Password Attack

  • 2,665 views
Uploaded on

in this presentation we have discussed about different methodology in password cracking. Password bruteforce, social engineering attack , phishing attack, windows login cracking, web login cracking, …

in this presentation we have discussed about different methodology in password cracking. Password bruteforce, social engineering attack , phishing attack, windows login cracking, web login cracking, application password cracking, Gmail password and facebook password extracting

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads

Views

Total Views
2,665
On Slideshare
0
From Embeds
0
Number of Embeds
8

Actions

Shares
Downloads
0
Comments
0
Likes
3

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide
  • Using Fake pages or application

Transcript

  • 1. Hackaway Hacking Methodology: Password Attacks EC-Council, Malaysia Instructor : Sina Manavi 15th May 2014 http://eccouncilacademy.org/home/hackaway- hacking-methodology/
  • 2. About Me My name is Sina Manavi , Master of Computer Security and Digital Forensics Contact : Manavi.Sina@Gmail.com Homepage: sinamanavi.wordpress.com
  • 3. Agenda  Password Security  Demo: Windows Password Reset  Demo: Google Dork  Demo: Password disclosure!  Demo: Gmail Password Extraction (Forensics Method)  Secure Password  Password Cracking Concept  Coffee time   Demo: Facebook Phishing Attack  Introducing Password Cracking Tools  Demo: Zip/Rar password File Cracking  Demo: Windows Login Password Hacking
  • 4. Type of Password Attacks  Dictionary Attack  Brute Force Attack  Rainbow table attack  Phishing  Social Engineering  Malware  Offline cracking  Guess
  • 5. Password Security  Don’t use your old passwords  Don’t use working or private email for every website registration such as games, news,….etc.
  • 6. Google Dork
  • 7. Demo: Windows Password Reset
  • 8. Gmail and Facebook Password Extraction (Dumping Physical Memory)  Dumpit (free Windows tool)  Or if you use win8, you can do dump specific process in task manager  Strings and Grep  Hex Editor
  • 9. Secure Password  Comprises: [a-zA-z, 0-9, symbols , space]  No short length / birthday / phone number / real name , company name  Don’t use complete words or Shakespeare quotes  ◦ Example: ◦ Hello123: Weak ◦ @(H311l0)@: Strong Easy to remember, hard to guess
  • 10. Demo Router password cracking
  • 11. Password Cracking Concept  Password Cracking is illegal purpose to gain unauthorized access  To retrieve password for authorize access purpose ( misplacing, missing) due to various reason. ( e.g. what was my password??)
  • 12. Password Cracking Types Brute Force, Dictionary Attack, Rainbow Table
  • 13. Password Cracking Types:(Guessing Technique) I have tried many friends house and even some companies that , their password was remained as default, admin, admin .
  • 14. Demo Facebook Phishing Attack
  • 15. Password Cracking Types: (Phishing)
  • 16. Password Cracking Types:(Social Engineering)  sometimes very lazy genius non-IT Geeks can guess or find out your password
  • 17. Application Password Cracking: (Malware)
  • 18. Demo: Application Password Cracking
  • 19. Lets work as software cracker or Reverse Engineer  Open the myprogram.exe file with your Hex Editor  Try to find the password inside of
  • 20. Password Cracking Types:(Offline Cracking)  We have enough time to break the password  Usually take place for big data  very strong and complicated password  After attack  Forensics investigation
  • 21. Password Cracking Tools  Brutus ◦ Remote online cracking tool, Windows base, free, supports:(HTTP, POP3, FTP, SMB, ...etc), resume/pause option .no recent update but still on top ranking.  RainbowCrack ◦ Hash cracker tool, windows/linux based, faster than traditional brute force attack, compare both plain text and hash pairs. Commercial and free version  Wfuzz ◦ Web application brute forcing (GET and POST), checking (SQL, XSS, LDAP,etc) injection  Cain and Able *** ◦ Few features of password cracking ability: Syskey Decoder,VNC Password decoder , MS SQl MYSQL and Oracle password extractor Based64, Credential Manager Password Decoder, Dialup Password Decoder,PWL Cached Password Decoder, Rainbowcrack-online client, Hash Calculator,  John the Ripper ◦ Offline mode, Unix/linux based, auto hash password type detector, powerful, contain several built-in password cracker  THC Hydra ◦ Dictionary attack tool for many databases, over 30 protocols (e.g. FTP.HTTP,HTPPS,...etc)  Medusa  AirCrack-NG ◦ WEP and WPA-PSK keys cracking, faster than other WEP cracker tools  OphCrack  L0phtCrack
  • 22. Demo 1- Cracking Zip Files 2- Cracking Rar Files
  • 23. Cracking Zip password Protected File Requirement:  Medusa/Hydra free open source tool (can be find on your Backtrack or Kali)  Having Password-list and Username- list for brute forcing  A Zip password protected File  And poor file owner 
  • 24. Password hardening
  • 25. Password Hardening  Techniques or technologies which put attacker, cracker or any other malicious user in difficulties  Brings password policy  Increase the level of web,network , application and physical access of to the company or organization.  Using biometric technologies such as fingerprint, Eye Detection, RFID Tag Cards….etc
  • 26. Password Hardening  All the Security solution just make it more difficult. Harder but possible
  • 27. Windows Login Cracking Requirement:  Medusa/Hydra free open source tool (can be find on your Backtrack or Kali)  nmap  Having Password-list and Username- list for bruteforcing  Target windows
  • 28. Password Cracking Depends on  Attacker's strengths  Attacker's computing resources  Attacker's knowledge  Attacker's mode of access [physical or online]  Strength of the passwords  How often you change your passwords?  How close are the old and new passwords?  How long is your password?  Have you used every possible combination: alphabets, numbers and special characters?  How common are your letters, words, numbers or combination?  Have you used strings followed by numbers or vice versa, instead of mixing them randomly?
  • 29. Demo: Web Site Login Cracking
  • 30. Any Question?  Manavi.sina@gmail.com  @sinamanavi  LinkedIn: Sina Manavi  Check my homepage for latest presentations/ tutorial