Password Attacks

Passwords are the most basic form of user account and service authentication. By extension, the goal of a password attack is to discover and use valid credentials in order to gain access to a user account or service.

In general terms, there are a few approaches to password attacks. We can either make attempts at guessing a password through a dictionary attack using various word lists, or we can brute-force every possible character in a password. In general, a dictionary attack prioritizes speed, offering less password coverage, while brute-force prioritizes password coverage at the expense of speed. Both techniques can be used effectively during an engagement, depending on our priorities and time requirements.

In some cases, once we gain (usually privileged) access to a target and are able to extract password hashes, we can leverage password cracking attacks that seek to gain access to the clear-text password, or pass-the-hash attacks, which allow us to authenticate to a Windows-based target using only a username and the hash.

In this module, we'll discuss each of these concepts and techniques in more detail and demonstrate how they can be leveraged in various attack scenarios.
Word Lists

Word lists, sometimes referred to as dictionary files, are simply text files containing words for use as input to programs designed to test passwords. Precision is generally more important than coverage when considering a dictionary attack, meaning it's more important to create a lean word list of relevant passwords than it is to create an enormous generic word list. Because of this, many word lists are based on a common theme, such as popular culture references, specific industries, or geographic regions.

Kali Linux includes a number of these dictionary files in the /usr/share/wordlists directory, and many more are hosted online. When conducting a password attack, it may be tempting to simply use these pre-built lists; however, we can be much more effective in our approach if we take the time to carefully build our own custom lists. In this section, we'll examine tools and approaches to create effective word lists.
Standard Word Lists

We can increase the effectiveness of our word lists by adding words and phrases specific to our target organization. For example, consider MegaCorpOne, a company that deals with nanotechnology. The company website lists various products that the company sells, including the Nanobot. In a hypothetical assessment, we were able to identify a low-level password of Nanobot93. Assuming this might be a common password format for this company, we would like to create a custom word list that identifies other passwords with a similar pattern, perhaps using other product names.

We could browse the website and manually add commonly used terms and product names to our custom word list, or we could use a tool like CeWL to do the heavy lifting for us.
According to the help output, CeWL can be configured by specifying several options, but we'll focus on a few key arguments. For example, this command will scrape the MegaCorpOne website, locate words with a minimum of 6 characters, and write the word list to a custom file.

Our grep output shows that CeWL located the names of several products, including the Nanobot. We should consider the possibility that other product names may be used in passwords as well.

However, these words by themselves would serve as extremely weak passwords and would not meet typical password enforcement rules. These types of rules generally require the use of upper and lowercase characters, the use of numbers, and perhaps special characters. Based on the Nanobot93 password we've discovered, we could surmise that the password enforcement for MegaCorpOne requires at least the use of two numbers in the password and may further dictate, however unlikely, that the numbers must be used at the end of the password. For the sake of this simple demonstration, we'll assume that MegaCorpOne policy dictates that a password end in a two-digit number.

To create passwords that meet this requirement, we could write a Bash script, but instead we'll use a much more powerful tool called John the Ripper. John the Ripper is a fast password cracker with several features, including the ability to generate custom word lists and apply rule permutations. Moving forward with our assumption about the password policy, we'll add a rule to the John the Ripper configuration file that will mutate our word list, appending two digits to each password.
To do this, we must locate the wordlist segment, where word list mutation rules are defined, and append a new rule. In this example, we'll append the two-digit sequence of numbers from 00 to 99 after each word in our word list.

We'll begin this rule with the dollar sign character ($), which tells John to append a character to the original word from our word list. Next, we specify the type of character we want to append; in our case, we want any number between 0 and 9. Finally, to append double digits, we'll simply repeat the 0 to 9 sequence, giving the rule $[0-9]$[0-9]. Now that the rule has been added to the configuration file, we can mutate our word list, which currently contains 312 entries.
To do this, we'll invoke John and specify the dictionary file, activate the rules in the configuration file, output the results to standard output, and redirect that output to a file called mutated.txt. The resulting file contains over 46,000 password entries due to the multiple mutations performed on the passwords.

One of the passwords is Nanobot93, which matches the password we discovered earlier in our hypothetical assessment. Given the assumptions about MegaCorpOne's password policy, this word list could produce results in a dictionary attack.

Although this demonstration is oversimplified, it serves as a good example of how password profiling can be beneficial to the overall success of our password attacks.
Brute-Force Word Lists

In contrast to a dictionary attack, a brute-force password attack calculates and tests every possible character combination that could make up a password until the correct one is found. While this may sound like a simple approach that guarantees results, it is extremely time-consuming. Depending on the length and complexity of the password and the computational power of the testing system, it can take a very long time, even years, to brute-force a strong password.

