7MS #478: Password Cracking in the Cloud - Part 4
7 Minute Security29 Heinä 2021

7MS #478: Password Cracking in the Cloud - Part 4

Hey friends, today we're continuing our discussion of password cracking by sharing some methodology that has helped us get a high cred yield, and some tips on taking cracked passwords from multiple sources and Frankensteining them into a beautiful report for your customer.

For some background, when 7MS started as a biz, we used to crack passwords in Paperspace but invested in an on-prem cracking rig a few years ago. That rig has been flipping sweet, but had some heating issues which prompted me to send the system in for warranty and use an awesome cracking rig in AWS in the meantime.

Whether you're cracking locally or in the cloud, here's a quick methodology that has cracked many a hash for us:

  • Do a straight-up hashcat crack against the PwnedPasswords list (at time of this writing I don't have a good source for the cracked versions of these passwords. I used to grab them at hashes.org. Anybody got an alternative?

  • Do a straight-up hashcat crack through the RockYou2021 list

  • Run the hatecrack methodology, including the quick crack, the quick crack with rules (I'm partial to OneRuleToRuleThemAll), and brute-forcing all 1-8 character passwords

Once I'm ready to wrap up all the cracked passwords and put them in a nice shiny report for the customer, I do the following (using hashcombiner and pipal):

# Run hash_combiner on hashcat's pot file and write results to a file python /opt/hc/hash_combiner.py user_hash /opt/hashcat/hashcat.potfile > /tmp/round1.txt # Run hash_combiner on hatecrack's pot file and write results to a file python /opt/hc/hash_combiner.py user_hash /opt/hatecrack/hashcat.pot > /tmp/round2.txt # Cat the two files together into a third file cat /tmp/round1.txt /tmp/round2.txt > /tmp/round3.txt # Sort and de-dupe the third file cat /tmp/round3.txt | sort -uf > /tmp/nice-and-clean.txt # Take just the passwords out of the "nice and clean" output cut -d ':' -f 2 /tmp/nice-and-clean.txt > /tmp/pipal-temp.txt # Score the passwords using pipal /opt/pipal/pipal.rb /tmp/pipal-temp.txt > /tmp/pip-final.txt

Now you've got a nice-and-clean.txt list of users and their cracked passwords, as well as the pip-final.txt with deeper analysis of cracked passwords, their commonalities, etc.

Jaksot(703)

7MS #110: Hacking WPA Enterprise-Part 1

7MS #110: Hacking WPA Enterprise-Part 1

This episode is about my experience hacking WPA enterprise. Huge mega tiger uppercut thanks to this site for giving me the fixes I needed to get this working on Kali2! https://warroom.securestate.com/index.php/evil-twin-attack-using-hostapd-wpe/

17 Marras 20158min

7MS #109: OFFTOPIC-It Follows and Backcountry

7MS #109: OFFTOPIC-It Follows and Backcountry

Movie reviews of It Follows and Backcountry.

13 Marras 20157min

7MS #108: I'm Going to PWAPT!-Part 2

7MS #108: I'm Going to PWAPT!-Part 2

Here's part 2 (of probably several to come) about my experience with PWAPT (Practical Webapp Pentesting) training last week!

11 Marras 201510min

7MS #107: I'm Going to PWAPT!

7MS #107: I'm Going to PWAPT!

Hey I'm going to PWAPT this week (http://www.eventbrite.com/e/practical-web-application-penetration-testing-with-tim-tomes-lanmaster53-tickets-16718889649), so in this episode I talk about that...and how I'll probably be too info-overloaded to record anything on Thursday :-). Oh, and I had a fun Web app pentest this week that I wanted to share some fun bits on.

3 Marras 20157min

7MS #106: A Day in the Life of an Information Security Analyst

7MS #106: A Day in the Life of an Information Security Analyst

A listener wrote in asking some questions about "a day in the life of" a security analyst, so here's my best stab at it!

30 Loka 201510min

7MS #105: OFFTOPIC-Big Bag of Random Sauce

7MS #105: OFFTOPIC-Big Bag of Random Sauce

Today's totally random episode covers: 1. How bad does this podcast's logo suck? 2. Does this podcast need a theme song? 3. Some interesting training I'm taking next week. 4. The Walking Dead - who should die? 5. Metal Gear Solid and my personal godmode strategy.

28 Loka 20159min

7MS #104: LANTurtle First Impressions

7MS #104: LANTurtle First Impressions

Hey I just got a LANTurtle and....these are my first impressions!

22 Loka 20157min

7MS #103: OFFTOPIC-I Was in a Movie Once

7MS #103: OFFTOPIC-I Was in a Movie Once

This is an off-topic episode about the time I was in the holiday comedy super-smash laugh-fest, Jingle All the Way.

20 Loka 20157min

Suosittua kategoriassa Politiikka ja uutiset

rss-ootsa-kuullut-tasta
aikalisa
tervo-halme
ootsa-kuullut-tasta-2
politiikan-puskaradio
otetaan-yhdet
rss-podme-livebox
et-sa-noin-voi-sanoo-esittaa
rss-vaalirankkurit-podcast
rss-lets-talk-about-hair
aihe
linda-maria
rss-polikulaari-humanisti-vastaa-ja-muut-ts-podcastit
rss-kaikki-uusiksi
rss-merja-mahkan-rahat
rss-kuka-mina-olen
rss-mikin-takana
rss-raha-talous-ja-politiikka
rss-terveisia-seelannista
rss-toisten-taskuilla