Kerberos, NTLM and SAM: 3 Ways Attackers Can Crack Passwords

Posted by Yaron Zinar on Mar 23, 2017 9:25:12 AM
Find me on:

In a previous blog, we discussed the prevalence of weak passwords in the Enterprise. The fact of the matter is, once an attacker gains access to password challenges and exfiltrates them for offline cracking, they can crack them in most cases.

So, the big question is: How does an attacker get their hands on password challenges for cracking?

Let me demonstrate three common techniques an attacker uses to get password challenges: Kerberos tickets, NTLM challenges and (SAM) account databases.

[To learn more about the security Risks of NTLM, download our latest white paper.]
Kerberos tickets

Kerberos is justifiably considered a more secure protocol than NTLM. The main reason is that when two network entities authenticate they don’t send password challenges to each other. However, there are two common scenarios where (questionable) network configurations allows for password cracking:

  1. Cracking Ticket Granting Server (TGS) to a service account (Kerberoasting)
    In this attack, an attacker requests a TGS to a service. As it turns out, in many cases, the TGS is signed with the credentials for the service account running the service. The attacker can then take the generated TGS and send it for offline password cracking (using this code for example).

    This attack is very appealing for several reasons:
    1. No special permissions are needed to run this attack. Any authenticated user is able create any TGS they desire.
    2. The service principal names (SPN) for these TGSs can be scanned for and detected automatically without previous knowledge on the network.
    3. In many cases the service accounts behind these services have elevated privileges.

      For more details about this attack check out Sean Metcalf
      great blog on the subject.

  2. Cracking Ticket Granting Tickets (TGT)
    Here an attacker can take advantage of two attack vectors.

TGT with no pre-auth
This is somewhat less well-known attack vector. In the past, any user could issue a TGT with any user principal under the assumption that only the real user would be able to use the generated ticket as it was generated with their master key (derived from user’s password).

It was later discovered that this means that any attacker with network access could create password challenges in the form of TGTs and crack them. To combat this, Kerberos V5 introduced pre-authentication. Our research here at Preempt revealed that in many networks pre-authentication is sometimes turned-off for certain users to enable testing and automation.

Kerberos Sniffing
When an attacker is able to see the communication between workstations and domain controllers, he can sniff the TGT requests and crack them. When a workstation is located physically in the network, ability to sniff Kerberos traffic probably means the network was already severely compromised. But, another interesting scenario is what happens when a user connects his workstation from an insecure network (e.g. WiFi). In this case, if the attacker has access to the network’s traffic they will be able to crack a user’s password. This is one of the reasons that Preempt alerts and raises the risk score of privileged accounts using unsecured networks (e.g. WiFi, VPN).

NTLM challenges

As I mentioned in a previous blog post about NTLM, one of the major risks with NTLM is the fact that it enables offline password cracking. Basically, this means that every time a user authenticates with NTLM, they expose their password to offline cracking. An attacker can take advantage of this in two main ways:

  1. Wait for challenges
    After an attacker gets a foothold in the network and assumes control over several endpoints, they can simply wait for users to authenticate and expose their credentials. As it turns out, in many organizations there are privileged users that perform scheduled tasks on all endpoints (e.g. AV management) and their credentials are easily exposed in this manner.

  2. Induce challenges
    Attackers can create malicious emails or internet pages (typically with an IMG tag) that induces users to send out an NTLM challenge. This challenge can either be redirected or simply just cracked.
Security Accounts Manager (SAM) databases

When an attacker takes control over an endpoint, they can dump all password hashes from the local (SAM) account database. This is especially easy as local NTLM hashes contain no salt. This makes offline cracking especially easy. A common attack vector in this scenario is to simply dump all password hashes from the domain controller.

Now, I know what you are thinking, if the attacker has access to the domain controller, does he even needs passwords any more?! The answer is a resounding yes.  Plain-text passwords are always important. One reason, it that even post-breach, many users will not change their already breached password exposing organization to years of lacking security.


Since more than half of all breaches are exploiting credentials, understanding all of the gaps that an attacker might be able to take advantage of to crack user passwords is critical.  Having this knowledge can help you better close the gaps and tighten up areas of vulnerability.
To learn more about the overall passworld health in your organization, try out Preempt's FREE Preempt Inspector to run an Enterprise Password Health Assessment report. 

Download the FREE App

Topics: Passwords, NTLM, kerberos, SAM