We could even combine these two concepts and create brute-force word lists: dictionary files that contain every possible password that matches a specific pattern. For example, consider a scenario that reveals a very specific password enforcement policy.

Looking at the passwords, we notice a distinct pattern in the password structure: each password begins with a capital letter, followed by two lowercase letters, then two special characters, and finally three digits.
Armed with this knowledge, it would be incredibly helpful to create a word list that contains every possible password that matches this pattern. Crunch, included with Kali Linux, is a powerful word list generator that can handle this task. To use it, we must first describe the pattern we need crunch to replicate, and for this we'll use placeholders that represent specific types of characters.

To generate a word list that matches our requirements, we'll specify a minimum and maximum word length of eight characters and describe our rule pattern with -t. The command works as expected, but as noted, the output would consume a massive 160 gigabytes of disk space. Remember that brute-force techniques prioritize password coverage at the expense of speed and, in this case, disk space.

We can also define a character set with crunch. For example, we can create a brute-force word list accounting for passwords between four and six characters in length containing only the characters 0 through 9 and a through f, and we'll write the output to a file.

Notice that the file output size is significantly smaller than the previous example, primarily due to the shorter password length as well as the limited character set.
However, the word list file itself is impressive, containing over 17 million passwords.

In addition, we can generate passwords based on predefined character sets. For example, we can specify the path to the character set file with -f and choose the mixalpha set, which includes all lower and uppercase letters. Although this particular command generates an enormous 131 gigabyte word list file, it offers rather impressive password coverage.

Spend time with JTR and crunch and think of how each one can be used most effectively. As we'll discover in the next section, we need to avoid the temptation to rely on massive and generic word lists, as they can have adverse effects on our client's production environment.
Common Network Service Attack Methods

Now that we understand how to create effective word lists for various situations, we can discuss how they can be used for password attacks against common network services. Bear in mind that password attacks against network services are noisy and, in some cases, dangerous. Multiple failed login attempts will usually generate logs and warnings on the target system and may even lock out accounts after a predefined number of failed login attempts. Keep this in mind before blindly running a network-based brute-force attack.

Once we've weighed the risks and considered the well-being of the target network, we can take several steps to improve the efficiency of our password tests. Depending on the protocol and password cracking tool, we can increase the number of login threads to boost the speed of an attack. However, in some cases, increasing the number of threads may not be possible due to protocol restrictions, and our optimisation attempt could instead slow down the process. On top of this, it's worth noting that the authentication negotiation process for protocols such as RDP is more time-consuming than, say, HTTP.

The hidden art behind network service password attacks is choosing appropriate targets, user lists, and password files carefully and intelligently before initiating the attack. To successfully attack a password on a network service, we must not only match the target username and password but also honor the protocol used in the authentication process. Fortunately, popular tools such as THC Hydra, Medusa, Crowbar, and Spray can handle these authentication requests for us.

In this section, we'll examine each of these tools and weigh their effective protocol and service handling capabilities. These tools mostly have similar capabilities and speeds; the correct tool to use often depends on the preferred syntax and output format. This can only be determined by experimenting with each tool in a test environment and learning the strengths, weaknesses, and idiosyncrasies of each.
HTTP/HTTPS Attack with Medusa

According to its authors, Medusa is intended to be a "speedy, massively parallel, modular, login brute-forcer". We'll use Medusa to attempt to gain access to an .htaccess-protected web directory.

First, we'll set up our target, an Apache web server installed on our Windows client, which we'll start through the XAMPP control panel. With our services started, we'll return to Kali and explore Medusa.

We'll attempt to gain access to an .htaccess-protected folder named admin on our Windows web server. We'll use the rockyou wordlist for this example, which we must first decompress with gunzip.

Next, we'll launch Medusa and initiate the attack against the .htaccess-protected URL on our target host. We'll attack the admin user with passwords from our rockyou word list file, and we'll use an HTTP authentication scheme.

In this case, Medusa discovered a working password of "freedom". Let's try out these credentials in our browser. Excellent, our Medusa attack successfully retrieved the password for this directory.

Medusa has many additional options and settings and can interact with a variety of network protocols. These can be displayed with the -d option. For more information about Medusa, refer to your lab guide.
Remote Desktop Protocol Attack with Crowbar

Crowbar is a network authentication cracking tool primarily designed to leverage SSH keys rather than passwords. It's also one of the few tools that can reliably and efficiently perform password attacks against the RDP service on modern versions of Windows. Let's try this tool against our Windows client machine. First, we need to install Crowbar from the Kali repository.

