Now we have a copy of the hashes we can sling them through John. There are several approaches to this, but for the purposes of simulating an attack its best to use 2. They are:
- A default JTR crack
- A company specific wordlist crack
Basically JTR has certain options for rules. I’ve found that if you’re willing to let the machine run cracking for a day its quite successful. If you want to perform “intelligent cracking” you’ll need to look deeper into custom rules for JTR which are out of scope of this article.
Default JTR “All Rules” Crack
We can simply fire up john using
john --rules=All --pot=gotToLove.pot nthashdump
The pot file will record all passwords cracked, but not with their corresponding usernames, these will actually appear on the screen anyways. Just leave this running for several hours. I’ve had some great successes running this on a 4GB VM on an 8GB i5 Surface over the course of a day. If you have a dedicated machine the results will evidently be elevated to a new level.
The “All” rules will essentially blend its default dictionary with alphanumeric changes and additions. So with the dictionary word ‘password’ it may well try:
Company Specific Wordlist Crack
This is about as creative as I ever feel like getting on internal password checks. We essentially need to build a list of all words relating to the company and the industry that its in. This will (in theory) snag all passwords referencing things like the company name, departments, some key names, process or products related to them etc.
Now you can do this manually but things may get missed. If you use CeWL to obtain this list it will spider the website looking for words over a certain length. Should you find yourself unable to access the site as its behind CloudFlare, try WLGen.
With your custom wordlist you can now kick off JTR with the following addition
john --rules=Jumbo --pot=loot.pot --wordlist=/path/to/wordlist.txt nthashdump
Now the “All” rules might be a bit severe for this so you may want to change “All” to “Jumbo” which is significantly less time to complete.
Ive Cracked a Few Passwords Now What?
Congratulations you uber 1337 haxor you!!! Now you can overview to see if your password policy is actually being adhered to, or if its not stringent enough.
A suitable metric to provide is the amount of passwords cracked of active accounts. Very rarely should you be concerned with disabled accounts (although they can indicate bad practices on the helpdesk with passwords).
Provide information such as
“Out of our current 100 users and 20 service accounts we managed to crack 12 (14.4%) of their passwords within an allotted timeframe using techniques and tools freely available to the public. These were found not to be in accordance with our password policy and as such this requires immediate review.”
This should be a brief enough summary to the execs/board about the state of the estate.