Time: 14 hours 43 minutes
Difficulty: Advanced
CEU/CPE: 15

Video Transcription

00:00
Hello, everybody. Welcome to episode number 21 of the OSCP course: Password Attacks. My name is Alejandro Guinea and I'll be your instructor for today's session.
00:11
The learning objectives of the session are to understand the concepts behind this attack and apply techniques to implement this attack. So let's get down to business, shall we?
00:23
Password attacks can mean a lot of things. I mean, you can consider several techniques to be a password attack, but let me just give you two of the main concepts of password attacks, or main techniques. One is the offline password attack, which is basically having the password, you know, maybe encrypted or hashed, and actually trying to brute force that without any contact with the victim. And also the online password attack, which is basically just contacting the victim directly to see if your password worked, or maybe trying to brute force it to see if the passwords in the file actually apply to that machine. So for this scenario we'll be using, in this module, the bWAPP machine. Just so you know, we already know the password: the username is bee and the password is bug. Nothing to see here; it's just to demonstrate how these attacks can actually work.
01:21
So let me start by showing you two tools, which are crunch and CeWL. I'm just typing here crunch and cewl. These two tools have many uses, but, you know, I think the main usage for them is to create your own wordlist. Maybe you already know the password policy on the machine, that it has to include, I don't know, four letters and three numbers. So you just want to create that. You know, you don't want to use any already-created wordlist like rockyou.txt, which comes by default in Kali. You want to generate your own wordlist. That's where crunch and CeWL come in handy. So let me just start by typing this simple
02:12
crunch command, and just type 4 4, which basically will generate words of four characters in length. You know, the size of the words that will be generated will be four. You can, you know, change that. I mean, maybe you know that you're trying to find out a PIN number, not a password. So you can actually define the charset, the character set you want to use. For example,
02:45
let me just use this format. Let me just go to the location of the charset list, and I'm telling it it's numeric. So, you know, just generate the same amount of values, but numbers, because I want to find out, or want to brute force, a PIN number that's four digits.
03:09
So maybe you already know that the password is the letters ABC in that order, or maybe the PIN is ABC but not in that order. But, you know, the only letters that that PIN can use are ABC and a number, one number, for example ABC1.
03:28
So I'm telling it the format and the letters to use and, as you can see, it will generate all this. This could be really cool. For example, you can generate more words. For example, just paste that in here, which is basically telling it the same thing. I mean, instead of four I'm guessing six characters, and I'm telling it to use all of this, you know, from 0 to 9 and the first letters of the alphabet, and just telling it to put it in a text wordlist called six chars. That's it. I mean, there's no magic in here. And if you cat that file, you'll see a bunch of passwords that, you know, are made of these characters. So that's it.
04:21
The cool thing about this is that you can actually put something like, as we already know that the password again is, for example, three three, which is limited, but it's b-u-g, the password is bug. I'm telling it this, and it will generate that. And if I actually just grep for "bug", the word will be in there. I mean, this is how, you know, customizable these tools can be. But another cool tool is called CeWL. Look at this: you can actually use CeWL to generate a wordlist from a web page, so it will go into, like, kind of a spider mode, but, you know, it will generate a wordlist that came from that web page. For example, let me just copy and paste this command so I can show you the example in here.
05:30
Paste. And, you know, it generated... it went to depth 2. It means that it went to this page and the next page. The minimum word length for this is five. Let me... well, it's five, and the wordlist will be written to this location, and the web page where we went to take all the possible words with a minimum length of five is this one. So if I go in here and cat this web page...
06:09
I'm sorry, this wordlist, just type docs.
06:14
You can see that the minimum is five, but it can go higher in number. But, you know, if I go in here and grep for "bee", I will not find anything. Why do you think that is? Well, because I told the command to only take words that have a minimum length of five. So if I change that... let me use the previous command and edit it. Okay, three is fine. Let me just grep that. I hope I can actually grep that. Yeah. You can see that the word "bee", because at the end, is actually in here. And then we have the word "bug", which is actually there. Okay: bugs, bug and buggy.
