Passwords: Am I a joke to you?


– Everyone, David Bombal, back with Daniel from ITProTV. Once again, really wanna thank them for sponsoring this video. Daniel, in this series, we're looking at some of your favorite hacking tools. Which one are we looking at today?
– Today I figured, you know, kind of on the heels of our Metasploit demonstration, we were left there with the last thing we looked at and I said, "Oh, look at all these password hashes, we should probably break those, right?" Because that's something you do as someone who's into ethical hacking, penetration testing. From time to time, you're going to be confronted with obfuscated or encrypted passwords. And how do you get around that? What do you do? Well, there are some various and sundry tools for breaking those things. But today I figured one of the oldest, one of the best tools for breaking hashed passwords, passwords that are hashed, is John the Ripper. It's been around forever. It's a tried and true tool.

It's one that I just hold near and dear to my heart because, hey, I cut my teeth on it. There are other password hashing or password cracking tools out there, but John the Ripper just seems to be my go-to for the most part, because it's easy, it has a couple of really cool things you can do with it, and it's for the most part effective, and that's what I'm looking for.
– Daniel, let's do the script kiddie thing first.
– Yeah.
– And then we can go through the documentation and you can teach us.
– Yeah, absolutely. So what I'm looking at right here on my screen is, instead of re-breaking into that machine, I just SSH into it.

We did find the username and password, SSH was available, and now I have another avenue of attack for that specific box. But I'm looking at the /etc/shadow file, which in a Unix world is, you know, it's the thing, it's where you keep those hashed passwords. So I say Unix as Linux as well. They're not the same, they're different, I know.

– Can you show us where that file is stored?
– Sure, it's in /etc/shadow. So, if you do like an ls, which lists files, to /etc/shadow, that is the directory. If I do a -l it'll actually give me some long listing format there. So, it's showing me here that this is read, write and read: read, write for root and read for shadow, which is just like a service account, which can deal with this. So notice that that's a pretty locked-down thing. If you were looking at the shadow group you would realize that, oh, the only thing it really does is this right here, which is look into this. So if there are password changes or manipulations that need to be done, it'll probably either use the root or the shadow group to make those manipulations. So, it's in Unix and Linux.

You're gonna look just in /etc and it will be called shadow, no extensions normally. Every now and then you do get to find a .bak file laying around somewhere, and that's probably a backup. If you can get your hands on that and it doesn't have strong permissions on it, it might be a good place to find some password hashes such as what we're looking at right now. But once I have access to that file, to get it out and start cracking it with John the Ripper, I just need to actually copy the things that I want. So I don't need, you know, NTP, ProFTP, all these service accounts that don't have passwords. They also don't have logins or anything like that. So, I'm not really worried about that. I want these passwords because, you gotta remember where we're at in the stage, we've already compromised machines.

So this would be in what's called the post-compromise phase of my hacking methodology. Now what can I do now that I've gained some access? One of the best things to do is to grab user accounts and try to crack their passwords, 'cause you never know what access those user accounts could give you. So it's something that you always wanna engage in. It's like usually the first thing I do once I've gained some sort of system access or ability to read the /etc/shadow file is grab the user accounts and put them in a file so that I can crack them with John the Ripper.

– So just for people who don't know Linux very well, did you use a command like the cat tool?
– Yeah.
– How did you display that information?
– And John, you have been paying attention. Yes, absolutely. I use cat to do this. So cat is a way to either put things together, concatenate is what cat stands for, or you can use it to read files. To show me the contents of a file though, just the word cat will do that for you. So you do cat then the file name, bam, you're good to go.

So it's just spitting this out here on the screen for me. So what I'm gonna do is just highlight what I want. So I've got a block of users right here. We've got another one right here, which is B. We probably have a root account as well, and you can see it has a password as well. So we'll grab all this stuff. I'm just gonna highlight, copy that. And what I'll do is I'll open another one of these things right here, and we'll just, a little bit of that, get into where we're at hacking. And then I'm just gonna open up an editor, which is, I'll just use Nano, and we'll call this, this was the B box, so we'll call this b.hashes.

