -notmatch "_history_" }
            Menu
        }
        2 {
            Write-Host "Users Password with history" -ForegroundColor Red
            $HistoryName = Read-Host "UserName?"
            $result | Where-Object { $_.Name -match $HistoryName }
            Menu
        }
        3 {
            Write-Host "Top 20 Passwords" -ForegroundColor Red
            $result | Group-Object Password | Sort-Object Count -Descending | Select-Object Count,Name -First 20
            Menu
        }
        4 {
            Write-Host "Weak Passwords" -ForegroundColor Red
            $Password = Read-Host "Password?"
            $result | Where-Object { $_.Password -match $Password }
            Menu
        }
        5 {
            Write-Host "Total Passwords (Not including History)" -ForegroundColor Red
            @($result | Where-Object { $_.Name -notmatch "_history_" }).Count
            Menu
        }
        default {
            "You pressed something else. Goodbye"
        }
    }
}

#Runs the menu (each option returns to it until the user quits)
Menu

From here I can educate particular users regarding password choice or tailor user education to focus on problem areas.

I may well extend the script to look for other useful information when I have more time. The only thing I don't like is the output format if I choose option 3 (top 20 passwords) first.
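One such extension, added here as an example and not part of the post's script (the function names, the sample entries and the hash placeholders are my own, and it assumes fgdump's _history_0 is the most recent previous password): it reads the john --show output and flags users whose history shows the kind of pattern mentioned earlier, the same word with the number bumped, a password reused, or an old password kept with something tacked on, so those users can be singled out for education.

```powershell
# Constructed sample of john --show output for a pwdump file (user:password:uid:LM:NT:::).
# fgdump names history entries user_history_N; hash fields here are placeholders.
$sample = @'
Administrator:COMPANY07:500:lmhash:nthash:::
Administrator_history_0:COMPANY06:500:lmhash:nthash:::
Administrator_history_1:COMPANY05:500:lmhash:nthash:::
jsmith:SUMMER09:1105:lmhash:nthash:::
jsmith_history_0:???????08:1105:lmhash:nthash:::
bjones:XK9#QPLM:1106:lmhash:nthash:::
bjones_history_0:REDDRAGON:1106:lmhash:nthash:::
13 password hashes cracked, 1 left
'@ -split '\r?\n'
function Import-JohnShow([string[]]$Lines) {
    foreach ($line in $Lines) {
        if ($line -notmatch ':') { continue }   # skips John's summary line
        $fields = $line.Split(':')
        $user = $fields[0]; $index = -1         # -1 marks the current password
        # Assumption: _history_0 is the most recent previous password
        if ($user -match '^(.+)_history_(\d+)$') { $user = $Matches[1]; $index = [int]$Matches[2] }
        New-Object PSObject -Property @{
            User = $user; Index = $index; Password = $fields[1]
            Partial = $fields[1].Contains('???????')   # one LM half still uncracked
        }
    }
}

function Get-PasswordPattern([string]$Previous, [string]$Current) {
    if ($Previous -eq $Current) { return 'reused' }
    # Same word with only the trailing number changed, e.g. COMPANY06 -> COMPANY07
    $stem = $Previous -replace '\d+$', ''
    if ($stem -and $stem -eq ($Current -replace '\d+$', '')) { return 'number bumped' }
    # Old password kept with something added or removed, e.g. DRAGON -> DRAGON!
    if ($Current.Contains($Previous) -or $Previous.Contains($Current)) { return 'extended' }
    return $null
}

function Find-PredictableHistory($Entries) {
    # Partially cracked entries are dropped: the visible half alone gives false matches
    $Entries | Where-Object { -not $_.Partial } | Group-Object User | ForEach-Object {
        # Oldest first: highest history index down to the current password (-1)
        $chain = @($_.Group | Sort-Object Index -Descending)
        for ($i = 1; $i -lt $chain.Count; $i++) {
            $pattern = Get-PasswordPattern ($chain[$i - 1].Password) ($chain[$i].Password)
            if (-not $pattern) { continue }
            New-Object PSObject -Property @{ User = $_.Name; From = $chain[$i - 1].Password
                                             To = $chain[$i].Password; Pattern = $pattern }
        }
    }
}
Find-PredictableHistory (Import-JohnShow $sample) | Format-Table User, From, To, Pattern -AutoSize
```

On the sample above it reports Administrator twice (COMPANY05 to COMPANY06, COMPANY06 to COMPANY07, both "number bumped"); jsmith is skipped because the older entry is only half cracked, and bjones shows no pattern.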

Thanks to EBGreen in the Powershell Community forums for his help with some of the script.


Dave said...

Hey Syn, I'm glad to see something non-CCNA! I realise that you're bogged down with your studies and I hope that it's going well.

I'm studying for my MS certs so will certainly follow this brief tutorial.

SynJunkie said...

Hey thanks Dave. I am enjoying the Cisco stuff but it did feel good to get back to a few of the fun tools ;-)

Good luck with the certs.