[00:00:00] Well, welcome back to the official start of the course series. This is the Certified Kali Linux Pentester course. We're onto the password attacks module. We're going to cover different password attacks. We're going to look at password hashing and the various tools that come with Kali Linux in order to work with passwords.

[00:00:22] So this is our outline. We're going to go over some of the password attack types, some of the different tools, and we'll even do some attack demos. We'll look at some of the different countermeasures that can be employed to foil these kinds of attacks. We'll look at rainbow tables and some of the online tools for generating hashes and such.

[00:00:45] This is our chapter flow. We're going to talk about the password attacks, followed by labs and countermeasures, pretty similar to other modules we've done.

[00:00:57] So what are password attacks? Well, password attacks are essentially the opposite of authentication. Passwords normally are not made complex by users. Users will do what is easier, not necessarily what is the most secure.

[00:01:19] So password attacks can be done online or offline. Essentially, online attacks are where you're trying to break into a system that's connected, trying to get into a system that's currently functioning. Offline attacks are where you just capture the information, or capture the traffic, and try to crack the password later on through various methods. So online attacks typically can be stopped by a number of attempts causing the account to lock out, or by having a password lockout policy.

[00:02:03] Now, we all know that the number of passwords that people are using is increasing almost daily. If we go and look at some statistics, there's a website called Have I Been Pwned, and this website has over 572 million real-world passwords that have been exposed in data breaches. So you can actually type in a password and see if it's been found. I just typed in the word "password" and we can see that it's been found over 3 million times before. Now, what this means is that this password has been used as one of the most common passwords, or it's been brought out and dumped on the dark web, or maybe on a site like Pastebin. And the main thing to remember here is that everyone, at some point or another, will reuse a password from one site to the other, because it's hard to generate complex passwords. Of course, you can use a password manager like 1Password or LastPass, things like that.

[00:03:10] So, of course, two-factor authentication; those things can help to an extent. But what does NIST's guidance say? So they created this Pwned Passwords service in August of 2017 after NIST released guidance specifically recommending that user-provided passwords be checked against data breaches. So there was this large password dump of around 306 million passwords, and then another version came out in 2018. And then the third release added another 16 million passwords, to a total of 551 million passwords by July of 2019. And version six just arrived here in June of 2020, bringing the total password list to 573 million. You can actually go and download this password database of the most commonly known passwords. This is actually run by a security researcher by the name of Troy Hunt. He has worked for many, many years in the industry. It's a great site for keeping people safe. They even have an API, so you can integrate their password functionality into your programs. So there's no excuse to have bad passwords, but this still does happen.

[00:04:32] So if you look at all the different organizations that have been breached, it's almost just too many to scroll through. I mean, MySpace, BitTorrent, banks, web stores, mobile apps. Doesn't matter the target size; eventually everyone gets a data breach. You can actually have it set up to notify you when your email address is compromised as well. So a lot of useful functionality there. But the main point we want to make sure we understand is that passwords and password dumps are easily located. And once you have one password, once you've succeeded in finding it, essentially an attacker can use it on another site that you might do business with. So if they get your Amazon password, maybe that's the same password you use for your banking website.

[00:05:26] So this graphic here actually depicts how people pick passwords. A lot of times they pick a place or a thing or something that's meaningful to them, maybe a number that they're interested in, possibly some short phrase. Now, obviously, rather than doing passwords, the better option is to do passphrases, where you can pick maybe the first letter of each word as your password. But it shouldn't be something that you have posted on your website or on Facebook. And what happens a lot of times is users will post their security question information to one of their sites, not realizing that attackers can go to websites that have password recovery enabled and, based on their dog's name or their girlfriend's name or their birth date, try and guess and work out some of these passwords.

[00:06:23] So these categories of password attacks are generally broken down as follows. So we have password guessing. This is pretty much just using the most common passwords, like 123456 or something like that. Or if you know facts about the user, you can steal their password. It potentially can also be trying to sniff it over the network if you're not using secure transmission, like on a banking website. Most of the banking websites have gotten on to the idea of using digital certificates to secure their traffic and using TLS. But on any website that doesn't use HTTPS, essentially everything can be seen in plain text, and if your password or your account happens to go over that, then that can be captured. If your password goes out over email and that email's unencrypted, that password can be obtained.

[00:07:25] The second type of password attack is the dictionary attack, which is essentially automated password guessing by loading in a predetermined list of possible values, or a word list. And then you have the brute force password attack, which is using every possible combination with password cracking software. So if you have a seven-character password, then it will try a, a, a, a, a, and then a, a, a, b, and it'll try every permutation and every variation of those passwords until it gets a match. This is prone to errors and essentially time consuming.