06:59
So this is a really cool tool. I mean, I do believe that this could come in handy when you're trying to actually brute force a login page, for example. But yeah, this is all the static part so far. So how can we actually use these wordlists? Well, let's use some online attack techniques first. For example, we can use hydra. Hydra can actually brute force login pages, and basically other services as well, to actually find users and passwords as well. So let me just copy this lengthy command so I can explain it to you one by one. Let me just go to the beginning. Dash l, dash capital L: it tells it to use all the users included in this wordlist as a username. But, you know, let's not waste time on that, because we already know that the lowercase l, not capital L, is "bee", because the user is actually bee, and the password is actually included in this wordlist.
08:09
What's the IP here? That's the IP of the bWAPP machine, which I'm just typing so you can see it. And let's continue. http-post-form: this is the form that I'll be using, or the module, and it goes to this web page, which is, you know, the bWAPP ... _1.php page, and then I tell it to use the login, all of this, all of this that you can see in here. Well, maybe except for this. But, you know, again: the password, the form, the cookie, the cookie itself, the security level, all of this, all this stuff, you know, the SQLi manager, the current theme, and the SQLi and your current language. All of this I took from Burp. I mean, I didn't really know it; I intercepted the connection, and I saw that whenever I logged in, Burp was capturing this, and the browser was actually sending that to the web server. So this is how I know how to use all of this.
09:26
And, you know, I'm just telling it to use, in this case... I cannot use this anymore, the user is actually bee, and the... well, you can actually, I can actually leave it like that. Let me just paste it again. And, you know, I'm telling it that the invalid, you know, the fail text is "Invalid credentials... did you forget your password?" And that's because if I go here and put test/test, it says "Invalid credentials... did you forget your password?" And I'm telling it that every time this comes, it means that the username and password are incorrect. Now, this can launch several false positives, because at the end, maybe the text didn't come complete, or maybe it came in a different format. So this can yield several false positives.
10:31
Let's give it a try. Oh, dash... okay, wait. Okay, it's logging in. Okay, a lot of false positives. I believe you get the point. This will actually try to log in here to the web page. And you can actually... I'm just cutting it here because this bWAPP machine is actually really old; it can't take a lot of concurrent connections. Let me just paste it in here. Maybe I will not paste it in here, maybe... Ah, these tests, the .txt, so you can actually see the command, the whole story. Oh, let me just paste it in the terminal. I didn't want to paste it in the terminal history, but, you know, whatever. Yeah.
11:24
You can also use Medusa instead of Hydra, which we know will achieve the same goal. You know, it's the same thing. I'm telling it that the user is bee, the password is bug, the form, the deny string, which is the same, the form data, you know, the login and the password, the form, the cookie. Everything is the same. You can achieve the exact same thing with Medusa and Hydra.
11:52
But I don't want to waste any time on this, guys; I already told you the syntax, and here are the results. I want to show you that you can actually do the same thing but for different services. Let me show you that by using a different tool. Now, I already created a username, it's called alejandroguinea, on my local machine. Let me just show it to you. And it's already in there. It has a really shameful password, I believe. But, you know, the point remains. Let me just echo here the password to my wordlist. Oops, it replaced it. Oh my God. Okay, there you go.
12:39
And if I go to this, I mean, just type that syntax in here, and ncrack, which again, same as Medusa, you can do that. This is what I'm about to do in here, which is basically brute force an SSH service. You can do it as well with Medusa and Hydra; it's the same thing. I'm just trying to show you three different tools to do the same thing. So let me just put in here ncrack, that's really, you know, localhost, because it's the local host. Dash dash user, well, alejandroguinea. Dash capital P, which is the password, capital because I'm going to introduce the wordlist. And what I'm about to hit is SSH. You know, it will take a while because at the end it will brute force every possible combination.
13:41
And it says that it finished: some seconds, prematurely closed 0, timeouts 0, probes sent 1... wait, probes sent 1? Maybe I did mess up that wordlist. I mean, check it out. Mmm, it has a lot. But that's the syntax, so I can actually use that: --user alejandroguinea, and the password list is the .txt sitting here, and you know that the module is SSH. And you can do it to, you know, brute force this again with... I can't, we have to have the service up. service ssh start.
14:35
Another cool thing that you can use, and actually this came from the internal guys, is fgdump, and WCE, which is basically Windows Credential Editor. fgdump will dump the passwords of the users that are actually online on a Windows service. Let me just let this run so we can go back in here and check the results. But, you know, fgdump is an executable you can use in Windows. I have my Windows machine here. And, you know, this comes by default in Kali. Let me just copy and paste this here to copy it to your web root, which is basically, you know, windows-binaries in the Kali box, and just, you know, copy and paste the fgdump executable, which again just dumps the hashes of the users, the password hashes of the users that are online on the machine. Maybe you're trying to escalate privileges, so you can just use that.
