Gary Jones
Cracking NTLM Hashes with John the Ripper



Situation:

This exercise aimed to evaluate password security on costumes.artstailor.com by cracking NTLM hashes captured from a mimikatz log file. Using John the Ripper and the rockyou.txt wordlist, the goal was to assess the strength of the extracted passwords and highlight potential weaknesses in the organization’s password policies.


Obstacles:

  1. Formatting Challenges: Extracting and formatting the mimikatz log output into a proper hash file (username:hash) required attention to detail.
  2. Wordlist Limitations: The rockyou.txt wordlist was effective but might not have included all possible password variations.
  3. Partial Disclosure: Cracked passwords needed to be reported in a way that protects sensitive information while still demonstrating the breach.

Actions Taken:

  1. Hash Extraction:
    • Downloaded the mimikatz.log file generated during a previous exercise.
    • Formatted relevant hash data into a new file named hash, following the username:hash convention.
  2. Wordlist Preparation:
    • Copied the rockyou.txt wordlist from /usr/share/wordlists/ into the working directory.
  3. Password Cracking:
    • Executed the following John the Ripper command:
      sudo john --format=NT --wordlist=rockyou.txt hash
    • Successfully cracked the password for the user n.nomen.
  4. Verification:
    • Confirmed the cracked password using the --show option in John the Ripper.
  5. Analysis:
    • Reviewed the cracked password against NIST Special Publication 800-63B standards for password security.

Results:

  1. Password Cracked:
    • User: n.nomen
    • Password (partial): m7!....os!
  2. Password Weaknesses:
    • Password lacked sufficient length and complexity.
    • Use of dictionary words and predictable patterns increased vulnerability.
  3. Risk Assessment:
    • Risk Level: Critical.
    • Cracking the password demonstrates the organization's inadequate password policies, which could lead to unauthorized access and data breaches.

Tool Purpose Overview:

mimikatz:

  • Extracted NTLM hashes from system memory during post-exploitation.

John the Ripper:

  • A password-cracking tool used to test the NTLM hashes against a predefined wordlist (rockyou.txt).

rockyou.txt:

  • A widely used wordlist containing millions of real-world passwords, employed to simulate dictionary attacks.

Recommendations:

  1. Enhance Password Policies:
    • Enforce a minimum password length of at least eight characters.
    • Require the use of uppercase, lowercase, numbers, and special characters.
    • Prohibit repetitive characters, dictionary words, and previously breached passwords.
  2. Adopt NIST 800-63B Standards:
    • Regularly validate passwords against updated breach datasets.
    • Educate users on creating secure passwords.
  3. Implement Multi-Factor Authentication (MFA):
    • Reduce reliance on passwords alone by using MFA for an additional layer of security.
  4. Periodic Audits:
    • Conduct routine audits of password policies and practices to ensure compliance with security standards.
