August 12th, 2021

Password Audit

Why Password Audits need to be on your priority list ASAP. 

While many authentication mechanisms are adapting current technology trends such as Multi-Factor Authentication, Biometric sensors, and cryptographic tokens, there is one component that will remain prevalent for the foreseeable future – passwords.  Passwords control the access to many differing utilities:  computer logins, email systems, mobile devices, web applications, and even phone-based passphrase authorizations.  The main issues surrounding passwords revolve around their users and how they remember them, reset them, and choose them per system. 

Each year, security researchers and companies release their list of most commonly used passwords.  The list reveals the human tendency to choose weak, memorable passphrases, which opens the door for malicious adversaries to take advantage of the security risk.  Companies often enforce Password Policies to ensure both length and complexity; however, users can often find loopholes or disable settings to keep things easier for them, thus increasing the company’s risk posture. 

Password Audit Process 

The PLEX Cyber Password Auditing process investigates how effective a password policy is enforced, which settings have been bypassed or disabled, and reveal historical trends of the system’s users.  This data can help direct policy changes, security improvements, and risk reductions to a company’s assets. 

Windows Domain Analysis 

One main source of passwords within a company’s environment is the Domain Authentication.  The Domain Controller stores the NTLM hash for every domain object (which includes users and computers) in the domain.  These hashes are derived from the password for each account and represent the cryptographic information used for authentication. 

In order to audit the passwords in use for a Windows Domain, PLEX Cyber performs an audit against the hashes dumped from a Domain Controller.  The process to dump the hashes involves either ntdsutilImpackets secretsdump, or Mimikatz’s dcsync.  The audit consists of extracting current and historical hashes, analyzing the correlations and trends, and attempting to crack as many hashes as possible.  ‘Cracking’ refers to the process of discovering the password related to a hash, often through dictionary-based and brute force attacks. 

Dark Web Harvesting 

PLEX Cyber performs Dark Web queries for all our clients to discover what, if any, credentials have been compromised and/or leaked.  While the information gathered may not be the same credentials used for the associated user’s email account, it could reveal password trends or a list of a valid email addresses to target for phishing. 

Graphical user interface

Description automatically generated

Figure 1: Sample Dark Web Export 

Web Application Reviews 

Internal web applications often go untested, especially for ones included in network or Internet-of-Things (IoT) devices.  While gaining access to a printer using default credentials may not seem like a security concern, some printers can allow for access to historical print jobs, an email address list, or even LDAP configuration settings to the Windows Domain Controller.  Many built-in web applications contain hard-coded or default credentials that should be changed. 

Graphical user interface, application

Description automatically generated

Figure 2: Xerox Printer, default credentials, with Contacts List 

Common Findings 

During the numerous Password Audits PLEX Cyber has performed, there are common trends in the shortcomings and vulnerabilities present in the policies and configurations.  

Cracking Complexity 

PLEX Cyber uses the open-source tools and custom scripts to perform hash cracking, using the following techniques:  

  1. Generate custom word list related to the client 
  1. Download standard wordlists, available publicly  
  1. Add the custom wordlist to the public lists 
  1. Generate permutations via rule sets 
  1. Crack passwords  
  1. Add newly found passwords back to custom password list 
  1. Analyze cracked passwords for trends 
  1. Use suggested masks for smart brute forcing of longer passwords 
  1. Restart the process as needed until all lists and rules are exhausted  

After this process is complete, it can be combined with data pulled from Active Directory to reveal privilege levels for cracked accounts, password ages, password sharing/reuse trends, and providing statistics about percentage of enabled accounts that were cracked.  On average, our processes crack around 30% of the enabled accounts and around 45% of the historical credentials.  These figures adjust based on organization size, password complexity policy, expiration policy, and user awareness/training. 

Weak Historical Changes 

One security vulnerability often found in all circumstances:  users are lazy.  Because of this, users tend to find loopholes, avoid policy enforcements, or adjust as little as necessary.  If users are required to change their password every 90 days, it is more likely their passwords will only change by a small percentage.  The table below shows how simplistic passwords can be chosen, often still complying to the Domain’s password policy, and trivially guessed based on previous passwords and trends. 

Password Trends (from actual audits) 
Previous New 
Winter2020! Spring2021! 
Bubbles12 Bubbles13 
P@ssw0rd! P@ssw0rd!! 
September2020 December2020 
Welcome123 Welcome321 

LDAP Attributes 

While unconventional and insecure, it is fairly common to find Domain Users with passwords saved in their LDAP attribute fields such as ‘Description’ or ‘Title’.  These attributes are usually configured when an account is provisioned by a Domain Administrator and hold details describing the purpose of the account.  Even saving a password within the attributes of a disabled account could reveal password trends or reuse issues. 

Graphical user interface, text

Description automatically generated

Figure 3: Plaintext Password in LDAP Attribute 

Most password policies include a required password expiration to enforce accounts to change their password after a given duration.  There is a separate LDAP attribute for “Password Does Not Expire” which overrides the password policy of the domain.  Accounts with this LDAP attribute set can remain unchanged for years without detection.  This setting is most often applied to service accounts since they are maintained by the admins and do not belong to a specific person; however, these passwords should still be audited as the account’s privileges within the domain can be abused. 

NTLM-Relaying 

SMB Signing is an improvement to the NTLM authentication mechanism used by Windows services and accounts.  SMB Signing uses cryptographic protections to disable NTLM-Relaying attacks by ensuring the source and destination of authentication remains unchanged.  Without SMB Signing, a malicious network user may abuse ARP poisoning techniques to hijack NTLM authentication traffic to gain access to resources without any passwords or hashes needed.  Relaying the NTLM authentication can lead to the compromise of account credentials, effectively weakening the password policy. 

SMB Signing can be enforced with a simple GPO. 

Conclusion  

Passwords are an important aspect for many technology applications.  Auditing their usage, policies, and exposure can assist IT personnel with securing their environment. PLEX Cyber is well versed in performing Password Audits and is available to assist.  

For more information on how PLEX Cyber can help your organization secure its environment, please contact Christina Majernik, VP PLEX Cyber at christina.majernik@plex-llc.com