Despite having decades to address the issue, user passwords continue to top the list of critical security vulnerabilities. Weak policies have allowed users to create short, guessable passwords, and many organizations are reluctant to require passphrases. Service account passwords often go decades without being changed, and password reuse can be rampant. Combine this with missing or weak multifactor authentication and your organization could be in serious trouble.
Authentication systems store and use hashes rather than passwords to authenticate users. Hashing is a one-way cryptographic function that converts a password into a representative value. One-way means that, unlike encryption, a hash can’t be reversed or decrypted with a key. So, when somebody says “password cracking”, they probably mean to say “hash cracking”.
SynerComm’s penetration testers routinely need to guess and crack passwords. With most engagements limited by time, cracking performance is critical. Your company shouldn’t wait for a pentest (or a breach) to learn that you have weak passwords. SynerComm provides Hash Analysis, Hash Cracking and Password Recovery as a standalone service. Our team can attempt to recover passwords for nearly any hash type, but our most common crack jobs are for Microsoft Windows NTLM hashes.
| Feature | Hash Analysis | Hash Analysis Plus |
|---|---|---|
| Check for Weak Hashing Algorithm (LANMan) | | |
| Check for Blank/Default Passwords | | |
| Check for Password Reuse | | |
| Password Policy Review (Active Directory Default Domain Policy) | | |
| SynerComm’s Custom Hash Attack Playbooks (dictionary + rules, brute-force & hybrid masks) | | |
| Custom Report (Executive summary, analysis and vulnerability findings) | | |
| Password Analysis Spreadsheet (Including cracked/recovered passwords) | | |
| Multiple AD Group Policy Review | | |
| Identify Privileged Accounts and Group Members | | |
| Additional Hash Attack Playbooks Tailored to Your Organization (dictionary + rules, brute-force & hybrid masks) | | |
| Trend Analysis\* | | |

\*Requires Hash Analysis Plus Quarterly Assessments
Many hash types (MS Windows NTLM hashes among them) can be analyzed for security violations without cracking them. Because NTLM hashes are unsalted, two accounts with the same password produce the same hash, so password reuse, a critical flaw, can be detected simply by finding duplicate hashes.
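The checks just described (LANMan storage, blank passwords and reuse) can all be run on a hash dump without cracking a single hash. The following is an added example, not SynerComm’s tooling; it assumes the dump is in the common `user:rid:lmhash:nthash:::` (pwdump) format and uses a constructed sample dump.

```python
import re
from collections import defaultdict

# Well-known hashes of the empty string: an LM field equal to EMPTY_LM means
# no LANMan hash is stored; an NT field equal to EMPTY_NT means a blank password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample dump (hash values are made up, not real accounts).
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
legacy_user:1200:00112233445566778899aabbccddeeff:fedcba9876543210fedcba9876543210:::
jsmith:1301:aad3b435b51404eeaad3b435b51404ee:89abcdef0123456789abcdef01234567:::
"""

# user:rid:lm:nt:::  (user may contain a DOMAIN\ prefix; no colons)
LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::")


def parse_dump(text):
    """Return (user, rid, lm, nt) tuples; hashes lower-cased, bad lines skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        user, rid, lm, nt = m.groups()
        records.append((user, int(rid), lm.lower(), nt.lower()))
    return records


def analyze(records):
    """Flag LANMan storage, blank passwords and password reuse without cracking."""
    lm_enabled = [u for u, _, lm, _ in records if lm != EMPTY_LM]
    blank = [u for u, _, _, nt in records if nt == EMPTY_NT]
    by_nt = defaultdict(list)
    for u, _, _, nt in records:
        if nt != EMPTY_NT:           # blank accounts are reported separately
            by_nt[nt].append(u)
    # NTLM is unsalted, so identical NT hashes mean identical passwords.
    reuse = {nt: users for nt, users in by_nt.items() if len(users) > 1}
    return {"lm_enabled": lm_enabled, "blank": blank, "reuse": reuse}


if __name__ == "__main__":
    for finding, value in analyze(parse_dump(SAMPLE_DUMP)).items():
        print(finding, value)
```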