In my previous article, I talked about how the LSASS process can be dumped. Now let’s try to find out which password the resulting NT hash belongs to.
First of all, I should point out that hash values are irreversible. In other words, we can encrypt a data and decryp it with the key and obtain the same data again, but this is not valid for the hash.
So, if you ask how we can obtain a password from a hash information, the answer depends on having a large password database, that is, a dictionary. With the help of the Hashcat tool, we can check whether the hash information we have matches our password database. Let ‘s do it.
Requirements
->Hashcat
->Password Dictionary
Let’s note the NT hash information of the user I logged into the endpoint as follows and save it in a file called hash.
Afterwards, I prepared a simple Password Dictionary for myself and added the clear version of the password with which I logged in (Donthackme1*).
Password Dictionary
Now we have come to the stage of using Hashcat. If you want, you can use Hashcat as the built-in version that comes on Kali Linux, but I prefer to use it on Windows, so let’s download hashcat.(https://hashcat.net/hashcat/)
Now let’s go to CMD and run command
hashcat.exe -a 0 -m 1000 hash.txt PasswordDictionary.txt --show
hashcat.exe
: This indicates that the hashcat program is being invoked.-a 0
: This parameter specifies the attack mode.0
represents brute-force attack and dictionary attack.-m 1000
: This parameter specifies the target hash type.1000
indicates that the hash type is MD5(also NTLM). Hashcat can be used to crack different hash types, and this parameter tells it which type to target.hash.txt
: This is the name of the file containing the hash values you’re trying to crack.PasswordDictionary.txt
: This represents the name of a dictionary file containing passwords. Hashcat will attempt to match the passwords in this dictionary with the target hash values.--show
: This parameter is used to display successfully cracked passwords on the screen.
To protect yourself against dictionary attacks and similar password cracking attempts using tools like Hashcat, you can take the following precautions:
- 1.Use Strong Passwords: Employ strong, complex, and hard-to-guess passwords that include a mix of uppercase, lowercase, numbers, and special characters.
- 2.Increase Password Complexity: Use long and randomly generated passwords to make brute-force or dictionary attacks more challenging.
- 3.Regularly Change Passwords: Change your passwords regularly within a defined timeframe. This reduces the chances of an attacker using the same password for an extended period.
- 4.Use Two-Factor Authentication (2FA): Implementing two-factor authentication enhances your account security. It requires not only the password but also an additional authentication factor such as a verification code.
- 5.Utilize Salting: If you’re developing a website or application, use “salting” when storing user passwords. Salting ensures that the same password results in different hash values for different users, making attacks using rainbow tables more difficult.
- 6.Implement Password Lockout: Employ an automatic lockout mechanism that limits the maximum number of password attempts, making brute-force attacks less effective.
- 7.Keep Hash Algorithms Up-to-Date: Use up-to-date and secure hash algorithms. Avoid older or compromised hash algorithms.
- 8.Use Security Software and Monitoring: Employ security software and monitoring systems to detect and respond to attacks.
- 9.Download Software from Trusted Sources: When using password cracking tools like Hashcat, download them from reputable sources to avoid versions containing malicious code.
- 10.Training and Awareness: Provide training and awareness programs to educate users about strong password practices and security awareness. Informed users are less susceptible to social engineering attacks.
These measures are some fundamental steps you can take to enhance your password security against tools like Hashcat and similar attacks. Additionally, specific security measures may be necessary depending on your application or system, so consider your unique requirements.
Leave a Reply