vault backup: 2025-03-16 18:59:42
44
Penetration Testing/Week 23/Week 23 - Password Attacks.md
Normal file
@@ -0,0 +1,44 @@
**Slide 1: Password Attacks**
- People are not good at remembering passwords, choosing easy ones (e.g., 123456), and reusing them.
- Password entropy increases with length and character variation. Longer passwords and those with mixed characters (upper/lowercase, numbers, special symbols) have more entropy.
- Using password managers and multi-factor authentication is recommended.
**Slide 2: Real-World Password Attacks**
- Most common attacks target weak or default user/system passwords.
- Brute force and dictionary attacks are common. Tools like `medusa` and `ncrack` automate these attacks.
- Online password attacks target networked services like HTTP, SSH, FTP, SNMP, RDP.
- Offline password attacks use captured password files and tools like `john the ripper`.
- Key space brute force generates all possible combinations of characters for a given set and length.
- Social engineering and shoulder-surfing can also be used.
**Slide 3: Online Password Attacks Example**
- Example of an HTTP brute force attack using `medusa` against a protected web directory.
- Command: `medusa -h <target> -u <username> -P /usr/share/wordlists/rockyou.txt -M http -m DIR:/npttest -T 10 -s`
- Lessons: Be suspicious of the first password in a list, and don't put the correct one at the beginning when setting up demos.
**Slide 4: Key Space Brute-Force**
- `crunch` tool generates custom wordlists with defined character sets and password formats.
- Example: `crunch 6 6 0123456789ABCDEF -o test.txt` generates a list of 6-character hexadecimal passwords.
- Password length quickly becomes unmanageable with more characters.
**Slide 5: John the Ripper Offline Cracking Tool**
- `john` supports automatic mode, dictionary mode (using wordlists), and mangling rules.
- Example commands:
- Automatic mode: `john <password-file>`
- Dictionary mode: `john --wordlist=/usr/share/wordlists/rockyou.txt <password-file>`
- Mangling rules: `john --rules --wordlist=/usr/share/wordlists/rockyou.txt <password-file>`
**Slide 6: In-memory Attacks**
- Abusing OS handling of passwords, particularly useful for Windows due to shared identities.
- `pwdump` tool dumps SAM hashes by injecting a DLL into the LSASS process.
**Slide 7: Passing the Hash in Windows**
- Pass-The-Hash (PTH) allows authentication using hashes rather than passwords.
- `exploit/windows/smb/psexec` exploit with a reverse TCP meterpreter payload can be used for PTH.
**Slide 8: Task 3 – Password Attack**
- Demonstrate various password attacks using different tools.
- Target at least two protocols (e.g., HTTP, FTP, SSH, RDP).
- Crack provided offline password hashes using wordlists and `crunch`.
- Crack a password-protected Word file, `TradeSecret.docx`, using office2john or zip2john.
- Perform an in-memory attack using PTH to authenticate into the Windows XP system.
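Review bot: Slide 8 offers `zip2john` as an interchangeable alternative to `office2john` for `TradeSecret.docx`, but the two cover different protections: `office2john` extracts the hash of a Word document's own open password, whereas `zip2john` handles the encryption of a ZIP archive, so it only applies if the file is delivered inside an encrypted archive; qualify the "or" so students pick the right tool for the task. Also, Slide 1 pairs the problem (weak, reused passwords) with its mitigation (password managers, MFA), but Slides 6 and 7 describe the in-memory and Pass-the-Hash attacks with no corresponding defensive takeaway; one line on the mitigation side for each would keep the notes consistent with Slide 1.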