
Summoning the Password Cracking Beast - Netwrix • Build an awesome cloud-based password-cracking rig

Post on 04-Apr-2020


  • Summoning the Password Cracking Beast

    Password 123456

    Bob Cordisco, Systems Engineer, Netwrix

    Brian Johnson, Security Enthusiast / Podcaster, 7 Minute Security

  • Housekeeping

    • All attendees are on mute

    • Ask your questions! Type your question in the question box and click “Send”

    • Questions will be answered during the session or at the Q&A at the end

    • You will receive a copy of the slides and webinar recording in the follow-up email

    • Duration: Up to 60 minutes

    We hope you enjoy!

  • Agenda

    • Introduction

    • Build an awesome cloud-based password-cracking rig

    • Download millions of known “pwned” passwords

    • Dump and crack user accounts from Active Directory

    • Make sure your password policy is strong enough to resist password cracking

  • Who’s this guy?

    Security engineer for 7 Minute Security

    Podcaster

    Not famous

    Tiny movie star

  • Build the password-cracking beast

  • Deploy the VM

  • Test the SSH connection

  • Protect the SSH connection

  • Change the host name

  • Change the paperspace password

  • Install essential software

  • Install NVIDIA drivers

  • Check out our sweet benchmarks!

  • Gather wordlists

  • Grab a bunch of wordlists for cracking

  • Grab a bunch of wordlists for cracking (singing “We will, we will, rock you!”)

  • Optimise the password lists!

  • Tweak the Hatecrack config

  • Adjust the config files

  • Crack our first hash!

  • Our first crack job!

  • Dump and crack AD user hashes!

  • Import test users into Active Directory

  • Create AD backup (with hashes!)

  • Upload hashes to the beast

  • It’s cracking time!

  • Conclusion

    • Password cracking is (relatively) cheap and (relatively) easy!

      o Create a cracking VM in Paperspace

      o Download a ton of wordlists

      o Optimise them with Hatecrack

      o Dump hashes out of Active Directory

      o It’s cracking time!

  • Netwrix Auditor

    Know Your Data. Protect What Matters.

  • Email: Bob.Cordisco@netwrix.com

    Bob Cordisco, Pre-Sales Engineer

  • About Netwrix Corporation

    Year of foundation: 2006

    Headquarters location: Irvine, California

    Global user base: over 300,000

    Recognition:

    7 years among the fastest growing software companies in the US

    More than 140 industry awards

  • Make sure your password policy is strong enough to resist password cracking

    1. Minimum Password Length policy

    This policy determines the minimum number of characters needed to create a password. You would generally want to set the Minimum Password Length to at least 8 characters, since longer passwords are harder to crack.

    2. Passwords Must Meet Complexity Requirements policy

    By enabling this policy, you go beyond the basic length and account policies and require every password to satisfy the complexity rules, not just the length minimum.

    3. Store Password Using Reversible Encryption for All Users policy

    This policy should only be enabled on a per-user basis, and then only to meet that user’s actual need. The only time you would want to enable this setting is when your company uses an application that must read a password from the password database, which is normally encrypted.

    4. Enforce Password History policy

    This policy sets how many previous passwords are remembered before an old one can be reused. It discourages users from reusing a previous password and prevents them from alternating between a few familiar passwords.

    5. Maximum Password Age policy

    This policy determines how long users can keep a password before they are required to change it, forcing users to change their passwords regularly.

    6. Minimum Password Age policy

    This policy determines how long users must keep a password before they can change it. It prevents a user from dodging the password history requirement by setting a new password and then immediately changing it back to the old one.
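    The following PowerShell audit is an added example, not code from the webinar or from Netwrix: it reads the default domain password policy and reports whether each of the six settings above is in a cracking-resistant state. It assumes the ActiveDirectory RSAT module is available, and the threshold values other than the slide's "at least 8" are illustrative assumptions.

```powershell
# Added example (not from the webinar): audit the default domain password policy
# against the six settings on this slide. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# Thresholds are assumptions for illustration; the slide only states "at least 8"
# for minimum length. Adjust the rest to your own baseline.
$MinLength    = 8
$HistoryCount = 24
$MaxAgeDays   = 90
$MinAgeDays   = 1

$p = Get-ADDefaultDomainPasswordPolicy

# MaxPasswordAge/MinPasswordAge are TimeSpans; a zero-length MaxPasswordAge
# means passwords never expire, which fails the "change regularly" check.
$maxAge = $p.MaxPasswordAge.Days
$minAge = $p.MinPasswordAge.Days

$checks = @(
    [pscustomobject]@{ Setting = 'Minimum Password Length';          Value = $p.MinPasswordLength
                       Pass = ($p.MinPasswordLength -ge $MinLength) }
    [pscustomobject]@{ Setting = 'Complexity Requirements';          Value = $p.ComplexityEnabled
                       Pass = [bool]$p.ComplexityEnabled }
    [pscustomobject]@{ Setting = 'Reversible Encryption (all users)'; Value = $p.ReversibleEncryptionEnabled
                       Pass = (-not $p.ReversibleEncryptionEnabled) }
    [pscustomobject]@{ Setting = 'Enforce Password History';         Value = $p.PasswordHistoryCount
                       Pass = ($p.PasswordHistoryCount -ge $HistoryCount) }
    [pscustomobject]@{ Setting = 'Maximum Password Age (days)';      Value = $maxAge
                       Pass = (($maxAge -gt 0) -and ($maxAge -le $MaxAgeDays)) }
    [pscustomobject]@{ Setting = 'Minimum Password Age (days)';      Value = $minAge
                       Pass = ($minAge -ge $MinAgeDays) }
)
$checks | Format-Table -AutoSize

# Fine-grained password policies (PSOs) override the default policy for the
# users and groups they apply to, so list them instead of trusting one answer.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled,
        ReversibleEncryptionEnabled, PasswordHistoryCount, MaxPasswordAge, MinPasswordAge |
    Format-Table -AutoSize

# Reversible encryption can also be set per user (the case the slide allows):
# userAccountControl bit 0x80 (ENCRYPTED_TEXT_PWD_ALLOWED). List those accounts
# so each one can be tied to a documented application need.
Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=128)' |
    Select-Object SamAccountName, Enabled, DistinguishedName
```

    Any row with Pass = False, any PSO weaker than the default policy, or any account in the last list is a finding to review against the policy guidance above.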

  • Useful links

    Join our next session

    Password123456: Protecting Your Active Directory Castle on February 20 @ 1 pm AEDT / 10 am GMT+8

    Read our Password Policy Best Practices Guide https://www.netwrix.com/password_best_practice.html

    Check out Netwrix Auditor for Active Directory https://www.netwrix.com/active_directory_auditing.html and its password expiration notification tool https://www.netwrix.com/password_change_reminder.html

    If you want to learn more about Netwrix Auditor, register now for the upcoming Product Demo!

  • Questions?

  • Thank you!

    Bob Cordisco, Systems Engineer, Netwrix

    Brian Johnson, Security Enthusiast / Podcaster, 7 Minute Security