Time
7 hours 47 minutes
Difficulty
Advanced
CEU/CPE
10

Video Description

This lesson discusses methods of cracking passwords. Participants get step-by-step instructions for cracking MD5-hashed passwords using a simple script the instructor wrote in Python, covering both rainbow-table (dictionary) cracking and brute-force cracking.

Video Transcription

00:04
Hello, viewers, and welcome to the Post Exploitation Hacking, Persistence and Continued Access course from your SME, me, Joseph Perry. You're watching this on cybrary.it. This video is going to be a bit of an aside from the other videos we've been doing; it's a subject that everyone really seems to enjoy because it definitely makes you feel like a
00:21
great hacker, and it's
00:22
kind of fun to do Anyway,
00:25
Um, the specific subject of which I'm speaking is password cracking or password stealing.
00:32
Uh,
00:33
we're going to in this video, we're going to examine
00:36
how to go about cracking a password
00:39
and even actually look at a simple, and when I say simple, I mean really simple, script I wrote up
00:46
so that you can actually see sort of how cracking is done. It tends to be a subject that kind of mystifies people, one that everyone knows exists, but no one really knows how it works.
00:57
So I wrote a script so that you can get a sense of what it actually looks like when passwords are being cracked.
01:03
So the first thing we want to do when we're looking at cracking the password is also part of our information gathering step.
01:07
Um, it's another file to look at
01:12
and again.
01:14
This course is by no means all inclusive. No course really can be.
01:19
So if you're curious about all of the files and the various things that we didn't cover that
01:25
you might want to know about, I would recommend a trip down Google Lane where you can kind of learn about all the different important files on a Linux or a Windows system.
01:34
The main reason why I didn't include going through each and every file in this is because
01:40
most classes on this that
01:44
or rather I should say, any class on this that did include every single file that you should examine would be much, much longer and incredibly dry.
01:53
And that's not really something you're looking for.
01:57
So if you're curious about other files, then I absolutely recommend you pulling them. If you're not
02:01
totally fine, we give you more than enough in this course to keep you busy.
02:06
So the file we're looking at right now is the login.defs file. It's in the /etc directory, like most of the important files, and it describes the password rules. We already saw a lot of those, but this one's got a specific rule we really want to check.
02:23
So we're gonna kind of skip past a lot of these. A lot of these are interesting and worth examining later on, but most of them aren't especially.
02:31
One that I do kind of think you should take a second to notice is that, well, login retries is limited at five.
02:38
Ah, it is overridden by PAM, because PAM does have a built-in three.
02:44
But in case you're not actually using PAM, which is another important file, the pam.d file,
02:51
if you're not using that,
02:53
This is worth examining
02:55
The main reason why I wanted to get here, and here it is,
02:59
is this line right here.
03:01
PAM modules have a specific configuration as to how they want things to be hashed.
03:06
But this line right here tells you the actual encryption method it's using.
03:09
As you can see, this system uses MD5, which is an extremely weak algorithm,
03:15
um, in comparison to the alternatives that exist,
03:19
um,
03:20
it's nowhere near as strong as some of the other options that are even available in Windows. When in doubt, or when not in doubt, or really at any time ever, use SHA-512. It's the best that Linux offers,
03:32
and it's definitely enough to keep most hackers at bay. It's
03:38
SHA-512 based. This is important. Based on that algorithm, Linux implements its own things that are sort of correspondent to what BSD uses
03:46
so that it's not quite as easy. But it's still pretty easy.
03:51
So this, what we see here again, is encrypting using MD5. MD5 has lots of collisions,
03:55
um, that are known, and there are huge projects devoted to beating MD5.
04:03
A main reason for that is because MD5 is extremely popular. Like most hashing-based encryption,
04:09
MD5 was considered very strong, very handy, very versatile and very easy.
04:15
Because of this,
04:16
everyone started implementing it.
04:18
But like anything
04:20
when everyone implements it, everyone targets it. And since everyone started targeting it, you find these huge databases online that consist of nothing but cracked MD5 passwords.
04:30
Unless you use a very secure, very strange password
04:34
like I tend to, you're going to probably find your password on there. If it's any variation on a normal dictionary word, it's almost a certainty that it will be.
04:44
And even if it's not a variation, but it's within the top, let's say 10 to 100,000 most common passwords
04:49
you're probably gonna get caught with it.
04:54
So the reason why we looked at this is because we see the encrypt method is MD5.
04:59
Apparently, a weak hash,
05:00
so
05:01
we can look again, as we did before, at our
05:04
/etc/shadow.
05:06
And for this you will have to have gotten root access. In this case we'll just sudo in, as we have been. But to access shadow,
05:15
you will always need
05:17
root access.
05:24
There we go.
05:25
All right, so we see that this looks nothing like an MD5 hash. There's a series of reasons for this; it could be anything from a mistake or,
05:33
ah, trickery or whatever problem you care to name. Or it could be part of the implementation that Linux uses. Either way, this exact hash is not one
05:43
that's quite correspondent.
05:46
I show you this so that you know that Linux, or Ubuntu, is a little bit cleverer than
05:50
simply allowing someone to have an MD5 hash for their password.
05:57
They recognize the security problems with it, and they take better steps to ensure that it's not going to be an issue.
06:02
Which is nice, however, and this is the important thing.
06:06
Not everyone does. Lots and lots and lots and lots and lots of passwords are still stored as MD5,
06:14
and as a result of this, you can very often use MD5-based cracking to gain all the passwords an organization has.
06:23
You can do the same with SHA,
06:25
but it's gonna take you a lot longer. And if it's salted, it's not even really worth trying most of the time.
06:31
Unless, of course, you're, you know, some gigantic agency or corporation with millions of dollars of computers to throw at the problem, then, hey, maybe it's worth it for you.
06:41
It is important to know: the more files, the more passwords you get, the better, because that's the bigger target area. You parallelize to target as many of them as possible at a time, and you're more likely to get a hit that way.
06:55
As I mentioned, I did write up a simple, and very, very, very simple, script
07:00
in Python to show you what password cracking looks like under the hood.
07:06
So there are two ways to do it.
07:09
Two main ways that most people use.
07:13
And those are known as rainbow and brute force.
07:15
Rainbow cracking looks pretty much like this. Just kind of on a macro scale.
07:20
Ah, you see, you've got a word list. Usually it'll be a file containing lots and lots of
07:27
just words, or
07:29
you see, variations on words, or non-words that are commonly used.
07:33
The biggest can reach up to 10 to 15 gigabytes
07:36
of pre hashed
07:40
pairs.
07:42
So, generally speaking, even if they don't actually find your password
07:46
they'll find a collision.
07:48
Alternatively, they can use brute force cracking, which basically follows this general concept,
07:56
which is for everything in this range.
08:01
Just hash it and let me know when you find one which matches the hash I have got
08:07
Ah, that is not optimal.
08:11
As I mentioned,
08:11
MD5 has lots and lots of collisions.
08:15
But with this number range right here, this huge number range of
08:18
no
08:22
99 million or so
08:24
You're scratching the surface. You're not going to, you're almost certainly not going to get an MD5 hash out of that.
08:31
Um,
08:33
that's unfortunate, obviously, because that makes it very hard to brute force your way through.
08:39
Now again, if you're brute forcing, you're probably not going to do it in Python for a whole host of reasons that will be covered in
08:45
other classes by other people. But long story short, just know this: Python, not great for brute crack,
08:52
but it's possible
08:54
The reason I'm showing you this is because I want to demonstrate what it actually looks like when you
08:58
rainbow hash or when you brute crack, rather. So we're gonna go ahead and do so. You see here the bottom of the script, the part that's gonna actually run first.
09:07
I create using
09:11
this MD5 from Crypto.Hash.
09:13
Ah, I create a new hash. I update it with
09:18
password3,
09:18
which we see is right here at the end of the words list.
09:22
And then the hexdigest, which is the actual MD5 hash as we're used to looking at it,
09:28
is printed on the screen so that we know what it's supposed to look like. With that hash, we then run rainbow against that hash.
09:35
Rainbow puts it in here.
09:39
It just kind of takes the hash to pass it on in a moment.
09:41
It goes through and calculates all the hashes for all the words in its list, which is an inefficient means of doing it.
09:48
But I didn't want to just have the hashes sitting here so you could compare them. It
09:52
hashes all the words in its list, puts those into a dictionary, which would normally be populated right out of the gate,
09:58
and passes those two things to this actual cracker.
10:01
Cracker is very, very simple,
10:03
and
10:05
occasionally rainbow hashing, or rainbow tables, and dictionary-based
10:11
attacks are actually trivial enough
10:13
that you can do them with Python. It's fast enough that you could just parallelize
10:18
to some extent with Python and run that way. I never advocate using Python or any scripting language to do password cracking, because if you do,
10:28
it's gonna take you
10:31
to the order of days. If you're lucky,
10:33
more likely to the order of weeks or months or, in some cases years
10:41
If you're taking something like SHA-512, it can take you to the tune of lifetimes.
10:46
But luckily we've got five options. We already know what the actual answer is gonna be.
10:52
So we're pretty safe in moving forward.
10:54
We're gonna, right, the comment change that I made, and we're gonna just run the simple cracker.
11:03
So we run it
11:05
and voilà. It spits out the password hash. You see, right here is the calculated hash of what we gave it, and then this is the corresponding string.
11:15
That's really all it looks like. It's very simple, very straightforward,
11:18
but just for comparison,
11:22
I want to show you what it looks like
11:24
to, ah, brute crack.
11:26
So we're gonna go ahead and change this. We're gonna comment this out instead.
11:31
We're gonna uncomment that.
11:35
No.
11:35
And then we're going to get something wrong because that happens pretty often
11:41
that
11:43
programming. I'm a programmer more than I am anything else, and I can tell you from experience that if it can go wrong in programming,
11:50
it'll go wrong a few times.
11:54
Here we go. So, Python wants a string for that update. Not a big deal.
11:58
Clear this, however quick, and we're gonna run it and see if it will let us go this time.
12:03
There you go. So that's what it looks like when you're computing every hash for 99 million numbers.
12:09
As you may notice,
12:11
that's a lot.
12:13
But how many exactly is it? We've let it run for a couple seconds, and it was printing to the screen very quickly, looking very hacker-ish.
12:22
Maybe you got through a significant chunk.
12:24
There's an easy way to tell. We're gonna add to our print statement here
12:30
to print i, which is the actual number. String i, which is the number that we're on, is the index, so to speak, that we've cracked up to.
12:39
Right?
12:41
Clear this
12:41
and we're gonna execute.
12:45
Okay, look at that. We're making great time
12:48
spinning up.
12:48
We're at 50,000 passwords already.
13:05
All right. Now, you may have noticed that was at around 200,000. It was about
13:09
10 to 15 seconds in,
13:11
so we were at 1/5 of a million; a fifth of a million, times 15.
13:16
We're looking to the tune of about a minute for a million, probably a little bit longer when you actually factor in performance and that sort of thing,
13:24
but not that bad.
13:26
And then you consider, well, you're looking at 99 million.
13:31
Ah,
13:33
that's a little bit longer, little bit uglier.
13:37
And then you consider that 99 million is not a useful or reasonable fraction of the possible MD5 passwords. And that explains why brute forcing takes a long time.
13:48
Um,
13:50
in reality MD5 hashing, MD5's, uh, total sum is 128 characters,
13:58
possibly that could be fed into it.
14:00
And that means quite a bit of data
14:03
128 characters usefully fed into it,
14:07
and that equates to far, far more
14:11
than you're going to be able to actually
14:13
factor. It's essentially the equivalent of 1 times 10 to the 128, which, you may notice, is a very big number. So, like I said, don't brute unless you must. And if you must, I recommend you do it with C or a faster language than Python.
14:30
Obviously, there are all sorts of utilities and tools. John the Ripper is very popular,
14:35
but I wanted to kind of give you a sense of what the actual cracking looks like. The script, and I'll bring it back up here for you,
14:43
is easy to write.
14:45
It looks just like this.
14:46
You know, if we wanted it to be more accurate, to actually break MD5 hashes, it would look a little bit more like this,
14:56
but a
14:58
whatever, point is you can crack this way. You can draw up your own password cracker, your own word list. You can download a word list from the Internet and, uh, try your hand. You maybe learn something about
15:13
crypto or you may just have fun.
15:16
Either way, it'll be a learning experience, and well worthwhile.
15:20
No.
15:24
So that's really all there is for this video. As always, I'm your SME, Joe Perry, and you're watching this on cybrary.it,
15:33
and get out there and break something.
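As an added example, not the instructor's script or any Cybrary code: a small Python audit that classifies each /etc/shadow entry by its crypt(3) prefix, flagging the MD5-based $1$ scheme that ENCRYPT_METHOD MD5 in login.defs produces, and then shows why the precomputed-table lookup from the video works against a bare MD5 digest but misses once a per-user salt is mixed in. The shadow lines, salts and word list are constructed placeholders.

```python
import hashlib
# Constructed sample /etc/shadow lines with placeholder hash bodies (no real
# credentials); the second colon-separated field is what the audit classifies.
SHADOW_SAMPLE = """\
alice:$1$Xk3lt0ZP$placeholderplaceholderp:19000:0:99999:7:::
bob:$6$rounds=5000$Ai9Qx0Wt$placeholderplaceholderplaceholder:19000:0:99999:7:::
carol:$5$tzJ3y1Vm$placeholderplaceholderplaceholder:19000:0:99999:7:::
dave:!:19000:0:99999:7:::
"""
# crypt(3) $id$ prefixes -> (name, weak). $1$ is the MD5-based scheme that
# ENCRYPT_METHOD MD5 in login.defs selects; $6$ is the SHA-512 scheme.
CRYPT_IDS = {"1": ("md5crypt", True), "5": ("sha256crypt", False),
             "6": ("sha512crypt", False), "2b": ("bcrypt", False),
             "2y": ("bcrypt", False), "y": ("yescrypt", False)}

def classify_hash(field):
    """Return (algorithm name, is_weak) for one shadow password field."""
    if field in ("", "*") or field.startswith("!"):
        return ("locked", False)          # account has no usable password
    if field.startswith("$"):
        return CRYPT_IDS.get(field.split("$")[1], ("unknown", True))
    # No $id$ prefix: legacy DES crypt (13 chars) or a bare digest.
    return ("descrypt" if len(field) == 13 else "raw-digest", True)

def audit_shadow(text):
    """List (user, algorithm) for every account still on a weak scheme."""
    weak_accounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, field = line.split(":")[:2]
        algo, weak = classify_hash(field)
        if weak:
            weak_accounts.append((user, algo))
    return weak_accounts

def md5_table(words):
    """Precomputed MD5 -> word map, the 'rainbow' lookup idea from the video."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}

# Constructed mini word list; "password3" mirrors the video's test value.
TABLE = md5_table(["password", "letmein", "qwerty", "password3"])

def lookup(hexdigest):
    """Return the word behind an unsalted MD5 digest, or None on a miss."""
    return TABLE.get(hexdigest)

# Same password hashed bare and salt-prefixed: the table hits only the first.
UNSALTED = hashlib.md5(b"password3").hexdigest()
SALTED = hashlib.md5(b"Xk3lt0ZP" + b"password3").hexdigest()
```

Running audit_shadow over a real shadow file (as root) lists the accounts that still need a password change after ENCRYPT_METHOD is raised to SHA512, since existing hashes are only rewritten when the user next sets a password.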


Instructed By

Joe Perry
Senior Technical Instructor at FireEye, Inc
Instructor