Introduction to Windows Dictionary Attacks

Written by Scott Sutherland | April 9, 2012

Based on my experience, nine out of ten environments will have at least one account configured with a weak or default password. Those weak configurations usually lead to the compromise of the entire Windows domain, so it is important to understand how to audit for them. Default passwords can usually be identified by your favorite vulnerability scanner or through manual review. However, weak passwords typically need to be identified through dictionary attacks (although there are other methods). Also commonly referred to as "password guessing attacks", dictionary attacks have proven to be almost as effective today as they were 20 years ago. Although they're not very sexy, dictionary attacks should be part of every penetration tester's approach. In this blog I will cover the basics of how to perform dictionary attacks against Active Directory accounts safely. Below is an overview of the steps that will be covered:

1. Identify domains
2. Enumerate domain controllers
3. Enumerate users from domain controllers
4. Enumerate password policy from domain controllers
5. Perform dictionary attack

Note: Most of the tools and techniques will be run from Windows systems. Also, just as an FYI, I use the Windows ports of the UNIX tools (grep, gawk, sed) for parsing in some of the examples.

Identify Domains

Below are a few common methods for enumerating Windows domains as an unauthenticated user.

ipconfig / ifconfig

In most cases, simply using the IPCONFIG command will provide the domain associated with a DHCP-assigned IP address (it shows up as the "Connection-specific DNS Suffix"). This is nice because it's an easy solution that uses native technology.

1. Command: ipconfig

NBTSTAT

NBTSTAT is also a native Windows command line tool that allows users to enumerate some basic information about a remote Windows system, such as the domain, workgroup, and computer name. Below I've shown how to issue a basic NBTSTAT command to enumerate the domain associated with a remote Windows system. In the NetBIOS name table, the domain or workgroup name is the GROUP entry with the <00> or <1E> suffix; a <1C> GROUP entry is only registered by domain controllers, so it also tells you whether the host you queried is a DC.

1. Command (basic command, single IP): nbtstat -A <ip>
2. Command (parse domain, single IP): nbtstat -A <ip> | grep -i "<1E>" | gawk -F " " "{print $1}" | sort | uniq
3. Command (parse domains, IP list): FOR /F "tokens=*" %i in ('type iplist.txt') do nbtstat -A %i | grep -i "<1E>" | gawk -F " " "{print $1}" | sort | uniq >>domainlist.txt

NMAP List Scans

Combining some basic scripting with Nmap list scan output can return a list of domains associated with systems on known network segments. A list scan (-sL) sends no packets to the targets; it only performs reverse DNS lookups, so the domains come from the DNS suffixes of the resolved host names, and hosts without a PTR record are skipped. The sed step strips the first (host) label so that only the domain suffix is left.

1. Command: nmap -sL -oA output_rdns <ip range>
2. Command: grep -i -v "()" output_rdns.gnmap | grep -i -v "nmap" | gawk -F "(" "{print $2}" | gawk -F ")" "{print $1}" | sed "s/^[^.]*\./:/" | gawk -F ":" "{print $2}" | sort | uniq

Reverseraider

The Reverseraider tool found on the BackTrack Linux distribution is capable of doing the same thing as an Nmap list scan.

1. Command: ./reverseraider -r <ip range>

Sniffing

Sniffing can usually reveal some domain information from browser and DNS traffic. Common tools for network monitoring (sniffing) include Wireshark, TCPdump, Cain, and NetworkMiner.

1. Start the sniffer and review the captured traffic for domain names.

RDP

This is not a very efficient method, but it still works. Simply remote desktop to a Windows system on the network and view the domains from the standard drop-down.

1. Command (get a list of Windows systems with RDP): nmap -sS -PN -p3389 <ip range>
2. Log into the system with the RDP client and view the available domains via the "Log on to:" drop-down list.

Additional domains can be enumerated using some of the basic methods below.

NLTEST

Nltest is a diagnostic tool that has many uses, one being the ability to enumerate trusted domains. It should be noted that many other tools, including but not limited to Nessus, NeXpose, IP360, and SuperScan, can do this as well if null SMB logins are possible.

1. Command: nltest /domain_trusts

DNSWALK

DNSwalk should be able to enumerate subdomains via a zone transfer, provided the DNS server allows AXFR to your host. Also, there are quite a few DNS brute force tools available that could be used.

1. Command: ./dnswalk victim.com. (note the trailing dot; dnswalk expects a fully qualified name)

Enumerate Domain Controllers

When attacking domain controllers it really helps to know where they are. To help with that I've provided a few common methods that can be used from a Windows system from an unauthenticated perspective.

DNS Lookup

This is by far the quickest method I know of at the moment. To my knowledge, when a server is promoted to a domain controller, DNS service (SRV) records are automatically registered for LDAP, Kerberos, etc. This allows users to issue a basic DNS service query to get a list of those servers. This can be accomplished with the native Windows nslookup command from a non-domain Windows system. The _ldap._tcp.dc._msdcs.<domain> and _gc._tcp.<domain> records can be queried the same way to list domain controllers and global catalog servers specifically.

1. Command: nslookup -type=SRV _ldap._tcp.<domain>

NLTEST

Nltest also has the ability to query for a list of domain controllers; it goes through the Windows domain controller locator, so the domain name must be resolvable from the system you run it on. This tool has been a native Windows command line tool since Windows 7, but I believe it has been available in the admin toolkit since Windows 2000.

1. Command: nltest /dclist:<domain>

FindPDC

FindPDC is a tool by Joe Richards from joeware.com that will identify the primary domain controller (PDC emulator) via native Windows API calls.

1. Command: findpdc <domain>

NMAP Port Scan

Simply scanning for the LDAP ports 389 and 636 should help you find domain controllers as well. It will not guarantee that every system found is a domain controller (any LDAP server will answer), but it will get you started in the right direction. A host that also listens on 88 (Kerberos) and 3268 (global catalog) is almost certainly a domain controller.

1. Command: nmap -sV -PN -p389,636 <ip range>

Here are a few methods that can be used as an authenticated domain user.

Adfind (LDAP Query)

Lots of information is available to regular domain users via LDAP queries. Adfind is another tool by Joe Richards from joeware.com that allows users to query for a domain controller list. I should also note that if you are able to create a null bind and get full access to the LDAP directory you may be able to accomplish this without being an authenticated domain user. FYI, in the past I've also used LDAP Miner, LDAP Browser, and LDAP Explorer in Windows. They can do the same thing and have pretty GUIs for screenshots.

1. Command: adfind -sc dcdmp -gc | grep -i ">name:" | gawk -F " " "{print $2}" | sort | uniq

Net Group Command

Hooray for native tools! 'net group' is another native Windows command used to manage groups, and it is capable of listing the members of the "Domain Controllers" group (among others). This needs to be run from a Windows system already on the domain.

1. Command: net group "Domain Controllers" /domain

Enumerate Users from Domain Controllers

Some people like shooting in the dark by using a large list of potential usernames during dictionary attacks. I, on the other hand, am a little partial to saving time, so I prefer to just dump a list of users from the domain controller via available services. For those who also prefer the latter, I've provided some common user enumeration methods below.

SMB RPC: Endpoints

With a null SMB session and a few poorly configured group policies (the "Network access: Do not allow anonymous enumeration of SAM accounts" settings, i.e. RestrictAnonymous) you should be able to enumerate all of the users in the domain via SMB RPC endpoints. There are quite a few tools out there, but I have had some consistent success with Enum and DumpSec. Sometimes one will work when the other one doesn't. My guess is that it has something to do with which RPC endpoints are being accessed, but I don't really know. If someone does know the actual answer please let me know! I haven't had much luck with the Metasploit 'smb_enumusers' or 'smb_enumusers_domain' modules, but I could be missing something. Side note: Don't forget to review the user comments (description fields) in Active Directory for passwords. It's incredibly common.

1. Command (null session): net use \\<ip>\ipc$ "" /user:""
2. Command (enum opt1): enum -U <ip>
3. Command (enum opt2): enum -N <ip>
4. Command (dumpsec): dumpsec.exe /computer=\\<ip> /rpt=usersonly /saveas=csv /outfile=domain_users.txt

SMB RPC: SID Brute Forcing

This method brute forces the SIDs (really the RIDs appended to the domain SID) associated with user accounts. There is an old tool called 'getacct' created by a company called Security Friday that still works and has a nice export, but I recommend using the Metasploit module for the sake of centralization. However, be sure to set the MaxRID parameter to 10000 or greater to make sure you can enumerate all of the domain users. The "sid2user" and "user2sid" tools combined with some scripting can accomplish the same goal if you would like another scriptable option. In the example below, I show how to call the module from msfcli on a Windows system, but it can be executed from the msfconsole as well.

1. Command: ruby c:\metasploit\msf3\msfcli auxiliary/scanner/smb/smb_lookupsid SMBDomain=. MaxRID=10000 RHOSTS=<ip> E > domain_users.txt

SNMP Default Strings

It's kind of surprising how many domain controllers out there are configured with SNMP and a default community string of 'public'. Such configurations will allow you to conduct an SNMP walk to enumerate all kinds of interesting information about the system, including a list of users. There are many tools that could be used for this, but the most common seem to be snmpwalk, MIB Browser, and the Metasploit 'snmp_enumusers' module.

1. Command: ruby c:\metasploit\msf3\msfcli auxiliary/scanner/snmp/snmp_enumusers RHOSTS=<ip> E

Adfind (LDAP Null Base/Bind Query)

Adfind can also be used to dump domain users from domain controllers that allow a full anonymous null bind. This is more typical on legacy Windows 2000 DCs; these days, I don't see that often. Once again, in the past I've also used LDAP Miner, LDAP Browser, and LDAP Explorer in Windows to do the same thing.

1. Command: adfind -b DC=<domain>,DC=<com> -f "objectcategory=user" -gc | grep -i "sAMAccountName:" | gawk -F ":" "{print $2}" | gawk -F " " "{print $1}" | sort > domain_users.txt

SharePoint User Profile Page

Although SharePoint sites usually don't live on domain controllers, they do exist in most enterprise environments.
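The grep/gawk/sed pipelines in the Identify Domains and Enumerate Domain Controllers sections above are easy to get subtly wrong (the gnmap sed step, for instance, has to strip exactly one label), and they throw away useful detail such as whether the nbtstat target is itself a domain controller. The following Python script is an added example, not code from the original post: it parses nbtstat -A, nmap -sL greppable and Windows nslookup SRV output into domain and DC lists in one place. The three sample outputs embedded in it are constructed to match those tools' formats rather than captured from a real network, and the function and constant names are this example's own.

```python
"""Parse nbtstat -A, nmap -sL (.gnmap) and nslookup -type=SRV output into domain and
domain-controller lists. All sample outputs are constructed, not real captures."""
import re
from collections import defaultdict

# Constructed "nbtstat -A 10.0.0.5" output: the NetBIOS remote name table of a DC.
NBTSTAT_OUTPUT = """\
           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    DC01           <00>  UNIQUE      Registered
    CORP           <00>  GROUP       Registered
    CORP           <1C>  GROUP       Registered
    DC01           <20>  UNIQUE      Registered
    CORP           <1B>  UNIQUE      Registered
    CORP           <1E>  GROUP       Registered
    ..__MSBROWSE__.<01>  GROUP       Registered
"""

# Constructed output_rdns.gnmap from "nmap -sL -oA output_rdns 10.0.0.0/29".
GNMAP_OUTPUT = """\
# Nmap 6.01 scan initiated Mon Apr  9 10:00:00 2012 as: nmap -sL -oA output_rdns 10.0.0.0/29
Host: 10.0.0.1 ()\tStatus: Unknown
Host: 10.0.0.5 (dc01.corp.example.com)\tStatus: Unknown
Host: 10.0.0.6 (ws-22.corp.example.com)\tStatus: Unknown
Host: 10.0.0.7 (printer.lab.example.com)\tStatus: Unknown
"""

# Constructed Windows "nslookup -type=SRV _ldap._tcp.corp.example.com" output.
NSLOOKUP_OUTPUT = """\
_ldap._tcp.corp.example.com     SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc01.corp.example.com
_ldap._tcp.corp.example.com     SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc02.corp.example.com
dc01.corp.example.com   internet address = 10.0.0.5
dc02.corp.example.com   internet address = 10.0.0.9
"""

NBT_ROW = re.compile(r"^\s*(\S+?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+Registered", re.M)
GNMAP_HOST = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)", re.M)
SRV_BLOCK = re.compile(r"port\s+=\s+(\d+)\s+svr hostname\s+=\s+(\S+)")
A_LINE = re.compile(r"^(\S+)\s+internet address\s+=\s+(\S+)", re.M)


def parse_nbtstat(text):
    """Domain/workgroup name plus what the name table says about the host itself:
    <00>/<1E> GROUP carry the domain or workgroup name, a <1C> GROUP entry is only
    registered by domain controllers, and <1B> UNIQUE is the domain master browser
    (the PDC emulator). A plain member or workgroup host shows neither <1C> nor <1B>."""
    names = defaultdict(set)
    for name, suffix, kind in NBT_ROW.findall(text):
        if not name.startswith("..__MSBROWSE__"):   # browser-election pseudo name
            names[(suffix.upper(), kind)].add(name)
    group = names.get(("00", "GROUP")) or names.get(("1E", "GROUP")) or set()
    domain = sorted(group)[0] if group else None
    return {
        "domain": domain,
        "is_dc": domain in names.get(("1C", "GROUP"), set()),
        "is_pdc": domain in names.get(("1B", "UNIQUE"), set()),
    }


def parse_gnmap_domains(text):
    """Map each DNS suffix to the IPs that resolved under it. A list scan only does
    reverse lookups, so the domain is the FQDN minus its first (host) label."""
    by_domain = defaultdict(list)
    for ip, fqdn in GNMAP_HOST.findall(text):
        if "." in fqdn:                      # "()" means no reverse record: skip it
            by_domain[fqdn.split(".", 1)[1].lower()].append(ip)
    return dict(by_domain)


def parse_nslookup_srv(text):
    """Domain controllers from the SRV answer as sorted (host, port, ip) tuples; the
    ip comes from the 'internet address' records nslookup prints after the SRV data."""
    addrs = {host.lower(): ip for host, ip in A_LINE.findall(text)}
    dcs = []
    for port, host in SRV_BLOCK.findall(text):
        host = host.rstrip(".").lower()
        dcs.append((host, int(port), addrs.get(host)))
    return sorted(dcs)


if __name__ == "__main__":
    print(parse_nbtstat(NBTSTAT_OUTPUT))
    for domain, ips in sorted(parse_gnmap_domains(GNMAP_OUTPUT).items()):
        print(f"{domain}: {len(ips)} host(s) with reverse DNS")
    for host, port, ip in parse_nslookup_srv(NSLOOKUP_OUTPUT):
        print(f"DC {host} ({ip}) LDAP/{port}")
```

To use it against real output, redirect each command to a file (for example `nbtstat -A <ip> > nbt.txt`) and pass the file contents to the matching function; the nbtstat result is the one worth keeping per host, since a <1C> entry on a queried system means you have already found a domain controller before touching DNS or LDAP.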
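The adfind user dump in the Adfind (LDAP Null Base/Bind Query) section above and the side note under SMB RPC: Endpoints about passwords in user comments both leave a manual step: turning the raw output into a clean target list, and actually reading the description fields. The following Python script is an added example, not the author's code. It parses adfind's record format (a "dn:" line followed by ">attribute: value" lines), keeps only enabled, non-computer accounts so the dictionary attack does not spend lockout budget on accounts that can never log in, and flags descriptions that look like they contain a password. The adfind output it embeds is constructed sample data, and the ACCOUNTDISABLE constant is the documented userAccountControl bit; everything else in it is this example's own naming.

```python
"""Build a dictionary-attack target list from an adfind user dump and flag
description fields that look like they hold passwords. Sample data is constructed."""
import re

# Constructed adfind output: one record per object, "dn:" then ">attribute: value" lines.
ADFIND_OUTPUT = """\
Using server: dc01.corp.example.com:3268

dn:CN=Administrator,CN=Users,DC=corp,DC=example,DC=com
>objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=example,DC=com
>sAMAccountName: Administrator
>userAccountControl: 512
>description: Built-in account for administering the computer/domain

dn:CN=Guest,CN=Users,DC=corp,DC=example,DC=com
>sAMAccountName: Guest
>userAccountControl: 66082

dn:CN=Jane Doe,OU=Staff,DC=corp,DC=example,DC=com
>sAMAccountName: jdoe
>userAccountControl: 512
>description: Help desk reset - temp password Spring2012!

dn:CN=svc_backup,OU=Service Accounts,DC=corp,DC=example,DC=com
>sAMAccountName: svc_backup
>userAccountControl: 66048
>description: Backup service account, pwd=Backup#1 (do not change)

dn:CN=WS-22,CN=Computers,DC=corp,DC=example,DC=com
>sAMAccountName: WS-22$
>userAccountControl: 4096

5 Objects returned
"""

ACCOUNTDISABLE = 0x0002     # userAccountControl bit: account is disabled
# "password Spring2012!", "pwd=Backup#1", "pass: x" ... a keyword followed by a token.
PASSWORD_HINT = re.compile(r"\b(pass(?:word|wd)?|pwd|pw)\b\s*[:=-]?\s*(\S+)", re.I)


def parse_adfind(text):
    """Split adfind output into records, one dict per object keyed by attribute name.
    Multi-valued attributes keep their last value, which is enough for this purpose."""
    records, current = [], None
    for line in text.splitlines():
        if line.startswith("dn:"):
            current = {"dn": line[3:].strip()}
            records.append(current)
        elif line.startswith(">") and current is not None and ":" in line:
            attr, _, value = line[1:].partition(":")
            current[attr.strip()] = value.strip()
        elif not line.strip():          # blank line closes the record
            current = None
    return records


def target_users(records):
    """Accounts worth guessing against: enabled, not computer/trust accounts, no duplicates."""
    users = set()
    for rec in records:
        sam = rec.get("sAMAccountName")
        if not sam or sam.endswith("$"):            # machine and trust accounts end in $
            continue
        if int(rec.get("userAccountControl", "0")) & ACCOUNTDISABLE:
            continue                                # disabled: every guess is wasted
        users.add(sam)
    return sorted(users, key=str.lower)


def password_hints(records):
    """(sAMAccountName, description) pairs whose description looks like it holds a password."""
    return [(rec.get("sAMAccountName"), rec["description"])
            for rec in records
            if PASSWORD_HINT.search(rec.get("description", ""))]


if __name__ == "__main__":
    recs = parse_adfind(ADFIND_OUTPUT)
    print("\n".join(target_users(recs)))       # what would go into domain_users.txt
    for sam, desc in password_hints(recs):
        print(f"[!] {sam}: {desc}")
```

The same record parser works on any adfind query, so adding `userAccountControl` and `description` to the attribute list of the command above (or leaving the attribute list off so adfind returns everything) is all that is needed to feed it real data.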
