Hackfest 2024 - 16-bit Edition


Active Directory Password Insecurity
10-12, 13:30–14:20 (America/New_York), Track 2 (206a)
Language: English

This talk will be a primer on Active Directory Password Storage, and password cracking methodologies for NTLM and NTLMv1. This talk will discuss reversing NTLMv1 to NTLM as well as inefficient but effective hashcat methodologies.

Outline:

Intro: Active Directory stores passwords as NTLM, and NTLM comes in multiple forms: NTLM, the MD4-based hash type, and the NTLMv1 and NTLMv2 challenge-response protocols. This password storage technique can be cracked, or in the case of NTLMv1 reversed to NTLM. NTLM is also password equivalent. This talk will discuss the nuances of NTLM as well as cover password cracking techniques by a member of "Team Hashcat".

Technical terms and level setting: This portion of the talk will define NTLM and NTLMv1, how they are used, and password equivalence, and cover the basics of hashcat.

NTLMv1 reversion to NTLM and Silver Ticket: This portion of the talk will describe the technical details of the NTLMv1 challenge response and the operation of Responder. This portion will demonstrate the reversion of NTLMv1 to NTLM and the generation of a silver ticket to compromise a DC. This talk will also discuss PEAP-MSCHAPv2, which is just NTLM (technically the UTF-16LE encoded password hashed with MD4, but I digress).
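As an added illustration (not part of the talk materials or any tool the speaker releases), the following Python computes the NT hash exactly as described above (MD4 over the UTF-16LE password, with no salt) and shows how NTLMv1 carves that hash into three DES keys, the third of which contains only two bytes of hash material. MD4 is implemented in pure Python because hashlib's md4 is unavailable on many OpenSSL 3 systems; the sample password is constructed.

```python
import struct

def _md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Pure Python because hashlib.new('md4') is often disabled."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda v, s: ((v << s) | (v >> (32 - s))) & 0xFFFFFFFF
    msg = data + b"\x80"                                  # padding: 0x80, zeros, 64-bit LE bit length
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        A, B, C, D = a, b, c, d
        for i in range(16):                               # round 1
            k, s = i, (3, 7, 11, 19)[i % 4]
            A, B, C, D = D, rol((A + F(B, C, D) + X[k]) & 0xFFFFFFFF, s), B, C
        for i in range(16):                               # round 2
            k, s = (i % 4) * 4 + i // 4, (3, 5, 9, 13)[i % 4]
            A, B, C, D = D, rol((A + G(B, C, D) + X[k] + 0x5A827999) & 0xFFFFFFFF, s), B, C
        for i in range(16):                               # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            s = (3, 9, 11, 15)[i % 4]
            A, B, C, D = D, rol((A + H(B, C, D) + X[k] + 0x6ED9EBA1) & 0xFFFFFFFF, s), B, C
        a, b, c, d = [(x + y) & 0xFFFFFFFF for x, y in zip((a, b, c, d), (A, B, C, D))]
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> str:
    """The NTLM / NT hash: MD4 over the UTF-16LE password. No salt, no iterations,
    so identical passwords give identical hashes and the hash itself is password equivalent."""
    return _md4(password.encode("utf-16-le")).hex()

def ntlmv1_des_keys(nt_hash_hex: str) -> list:
    """NTLMv1 (and MSCHAPv2) pad the 16-byte NT hash with five zero bytes to 21 bytes and
    split it into three 7-byte DES keys. The third key holds only two real bytes, which is
    why the challenge response can be turned back into the NT hash; the defensive takeaway
    is to disable NTLMv1 (LmCompatibilityLevel) rather than to rely on password strength."""
    padded = bytes.fromhex(nt_hash_hex) + b"\x00" * 5
    return [padded[i:i + 7] for i in range(0, 21, 7)]

if __name__ == "__main__":
    h = nt_hash("password")                               # constructed sample password
    print("NT hash:", h)
    for n, k in enumerate(ntlmv1_des_keys(h), 1):
        print(f"DES key {n}: {k.hex()}")
```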

Password cracking methodologies: This section will cover EvilMog's favorite password cracking methodologies.

Expander/Fingerprint - Expander.bin and -a1, the old-school method of hash cracking with hashcat
Cutb/Takeout Attack - usage of cutb, recreation of the takeout attack from the rants by chort
PRINCE & purple rain - demonstration of purple rain, generator and shuffle
generated2.rule/raking - discussion of raking, how to set up a rake, usage of -g, and how generated2.rule was created
hashcat blender - repo of scripts used to execute the above attacks
insane rules - omgwtfbbq.rule and superevil.rule, insane rules created for breaking in GPUs

Talk Type:

50 min talk

What do you expect from attendees?:

I expect attendees to be familiar with hashcat, as this is not a hashcat 101 talk. I suspect most attendees will be familiar with Active Directory.


Are you releasing a tool? – no

EvilMog is the Chief Architect of X-Force, a member of "Team Hashcat", Bishop of the "Church of Wifi", two-time Hacker Jeopardy black badge winner at DEFCON, two-time Hacker Jeopardy gold badge winner at THOTCON, a Special Effects Pyrotechnician, and adrenaline junkie. He has two decades of cyber security experience and way too many certifications.