MITRE ATT&CK™ Sub-technique T1110.002


Attacking Active Directory domains often leads to obtaining password interesting, but either hashed or encrypted data. When this information cannot be directly leveraged for higher privileges (like with pass-the-hash, overpass-the-hash), it is required to crack it.

Cracking is an operation that can be carried out through different types of attacks:

  • Brute-force: every possibility for a given character set and a given length (i.e. aaa, aab, aac, ...) is hashed and compared against the target hash.

  • Dictionary: every word of a given list (a.k.a. dictionary) is hashed and compared against the target hash.

  • Rainbow tables: the hash is looked for in a pre-computed table. It is a time-memory trade-off that allows cracking hashes faster, but costing a greater amount of memory than traditional brute-force of dictionary attacks. This attack cannot work if the hashed value is salted (i.e. hashed with an additional random value as prefix/suffix, making the pre-computed table irrelevant)

There are many other and more complex types of attacks (incremental, mask, rules, hybrid types, ...) but the major/core ones are the three above.


One of the greatest tools that can be used for cracking is hashcat (C). It implements different types of attacks and many types of hashes. It has many other great features like

  • it is cross-platform (support for Linux, Windows and macOS) and supports anything that comes with an OpenCL runtime (CPU, GPU, APU, ...)

  • it can crack multiple hashes at the same time and use multiple devices at once (distributed cracking networks supported too)

  • it can save and restore sessions

  • it has a builtin benchmarking system

Below is a short list of the most useful hash types for Active Directory hunting.

Dictionnary attack

Below is an example of how to use hashcat for a dictionary attack.

hashcat --attack-mode 0 --hash-type $number $hashes_file $wordlist_file

Dictionary and rules attack

Hashcat has the ability to inject the plain passwords cracked into the dictionary and start the attack again, and this recursively until no new passwords are found. This can be done with the --loopback argument.

Nota bene: the new passwords are added to dictionnary caches that will be temporary and deleted after the bruteforce+rules+loopack attack ends.

Hashcat can also be used in a hybrid mode by combining a dictionary attack with rules that will operate transformations to the words of the list.

hashcat --loopback --attack-mode 0 --rules-file $rules_file --hash-type $number $hashes_file $wordlist_file

Brute-force attack

TL; DR: here is a hashcat command that bruteforces any password from 4 to 8 characters long. Each character can be any printable character.

hashcat --attack-mode 3 --increment --increment-min 4 --increment-max 8 --hash-type $number $hashes_file "?a?a?a?a?a?a?a?a?a?a?a?a"

Hashcat has the following built-in charsets that can be used.

?l = abcdefghijklmnopqrstuvwxyz
?d = 0123456789
?s =  !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
?a = ?l?u?d?s
?b = 0x00 - 0xff

Below are examples of hashcat being used with built-in charset.

# Passwords are like : 1 capital letter, 3 letters, 4 numbers, 1 special char
hashcat --attack-mode 3 --hash-type $number $hashes_file "?u?l?l?l?d?d?d?d?s"

# Password are 8 chars-long and can be any printable char.
hashcat --attack-mode 3 --hash-type $number $hashes_file "?a?a?a?a?a?a?a?a"

Hashcat can also be started with custom charsets in the following manner.

hashcat --attack-mode 3 --custom-charset1 "?u" --custom-charset2 "?l?u?d" --custom-charset3 "?d" --hash-type $number $hashes_file "?1?2?2?2?3"

Hashcat also has an incremental feature that allows to bruteforce passwords up to a certain length whereas the commands above only try the specified mask's length.

# Password are up to 8 chars-long and can be any printable char.
hashcat --attack-mode 3 --increment --hash-type $number $hashes_file "?a?a?a?a?a?a?a?a"

# Password are 4 to 8 chars-long and can be any printable char (mask length is 12 so that --increment-max can be upped to 12).
hashcat --attack-mode 3 --increment --increment-min 4 --increment-max 8 --hash-type $number $hashes_file "?a?a?a?a?a?a?a?a?a?a?a?a"

More information on how to fully use hashcat can be found here.

Hashcat alternative

A robust alternative to hashcat is John the Ripper, a.k.a. john (C). It handles some hash types that hashcat doesn't (Domain Cached Credentials for instance) but it also has a strong community that regularly releases tools in the form of "something2john" that convert things to a john crackable format (e.g. bitlocker2john, 1password2john, keepass2john, lastpass2john and so on).

Tips & tricks

  • Google offers services like Colab and Cloud Shell that can be used for "cloud cracking". There are projects like penglab, google-colab-hashcat and cloudtopolis that can help testers to setup a cracking session on such resources

  • Other solutions, cloud-based or not, can be used to improve cracking speed: setting up a rig for instance.

  • LM and NTLM ChallengeResponses can be cracked really fast (and for free depending on the hash) on, a remote service that cracks the hash with rainbow tables (here's how to capture those hashes).

  • Testers that manage to pwn a domain admin or a distributed local admin should try to operate multiple LSASS dumps to create a custom wordlist for a dictionary attack

  • Cracking LM and NT hash can be optimized by following these advice.

Last updated