Next, we'll create a small word list that contains the password for our Windows client. To invoke Crowbar, we specify the protocol, the target server, a username, a word list, and the number of threads.

Great, Crowbar discovered working credentials for the admin user. Note that we only specified a single thread, since the Remote Desktop Protocol does not reliably handle multiple threads.
SSH Attack with THC Hydra

THC Hydra is another powerful network service attack tool under active development, and it's worth mastering. We can use it to attack a variety of protocol authentication schemes, including SSH and HTTP. The standard options include -l to specify the target username, -P to specify a word list, and the protocol and IP in URI format to specify the target protocol and IP address respectively.

In this first example, we'll attack the SSH service on our Kali VM. Let's start OpenSSH before proceeding. Now we'll use Hydra to attack the SSH protocol on our local machine, focus on the kali user, and again use the small word list we created earlier.

In this output, we can see that Hydra discovered a valid login against the local SSH server. THC Hydra supports a number of standard protocols and services; refer to the Hydra man page to view all of its available options.
HTTP POST Attack with THC Hydra

As an additional example, we'll perform an HTTP POST attack against our Windows Apache server using Hydra. When an HTTP POST request is used for user login, it is most often through the use of a web form, which means we should use the HTTP form post service module. We can supply the service name followed by -U to obtain additional information about the required arguments.

From this output, we determine that we need to provide a number of arguments that will require us to perform some application discovery. First, we need the IP address and the URL of the web page containing the web form on our Windows client. We'll provide the IP address as the first argument to Hydra.

Next, we must understand the web form we want to brute-force by inspecting the HTML code of the target web page. We can view the HTML by right-clicking the page and selecting "View Page Source" from the context menu.

The form indicates that the POST request is handled by frontpage.php, which is the URL we will feed to Hydra. The Hydra syntax requires the form parameters, which in this case are "user" and "pass". Since we're going to attack the admin user login with a word list, the combined argument to Hydra becomes the following, with the PASS placeholder standing in for our word list file entries. We must also provide the condition string to indicate when a login attempt is unsuccessful. We can find this by attempting a manual login against the page. In our example, the web page returns the text "invalid login".

Putting these pieces together, we can complete the HTTP form post syntax. The complete command can now be executed. We'll supply the admin username and rockyou word list, request verbose output with -vV, and use -f to stop the attack when the first successful result is found. In addition, we'll supply the service module name and its required arguments.

Although this required some investigation of the application, the result is worth it, as we discovered a valid password. Let's verify that this is indeed the correct password. Excellent, Hydra successfully found the correct admin password for us. The other service modules included with Hydra are also well worth the effort to master.
Leveraging Password Hashes

