Password Cracking and Analysis

Service Overview

The objective of the Password Cracking and Analysis service is to subject the hashes in a Customer-provided NTDS file to accelerated password-cracking efforts, recover as many plain-text passwords as possible, and provide information about the recovered passwords to Customer. This Service helps organizations review their password policy enforcement and gain insight into how users are choosing passwords.

Service Methodology

Testing includes several iterations and varying combinations of exploit options, such as brute-force, wordlists, rules, and masks, to crack password hashes. In addition to varying the options, multiple software applications designed to crack passwords are used. The following exploit options will be used to derive the plain-text form of hashed and encrypted passwords.

Weak Hashes

In situations where multiple hashes of the password are available, such as LAN Manager (LANMan) and NT LAN Manager (NTLANMan) hashes from Windows authentication or Active Directory, the least computationally complex algorithm will be processed first. The plain-text passwords recovered from weaker hashes are likely to help crack the more complex hashes, or as is the case with LANMan/NTLANMan, they can be used to determine the case (uppercase/lowercase) of the letters within the password.

Weak Passwords

Passwords that are seven characters in length or shorter are considered weak. For many hash algorithms, it is possible to brute-force all possible characters quickly. Using this exploit option makes it possible to reduce the analysis performed in subsequent steps because password guesses shorter than eight characters do not need to be tried.

Wordlists and Rules

Pre-built wordlists, which are compiled from industry-wide dictionaries and passwords retrieved from previous compromises, are used as password guesses. The entries within the wordlists are also modified through the application of rules. The rules prepend and append characters to the entries within the wordlists, as well as replace characters to find complex forms of simple dictionary words, such as changing Friendship to Fr!3ndsh1p or Friendship02!.

Password Masks

Through the analysis of previously discovered passwords, masks representing the characters commonly used at various positions in a password—such as five lowercase letters followed by two numbers and a symbol—are generated. These masks are used to create password guesses by the cracking software.
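
The mask analysis described above can be illustrated with a short Python example, added here and not taken from Secureworks or the service's tooling. It derives a per-position character-class mask for each already-recovered password and counts weak-length entries using the seven-character threshold from the Weak Passwords section; the function names, the `?l`/`?u`/`?d`/`?s`/`?b` placeholder notation, and the sample passwords are assumptions constructed for illustration.

```python
from collections import Counter
import string

# Constructed sample of already-recovered plaintexts (illustrative, not real data).
RECOVERED = ["Summer15!", "Friendship02!", "Fr!3ndsh1p", "winter22!",
             "spring19#", "abc123", "Autumn21!"]

WEAK_MAX_LEN = 7  # the page treats seven characters or shorter as weak


def char_class(ch):
    """Map one character to a placeholder (the ?l/?u/?d/?s notation is an assumption)."""
    if ch in string.ascii_lowercase:
        return "?l"
    if ch in string.ascii_uppercase:
        return "?u"
    if ch in string.digits:
        return "?d"
    if ch == " " or ch in string.punctuation:
        return "?s"
    return "?b"  # anything outside printable ASCII


def mask_of(password):
    """Describe which character class sits at each position of a password."""
    return "".join(char_class(ch) for ch in password)


def mask_report(passwords, top=3):
    """Summarise composition: weak-length count and the most common masks."""
    masks = Counter(mask_of(p) for p in passwords)
    weak = sum(1 for p in passwords if len(p) <= WEAK_MAX_LEN)
    return {
        "total": len(passwords),
        "weak": weak,
        "top_masks": masks.most_common(top),
    }


if __name__ == "__main__":
    report = mask_report(RECOVERED)
    print(f"{report['weak']} of {report['total']} passwords are "
          f"{WEAK_MAX_LEN} characters or shorter")
    for mask, count in report["top_masks"]:
        print(f"{count:3d}  {mask}")
```

When a handful of masks accounts for most recovered passwords, the password policy is admitting predictable structures even where length and complexity requirements are met.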

Wordlists and Masks

Many passwords are composed of dictionary words followed by several letters, numbers, and symbols, such as Summer15!. Masks of no more than four characters in length are appended and prepended to wordlists. This exploit option is similar to the Wordlists and Rules exploit option, but is differentiated in that it requires a more complete set of guesses against the hashes.

Feedback

All of the passwords that have been cracked up to this point are re-used through both the Wordlists and Rules and the Wordlists and Masks exploit options. This feedback exploit option recovers longer and more complex forms of commonly used passwords.

Brute Force

If time permits and there are hashes remaining for which the plain-text form of the password has not been recovered, a brute-force attack of all character combinations for passwords of eight characters or longer is performed.

Outcome

Upon completion of the above-listed methods, Secureworks performs a thorough review and analysis of the information that was collected during the engagement, and produces a final report for Customer that includes but is not limited to the following:

Scoping information

Scope: Password Cracking & Analysis
Description: A single NTDS export from one domain controller, containing up to 2 domains' worth of credentials.

Scheduling and Booking Information

See Service Scheduling for information about scheduling this service.

 