Or you know, we'll call it shadow. It's a little more descriptive than hashes. So it kinda gives you an idea of what's the contents of this file. It's a little more descriptive, I like that. I'll make this box a little bigger. They give you such, I got to change the preferences on this thing. Grab that corner, there we go. Alright, now we can see things. Alright, and just right click, paste that in there. There is some, like, official way to do this where you actually use cat, or I think John the Ripper has some functionality where you take the password file and the shadow file, and it combines them into one, but I've never had to do that honestly.

I've always just grabbed the shadow file and cracked away, and it seems to work fine for me. There might be a good reason to do that, but I just haven't seen it yet. Alright, let's get those other two accounts. This one is B, and copy that. Put that in our little file we got going on here, paste it in, and then of course root. What is that root account? And of course this is kind of a try-catch thing, you know. You're gonna try to crack passwords. I don't know what the passwords are on this other than the one that I'm used to logging in with.

So this will be just as much of a fun exercise for me as it will be for you good folks out there. So I'ma paste that in there. So now that I have this file, it's in the correct format John will be able to understand: "Oh, this is that format." It's pretty good at intuitively understanding, by looking at the type of hash that it sees in the file, oh, this is that type, or this is that type. It'll make a guess, an educated guess at what hash that is. But sometimes it doesn't do a great job of that and you'll have to tell it, "Hey, this is the format." That's the word, list formats or show formats, it's one of those two.

And it'll show you all the different formats that you can, that John can crack against. So if you see like MD5 and then there's like another type of MD5, maybe that's the better one and you're not getting the action you're looking for with standard MD5. You gotta go with something a little off-kilter. So you'd just have to tell it that, feed it that information. Alright, now that we have this, save and exit. And close this, and I'll log out of the B box here and just exit. So I just SSH into that. Alright, now we should have a file called shadow.hashes. Yay! And now we can run John the Ripper against it. Now, how to do that? You just invoke john; if it's not in your system path, you're gonna have to give it the full path. But for me, I got it in my system path so I can just do john shadow.hashes.

Right? Now, that's a standard set of attack. It will just go with basically its defaults and maybe I'm good with that. I think what it ends up doing is it runs the built-in dictionary file that it has, that comes pre-compiled for it, and then it'll apply some basic rules if that doesn't work and sees if it gets anything out of that. Other than that, I would wanna run my own dictionary file. One of the best ones and the most widely used, and for pretty good reason, because of how large it is, is the rockyou.txt file. If you haven't seen that, it's a great one. Just do a -w=, just break this off here, and then you give it the path to your rockyou file.

Mine's in /usr/share/wordlists, and it's rockyou.txt.
– So you'll explain all those details in a moment, yeah?
– Yeah, no problem. We'll go through that stuff. So, it's just a dictionary file with a bunch of cracked passwords in it. And it's gonna try to check this for you. Alright, so good to go, I'm gonna hit enter and now things are starting. And you'll notice that it says, warning, detected hash type md5crypt, but the string is also recognized as md5crypt-long. So you see, it's tryna make an educated guess and it tells us, if I want to go md5crypt-long, use the --format=md5crypt-long option to force loading that type instead, right? So I'm gonna default with this, but if that ain't right, why don't you go ahead and try that.

So I like that about Hashcat. It kinda gives you some help and brings you along, 'cause at the end of the day, that's what I wanna do, is crack the passwords on these things, and if I'm not doing it right, it's great that the tool will actually kind of feed back and say, "Oh, hey, have you thought about this option? Maybe that'll work a little better for you." So I like tools that do that. So we've already cracked the root password. We've cracked B, which we already knew that one but I threw it in there because, what the heck. Of course, horrible password OPSEC here, but, you know, obviously this is a purposeful thing. We're doing a demonstration here. If you've never done real password cracking, it's a time-consuming operation. It's something that's gonna take you a hot minute. Well, outside of the scope of being able to do a demonstration in some sort of time constraint, right? Because passwords can be complex. Passwords can be difficult.

