[00:00:06] [Instructor] There are several password attacks out there, and here are a few examples of the most common ones. The first one is password guessing, and password guessing is actually one of the most common types of password attacks. But some of these techniques may be very inefficient. Threat actors can guess passwords locally or remotely, using either a manual or an automated approach.

[00:00:31] Now, there are several tools that can automate the process of password guessing, and here I'm actually showing a few examples. The first one is Hydra, a tool that can be downloaded from THC.org. The second one is called TSGrinder, and the third one is called SQLRecon. And again, there are many other automated password attack tools out there. Some of them actually use a method called the brute force attack. Basically, a brute force is when the attacker tries every possible combination of characters for a specific password. Another technique that they use is a password guessing attack called a dictionary attack.

[00:01:10] Since most passwords consist of whole words, dates, or numbers, this tool uses a dictionary of words or even phrases, and even the most commonly used passwords like qwerty or password1 or cisco123, et cetera. As a matter of fact, there have been recent studies by security companies, and what they actually found is that the password password1 is one of the most commonly used passwords out there, and especially even by administrators, which is kind of scary.

[00:01:46] Now, there are other tools like John the Ripper and Cain and Abel that can take a hybrid approach between brute force attacks and a dictionary attack.

[00:01:58] Another password attack is password resetting attacks. In many cases it's actually easier to reset passwords than to use tools to guess them. There are several cracking tools out there that just attempt to reset passwords instead of actually stealing them. Now, most password resetters contain a bootable version of Linux that can mount NTFS volumes or any other type of volume that can help you locate and reset the administrator's password.

[00:02:32] Another technique is password cracking. These attacks work by taking a password hash and then converting it to the original plain text. In this case the attacker actually needs tools such as extractors for hash guessing, rainbow tables for looking up plain text passwords, and password sniffers to actually extract authentication information.

[00:02:55] Now, the concept of a rainbow table is where the attacker actually computes all possible passwords and their hashes in a given system, and then puts the results in a lookup table called, like I mentioned before, a rainbow table. This allows an attacker to just get a hash from the victim and then search for that hash in the rainbow table to get the plain text password. Now, to mitigate a rainbow table attack, you can disable LM hashes and use long and complex passwords, right? So the longer and the more complex the password is, the harder it actually is to enumerate passwords in a rainbow table and use a rainbow table attack.

[00:03:44] Now, another technique is password sniffing, where the threat actor just sniffs authentication packets between a client and a server and extracts the password hashes or enough authentication information to begin the cracking process.

[00:04:01] Now, the last one is password capturing, and this is typically done using keyloggers, whether physical or software keyloggers, or Trojan horses as well.
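To make the rainbow-table explanation and its two stated mitigations (disable LM hashes, use long and complex passwords) concrete, here is an added Python example; it is not code from the course or the instructor. It reduces the rainbow table to its simplest form, a flat hash-to-plaintext dictionary (real rainbow tables store hash/reduction chains so that much larger keyspaces fit on disk, but the lookup step is the same), and then shows why a per-user salt and a larger keyspace defeat precomputation. The wordlist, the unsalted SHA-1 store, and the 69-character LM alphabet estimate are constructed assumptions for illustration.

```python
import hashlib
import os

# Constructed sample wordlist: the weak passwords named in the lecture plus two
# more of the same kind. A real dictionary would be orders of magnitude larger.
COMMON_PASSWORDS = ["qwerty", "password1", "cisco123", "letmein", "123456"]


def unsalted_hash(password: str, algorithm: str = "sha1") -> str:
    """Hash a password with no salt, as a legacy credential store does.
    Every account with the same password ends up with the same hash."""
    return hashlib.new(algorithm, password.encode()).hexdigest()


def build_lookup_table(candidates, algorithm: str = "sha1") -> dict:
    """Precompute hash -> plaintext for every candidate password (assumed
    unsalted). This is the rainbow-table idea in its flattest form: all of the
    hashing work is done once, ahead of time, and reused against any victim."""
    return {unsalted_hash(p, algorithm): p for p in candidates}


def recover(table: dict, stored_hash: str):
    """Attack-time cost is a single dictionary lookup, no hashing at all."""
    return table.get(stored_hash)


def salted_hash(password: str, salt: bytes, algorithm: str = "sha1") -> str:
    """Hash with a random per-user salt. The same password now yields a
    different hash for every user, so a table built in advance cannot be
    reused; the attacker must redo the work per salt."""
    return hashlib.new(algorithm, salt + password.encode()).hexdigest()


def keyspace_size(alphabet_size: int, length: int) -> int:
    """How many candidates a complete table must cover for passwords of
    exactly this length over this alphabet. Tables grow with this number,
    which is why length and character variety are the stated mitigation."""
    return alphabet_size ** length


def lm_effective_keyspace() -> int:
    """LM hashes upper-case the password and hash two 7-character halves
    independently, so an attacker only needs a table for 7-character,
    case-insensitive halves. 69 = 26 letters + 10 digits + 33 printable
    symbols (assumed printable-ASCII count; the exact OEM set varies)."""
    return keyspace_size(69, 7)


def demo() -> dict:
    """Run the whole comparison and return the results for inspection."""
    table = build_lookup_table(COMMON_PASSWORDS)

    # Constructed victim hash pulled from an unsalted store: instant recovery.
    victim_hash = unsalted_hash("password1")
    hit = recover(table, victim_hash)            # "password1"

    # Same password in a salted store: the precomputed table is useless.
    salt = os.urandom(16)
    miss = recover(table, salted_hash("password1", salt))   # None

    return {
        "unsalted_lookup": hit,
        "salted_lookup": miss,
        # Table an LM-hash attacker needs vs. a 14-character mixed-case,
        # full printable-ASCII password hashed as one unit.
        "lm_half_keyspace": lm_effective_keyspace(),
        "full_14char_keyspace": keyspace_size(95, 14),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two keyspace figures are the point of the instructor's advice: LM storage lets an attacker precompute 69^7 halves once and reuse them forever, while a salted store forces the work to be repeated for every user, and a longer password over a larger alphabet makes even a single complete table infeasible.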