Case Study


This case study chains several steps together to show how easily password cracking can take place. Hopefully, most systems are better secured than the one described here, but you can never rely on that being true.

Do you remember Evil Jimmy, the hacker who compromised the Cisco IDS sensor back in Chapter 7? As you might recall, Evil Jimmy used session hijacking to compromise the company's new IDS system and turn off all the alarms that he might trigger while port scanning the network computers.

Well, Evil Jimmy is back, and he has just finished port scanning dozens of computers. He has concluded that the target network, Little Company Network (LCN), is built on a Windows 2003 domain. This is great news. Evil Jimmy now sets himself a new goal: obtain the domain administrator password and, subsequently, the password of every user within the new 2003 Active Directory of LCN.

Step 1.

Jimmy gathers his tools for the attack:

- Telephone for a bit of social engineering

- Brutus.exe for password guessing

- Pwdump3.exe for extracting the usernames and password hashes from the 2003 Active Directory domain controller

- L0phtcrack and John the Ripper for cracking the password hashes dumped by Pwdump3.exe

- Coffee and a Twix candy bar

- The Matrix movie for watching while password cracking is taking place

Step 2.

Evil Jimmy decides to do a little bit of social engineering just to see what he can find out from the domain administrators. He calls the domain administrators and asks, "What kinda Windows domain are we using here? Is it that new cool 2003 Directory stuff?" Proudly, the administrator replies, "Yes, and we just installed it last month." With this bit of information, Jimmy understands that LCN is new to 2003, and perhaps the company has not implemented all the security features needed yet. The domain controllers probably still store the backward-compatible LANMAN hashes, which are far weaker than NT hashes. Next, Jimmy starts complaining about forgetting his password and asks whether he can get a new one. LCN administrators are wise to this trick. They never give out passwords over the phone. They inform him that he has to come to the office to collect the new password. Jimmy has just learned some of the LCN policies. He tells them he will be right there after the (fictitious) meeting he is in is over.

Note that this step is optional, but it does give a basic feel for how the domain administrators handle telephone calls relating to passwords.

Step 3.

Evil Jimmy pulls out a network-based password-guessing tool called Brutus. You can configure Brutus for dictionary or brute-force attacks against Telnet, FTP, NetBIOS, and more. Jimmy configures Brutus for NetBIOS password guessing directly against the domain controller. He targets the IPC$ share (\\ip address\IPC$), which every Windows computer exposes, so he does not have to guess share names on the server. Figure 9-28 shows a screen shot of the Brutus tool configured. A summary of the configuration is as follows:

- Target username: administrator

- Target: \\ip address\IPC$

- Password Mode: First dictionary, and then brute force

Figure 9-28. Brutus


After about 2 minutes, Brutus successfully guesses the correct administrator password, 123, and proves that the domain administrators are not locking out accounts after failed logons! (Note that by default the built-in Administrator account is exempt from the domain lockout policy unless the resource kit tool passprop /adminlockout has been applied, so a lockout threshold alone would only have protected the other accounts from this kind of guessing.)

Step 4.

Next, Jimmy connects to the domain controller as the domain administrator. It is possible to do this in several ways, but forcing a connection from the command prompt with the administrator credentials is sufficient:

C:\>net use \\192.168.1.10\ipc$ 123 /u:administrator
The command completed successfully.

From now on, every connection from Jimmy's machine to that domain controller rides on this SMB session, so it is authenticated as the domain administrator rather than as Evil Jimmy's interactive desktop user.

Step 5.

Now it is time to extract all the usernames and hashed passwords from the domain controller. Jimmy pulls out pwdump3, which needs administrator access to the target (the session established in Step 4 provides it), and enters the following command to write the list to a file:

C:\>pwdump3 192.168.1.10 coolLCN.txt
pwdump3 (rev 2) by Phil Staubs, e-business technology, 23 Feb 2001
Copyright 2001 e-business technology, Inc.

This program is free software based on pwdump2 by Todd Sabin under the GNU
General Public License Version 2 (GNU GPL), you can redistribute it and/or
modify it under the terms of the GNU GPL, as published by the Free Software
Foundation. NO WARRANTY, EXPRESSED OR IMPLIED, IS GRANTED WITH THIS PROGRAM.
Please see the COPYING file included with this program (also available at
www.ebiz-tech.com/pwdump3) and the GNU GPL for further details.

Completed.

Step 6.

It is time for a little cleanup operation, so Evil Jimmy connects to the domain controller 192.168.1.10 and clears the security Event Log. Figure 9-29 shows clearing the Event Log. Clearing the log is itself audited: Windows 2003 records event ID 517 ("The audit log was cleared") as the first entry of the freshly emptied log, and any events already forwarded to a central log server survive, so an alert administrator can still notice that something happened.

Figure 9-29. Event Log


Step 7.

With the extract created by pwdump3, Evil Jimmy can load the file into L0phtcrack or John the Ripper for offline cracking while he is at home watching The Matrix. The hashes are unsalted, and if LANMAN hashes are stored, each password is also cracked as two independent, case-insensitive 7-character halves. It is only a matter of time before he has all the passwords for the Windows 2003 domain of LCN. It is almost too easy, really.

This case study shows a basic step-by-step process for extracting the username and password hash lists of an entire domain. With proper authorization, you can use the same method during a penetration test to demonstrate exactly this exposure to the client.



    Penetration Testing and Network Defense
    ISBN: 1587052083
    Year: 2005
    Pages: 209