Next, we turn our attention to attacks focused on the use of password hashes. A cryptographic hash function is one-way and implements an algorithm that, given an arbitrary block of data, returns a fixed-size bit string called a hash value or message digest. One of the most important uses of cryptographic hash functions is during the password verification process.
467
00:25:30,280 --> 00:25:36,760
retrieving password hashes most systems
468
00:25:35,179 --> 00:25:39,830
that use a password authentication
469
00:25:36,760 --> 00:25:42,500
mechanism need to store these passwords
470
00:25:39,830 --> 00:25:44,260
locally on the machine rather than
471
00:25:42,500 --> 00:25:47,630
storing the passwords in clear-text
472
00:25:44,260 --> 00:25:49,900
modern authentication mechanisms usually
473
00:25:47,630 --> 00:25:51,950
store them as hashes to improve security
474
00:25:49,900 --> 00:25:54,350
this means that during the
475
00:25:51,950 --> 00:25:57,410
authentication process the password
476
00:25:54,350 --> 00:25:59,510
presented by the user is hashed and
477
00:25:57,410 --> 00:26:02,750
compared with the previously stored
478
00:25:59,510 --> 00:26:05,030
message digests identifying the exact
479
00:26:02,750 --> 00:26:06,890
type of hash without having further
480
00:26:05,030 --> 00:26:09,770
information about the program or
481
00:26:06,890 --> 00:26:11,870
mechanism that generated it can be very
482
00:26:09,770 --> 00:26:14,990
challenging and sometimes even
483
00:26:11,870 --> 00:26:18,080
impossible when attempting to identify a
484
00:26:14,990 --> 00:26:20,450
message digest type there are three
485
00:26:18,080 --> 00:26:24,110
important hash properties to consider
486
00:26:20,450 --> 00:26:27,110
these include the length of the hash the
487
00:26:24,110 --> 00:26:30,250
character set used in the hash and any
488
00:26:27,110 --> 00:26:32,720
special characters used by the hash a
489
00:26:30,250 --> 00:26:37,370
useful tool that can assist with hash
490
00:26:32,720 --> 00:26:40,280
type identification is hash ID to use it
491
00:26:37,370 --> 00:26:43,840
we simply run the tool and paste in the
492
00:26:40,280 --> 00:26:43,840
hash value we wish to identify
493
00:26:45,940 --> 00:26:51,730
here we analyzed two different hashes
494
00:26:49,230 --> 00:26:54,700
while the first example returned
495
00:26:51,730 --> 00:26:57,570
multiple possible matches the second
496
00:26:54,700 --> 00:27:02,440
narrowed down the hash type to SHA-512
497
00:26:57,570 --> 00:27:07,019
crypt next let's retrieve and analyze a
498
00:27:02,440 --> 00:27:07,019
few hashes on our Kali Linux system
499
00:27:07,160 --> 00:27:12,350
many Linux systems have the user
500
00:27:09,350 --> 00:27:15,320
password hashes stored in the /etc/shadow
501
00:27:12,350 --> 00:27:17,850
file which requires root
502
00:27:15,320 --> 00:27:21,030
permissions to read
503
00:27:17,850 --> 00:27:25,690
the shadow file entry starts with the
504
00:27:21,030 --> 00:27:29,080
username followed by the password hash
505
00:27:25,690 --> 00:27:32,130
the hash is divided into subfields the
506
00:27:29,080 --> 00:27:36,900
first of which references the SHA-512
507
00:27:32,130 --> 00:27:40,360
algorithm the next subfield is the salt
508
00:27:36,900 --> 00:27:42,580
the salt is a random value that's used
509
00:27:40,360 --> 00:27:45,970
along with the clear-text password to
510
00:27:42,580 --> 00:27:48,820
calculate a password hash this prevents
511
00:27:45,970 --> 00:27:53,850
hash lookup attacks since the password
512
00:27:48,820 --> 00:27:53,850
hash will vary based on the salt value
513
00:27:54,180 --> 00:27:59,010
now let's turn our focus to windows
514
00:27:56,700 --> 00:28:01,320
targets and discuss the various hash
515
00:27:59,010 --> 00:28:04,020
implementations and how we can leverage
516
00:28:01,320 --> 00:28:06,660
them during an assessment on Windows
517
00:28:04,020 --> 00:28:09,950
systems hashed user passwords are stored
518
00:28:06,660 --> 00:28:13,800
in the Security Accounts Manager or SAM
519
00:28:09,950 --> 00:28:17,070
to deter offline SAM database password
520
00:28:13,800 --> 00:28:20,520
attacks Microsoft introduced the SYSKEY
521
00:28:17,070 --> 00:28:24,000
feature which partially encrypts the SAM
522
00:28:20,520 --> 00:28:27,780
file Windows NT-based operating systems
523
00:28:24,000 --> 00:28:31,140