Maybe the password is in your dictionary file but you got a big dictionary file. So it just takes time to churn through those things before it actually finds the passwords. When it comes to me actually working with stuff like this in the real world, maybe I'm doing a CTF, or I'm actually just checking the OPSEC of my users if I'm inside of an environment, and I say, hey, I wanna check and make sure the people in my organization are using strong passwords. I'll grab the file, dump it in here and just let it turn and burn, kind of a set it and forget it kind of thing, and come back. So if I'm doing a CTF, I probably don't go too long on password cracking. Maybe if I've got the time and I don't care, and I just want it to go and see if I can get it to give me some password action.

Most people that create CTFs are pretty smart about, for whatever reason they just don't want you to have those passwords. I actually think that would be a good idea for people to have the information beforehand because a lot of times things don't work correctly, you need to go in and fix it so you can actually play the game. I ran into that a lot. But, hey, what are you gonna do, right? I don't create, I can create my own, I guess, right? And say, I do appreciate the fact that a lot of people now are starting to put, when you get to the login screen of the machine itself, it'll tell you my IP is this. You're like, "Oh, good." Now I don't have to wonder whether or not the virtual adapters are working correctly, which is so frustrating.

But as you can see, it's working, right? It's cracked a couple of passwords. It's churning through. We had quite a few as far as how long this will take. It just depends on whether you're using CPU versus GPU, which it can do. I'm in virtualization here, so I'm not going after my GPU to try and make this fast again. It's a demonstration so we're not tryna get too deep in the weeds. We wanna keep you just, hey, what does this tool do? How does it kinda work? Give me some of the options and some of the standard things that it can work with, and you can see how that works itself out.
– Yeah, I mean, I think it's good that you highlighted that, because on other videos that I've created, the first complaint I get is people say, "You're using a simple password." But, you know, a video, let's make the video eight hours long, Daniel.

– Yeah. That sounds fun, right? "Hey, are you still in there with me?" "Apparently, it's still going, thanks for hanging in there, right?" Yeah, right, exactly. A, you've got to do a demonstration. You just want people to see how the tool works, that's the purpose of what we're doing today. And I would say they have a legitimate claim to their complaints, right? To say, "Hey, you're using a weak password." Of course it's going to break it. Alright, and that's a funny thing. So, I've been confronted with that kind of thing before as well, right? A, we set the expectation that we're gonna crack some passwords, whether or not they're strong. If I've created them myself, yes, I have control of that.

But let's talk realism here for a second. I don't know if you know this, but if you do a Google search for top 10 passwords of 2021, guess what number one with a bullet is?
– Is it password?
– No, that's number three or four. The word password is number three or four on the top 10 used passwords in 2021. Alright, so that's already scary. The number one with a bullet is one, two, three, four, five, six. Number two is one, two, three, four, five, six, seven, eight, nine. Number three is QWERTY. And number four is password.
– So the point you're trying to make, or the points you're making, sorry, is, even though we know it's a bad password, people still use those?
– Right. And put yourself in an attacker's, right? So a lot of times you got to kind of play the role, put yourself in an attacker's position. Okay, let's say they're cracking Wi-Fi passwords or they've gotten a hash dump somewhere and they're cracking passwords.

Do they feel like less of a hacker because they found a bunch of easy passwords in a hash dump? No, they are happy as a clam because now they have passwords and that's exactly what they wanted. They don't care how hard your password is; actually they probably would hope you were using an easy password. And guess what? A lot of people do, a lot of people use bad passwords. Which is why we tell people, okay, we, for whatever reason, we can't solve the bad password riddle. So how about this? Let's go ahead and enable 2FA or MFA of some kind, so that we can, you can have your weak password and still have some sort of security around it. So the fact that I'm cracking passwords that are, quote unquote, weak, is not my fault. I don't use bad passwords. I use really good passwords.
– It's not your fault that I use a bad password. Come on, it's your fault.
– Yeah, right? That's not my fault. In the real world, people use weak passwords. That's just the name of the game.
– Human nature.

– Yes, it's just human nature. It's too hard to type this in. It's too weird, I can't remember it. I've got too many. And these are legit complaints against having to use a password, which is why password managers are a godsend, because they help us with that. I don't have to remember anything, it does it for me.

