**Slide 1: Password Attacks**

- People are not good at remembering passwords: they choose easy ones (e.g., `123456`) and reuse them across services.
- Password entropy increases with length and character variation. Longer passwords and those mixing character classes (upper/lowercase letters, digits, special symbols) have more entropy.
- Using password managers and multi-factor authentication is recommended.

**Slide 2: Real-World Password Attacks**

- The most common attacks target weak or default user/system passwords.
- Brute-force and dictionary attacks are common. Tools like `medusa` and `ncrack` automate them.
- Online password attacks target networked services such as HTTP, SSH, FTP, SNMP and RDP.
- Offline password attacks work on captured password files (hashes) with tools like `john the ripper`.
- Key-space brute force generates every possible combination of characters for a given character set and length.
- Social engineering and shoulder-surfing can also be used.

**Slide 3: Online Password Attacks Example**

- Example of an HTTP brute-force attack using `medusa` against a password-protected web directory.
- Command: `medusa -h -u -P /usr/share/wordlists/rockyou.txt -M http -m DIR:/npttest -T 10 -s`
- Lessons: be suspicious of the first password in a list, and don't put the correct one at the beginning when setting up demos.

**Slide 4: Key Space Brute-Force**

- The `crunch` tool generates custom wordlists from a defined character set and password format.
- Example: `crunch 6 6 0123456789ABCDEF -o test.txt` generates the list of all 6-character hexadecimal passwords.
- The key space (and the wordlist size) quickly becomes unmanageable as the password length grows.

**Slide 5: John the Ripper Offline Cracking Tool**

- `john` supports automatic mode, dictionary mode (using wordlists), and mangling rules.
- Example commands:
  - Automatic mode: `john `
  - Dictionary mode: `john --wordlist=/usr/share/wordlists/rockyou.txt `
  - Mangling rules: `john --rules --wordlist=/usr/share/wordlists/rockyou.txt `

**Slide 6: In-memory Attacks**

- Abuse the way the OS handles credentials in memory; particularly relevant on Windows because of shared identities.
- The `pwdump` tool dumps SAM hashes by injecting a DLL into the LSASS process.

**Slide 7: Passing the Hash in Windows**

- Pass-The-Hash (PTH) allows authentication using password hashes rather than the passwords themselves.
- The Metasploit module `exploit/windows/smb/psexec` with a reverse TCP meterpreter payload can be used for PTH.

**Slide 8: Task 3 – Password Attack**

- Demonstrate various password attacks using different tools.
- Target at least two protocols (e.g., HTTP, FTP, SSH, RDP).
- Crack the provided offline password hashes using wordlists and `crunch`.
- Crack a password-protected Word file, `TradeSecret.docx`, using office2john or zip2john.
- Perform an in-memory attack using PTH to authenticate to the Windows XP system.
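The entropy claim in Slide 1 and the key-space explosion in Slide 4 are easier to appreciate with numbers. The following is an added example (not part of the original slides or of the `crunch` tool) that estimates a password's character pool and entropy, and computes how many candidates and how many bytes a `crunch`-style wordlist needs for a given character set and length range. The character classes, the naive "uniform choice" entropy model and the guess rates are assumptions made for illustration.

```python
import math
import string

# Assumed character classes used to estimate the pool a password was drawn from.
# string.punctuation is the 32 printable ASCII symbols.
CLASSES = [
    set(string.ascii_lowercase),   # 26
    set(string.ascii_uppercase),   # 26
    set(string.digits),            # 10
    set(string.punctuation),       # 32
]


def charset_size(password):
    """Size of the union of every character class the password touches."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def entropy_bits(password):
    """Naive entropy estimate log2(charset ** length), i.e. length * log2(charset).

    This assumes each character was chosen uniformly at random, which is the
    upper bound the slide's 'length and variation' rule refers to; a real
    dictionary word like 'password' is far weaker than this number suggests.
    """
    n = charset_size(password)
    return len(password) * math.log2(n) if n else 0.0


def keyspace_size(charset_len, length):
    """Number of candidates a fixed-length key-space brute force must try."""
    return charset_len ** length


def wordlist_bytes(charset_len, min_len, max_len):
    """Bytes a crunch-style wordlist occupies: each candidate plus a newline."""
    return sum(keyspace_size(charset_len, n) * (n + 1)
               for n in range(min_len, max_len + 1))


def seconds_to_exhaust(keyspace, guesses_per_second):
    """Worst-case time to try every candidate at a given guess rate."""
    return keyspace / guesses_per_second


if __name__ == "__main__":
    for pw in ("123456", "password", "Passw0rd!"):
        print(f"{pw:12s} pool={charset_size(pw):3d} entropy={entropy_bits(pw):6.1f} bits")

    # Slide 4's example: crunch 6 6 0123456789ABCDEF (16 symbols, length 6).
    hex_len = len("0123456789ABCDEF")
    for length in range(6, 13):
        ks = keyspace_size(hex_len, length)
        mb = wordlist_bytes(hex_len, length, length) / 1e6
        # Assumed rates: ~10 guesses/s for an online service, ~1e9 hashes/s offline.
        online = seconds_to_exhaust(ks, 10) / 86400
        offline = seconds_to_exhaust(ks, 1e9)
        print(f"len {length:2d}: {ks:16d} candidates, {mb:14.1f} MB, "
              f"online {online:12.1f} days, offline {offline:10.1f} s")
```

Running it shows why the slide says length becomes unmanageable: the 6-character hex list is about 117 MB, and every extra character multiplies both the list size and the cracking time by 16. The same table also illustrates the online/offline distinction from Slide 2: a key space that is hopeless to try against a live service at a handful of guesses per second can be exhausted offline in seconds.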
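The online attacks in Slides 2 and 3 are noisy by nature: a tool running with ten threads produces a burst of authentication failures from one source. The following added example (not part of the original slides) shows the defender's side, a small detector that parses OpenSSH "Failed password" syslog lines and flags any source address that reaches a threshold of failures inside a sliding time window. The log lines are constructed for the example and use RFC 5737 documentation addresses; the threshold, window and the assumed log year are illustrative parameters.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in OpenSSH's syslog format (not real traffic).
# 203.0.113.5 produces a burst of failures; 198.51.100.7 is a user who mistypes once.
SAMPLE_LOG = """\
Mar 10 09:15:01 host sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 10 09:15:02 host sshd[2213]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar 10 09:15:02 host sshd[2215]: Failed password for invalid user test from 203.0.113.5 port 51238 ssh2
Mar 10 09:15:03 host sshd[2217]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar 10 09:15:04 host sshd[2219]: Failed password for invalid user guest from 203.0.113.5 port 51242 ssh2
Mar 10 09:15:05 host sshd[2221]: Failed password for root from 203.0.113.5 port 51244 ssh2
Mar 10 09:20:11 host sshd[2300]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar 10 09:20:40 host sshd[2302]: Accepted password for alice from 198.51.100.7 port 40002 ssh2
"""

# Matches the failed-authentication line; 'invalid user' appears when the
# account does not exist, which is itself a useful signal of guessing.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(lines, year=2024):
    """Yield (timestamp, source_ip, username) for each failed-password line.

    Syslog timestamps carry no year, so one is assumed (parameter `year`).
    Lines that do not match (e.g. 'Accepted password') are skipped.
    """
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {ip: (failures_in_window, sorted_usernames)} for sources that
    reach `threshold` failures within any `window_seconds` window.

    A per-source deque keeps only events inside the window, so memory stays
    bounded even on a long log; the first crossing is reported once per source.
    """
    recent = defaultdict(deque)
    alerts = {}
    for ts, ip, user in parse_failures(lines):
        q = recent[ip]
        q.append((ts, user))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = (len(q), sorted({u for _, u in q}))
    return alerts


if __name__ == "__main__":
    for ip, (count, users) in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {ip}: {count} failures within window, usernames tried: {users}")
```

The distinct-username list in the alert separates a dictionary attack on one account from user enumeration across many, and the `invalid user` marker shows guesses against accounts that do not exist. On the mitigation side, the same per-source counter is what lockout and rate-limiting controls act on, which is one reason the slide's `-T 10` style attack is hard to keep quiet against a monitored service; MFA, as recommended in Slide 1, removes the payoff even when the guess is right.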