up to and including Windows 2003 store
524
00:28:27,780 --> 00:28:35,240
two different password hashes LAN
525
00:28:31,140 --> 00:28:40,470
Manager or LM which is based on DES and
526
00:28:35,240 --> 00:28:43,370
NT LAN Manager or NTLM which uses MD4
527
00:28:40,470 --> 00:28:46,190
for hashing
528
00:28:43,370 --> 00:28:48,770
LAN Manager is known to be very weak
529
00:28:46,190 --> 00:28:51,770
since passwords longer than seven
530
00:28:48,770 --> 00:28:55,730
characters are split into two strings
531
00:28:51,770 --> 00:28:58,940
and each piece is hashed separately each
532
00:28:55,730 --> 00:29:01,750
password string is also converted to
533
00:28:58,940 --> 00:29:05,180
uppercase before being hashed and
534
00:29:01,750 --> 00:29:08,270
moreover the LM hashing system does not
535
00:29:05,180 --> 00:29:11,470
include salts making a hash lookup
536
00:29:08,270 --> 00:29:11,470
attack feasible
537
00:29:12,029 --> 00:29:18,080
from Windows Vista on the operating
538
00:29:14,549 --> 00:29:21,059
system disables LM by default and uses
539
00:29:18,080 --> 00:29:24,210
NTLM which among other things is
540
00:29:21,059 --> 00:29:26,700
case-sensitive supports all Unicode
541
00:29:24,210 --> 00:29:31,169
characters and does not split the hash
542
00:29:26,700 --> 00:29:33,359
into smaller weaker parts however NTLM
543
00:29:31,169 --> 00:29:36,919
hashes stored in the SAM database are
544
00:29:33,359 --> 00:29:36,919
still not salted
545
00:29:37,170 --> 00:29:41,310
it's worth mentioning that the SAM
546
00:29:39,030 --> 00:29:43,680
database cannot be copied while the
547
00:29:41,310 --> 00:29:45,690
operating system is running because the
548
00:29:43,680 --> 00:29:49,340
Windows kernel keeps an exclusive
549
00:29:45,690 --> 00:29:49,340
filesystem lock on it
550
00:29:52,160 --> 00:29:56,780
however we can use Mimikatz which is
551
00:29:55,100 --> 00:29:59,780
covered in much greater depth in another
552
00:29:56,780 --> 00:30:03,380
module to mount in-memory attacks
553
00:29:59,780 --> 00:30:05,240
designed to dump the SAM hashes among
554
00:30:03,380 --> 00:30:08,330
other things Mimikatz modules
555
00:30:05,240 --> 00:30:10,850
facilitate password hash extraction from
556
00:30:08,330 --> 00:30:13,150
the LSASS process memory where they are
557
00:30:10,850 --> 00:30:13,150
cached
559
00:30:28,390 --> 00:30:34,270
since LSASS is a privileged process
560
00:30:31,270 --> 00:30:36,430
running under the SYSTEM user we need to
561
00:30:34,270 --> 00:30:39,540
launch Mimikatz from an administrative
562
00:30:36,430 --> 00:30:39,540
command prompt
563
00:30:40,659 --> 00:30:46,779
to extract password hashes we must first
564
00:30:43,299 --> 00:30:49,929
execute two commands the first is
565
00:30:46,779 --> 00:30:52,720
privilege::debug which enables the
566
00:30:49,929 --> 00:30:55,960
SeDebugPrivilege access right required
567
00:30:52,720 --> 00:30:58,450
to tamper with another process if this
568
00:30:55,960 --> 00:31:00,639
command fails Mimikatz was most likely
569
00:30:58,450 --> 00:31:02,940
not executed with administrative
570
00:31:00,639 --> 00:31:02,940
privileges
571
00:31:04,809 --> 00:31:10,269
it's important to understand that LSASS
572
00:31:07,210 --> 00:31:12,700
is a SYSTEM process which means it has
573
00:31:10,269 --> 00:31:15,149
even higher privileges than Mimikatz
574
00:31:12,700 --> 00:31:18,549
running with administrative privileges
575
00:31:15,149 --> 00:31:21,700
to address this we can use the
576
00:31:18,549 --> 00:31:24,970
token::elevate command to elevate the security
577
00:31:21,700 --> 00:31:27,659
token from high integrity to SYSTEM
578
00:31:24,970 --> 00:31:27,659
integrity
579
00:31:30,660 --> 00:31:37,640
if Mimikatz is launched from a SYSTEM
580
00:31:33,330 --> 00:31:37,640
shell this step is not required
581
00:31:37,669 --> 00:31:43,459
now we can use lsadump::sam
582
00:31:40,639 --> 00:31:45,260
to dump the contents of the SAM
583
00:31:43,459 --> 00:31:48,590
database
584
00:31:45,260 --> 00:31:50,720
nice Mimikatz has elegantly and
585
00:31:48,590 --> 00:31:53,680
effectively dumped the hashes as
586
00:31:50,720 --> 00:31:53,680
requested
587
00:32:00,920 --> 00:32:07,800
passing the hash in Windows as we'll
588
00:32:05,220 --> 00:32:09,840
discover in the next section cracking
589
00:32:07,800 --> 00:32:13,290
