Recently there has been a lot of publicity given to hashcat and password cracking (see this article on Wired). The reason for this is that, due to its speed, hashcat can pose a major threat. Combine that speed with a couple of decent graphics cards and the right set of wordlists and rules, and it can produce significant results in a matter of seconds. Before I go into this in more detail, we should first take a look at the history of password cracking/recovery and in particular its impact on Windows systems, as opposed to just websites.


Way back in the early days of Windows there was the LM hash. This catered for passwords of up to 14 characters in length, but (and this was a fatal flaw) the password was stored as 2 separate hashes covering 7 characters each, and it was case insensitive. This meant that, using even a modestly sized rainbow table, it was trivial work to crack almost every possible combination of upper case, lower case and number passwords with relative ease and in a usable time frame. This was the default up to and including Windows XP. On XP, however, an NTLM hash was also created, and that one was case sensitive. If the password was less than 14 characters, though, there was still an LM hash that you could easily crack, after which you just had to vary the case until it matched the NTLM hash. Once the password exceeded 14 characters there was only the NTLM hash, which was considerably harder to crack.

On Vista and newer operating systems the NTLM hash became the default and no LM hash was stored. The time required to crack a password grows exponentially with each extra character, so passwords of over 9 or 10 characters could take years to crack even on a powerful machine. Rainbow tables and brute force cracking therefore became expensive in terms of the time needed, and as a result attention shifted away from brute force towards more intelligent methods using word-lists, masks and pattern matching.

The RockYou Incident

In 2009 there was the “rock you” incident (TechCrunch and The Guardian have more on this), which provided hackers with millions of real life passwords, albeit from a site with very poor password hygiene. Using this list and adding variants such as prepending or appending numbers, it is then often possible to guess a large number of other passwords with very little effort. The focus then switched to these word-lists, especially after a few breaches of well-known sites provided yet more examples of real-world passwords.

Easy to Crack

Then hashcat came along... This piece of software has been used to demolish a number of websites' MD5 password hashes. The reason for its success is its ability to offload the cracking onto graphics cards, which means it is reasonably cheap to build a very powerful password cracking setup capable of trying tens of millions of combinations a second simply by putting 4 or 5 cards into a desktop machine. By default, modern versions of Windows Server enforce some rudimentary password complexity. For instance, your password must contain characters from at least 3 of the 4 categories upper case letters, lower case letters, numbers and symbols. You are also prevented from using your name as part of the password, and it usually must exceed 8 characters.

Whilst this provides sufficient protection against brute force attacks, human nature means the passwords still tend to be vulnerable to dictionary/pattern based attacks. Taking the Wired article as an example, 60% of 16,000 passwords were cracked within 20 minutes. In the hands of someone with more advanced resources and increased knowledge, it is not unreasonable to expect them to crack between 70% and 80% of those passwords, and even up to 90% in one of the examples used. It is entirely reasonable to expect the same rates on a Windows domain, even with the standard password complexity requirements enabled, because of the way these dictionary and rule based attacks work. This represents a very real risk to network security if somebody can get hold of the password hashes, so let’s look at how it’s possible to crack so many passwords.


Common Mistakes

After the “rock you” breach a lot of statistical analysis was conducted on the passwords (Passcape and Reusable Security), and it showed that the word 'password' and variants of it were exceedingly common. Given the complexity requirements above and assuming a minimum password length of 10 characters, 'Password12' would be acceptable; for a hacker, however, cracking it would be trivial.

Of course, we all like passwords that are easy to remember, so it is human nature to choose a familiar word with numbers before, after or between. If you're feeling particularly clever you might substitute '3' for 'e' or '$' for 's' and so on. Unfortunately these substitutions are themselves predictable and are therefore just as vulnerable.
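As an added illustration (not code from the original post), the Python check below approximates the Windows complexity rule described earlier and then applies the same normalisation a wordlist-plus-rules attack applies, so an administrator can see that 'Password12' or 'P@$$w0rd!' passes the policy yet is predictable. The mini wordlist and the substitution table are constructed here, and the 8-character minimum is an assumption.

```python
import re
import string

# Constructed mini wordlist standing in for a leaked list such as rockyou;
# a real audit would load the full list from disk (assumption, not page code).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "monkey", "summer"}

# Reverse map for the "clever" substitutions ('3' for 'e', '$' for 's', ...);
# cracking rules undo these just as easily as they apply them.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

def meets_windows_complexity(password: str, username: str = "") -> bool:
    """Approximates the default Windows policy: characters from at least 3 of
    the 4 classes, an (assumed) 8-character minimum, and no user name inside."""
    classes = (any(c.isupper() for c in password),
               any(c.islower() for c in password),
               any(c.isdigit() for c in password),
               any(c in string.punctuation for c in password))
    if len(password) < 8 or sum(classes) < 3:
        return False
    return not (username and username.lower() in password.lower())

def candidate_words(password: str) -> set:
    """Mimic the first things a rule-based attack tries: drop digits/symbols
    hanging off either end, undo leet substitutions, lower-case, and pull out
    the alphabetic runs (so numbers 'between' words are handled too)."""
    core = password.strip(string.digits + string.punctuation)
    found = set()
    for form in (core.lower(), core.translate(LEET).lower()):
        found.add(re.sub(r"[^a-z]", "", form))     # all letters joined up
        found.update(re.split(r"[^a-z]+", form))   # each separate letter run
    return {w for w in found if len(w) >= 4}

def is_predictable(password: str, wordlist=COMMON_WORDS) -> bool:
    """True when the password is really a dictionary word plus decoration."""
    return any(w in wordlist for w in candidate_words(password))

def audit(password: str, username: str = "") -> str:
    """Verdict for an administrator: passing the policy is not enough."""
    if not meets_windows_complexity(password, username):
        return "rejected: fails complexity policy"
    if is_predictable(password):
        return "weak: passes policy but is a dictionary word plus decoration"
    return "ok: passes policy and is not an obvious wordlist hit"
```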

There are still techniques that can defeat these sorts of attacks, and the simplest is to use non-standard characters in your password such as those accessible with ALT codes (have you ever tried holding down the ALT key and typing 248 on the numeric keypad of a normal keyboard?). This vastly increases the entropy of the password, as each position suddenly has 255 possible variations, and it forces the attacker back to brute force because none of the characters are standard. Whilst this requires 3 extra key presses for 1 character, and it can be shown that an extra 2 alphanumeric characters add much more entropy, if space is limited (Office 365 has a maximum of 16 characters in a password) then this is one way to increase password complexity. However, it isn’t possible to enter ALT codes on mobiles or tablets, so this is of limited use if a portable device is required.

Take Precautions

Protecting the password hashes is becoming more and more important, but that protection counts for nothing if further precautions are not taken. It takes no more than a couple of minutes to boot up a laptop and copy the local password hashes and any other cached network credentials, leaving no trace of the activity and the victim none the wiser. This provides the hacker with the hash which, given time, they will be able to crack. If they are really lucky then the IT support team's credentials will also be cached on the laptop, providing domain administrator access to the network and enabling the hacker to plunder the system at will.

This sort of attack can easily be mitigated by simply making sure that all laptops are encrypted, for which a number of methods exist. If an attacker tries to boot up the computer without the right password then all the data is already encrypted and useless to them. On a domain, machines can be configured to cache only the last set of credentials used, so if a laptop is compromised only 1 account is breached as opposed to every user of the laptop. The local administrator account should have no network access and should have a password distinct from any other network password too.

Pass The Hash

Perhaps the most serious type of hack is a ‘pass the hash’ attack (there is more information in a white paper on SANS, which also covers a lot of the basic password theory touched upon here). In essence a password hash is captured and played back to the server by a hacker to impersonate the user; the plain text password isn’t even needed. This type of attack can be prevented by protecting the hash using the methods mentioned previously. Also, on modern systems the network can be configured to only accept NTLMv2, which has part of a challenge/response encoded with it and as such is not vulnerable to being replayed in this manner.
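To show why an NTLMv2 challenge/response cannot simply be replayed, here is an added Python simulation (not code from the post or from any Windows component) of the NTLMv2 computation as documented in MS-NLMP: the client builds the response and the server verifies it against the challenge it issued, and the same response presented in a later session with a fresh challenge is rejected. The user name, domain, challenges and the example NT hash are constructed values, and the AV-pair list in the blob is left empty for brevity.

```python
import hashlib
import hmac
import os
import struct

def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 key (MS-NLMP NTOWFv2): HMAC-MD5 keyed with the NT hash over the
    upper-cased user name followed by the domain, both encoded as UTF-16LE."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"),
                    hashlib.md5).digest()

def client_response(nt_hash: bytes, user: str, domain: str,
                    server_challenge: bytes, client_challenge: bytes,
                    timestamp: int = 0) -> bytes:
    """NtChallengeResponse = NTProofStr || blob. The proof is an HMAC over the
    server's 8-byte challenge plus the blob, so it is tied to this session."""
    blob = (b"\x01\x01" + b"\x00" * 6              # response version, reserved
            + struct.pack("<Q", timestamp)         # FILETIME in real traffic
            + client_challenge                     # 8 random client bytes
            + b"\x00" * 12)                        # reserved, empty AV pairs, reserved
    proof = hmac.new(ntowf_v2(nt_hash, user, domain),
                     server_challenge + blob, hashlib.md5).digest()
    return proof + blob

def server_verify(nt_hash: bytes, user: str, domain: str,
                  server_challenge: bytes, response: bytes) -> bool:
    """The server recomputes the proof from its stored NT hash and the challenge
    it issued for this session; a response made for another challenge fails."""
    proof, blob = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(nt_hash, user, domain),
                        server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)

def replay_demo() -> tuple:
    """Returns (genuine_accepted, replay_accepted) across two sessions."""
    # Constructed example: the widely published NT hash of the password
    # "password" (MD4 of its UTF-16LE encoding) stands in for the stored hash.
    nt_hash = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")
    user, domain = "alice", "CORP"
    first_challenge = os.urandom(8)
    resp = client_response(nt_hash, user, domain, first_challenge, os.urandom(8))
    genuine = server_verify(nt_hash, user, domain, first_challenge, resp)
    second_challenge = os.urandom(8)   # a new session gets a fresh challenge
    replay = server_verify(nt_hash, user, domain, second_challenge, resp)
    return genuine, replay
```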

Passwords are becoming increasingly vulnerable, which has prompted services such as banks to employ two factor authentication. On a network that contains sensitive data, good password hygiene is essential and should ideally be combined with encryption of the data. It is recommended that the domain administrator and other privileged accounts are put through numerous password crackers to ensure they can resist at the very least a basic attack. Finally, you should consider changing your passwords on a semi-regular basis, avoiding basic alterations and creating a unique one from scratch.

Written By: Jason Ede


