Cybersecurity

Cracking Active Directory passwords (Password audit part 2)

May 29, 2019 By Craig Hays Leave a Comment

Reading Time: 4 minutes

John the Ripper loves cracking Active Directory password hashes and your users love ‘Password1!’

(This is the second of a three-part series on Microsoft Active Directory password quality auditing and password cracking)

Following on from part 1 where we used DS-Internals to do some basic password quality auditing, in this post, we extract all of your password hashes from Active Directory and crack them with John the Ripper.

Cracking passwords with DS-Internals

In the previous post, we covered using DS-Internals to do a password quality audit. We did this by using the PowerShell module to examine account configurations for vulnerabilities and we provided a plain text password dictionary for brute forcing our users’ passwords. While the audit for configuration insecurities is excellent, the literal dictionary of passwords to use for cracking is not the most efficient way to do it. Nor is the output of sufficient quality to be as useful as it could be. This isn’t a criticism of the tool, it just isn’t what the tool specialises in.

When you provide a list of thousands of passwords, including globally well-known passwords and company-specific ones such as ‘Company1’ or ‘C0mp4ny123!’, DS-Internals will only tell you is a user password is found in that dictionary. It won’t suggest other similar formats such as ‘Company11111111’ which could also be in use. This is great for identifying users who need to change their passwords to something more secure, provided that you managed to create a comprehensive wordlist on your own. Which most of us probably can’t.

A better way to crack Active Directory passwords

DS-Internals is designed to let us overcome this challenge. Built in is an extensive hash export utility that will provide a range of hash table formats. My personal favourite cracking tool is John the Ripper and output support is built right in.

To export all user hashes from AD use the following:

[Read more…]

Brute force attack your own users (Password audit part 1)

May 29, 2019 By Craig Hays Leave a Comment

Reading Time: 6 minutes

The bad guys are already doing it. Here’s why and how you should do it too.

(This is the first of a three-part series on Microsoft Active Directory password quality auditing and password cracking)

If your company has anything exposed to the internet, attackers are already brute force attacking your user’s passwords. All day, every day. There are very few things you can do to stop them. Our best hope is to slow them down as they circumvent every countermeasure we put in place and ensure that users have passwords strong enough to withstand a low volume brute force attack.

[Read more…]

Bug Bounty Hunting Tips #3 — Kicking S3 Buckets

February 22, 2018 By Craig Hays Leave a Comment

Reading Time: 4 minutes

There has been a lot of press recently about misconfigured Amazon S3 buckets leaking confidential information. The root cause of this is that in the past S3 buckets have been incredibly easy to misconfigure. Sometimes buckets are made web accessible by anyone. Other times buckets are web restricted but can be accessed through Amazon S3 API by any authorised user.

Due to the nature and number of these breaches, Amazon have recently released their Trusted Advisor service for S3 for free to everyone to try to crack down on the problem. The challenge now is getting people to look at the new output and make changes based on the feedback. In the meantime, let’s have some fun kicking over S3 buckets to see what bounties fall out.

Finding S3 Buckets

S3 buckets are all reachable via a web interface, whether access is permitted or not. The URL format is:

[Read more…]

Bug Bounty Hunting Tips #2 —Target their mobile apps (Android Edition)

February 9, 2018 By Craig Hays 1 Comment

Reading Time: 6 minutes

If you read through the disclosed bug bounty reports on platforms such as hackerone.com it is clear that most bug bounty hunters are targeting web applications and neglecting the mobile application landscape. This is an opportunity that you can take advantage of.

Android app bug bounty — Photo by LOLIONI on Unsplash

I’ve had a lot of success recently looking at mobile apps, specifically android applications. After searching online for decent training material I stumbled upon the Udemy course Android Application Penetration Testing which has proven invaluable. (Disclaimer, I get no financial gain or anything else out of linking to this course, other than more competition in the android bug bounty space.) 4.5 hours of training at 2x regular playback speed and you’re in a good starting position.

Just like web applications, you can find the OWASP Mobile Top 10 very useful for identifying vulnerabilities to look for. My personal favourites are:

[Read more…]

Bug Bounty Hunting Tips #1— Always Read the Source Code

November 21, 2017 By Craig Hays Leave a Comment

Reading Time: 3 minutes

One of the first things I do when approaching a target is to search for and read through all of their public source code repositories on sites like github.com looking at every file in every directory. I also check through the commit history to see what has changed with each commit. Yes this takes time to do it and it isn’t as fun as jumping straight into hacker typer mode fuzzing inputs on web applications and APIs but it is invaluable. Once I’ve finished the official code repositories of the target I then look at contributors to each of the projects and do the same thing for each of those. Developers often share a lot of code, config, SSH keys, usernames, and passwords between work and personal projects. This has the following benefits:

[Read more…]