password hashes can be very
590
00:32:09,840 --> 00:32:16,290
time-consuming and is often not feasible
591
00:32:13,290 --> 00:32:18,990
without powerful hardware however
592
00:32:16,290 --> 00:32:21,930
sometimes we can leverage Windows based
593
00:32:18,990 --> 00:32:25,230
password hashes without resorting to a
594
00:32:21,930 --> 00:32:28,590
laborious cracking process
595
00:32:25,230 --> 00:32:30,809
the pass-the-hash technique allows an
596
00:32:28,590 --> 00:32:34,039
attacker to authenticate to a remote
597
00:32:30,809 --> 00:32:37,860
target by using a valid combination of
598
00:32:34,039 --> 00:32:41,220
username and hash rather than a clear
599
00:32:37,860 --> 00:32:45,389
text password this is possible because
600
00:32:41,220 --> 00:32:48,360
LM and NTLM password hashes are not
601
00:32:45,389 --> 00:32:51,419
salted and remain static between
602
00:32:48,360 --> 00:32:54,510
sessions moreover if we discover a
603
00:32:51,419 --> 00:32:56,429
password hash on one target we can not
604
00:32:54,510 --> 00:32:59,070
only use it to authenticate to that
605
00:32:56,429 --> 00:33:02,250
target we can use it to authenticate to
606
00:32:59,070 --> 00:33:04,500
another target as well as long as that
607
00:33:02,250 --> 00:33:08,220
target has an account with the same
608
00:33:04,500 --> 00:33:12,620
username and password let's introduce a
609
00:33:08,220 --> 00:33:12,620
scenario to demonstrate this attack
610
00:33:12,970 --> 00:33:17,800
during our assessment we discovered a
611
00:33:15,490 --> 00:33:21,460
local administrative account that is
612
00:33:17,800 --> 00:33:23,770
enabled on multiple systems we exploited
613
00:33:21,460 --> 00:33:26,380
a vulnerability on one of these systems
614
00:33:23,770 --> 00:33:30,520
and have gained system privileges
615
00:33:26,380 --> 00:33:33,730
allowing us to dump local LM and NTLM
616
00:33:30,520 --> 00:33:36,190
hashes we've copied the hash of a user
617
00:33:33,730 --> 00:33:39,040
in the administrators group and can now
618
00:33:36,190 --> 00:33:41,740
use it instead of a password to gain
619
00:33:39,040 --> 00:33:45,280
access to a different machine which has
620
00:33:41,740 --> 00:33:48,760
the same local account and password to
621
00:33:45,280 --> 00:33:51,570
do this we'll use pth-winexe from the
622
00:33:48,760 --> 00:33:55,740
passing the hash toolkit which performs
623
00:33:51,570 --> 00:34:00,190
authentication using the SMB protocol as
624
00:33:55,740 --> 00:34:02,980
a demonstration we'll invoke pth-winexe
625
00:34:00,190 --> 00:34:05,560
on our Kali machine to authenticate to
626
00:34:02,980 --> 00:34:08,770
our target using a previously dumped
627
00:34:05,560 --> 00:34:10,840
password hash we'll gain a remote command
628
00:34:08,770 --> 00:34:13,530
prompt on the target machine by
629
00:34:10,840 --> 00:34:17,320
specifying the username and hash
630
00:34:13,530 --> 00:34:21,730
separated by a percent sign along with
631
00:34:17,320 --> 00:34:24,130
the SMB share in UNC format and the name
632
00:34:21,730 --> 00:34:27,720
of the command to execute which in this
633
00:34:24,130 --> 00:34:27,720
case is CMD
634
00:34:28,500 --> 00:34:33,929
our command was successful using the
635
00:34:31,350 --> 00:34:37,250
captured hash as credentials we now have
636
00:34:33,929 --> 00:34:37,250
a shell on the target
637
00:34:38,480 --> 00:34:44,400
behind the scenes the format of the NTLM
638
00:34:41,430 --> 00:34:46,860
hash we provided was changed into
639
00:34:44,400 --> 00:34:49,550
Net-NTLM format during the authentication
640
00:34:46,860 --> 00:34:49,550
process
641
00:34:49,679 --> 00:34:54,510
we can capture these hashes using
642
00:34:52,619 --> 00:34:59,930
man-in-the-middle or poisoning attacks
643
00:34:54,510 --> 00:34:59,930
and either crack them or relay them
644
00:35:02,980 --> 00:35:08,380
password cracking and cryptanalysis
645
00:35:07,060 --> 00:35:10,840
password cracking
646
00:35:08,380 --> 00:35:14,220
is the process of recovering a clear
647
00:35:10,840 --> 00:35:17,140
text passphrase given its stored hash
648
00:35:14,220 --> 00:35:19,380
the process of password cracking is
649
00:35:17,140 --> 00:35:21,940
fairly straightforward at a high level
650
00:35:19,380 --> 00:35:23,530
once we've discovered the hashing
651
00:35:21,940 --> 00:35:26,140
mechanism we're dealing with in the
652
