Using Password Cracking for Password Recovery

BackStory

For in-person infrastructure/network testing, it’s not feasible to carry around large power-hungry GPU servers; but Windows regularly transmits hashed credentials over the network in the form of NTLM or NetNTLM hashes. With off-site password cracking power, captured password hashes can represent a ticket into the network especially if these belong to highly privileged users. Great advances have been made by the talented Hashcat team, meaning that NetNTLMv1 hashes can be recovered with 100% certainty where a downgrade is possible and where a downgrade isn’t possible, NetNTLMv2 hashes can be cracked very quickly.

Combining this with a web application to OCR hash dumps from a screen where data exfiltration is a concern, you reach a compelling business case for building a password cracking rig. After prototyping on spare hardware and demonstrating a proof-of-concept to leadership, the project received the green-light to move to more expensive hardware.

Software & Architecture

Security Considerations

As this application handles client data such as password hashes and wireless handshakes, security of the system is a top priority. Cracked password hashes may belong to high privilege accounts or offer direct access to the client’s network, reinforcing the confidentiality requirements for the system. Strong authentication is critical. Oauth2proxy allows close integration with an organisation’s directory services, requiring authentication and authorisation before allowing any traffic at all to reach the web application it is protecting. In combination with strong technical and managerial controls, this ensures that potentially sensitive data is kept secure.

Software Solution

Built on a standard LTS Ubuntu release, the system runs the Hashtopolis web application to provide a graphical web frontend and API for cracking hashes.

Supporting this is another web application, built in Golang, which performs OCR on PWDump format hashdumps, allows WPA capture uploads, and allows quick creation of Hashtopolis tasks with reasonable defaults. Between these two web applications, the majority of hash cracking needs during penetration testing are addressed.

Hardware

Once GPU supply issues began to ease in late 2022, it was decided that 2 Nvidia RTX 3070 GPUs offered good performance balancing financial investment against power consumption. In Hashcat benchmarks, these GPUs are estimated at around 70 billion NTLM hashes per second, each. With a combined benchmark of 140 billion NTLM hashes, this offers an excellent chance of recovery when attacking NTLM hashes. Backing the graphics cards is a somewhat standard gaming desktop build, an AMD Ryzen 5 5600G for a good number of cores at a low price, 32GB of RAM to allow quick transfers to and from video memory, and a 1TB SSD to store wordlists and hash lists. This hardware configuration represents a moderately funded attacker, putting real-world perspectives on the strength of passwords recovered during penetration testing.

Conclusion

The password cracking solution presented here allows SecQuest to offer realistic perspectives around password strength where password hashes are recovered, such as wireless security assessments, network penetration tests, and other technical assurance testing. In Microsoft Active Directory environments common to many businesses, recovered passwords offer an attacker wide reaching access to additional systems and sensitive information.