15:46
So let me just copy it here and go to my Windows machine here. Let me just drag this so you can see it. So I go to my Chrome web page and I go to my, you know, IP in here. Now that I have it, fire it up. I could just run it, and it will create... oh, I didn't tell you what to say, the date. My bad. Sorry. Name? Yes. Go to the Downloads directory here and just, oh, it's really dumping here, so you can see it created some files.
16:41
We can actually open these files. You know, some of them are just informational, and this is what we're interested in. It has all the NTLM hashes, which is, by the way, the standard for Windows. It has all the NTLM hashes, so we can try to brute force, you know, this file itself. We can copy that, or those hashes, back to our Kali machine. Or, you know, we can, let me just refresh your memory here, launch this and actually perform kind of a pass-the-hash attack. Remember the famous psexec attack from Metasploit.
17:40
I'll just use this one and, no, actually exploit the Windows machine itself. I mean, just show options really quickly, set RHOST to our Windows XP, run real quick. Nothing to see here, folks. I just hacked a machine. And, you know, I can actually try to gain, you know, I already gained a shell in here, so I can just go shell and, you know, surf to this, through the... let me just get the Meterpreter again. I can just surf to the Windows location, which is basically, let me just show it to you.
18:45
Here, real quick, it's in the Downloads. Okay, Documents and Settings. Okay, let me just get shell. And what was the path again? I'm really bad with paths. That's Documents and Settings, owned, which is the user, by the way, My Documents, Downloads. Okay? My Documents. Okay, remember the directory: cd My Documents, cd Downloads.
19:33
And I can just use the command type, because that's kind of the equivalent of the cat command in Windows. So I can just type "type" and, you know, the file here, and I can have the hashes in here. That was just a refresher for you guys to see how it is to hack a Windows machine. So I can just, you know, type...
20:02
Copy that file in the following commands. No, let me just copy all this and see if this really finished. Okay, it finished. Okay, it told me: the password is 123 and the username is this one. So yeah, all good on that front. So let me just create here a passntlm.txt. Yeah, let me just paste it in here, so I just have all of this. Let me just eliminate all of this because I'm not interested in any of this information. I'm just interested in this one. And I saved it. And then, you know, I already have the word "owned". Remember, we already know the password, but, you know, this is the command that you should use for offline, which is what I'm about to do right now, offline password cracking. You can use the tool john. Note: I said it was a reference to John the Ripper.
21:03
Just let me give you the syntax in here: john, dash dash format, which is LM, dash dash wordlist, and basically just point to the wordlist we have created from CeWL, remember, docs... what's the name? docs, words, .txt. And then the file where we actually have the hashes... what was the file, all the way out, passntlm, passntlm. So we're really telling John to use this format and to take the words from this wordlist, which is basically, we already know that the password, 123, is the password that generated these NTLM hashes, so we just want to execute that.
22:07
Okay, that's 123. Easy, see? So we can see how, you know, we can perform several types of password attacks. But a really more dangerous one, which I don't want to show you guys, because this is just downloading the application and running it, is WCE, the Windows Credential Editor. Let me just go to the web page, and these guys created an executable, again, WCE or Windows Credential Editor, which is basically the same as fgdump, but it dumps the passwords in plain text. This is kind of amazing for me; the first time I saw this, it blew my mind. So yeah, I don't want to waste time, just download an executable and run it, because that's all it takes, so you can actually see the results from that.
23:00
What is the main usage for crunch and CeWL? Well, you can create your own wordlist. For example, you can actually get the wordlist from a web page by using CeWL. So these are two nice tools to use. Can we actually gain remote control with this attack? Yeah, we can. We can figure out passwords; we can brute force login sessions. I mean, yeah, we can definitely gain remote control. In this video we learned the concepts of this attack, and we implemented some techniques to execute this attack, and we saw also how malicious this attack can be. Supplemental materials: The Hacker Playbook again; nothing new on this front. And, you know, every possible resource you can find on Google and YouTube. And looking forward, in the next episode we will cover public exploits. Well, that's it for today, folks. I hope you enjoyed the video, and talk to you soon.


Instructed By

Alejandro Guinea
CERT Regional Director
Instructor