00:35:23,530 --> 00:35:28,960
target authentication process we can
653
00:35:26,140 --> 00:35:31,660
iterate over each word in a word list
654
00:35:28,960 --> 00:35:32,530
and generate the respective message
655
00:35:31,660 --> 00:35:35,440
digest
656
00:35:32,530 --> 00:35:37,540
if the computed hash matches the one
657
00:35:35,440 --> 00:35:40,260
obtained from the system we have
658
00:35:37,540 --> 00:35:43,330
obtained the matching plaintext password
659
00:35:40,260 --> 00:35:45,550
this is usually all accomplished with
660
00:35:43,330 --> 00:35:49,000
the help of a specialized password
661
00:35:45,550 --> 00:35:51,340
cracking program if a salt is involved
662
00:35:49,000 --> 00:35:53,460
in the authentication process and we do
663
00:35:51,340 --> 00:35:56,710
not know what that salt value is
664
00:35:53,460 --> 00:36:00,400
cracking could become extremely complex
665
00:35:56,710 --> 00:36:03,400
if not impossible as we must repeatedly
666
00:36:00,400 --> 00:36:07,180
hash each potential clear text password
667
00:36:03,400 --> 00:36:09,070
with various salts nevertheless in our
668
00:36:07,180 --> 00:36:11,350
experience we have almost always been
669
00:36:09,070 --> 00:36:14,200
able to capture the password hash along
670
00:36:11,350 --> 00:36:16,510
with the salt whether from a database
671
00:36:14,200 --> 00:36:20,170
that contains both of the unique values
672
00:36:16,510 --> 00:36:23,710
per record or from a configuration or a
673
00:36:20,170 --> 00:36:26,800
binary file that uses a single salt for
674
00:36:23,710 --> 00:36:28,990
all hashed values when both of these
675
00:36:26,800 --> 00:36:32,260
values are known password cracking
676
00:36:28,990 --> 00:36:34,720
decreases in complexity once we've
677
00:36:32,260 --> 00:36:37,359
gained access to password hashes from a
678
00:36:34,720 --> 00:36:39,400
target system we can begin a password
679
00:36:37,359 --> 00:36:41,530
cracking session running in the
680
00:36:39,400 --> 00:36:44,500
background as we continue on with our
681
00:36:41,530 --> 00:36:46,810
assessment if any of the passwords are
682
00:36:44,500 --> 00:36:49,480
cracked we could attempt to use those
683
00:36:46,810 --> 00:36:53,109
passwords on other systems to increase
684
00:36:49,480 --> 00:36:55,660
our control over the target network this
685
00:36:53,109 --> 00:36:58,660
like other penetration testing processes
686
00:36:55,660 --> 00:37:01,359
is iterative and we will feed data back
687
00:36:58,660 --> 00:37:04,390
into earlier steps as we expand our
688
00:37:01,359 --> 00:37:07,600
control to demonstrate password cracking
689
00:37:04,390 --> 00:37:09,880
will again turn to John the Ripper as it
690
00:37:07,600 --> 00:37:12,810
supports dozens of password formats and
691
00:37:09,880 --> 00:37:16,180
is incredibly powerful and flexible
692
00:37:12,810 --> 00:37:18,910
running John in pure brute force mode
693
00:37:16,180 --> 00:37:21,609
attempting every possible character
694
00:37:18,910 --> 00:37:24,250
combination in a password is as simple
695
00:37:21,609 --> 00:37:26,559
as passing the filename containing our
696
00:37:24,250 --> 00:37:30,869
password hashes on the command line
697
00:37:26,559 --> 00:37:30,869
along with the hashing format
698
00:37:31,490 --> 00:37:36,950
since we know the type of hash we're
699
00:37:33,740 --> 00:37:39,260
cracking we use the format option to
700
00:37:36,950 --> 00:37:41,830
crack the hashes that we dumped using
701
00:37:39,260 --> 00:37:41,830
Mimikatz
702
00:37:42,040 --> 00:37:47,530
John recognizes the hash type correctly
703
00:37:44,350 --> 00:37:50,080
and sets out to crack it a brute-force
704
00:37:47,530 --> 00:37:52,600
attack such as this however will take a
705
00:37:50,080 --> 00:37:55,080
long time based on the speed of our
706
00:37:52,600 --> 00:37:55,080
system
707
00:37:57,370 --> 00:38:02,920
as an alternative we can use the word
708
00:38:00,040 --> 00:38:05,740
list parameter and provide the path to a
709
00:38:02,920 --> 00:38:08,710
word list instead which shortens the
710
00:38:05,740 --> 00:38:11,250
process time but promises less password
711
00:38:08,710 --> 00:38:11,250
coverage
712
00:38:11,460 --> 00:38:17,010
if any passwords remain to be cracked we
713
00:38:14,250 --> 00:38:22,160
can next try to apply JtR's word
714
00:38:17,010 --> 00:38:22,160
