- [Instructor] Now, let's explore some of the tools for credential-based attacks. One of the most popular tools out there for cracking passwords offline is called John the Ripper. It's a very, very popular tool, and in many cases, actually, people just refer to it as John. It actually uses search patterns, as well as password files, or wordlists, to crack passwords. It actually supports different cracking modes, and understands many different ciphertext formats, including different variants of encryption and hashing algorithms. You can download John the Ripper from the link that I'm actually showing on the screen, openwall.com/john. Now, let's take a look at an example of using John the Ripper using a hash file that you already obtained from a compromised system.
So, let's suppose you already got a foothold on a system, you compromised a system, you have a shell, and now you were able to obtain a hash file from that system. Then, in this case, we're actually using John the Ripper to crack that password using a wordlist, so using a series of words in a specific list that can contain even legitimate passwords. Nowadays, there are many wordlists out there that contain passwords that have been exposed because of many different breaches out there. Now, cracking passwords can take anywhere between a couple of minutes, a couple of seconds, a couple of days, a couple of weeks, months, or years even, depending on your computing power, depending on the efficacy of your wordlist, and also whether you're using GPUs or you're just using your CPU, and so on. In many cases, in real pen testing activities, you have a separate system, a dedicated system, to perform password cracking. You're probably not gonna be doing this on your laptop unless it's actually something extremely simple to actually crack, but in many cases, of course, you'd have dedicated systems.
It also depends on the salt mechanism that the system actually uses to encrypt or hash the password. So, in this case, actually, we know, since we are doing a quick demo here, we had a hash file that was actually cracked within a couple of seconds. Now, another tool that is very, very popular is called Hashcat. And it's somewhat similar to John the Ripper; it actually has a lot of different options, and also can be used in systems that are dedicated with different GPUs. oclHashcat is the equivalent of Hashcat to run in those systems. Now, let's cover a concept that has been used by many attackers for many years called rainbow tables. And basically, attackers often use rainbow tables to accelerate password cracking. It is possible to use a rainbow table to derive a password by actually looking at the hash value. And basically, what a rainbow table is, it's a precomputed table for reversing cryptographic hash functions. Now, the tool RainbowCrack, or rcrack, can actually be used to automate the cracking of passwords using rainbow tables.
C-E-W-L, or "cool," that's how you actually pronounce it, is a great tool that can be used to create wordlists. You can use CeWL to crawl websites and retrieve words. For example, I can actually just point it to any website, like the hackit.org, or theartofhacking.org, and actually obtain a lot of different lists, and save those lists to a specific file.