I only need to remember one. I need to make one good password, and that's the only one I got to remember when it comes to using something like a password manager. So this is an encouraged thing.
– Which is your favorite? Sorry.
– My favorite? That's a hard one. I use LastPass, they've had their issues. They've had breaches and things of that nature. But, you know, whatever, it's fine. There are other things out on the market. I'm sure that they are possibly, it doesn't matter how big you are. Apple has been hacked, Facebook's been hacked. Everyone's been hacked, if it was gonna get hacked, it's all about just like giving me some security. So, yeah. Do I default to LastPass? Yeah, well, my company uses LastPass. That's not my call. I don't make that call. So my company uses it, therefore I use it.
– And tell me, you know, we've talked about like Facebook getting hacked.
– Yeah.
– Can you explain, sorry to interrupt, the rockyou file, because that's kind of pertinent if you like, or relevant, to this discussion on Facebook getting hacked.

– Really interesting story behind that. If you wanna know the details, there is a Darknet Diaries episode I highly recommend you check out. And he kind of goes into detail on that. But the gist of the story was it was a website, RockYou, and they got breached and they had a massive amount of users. And from that breach, there were a ton of passwords recovered and it was put into a dump called the rockyou.txt file. And the interesting thing about this, or that came out of that, was the fact that there were so many passwords that were cracked, it let us kind of get a glimpse into the common man and the common woman's idea of what they thought a good password was.

I kind of played around with it the other day. And I was like, I wonder what the longest password is in the rockyou file because, you know. You gotta understand the difference between a dictionary attack versus a brute force attack, right?
– Yeah, could you explain that?
– Yeah, and I think that is so relevant to the conversation. So a brute force, technically they're both brute force attacks, either a dictionary attack or a per se brute force attack. Okay, so a brute force attack, we'll start there, 'cause then we can kind of work our way down to what a dictionary is.

So a brute force attack says, okay, you tell me some parameters: what characters to use, how long to go. So, you know, is it eight, ten, two, or a range between zero and twenty, or whatever, just infinity, if that's what you like. And I'm gonna just start with the very first character in that character set and try it. So let's say that first character is A. So I tried A, didn't work, not the password. Okay. Let's try AA, alright. AA is not the password.

Yeah, next one. And so on and so on and so forth, right? Then until it works its way through the entire, every single combination of the entire character sets that you have fed it and the parameters. So it's doing just that. It's just trying everything until something sticks. Alright, so compare that with a dictionary file, which does the same thing in a way. What I mean is, it tries things that you have told it to try, which is a list of words. So instead of just every possible set, I'm gonna feed you a file with possibly good passwords, try each one, if they don't work move to the next one, and so on and so forth. So it is also a type of brute force attack. We just don't call it that, we just call it because we wanna differentiate between a true brute force versus using a dictionary file to brute force it. So with brute force, a true brute force is gonna take you a lot longer. Well, it can, than it would be with a dictionary file, because all your machine has to do with a dictionary file is just run through each one of those things, giving it a try.

And all it's doing is taking the word in the dictionary file, hashing it with the hash value or the hash algorithm of which you're trying to crack, and once it has that hash, it compares that with the hashed password and sees if they're the same, just as a comparison. If it's not, it moves on to the next thing. So there is some overhead behind that, but with a brute force, it can take much longer, and this is where the idea of, if you make your password long, use multiple character sets.

So the longer and the more characters that you use, the more difficult it's going to be for a brute force type of attack to be successful. Now go back to your dictionary attack. It doesn't matter how long or complex your password is, if it is in the dictionary, you are hosed, you are getting hacked, your password will be cracked. So you've gotta kind of, when you create good passwords you gotta keep both of those ideas in mind that, okay, I want it to be of sufficient length and complexity to defeat a true brute force.

But I also wanna make it weird enough that it's probably not in a dictionary file somewhere, right? And that was it, that is what will keep you out of this. Most people do not think that way, and therefore we can use, you know, dictionary files like rockyou and still be successful with it as we have here. Now, this could have been, you know, any other thing as well, or I could have made a couple of other passwords and we could have tried that.

