Cracking Windows Domain Passwords for Password Analysis

There’s no doubt that domain accounts with weak passwords can be a serious concern for companies, there are a few ways you can protect yourself against issues like this. The first is to set a domain and local account lockout policy and the second is to enforce password complexity. However if your users are using “Password1” as their password, neither of these steps will protect you.

An alternative approach would be to analyse the passwords being used by your users and re-educate any users who have chosen one of the common bad choices – such as, Password1, Companyname123, Summer2016 – you get the idea.

There are three main steps to the analysis:
1. Extract the Hashes from the Domain Controller
2. Crack the hashes using a cracking tool
3. Analyse the passwords used to determine weak accounts

Extracting hashes from a domain controller

When it comes to extracting hashes, you’ve got a couple of options and I’ve elaborated on those options previously – to summarise though, the simplest way is to use the tool FGDump. Be aware though that this is a hacking tool, so of course your Anti-virus scanner may flag it as such, if you’d like to extract hashes from your server for local extraction using Windows built in tools instead take a look at Volume Shadow Copies here.

Running the tool FGdump on a domain controller as an administrator will output a .pwdump file called which contains all of your user password hashes that can be “cracked” to reveal and analyse their plain passwords. To run an EXE as an administrator on modern Windows it’s not enough to be logged in as an administrator – you have to right click the EXE and select “Run As Administrator” to get full permissions.

Cracking Hashes to reveal Plaintext Passwords

Once password hashes are extracted you can feed them to a cracking tool such as OphCrack, Hashcat or John the Ripper. My personal preference is John the Ripper and I’ve posted about this tool previously although to summarise “John” is available for Linux, Mac and Windows you can supply it a hash file and it’ll do its best to crack the passwords but it really comes in to its own when you supply it with a wordlist of possible passwords. If you want to roll up your sleeves then I’ve talked about generating your own wordlist here or the simplest way is to use a pre-made wordlist such as one from a recent data breach – these have the benefit of being real world passwords users have chosen! (Although are non-context specific so might miss passwords like Companyname123).

A really good source for password lists is SkullSecurity, I’d recommend you take a look at the “rockyou” list. This file is a bz2 file so if you’re on Windows you’ll probably need something like 7-zip to open it.

Download your wordlist of choice and grab a copy of John the Ripper. You can invoke John the Ripper on your password hash file like this:

john.exe --wordlist=rockyou.txt --format=nt

It’ll churn away at your hashes and spit out passwords as it finds them, if you stop John at any point and just want to see passwords it has previously managed to crack you can use:

john.exe --show

Which will give you a neat list, this time including the password against the username.

Analysing the Passwords

The simplest analysis you can do is to simply flag users that are using passwords like “password”, “Password1”, “Password123” and remediate that issue – but if you want to go further then DigiNinja has created a Ruby tool called Pipal which will perform some great analysis for you and highlight issues such as common base words, the average password length, all sorts. His tool is available here and can be invoked by:

pipal crackedpasswords.txt

It’s a Ruby script so if you’re running on Windows don’t forget to install Ruby first!

Have fun hunting weak passwords!

Read More