TRANSCRIPT
Summoning the Password Cracking Beast
Password 123456
Bob Cordisco, Systems Engineer, Netwrix
Brian Johnson, Security Enthusiast / Podcaster, 7 Minute Security
Housekeeping
• All attendees are on mute
• Ask your questions!
• Questions will be answered during the session or at the Q&A at the end
• You will receive a copy of the slides and the webinar recording in the follow-up
• Duration: Up to 60 minutes
We hope you enjoy!
Agenda
• Introduction
• Build an awesome cloud-based password-cracking rig
• Download millions of known “pwned” passwords
• Dump and crack user accounts from Active Directory
• Make sure your password policy is strong enough to resist password cracking
Who’s this guy?
• Security engineer for 7 Minute Security
• Podcaster
• Not famous
• Tiny movie star
Build the password-cracking beast
Deploy the VM
Test the SSH connection
Protect the SSH connection
Change the host name
Change the paperspace password
Install essential software
Install NVIDIA drivers
Check out our sweet benchmarks!
Gather wordlists
Grab a bunch of wordlists for cracking
Grab a bunch of wordlists for cracking (singing “We will, we will, rock you!”)
Optimise the password lists!
Tweak the Hatecrack config
Adjust the config files
Crack our first hash!
Our first crack job!
Dump and crack AD user hashes!
Import test users into Active Directory
Create AD backup (with hashes!)
Upload hashes to the beast
It’s cracking time!
Conclusion
• Password cracking is (relatively) cheap and (relatively) easy!
o Create a cracking VM in Paperspace
o Download a ton of wordlists
o Optimise them with Hatecrack
o Dump hashes out of Active Directory
o It’s cracking time!
Netwrix Auditor
Know Your Data. Protect What Matters.
Bob Cordisco, Pre-Sales Engineer
About Netwrix Corporation
Year of foundation: 2006
Headquarters location: Irvine, California
Global user base: over 300,000
Recognition:
7 years among the fastest growing software companies in the US
More than 140 industry awards
Make sure your password policy is strong enough to resist password cracking
Minimum Password Length policy
This policy determines the minimum number of characters needed to create a password. You would generally want to set the Minimum Password Length to at least 8 characters, since long passwords are harder to crack.
Passwords Must Meet Complexity Requirements policy
By enabling this policy, you’ll go beyond the basic password and account policies and ensure that every password is secured.
Store Password Using Reversible Encryption for All Users policy
This policy should only be enabled on a per-user basis, and then only to meet the user’s actual needs. If your company uses an application that needs to read a password from a password database that is normally encrypted, that is the only time you would want to enable this setting.
Enforce Password History policy
This policy sets how often an old password can be reused. It discourages users from reusing a previous password, thus preventing them from alternating between several common passwords.
Maximum Password Age policy
This policy determines how long users can keep a password before they are required to change it. It forces users to change their passwords regularly.
Minimum Password Age policy
This policy determines how long users must keep a password before they can change it. It prevents a user from dodging the password system by setting a new password and then changing it back to their old one.
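To check the six settings above against a live domain, here is an added audit script (example code, not from the webinar or from Netwrix). It assumes the ActiveDirectory RSAT module on a domain-joined host; the "at least 8 characters" threshold comes from the slide, the other thresholds are assumed values to adjust to your own policy.

```powershell
# Added example, not from the webinar: audit the Default Domain Password Policy
# against the six settings discussed in the deck. Assumes the ActiveDirectory
# RSAT module on a domain-joined host. Only the ">= 8 characters" threshold
# comes from the slide; the other thresholds are assumed values.
Import-Module ActiveDirectory

function Test-DomainPasswordPolicy {
    param(
        [int]$MinLength  = 8,    # from the deck: at least 8 characters
        [int]$MinHistory = 24,   # assumed threshold
        [int]$MaxAgeDays = 365,  # assumed upper bound; 0 means "never expires"
        [int]$MinAgeDays = 1     # assumed; blocks immediate change-back
    )
    $p = Get-ADDefaultDomainPasswordPolicy
    [pscustomobject]@{
        'Minimum Password Length'        = $p.MinPasswordLength -ge $MinLength
        'Complexity Requirements'        = $p.ComplexityEnabled
        'Reversible Encryption disabled' = -not $p.ReversibleEncryptionEnabled
        'Enforce Password History'       = $p.PasswordHistoryCount -ge $MinHistory
        'Maximum Password Age'           = ($p.MaxPasswordAge.TotalDays -ge 1) -and
                                           ($p.MaxPasswordAge.TotalDays -le $MaxAgeDays)
        'Minimum Password Age'           = $p.MinPasswordAge.TotalDays -ge $MinAgeDays
    }
}

# Print each check as PASS/FAIL.
$result = Test-DomainPasswordPolicy
$result.PSObject.Properties | ForEach-Object {
    '{0,-32} {1}' -f $_.Name, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}

# Reversible encryption can also be granted per account (the per-user case the
# deck describes) via the ENCRYPTED_TEXT_PWD_ALLOWED bit (0x80 = 128) in
# userAccountControl. List every account that has it so each can be justified.
Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=128)' |
    Select-Object SamAccountName, DistinguishedName

# Fine-grained password policies override the domain default for the groups
# they apply to, so review them against the same bar.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled,
                  ReversibleEncryptionEnabled, PasswordHistoryCount, MaxPasswordAge
```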
Useful links
Join our next session
Password123456: Protecting Your Active Directory Castle on February 20 @ 1 pm AEDT / 10 am GMT+8
Read our Password Policy Best Practices Guide https://www.netwrix.com/password_best_practice.html
Check out Netwrix Auditor for Active Directory https://www.netwrix.com/active_directory_auditing.html
and its password expiration notification tool https://www.netwrix.com/password_change_reminder.html
If you want to learn more about Netwrix Auditor, register now for the upcoming Product Demo!
Questions?
Thank you!
Bob Cordisco, Systems Engineer, Netwrix
Brian Johnson, Security Enthusiast / Podcaster, 7 Minute Security