– Did you work out the maximum length? I think, I'm not sure if you said it.
– So, I got to 195 characters and was like, I'm tired of doing this. I'm tired of looking, you know? So I was just like, grepping, you know, and doing it for length and trying to grep out the lengths. It was basically like, hey, search for a string of characters this long and return it if you find anything that's that long specifically.
– So that's your point about like the, even if you use a long password, if it's part of a breach.

Like let's say you use that password on Facebook.
– Yeah.
– That's now a breached password that hackers have access to in wordlists.
– Absolutely.
– So that password could be cracked because it's gonna be in a dictionary somewhere or wordlist somewhere.
– You nailed it. And not only that, but you can also mutate the wordlist so that it is now not just running through the wordlist, then it will go back through it giving it parameters. So kind of like taking brute force and dictionary and putting them together and saying, okay, well, try these as well. You got the word password, say your dictionary says password, cool. Well, I also want you to try uppercase P for password and try a number on the end of it.

Well, I can tell John, I can give it some rules and John will try password. And then we'll capitalize the first character of that word and add the number one at the end. So it can also do like a hybrid as well. So you add a couple of rules to it. Now if you have a really robust password file, you put some rules in. I actually looked up some rules for us here. Let me jump over here to this website. This is gracefulsecurity.com, Custom rules for John the Ripper: Examples. And this pen tester or security specialist named Holly, Holly Graceful I guess her name is, she posted the rules that she has been using to help defeat Windows complexity requirements. Right? So you gotta have an uppercase, gotta have this, and these are easy, right? So this cAz thing, all that means is c stands for capitalize the first letter, Az means append something to the end, and then I'll give you what that is, which is this set of characters.

So she gives it a range of zero through nine. So now whatever's in my dictionary file, it'll run through that, and then it will try to capitalize the first letter and add a one or zero, actually, we'll start with zero, and then try capitalize with a one, and capitalize with a two, capitalize with a three. And through that range, zero through nine. And as you can see, you can continue, you can add special characters in there. You can make it two numbers and make that go through each iteration of those two numbers. So you see you're adding, you're bolting on that brute force to your dictionary. You can make it much more robust, so.
– That's because humans often make a password where the first letter is uppercase.
– That's it.
– And then they bolt on digits or special characters at the end, yeah.
– Human nature.
– Right.
– Because, well, you know, the website or whatever the authentication mechanism, when you're creating your password, it complains to you, right? It says, hey, that's not strong enough.

You need to add, you need to have these character sets. Must have one uppercase. Must have at least one lowercase, must have a special character. Here's the range of special characters. It must include one number. You go, "Oh, okay. Well, I'll just take that password, capitalize the first letter, add a zero zero one on the end of it and an exclamation point, and bam, I've met all the requirements." Now all I gotta do is just add some of these mutations to my password list, and I'm gonna be more successful because of it. People are still using the same passwords. They're just changing them to meet those new, more robust complexity requirements. We just gotta shuffle a little bit to make it past that.
– I mean, do you have a place where you get like passwords from? Like, I mean, the rockyou comes as part of Kali, or Kali Linux. Are there any other places where you would get the passwords?
– So Kali actually has quite a few wordlists in it.

It's not just rockyou, and let's go back over there, and I'll show you where that is. If we go into cd /usr/share, there is the wordlists directory, and if you do an ls, I've got a few in here that I've created myself. So I was noticing that some wordlists would have things that other wordlists didn't. So I started mangling them together and making one large giant wordlist, and that's why you see these dirmasters right here. But fasttrack is a good one. It's short, but if you're looking for a quick win it might be in fasttrack.

If you're looking to not sit here and wait forever for this thing to actually crack, then that might be a good way to go, right? So fasttrack is a really quick and dirty one, if you wanna use it in other areas as well. There's also, it looks like, Metasploit. If you go into cd metasploit, metasploit, metasploit. They've got some password lists here, quite a few of them.

You see things like Unix passwords, right? That might be helpful. Hey, is anybody running Tomcat? There's default passwords for Tomcat. So if you wanna get really specific, some great passwords up in here in Metasploit. Let's back it up though, there's also seclists. And in here they're kind of like broken down by type. So if you're trying to do fuzzing or discovery, there's these dictionary lists for doing all those types of things, but one of them here is called passwords, right? So cd into passwords, and do an ls. And you can see we've got quite a few in here. We even have a directory for common credentials. We've got a directory for cracked hashes. We've got some top 10 or top lists. So top 10, top 100, top 1000, top 10,000 kind of thing from this dark 2017 dump, we've got default creds. We love default creds, right? Again, going back, oh, those are easy passwords.

