Introduction
In this lab, you will gain practical experience in cracking NTLM (NT LAN Manager) hashes using John the Ripper, a powerful password cracking tool. NTLM hashes are commonly used in Windows environments for storing user passwords. Understanding how these hashes can be cracked is crucial for comprehending password security vulnerabilities and implementing stronger security measures.
You will start by simulating the extraction of NTLM hashes, then learn how to format them correctly for John the Ripper. Subsequently, you will use two primary cracking methods: dictionary attacks with a wordlist and brute-force attacks using incremental mode. Finally, you will reflect on the security implications of NTLM hashes and the importance of strong password policies. This lab provides a hands-on approach to a fundamental concept in cybersecurity.
Extract NTLM Hashes from a System
In this step, you will simulate the extraction of NTLM hashes. In a real-world scenario, NTLM hashes can be extracted from various sources, such as the Security Account Manager (SAM) database on Windows systems, Active Directory, or network traffic. For this lab, we have already provided a file named hashes.txt in your ~/project directory, which contains sample NTLM hashes.
First, let's verify the presence of the hashes.txt file and examine its content. This file contains several lines, each representing a user entry with their NTLM hash. The format typically includes username, user ID, LM hash (often empty or default), NTLM hash, and other fields. We will focus on the NTLM hash part.
Use the ls command to list the files in your current directory and then use the cat command to display the content of hashes.txt.
ls -l ~/project/hashes.txt
cat ~/project/hashes.txt
You should see output similar to this, showing the file details and its content:
-rw-r--r-- 1 labex labex 300 Mar 10 10:00 /home/labex/project/hashes.txt
user1:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
user2:501:aad3b435b51404eeaad3b435b51404ee:209c6174efb4b710:209c6174efb4b710:::
user3:502:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad065adec1000000:::
user4:503:aad3b435b51404eeaad3b435b51404ee:e52cac67419a9a224a30370a31323334:::
user5:504:aad3b435b51404eeaad3b435b51404ee:d41d8cd98f00b204e9800998ecf8427e:::
The NTLM hash is the fourth field in each line, separated by colons. For example, for user1, the NTLM hash is 31d6cfe0d16ae931b73c59d7e0c089c0.
Format NTLM Hashes for John the Ripper
In this step, you will prepare the NTLM hashes for John the Ripper. While John the Ripper can often handle various hash formats automatically, it's good practice to understand the expected input. For NTLM hashes, John the Ripper typically expects the format username:NTLM_hash.
Our hashes.txt file contains additional fields. We need to extract only the username and the NTLM hash. We can use the cut command to achieve this. The cut command can extract sections from each line of files. We will use : as the delimiter and select the first and fourth fields.
Execute the following command to extract and format the hashes, then redirect the output to a new file named ntlm_hashes.txt in your ~/project directory.
cut -d ':' -f 1,4 ~/project/hashes.txt > ~/project/ntlm_hashes.txt
cat ~/project/ntlm_hashes.txt
You should see the formatted hashes, ready for John the Ripper:
user1:31d6cfe0d16ae931b73c59d7e0c089c0
user2:209c6174efb4b710
user3:8846f7eaee8fb117ad065adec1000000
user4:e52cac67419a9a224a30370a31323334
user5:d41d8cd98f00b204e9800998ecf8427e
This ntlm_hashes.txt file now contains only the username and the corresponding NTLM hash, which is the ideal format for John the Ripper.
Crack NTLM Hashes with a Wordlist
In this step, you will use John the Ripper to crack the NTLM hashes using a wordlist (also known as a dictionary attack). A wordlist is a file containing a list of common passwords, dictionary words, or previously leaked passwords. This is often the most effective method for cracking weak passwords.
We have provided a simple wordlist file named wordlist.txt in your ~/project directory. Let's first inspect its content.
cat ~/project/wordlist.txt
You should see the following content:
password
123456
qwerty
admin
test
Now, use John the Ripper with the wordlist.txt to crack the hashes in ntlm_hashes.txt. The command john --format=NT --wordlist=wordlist.txt ntlm_hashes.txt specifies the hash format as NTLM (NT), the wordlist to use, and the file containing the hashes.
john --format=NT --wordlist=~/project/wordlist.txt ~/project/ntlm_hashes.txt
John the Ripper will attempt to crack the hashes. You might see output similar to this, indicating which hashes were cracked:
Using default input encoding: UTF-8
Loaded 5 password hashes with no different salts (NT [MD4 HASHES])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
123456 (user4)
test (user2)
password (user1)
3g 0:00:00:00 DONE (2023-10-27 08:00) 100.0% (ETA: 08:00) 3.750g/s 11.25p/s 11.25c/s 11.25C/s 123456...test
Session completed.
