504.3 Flashcards
(38 cards)
Password Spraying
Attackers choose a small number of potential passwords to try. They then spray these potential password guesses across a large number of account names and machines, hoping that one works.
THC Hydra
Online password guessing tool. Target a single username and password, list of usernames, or a list of passwords and usernames. Supports many different protocols: SSH, RDP, SMTP, SMB, VNC and more.
Credential Stuffing
An adversary will collect username and password lists from popular website breaches, merging them into a single file or other searchable index. Then, when the adversary has a target organization in their sights, they search the breached username and password list for their target organization, identifying valid usernames and passwords that worked for the breached site, and reuse that username and password against the target.
Password Guessing
Identify a valid user ID > Create a list of possible passwords > Try each password > If the system lets you in, success > If not, try the next one
Bucket Finder
Requires a wordlist; for each word it checks whether a bucket with that name exists in Amazon S3. For every bucket it finds, it then checks whether the bucket is public, private, or a redirect.
gcpbucketbrute
Identifies and enumerates permissions on Google Cloud Storage buckets. Uses a permutation wordlist to create common variations on a single bucket name, or searches all bucket names in a supplied file. Does not download files; use gsutil for that.
bucket squatting
An attacker may register a bucket whose name uses an organization's name (or a similar name) as part of a phishing attack or other social engineering engagement, or may reuse a bucket name where prior references still exist that point to a deleted bucket.
netcat
A computer networking utility for reading from and writing to network connections using TCP or UDP.
client mode
Starts a connection to a listening node's IP and port.
listening mode
Waits for connections on a specific port.
Domain Password Audit Tool (DPAT)
An analysis tool to characterize password selection in your Windows domain. Not a password cracker; it analyzes the cracked data stored in the POT file from John the Ripper and Hashcat to identify systemic problems in how users select their passwords.
LANMAN Hash
- The user’s password is restricted to a maximum of fourteen characters.
- The user’s password is converted to uppercase.
- The user’s password is encoded in the System OEM code page.
- This password is NULL-padded to 14 bytes.
- The “fixed-length” password is split into two 7-byte halves.
- These values are used to create two DES keys, one from each 7-byte half.
- Each of the two keys is used to DES-encrypt the constant ASCII string “KGS!@#$%”, resulting in two 8-byte ciphertext values.
- These two ciphertext values are concatenated to form a 16-byte value, which is the LM hash.
- No salt
NT Hash
- The ASCII password is converted to Unicode (if necessary).
- The Unicode password is hashed using the MD4 function to create a 16-byte hash, which is then stored in the SAM.
- Case sensitivity is preserved.
- Used if the password is greater than 14 characters.
- No salt.
Salt
Adds entropy (randomness, or unpredictability) to the password before hashing. Makes password cracking much more difficult.
Rainbow Tables
Pre-calculate hashes and store them in tables for direct comparison. Each password generates a unique hash value. For any given set of passwords (from a wordlist, or an exhaustive list of possible characters for a given character set and length), the attacker generates and stores the hashes so they can be looked up again later. Harder to use when a password salt is included.
ntdsutil
Built-in Windows tool used for gathering domain hashes. Designed to manage Active Directory data. Also requires gathering the SYSTEM registry hive data. Backs the data up to a new folder.
secretsdump.py
Tool used after obtaining the NTDS.dit and SYSTEM registry hive data: an attacker needs to decrypt the NTDS.dit data (using the keys from the registry hive) and extract the password hashes.
Meterpreter
Attack payload that provides an interactive shell from which an attacker can explore the target machine and execute code. Deployed using in-memory DLL injection. As a result, it resides entirely in memory and writes nothing to disk.
Mimikatz
Tool used to recover password hashes from Windows 10.
- Retrieve the contents of the HKLM\sam and HKLM\system registry hives.
- Make the hives available to the tool.
Am All Day Baffled By Difficult Choices For Encrypted Data
Recognize empty LANMAN and NT hashes as an indicator of disabled accounts, or of possible tool failure.
Single Crack Mode
Creates its password guesses by starting with the GECOS field information. It then applies various hybrid alterations of those fields to create its guesses.
Wordlist Mode
Relies on a dictionary as the source of guesses. It then applies hybrid techniques to alter the dictionary terms and use them as guesses.
Incremental mode
Tries all possible character combinations to determine the password in a brute-force attack. This mode could theoretically run virtually forever, as exhausting the available permutations can take many years.
External Mode
John doesn’t formulate its own guesses but instead relies on a separate program to provide them. This feature gives John an added degree of modularity: if you can write a program that creates password guesses better than John does, you can integrate it with John.