[00:00:06] So, let's start out by covering the easy way to hack passwords. Honestly, sometimes it feels like cheating, but hey, we're hackers, so it doesn't count. We all know the vendors of software and hardware many times use default passwords. And we also know that users of that software and hardware don't always change their passwords like they should. As an attacker, we can use that against them. There are a number of websites out there, for instance, where you can simply search for default passwords based on what you're trying to attack. So, if you're looking for a specific type of router, you can search for that specific type of router in that list.

[00:00:47] We live in a world where we have to remember a lot of different passwords. In fact, if you have a lab environment, you probably have a ton of devices, and they all require passwords. So, one approach is, one password to rule them all, right? Well, that's not really the best way to do things. The truth is, though, most people do use the same password for websites and devices and computers. If we can find one password, we can likely use that on other accounts that they use.
[00:01:22] Of course, last but not least, the Administrator account. If we can find the Administrator account for a domain, we can likely compromise the rest of the computers on the network.

[00:01:34] One of the easiest ways to capture credentials is actually just sniffing them right out of thin air. A perfect example of this is using a hotspot at a hotel or Starbucks, something like that. Most of those connections actually don't have the security mechanisms built into them, or enabled, to encrypt the traffic between network nodes. So, what that means is that once you're connected to that network, someone can sniff the traffic of any user that's connected. So, the next time you're at a public hotspot or hotel, make sure you're using a VPN.

[00:02:15] This is also possible, of course, with physical connections to the network. Of course, depending on the switch configuration, it may be a little bit more difficult, but there are tools that we can use to get around that. There are also ways to capture credentials other than sniffing traffic.
[00:02:33] With the man-in-the-middle attack, you essentially own the traffic that's passing through you, so you can capture it and pull out the credentials from that traffic. There are ways that you can attack encryption to steal passwords as well. Obviously, these are more complex types of attacks. Some of 'em include SSL certificate spoofing, or SSH downgrade and key spoofing. The last thing I'll mention is stealing credentials directly from a network device. If you're able to compromise a router or a switch, or a wireless access point, you essentially own that traffic and can harvest credentials directly off of that device.

[00:03:16] But, if all else fails, you can always brute-force your way in. For this we'd need some tools, of course; there are many tools that can be used for this type of purpose. Most of them work by loading in some kind of dictionary or table of credentials or hashes. They would then use these credentials that are loaded in, in an automated way, to basically test the credentials against whatever your target is. So, it would iterate through that list of credentials that it has until it finds one that works.
[00:03:50] A few that we mentioned here that I would recommend are Medusa, THC Hydra, and Brutus, and of course Metasploit has some great auxiliary modules that you can use as well. You can use brute-forcing for purposes other than credentials as well. For instance, there's a tool called DirBuster; it's built into Kali Linux and that's used for discovering directories and files on web servers. It actually uses a dictionary of well-known website files and directories, and again, it iterates through that list until it finds the ones that actually respond. Wfuzz is also a great web application tool.

[00:04:35] The first goal of credential attacks is to actually identify the valid users, and then we can attack the passwords. There are some methods that we can use to enumerate users over the network. Some of them simply require you to send a request to the service asking for names; others require more complex methods. For instance, for SMB/NetBIOS/Samba, as it's known, you can enumerate users in a Windows share using the Security Accounts Manager by brute-forcing the RPC interface.
[00:05:13] Metasploit also includes some tools for this. One of them is in the auxiliary/scanner/smb module; the specific module is called smb_enumusers. And then last but not least, Nmap. Nmap has tons of scripts, as we've said before, and one of them that you can use for this type of attack is the snmp_enumusers script.