Passwords (part 3) Offline Password Attacks
This lesson offers step-by-step instruction in using Windows-based password hashes to obtain passwords. It focuses on the LM hash, and participants receive step-by-step instructions on how to use it to obtain passwords.
Video Transcription
00:04
All right, let's look at our offline password attacks. We have a couple of tools I like to use for this. The first one is John the Ripper.
00:13
We call it with john,
00:16
and there's lots of different things that John can do. Lots of formats.
00:22
And John is cool because, one, it will work with the format we already have. And two, it'll automatically pick the format if possible.
00:32
So, for instance, we can put in
00:36
our Windows XP password hashes,
00:42
which were over on the third terminal.
00:45
We look at
00:47
windowshashes.txt.
00:51
And if we compare these two,
00:55
I have a windows7hashes.txt.
01:00
Of course, we have different users,
01:02
but
01:04
one thing to notice is that with our Windows 7 ones,
01:10
all of these third fields here are the same.
01:15
Whereas on this one,
01:19
a lot of them are different. Like, these two are the same; maybe they have the same password.
01:26
This one's different.
01:29
This one's
01:32
different. It starts out kind of the same, but it's not completely the same, and a couple of them have that same value that this one does.
01:41
So what's happening here is: this is the user name. This is the user ID. This is the LM hash, which is the old Windows hashing algorithm that was still used for backwards compatibility in Windows XP days. And this is the newer NTLM hash. With Windows 7,
01:59
we have LM hash off, so this is actually the
02:02
blank LM hash here.
02:05
So it's
02:06
Windows 7 will be stuck cracking our NTLM hashes, which are
02:10
stronger and harder to crack. So if the user uses a solid password that is not based on a dictionary word and includes
02:20
lots of complexity, uppercase, lowercase,
02:23
symbols, numbers, and it's not based on a dictionary word, and it's sufficiently long, we'll probably have a hard time, even with a good word list, getting that password out.
02:35
Fortunately for us as password crackers, most people don't use passwords that are strong,
02:42
so even though we only have NTLM here, we may be able to get some passwords out here. Though when we have LM hashes, I can guarantee you we can get the passwords out.
02:53
LM hash is just completely broken. Even here on my virtual machine that doesn't have much memory,
03:00
much CPU power, I can still brute force, so try every possible combination, for LM hashed passwords in a pretty reasonable amount of time.
03:12
So we can say that we should be able to very quickly get passwords out for administrator, georgia, james and secret. We actually don't know what secret's password is.
03:22
Yeah,
03:24
well, with this one, it's all going to be based on
03:30
the strength of those passwords. So if georgia, Eichmann, martin, lisa and james used strong passwords, we may not be able to get them out. Administrator's, well,
03:40
administrator's password is the same, really blank,
03:46
probably disabled.
03:51
So the problem with LM hash is a few things, and there are slides on this, so I encourage you to look at it; it breaks it all down. Basically, it truncates at 14 characters. It hashes
04:02
two seven-character values independently, so they're not based on each other, so your key space is really small. Also, it ignores lowercase letters, so if you crack the LM hash password you'll actually have it in all uppercase, and you only have the first 14 letters, or 14 characters, so if they use a long one you could
04:21
lose parts of it, but it's not too hard, based on what you get out with LM hash, to try all the combinations
04:30
for correct case and get one.
04:34
So
04:35
let's try John on
04:39
windowshashes.txt,
04:43
those, just have it do a brute force again. windowshashes.txt is our XP, but it will have
04:49
LM hash on. So we should be able to brute force and not use the word list.
05:00
It looks like james's password is georgia,
05:03
and they are all gonna be in uppercase here.
05:08
It looks like secret's password is password123, and administrator's password is password, and georgia's password is password.
05:16
So again, really fast. Then to get the correct case, I mean, I always just try,
05:24
like I do passwords.txt, and then
05:29
do, like, password123, Password123.
05:35
And, you know, I could put in more, but generally those are gonna get it. Um, you said that georgia's password was password, right? So I don't need these password ones,
05:47
so I just start out with, like, all lowercase,
05:51
I could also do this with rules. We'll see
05:55
some rules when we move into Hashcat.
05:58
You can do that with John the Ripper as well.
06:01
Have a try,
06:04
and then, what was the other one? Georgia.
06:10
That's generally sufficient.
06:13
So this time I want to have it actually crack the NT hashes. We have that value there.
06:21
We just had it crack off of the LM hash, but we also have the NTLM hash.
06:28
We only have the NTLM hash on Windows 7.
06:31
We do john, and do that for format
06:36
equals NT,
06:40
and tell it we want windowshashes.txt, dash dash wordlist equals
06:46
passwords.txt.
06:50
There, it looks like
06:57
we've got
07:03
password for administrator. Password for secret, password for james. It doesn't have one for georgia,
07:11
but it may be in the pot, anything you've done previously. If you've tried this same hash before, it'll actually
07:21
not show
07:25
anything that
07:27
Oh,
07:29
but do
07:30
john, uh,
07:34
windowshashes.txt.
07:44
But georgia's is lowercase. I'm not sure why it's not trying that.
07:48
So it cracked everybody but georgia.
07:58
Weird.
08:03
Maybe because it was the same one,
08:07
so we can do the same sort of thing here. We did a word list, we just told it to try everything that was in that word list,
08:15
so we could do the same thing here
08:18
with our
08:22
Windows 7 hashes. It's just on the desktop:
08:28
windows7hashes.txt,
08:33
and we want a format
08:37
equals NT,
08:39
but actually it finds nothing with our really
08:43
silly password list.
08:50
You should have
09:00
at least one of them with password. I must have put in something else.
09:09
I could have, possibly.
09:13
Now I'm slightly curious.
09:33
Anyway. Well, that's doing what it's doing. Um, we can also use, certainly, a better word list.
09:41
There's one. If we go to
09:46
/usr/share/john,
09:52
we have password.lst,
09:54
probably really long. I really don't want to do this. Um,
09:58
worked out. All right, so it's got
10:01
passwords in here.
10:13
We could use a better word list.
10:18
Well,
10:30
oops.
10:37
I found the administrator with blank; it's disabled, and lisa's password is actually simple. Found that. What it is missing by default here is anything with capitals, numbers on the end and stuff, which is what we need to do
10:54
to make our numbers, to make, like, the first letter capital, to turn, like, an a into an @ symbol, or the exclamation point at the end: the stuff that people do when they're trying to do passwords securely but still failing; they put football as the main part of their password.
11:13
Well, I guess georgia's password is not, in fact, password, which I thought, unless what it was, that
11:20
No. Um, so who knows what I set it to. Might have to crack it.
11:26
Um,
11:28
I think I gave a set of instructions that told you to set it to password. So who knows?
11:33
So, uh, again, we are gonna have to try a little harder to get those ones with a little more complexity, with numbers and symbols and things. So what we're gonna do for that is actually use rules. You can use rules, and John the Ripper will actually look at rules. In the next section, we're gonna look at a tool called Hashcat. It's
11:54
John the Ripper and Hashcat are both really good password cracking tools. I know a lot of people who like
12:00
one or the other. I think it's worthwhile to know how to use both, to look at Hashcat as well. You may work some places where they absolutely want you to use John and some other places where they want you to use
12:11
Hashcat. So it's certainly worth knowing both.
12:16
So we'll look at that next. We'll see that we can do much the same thing.