From the course: Security Testing Essential Training

Password cracking

- [Narrator] There is tremendous value in helping an organization identify vulnerabilities that an attacker could potentially exploit. There's even greater value in providing them with guidance on how to address those vulnerabilities. At some point, however, you'll be challenged to prove that the vulnerability actually exists and that the vulnerability could be exploited by a potential attacker. That's why you need to spend some time learning tools and techniques for vulnerability validation. One of the most useful vulnerability validation techniques you should have at your disposal is the ability to crack passwords. The security vendor F5 analyzed a decade's worth of data breaches, and in December 2017, they published their findings. One of their goals was to determine the initial attack vectors for those breaches. Based on their data, they determined that the initial attack vector for 87% of these data breaches was either an application security weakness, an identity and access management weakness, or some combination of the two. To put that another way, attackers were able to either guess or brute-force passwords, log in as existing users, and wreak havoc. As a penetration tester, I can attest to this firsthand. When I'm hired to target an organization, I've found the most success in compromising accounts with weak passwords and then using those accounts to impersonate an authorized user.

In order to understand how to crack passwords, it helps to understand how passwords are stored. When a user creates a new account in an application, security-minded developers often hash that password so that they don't have to store it in plaintext. This hashing process takes the initial value and performs a one-way function on that string to generate a new value, one that ideally can't be reverse-engineered to reveal the initial password.
When a user logs into that application, the application takes the user's plaintext password, performs the exact same hashing function on that string and compares it to the original value. If they match, then the original password string must also match, so the application lets the user in. If they don't match, that means the user provided a different string than what the application expected. No password, no access. Password cracking tools and techniques often rely on a wordlist that contains all of the possible passwords that you'd like to include in your test. Determining which words to include in your wordlist is where the art and the science of password cracking overlap. Fortunately, the information security industry was built on the shoulders of giants, and you're able to rely on work that security researchers have contributed to the field. In 2009, the media website rockyou.com was breached and a security researcher published the list of 32 million passwords that were exposed in just that one breach. This list represented the largest collection of passwords that we knew people were actually using to log into this website. And the RockYou list has been a favorite of pen testers ever since. Variations of the RockYou wordlist have been built into Kali Linux directly, and we're going to take a look at using Hashcat with the RockYou list to crack some passwords. But as I mentioned earlier, we're just scratching the surface when it comes to password cracking.
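As an added example (not code from the course or its narrator), the hash-then-compare login check and the wordlist attack described above, in Python, using a constructed six-word list and constructed accounts; the function names (hash_password, verify_password, dictionary_attack, salted_hash) and the sample passwords are assumptions made for this illustration, and the salted variant at the end goes slightly beyond the narration to show why per-user salts blunt a single precomputed lookup.

```python
import hashlib
import hmac

# Constructed sample wordlist standing in for a list such as RockYou (not real leaked data).
WORDLIST = ["123456", "password", "letmein", "sunshine", "qwerty", "iloveyou"]


def hash_password(password: str) -> str:
    """One-way function from the narration: unsalted SHA-256, returned as hex."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def verify_password(candidate: str, stored_hash: str) -> bool:
    """Login check: hash what the user typed and compare it with the stored value."""
    return hmac.compare_digest(hash_password(candidate), stored_hash)


# Constructed user database: the application keeps hashes, never the plaintext.
STORED_HASHES = {
    "alice": hash_password("sunshine"),
    "bob": hash_password("correct horse battery staple"),  # not in the wordlist
    "carol": hash_password("letmein"),
}


def dictionary_attack(stored_hashes: dict, wordlist: list) -> dict:
    """Wordlist attack on unsalted hashes: every word is hashed once and looked up
    against all stored hashes, so the work does not grow with the number of users."""
    lookup = {hash_password(word): word for word in wordlist}
    return {user: lookup[h] for user, h in stored_hashes.items() if h in lookup}


def salted_hash(password: str, salt: bytes) -> str:
    """Per-user salt: the same password yields a different hash for each user,
    so one precomputed lookup table no longer matches anybody."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def dictionary_attack_salted(records: dict, wordlist: list) -> dict:
    """Against salted hashes each guess has to be re-hashed for every user,
    so the attacker's work scales with users times wordlist size."""
    cracked = {}
    for user, (salt, stored) in records.items():
        for word in wordlist:
            if hmac.compare_digest(salted_hash(word, salt), stored):
                cracked[user] = word
                break
    return cracked
```

Running dictionary_attack(STORED_HASHES, WORDLIST) recovers alice's and carol's passwords but not bob's, whose passphrase is absent from the list; the salted records, by contrast, cannot be matched with a single lookup and have to be attacked one user at a time.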