People don't change passwords, they're not good at security. So that's why we need to be testing against that. If we're engaged in a security audit and we're testing for vulnerabilities, we wanna check passwords to see and make sure that people are actually using quality strong passwords that will resist those different types of attacks. As well as maybe even having some multifactor authentication, using more than one thing so that if their password is weak, they still gotta get past another step. It's not impossible but it does make it more difficult, right? And increases their chances of getting caught. This is all about that layered defense and layered security. So tons of passwords right here inside of Kali.
– You gotta show us the stupid ones in production file.
– The stupid ones? Let's see here, yeah. Let's go into default creds here. Let's go see your default creds.

– Right where you are there's a file called Stupid Ones.
– Oh, it's there. Oh, yeah, I see it. Let's see here, let's go back. I'll just less, less stupid-ones-in-production. And let's see here. So there's four. P, you, God, sex and secret. So that's from the movie Hackers. At least I remember God, sex and secret being Hackers.

But…
– People put that in production.
– People are gonna use this, right? This is a production thing, right? So funny kind of thing here. Let me quit out here.
– Sorry Daniel, show us the other one you were gonna show.
– Yeah, I was gonna go on default creds just to look and see what's in default creds. Let's see here, default creds. And which one you got? You got one. We got a MySQL one, we got Oracle databases. Let's do Tomcat.

Better. Tomcat, better default pass. So let's cat, Tomcat
better default passes. So here is not only the passwords but the account that it goes to. And these are default
credentials for various and sundry things that have
to do with Tomcat, right? So, yeah. Admin, admin, right? Add secret, add Tomcat. These don't look to dope. Oh, look at there, password,
because they're defaults. They're meant to be changed
but people don't do that. Therefore, leaving themselves
exposed to someone, if they were running some
sort of cracking mechanism. Obviously this is against log-ins but I can snatch all these passwords out of there and use
it as a dictionary file and say, "Hey, give that a shot." Maybe somebody reused
these passwords, right? So we have the idea of credential stuffing and password reuse, right? We don't wanna be reusing passwords. – Yeah, and the problem is,
you know, we say all this but people still do what
they're not supposed to do.

And that's why it's, you know, hackers can break into these systems. I mean, Facebook, like you
mentioned, got hacked recently. There's been these huge hacks
and people are still using, I mean, your example of the
top 10 passwords for 2021. People are still using
the same old password. – Yeah, and if you wanna
check your password, just to kinda see whether or
not it actually is strong. Well, hey, you can look
forward in one of these files. Like one of the things
I'll do is, if I think… – Come on, use one of your
real passwords, Daniel. – Yeah, that's happening,
that's happening. I'll use a password that I use for, like when I'm teaching that, you know, we'll check it there,
because it's a bit complex. – Your banking password, come on. – Yeah, that's not happening, my man. That's not happening, get real, come on, come on man.

Let's see here. Let's go back. Where are we at here? Let's go to rockyou. So what I'll do is I'll CD into, I guess I gotta go back in one more. It's in wordlists. So I'll just grep for the password. So if I think, you know, is this password, zero zero one in the rockyou list? So I can just grep out, so rockyou. And look, hey, password
zero zero one in capital P is not in the rockyou list. – So that's the password
you're gonna use now. – That's a password you can use. And if someone's using
rockyou, they won't hack it. Or at least the, my version of it. Maybe if you've modified
it or something like that. Now, if I want to just see what about just the word password, right? Or let's take the top 10.