mangling rules with the rules parameter
715
00:38:25,030 --> 00:38:31,510
next we'll see how John the Ripper deals
716
00:38:27,650 --> 00:38:31,510
with Linux password hashes
717
00:38:32,030 --> 00:38:36,920
in order to crack linux-based hashes
718
00:38:34,280 --> 00:38:39,470
with John we will first need to use the
719
00:38:36,920 --> 00:38:41,780
unshadow utility to combine the
720
00:38:39,470 --> 00:38:44,450
password and shadow files from the
721
00:38:41,780 --> 00:38:46,880
compromised system let's quickly add a
722
00:38:44,450 --> 00:38:49,220
new user to our system with a relatively
723
00:38:46,880 --> 00:38:52,660
weak password so we can give John
724
00:38:49,220 --> 00:38:52,660
something easy to crack
726
00:39:03,980 --> 00:39:10,400
now we'll use grep to extract the victim
727
00:39:07,280 --> 00:39:13,130
user details from /etc/passwd and
728
00:39:10,400 --> 00:39:13,940
/etc/shadow into two files in our home
729
00:39:13,130 --> 00:39:16,730
directory
730
00:39:13,940 --> 00:39:20,080
note that root permissions are required
731
00:39:16,730 --> 00:39:20,080
to read /etc/shadow
733
00:39:27,970 --> 00:39:31,619
great let's continue
734
00:39:33,410 --> 00:39:38,710
John the Ripper requires a special hash
735
00:39:35,990 --> 00:39:41,990
format that is generated with unshadow
736
00:39:38,710 --> 00:39:44,690
to use unshadow we simply pass the
737
00:39:41,990 --> 00:39:46,670
password and shadow file names as
738
00:39:44,690 --> 00:39:49,819
arguments
739
00:39:46,670 --> 00:39:52,750
let's save this to a file so we can pass
740
00:39:49,819 --> 00:39:52,750
it to John
741
00:39:56,170 --> 00:40:01,599
we can now run John passing the word
742
00:39:58,839 --> 00:40:04,410
list and the unshadowed text file as
743
00:40:01,599 --> 00:40:04,410
arguments
744
00:40:10,500 --> 00:40:16,030
newer versions of John the Ripper are
745
00:40:13,170 --> 00:40:18,100
multi-threaded by default and this can
746
00:40:16,030 --> 00:40:21,940
be enabled on older versions with the
747
00:40:18,100 --> 00:40:23,860
fork option we can also distribute the
748
00:40:21,940 --> 00:40:28,080
cracking load across multiple computers
749
00:40:23,860 --> 00:40:28,080
with the node option
750
00:40:28,319 --> 00:40:33,640
refer to your lab guide for more
751
00:40:30,760 --> 00:40:38,280
information let's clean up our system
752
00:40:33,640 --> 00:40:38,280
and get rid of that new user we created
753
00:40:39,500 --> 00:40:44,810
while John the Ripper is a great tool
754
00:40:41,960 --> 00:40:47,360
for cracking password hashes its speed
755
00:40:44,810 --> 00:40:50,570
is limited to the power of the CPUs
756
00:40:47,360 --> 00:40:53,630
dedicated to the task in recent years
757
00:40:50,570 --> 00:40:56,600
GPUs have become incredibly powerful and
758
00:40:53,630 --> 00:40:59,380
are of course found in every computer
759
00:40:56,600 --> 00:40:59,380
with a display
760
00:41:01,930 --> 00:41:08,180
GPU cracking tools like hashcat
761
00:41:04,880 --> 00:41:11,900
leverage the power of both the CPU and
762
00:41:08,180 --> 00:41:15,410
the GPU to achieve incredible password
763
00:41:11,900 --> 00:41:18,680
cracking speeds if you'd like to learn
764
00:41:15,410 --> 00:41:20,839
more about GPU password cracking refer
765
00:41:18,680 --> 00:41:23,510
to your lab guide and the ample
766
00:41:20,839 --> 00:41:26,080
documentation available on the hashcat
767
00:41:23,510 --> 00:41:26,080
wiki
768
00:41:30,350 --> 00:41:35,020
wrapping up
769
00:41:33,040 --> 00:41:37,510
there are so many password attack tools
770
00:41:35,020 --> 00:41:39,910
and word lists available that it can be
771
00:41:37,510 --> 00:41:42,880
tempting to just jump in and fire away
772
00:41:39,910 --> 00:41:45,240
in search of that often elusive break
773
00:41:42,880 --> 00:41:47,890
during a penetration test however
774
00:41:45,240 --> 00:41:50,590
success lies in not only deeply
775
00:41:47,890 --> 00:41:53,470
understanding the usage and strengths of
776
00:41:50,590 --> 00:41:55,980
each tool but in learning to step back
777
00:41:53,470 --> 00:41:58,270
and apply these tools with wisdom
778
00:41:55,980 --> 00:42:01,690
honoring the balance of speed and
779
00:41:58,270 --> 00:42:03,790
precision as well as prioritizing the
780
00:42:01,690 --> 00:42:06,570
safety of the client's production
781
00:42:03,790 --> 00:42:06,570
environment