Cracking NTLMv2 Hashes with Cthulhu

Why Password Managers and MFA are Important in your Security Stack

The subject of password strength and complexity requirements has been discussed and debated ad nauseam in the security industry. It is a subject as old as information security itself and will not be going away any time soon.

We, as penetration testers, absolutely love passwords because they can be abused to achieve the objectives of a client’s assessment. Malicious actors also love passwords; many of the mass phishing campaigns seen in the wild have the sole objective of harvesting credentials from gullible users.

But what happens when we don’t find passwords written down on post-it notes attached to your monitor? This is where cracking password hashes comes into play.

There are numerous methods to obtain hashed credentials, whether it is from capturing a WPA handshake on your Wi-Fi, passwords stored in a database within an application, or capturing Windows domain credentials passing over a corporation’s network. However, that is a much longer discussion outside the scope of this entry. The important thing to take away is that your super-secret password may not be as safe as you think.

CyberOne’s penetration testing team, TEAMARES, has designed and constructed a purpose-built password cracking server, affectionately named Cthulhu.

At the heart of this beast lies 8 Nvidia Titan V graphics cards. Nvidia touts these cards as the world’s most powerful GPU. The Titan V utilizes Nvidia’s Volta supercomputing architecture, which is used in machine learning, deep learning, and artificial intelligence research.

While that is all well and good, how does this translate to the password strength discussion?

An industry favorite is the password recovery tool hashcat, which is also the weapon of choice used by TEAMARES. During penetration testing engagements, this hardware and software duo enables our assessors to quickly and efficiently crack captured password hashes on the fly.

A common source of domain credentials abused by red teamers and malicious actors alike is Windows NTLMv2 hashes captured from the network. These hashes come from a challenge-response authentication protocol that Windows clients use to authenticate to other Windows servers, such as network shares. The screenshot below shows the hashcat benchmark output for NTLMv2 hashes.

To put it simply, this system can crack hashes at over 27.8 billion guesses per second. These hashes are the more cryptographically “strong” method employed within a Windows environment, but what about weaker algorithms?

A common post-exploitation step for CyberOne’s penetration testing team is to obtain a copy of the Windows Active Directory database file NTDS.dit. This file stores user credentials in an older and weaker algorithm simply called NTLM. These hashes are even easier to crack.

NTLM hashes dumped from Active Directory are cracked at a rate of over 715 billion guesses per second. For comparison’s sake, the laptop I am writing this from has a single Nvidia Quadro M1000M GPU that cracks hashes at a rate approximately 150 times slower than Cthulhu. Below is the hashcat NTLM benchmark output of my laptop’s GPU.

In more tangible numbers, Cthulhu can brute-force all combinations of upper case, lower case, space, number, and symbols (the entire keyspace) from a single character to 8-character passwords iteratively in roughly 6 hours. It is shocking how often we see passwords of 8 or fewer characters still in use today. Cracking hashes of passwords of 6 characters or fewer is almost instant, and 7 characters takes about 4 minutes. A list of benchmarks for additional common algorithms can be found at the end of this post.

The difficulty and time required to crack increase exponentially as the character length of passwords increments. For instance, a 9-character brute-force requires approximately 24 days. Increasing to a length of ten or beyond will create issues if using the full keyspace, as it is way too large for hashcat to handle, and hashcat will error out before attempting to crack.

At this point, people might say “Our policy requires a minimum length of 10 with numbers and special characters so we are safe!”, and to that, we say hashcat has features beyond raw brute-forcing. These features allow a wordlist or dictionary to be used along with a “rule” file. A single rule can take a single word from a dictionary and use it as a seed to create multiple permutations. An example of this is taking the base word ‘password’ and replacing some characters with numbers like passw0rd, p4ssw0rd, pa55word, etc. While that can help with complexity, other rules will take 2 or more entries from a list and concatenate them to create longer passwords (e.g. correcthorsebatterystaple). With large wordlists and complex rules, we can create password candidate lists that contain quadrillions of unique entries. Using a wordlist that is roughly 20 GB (about 1.1 billion entries) along with a file with 310,372 individual rules will create over 335 trillion unique passwords to guess. The real kicker there is that running a cracking session with those options against a list of NTLM hashes takes roughly 45 minutes to complete.
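The wordlist-plus-rules behaviour described above can be turned around and used at password-set time to reject candidates that reduce to dictionary words. The following Python sketch is an added example, not code from the original post or from hashcat; `WORDS` and `LEET` are small constructed stand-ins for a real dictionary and rule set, and the function names are hypothetical.

```python
# Added example: defender-side screening of new passwords.
# WORDS is a tiny constructed stand-in for a real dictionary or breach wordlist.
WORDS = {"password", "correct", "horse", "battery", "staple", "summer", "welcome"}

# Character substitutions of the kind the post describes (passw0rd, p4ssw0rd,
# pa55word), reversed so a mangled password maps back to its base word.
# Simplification: each character maps to one letter only.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def segment(text, words=WORDS):
    """Split text into dictionary words; return None if no full split exists."""
    best = {0: []}  # best[i] holds a word list that exactly covers text[:i]
    for end in range(1, len(text) + 1):
        for start in range(end):
            if start in best and text[start:end] in words:
                best[end] = best[start] + [text[start:end]]
                break
    return best.get(len(text))


def derived_from_wordlist(password, words=WORDS):
    """Return the dictionary words a password reduces to, or None if it does not."""
    lowered = password.lower()
    # Appended digits and symbols (e.g. "2024!") are another common mangling.
    core = lowered.rstrip("0123456789!@#$%^&*?.-_")
    for candidate in (lowered, core):
        for form in (candidate, candidate.translate(LEET)):
            if form:
                parts = segment(form, words)
                if parts:
                    return parts
    return None


if __name__ == "__main__":
    # Constructed sample passwords, each of which would pass a typical
    # "length plus numbers and special characters" policy check.
    for pw in ("P4ssw0rd2024!", "correcthorsebatterystaple", "xq7#Lm2vRt9k"):
        print(pw, "->", derived_from_wordlist(pw))
```

A password that returns a word list here is one that a dictionary-and-rules session would reach quickly, regardless of whether it meets a length and character-class policy.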

Inevitably there will be plenty of passwords that are not cracked by our team in a given collection of hashes, but if we can crack 70-80% of passwords in an environment, it may be time to take a hard look at authentication policies within your organization.

Yes, that is a lot of doom and gloom, but what steps can be taken to defend your organization against a group of malicious actors that now have your passwords in plain text? The answer there is the same as in all of security: defense-in-depth.

One step is to limit or remove the human element from password creation using a password management solution. Humans have always been, and will always be, one of the weakest links when it comes to security. A password manager helps to eliminate password re-use across multiple accounts and creates longer, more complex passwords without the individual having to remember each one for each account. There are numerous password managers on the market, ranging from freeware and open-source applications all the way to enterprise-grade solutions.

Another is implementing multi-factor authentication (MFA) solutions for any and all applications or systems that support it. While not totally infallible, MFA solutions offer an added layer of complexity to a malicious actor’s attack chain that is often a decent deterrent from further action. These solutions can also serve a canary function, alerting users that their credentials are being used by someone other than them.

As with everything in security, and life in general, there is no single “silver bullet” that will protect you and your organization from everything. However, layering security and taking steps to identify and mitigate authentication policy shortcomings is one of the many ways to improve your organization’s security posture.

| Hash Type | Cracking Speed |
| --- | --- |
| MD5 | 391.2 GH/s |
| SHA1 | 131.7 GH/s |
| SHA2-256 | 53285.2 MH/s |
| SHA2-512 | 16782.2 MH/s |
| WPA-EAPOL-PBKDF2 (Iterations: 4095) | 6120.2 kH/s |
| MS Office 2013 (Iterations: 100000) | 155.2 kH/s |
| MSSQL (2012, 2014) | 16768.8 MH/s |
| PostgreSQL | 379.2 GH/s |
| NTLM | 715.6 GH/s |
| LM | 332.3 GH/s |
| NetNTLMv1 / NetNTLMv1+ESS | 381.5 GH/s |
| NetNTLMv2 | 27795.0 MH/s |
| descrypt, DES (Unix), Traditional DES | 13361.11 MH/s |
| md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5) (Iterations: 1000) | 175.3 MH/s |
| bcrypt $2*$, Blowfish (Unix) (Iterations: 32) | 515.7 kH/s |
| sha512crypt $6$, SHA512 (Unix) (Iterations: 5000) | 2676.8 kH/s |
| Kerberos 5, etype 23, AS-REQ Pre-Auth | 7191.1 MH/s |
| Kerberos 5, etype 23, TGS-REP | 6826.3 MH/s |
| DPAPI masterkey file v1 (Iterations: 23999) | 1050.4 kH/s |
| DPAPI masterkey file v2 (Iterations: 12899) | 584.4 kH/s |
| macOS v10.8+ (PBKDF2-SHA512) (Iterations: 1023) | 6957.6 kH/s |
| 7-Zip (Iterations: 16384) | 4895.2 kH/s |
| RAR3-hp (Iterations: 262144) | 728.7 kH/s |
| RAR5 (Iterations: 32799) | 611.5 kH/s |
| TrueCrypt RIPEMD160 + XTS 512 bit (Iterations: 1999) | 4742.4 kH/s |
| KeePass 1 (AES/Twofish) and KeePass 2 (AES) (Iterations: 24569) | 779.5 kH/s |
| LastPass + LastPass sniffed (Iterations: 499) | 39651.7 kH/s |
| Bitcoin/Litecoin wallet.dat (Iterations: 200459) | 77929 kH/s |

Please note: H/s refers to hashes per second, kH/s is a thousand per second, MH/s is a million per second, GH/s is a billion per second.