Remembering passwords is hard, for regular users and administrators alike. Human nature will gravitate to easy-to-remember passwords. What’s easier for a user is often easier for an attacker as well. Protecting users and organizations from a breach becomes a top security priority.
How do you protect users against themselves and the use of weak or breached passwords? Using weak password lists, a password can be checked before use to ensure a user won’t become victim to the next attack!
This post is kindly sponsored by Specops Software.
What Makes a Weak Password in 2022
When you think of weak passwords, the old standby of “password” probably comes to mind. You are right, but a weak password is much more than a simple word. Not only are there many existing methods of password cracking, decryption, and brute-force techniques but they have become increasingly automated and sophisticated.
So what is a weak password in 2022? According to the Specops Software Weak Password Report for 2022, it’s not just length or complexity. Since a leaked password may already have been cracked and its hash recorded, even one that is 12 characters long with special characters is trivial to use in an attack. In fact, 93% of passwords used in brute-force attacks include 8 or more characters!
For example, here are the top 10 passwords of more than 12 characters used in real brute-force attacks, from the Specops Software Weak Password Report.
^_^$$wanniMaBI:: 1433 vl
almalinux8svm
dbname=template0
shabixuege!@#
P@$$W0rd0123
P@ssw0rd5tgb
adminbigdata
Pa$$w0rdp!@#
adm1nistrator1
administrator!@#$
Worse yet, reused passwords provide ample opportunities for an attacker to attempt a hack against multiple services, known as password spraying. Some services may have weak hash or encryption schemes and once broken, it is easy for an attacker to then use that password against even the most secure services.
Long and difficult passwords are hard to remember, so many individuals use common themes in their passwords such as movies, sports, and artists. Some common passwords used based on themes (top 2 used in each category according to the Specops Weak Password Report):
R.E.M. – Music Artists
Cher – Music Artists
Cincinnati Reds – Baseball
Los Angeles Angels – Baseball
Chelsea – Premier League Clubs
Liverpool – Premier League Clubs
Rocky – Movies
Hook – Movies
Loki – Marvel vs DC
Thor – Marvel vs DC
Individuals tend to use what they know and like, but this makes cracking passwords easier on the attacker as well!
The Ease of Cracking Passwords in the Real World
All too often, an IT professional has a theoretical understanding of the ease of cracking weak passwords. IT professionals “know” it can be easy, but typically do not see what a real attack looks like. The NTLM protocol has been around since the early days of Windows and is still in active use as a backup to the Kerberos protocol in Active Directory domains. Therefore, it is still susceptible to interception and use.
The NTLM hash is a one-way hash, which takes a string input of any size and outputs an algorithmically generated string of fixed size (the text “password” has the same output size as “a super long password”). It cannot be reversed or decrypted, but the hash value is quickly computed. Generate enough candidate hashes and a matching value will be found.
This article shows the speed at which the NTLM hash of a weak password can be cracked. To demonstrate, Mimikatz is used to retrieve an NTLM hash and then Hashcat is used to crack the password.
Locating Users with Active Directory Replication Privileges
For the sake of brevity, this article assumes that through some phishing attempt, an account with the domain rights of Replicating Directory Changes and Replicating Directory Changes All has been compromised.
To help locate the accounts that have the replication rights, I used the following PowerShell code to find all accounts that have the DS-Replication-Get-Changes or DS-Replication-Get-Changes-All rights, which are necessary to perform the DCSync attack.
Import-Module ActiveDirectory
# The ObjectType values are for DS-Replication-Get-Changes and DS-Replication-Get-Changes-All privileges
# https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/1522b774-6464-41a3-87a5-1e5633c3fbbb
# Only Allow ACEs grant the right; a Deny ACE for the same GUID must not be reported as a holder.
(Get-ACL -Path "AD:$(Get-ADDomain | Select-Object -ExpandProperty 'DistinguishedName')").Access |
Where-Object {($PSItem.ObjectType -EQ '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' -Or $PSItem.ObjectType -EQ '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2') -And $PSItem.AccessControlType -EQ 'Allow'} |
Select-Object -Property 'IdentityReference'
The account used in this example is a member of the built-in Administrators group and therefore has the necessary replication rights.
Retrieving an Account's NTLM Hash
With the necessary privileged account in hand, an attacker will proceed to utilize a tool, such as Mimikatz, to retrieve the NTLM hash of one or more users. This hash can then be used for lateral attacks or further privilege escalation.
During a DCSync attack, Mimikatz mimics a domain controller (DC) and utilizes the Directory Replication Service Remote Protocol (MS-DRSR). Mimikatz sends a replication request to a DC, to which the DC responds, and Mimikatz then extracts the NTLM hash from the response.
In this demonstration, I use a Windows 10 Client joined to an Active Directory Windows 2019 Datacenter server with several test accounts. The domain password policy is purposely relaxed to allow for weaker passwords. In addition, the latest versions of Hashcat and Mimikatz, as of the time of writing, are installed.
Keep in mind that your Antivirus program will most likely see Mimikatz or Hashcat as a threat, so you may need to temporarily whitelist that tool. In addition, these tools should only ever be used for approved pen-testing and learning.
First, I’ll launch Mimikatz and run the DCSync attack command against the user testaccount2. Then I’ll locate the credentials section and copy the Hash NTLM value. I’ve saved the value to hash.txt to be used with the Hashcat program.
lsadump::dcsync /user:testaccount2
Cracking the Password Hash
Now that I have the account's hash, it’s time to try and crack the password. One program that can utilize my system's graphics card (GPU) to quickly generate hashes is Hashcat. With a large number of built-in hash functions, I am able to specify a range of options to home in on the hash type needed to crack a password. Here, I am using Hashcat to crack the hash that I previously retrieved and saved to the file hash.txt.
The -m 1000 option tells Hashcat to generate NTLM hashes, and the -a 3 option selects a brute-force (mask) attack rather than a wordlist or a hybrid wordlist-plus-brute-force attack. By specifying -O I am telling Hashcat to use optimized kernels for speed, but this does limit the maximum length of password that can be cracked (27 characters on my test system).
.\hashcat.exe -m 1000 -a 3 ..\hash.txt -O
As you can see, the password is found to be A123456, which is admittedly a very simple password. But the result was found in only 7 total seconds. As you can tell, this is trivial to crack, and with precomputed hash lists, known as rainbow tables, this becomes even easier to crack!
Creating a Weak Password List in Azure AD
Now that I have demonstrated just how easy it can be to crack certain weak passwords, how can I protect against this in an Active Directory domain? One way to combat weak passwords in Azure AD is to utilize the built-in Password Protection mechanisms.
Demonstrated below is the built-in ability for Azure AD joined devices to protect against banned passwords. For on-premises Active Directory domains, it is possible to integrate Azure AD Password Protection by installing and registering the Azure AD Password Protection proxy service, but I don’t demonstrate that here.
First, I need to make my way to the Azure AD Security, Password Protection blade in the Azure portal, as shown below.
Then I’ll turn on the protection by toggling the “Enforce custom list” option to Yes and add in a number of passwords to ban.
Now that I have created a banned password list, how complex could I get? Technically, I have the ability to add up to 1000 banned passwords in a custom list. In addition, the list is case insensitive and automatically tests for common substitutions such as “0” for “o”.
This upper limit also illustrates the inherent limitations of this implementation. A static list of 1000 manually managed passwords will not be able to keep up with evolving cracking attempts. The list doesn’t integrate with continuously updated online lists, nor do I have the ability to use regular expressions for complex rules.
Make Banned Password Lists Easier to Manage with Specops Password Policy
To take a banned password list to the next level, one option is the Specops Password Policy product. Specops Password Policy supports both hybrid Azure AD domains and on-premises-only Active Directory.
Specops Password Policy offers the following password policies beyond the typical offerings.
- Require Unicode characters.
- Disallow the username in a password, either the full user name or part of the user name.
- Disallow digit as first or last character in a password.
- Disallow consecutive identical characters.
- Allow use of a regular expression to validate a password.
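To show what rules of this kind check, here is an added example (my own illustrative implementation, not Specops Password Policy's code) that evaluates a candidate password against the five rule types listed above and reports every rule it breaks; how the username is split into parts and the minimum part length are assumptions.

```python
import re
from typing import List, Optional


def username_parts(username: str, min_len: int = 3) -> List[str]:
    """Split 'john.smith' or 'jsmith_admin' into the full name plus each part long
    enough to be meaningful (assumed separators: . - _ space @)."""
    parts = [p for p in re.split(r"[.\-_ @]+", username.lower()) if len(p) >= min_len]
    return [username.lower()] + parts


def policy_violations(password: str, username: str, pattern: Optional[str] = None) -> List[str]:
    """Return the names of every rule the password breaks; an empty list means compliant."""
    problems = []
    lowered = password.lower()
    if any(part in lowered for part in username_parts(username)):
        problems.append("contains username or part of it")
    if password[:1].isdigit() or password[-1:].isdigit():
        problems.append("starts or ends with a digit")
    if re.search(r"(.)\1", password):  # any character immediately repeated
        problems.append("consecutive identical characters")
    if not any(ord(ch) > 127 for ch in password):  # Unicode requirement
        problems.append("no Unicode (non-ASCII) character")
    if pattern and not re.search(pattern, password):
        problems.append("does not match required pattern")
    return problems


if __name__ == "__main__":
    # Constructed candidates: the article's cracked password and a compliant one.
    for pw in ["A123456", "John.Smith_pw", "Straße-Rückenwind!7q"]:
        print(pw, "->", policy_violations(pw, "john.smith", pattern=r"[!?#]"))
```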
Even with the additional rules, custom password policies are not enough in the evolving security landscape. With the Specops Breached Password Protection list, a daily updated list of over 2 billion breached passwords is available for evaluating password updates.
Use the Express edition to utilize an optimized subset of the total list for nightly scans of vulnerable passwords and immediate blocks on insecure password changes. With the Complete edition, a user will be notified by email and/or text when a password is found in the breached password list.
Combined with strong internal password policies, Specops Password Policy helps your users to stay protected and avoid becoming targets!
Protecting Against Weak Passwords in 2022
As you’ve read, weak passwords are not as clear-cut as they once were. Not every hash or encryption scheme is the same, and that is particularly true with Active Directory. With relatively simple attacks, an attacker is able to obtain a password hash. From there, recovering the password may be trivial depending on the type of weak password used.
For companies integrated with Azure AD, utilize the Azure AD Password Protection feature to disallow common weak passwords in your organization. Maintain the updated list regularly to protect against an evolving threat landscape.
Protect your users in-depth with daily updated breached password lists and complex policies through the Specops Password Policy product. Make sure your users understand when a password doesn’t meet the requirements or is used in a breached password list to help them proactively avoid weak password reuse!