Brute Force: Password Cracking

Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes is obtained. OS Credential Dumping can be used to obtain password hashes, but that may only get an adversary so far when Pass the Hash is not an option. Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table to crack hashes. Cracking hashes is usually done on adversary-controlled systems outside of the target network.[1] The plaintext password recovered from a successfully cracked hash may be used to log into systems, resources, and services to which the account has access.

ID: T1110.002
Sub-technique of: T1110
Platforms: Azure AD, Linux, Office 365, Windows, macOS
Permissions Required: User
CAPEC ID: CAPEC-55
Version: 1.1
Created: 11 February 2020
Last Modified: 16 September 2020
Provided by LAYER 8

Procedure Examples

ID Name Description
G0022 APT3

APT3 has been known to brute force password hashes to be able to leverage plain text credentials.[2]

G0096 APT41

APT41 performed password brute-force attacks on the local admin account.[3]

G0074 Dragonfly 2.0

Dragonfly 2.0 dropped and executed tools used for password cracking, including Hydra and CrackMapExec.[4][5][6]

G0037 FIN6

FIN6 has extracted password hashes from ntds.dit to crack offline.[7]

S0056 Net Crawler

Net Crawler uses a list of known credentials gathered through credential dumping to guess passwords to accounts as it spreads throughout a network.[8]

Mitigations

ID Mitigation Description
M1032 Multi-factor Authentication

Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.

M1027 Password Policies

Refer to NIST guidelines when creating password policies.[9]
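As an added illustration of the M1027 mitigation (example code, not part of the ATT&CK page), the following password acceptance check follows the NIST SP 800-63B rules the mitigation points to: a minimum length, a breached-password blocklist, rejection of repetitive, sequential and context-specific values, and no composition or expiry rules. The blocklist contents and the 64-character upper cap are constructed assumptions.

```python
import unicodedata

# Constructed stand-in for a real compromised-password corpus (assumption: a
# deployment would load one of the public breached-password lists instead).
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

NIST_MIN_LEN = 8   # SP 800-63B minimum length for user-chosen memorized secrets
LOCAL_MAX_LEN = 64  # local cap (assumption); SP 800-63B requires accepting at least 64


def normalize(secret: str) -> str:
    """Apply Unicode NFKC normalisation before length checks and comparisons,
    as SP 800-63B recommends, so visually identical inputs compare equal."""
    return unicodedata.normalize("NFKC", secret)


def _is_sequential(s: str) -> bool:
    """True if every character is exactly one code point after the previous one."""
    return len(s) > 1 and all(ord(b) - ord(a) == 1 for a, b in zip(s, s[1:]))


def check_password(secret: str, username: str = "", service: str = "") -> list:
    """Return the list of policy failures; an empty list means the secret is acceptable.

    Deliberately no composition rules (mixed case, digits, symbols) and no expiry:
    SP 800-63B dropped those because they push users toward predictable
    patterns that guessing tools model well, which is what this technique relies on."""
    s = normalize(secret)
    lower = s.lower()
    failures = []
    if len(s) < NIST_MIN_LEN:
        failures.append(f"shorter than {NIST_MIN_LEN} characters")
    if len(s) > LOCAL_MAX_LEN:
        failures.append(f"longer than {LOCAL_MAX_LEN} characters")
    if lower in BREACHED_PASSWORDS:
        failures.append("appears in breached-password list")
    # Repetitive or sequential strings ("aaaaaaaa", "12345678") are explicitly
    # named by SP 800-63B as values to reject.
    if len(set(lower)) == 1:
        failures.append("single repeated character")
    if _is_sequential(lower):
        failures.append("sequential characters")
    # Context-specific words: the username or service name embedded in the secret.
    for ctx in (username, service):
        if ctx and len(ctx) >= 3 and ctx.lower() in lower:
            failures.append(f"contains context-specific word '{ctx}'")
    return failures
```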

Detection

ID Data Source Data Component
DS0015 Application Log Application Log Content
DS0002 User Account User Account Authentication

It is difficult to detect when hashes are cracked, since this is generally done outside the scope of the target network. Consider focusing efforts on detecting other adversary behavior used to acquire credential materials, such as OS Credential Dumping or Kerberoasting.

References