Hello, viewers, and welcome to the Post Exploitation, Hacking, Persistence and Continued Access course from your host, me, Joseph Perry. You're watching this on Cybrary.it. This video is going to be a bit of an aside from the other videos we've been doing; it's a subject that everyone really seems to enjoy because it definitely makes you feel like a great hacker, and it's kind of fun to do.

Anyway, the specific subject of which I'm speaking is password cracking, or password stealing. In this video, we're going to examine how to go about cracking a password, and even actually look at a simple script, and when I say simple, I mean really simple, that I drew up so that you can actually see sort of how cracking is done. It tends to be a subject that kind of mystifies people, one that everyone knows exists, but no one really knows how it works. So I wrote a script so that you can get a sense of what it actually looks like when passwords are being cracked.
So the first thing we want to do when we're looking at cracking the password is also part of our information gathering step. It's another file to look at.

This course is by no means all-inclusive. No course really can be. So if you're curious about all of the files and the various things that we do, that you might want to know about, I would recommend a trip down Google Lane, where you can kind of learn about all the different important files on a Linux or a Windows system. The main reason why I didn't include going through each and every file in this is because most classes on this, or rather I should say, any class on this that did include every single file that you should examine, would be much, much longer and incredibly dry. And that's not really something you're looking for. So if you're curious about other files, then I absolutely recommend you pulling them. If you're not, totally fine; we give you more than enough in this course to keep you busy.
So the file we're looking at right now is the login.defs file. It's in the /etc directory, like most of the important files, and it describes the password rules. We already saw a lot of those, but this one's got a specific rule we really want to check. So we're gonna kind of skip past a lot of these. A lot of these are interesting and worth examining later on, but most of them aren't especially. One that I do kind of think you should take a second to notice is that login retries is limited at five. It is overridden by PAM, because PAM does have a built-in three. But in case you're not actually using PAM, which is another important file, the pam.d file, if you're not using that, this is worth examining.

The main reason why I wanted to get here, and here it is, is this line right here. PAM modules have a specific configuration as to how they want things to be hashed, but this line right here tells you the actual encryption method it's using. As you can see, this system uses MD5, which is an extremely weak algorithm in comparison to the alternatives that exist. It's nowhere near as strong as some of the other options that are even available in Windows. When in doubt, or when not in doubt, or really at any time, ever, use SHA-512. It's the best that Linux offers, and it's definitely enough to keep most hackers at bay. It's SHA-512 based; this is important. Based on that algorithm, Linux implements its own things that are sort of correspondent to what BSD uses, so that it's not quite as easy. But it's still pretty easy.
So what we see here again is encrypting using MD5. MD5 has lots of collisions that are known, and there are huge projects devoted to beating MD5. A main reason for that is because MD5 is extremely popular. Like most hashing-based encryption, MD5 was considered very strong, very handy, very versatile and very easy, so everyone started implementing it. When everyone implements it, everyone targets it. And since everyone started targeting it, you find these huge databases online that consist of nothing but cracked MD5 passwords. Unless you use a very secure, very strange password like I tend to, you're probably going to find your password on there. If it's any variation on a normal dictionary word, it's almost a certainty that it will be. And even if it's not a variation, but it's within the top, let's say, 10 to 100,000 most common passwords, you're probably gonna get caught with it.
So the reason why we looked at this is because we see the encrypt method is MD5. We can look again, as we did before, at our shadow file. For this you will always have to have gotten root access; in this case we'll just sudo, as we have been: cat /etc/shadow.

All right, so we see that this looks nothing like an MD5 hash. There's a series of reasons for this; it could be anything from a mistake, or trickery, or whatever problem you care to name, or it could be part of the implementation that Linux uses. Either way, this exact hash is not one that's quite correspondent. I show you this so that you know that Linux, or Ubuntu, is a little bit cleverer than simply allowing someone to have an MD5 hash for their password. They recognize the security problems with it, and they take better steps to ensure that it's not going to be an issue. Which is nice. However, and this is the important thing: not everyone does. Lots and lots and lots and lots and lots of passwords are still stored as MD5, and as a result of this, you can very often use MD5-based cracking to gain all the passwords an organization has. You can do the same with SHA, but it's gonna take you a lot longer. And if it's salted, it's not even really worth trying most of the time. Unless, of course, you're, you know, some gigantic agency or corporation with millions of dollars of computers to throw at the problem; then, hey, maybe it's worth it for you. It is important to know: the more files there are, the more passwords you get, the better, because that's the bigger target area. You parallelize to target as many of them as possible at a time, and you're more likely to get a hit that way.
As I mentioned, I did write up a simple, and very, very, very simple, script in Python to show you what password cracking looks like under the hood. So there are two ways to do it, two main ways that most people use, and those are known as rainbow and brute force.

Rainbow cracking looks pretty much like this, just kind of on a macro scale. You see you've got a word list. Usually it'll be a file containing lots and lots of variations on words, or non-words, that are commonly used. The biggest can reach up to 10, 15 gigabytes. So, generally speaking, even if they don't actually find your password, they'll find a collision.

Alternatively, they can use brute force cracking, which basically follows this general concept: for everything in this range, just hash it and let me know when you find one which matches the hash I have got. That is not optimal. MD5 has lots and lots of collisions, but with this number range right here, this huge number range, you're scratching the surface. You're almost certainly not going to get an MD5 hash out of that. That's unfortunate, obviously, because that makes it very hard to brute force your way through. Now again, if you're brute forcing, you're probably not going to do it in Python, for a whole host of reasons that will be covered in other classes by other people. But long story short, just know this: Python is not great for brute cracking.
The reason I'm showing you this is because I want to demonstrate what it actually looks like when you rainbow hash, or when you brute crack, rather. So we're gonna go ahead and do so. You see here the bottom of the script, the part that's gonna actually run first. This is MD5 from Crypto.Hash. I create a new hash, I update it with this, which we see is right here at the end of the word list, and then the hexdigest, which is the actual MD5 hash as we're used to looking at it, is printed on the screen so that we know what it's supposed to look like with that hash. And then we run rainbow against that hash.

Rainbow puts it in here. It just kind of takes the hash to pass it on in a moment. It goes to run; it calculates all the hashes for all the words in its list, which is an inefficient means of doing it, but I didn't want to just have the hashes sitting here so you could compare them by eye. It hashes all the words in its list, puts those into a dictionary, which would normally be populated right out of the gate, and passes those two things to the actual cracker. Cracker is very, very simple. Occasionally rainbow hashing, or rainbow tables and dictionary-based attacks, are actually trivial enough that you can do them with Python. It's fast enough that you could just parallelize to some extent with Python and run that way. I never advocate using Python or any scripting language to do password cracking, because if you do, it's to the order of days, if you're lucky, more likely to the order of weeks or months, or, in some cases, years. If you're taking something like SHA-512, it can take you to the tune of lifetimes. But luckily we've got five options; we already know what the actual answer is gonna be. So we're pretty safe in moving forward. We're gonna write the comment change that I made, and we're gonna just run the simple cracker.
And voilà. It spits out the password hash. You see right here is the calculated hash of what we gave it, and then this is the corresponding string. That's really all it looks like. It's very simple, very straightforward. But just for comparison, I want to show you what it looks like to brute crack. So we're gonna go ahead and change this. We're gonna comment this out instead. We're gonna uncomment that. And then we're going to get something wrong, because that happens pretty often in programming. I'm a programmer more than I am anything else, and I can tell you from experience that if it can go wrong in programming, it'll go wrong a few times. Here we go. So, Python wants a string for that update. Not a big deal. Clear this, however quick, and we're gonna run it and see if it will let us go this time.

There you go. So that's what it looks like when you're computing every hash for 99 million numbers. But how many exactly is it? We've let it run for a couple seconds, and it was printing to the screen very quickly, looking very hacker-ish. Maybe we got through a significant chunk. There's an easy way to tell. We're gonna add to our print statement here to print i, which is the actual number, str(i), which is the number that we're on, the index, so to speak, that we've cracked up to. And we're gonna execute. Okay, look at that. We're making great time. We're at 50,000 passwords already. All right, now, you may have noticed that was at around 200,000. So we were at a fifth of a million; a million would be that times five. We're looking to the tune of about a minute for a million, probably a little bit longer when you actually factor in performance and that sort of thing. And then you consider, well, you're looking at 99 million. That's a little bit longer, a little bit uglier. And then you consider that 99 million is not a useful or reasonable fraction of the possible MD5 passwords. And that explains why brute forcing takes a long time.
In reality, MD5 hashing, MD5's total sum is 128 characters, possibly, that could be fed into it. And that means quite a bit of data, 128 characters usefully fed into it, and that equates to far, far more than you're going to be able to actually factor. It's essentially the equivalent of 1 times 10 to the 128, which, you may notice, is a very big number. So, like I said, don't brute unless you must. And if you must, I recommend you do it with C, or a faster language than Python.

Obviously, there are all sorts of utilities and tools. John the Ripper is very popular, but I wanted to kind of give you a sense of what the actual cracking looks like. The script, I'll bring it back up here for you; it looks just like this. You know, if we wanted it to be more accurate, to actually break MD5 hashes, it would look a little bit more like this. Whatever. Point is, you can crack this way. You can draw up your own password cracker, your own word list. You can download a word list from all over the Internet and try your hand. You may learn something about crypto, or you may just have fun. Either way, it'll be a learning experience, and well worthwhile.

So that's really all there is for this video. As always, I'm your host, Joseph Perry, and you're watching this on Cybrary.it. Get out there and break something.
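The following is an added Python example and is not the script shown in the video. It puts the two approaches the video describes side by side from the defender's angle: an unsalted MD5 store falls to a precomputed lookup table with zero hashing at crack time, a per-user salt forces the whole word list to be re-hashed for every user, and a numeric brute force pays one hash per candidate. It uses hashlib instead of the video's Crypto.Hash, the word list and salts are constructed here, and the salted SHA-512 is a simplification of Linux's sha512crypt ($6$), which also iterates thousands of rounds; all of those are assumptions of this example, not details from the video.

```python
import hashlib
import secrets

# Constructed stand-in for a word list; real ones run to many gigabytes.
WORDLIST = ["password", "letmein", "qwerty", "dragon", "hunter2", "Passw0rd!", "123456"]


def md5_hex(text):
    """Unsalted MD5 hexdigest, the weak ENCRYPT_METHOD the video finds in login.defs."""
    return hashlib.md5(text.encode()).hexdigest()


def build_md5_table(words):
    """Precompute hexdigest -> word once. This is the lookup-table ('rainbow') side;
    the video's script builds the same dict at run time for illustration."""
    return {md5_hex(w): w for w in words}


def table_lookup(table, stored_hex):
    """Cracking an unsalted MD5 hash is then a single dict lookup, no hashing at all."""
    return table.get(stored_hex)


def salted_sha512_hex(password, salt):
    """Simplified salted SHA-512 (assumption: real sha512crypt adds thousands of
    rounds on top of the salt; omitted here to keep the effect of the salt visible)."""
    return hashlib.sha512((salt + password).encode()).hexdigest()


def salted_dictionary_attack(stored_hex, salt, words):
    """With a per-user salt the precomputed table is useless: every candidate has to
    be re-hashed with that user's salt. Returns (matched_word_or_None, hashes_computed)."""
    computed = 0
    for w in words:
        computed += 1
        if salted_sha512_hex(w, salt) == stored_hex:
            return w, computed
    return None, computed


def numeric_brute_force(target_hex, limit):
    """The video's second method: hash every integer in range(limit) and stop on a match.
    Returns (matched_string_or_None, hashes_computed) so the cost is visible."""
    computed = 0
    for i in range(limit):
        computed += 1
        if md5_hex(str(i)) == target_hex:
            return str(i), computed
    return None, computed


def compare_schemes(passwords, words=WORDLIST):
    """Store the same passwords two ways and count what a dictionary attack recovers
    and how much hashing the attacker had to do in each case."""
    table = build_md5_table(words)
    md5_found = sum(1 for p in passwords if table_lookup(table, md5_hex(p)) is not None)
    salted_found = 0
    salted_work = 0
    for p in passwords:
        salt = secrets.token_hex(8)  # constructed per-user salt
        hit, work = salted_dictionary_attack(salted_sha512_hex(p, salt), salt, words)
        if hit is not None:
            salted_found += 1
        salted_work += work
    return {
        "md5_table_hits": md5_found,
        "md5_hash_ops_at_crack_time": 0,   # table was built once, ahead of time
        "salted_hits": salted_found,
        "salted_hash_ops": salted_work,    # paid again for every user
    }


if __name__ == "__main__":
    print(compare_schemes(["letmein", "dragon", "correct horse battery"]))
    print(numeric_brute_force(md5_hex("4242"), 100000))
```

Note what the counts say: the salt does not stop a dictionary attack on a weak password, it removes the shortcut of a shared precomputed table and multiplies the work by the number of users, and the real rounds in sha512crypt multiply it again. A password that is not in the list ("correct horse battery" above) survives both lookups, which is the video's point about unusual passwords.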