After the cracking process, you can view the cracked passwords using the john --show command.
john --show ~/project/ntlm_hashes.txt
The output will list the cracked hashes and their corresponding plain-text passwords:
user1:password
user2:test
user4:123456
3 password hashes cracked, 2 left
This shows that user1's password was password, user2's was test, and user4's was 123456. The other two hashes (user3 and user5) were not cracked by this wordlist, indicating their passwords might be stronger or not present in our simple wordlist.
Crack NTLM Hashes with Incremental Mode
In this step, you will explore John the Ripper's incremental mode, which performs a brute-force attack. Unlike wordlist attacks, incremental mode tries combinations of characters systematically, starting from short, simple combinations and gradually increasing complexity. This method is effective for cracking passwords that are not in a wordlist but can be very time-consuming for long or complex passwords.
John the Ripper's incremental mode uses character sets and rules to generate passwords. For NTLM hashes, we can specify the NT format and use the --incremental option. John the Ripper has built-in incremental modes (e.g., alnum, digits, all). We will use the default incremental mode, which tries various character sets.
Before running the incremental mode, it's good practice to reset John the Ripper's session to avoid conflicts with previously cracked hashes.
john --session=reset
Now, run John the Ripper in incremental mode against the ntlm_hashes.txt file. This process might take a few moments, depending on the complexity of the remaining uncracked hashes.
john --format=NT --incremental ~/project/ntlm_hashes.txt
You might see output similar to this as John the Ripper attempts to crack the remaining hashes:
Using default input encoding: UTF-8
Loaded 5 password hashes with no different salts (NT [MD4 HASHES])
Remaining 2 password hashes to crack
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
(user5)
(user3)
2g 0:00:00:00 DONE (2023-10-27 08:05) 100.0% (ETA: 08:05) 2.500g/s 7.500p/s 7.500c/s 7.500C/s
Session completed.
After the process completes, check the cracked passwords again using john --show.
john --show ~/project/ntlm_hashes.txt
You should now see all hashes cracked, including user3 and user5. The password for user3 is admin and for user5 is an empty string (which is represented as "" or nothing after the colon).
user1:password
user2:test
user4:123456
user3:admin
user5:
5 password hashes cracked, 0 left
This demonstrates the effectiveness of incremental mode for cracking passwords that might not be in a wordlist, especially short or simple ones.
Understand NTLM Hash Security
In this step, you will reflect on the security implications of NTLM hashes and the importance of strong password practices. You've seen how relatively simple passwords can be quickly cracked using wordlists and how even short, non-dictionary passwords can be found with brute-force methods like incremental mode.
NTLM hashes are known to be vulnerable due to several factors:
- Lack of Salting: Unlike modern hashing algorithms (e.g., bcrypt, scrypt), NTLM hashes do not use a "salt." A salt is random data added to a password before hashing, making each hash unique even for identical passwords. Without salting, attackers can use precomputed tables (rainbow tables) to quickly crack hashes.
- Weak Hashing Algorithm: NTLM uses MD4, which is a relatively old and cryptographically weak hashing algorithm.
- Case Insensitivity (for LM hash, though NTLM is case-sensitive): While NTLM itself is case-sensitive, its predecessor, LM hash, was not, leading to confusion and sometimes weaker password practices.
To mitigate the risks associated with NTLM hash cracking, organizations and users should:
- Enforce Strong Password Policies: Require long, complex passwords that combine uppercase and lowercase letters, numbers, and special characters. This makes both wordlist and brute-force attacks significantly harder.
- Implement Multi-Factor Authentication (MFA): MFA adds an extra layer of security beyond just a password, making it much harder for attackers to gain unauthorized access even if they crack a password.
- Use Modern Hashing Algorithms: For new systems or when migrating, prefer modern, salted, adaptive hashing algorithms like bcrypt, scrypt, or Argon2.
- Regularly Audit and Monitor: Continuously monitor for suspicious login attempts and audit password strength.
By understanding the vulnerabilities of NTLM hashes and implementing robust security measures, you can significantly enhance the security posture of systems and user accounts.
Summary
In this lab, you successfully learned how to use John the Ripper to crack NTLM hashes. You started by understanding how NTLM hashes are structured and then formatted them for optimal use with John the Ripper. You then applied two common password cracking techniques: wordlist attacks and incremental (brute-force) attacks, demonstrating their effectiveness against weak and simple passwords.
You also gained insight into the security weaknesses of NTLM hashes, such as the lack of salting and the use of a weaker hashing algorithm. This understanding is crucial for appreciating the importance of strong password policies, multi-factor authentication, and the adoption of modern, robust hashing algorithms to protect sensitive information. This hands-on experience provides a foundational understanding of password security and common cracking methodologies.