[00:08:10] So a better way is doing something called a rainbow table. A rainbow table is essentially a set of plaintext passwords and their hashes. And so the rainbow table works by the work being done beforehand, which saves computer time, or CPU time, during the actual attack. A hybrid attack is essentially a combination of several different attacks. And then you have the birthday attack, which exploits weaknesses in the mathematical algorithms used to generate hashes, using a birthdate. So essentially, what is the probability that two different hash values, or two different plaintexts, have the same hash value? The plaintext is essentially your plaintext password, which then gets hashed using MD5 or SHA-1 and gets stored in your operating system or stored in a database. So the birthday attack exploits that weakness in certain hashing algorithms like MD5 and SHA-1, where there's a greater risk of there potentially being a collision.

[00:09:18] So there are lots of password cracking tools out there with Kali Linux.

[00:09:32] All right. So let's look at some of the different statistics on the most commonly used passwords. So even in 2020, you can Google search some of the top most used passwords. So, you know, 123456, or qwerty, or letmein. These are just bad passwords and they can be easily figured out via brute force or some other type of password method. And so there are different tools that come with Kali, like John the Ripper, Hashcat, Medusa, Hydra, and these are all in the password cracking section. If you go to the Kali start menu and you look at Password Attacks, there are all kinds of tools, word lists, there's Ophcrack, and they're even categorized by offline versus online. And there are even tools where you can pass the hash instead of the password to a program.

[00:10:36] So first, let's look at Hashcat. Hashcat is an open source, multi-operating-system cracker. Depending on your graphics card and your system, you may be able to utilize different versions of Hashcat. If you have an Nvidia driver, you can use the CUDA Toolkit. So it's generally considered to be the fastest password cracker, best at cracking multiple hashes at the same time. It's multi-device, multi-hash, multi-type, and also supports distributed password attacks over the network. It supports salting and many other different types of hashes.

[00:11:32] So the way in which we run Hashcat is we can open up a terminal. We can run it from the link, or we can just open up the terminal, and I'll go ahead and close down some of these. So there's Hashcat. That gives you some example commands if you want to crack different types of hashes. So let's say we wanted to run a brute force command. All you have to have is just the list of hashes that you have. So let's go ahead and run Hashcat in brute force mode. Okay. Then we have to give it the number of characters long we want. So we want a six-character-long password. We would do something like this. And it has some preloaded word lists plus rules as well. So it's going to start, and it says "not a native Intel OpenCL runtime." I can use --force to override. Let's do that.

[00:13:47] So this is a sample of what you might see on your Hashcat. Essentially, it's hashcat, -m for the type of hash, -a for the mode you want it to run in. So in this case, it's loading a hash that's on the desktop and it's picking the word list rockyou.txt. And so it's found five matches for that particular list.

[00:14:11] Then we have John the Ripper. John the Ripper is an open source password cracking software. It uses a dictionary attack: it encrypts sample dictionary words and compares those to the encrypted password. It supports DES, based on the Data Encryption Standard, and supports extended DES, the Cisco and Linux MD5-based passwords, as well as Blowfish on some distributions. It also supports Kerberos and Windows LM password hashes, and macOS as well. So basically, once we get the password hash file that we want to actually crack... So what we're going to do here is we set the umask on the system to 077, we're going to run unshadow on the /etc/shadow and /etc/passwd files, and I'm going to write it out to a file called my pay stub. And then we're going to use John the Ripper to make some decisions on cracking those passwords. So it's going to load three password hashes with different salts, and it's going to do some different iterations. If you press just the spacebar, it'll keep on giving you... it's not just spacebar, pretty much any other key. It'll keep giving you updates on the various attempts it's making. So it's working with the rule list that is in the /usr/share John the Ripper directory. It's continuing different attempts until it gets a match. Depending on your system's performance, it may take a little bit of time. So there is a pro version of John the Ripper. This is kind of what it would look like.

[00:16:55] So let's talk about Hydra. Hydra is a password cracker that has many different protocols. It's very flexible and works with lots of different types of devices. But you need to know the IP address of whatever machine you're going to. Essentially, the SSH, that's what you connect to with Hydra.

[00:17:27] So let's go ahead and go back to our virtual machine here. We'll open up a new tab. So this is xHydra, which is the GUI-based version. You pick your target that you want to be able to crack. So I'm going to go after my localhost system. You pick the protocol that you want. And it actually gives you the equivalent command you would enter, and what protocol you want to go after your passwords on. Put the username, if you have a username. My system happens to be that you can put in the password list, if you have one. From here, it will actually attempt to find the passwords. So we have to move this down a little bit so we can see it. You can give it a proxy method if you need one. Then once you're done, go ahead and click start, and it will attempt to run the password crack. He's not using military or Secret Service organizations. Again, password cracking, this is anything that can be done illegally. You can save out the output as well. There's a lot of functionality with this platform, and it's very user friendly. You can set up multiple targets; if you have a target list, you could do it in a text file. You could set up different ports and protocols you want to connect on, if you want the output to be more verbose. You can even have it just generate passwords, have it just try everything. We see it's still running here. So that is Hydra.