Let's see if it's in there. One, two, three, four,
five, six, oh, yeah. So that's in and not only that, but this is all the variations thereof I can kind of make some changes to this to try to, let's see here, make
it a little start with that, was a dollar sign, end with this. And yes it is in there, right? So if I'm using rockyou and your password which is the number one
password of 2020 is in rockyou, and it is, I'm gonna crack
your password, right? That's just that. Again, I don't use bad passwords. I make good passwords, and I check them against, like rockyou. You can also go to like,
let's open another tab here. You can go to, haveibeenpwned.com and I'm just doing a search for, go to Have I Been Pwned, increase this. And you can check if
your email or your phone has been involved in a data breach. So you put your email address in there, put your phone number in there. And it has, as you can see, it
has 11 billion pwned accounts that it can check and see
if it was part of any kind of data breach or dump.

And you can also go to passwords and check pwned passwords to see if a password has been in there. So you can type your password in. So if our password, I'm gonna use that, the one that wasn't in rockyou, P-A-S-S-W-O-R-D, zero zero one. And check has it been pwned. And oh no, this has been
seen 695 times before, as I'm sure it has, right? And it'll say, hey, you probably wanna take these steps. Step one, protect yourself to generate and have a strong password. They have a service that
does that and able to factor and subscribed to
notifications of other breaches so they offer this as a service. But it's a great website just to check, is my password secure? If it's not, you're gonna
get this, oh, no business. If you see this, you need
to change your password and you need to enable 2FA. If you don't have 2FA capabilities, I don't know what to tell you, you know, try another vendor that does do that. Or complain to the vendor
that you're using and say, "We really need to make
this a part of our security if you wanna keep my
business and honestly, you're just begging for
a breach at this point." So Have I Been Pwned is
always a great way to check to see if a password is weak or strong.

– Would you, can I ask you
some questions, Daniel? – Yeah, go ahead. – Would you, what's your favorite? Is it Hashcat or John the Ripper? – I just, I tend to
use John the Ripper, A, because when I started
learning this stuff, John the Ripper was kind of the standard. And this was back in the late nineties. When I just started, I
was a noob script Kiddie, didn't know much about much. And somebody told me
how to crack passwords. It was John the Ripper that did it, right? There are other great things. Hashcat is a phenomenal, it's objectionably, objectively, I'm not objectionally. But objectively faster and
better at cracking passwords. It's a little clunky and I'm not really great with
the syntax and stuff of it. I could spend more time with
it and get better at it. – It's quite alright.
– Yeah. – It's got some, the way
you gotta check the mode and a couple other things
you gotta work with. I'm bad at that so I tend to
default to John the Ripper and for the most part,
it does a great job.

So, I have… – It allows you to use GPU, does it? – It does allow you to GPU differently than the way that Hashcat does, but it still does allow you to do that. I think you have to choose
one method over the other whereas Hashcat will do
both at the same time. I think if I'm remembering
correctly, that's the thing. But they're not the only
game in town either. There's also like L0phtCrack, where if you pay for it, it's a
phenomenal cracking thing. There's Ophcrack, O-P-H-C-R-A-C-K, Ophcrack. I don't know how you pronounce it, but… – Don't ask me. – Yeah, GUI driven. I might even have it in my
Kali machine here, I mean. Let me look that up real quick. Let's see here, O-P-H. Yeah, Ophcrack. Bam! So it's GUI driven,
works with Rainbow tables. So you download tables,
pre-calculated password hashes.

So instead of having
to do that function of, hey, here's the password, hash
it with the right algorithm then compare, that actually
for, I mean, it seems fast but for the computer,
it's actually really slow. You wanna speed that up exponentially, you use something like a rainbow table, which just has those
pre-calculated hash values and just checks it. If it finds it, hey,
there's your password. It works against Windows. I think it used does Linux and just a couple of other things as well, which you can grab some rainbow
tables from their website and that's all built
into the machine itself.

So you can just check that out. But that's another one but I just tend to run
to John for most things. I work in the terminal almost invariably and it's just an easy, hey
John, blah, blah, blah. Here's a file, go to work, and I'm done. So I tend to use this. – Do you wanna show some
of the options in John? – Yeah, sure let's… – Some of your favorite
options and things. – Let's see here. I'll do John with a dash help. Yeah, here we go. We've got a few options here. Let's see here. So, obviously word lists
is a big one, right? We're gonna throw that quite often.

