00:00:00,314 --> 00:00:57,253
Escalation of Privileges, or I've got the power. As we've worked our way through, we have now performed our reconnaissance, we've scanned and enumerated, we've gained our access, and now we're trying to escalate our privileges. We want to go from being a normal user to a system-level user and then eventually to a domain admin. This is our fourth step of the hacking process. It's our escalation of privileges. We're gonna gain administrative system or root access by escalating our account privileges. After we've escalated our privileges, the next thing we're gonna do is we're gonna have full control over the network or system, and we can gain administrative access over the workstation, and then expand out to the domain if possible. This is gonna give us complete control of the network where we can do whatever we want. What are some methods of escalation? Well, we can exploit an administrator or a system to begin with. We can steal passwords with keyloggers or we can crack the password itself. We can do that through the SAM database in Windows or we can use the shadow database inside Linux.

00:00:57,253 --> 00:02:03,449
In Windows, the passwords that you have are stored as a binary encrypted hash. When I go to log into Windows, it actually hashes my password, and then it compares it to the hash that it has stored. If those two match, it then lets me into the system. Now because it has this database, the SAM database, if we can steal that database, we can take it offline, and we could try attacking it, and cracking it. Why would we wanna do that offline instead of just trying to fat-finger and try to brute force our way into the system? Well, most people have set up their systems now so you can only attempt the password three times and then it will lock you out for a certain amount of time. For example, let's say that I'm trying to guess the password for my user account. I go in there and I type in one, and then I type in two, and then I type in three. Now I gotta wait 15 minutes and then I can try it again. That can take me forever if I was trying to guess the password "password". Instead what we do is we try to steal the database itself. We could take it offline and then we can attack it millions of times a second with a fast computer and not have to worry about being locked out, because the system isn't being tested, just the password, to see if I've matched the encryption.

00:02:03,449 --> 00:02:49,307
How do we steal that SAM database? Well, one of the ways you can do it is physical access. Physical access means I'm actually able to touch the machine I'm trying to attack. If I get into the office and I can copy the SAM using the NT Emergency Repair Disk, or I reset the user password using NTFSDOS or LINNT, then I can take that and just take that password from the physical access. Now if we're hacking remotely, that's not gonna be an option for us. In that case, we need logical access, using something like Meterpreter where we can do a hashdump. Now once we have that hashdump, we can then use that hashdump to try to crack those passwords and use something like Pwdump, LCP, Ophcrack, or John the Ripper. Lots of different password cracking tools out there once we have this database that we can then compare to.

00:02:49,307 --> 00:03:29,306
Now there's many different authentication types used in Windows. There's LANMAN authentication, there's NT LANMAN authentication, NT LANMAN v2 authentication, and Kerberos. We're gonna talk about LM authentication. LM authentication is LANMAN authentication. It was used by Windows 95, 98, and ME. It's based on DES, which is the Data Encryption Standard, making it very easy to crack. DES is only 56 bits long, therefore most modern computers can crack it fairly easily. Now the reason why this is important is it's still used for backwards compatibility in some systems, so you may be able to find some LANMAN passwords. If you do, they're easy to crack, go and use those.

00:03:29,306 --> 00:04:26,572
Because LANMAN had gotten kind of outdated because of the sophistication of computers, they upgraded it and it became NT LANMAN. NT LANMAN was used in the Windows NT systems, anything less than Service Pack 3. Again, very old systems, but it is still used some places for backwards compatibility. This was based on DES again, so 56-bit keys, as well as using a hash of MD4, which again is very antiquated these days. NTLM v2 is NT LANMAN version two. It was used in Windows NT Service Pack 3 and beyond. It was a replacement for the NT LANMAN that again had become old and antiquated. The newer version is Kerberos, and Kerberos was actually started in Windows 2000, and is still in use today. It was used in Windows 8 and Windows 2012. Now Windows 10 has moved on to a different system. But up through Windows 8 and Windows 2012, Kerberos was still what is being used, so it's one of the more modern authentication methods.

00:04:26,572 --> 00:04:59,539
Let's talk about how LANMAN hashes work. Well essentially, you have a password and it's converted to all uppercase. Let's use the code of LETMEIN. The password is then padded with nulls, or blanks, to make it 14 characters long. So we have LETMEIN, and one, and then blank. We have that string. It's broken up into two sets of seven. We have LETMEIN, and one, blank, blank, blank, blank, blank, blank, blank. Each of those parts is then encrypted separately. We then push those back together with a concatenation and that gives us what our LM hash is gonna be.

00:04:59,539 --> 00:05:46,286
What is that gonna look like in the real world? Well, here's a hashdump of a system. Inside Meterpreter, we use the command hashdump. It's part of the Metasploit Framework and it allows us to collect the remote hashes off that remote system using an interactive shell. Notice here, we'll just run the hashdump and we'll be able to get the system key back. Here's what a hashdump looks like. Notice we have the administrator. He's a user 500 account and then we have his LM hash. We have the guest. He's a 501 account and his LM hashes. HelpAssistant, SUPPORT, Bazinga, track, troll, all those user accounts, all of those admin accounts, and you'll see those accounts there with their LM hashes. We can then take that information offline and use something like Ophcrack or John the Ripper to then get the actual password from it.

00:05:46,286 --> 00:06:32,317
Another way to collect the hashes is using a program called L0phtcrack. L0phtcrack is gonna be able to extract the hashes from local or remote machines. It also can sniff passwords as they're going across the network. So if I am locally on that network, I can launch L0phtcrack, and I can start copying those hashes as they're going across the network, and then crack them using L0phtcrack. Again, this is good if you're in the local network. But if you're doing a remote exploitation, something like hashdump with Metasploit is gonna be more effective for you. Another way of doing this is using a program like Pwdump. Pwdump is a command-line tool that can bypass the SYSKEY encryption of the SAM if you have the admin rights already. It can collect the hashes and store them as a text file. Once you have them as a text file, that hashdump, you can again go through and crack those passwords.