[00:20:28] So the command line version is very similar. Essentially everything you can do in the GUI, you can do in the command line. So you can pick the protocol you want. You can choose how you want it to connect, and so on and so forth. There are several different options for Hydra. So if you want to go to a default set of credentials, or maybe common passwords, a lot of different options.

[00:21:13] So how do we mitigate password cracks? Well, we can use a program called Fail2ban. Essentially, this will be set to watch certain log files and record any specific activity, such as blocking after a number of attempts. So once you've configured Fail2ban, Hydra brute force attacks will not work.

[00:21:45] So then we have rainbow tables. What are rainbow tables? These are precomputed tables for reversing cryptographic hash functions, usually for cracking password hashes. The idea is that you can recover a password up to a certain length consisting of a limited set of characters. The main thing is that you run the plaintext through a hashing function and then you try and reduce the amount of possible attempts you have to make. So the tables get hashed, and then the hash tables are essentially a group of words stored in the table. So there's a program called rtgen, or rainbow table generation. And if it's not installed in Kali Linux, you can always do an apt-get install. And so you may have to go to the website. This is Hashcat's website. So rainbow table generation and sort. So this is an example of running it. You can actually purchase the rainbow tables as well to save the processing time. These are some of the different programs that are available. There's RainbowCrack, or rcrack for the GUI-based version.

[00:23:53] So there are some online tools which you can use to crack passwords online. I mean, these are MD5Online.com as well as CrackStation. Essentially, with MD5, what it really is is a lookup table. So if you type in 123456 and want to get the hash of that, it takes a minute. There's the MD5 hash. Now, if I want to check the hash to make sure it works, I can go to the so-called decryption part, because I'm not reversing the hash; I'm just looking it up in a table. And then when I get back, I should get my original password, which I do. So that site has, what is it, over a billion hashes in the database. So this is one example. CrackStation, crackstation.net, is another password cracking site. Also, you can enter in your hashes here, or a password. So let's go over to the /etc/shadow file and we'll go ahead and just grab one of these hashes that we've created, and we'll see if we can get CrackStation to find out what it is. Of course, I'll say I'm not a robot. I think these hashes are salted, so this may not necessarily work with this; this is just one example. You can actually even download their word list. So it says it's an unrecognized hash format. If you want to download their word list, they have over 4.2 gigabytes compressed; uncompressed, it's 15 gigabytes. So a lot of password recovery options there. There are many other sites which you can use to reverse engineer password hashes.

[00:26:08] So we talked about password attacks that are used to circumvent authentication, whether it's password resets, online attacks, or offline attacks. We looked at John the Ripper with a dictionary attack. We looked at some different options with that. We also looked at Hydra and xHydra, the graphical version. We talked about rainbow tables. So this is a precomputed table for reversing cryptographic hash functions to offload some of the processing work by doing it beforehand. And then we looked at some of the online tools which run on various password encryption algorithms and give you the plaintext for the hashed version of the password. Here are some of the acronyms we talked about.

[00:27:05] And now some practice questions.

Question one: Password attacks are attacks that attempt to circumvent the blank of a service. Is it A, authentication; B, availability; C, group; or D, none? The answer is A, authentication.

Number two: Which of the following is not a common file permission? A, write; B, execute; C, stop; or D, read. The answer is stop. So read, write and execute are common file permissions. If you look at the Linux file structure, you can see that. So if we do the ls command with -lra, we will get the file permissions. These are all the permissions: read, write and execute. If it has a d in front of it, that means it's a directory.

Number three: Why is a one-time password safe? A, it's easy to generate; B, it cannot be shared; C, it's different for every access; or D, it's a complex encrypted password. The correct answer is C. It is different for every access. So one-time pads are usually designed to provide as close to a truly random number generation as possible.

Number four: Which happens first, authorization or authentication? A, authorization; B, authentication; C, authorization and authentication are the same; or D, none of the above. The correct answer is B, authentication. So you authenticate and then you get authorized access to resources. Authorization has to do with access control. Authentication merely looks at your identity and says yes or no based on your provided credentials.

Number five: What is not a best practice for password policies? A, deciding on the maximum age of passwords; B, restricting password re-use and history; C, password encryption; or D, having to change the password every two years. And D would not be a good password policy, because every two years is not nearly often enough to prevent online or offline attacks.

[00:30:33] So in summary, we talked about different password attack types. We looked at some of the different attack tools that exist. We conducted a demo attack on some different password hashes as well as some online resources. We looked at some of the countermeasures that you can take to prevent these types of attacks. And we also looked at rainbow tables. I appreciate your attention in this module. I hope you learned more about passwords than you knew before. And we'll see you guys in the next module.