Exploiting passwords for fun and profit with Metasploit

David Maloney a.k.a. theLightCosine
• Core Developer for Metasploit Commercial Editions
  • Metasploit Pro
  • Metasploit Express
• Before That:
  • Community Contributor to the Metasploit Framework
  • Penetration Tester for Time Warner Cable
• Contact Me
  • Twitter: @thelightcosine
  • Email: thelightcosine@metasploit.com
Clients
• Convenience
  • Keeps users from having to remember them
  • Manages credentials for numerous systems in one place
• Totally Avoidable
• Usually done poorly

Servers
• Authentication Purposes
  • Must store them to compare against provided creds
• Unavoidable
• Getting Better at doing this
• Who needs an exploit if we have the password?
• Looks like legitimate traffic/access
• Who audits successful logons?
• Shockingly easy to own all the things
• Case of the winscp.reg file
The Where

Registry
• Often Stored in one of two places
  • HKEY_LOCAL_MACHINE\SOFTWARE
    • Available to all users all the time
  • HKEY_USERS\<SID>\Software
    • Available only to that user and Admins on the system
• Usually client apps
• CoreFTP is one example
INI Files
• Old School way of storing data
• Still in use in some applications
• Mostly seems to be legacy support
• Usually client-side not servers
• WinSCP is an example
XML Files
• Soooo much better than INI Files </sarcasm>
• Still a flat file sitting on the file system
• Even easier to parse than INI files really
• Just grab your favorite XML parser
• Seen both on Clients and Servers
• FileZilla is an example of this
Custom Formats
• Usually some custom format
• Often Breaks down into common blocks with header groupings
• Headers usually tell
  • Type of data
  • Length of data
  • Name of field
  • Etc
• Can be a real pain to reverse engineer the format on these
Windows Credential Store
• Windows started providing a Credential Store for saving certain types of credentials
• Managed by the Operating System
• Restricted by user access controls
• Bypass these controls by calling the API functions as our victim user thanks to Railgun
• See Kx499’s enum_credstore Post module for specifics
Database
• Passwords stored in a backend database
• How most webapps work these days
• Usually server apps
How we keep you from just looking at the password…in theory
Plaintext
Pro:
• None
Con:
• Never ever store passwords in plaintext
• Password is wide open to the world
• This happens more than you’d think!
• Same for every user
XOR encoding
Pro:
• Not in plaintext
• Attacker has to figure out what the plaintext was XORed against
Con:
• Easily reversed
• Attacker finds the XOR value
• XOR cipher text against the same value to recover plaintext
• Same for every user
Custom ‘encryption’
Pro:
• May be more difficult for attacker to figure out
• More Complex than simple XOR encoding, usually
• Feel 1337 for writing your own ‘encryption’
Con:
• Unless you are a cryptographer, your algorithm sucks (sorry, it’s true)
• Not really encryption
• Easily defeated by reverse engineering
• Same for every user
Real encryption with a hardcoded static key
Pro:
• Real Encryption
• Proven Technology
• Not simple reversible procedure
Con:
• Hardcoded static key used
• Reverse Engineering can recover the key
• Still the same for every user
Real encryption with the key kept out of userland
Pro:
• Real Encryption
• Proven Technology
• Encryption Key is never given to userland
Con:
• We can call the same APIs as the user with Railgun
• Statically Coded Key material
• Same for every user
Real encryption with per-user entropy
Pro:
• Real Encryption
• Proven Technology
• Entropy added on user by user basis
• Different for every user!
Con:
• We can call the API as the user with Railgun
• Machine hands decrypted materials right over.
• In Soviet Russia….
Hashing
Pro:
• One Way Operation
• Not Reversible (in theory)
• Great for servers
Con:
• Not an option for clients
• Some hashing algorithms have weaknesses
• Still always rainbow tables and bruteforcing
Real encryption with a master password
Pro:
• Real Encryption
• Proven Technology
• No Static Keys!
• Different for every user
Con:
• Your users still have to remember 1 password
• Have to be careful about how master password is put into memory
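As an added illustration of the XOR-encoding and hashing slides above (example code written for this page, not from the deck or from Metasploit), the block below shows why "same for every user" is the fatal property: one account whose password the auditor legitimately knows gives back the shared XOR key and therefore every other entry, whereas a per-user salted PBKDF2 hash has no key to recover. All key and password values are constructed, and the key recovery assumes the known password is at least as long as the key.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not from the deck): one static XOR key shared by
# every user's stored password, as on the XOR-encoding Pro/Con slide.
STATIC_KEY = b"s3cr3t"
SAMPLE_PASSWORDS = {"alice": b"Winter2012!", "bob": b"hunter2", "carol": b"Winter2012!"}
ITERATIONS = 200_000  # PBKDF2 work factor for the hashing half

def xor_obfuscate(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call both 'encodes' and 'decodes'."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def build_xor_store(passwords: dict = SAMPLE_PASSWORDS) -> dict:
    """What an application using XOR 'protection' writes to disk."""
    return {user: xor_obfuscate(pw, STATIC_KEY) for user, pw in passwords.items()}

def shortest_period(buf: bytes) -> int:
    """Smallest n such that buf repeats every n bytes, i.e. the key length."""
    for n in range(1, len(buf) + 1):
        if all(buf[i] == buf[i % n] for i in range(len(buf))):
            return n
    return len(buf)

def recover_xor_key(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """The one entry whose plaintext you legitimately know (your own account)
    reveals the key stream; assumes that plaintext is at least as long as the
    key so its repetition period is visible."""
    stream = bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))
    return stream[: shortest_period(stream)]

def audit_xor_store(store: dict, own_user: str, own_password: bytes) -> dict:
    """'Same for every user': the key learned from one account opens all of them."""
    key = recover_xor_key(store[own_user], own_password)
    return {user: xor_obfuscate(blob, key) for user, blob in store.items()}

# The hashing slide's server-side alternative: one-way, salted per user, so
# equal passwords give different records and there is no key to recover.
def hash_password(password: bytes, salt: bytes = b"") -> tuple:
    """Returns (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)

def verify_password(password: bytes, salt: bytes, digest: bytes) -> bool:
    """Recompute and compare in constant time; nothing here can be 'decrypted'."""
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)
```

Note that alice and carol share a password: the XOR store leaks that equality directly (identical blobs), while the salted hashes do not.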
FileZilla FTP Client
• Saved Sites stored in XML File
• Passwords in Cleartext
• FileZilla offers ‘kiosk mode’ to prevent password storage
mRemote
• Saved Sites stored in XML File
• AES-128-CBC Encryption
• Weak static Encryption Key
• OpenSource means everyone can see the encryption key
WinSCP
• Saved Sessions stored either in the registry or an INI File
• Passwords stored with weak custom encoding routine
• OpenSource means everyone can see the routine for decryption
SmartFTP
• Saved Sites stored in XML File
• Encrypted with Microsoft CAPI
• Weak Static Encryption Key
• Called same CAPI Functions with Railgun
Where do we go next?
• Creds stored to database
• Known creds are prioritized in the Pro Bruteforcer
• Run Bruteforcer with all the stolen creds
• Give it a few hours….
Let’s see you exploit that many systems without setting off alarms

Don't Pick the lock