00:06:32,317 --> 00:07:31,862
So what are some methods of actually cracking a password? Well, one of the ways is dictionary, another way is brute force, and another is hybrid. What is a dictionary attack? Well, a dictionary attack uses a dictionary or word list to crack a password. This is gonna be the quickest method of doing it, but it's only as good as the dictionary I have. So let's talk about this. Let's say I have 1,000 words in my dictionary and I'm trying to crack a password. Well, what ends up happening is I take the first word in the dictionary, I encrypt it, I compare that encrypted hash to the LANMAN hash I had stolen. If they match, I know my password. If not, I move on to the next one and I keep doing it. This can take some actual time. If I wanna do millions of millions of passwords, this will take a long time. So one of the ways we speed that up is we use what's called a rainbow table. What a rainbow table does is it's actually a dictionary, but it's already pre-hashed. So now I just compare hash to hash instead of having to create the hash and compare the hash. So that's one way to speed up a dictionary attack as well.

00:07:31,862 --> 00:08:40,124
Another way to do this is what's called a brute force attack. Now, a brute force attack will find the password every single time without fail. The only problem is this can take forever. So what ends up happening is it actually uses random numbers and letters, and it will actually start guessing passwords. If I say I wanna check every password up to eight characters, it's gonna start with A. Then it's gonna go AA. Then it's gonna go AB, AC, AD, and keep going until it gets out to AAAA, AAAB, AAAC. It will keep going until it finds it. This can take hours, years, or decades depending on how long and how complex the password is. But it is 100% successful. Now when I say a long time, there are some times that a brute force attack can take you a billion years. For instance, if you have a 16-character password that's uppercase, and lowercase, has special characters and numbers, that is gonna take millions of years to crack with a standard computer. A brute force attack is good if you can kinda give it some parameters. If I can say, "Hey, I know the password is gonna be between 14 and 16 characters," that can help 'cause I can eliminate having to do all the work up to 14 characters. But again, it's still gonna take a long time.

00:08:40,124 --> 00:09:37,748
Now, one of the ways I can do this better is I can do what's called a hybrid attack. This is where I take a dictionary list and I can add some things to the beginning or the end of it, or even in between it, to work it a little bit better. So this takes more time than a dictionary attack, but less time than a brute force attack. For example, if I thought the password had something to do with password, then I can use things like 1password, or password123, or password but I replace the A's with @ signs and the S's with dollar signs. Those types of things are using a hybrid attack. Where is this really helpful? Well, if you did a good job in your reconnaissance phase, and you know some information about the person, most people tend to pick passwords that are familiar to them. Dogs' names, spouses' names, city they grew up in, high schools, their favorite football team. If you start putting those things into your dictionary program with a hybrid attack, it can start having some good results and be able to find these complex passwords that are based off something the person knows.

00:09:37,748 --> 00:10:48,964
What are some of these password cracking tools that are out there? Well, one of the most popular ones out there is called Cain and Abel. What Cain and Abel is, it's a multipurpose tool that performs password cracking, Windows enumeration, and VoIP sniffing. But we're really talking about the password cracking portion here. It can do dictionary attacks, it can do brute force attacks, and it can do those rainbow table attacks. The nice thing with the rainbow table is that again, it's gonna speed up those dictionaries and become the fastest method out there. Now, what is this picture up here above my head? Well, you'll see on the left side it has length six, seven, eight, or nine. That's the length of the password. If I wanted to have every single possible password out there that is up to six characters long, that's about two gigabytes of text. If I wanted all the way up through nine characters, that's 60 terabytes of text. So again most people, their passwords, are up in the 12, 14, 16 characters. You can see how large these text files are and how long it's gonna take even with using a rainbow table, which has pre-encrypted, pre-hashed information. It's still gonna be tons and tons of information and it will take a long long time. That's why we say passwords and having strong passwords is by far the most important thing in security.

00:10:48,964 --> 00:11:17,227
Another one we have out there is John the Ripper. Now, John the Ripper can crack Kerberos, LANMAN hashes, and more. The passwords that are cracked though, they're not case-sensitive. So if I come back and it cracks it, and it says it's password, it could be all capital, all lowercase, or a mixture of the two. I don't really know, but at least I've gotten it down into something reasonable. Now the fact that I know that it's eight characters and it has password as the letters, I can start going through it and there's only a couple of options, and I'll be able to figure it out pretty quickly.

00:11:17,227 --> 00:11:37,721
Ophcrack is another one that we have out there for password cracking and this one is really efficient because it uses rainbow tables, so it's very fast. But again, those rainbow tables can be very large. Like I said, if I had up to nine characters, that means all the passwords between zero and nine characters long, every possible combination, there's 60 terabytes of text out there to symbolize that.

00:11:37,721 --> 00:12:16,548
What's one of the ways that we can do this faster? The one I'm gonna use is Crackstation. If you go to Crackstation.net, it uses rainbow tables for fast password cracking, but the nice thing is it's all done on their servers. For instance, if I take this LANMAN hash on the screen, and I copy it, and I paste it into Crackstation.net, what will I get? Passphrasefloppy. It comes back fairly quickly and you'll be able to find that. Now if instead I did that using Ophcrack, it could've taken minutes to hours depending on where it was inside the rainbow table. But by using it in Crackstation, and using that cloud computing architecture they have, it can come back much much quicker for me.