G4G0-2/Penetration Testing/Week 23/Week 23 - Password Attacks.md
2025-03-16 18:59:42 +00:00

Slide 1: Password Attacks

  • People are poor at remembering passwords, so they choose easy ones (e.g., 123456) and reuse them across services.
  • Password entropy increases with length and character variation. Longer passwords and those with mixed characters (upper/lowercase, numbers, special symbols) have more entropy.
  • Using password managers and multi-factor authentication is recommended.

Slide 2: Real-World Password Attacks

  • Most common attacks target weak or default user/system passwords.
  • Brute force and dictionary attacks are common. Tools like medusa and ncrack automate these attacks.
  • Online password attacks target networked services like HTTP, SSH, FTP, SNMP, RDP.
  • Offline password attacks use captured password files (hash dumps) and tools like John the Ripper.
  • Key space brute force generates all possible combinations of characters for a given set and length.
  • Social engineering and shoulder-surfing can also be used.

Slide 3: Online Password Attacks Example

  • Example of an HTTP brute force attack using medusa against a protected web directory.
  • Command: medusa -h <target> -u <username> -P /usr/share/wordlists/rockyou.txt -M http -m DIR:/npttest -T 10 -s
  • Lessons: be suspicious when the very first password in a list succeeds, and don't put the correct password at the start of the list when setting up demos.
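Added example, not from the slides: the same HTTP brute force seen from the defender's side. The script parses constructed Apache-style access-log lines (the format, client IPs and timestamps are assumed for the demo; only the /npttest path comes from the slide) and flags any client that produces a burst of 401 responses against one path inside a sliding time window, recording whether a 200 followed the burst, which is the signature of a guess that eventually succeeded.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" access-log format (assumed): client IP, identity,
# user, [timestamp], "request line", status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields we need from one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Flag (ip, path) pairs with at least `threshold` HTTP 401s inside any
    `window_seconds` span.  For each flagged pair, report the largest burst seen
    and whether a 200 from the same client on the same path followed it."""
    recent = defaultdict(deque)   # (ip, path) -> timestamps of recent 401s
    flagged = {}
    for rec in filter(None, map(parse_line, lines)):
        key = (rec["ip"], rec["path"])
        if rec["status"] == 401:
            q = recent[key]
            q.append(rec["ts"])
            # Drop 401s that fell out of the sliding window.
            while (rec["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold:
                entry = flagged.setdefault(key, {"attempts": 0, "succeeded": False})
                entry["attempts"] = max(entry["attempts"], len(q))
        elif rec["status"] == 200 and key in flagged:
            # A success after a flagged burst: the guessing most likely worked.
            flagged[key]["succeeded"] = True
    return flagged


# Constructed sample log: 10.0.0.5 hammers the protected directory and gets in
# on the ninth request; 10.0.0.9 mistypes once and then logs in normally.
SAMPLE_LOG = [
    f'10.0.0.5 - - [16/Mar/2025:18:59:{s:02d} +0000] "GET /npttest/ HTTP/1.1" 401 381 "-" "-"'
    for s in range(8)
] + [
    '10.0.0.5 - - [16/Mar/2025:18:59:08 +0000] "GET /npttest/ HTTP/1.1" 200 1043 "-" "-"',
    '10.0.0.9 - - [16/Mar/2025:18:59:03 +0000] "GET /npttest/ HTTP/1.1" 401 381 "-" "-"',
    '10.0.0.9 - - [16/Mar/2025:18:59:30 +0000] "GET /npttest/ HTTP/1.1" 200 1043 "-" "-"',
]

if __name__ == "__main__":
    for (ip, path), info in detect_bruteforce(SAMPLE_LOG).items():
        outcome = "and then succeeded" if info["succeeded"] else "without success"
        print(f"{ip} made {info['attempts']} failed attempts on {path} {outcome}")
```

The threshold and window are the knobs a defender tunes: too low and users who mistype get flagged; too high and a slow, throttled guesser (medusa's -T controls parallelism) slips under it, which is why rate limiting and account lockout at the service itself matter more than log review after the fact.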

Slide 4: Key Space Brute-Force

  • crunch tool generates custom wordlists with defined character sets and password formats.
    • Example: crunch 6 6 0123456789ABCDEF -o test.txt generates a list of 6-character hexadecimal passwords.
  • The key space, and with it the wordlist size and the time to search it, grows exponentially with password length and character-set size, so it quickly becomes unmanageable.
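Added example, not part of the slides, tying Slide 1's entropy point to Slide 4's key-space growth. It estimates password entropy as length × log2(alphabet size), computes the key space a crunch run would enumerate, and estimates the output file size for the crunch 6 6 0123456789ABCDEF command above, assuming crunch writes one candidate per line followed by a newline; the guess rates used in the demo are assumed figures, not measurements.

```python
import math
import string

# Character classes used for the alphabet estimate; the symbol class is
# string.punctuation (32 characters).  Characters outside all classes
# (e.g. space, non-ASCII) are ignored by this simple estimator.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def charset_size(password):
    """Size of the union of every character class the password touches."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def entropy_bits(password):
    """Naive entropy estimate: length * log2(alphabet size).  This is an upper
    bound; it assumes each position was chosen uniformly, which human-chosen
    passwords such as 123456 are not."""
    n = charset_size(password)
    return len(password) * math.log2(n) if n else 0.0


def keyspace(alphabet_size, length):
    """Number of candidates a key-space brute force must try for one length."""
    return alphabet_size ** length


def crunch_output_bytes(alphabet_size, min_len, max_len):
    """Bytes crunch would write: every candidate of each length plus a newline (assumed)."""
    return sum(keyspace(alphabet_size, L) * (L + 1)
               for L in range(min_len, max_len + 1))


def seconds_to_exhaust(space, guesses_per_second):
    """Worst-case time to try the whole key space at a given guess rate."""
    return space / guesses_per_second


if __name__ == "__main__":
    for pw in ("123456", "password", "Tr0ub4dor&3", "correcthorsebatterystaple"):
        print(f"{pw:28s} alphabet={charset_size(pw):3d} entropy~{entropy_bits(pw):6.1f} bits")

    # The Slide 4 example: 6-character hex candidates.
    print(f"\ncrunch 6 6 <hex>: {keyspace(16, 6):,} candidates, "
          f"{crunch_output_bytes(16, 6, 6) / 2**20:.0f} MiB on disk")

    # Why the key space "quickly becomes unmanageable": full printable set,
    # at an assumed offline rate of 1e9 guesses/s.
    for L in range(6, 13):
        secs = seconds_to_exhaust(keyspace(94, L), 1e9)
        print(f"length {L:2d}: {keyspace(94, L):.3e} candidates, {secs / 86400:.3g} days")
```

The takeaway for the Slide 1 recommendation: each extra character multiplies the search space by the alphabet size, so length beats character-class tricks, and a password manager makes long random passwords practical.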

Slide 5: John the Ripper Offline Cracking Tool

  • john supports automatic mode, dictionary mode (using wordlists), and mangling rules.
  • Example commands:
    • Automatic mode: john <password-file>
    • Dictionary mode: john --wordlist=/usr/share/wordlists/rockyou.txt <password-file>
    • Mangling rules: john --rules --wordlist=/usr/share/wordlists/rockyou.txt <password-file>

Slide 6: In-memory Attacks

  • These attacks abuse how the OS keeps credentials in memory; they are particularly useful on Windows, where the same identities are shared across machines.
  • pwdump tool dumps SAM hashes by injecting a DLL into the LSASS process.

Slide 7: Passing the Hash in Windows

  • Pass-The-Hash (PTH) allows authentication using hashes rather than passwords.
  • The Metasploit module exploit/windows/smb/psexec with a reverse TCP Meterpreter payload can be used for PTH.

Slide 8: Task 3 Password Attack

  • Demonstrate various password attacks using different tools.
  • Target at least two protocols (e.g., HTTP, FTP, SSH, RDP).
  • Crack provided offline password hashes using wordlists and crunch.
  • Crack a password-protected Word file, TradeSecret.docx, using office2john or zip2john.
  • Perform an in-memory attack using PTH to authenticate into the Windows XP system.