Crazy Fast Password Recovery with Hashcat

I have been playing with Hashcat a little bit today and I am just stunned on how fast it is. Hashcat is an all purpose password cracker that can run off of your GPU or your CPU. The GPU version, OCLHashcat-plus is touted as the world’s fastest md5crypt, phpass, mscash2 and WPA / WPA2 cracker.

Hashcat is a multi-threaded cracker, so if your CPU can run several threads, it will use them. But the real speed comes into play when using the horsepower of a GPU. If your GPU can run hundreds of threads, all of this power is used to break passwords.

But just how fast is it?

I took just a simple password: “fred” and fed the NTLM password hash into Hashcat. I used just the slower CPU version and the Bruteforce option. The password was recovered as soon as I hit run:

It was so fast, the estimated and elapsed time didn’t even register.

You can also use password dictionaries to use as a guideline for Hashcat. For the next test, I downloaded the “RockYou.txt” password list. This is a list of actual passwords that have been sanitized (usernames removed). I pulled 4 random plain text passwords from RockYou and converted them to Windows NTLM passwords:

elizabeth1 – 6afd63afaebf74211010f02ba62a1b3e
francis123 – 43fccfa6bae3d14b26427c26d00410ef
duodinamico – 27c0555ea55ecfcdba01c022681dda3f
luphu4ever – 9439b142f202437a55f7c52f6fcf82d3

I placed the 4 password hashes into a file called hashes.txt, added in the RockYou plain text password list and fed them into Hashcat:

Hashcat recovered all five passwords in about the same amount of time it took to create the display screen, a second, maybe 2:

Remember that these are the NTLM hashes, not Window’s simpler LM hashes.

Add in the GPU version, advanced rules, attack methods, and Hybrid Masks and you really have a powerful tool to recover almost any password.

Advertisements

How to Log into Windows without the Password

I covered this topic last year (Windows Backdoor: System Level Access via Hot Keys) but just ran into this again recently. How do you gain access to a Windows system that you have legitimately lost the password to?

Well, there seems to be a couple utilities out there that claim to allow you to do this. We tried a Linux Live-CD based, one that was supposed to allow you to change any Windows password. But it didn’t work.

I even tried Kon-Boot, both the CD based and USB flash drive variety. Kon-boot sounds very cool, and comes highly recommended. You boot Kon-Boot first, then after it is booted, it loads your OS. Then you can put in any password, or hit enter and it bypasses the login and allows you into the users account. It is supposed to work on Windows and Linux systems. But unfortunately it also did not work on my systems.

What to do? Well, I figured I would give my article from last year a shot to see if it still worked. (Okay, just a quick disclaimer. Do not do this on a system that you do not own, or have permission to modify. And messing with system files could leave your system in an unstable state, if you chose to continue, you do so at your own risk.)

So I booted into Ubuntu, went to the Windows System 32 directory, renamed utilman.exe to utilman.old, copied cmd.com to utilman.exe and rebooted.  At the Windows log in prompt I hit the “Windows”+”U” key and open pops a system level command prompt. From here you can type any windows command, add users, etc.

The funny part is you can type “explorer.exe”, hit enter and a you get a System level desktop. From here you can open Internet Explorer, and surf the web. And while you are doing all this, the Windows login screen dutifully stays in the background  protecting(?) your system.

I found the Utilman modification solution on Microsoft’s Technet site, but it is not the only one that works. A comment on last year’s post pointed me to another trick on Adam’s Technical Journal.  Modifying the “Sethc.exe” command in the same way also allows you to bypass the Windows login screen. The “sethc” file is for the Windows Sticky Keys function. Under normal operation, if you hit the Shift key something like 5 times in a row, the sticky key dialog box will pop up.

Doing so when the sethc file has been replaced with a copy of command.com, opens up a system command prompt at the login screen, just like the utilman modification above.

This process still works on a fully patched and updated Windows 7 system. When I checked it last year, it also worked on all of Windows server products. Windows protects these system files from being modified when Windows is booted, but booting in Linux to alter them just takes a couple minutes at most.

These techniques can be a life saver if you have lost the password to an important system, but it also goes to show that strong physical security is also needed when securing your systems.

Windows Backdoor: System Level Access via Hot Keys

 

You hear it all the time in the support forums, “I lost my administrator password, what do I do?” Honestly, it makes you wonder how many times the request is really legit.

But, what if you were having a really bad day and you forgot your password. I mean the world ran out of coffee and your car radio got stuck on a country station on the way in to work. Yes, that kind of bad day. You arrive late to your office; well you did stop at every coffee place on the way in to make sure they were out, what did you expect? You rush to your desk, sit down at your keyboard to login and… nothing. It’s gone, you can’t remember it. You wrote your password on a sticky note on your monitor (of course), but wouldn’t you know, this was the day the cleaning crew actually visited your office, and threw it away. You could call IT support, but that would be you. What do you do? Better yet, how much time would you need? 

60 Seconds. This is how long it takes (minus boot times) to get a command prompt in the latest version of Windows, from the main login screen, with all of the security patches updated and an anti-virus program installed. That is, if you have physical access to the system and can reboot it. And this is not any old command prompt; this is a command prompt as the user “System”. If you know windows security, then you know that the “System” user is the highest level of authority that you can have. The operating system thinks you are the internal “system”. 

This hack requires physical access to the system and access to a DVD or USB drive. It is obtained by the manipulation of the Windows Hot-Keys “utilman.exe” file. This hack has been around (and known) since Windows XP and still works in the latest release of Windows 7. Because it is a manipulation of a windows service, it has never been patched. And actually, it is used as a solution, with instructions, on Microsoft’s Technet forum. 

After manipulation, once the hotkey is pressed, it instantly opens a command prompt window as the user “System” at the login screen. Typing “explorer.exe” in the command prompt gives you a desktop with the password prompt still visible in the background (See picture). From here, many of the features of windows are functional. In the following picture you can see the open “Start Bar” & “Internet Explorer” window, along with the login prompt in the background:

 

Amazingly, this works in Windows Server products as well. If someone had access to your computer and manipulated the hot-keys, they could get system level access to your server at a later date via the hot-key without rebooting your system. Therefore, it is imperative to keep physical security as a top concern in your business. Make sure that your server is in an area that is not available to public traffic and preferably in a locked room. Take extra care with your laptops. Do not leave them in areas that are unattended. 

It is always a good idea to disable services that are not needed. Also, disable booting to external devices and using boot passwords helps. Unfortunately, disabling the Windows hot-keys is not well documented. With Windows 7, Microsoft recommends a third-party program to tweak these settings. Supposedly you can also do this with a Windows policy edit, but I have not seen this documented either. I have also seen some sites recommend renaming the “utilman.exe” file to something else if not needed. But the best defense is strong physical security.