H3-2022-0093

Weak or Default Credentials - Cracked Credentials from Active Directory Services Database (NTDS)

Category: CREDENTIALS
Base Score: 8.0

Description

After obtaining domain administrator access, NodeZero dumped all domain-user NTLM (NT LAN Manager) hashes from a domain controller, and attempted to crack them. It successfully cracked at least one hash for an active domain user.

Impact

Where an account's password hash is cracked, an attacker will likely be able to compromise that account through attacks such as password spray, man-in-the-middle attacks, and other means. Once an account is compromised, an attacker can move freely through the environment and access data with the privileges of that account.

NodeZero cracks hashes using a variety of methods:

  • Empty password.

  • Exact match with a known, breached password.

  • Password based on username.

  • Credential stuffing (password is an exact match with a known, breached password for this username).

  • Credential tweaking (password is a simple mutation of a known, breached password for this username).

  • Based on contextual term (password is based on a well-known organization term – like the organization's name, domain name, or brands – plus any Weak Password Terms specified in an AD Password Audit's OSINT step).

  • Based on a common breach term for the organization (password is based on words/patterns seen in real breaches tied to the organization).
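As an added example (not NodeZero's own code), a small Active Directory password-audit classifier that applies the categories above to an NTDS-style dump of NT hashes. The user names, hashes, breach lists, organization terms and the suffix-based mutation rules are constructed assumptions for illustration; the NT hash itself (MD4 over the UTF-16LE password) is the real format.

```python
import struct

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often missing in OpenSSL 3 builds."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    msg = data + b'\x80' + b'\x00' * ((55 - len(data)) % 64) + struct.pack('<Q', 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = ((F, 0, range(16), (3, 7, 11, 19)),
              (G, 0x5A827999, [i + 4 * j for i in range(4) for j in range(4)], (3, 5, 9, 13)),
              (H, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)))
    for off in range(0, len(msg), 64):
        X, (aa, bb, cc, dd) = struct.unpack('<16I', msg[off:off + 64]), (a, b, c, d)
        for f, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                a, b, c, d = d, rotl((a + f(b, c, d) + X[idx] + k) & 0xFFFFFFFF, shifts[i % 4]), b, c
        a, b, c, d = [(x + y) & 0xFFFFFFFF for x, y in zip((a, b, c, d), (aa, bb, cc, dd))]
    return struct.pack('<4I', a, b, c, d)

def nt_hash(password: str) -> str:
    """NT hash as stored in NTDS.dit: MD4 over the UTF-16LE password, hex encoded."""
    return md4(password.encode('utf-16-le')).hex()
SUFFIXES = ('', '1', '!', '123', '2024')  # assumed 'simple mutations' for credential tweaking
def mutations(word: str) -> set:
    return {b + s for b in {word, word.lower(), word.capitalize()} for s in SUFFIXES}

def classify(user, nthash, breached, user_breached, org_terms):
    """Return the first weakness category (in the order listed above) that explains the hash, or None."""
    mine = user_breached.get(user.lower(), [])
    checks = (('empty password', ['']),
              ('credential stuffing', mine),
              ('credential tweaking', [m for p in mine for m in mutations(p)]),
              ('breached password', breached),
              ('based on username', mutations(user)),
              ('contextual term', [m for t in org_terms for m in mutations(t)]))
    return next((cat for cat, words in checks if any(nt_hash(w) == nthash.lower() for w in words)), None)

# Constructed sample input: an NTDS-style dump (user -> NT hash) and the audit's word sources.
SAMPLE_NTDS = {'svc_backup': '31d6cfe0d16ae931b73c59d7e0c089c0',  # real NT hash of ''
               'rkim': '8846f7eaee8fb117ad06bdd830b7586c',        # real NT hash of 'password'
               'jdoe': nt_hash('Summer2019!'), 'asmith': nt_hash('Asmith1'),
               'mlee': nt_hash('acme.local2024'), 'cfo': nt_hash('Xq9#vL2!pR7$wT')}
BREACHED, ORG_TERMS = ['password', '123456', 'letmein'], ['Acme', 'acme.local']
USER_BREACHED = {'jdoe': ['Summer2019']}  # per-user leaks, as a breach-data feed would supply
def run_audit(ntds=SAMPLE_NTDS):
    return {u: classify(u, h, BREACHED, USER_BREACHED, ORG_TERMS) for u, h in ntds.items()}
```

Every user except `cfo` is flagged with the category that explains the hash, which is the kind of per-account finding an AD password audit should feed back into a forced reset and a banned-password policy.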

View the proof for a summary report.

References