Dupe suppression, that can be nice. If you put the same
user and a password hash in the file that's looking at, it'll go, oh, we've got multiple
versions and throw that out. It'll only do one of them. Let's see here. Rules is a good one, this
is how you enable your rule. So if you wanna mess around with creating those custom rules, like what we saw with
the graceful security, maybe copying and paste
that into the right area, you give it a nice label, and then you invoke those rules using the dash dash rules equals, and then you give it
the rules name, right? So really good for that.

Let's see here. What is it another, anything
else that I typically use? – What about the like hash types or do you just let John discover that? – Sometimes you run into that. I typically just see if John can do it because why
fiddle around with it? – Let it discover itself, yeah. – But yeah, you do have, here
it is, format, right there. And then you just say force hash type and then you give it to the hash type. If you wanna know what those formats are you've got list formats. So if you do John dash dash list, equals formats. Here are all the different
hashing algorithms that it can crack against,
which is quite extensive. And it's not bad, it's a pretty good list. But like I said before, so like here's mssql and
here's mssql05 or mssql I guess it is, mssql12.

Sometimes that stuff comes into play. And if you know what the
format is, you just do dash. You look it up, make
sure that it supports it, then do dash dash format equals mssql12 and now it's gonna stick to just that. And hopefully that's what
gets you where you're tryna go because that's the right type of hash. If not, then you're moving on. – But it was great that
it just picks it up, yeah. – Yeah. It does a good job. – It makes it easy, yeah.
– Yeah. – Yeah, I've had some, mostly when I have to do
this is when I'm working with like Windows passwords.

It'll go, oh, we've detected this as NTLM,
but maybe it's NTLM V2, maybe, you know, so on and so forth. So you kinda have to get a
little granular there once in a while and tell it, this is the hash I want you to try to use. – Any more options you wanna talk about? – You know for the most part
that's about what I do with it. For what I do and how I work, that's usually all I need. Maybe turning on the GPU functionality with it would give you a little more speed if you have a GPU available. I don't know if it's in the help file. I'm sure it's in the man file. So man, John, and just look for, do search for GPU.

Match, what, is it case sensitive maybe? That's not gonna tell me. I would say that it's in here somewhere, but there's an option. I can't remember it
off the top of my head, of exactly, but it's John
something and it invokes the GPU versioning of it. And just look through, I always tell you, you need to read the user
manuals for these things because there's a lot of
really cool details in there that might be specific. So at least give it a skim,
kind of just look your way through it and go, oh,
that looks interesting. That looks interesting. You don't have to read it word for word, but kind of look for those highlights and that's gonna make you much
more efficient and effective using the tool when you
run into those edge cases, where you have to make some
sort of weird modification to get where you're going.

But for the most part, John's
pretty straightforward. John, word list, file that
I wanna crack against, and bam, I'm done. – Daniel, thanks so much
for sharing your knowledge. Where can people learn
more and say from you, especially like, 'cause you're sharing your knowledge here in like small
portions of your videos, but is there a course that you've created? Where can they learn more? – Yeah. If you wanna see more of this ugly mug then you just check this out over at itpro.tv, we've got all sorts of security courses
starting from Security+. So if you're new to security and you're like where do I begin? Security+ is usually a
really good place to land, less than I go through that. And it's very, in-depth,
it's very comprehensive. So we're gonna give
you a little bit of it, just about everything. And then you can move up into different security certifications, whether you're into blue team or red team, I've got some blue team stuff, some CySA+, I've got CyberSec First
Responder in there as well.

We do things like forensics investigation. I think we work with Adam on
that, such good stuff in there, great courses, CISSP. And if you're on the
red team side of things, you'll see a whole lot more on
me because that's what I do. I have a penetration testing course. We've got CEH, we've got PenTest+ and I also have a hands-on hacking course where we take all those skills that you would learn
and something like that, and we apply it, learn to build a
methodology that's effective for doing something like a
penetration test or working away through a CTF great
supplemental type of information for those of you going through, you know, securities EGPT or ECPPT or offensive securities
OFCCP, that type of thing. – Daniel, thanks so much for your time. I really appreciate it man. – Hey, thanks for having me on David. You know, I enjoy it
and anytime you want me, just gotta holla.

(upbeat music).
