One Simple Trick, Really!
July 24, 2022
In our pandemic-changed world, the annual IT conventions, summits, and meetups have moved online, and this year's DEF CON was no different. Usually held in Las Vegas and noted for its "Spot the Fed" contest, DEF CON is the largest annual gathering of white-hat and black-hat hackers, along with those interested in the knowledge they share. These are not the typical corporate-sponsored presentations you would see at AWS re:Invent or Microsoft Ignite, and the quality is hit or miss at times. What the less polished presentations lack in production value they make up for in raw technical insight that administrators can apply to everyday practice.
One notable presentation, by Rick "Minga" Redman of KoreLogic, focused on the quality of the passwords employees create under a given policy. Redman (Minga) is well known in the password-cracking community and runs the annual Crack Me If You Can contest at DEF CON, which pits teams of password crackers against each other.
In the presentation, entitled Result of Longer Passwords in Real-World Application, Minga walks through a long history of password auditing for a particular client and the patterns that recur in human-generated passwords. He shows how those patterns can be encoded as hashcat rules and used to recover a high percentage of the passwords stored in his client's Active Directory forest, up to 75% by his count. He demonstrates that Active Directory's complexity requirement does not change this: passwords that satisfy it still follow human habits and remain predictable.
However, "one simple trick" introduced by his client changed everything: a 12-character minimum password length. Minga shows the immediate impact the longer policy had on his ability to crack passwords. He highlights 1,000 new password hashes he is confident he will never break with his CUDA cores and his hashcat wordlists and rule sets.
It demonstrates the straightforward idea that the longer the password, the larger the search space an attacker has to cover, provided the extra length is not predictable padding. Even with deep pockets, a good, long, random-ish password will defeat a fleet of AWS p3.16xlarge instances crunching hashes. If you have to create a memorable, human-derived password, Minga offers some guidance there as well.
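As an added example (this is not code from the talk or from the post), the check below applies Active Directory's built-in complexity rule and a minimum length to a handful of constructed passwords, then flags the capitalised-word + digits + symbol shape the talk describes as the one hashcat rules recover. The account name jdoe / Jane Doe and the sample passwords are placeholders:

```powershell
function Test-ADComplexity {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$SamAccountName = '',
        [string]$DisplayName = ''
    )
    # "Password must meet complexity requirements": at least three of the four
    # character classes, and neither the sAMAccountName nor any display-name
    # token of 3+ characters may appear (case-insensitive, as -match already is).
    $classes = 0
    if ($Password -cmatch '[A-Z]')        { $classes++ }
    if ($Password -cmatch '[a-z]')        { $classes++ }
    if ($Password -match  '[0-9]')        { $classes++ }
    if ($Password -match  '[^A-Za-z0-9]') { $classes++ }
    if ($classes -lt 3) { return $false }

    if ($SamAccountName -and $Password -match [regex]::Escape($SamAccountName)) { return $false }
    $tokens = $DisplayName -split '[ ,.\-_#\t]' | Where-Object { $_.Length -ge 3 }
    foreach ($token in $tokens) {
        if ($Password -match [regex]::Escape($token)) { return $false }
    }
    return $true
}

function Test-HumanPattern {
    param([Parameter(Mandatory)][string]$Password)
    # A capitalised word, one to four digits (often a year), zero to two trailing
    # symbols: Summer2022!, Welcome1, Contoso123!!. A wordlist plus a hashcat rule
    # such as  c $2 $0 $2 $2 $!  produces exactly this shape, which is why
    # complexity-compliant passwords still fall. Leet substitutions (P@ssw0rd)
    # belong to a different rule family and are not matched here.
    return [bool]($Password -cmatch '^[A-Z][a-z]{2,}[0-9]{1,4}[^A-Za-z0-9]{0,2}$')
}

# Constructed sample passwords; 'jdoe' / 'Jane Doe' stand in for the account.
$samples = 'Summer2022!', 'Welcome1', 'P@ssw0rd', 'Contoso123!!', 'Tr0ub4dor&3', 'correct horse battery staple'

$samples | ForEach-Object {
    [pscustomobject]@{
        Password    = $_
        Complex     = Test-ADComplexity -Password $_ -SamAccountName 'jdoe' -DisplayName 'Jane Doe'
        MeetsMin8   = $_.Length -ge 8
        MeetsMin12  = $_.Length -ge 12
        HumanShaped = Test-HumanPattern -Password $_
    }
} | Format-Table -AutoSize
```

The table makes the talk's point visible: Summer2022! and Welcome1 satisfy the complexity rule at 8 characters and are exactly the shape a rule set generates, the 12-character minimum removes most of them, and the one pattern-shaped password that survives does so only because it was padded with a company name and repeated symbols. The 28-character passphrase, by contrast, fails complexity because it uses only two character classes, which is a reason to weigh length over complexity when you set policy.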
At a pure Active Directory administrator level, this is a fascinating presentation. Minga takes us through his tradecraft and his methods of recovering passwords from NT hashes extracted from the Active Directory ntds.dit. He gives us great insight into what makes a password vulnerable to his tactics. But what Minga shows us without saying it directly is that a human knowing a password is the weak point. Humans are creatures of habit, and our memorable passwords tend to fall into patterns. As Active Directory administrators, we are leasing a fraction of our employees' memory to store that precious asset. They are keeping their Active Directory password in the same brain as their social media, personal email, banking, photo printing, and other online service passwords.

That leads to some uncomfortable questions. How are you going to ensure that the password an employee uses in Active Directory is not the same one exposed by a breach of a Mom & Pop e-commerce site and now listed on Have I Been Pwned? How many internet-facing endpoints in your organization accept that Active Directory password? Do you really know the quality of your employees' password choices?

There are many tools Innova Solutions has implemented with our clients to reduce the burden of password policy, management, and complexity on their employees. We would love to talk about how Innova Solutions can assist with your Active Directory infrastructure and ensure it is a solid foundation for your cloud and SaaS initiatives. There are achievable, cost-effective methods of abstracting the employee from the password, which removes the concern about our employees' predictable patterns altogether.
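One way to answer the Have I Been Pwned question, added here as an example and not taken from the post: the Pwned Passwords range API takes only the first five hex characters of a password's SHA-1 and returns every known suffix under that prefix with its breach count, so the password itself never leaves your network. The range body below is constructed (with a made-up count) so the example runs offline; Get-PwnedRange performs the live call when no body is supplied.

```powershell
function Get-PasswordSha1 {
    param([Parameter(Mandatory)][string]$Password)
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try     { $bytes = $sha1.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Password)) }
    finally { $sha1.Dispose() }
    return -join ($bytes | ForEach-Object { $_.ToString('X2') })
}

function Get-PwnedRange {
    # Live lookup. Add-Padding makes the API pad the response with count-0 lines
    # so the response size does not leak which prefix was queried.
    param([Parameter(Mandatory)][ValidatePattern('^[0-9A-F]{5}$')][string]$Prefix)
    Invoke-RestMethod -Uri "https://api.pwnedpasswords.com/range/$Prefix" `
        -Headers @{ 'Add-Padding' = 'true' } -UserAgent 'AD-password-audit'
}

function Test-PwnedPassword {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$RangeText   # supply a range body to stay offline; omit to call the API
    )
    $hash   = Get-PasswordSha1 -Password $Password
    $prefix = $hash.Substring(0, 5)   # the only part that is ever sent
    $suffix = $hash.Substring(5)      # compared locally against the returned list
    if (-not $RangeText) { $RangeText = Get-PwnedRange -Prefix $prefix }

    foreach ($line in ($RangeText -split '\r?\n')) {
        $parts = $line.Trim() -split ':'
        if ($parts.Count -lt 2) { continue }
        # Padding lines carry a count of 0 and must not be treated as hits.
        if ($parts[0] -eq $suffix -and [int]$parts[1] -gt 0) {
            return [pscustomobject]@{ Password = $Password; Pwned = $true; Count = [int]$parts[1] }
        }
    }
    [pscustomobject]@{ Password = $Password; Pwned = $false; Count = 0 }
}

# Constructed stand-in for the body of GET /range/5BAA6 (the real response has
# hundreds of lines and the counts differ). SHA-1("password") is
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its suffix is the middle line.
$sampleRange = @'
1D2D7D7A3BA9E0A2DA1E5F4D9C7B3A1F2E4:0
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824
2A1F0C3E9D8B7A6F5E4D3C2B1A0F9E8D7C6:3
'@

Test-PwnedPassword -Password 'password' -RangeText $sampleRange
# Test-PwnedPassword -Password 'Summer2022!'    # live lookup against the API
```

Because the constructed range contains the suffix for "password", the offline call reports it as pwned with the constructed count; a real audit would run the live lookup at password-change time (for example from a password filter or a self-service reset tool) and reject any candidate that comes back with a non-zero count.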
But what can you do right now to understand the risk, improve the health of your Active Directory password policy, and reduce the number of privileged passwords created by human beings in your infrastructure? Microsoft provides many tools built into Active Directory for these areas, and you can implement them today.
Using the tools already in hand, Active Directory administrators can implement three straightforward solutions that meet these basic objectives and set a foundation for better password mitigations in the future.
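As an added example, and not the post's own list, here are the ActiveDirectory module cmdlets an administrator would reach for to raise the domain minimum length, give privileged accounts a stricter fine-grained policy, and replace human-chosen service-account passwords with group managed service accounts. The domain, group, host and account names are placeholders:

```powershell
Import-Module ActiveDirectory
$domain = 'contoso.com'   # placeholder domain

# 1. Inspect, then raise, the Default Domain Policy minimum length.
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount, LockoutThreshold
Set-ADDefaultDomainPasswordPolicy -Identity $domain -MinPasswordLength 12 -ComplexityEnabled $true

# 2. A Password Settings Object for the privileged groups: longer still, with a
#    lockout threshold. When several PSOs apply to one user, the lowest Precedence wins.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Privileged' -Precedence 10 `
    -MinPasswordLength 15 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '180.00:00:00' `
    -LockoutThreshold 10 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00' `
    -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Privileged' `
    -Subjects 'Domain Admins', 'Enterprise Admins', 'Schema Admins'
# Confirm which policy actually applies to a given admin account (placeholder name).
Get-ADUserResultantPasswordPolicy -Identity 'jdoe-adm' | Select-Object Name, MinPasswordLength

# 3. Find user accounts that carry SPNs or have never-expiring passwords: these are
#    the human-typed service passwords, and the SPN ones are Kerberoasting targets.
#    65536 is the DONT_EXPIRE_PASSWORD bit; the OID is the LDAP bitwise-AND rule.
Get-ADUser -LDAPFilter '(|(servicePrincipalName=*)(userAccountControl:1.2.840.113556.1.4.803:=65536))' `
    -Properties PasswordLastSet, ServicePrincipalNames, PasswordNeverExpires |
    Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires,
        @{ n = 'SPNs'; e = { $_.ServicePrincipalNames -join ';' } } |
    Sort-Object PasswordLastSet

# Replace one with a gMSA: the KDC generates and rotates a 240-byte random password
# that no human ever sees. Add-KdsRootKey is a one-time step per forest; even with
# -EffectiveImmediately, allow about 10 hours for replication before creating gMSAs.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }
New-ADServiceAccount -Name 'gmsa-web01' -DNSHostName "gmsa-web01.$domain" `
    -PrincipalsAllowedToRetrieveManagedPassword 'WEB01$' `
    -ManagedPasswordIntervalInDays 30 -Enabled $true
# Then on WEB01 itself:  Install-ADServiceAccount gmsa-web01 ; Test-ADServiceAccount gmsa-web01
```

Run the first two sections from an account with rights to modify domain policy and the Password Settings Container, and test the PSO on a pilot group before pointing it at Domain Admins, since a stricter policy takes effect at each member's next password change. The third section is an audit first: the resulting list tells you which service accounts still depend on a password a person chose and remembers, which is the population worth moving to gMSAs.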