Forums: Password Audit For Ad 03/08 - Forums


Password Audit For Ad 03/08 Hydra?

#1 jg60533

  • Private First Class
  • Group: Members
  • Posts: 42
  • Joined: 17-February 08

Posted 29 October 2009 - 08:19 AM

Hey folks,

I was recently tasked with auditing an AD environment for weak passwords. The main concern is to identify users who have matching user names and passwords. Once I identify these users I need to show what % of users have identical IDs and passwords. If anyone has ideas on how to accomplish this, please let me know.

I was planning on using THC Hydra but I am running into problems, as I am new to using the tool. I have specified the user ID list (id.txt) and used the "-e s" option to try the user name as the password.

Here is what I'm running:

hydra -L c:\id.txt -e s -o c:\weakpass.txt -t 1 ip.ip.ip.ip ldap2

I am targeting a domain controller using the ldap2 protocol and I have verified that port 389 is open on the DC. However, hydra isn't giving me any results. Instead it just writes the following to the txt file:

# Hydra v5.4 run at 2009-10-29 11:57:33 on ip.ip.ip.ip ldap2 (hydra -L c:\id.txt -e s -o c:\weakpass.txt -t 1 ip.ip.ip.ip ldap2)

No user ID combos are listed. I know for sure that there are users with identical user names and passwords; what am I doing wrong? What else should I try, or what other tools can I try?

I'm not sure if I'm targeting Active Directory correctly.
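The reporting step the original poster describes (turn Hydra's output file and the id.txt list into "what % of accounts use their user name as the password") is easy to get wrong by hand across several thousand accounts. The following Python is an added example written for this thread, not code from the poster or from the Hydra project. It assumes Hydra's -o file has one run-header line starting with "#" (as quoted above) followed by hit lines shaped like "[port][service] host: H   login: U   password: P"; that layout is an assumption and should be checked against a real output file. The id list and the output lines below are constructed sample data.

```python
import re
from typing import Dict, List

# Constructed id list standing in for the audit's id.txt (no real accounts).
ID_LIST = """\
jdoe
asmith
svc_backup
mbrown
Helpdesk1
"""

# Constructed stand-in for the file Hydra writes with -o. The hit-line layout
# "[port][service] host: H   login: U   password: P" is an assumption made here;
# compare it with a real output file before relying on the regex below.
HYDRA_OUTPUT = """\
# Hydra v5.4 run at 2009-10-29 11:57:33 on 10.0.0.5 ldap2 (hydra -L id.txt -e s -o weakpass.txt -t 1 10.0.0.5 ldap2)
[389][ldap2] host: 10.0.0.5   login: jdoe   password: jdoe
[389][ldap2] host: 10.0.0.5   login: Helpdesk1   password: helpdesk1
[389][ldap2] host: 10.0.0.5   login: svc_backup   password: Winter2009
"""

HIT_RE = re.compile(
    r"^\[\d+\]\[\w+\]\s+host:\s+(?P<host>\S+)\s+login:\s+(?P<login>\S+)\s+password:\s*(?P<password>.*)$"
)


def load_ids(text: str) -> List[str]:
    """One account name per non-empty line, as Hydra's -L file expects."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def parse_hydra_hits(text: str) -> List[Dict[str, str]]:
    """Return one dict (host, login, password) per successful bind recorded in a -o file."""
    hits = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("#"):   # the run header and blank lines
            continue
        match = HIT_RE.match(line)
        if match:
            hits.append(match.groupdict())
    return hits


def weak_password_report(id_text: str, hydra_text: str) -> Dict[str, object]:
    """Split recovered logons into 'password equals user name' and 'other guessed
    password' and express the first group as a percentage of all accounts tested."""
    ids = load_ids(id_text)
    known = {name.lower() for name in ids}
    hits = parse_hydra_hits(hydra_text)

    same_as_login, other_guessed, unexpected = [], [], []
    for hit in hits:
        login, password = hit["login"], hit["password"]
        if login.lower() not in known:        # hit for an account not in id.txt: list/output mismatch
            unexpected.append(login)
        # AD user names are case-insensitive, so a password differing from the
        # login only in case is still counted as "user name as password".
        if password.lower() == login.lower():
            same_as_login.append(login)
        else:
            other_guessed.append(login)

    tested = len(ids)
    percent = round(100.0 * len(same_as_login) / tested, 1) if tested else 0.0
    return {
        "tested": tested,
        "same_as_login": sorted(same_as_login),
        "other_guessed": sorted(other_guessed),
        "unexpected_logins": sorted(unexpected),
        "percent_same_as_login": percent,
    }


def format_report(report: Dict[str, object]) -> str:
    """Plain-text summary suitable for pasting into the audit write-up."""
    lines = [
        f"accounts tested:            {report['tested']}",
        f"password == user name:      {len(report['same_as_login'])} ({report['percent_same_as_login']}%)",
        f"other weak passwords found: {len(report['other_guessed'])}",
    ]
    if report["unexpected_logins"]:
        lines.append(f"hits not in id list:        {', '.join(report['unexpected_logins'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(weak_password_report(ID_LIST, HYDRA_OUTPUT)))
```

The percentage is computed against the full id list, not against the number of hits, since the question asked is "what share of all accounts", and accounts that appear in the output but not in the list are reported separately as a sign that the two files came from different runs.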

#2 webdevil

  • General
  • Group: General
  • Posts: 933
  • Joined: 21-October 05

Posted 29 October 2009 - 09:25 AM

You would want to see what is really happening behind the scenes.
Run wireshark, paste some relevant output and we might be able to help.

#3 jg60533

  • Private First Class
  • Group: Members
  • Posts: 42
  • Joined: 17-February 08

Posted 29 October 2009 - 10:38 AM

Hey webdevil, thanks for the response... I ran wireshark while using THC Hydra. I tested one username this time with a password list of four passwords (one of which was the correct password). In my wireshark capture I see 4 LDAP bind requests with my test username and I see 3 LDAP bind responses that say "invalid credentials". However, one LDAP bind response says "success". This would be the expected behavior since one password was correct.

However, when I go back and look at my Hydra results, there are no successful user ID / pass combos recorded...none in the CLI and none in the output text file. If I were testing 10-12 users I could just look at wireshark's responses, but I have several thousand accounts to test. Any other ideas?

One thing to note is that all of my LDAP bind requests show "invalid header checksums". I don't know if that is normal behavior or not: "Header checksum: 0x0000 [incorrect, should be 0x####]"

In regards to the invalid checksums, I know that Microsoft says "This behavior occurs because some Network Driver Interface Specification (NDIS) drivers allow Windows to offload the computation of checksums to the network adapter itself.". So it is probably a moot point...I just find it strange that only my LDAP requests have invalid header checksums.

#4 webdevil

  • General
  • Group: General
  • Posts: 933
  • Joined: 21-October 05

Posted 29 October 2009 - 04:55 PM

Can you try specifying a DN with the -l option and then check?

You could also try using http://examples.orei.../bf_ldap.tar.gz

Quote

# bf_ldap
Eliel Sardanons <eliel.sardanons@philips.edu.ar>
Usage:
bf_ldap <parameters> <optional>
parameters:
-s server
-d domain name
-u|-U username | users list file name
-L|-l passwords list | length of passwords to generate
optional:
-p port (default 389)
-v (verbose mode)
-P Ldap user path (default ,CN=Users,)


#5 jg60533

  • Private First Class
  • Group: Members
  • Posts: 42
  • Joined: 17-February 08

Posted 29 October 2009 - 06:31 PM

I tried specifying the DN, but still the same result - no output within Hydra. I may have to utilize a different protocol to do my testing. LDAP would just be the most convenient and the fastest. I am not familiar with bf_ldap. Does it support trying the username as the password? I didn't see it in any notes I've found on the utility. Obviously I could make my user list the same as my pass list, but that would generate a lot more log-in attempts than I would like.

#6 Trajik

  • Sergeant First Class
  • Group: Specialist
  • Posts: 344
  • Joined: 12-October 05

Posted 29 October 2009 - 06:53 PM

I assume you have admin level access for the domain controller? If that is the case, the easiest thing to do is run fgdump (predecessor to pwdump) on the server and grab all of the hashes in the database. (will have to disable AV if it is active)

Then run the dump file through John the Ripper or any other NT hash cracker (or rainbow tables). You will be surprised at how quickly it will crack passwords (using a smart dictionary first, then brute force). Should only take about 30 minutes and you will have 90% of the users' passwords (assuming they are 'fairly ordinary passwords').

I did this exact same thing for my company. Worked a treat. I was actually surprised with the results. At the time, my personal admin level domain password was using 11 characters with capitals and numbers and it got cracked in minutes. Was surprised to see it appear in the list :)

#7 jg60533

  • Private First Class
  • Group: Members
  • Posts: 42
  • Joined: 17-February 08

Posted 30 October 2009 - 06:17 AM

Hey Trajik,

Thanks for the response. I do have admin level access; however, one constraint is that I am not allowed to dump the hashes. I have decided to go after a different protocol, but I wish I was able to get the LDAP protocol to work with Hydra, just for future reference.

Yeah, it's surprising how easily rainbow tables can crack passwords...even 11 characters. Really, anything 14 characters or less should in theory be easily cracked by rainbow tables due to how the password is stored using LM hashes. Since LM hashes store passwords in two 7 character strings, the rainbow tables only have to contain values for passwords up to 7 characters.

Adding a 15th character into the mix will cause Windows to store the constant AAD3B435B51404EEAAD3B435B51404EE as your LM hash, which is equivalent to a null password. And since your password is obviously not null, attempts to crack the hash will fail.
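The LM property described in the last two posts (two independently hashed 7-character halves, and the constant AAD3B435B51404EEAAD3B435B51404EE standing in for a null or absent LM hash) gives a defender a cheap way to read a password-hash export: the second half of a stored LM hash equals AAD3B435B51404EE exactly when the password is 7 characters or fewer, and the whole constant means no LM hash is kept at all (a 15+ character password, or LM storage switched off). The Python below is an added example written for this thread, not code from any poster or from the pwdump/fgdump tools; it assumes the common pwdump-style line format user:rid:LMhash:NThash::: and the "NO PASSWORD***" placeholder some dumpers print instead of the constant, and every hash value in the sample is constructed.

```python
from typing import Dict, List

LM_NULL_HALF = "AAD3B435B51404EE"            # LM-DES output for a 7-byte half that is all nulls
LM_NULL_HASH = LM_NULL_HALF * 2               # the constant named in the post: stored when no LM hash is kept
NT_EMPTY_HASH = "31D6CFE0D16AE931B73C59D7E0C089C0"  # NT hash (MD4 of UTF-16LE "") of an empty password

# Classification labels
BLANK = "blank password (NT hash of empty string)"
LM_NONE = "no LM hash stored (15+ characters or LM storage disabled)"
LM_SHORT = "LM hash present, password is 7 characters or fewer"
LM_LONG = "LM hash present, password is 8 to 14 characters"

# Constructed pwdump-style lines (user:rid:LMhash:NThash:::). The hash values are
# invented for this example and belong to no real account.
SAMPLE_DUMP = """\
alice:1105:1C3A5E7F9B0D2468AAD3B435B51404EE:0F1E2D3C4B5A69788796A5B4C3D2E1F0:::
bob:1106:1C3A5E7F9B0D2468F0E1D2C3B4A59687:00112233445566778899AABBCCDDEEFF:::
carol:1107:AAD3B435B51404EEAAD3B435B51404EE:FFEEDDCCBBAA99887766554433221100:::
dave:1108:NO PASSWORD*********************:0123456789ABCDEF0123456789ABCDEF:::
guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
"""


def classify(lm_field: str, nt_field: str) -> str:
    """Derive what the stored LM/NT pair reveals about an account's password."""
    lm = lm_field.strip().upper()
    nt = nt_field.strip().upper()
    if nt == NT_EMPTY_HASH:
        return BLANK
    # Some dumpers print a "NO PASSWORD***" token instead of the null constant
    # (assumed placeholder format).
    if lm in ("", LM_NULL_HASH) or lm.startswith("NO PASSWORD"):
        return LM_NONE
    # LM upper-cases and null-pads the password to 14 bytes, then hashes each
    # 7-byte half on its own. A password of 7 characters or fewer leaves the
    # second half all nulls, so its hash is the constant half.
    if lm[16:] == LM_NULL_HALF:
        return LM_SHORT
    return LM_LONG


def audit_dump(text: str) -> Dict[str, str]:
    """Map each account in pwdump-format text to its LM exposure class."""
    results: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue                      # not a user:rid:lm:nt record
        user, lm, nt = fields[0], fields[2], fields[3]
        results[user] = classify(lm, nt)
    return results


def summarize(results: Dict[str, str]) -> Dict[str, int]:
    """Count accounts per class for the audit summary."""
    counts: Dict[str, int] = {}
    for label in results.values():
        counts[label] = counts.get(label, 0) + 1
    return counts


def lm_exposed(results: Dict[str, str]) -> List[str]:
    """Accounts whose password is still stored as an LM hash, i.e. the ones the
    14-character limit described in the thread applies to."""
    return sorted(u for u, label in results.items() if label in (LM_SHORT, LM_LONG))


if __name__ == "__main__":
    res = audit_dump(SAMPLE_DUMP)
    for user, label in res.items():
        print(f"{user:10} {label}")
    print("LM-exposed accounts:", ", ".join(lm_exposed(res)))
```

Read this way, an export answers two remediation questions without cracking anything: which accounts still have an LM hash at all (candidates for a length-15 policy or for disabling LM storage), and which of those are 7 characters or shorter and so fall entirely within the first half the post describes.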
