504.3 Flashcards
Password Spraying
Attackers choose a small number of potential passwords to try. They then spray these potential password guesses across a large number of account names and machines, hoping that one works.
THC Hydra
Online password guessing tool. Targets a single username and password, a list of usernames, or lists of usernames and passwords. Supports many different protocols: SSH, RDP, SMTP, SMB, VNC and more.
Credential Stuffing
An adversary collects username and password lists from popular website breaches and merges them into a single file or other searchable index. When the adversary has a target organization in their sights, they search the breached list for that organization, identify usernames and passwords that worked on the breached site, and reuse those credentials against the target.
Password Guessing
Identify a valid user ID > Create a list of possible passwords > Try each password > If the system lets you in, success > If not, try again
Bucket Finder
Requires a wordlist; it checks each word to see whether a bucket of that name exists in Amazon's S3 service. For any bucket it finds, it checks whether the bucket is public, private or a redirect.
gcpbucketbrute
Identifies and enumerates permissions on Google Cloud Storage buckets. Uses a permutation wordlist to create common variations on a single bucket name, or checks all bucket names in a supplied file. Does not download files; use gsutil for that.
bucket squatting
An attacker may register a bucket whose name uses an organization's name (or a similar name) as part of a phishing attack or other social engineering engagement, or may reuse the name of a deleted bucket that existing references still point to.
netcat
A computer networking utility for reading from and writing to network connections using TCP or UDP.
client mode
Starts a connection to a listening node's IP address and port.
listening mode
Waits for incoming connections on a specific port.
Domain Password Audit Tool (DPAT)
An analysis tool to characterize password selection in your Windows domain. Not a password cracker; it analyzes the cracked data stored in the POT file from John the Ripper or Hashcat to identify systemic problems in how users select their passwords.
LANMAN Hash
- The user’s password is restricted to a maximum of fourteen characters.
- The user’s password is converted to uppercase.
- The user’s password is encoded in the System OEM code page.
- This password is NULL-padded to 14 bytes.
- The “fixed-length” password is split into two 7-byte halves.
- These values are used to create two DES keys, one from each 7-byte half.
- Each of the two keys is used to DES-encrypt the constant ASCII string "KGS!@#$%", resulting in two 8-byte ciphertext values.
- These two ciphertext values are concatenated to form a 16-byte value, which is the LM hash.
- No salt.
NT Hash
- The ASCII password is converted to Unicode (if necessary).
- The Unicode password is hashed using the MD4 function to create a 16-byte hash, which is then stored in the SAM.
- Case sensitivity is preserved.
- Used if the password is greater than 14 characters.
- No salt.
Salt
Adds entropy (randomness, i.e. unpredictability) to the password before hashing. Makes password cracking much more difficult.
Rainbow Tables
Pre-calculate hashes and store them in tables for direct comparison. Each password generates a unique hash value. For any given set of passwords (from a wordlist, or an exhaustive list of possible combinations for a given character set and length) the attacker generates and stores the hashes so that they can be looked up later. Much harder to use when a password salt is included.
ntdsutil
Built-in Windows tool used for gathering domain hashes. Designed to manage Active Directory data. Also requires gathering the SYSTEM registry hive data. Backs the data up to a new folder.
secretsdump.py
Tool used after the NTDS.dit and SYSTEM registry hive data have been downloaded: an attacker needs to decrypt the NTDS.dit data (using the registry hive keys) and extract the password hashes.
Meterpreter
Attack payload that provides an interactive shell from which an attacker can explore the target machine and execute code. Deployed using in-memory DLL injection. As a result, it resides entirely in memory and writes nothing to disk.
Mimikatz
Tool used to recover password hashes from Windows 10.
- Retrieve the contents of the HKLM\sam and HKLM\system registry hives
- Make the hives available to the tool
Am All Day Baffled By Difficult Choices For Encrypted Data
Recognize empty LANMAN and NT hashes as an indicator of disabled accounts, or of possible tool failure.
Single Crack Mode
Creates its password guesses by starting with the GECOS field information. It then applies various hybrid alterations of those fields to create its guesses.
Wordlist Mode
Relies on a dictionary as the source of guesses. It then applies hybrid techniques to alter the dictionary terms and uses them as guesses.
Incremental mode
Tries all possible character combinations to determine the password in a brute-force attack. This mode could theoretically run virtually forever, as exhausting the available permutations can take many years.
External Mode
John doesn't formulate its own guesses but instead relies on a separate program to provide them. This feature gives John an added degree of modularity: if you can write a program that creates better password guesses than John, you can integrate it with John.
John the Ripper
- Password cracking tool
- Supports (and auto-detects) many password hash formats
- Many more hash formats supported with the jumbo patch (Windows)
- Cracked passwords are stored in the pot file
- Exfiltrate copies of the /etc/passwd and /etc/shadow files from a target system, then merge them into a single file using the combine command
Hashcat
- Takes advantage of GPUs for password cracking; it will take the hash and attempt to crack it across thousands of GPU cores at the same time
- Extensive password hash support
- Supports brute-force, hybrid and wordlist attacks; also supports a wide variety of tuning via a robust rules file
combinator
Uses two wordlist files. Each word in the first wordlist file is prepended to every word in the second wordlist file (or you can use the same file twice). This is useful for recovering passwords where users combine two words.
Straight
Uses a simple wordlist attack. Each word in the file is used as a potential password.
Brute Force/Mask Attack
Performs a brute-force password guessing attack using a pattern that you specify. The syntax for this attack can be complex, but it is a powerful attack technique capable of recovering even very complex passwords.
Hybrid Wordlist + Mask
Combines features of the straight and mask attacks, appending the specified mask value to each word in the wordlist file.
Hybrid Mask + Wordlist
Combines features of the straight and mask attacks. The mask is prepended to each word in the wordlist file.
Pluggable Authentication Modules
Can link UNIX and Linux login to various authentication systems. Can enforce password complexity.
Named Pipes
Used to provide communication between processes on the same computer or between processes on different computers across a network.
Hashdump
Tool used to obtain Windows local password hashes. Used via a Meterpreter shell: migrate to the lsass process, then run hashdump.
$1, $2, $5, $6 (No $)
MD5, Blowfish, SHA-256, SHA-512, DES (respectively: $1 = MD5, $2 = Blowfish, $5 = SHA-256, $6 = SHA-512, no $ = DES)
PBKDF2
Password-Based Key Derivation Function 2: a password hashing function recommended by NIST. Uses multiple hashing rounds.
Bcrypt
Hashing function that uses multiple hashing rounds and requires significant memory. The password value cannot contain null bytes and has a maximum length of 72 characters.
basic blob finder
Tool to identify and scan Azure blobs. Identifies publicly accessible blob containers and enumerates their files.