Post on 04-Apr-2020


Summoning the Password Cracking Beast

Password 123456

Bob Cordisco, Systems Engineer, Netwrix

Brian Johnson, Security Enthusiast / Podcaster, 7 Minute Security

Housekeeping

• All attendees are on mute

• Ask your questions!

• Questions will be answered during the session or at the Q&A at the end

• You will receive a copy of the slides and the webinar recording in the follow-up email

• Duration: up to 60 minutes

We hope you enjoy!

Type your question here and click “Send”

Agenda

• Introduction

• Build an awesome cloud-based password-cracking rig

• Download millions of known “pwned” passwords

• Dump and crack user accounts from Active Directory

• Make sure your password policy is strong enough to resist password cracking

Who’s this guy?

Security engineer for 7 Minute Security

Podcaster

Not famous

Tiny movie star

Build the password-cracking beast

Deploy the VM

Test the SSH connection

Protect the SSH connection

Change the host name

Change the paperspace password

Install essential software

Install NVIDIA drivers

Check out our sweet benchmarks!

Gather wordlists

Grab a bunch of wordlists for cracking

Grab a bunch of wordlists for cracking (singing “We will, we will, rock you!”)

Optimise the password lists!

Tweak the Hatecrack config

Adjust the config files

Crack our first hash!

Our first crack job!

Dump and crack AD user hashes!

Import test users into Active Directory

Create AD backup (with hashes!)

Upload hashes to the beast

It’s cracking time!

Conclusion

• Password cracking is (relatively) cheap and (relatively) easy!

  o Create a cracking VM in Paperspace

  o Download a ton of wordlists

  o Optimise them with Hatecrack

  o Dump hashes out of Active Directory

  o It’s cracking time!
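The same list of known “pwned” passwords that feeds the cracking rig is just as useful on the defending side: screen a proposed password against it before it is accepted, so nothing that already sits in a cracker’s wordlist ever lands in Active Directory. The following Python is an added example, not code from the webinar, from 7 Minute Security or from Netwrix. It assumes the list is in the Have I Been Pwned download format (one line per entry: upper-case SHA-1 hex, a colon, a breach count); the two-line list, its counts and the candidate passwords are constructed for the demo, and the range_bucket helper only emulates the k-anonymity “range” lookup locally against that list.

```python
import hashlib
import re

# Constructed sample in the HIBP download format (SHA-1 hex, colon, breach count).
# The hashes are the real SHA-1 digests of "123456" and "password"; the counts are
# made-up placeholders, not HIBP's figures. A real download runs to hundreds of MB.
SAMPLE_PWNED_LIST = """\
7C4A8D09CA3762AF61E59520943DC26494F8941B:23597311
5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
"""

_LINE = re.compile(r"^([0-9A-F]{40}):(\d+)$")


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password, the key the HIBP list is indexed by."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def load_pwned_list(text: str) -> dict[str, int]:
    """Parse HIBP-format lines into {sha1_hex: count}; malformed lines are skipped."""
    table: dict[str, int] = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            table[m.group(1)] = int(m.group(2))
    return table


def range_bucket(pwned: dict[str, int], prefix: str) -> dict[str, int]:
    """Emulate the k-anonymity 'range' query: given the first 5 hex characters of a
    hash, return every suffix (the remaining 35 characters) sharing that prefix.
    A client built this way only ever reveals the prefix, never the full hash."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    prefix = prefix.upper()
    return {h[5:]: n for h, n in pwned.items() if h.startswith(prefix)}


def check_password(password: str, pwned: dict[str, int]) -> dict:
    """Look a password up the way a k-anonymity client would and report the result."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    bucket = range_bucket(pwned, prefix)
    return {"prefix_sent": prefix, "pwned": suffix in bucket, "seen": bucket.get(suffix, 0)}


def screen_password(password: str, pwned: dict[str, int], min_length: int = 8) -> list[str]:
    """Combine the breach check with the 8-character minimum from the policy slides."""
    findings = []
    if len(password) < min_length:
        findings.append(f"shorter than the {min_length}-character minimum")
    result = check_password(password, pwned)
    if result["pwned"]:
        findings.append(f"appears in the breached-password list ({result['seen']} times)")
    return findings


if __name__ == "__main__":
    table = load_pwned_list(SAMPLE_PWNED_LIST)
    # Constructed candidates: two straight from the list, one that is not in it.
    for candidate in ("123456", "password", "Tr0ub4dor&3 is not in the list"):
        print(f"{candidate!r}: {screen_password(candidate, table) or ['OK']}")
```

Swapping load_pwned_list for a reader over the real download (or range_bucket for an HTTPS call to the range endpoint) turns this into a pre-commit check for new passwords; the rest of the logic stays the same.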

Netwrix Auditor

Know Your Data. Protect What Matters.

Email: Bob.Cordisco@netwrix.com

Bob Cordisco, Pre-Sales Engineer

About Netwrix Corporation

Year of foundation: 2006

Headquarters location: Irvine, California

Global user base: over 300,000

Recognition:

7 years among the fastest growing software companies in the US

More than 140 industry awards

Make sure your password policy is strong enough to resist password cracking

Minimum Password Length policy

This policy determines the minimum number of characters needed to create a password. You would generally want to set the Minimum Password Length to at least 8 characters, since longer passwords are harder to crack.

Passwords Must Meet Complexity Requirements policy

By enabling this policy, you go beyond the basic password and account policies and ensure that every password meets the complexity requirements, not only the length minimum.

Store Password Using Reversible Encryption for All Users policy

This policy should only be enabled on a per-user basis, and then only to meet that user’s actual needs. The only time you would want to enable this setting is when your company uses an application that needs to read a password from the password database, which is normally encrypted.

Enforce Password History policy

This policy determines how many previous passwords are remembered so that they cannot be reused. It discourages users from reusing a previous password and thus prevents them from alternating between several familiar passwords.

Maximum Password Age policy

This policy determines how long users can keep a password before they are required to change it, forcing regular password changes.

Minimum Password Age policy

This policy determines how long users must keep a password before they can change it. It prevents a user from dodging the password history check by setting a new password and then immediately changing it back to the old one.
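The six settings above can be checked mechanically rather than eyeballed in the Group Policy editor. The following Python is an added example, not Netwrix’s or the presenters’ code; it assumes the domain’s values have already been exported into a plain dictionary (for instance by reading them off the output of Get-ADDefaultDomainPasswordPolicy), and the dictionary keys, the 8-character threshold and the two sample policies are this example’s own constructions. It also encodes the interplay the slides describe: password history is only effective when a minimum age stops users cycling straight back to an old password.

```python
from dataclasses import dataclass

# Keys are this example's own names for the six settings discussed above. Ages are
# in days; 0 encodes "never expires" / "no minimum age", as this example defines it.
WEAK_POLICY = {          # constructed sample of a poorly configured domain
    "min_password_length": 6,
    "complexity_enabled": False,
    "reversible_encryption_enabled": True,
    "password_history_count": 0,
    "max_password_age_days": 0,
    "min_password_age_days": 0,
}

HARDENED_POLICY = {      # constructed sample that meets the recommendations above
    "min_password_length": 12,
    "complexity_enabled": True,
    "reversible_encryption_enabled": False,
    "password_history_count": 24,
    "max_password_age_days": 90,
    "min_password_age_days": 1,
}


@dataclass(frozen=True)
class Finding:
    setting: str
    severity: str      # "high" or "medium"
    message: str


def audit_password_policy(policy: dict, min_length: int = 8) -> list[Finding]:
    """Compare one exported policy against the recommendations and return findings."""
    findings: list[Finding] = []

    length = policy.get("min_password_length", 0)
    if length < min_length:
        findings.append(Finding("min_password_length", "high",
            f"minimum length is {length}; at least {min_length} is recommended"))

    if not policy.get("complexity_enabled", False):
        findings.append(Finding("complexity_enabled", "high",
            "complexity requirements are disabled; every password should have to meet them"))

    if policy.get("reversible_encryption_enabled", False):
        findings.append(Finding("reversible_encryption_enabled", "high",
            "reversible encryption is on domain-wide; enable it only per user where an "
            "application must read the password"))

    history = policy.get("password_history_count", 0)
    if history < 1:
        findings.append(Finding("password_history_count", "medium",
            "no password history is kept, so users can alternate between a few familiar passwords"))

    max_age = policy.get("max_password_age_days", 0)
    if max_age == 0:
        findings.append(Finding("max_password_age_days", "medium",
            "passwords never expire; set a maximum age so they are changed regularly"))

    min_age = policy.get("min_password_age_days", 0)
    if history >= 1 and min_age == 0:
        findings.append(Finding("min_password_age_days", "high",
            "minimum age is 0, so a user can cycle through the history and return to "
            "the old password immediately"))
    if max_age and min_age >= max_age:
        findings.append(Finding("min_password_age_days", "medium",
            "minimum age is not below maximum age; users cannot change a password "
            "before it expires"))

    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, e.g. for a dashboard or a pass/fail gate."""
    counts = {"high": 0, "medium": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        result = audit_password_policy(pol)
        print(f"{name}: {summarize(result)}")
        for f in result:
            print(f"  [{f.severity}] {f.setting}: {f.message}")
```

Run against an export of the real domain policy, any "high" finding is a setting the cracking demo earlier in the deck will exploit first; fine-grained password policies applied to specific groups would need the same check per policy object.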

Useful links

Join our next session

Password123456: Protecting Your Active Directory Castle on February 20 @ 1 pm AEDT / 10 am GMT+8

Read our Password Policy Best Practices Guide https://www.netwrix.com/password_best_practice.html

Check out Netwrix Auditor for Active Directory https://www.netwrix.com/active_directory_auditing.html

and its password expiration notification tool https://www.netwrix.com/password_change_reminder.html

If you want to learn more about Netwrix Auditor, register now for the upcoming Product Demo!

Questions?

Thank you!

Bob Cordisco, Systems Engineer, Netwrix

Brian Johnson, Security Enthusiast / Podcaster, 7 Minute Security
