Passwords
MITRE ATT&CK Main Tactics
Based on the flow of the lecture.
Plaintext:
Online guessing:
Offline guessing:
Dictionaries
Common and default passwords
- SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, web shells, and many more (including default passwords).
- Search for "github password dictionary".
- Search for "worst passwords of 2023" (ready-to-use dictionaries on GitHub).
- Rainbow tables download Tables of precomputed password hashes (for offline guessing).
Compromised passwords
- Have I Been Pwned Check if your account has been compromised in a known data breach (the account is specified as an email address). It offers these highly recommended services:
- Notify me: if your email address appears in a future breach, you will be notified
- Domain search: administrators of an email domain can be notified of all breaches of that domain (every organization should definitely use that service; I have seen very, very "interesting" examples in practice).
- Pwned Passwords are hundreds of millions of real-world passwords previously exposed in data breaches. This exposure makes them unsuitable for ongoing use, as they are at much greater risk of being used to take over other accounts. They are searchable online on this website.
- Search for "milioni password email" (Italian for "millions password email") Useful for finding dumps from data breaches and news about them.
Modern password policies prohibit users from choosing passwords known to have been used in data breaches. For example, the NIST guidelines (see the Appendix of this page) state:
When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example, the list MAY include, but is not limited to: Passwords obtained from previous breach corpuses.
This important requirement can be satisfied, for example, with the list or the API made available by Pwned Passwords:
- haveibeenpwned-downloader A tool to download all Pwned Passwords hash ranges and save them offline, so they can be used without a dependency on the k-anonymity API.
- Pwned Passwords in Practice: Real World Examples of Blocking the Worst Passwords
- Validating Leaked Passwords with k-Anonymity A very interesting, but somewhat complex, description of an important property of the API: the fact that one can query that API without disclosing "an excessive amount of information" about the password being queried (you don't want to tell the service which password your user would like to choose).
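The k-anonymity query described in the last item, and the NIST "compare against compromised values" rule quoted above, as an added example (not Have I Been Pwned's own code). The breach corpus, its counts and the offline range lookup are constructed stand-ins; `live_range_lookup` shows the real request shape but is not called here.

```python
"""Pwned Passwords range query with k-anonymity. Added example, not HIBP's own code."""
import hashlib
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for a breach corpus: (plaintext, times seen in breaches).
# The counts are made up for this demo; the live service has the real ones.
CONSTRUCTED_CORPUS: List[Tuple[str, int]] = [
    ("password", 3730471),
    ("123456", 37359195),
    ("letmein", 254000),
]

def sha1_upper(password: str) -> str:
    """Pwned Passwords keys its corpus by upper-case hex SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_offline_ranges(corpus: List[Tuple[str, int]]) -> Dict[str, str]:
    """Group the corpus by 5-char hash prefix, in the 'SUFFIX:COUNT' line format
    the real /range/{prefix} endpoint returns (this stand-in serves it offline)."""
    ranges: Dict[str, List[str]] = {}
    for plaintext, count in corpus:
        digest = sha1_upper(plaintext)
        ranges.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return {prefix: "\r\n".join(lines) for prefix, lines in ranges.items()}

OFFLINE_RANGES = build_offline_ranges(CONSTRUCTED_CORPUS)

def offline_range_lookup(prefix: str) -> str:
    return OFFLINE_RANGES.get(prefix, "")

def live_range_lookup(prefix: str) -> str:
    """Query the real API. Only the 5-char prefix leaves the machine (k-anonymity):
    the service learns a bucket of hundreds of hashes, never the password itself."""
    import urllib.request
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url) as resp:
        return resp.read().decode("utf-8")

def pwned_count(password: str, lookup: Callable[[str], str] = offline_range_lookup) -> int:
    """Hash locally, send only the prefix, and match the suffix client-side."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate.strip() == suffix:
            return int(count.strip())
    return 0

def passes_breach_check(password: str, lookup: Callable[[str], str] = offline_range_lookup) -> bool:
    """The NIST SP 800-63B verifier rule quoted above: reject any secret seen in a breach."""
    return pwned_count(password, lookup) == 0
```

To use the live service, pass `lookup=live_range_lookup`; the hash prefix is the only thing sent, so the chosen password is never disclosed.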
Analyses of Password Attacks
- PWDB - New generation of Password Mass-Analysis Interesting facts and statistics from the analysis of hundreds of millions of leaked passwords.
- Your Pa$$word doesn't matter (2019) An analysis of password attacks observed by Microsoft Threat Intelligence.
- STRONTIUM: Detecting new patterns in credential harvesting (2023) Rates of spraying observed in this particular campaign (4 per hour and account, each attempt from a different IP address). Microsoft Threat Intelligence.
Online guessing
The techniques below are all part of the Discovery tactic.
Finding Login pages
- OKadminFinder Easy way to find the admin panel of a website: more than 1000 potential admin panels, random User-Agents, proxies and Tor.
- Logsensor
Constructing Usernames
Account discovery technique.
- Username Anarchy Tools for generating usernames: format-string-style username format definitions, substitutions (e.g. when only a first initial and last name are known, as LinkedIn lists users, it attempts all possible first names), and country databases of common first and last names.
- Kerbrute A tool to enumerate valid Active Directory accounts without causing any login failure (see also its usage for bruteforcing, below).
Finding and attacking legacy protocols within organizations
- NTLMRecon Given a single URL or an IP address/range, it returns a list of URLs where NTLM over HTTP is used.
- spraycharles Low and slow password spraying tool, designed to spray on an interval over a long period of time.
- Password spraying and MFA bypasses in the modern security landscape Detailed description of how to use the above tools.
- Kerbrute A tool to quickly brute force Active Directory accounts (guessing, stuffing, spraying).
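The "low and slow" pattern that spraycharles implements and that the STRONTIUM report measured (a few attempts per hour per account, each from a different IP) is exactly what per-account lockout counters miss. The detector below is an added example, not code from any of the tools above; the log format and the sample lines are constructed.

```python
"""Low-and-slow password spraying detector run over constructed auth log lines.
Added example (not from spraycharles or Microsoft); the log format is invented."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sample log: one or two failed logons per account, each account from a
# different source IP, spread over an hour; then one user typing their password wrong.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z FAIL user=alice src=203.0.113.5
2024-05-01T10:15:00Z FAIL user=bob src=203.0.113.6
2024-05-01T10:16:00Z FAIL user=carol src=198.51.100.7
2024-05-01T10:30:00Z FAIL user=dave src=198.51.100.8
2024-05-01T10:44:00Z FAIL user=erin src=192.0.2.9
2024-05-01T10:50:00Z FAIL user=bob src=203.0.113.6
2024-05-01T10:52:00Z OK user=carol src=10.0.0.3
2024-05-01T12:30:00Z FAIL user=frank src=10.0.0.4
2024-05-01T12:31:00Z FAIL user=frank src=10.0.0.4
"""

def parse_line(line: str) -> Tuple[datetime, str, str, str]:
    ts, result, user_kv, src_kv = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, user_kv[5:], src_kv[4:]

def detect_spray(log: str, window: timedelta = timedelta(hours=1), min_accounts: int = 4,
                 max_per_account: int = 3, min_sources: int = 3) -> List[Tuple[datetime, List[str], List[str]]]:
    """Flag a sliding window in which many distinct accounts each fail only a few times
    (staying under a lockout threshold) from several source IPs. Per-account lockout
    counters never fire on this pattern, so the detection pivots on breadth instead."""
    failures = sorted(parse_line(l) for l in log.splitlines() if " FAIL " in l)
    alerts, skip_until = [], datetime.min
    for i, (start, _, _, _) in enumerate(failures):
        if start < skip_until:
            continue
        per_user: Dict[str, int] = defaultdict(int)
        sources: Set[str] = set()
        for ts, _, user, src in failures[i:]:
            if ts - start > window:
                break
            per_user[user] += 1
            sources.add(src)
        if (len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account
                and len(sources) >= min_sources):
            alerts.append((start, sorted(per_user), sorted(sources)))
            skip_until = start + window  # one alert per window, not one per failure
    return alerts
```

On the sample log this yields a single alert for the 10:00 hour; frank's two typos at 12:30 stay below `min_accounts` and are not flagged.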
Secure Password Storage
- 14.7. Password hashing from Computer Security at Berkeley (CS161). Everything in this book is more than OK.
- Password Storage Cheat Sheet - OWASP This cheat sheet provides guidance on the various areas that need to be considered when storing passwords.
- CyberChef Online web app for executing many infosec-related calculations, including bcrypt hashes and NT hashes.
Offline guessing (Password Cracking)
- Password cracking: Past, Present and Future (May 2024) All you might want to know about password cracking. History, optimization techniques, speed and much, much more.
Stealing password hashes from SAM / NTDS
Techniques in the OS Credential Dumping tactic.
- Windows Authentication and Attacks 101 — Part C One of the many, many tutorials out there. This one is based on an offensive tool available on GitHub called LaZagne.
- Security Account Manager (SAM) and NTDS Examples with screenshots of several different tools, from the excellent "Pentest Everything" website.
- Dumping Domain Password Hashes Step-by-step examples with several software tools (Mimikatz, Empire and others).
- Search for "Domain of Thrones: Part I" on this website. You will find an excellent description of several attacks on Active Directory environments, including three that steal password hashes from the domain controller.
Benchmarks / Cracking speed
- Nvidia RTX4080 FE latest Hashcat benchmark (2023) Includes results for every hashcat benchmark mode (on this particular hardware, 2023).
- John the Ripper benchmarks Not easy to interpret and understand.
Brute Forcing the Full Password Space
The resources below estimate the time required to complete a brute force attack over a predefined password space.
Always keep in mind that these calculations do not reflect what attackers usually do as a first step, i.e., trying commonly used passwords.
- Hive Systems Password Table Colorful infographic table (released every year) that shows the relative strength of a hashed password against a cracking attempt, based on:
- the password’s length,
- complexity,
- hashing algorithm used by the victim,
- and the hardware used by the attacker.
- Password cracking speed NTLM (SAM hashes) (2020)
- Entropy vs Password length vs Cracking speed
- Brute force calculator
Appendix - Password Policy
- Password Best Practice - NIST No complexity requirements, no expiration, use password managers. The original NIST document is here.
- Password policy: updating your approach - NCSC UK Advice for system owners responsible for determining password policies and identity management within their organisations. "Don't enforce regular password expiry: Regular password changing harms rather than improves security."
- Password policy recommendations - Microsoft "Current research strongly indicates that mandated password changes do more harm than good."
Interestingly, this is the suggestion I receive from a website that is crucial in my job (a suggestion in clear conflict with the above guidelines):