Tales from the Road: The Anatomy of Password Attacks

It’s time to rethink your password policy to prevent modern password attacks. 

If you think your company’s policy of requiring passwords to have a minimum length of eight characters, in addition to other complexity requirements, is sufficient to effectively prevent modern password attacks, think again.  

Our client, a global corporation with business units in more than 30 countries, thought so too. That was before a penetration test, during which DirectDefense was able to crack 90% of the passwords tested. 

Keep reading to learn how adapting your password policies will significantly improve your cybersecurity maturity and give you a stronger security posture overall. 

Penetration Test, Pandemic Style 

DirectDefense was asked to perform a penetration test for every business unit our client owned – 30 plus – in more than 30 countries over the course of 3 months with 2 employees. Did we mention that this was during a global pandemic? Our answer? No problem – thanks to a virtual appliance that we uploaded to the individual business units to allow us to set up remote penetration testing. 

As we got the penetration testing engagement underway, we leveraged exploitable vulnerabilities to gain unauthorized access to privileged accounts that eventually led us to compromise the entire network. It didn’t take us long to realize that the company’s password policies across all of its business units were highly ineffective. We were easily able to crack 4,100 of the 4,600 passwords in use within  hours! 

The Anatomy of Password Attacks 

In an effort to help our client better understand the sequence of events that occurred during the internal penetration test, we created an attack narrative depicting the sequence of events that took place to demonstrate how each vulnerability was chained together to eventually compromise the organization. 

Even though the testing was performed virtually, our internal appliance allowed us to simulate an attack from the inside. An actual attacker could have hypothetically obtained this vantage point by compromising an end-user device, via attack vectors such as phishing, or via a physical breach of the facility. 

10 Steps to Total Network Control  

Our testing team identified vulnerabilities on the internal network that would allow a suitably skilled and motivated attacker to gain privileged access to our client’s systems and data assets from within the internal network.  

Lucky for our client, we were not an actual attacker. Had we been, the sky would have been the limit: launch ransomware, delete everything, shut everyone out, misuse their customer’s credit card information and other personal information – leading to big-time financial and reputational damage. 

Here’s how it happened (and how it could and does happen all the time): 

  1. We began by performing a legacy protocol poisoning attack. The objective of this attack was to obtain hashed credentials for Active Directory users. 
  2. We were able to obtain the password hash for a service account.
  3. We were then able to crack this password in less than five minutes as the password was neither long nor complex (even though it passed the stated password policy). 
  4. We then proceeded to extract the local account password hashes from a machine using the administrative access provided by the compromised service account.
  5. Next, we were able to determine that the local Administrator password was the same across a majority of systems.
  6. We then performed a “Pass-The-Hash” attack using the local Administrator account and password hash to extract cached credentials from memory across many Windows systems.
  7. We were then able to extract cached, hashed, and plain-text credentials from memory. We were able to extract the plain-text passwords for several domain accounts.
  8. Next, we discovered that one of the compromised accounts had Domain Admin privileges.
  9. Utilizing the account, we extracted a database from a Domain Controller. The database contained the password hashes for all users and computers that exist in the Active Directory. Using this, we could recover plain-text passwords of 90% of the accounts as well as impersonate any user or computer through pass-the-hash techniques.
  10. Finally, we were able to create a new user, and add that user to the Domain Admin’s group. This was done to test our client’s security events monitoring and alerting. This new privileged account was not noticed by our client. Can you say red flag? 

Six Steps to a Stronger Network 

In a nutshell, our team was able to compromise our client’s Active Directory domain due to these six areas of weakness. The good news? There are six things you can do  right now to strengthen your security posture and avoid being vulnerable to an internal attack: 

  1. Legacy Protocol Poisoning: We were able to obtain domain credentials due to legacy protocols being allowed.
    Recommendation: Disable legacy protocols.
  2. Weak Passwords: We were able to crack weak passwords.
    Recommendation: Increase the domain password length to 15 characters.
  3. Local Admin Privilege Abuse: We were able to leverage excessive local admin permissions in order to extract the default local administrator NT password hash. 
    Recommendation: Remove local admin permissions where possible.
  4. Pass-the-Hash: The password hash for the default administrator account is the same across systems.
    Recommendation: Disable the local administrator account, or deploy LAPS (Local Administrator Password Solution).
  5. Credential Theft: We were able to extract cached plain-text and hashed credentials from systems.
    Recommendation: Utilize the “Protected Users” group for privileged accounts (Note: This may require upgrading the AD Domain/Forest Level). We also recommend reviewing the endpoint protection solution to ensure that LSA/LSASS access is protected.
  6. Security Monitoring: A majority of the significant activities performed by DirectDefense were generally undetected and did not trigger notification alerts to our client’s IT staff.
    Recommendation: Strengthen monitoring and alerting capabilities pertaining to information security events within the internal network and re-evaluate current security monitoring tools.

The Bottom Line: Test Before You’re Tested 

This engagement was a perfect example of how regular penetration testing is critical for businesses to identify areas of vulnerability that leave their data open to attack. Penetration testing empowers businesses to identify significant security gaps and take action.  

Armed with this information, our client is able to go back and implement critical changes that will have an immediate impact on protecting their business from a major security breach. 

Put Your Business to the Test! 

If you’d like to know how you can make your organization more secure inside and out, let’s talk


2023 Security Operations Threat Report