1 00:00:00,900 --> 00:00:09,000 Password policy problems. You know, passwords are the key elements of an authentication system, right? They are
2 00:00:09,000 --> 00:00:15,240 like the keys to open a door, so the application should have a strong password policy.
3 00:00:16,050 --> 00:00:17,300 But you do have to be careful.
4 00:00:17,340 --> 00:00:21,720 I don't mean just password complexity with the word policy.
5 00:00:23,220 --> 00:00:26,040 Password policy is way more comprehensive.
6 00:00:26,880 --> 00:00:30,390 The complexity is just a property of this policy.
7 00:00:31,610 --> 00:00:37,670 So a password policy sets how to transport and store passwords as well.
8 00:00:38,620 --> 00:00:44,770 All right, so here as pentesters, we've got to figure out three things: password complexity rules,
9 00:00:45,960 --> 00:00:47,730 password transmission rules,
10 00:00:48,730 --> 00:00:55,900 and password storage rules. So the last thing is basically how the passwords are stored on the back
11 00:00:55,900 --> 00:00:56,160 end.
12 00:00:57,250 --> 00:01:07,150 So it's not directly a pentest item, but passwords should be salted and encrypted and then stored.
13 00:01:07,600 --> 00:01:16,390 See my meaning? Because even if you cannot bypass the login mechanism, you can reach the database
14 00:01:16,390 --> 00:01:20,950 over an SQL injection, and if passwords are not stored properly,
15 00:01:21,830 --> 00:01:22,870 they're going to be dumped.
16 00:01:24,460 --> 00:01:27,650 But we're going to talk about password complexity and transmission.
17 00:01:27,760 --> 00:01:35,380 So the first thing that we should check is to see if the target has a policy or not, because this is
18 00:01:35,380 --> 00:01:39,080 going to shape how to attack the login mechanism of the application.
19 00:01:39,940 --> 00:01:45,670 So if the target has password complexity rules, we should generate the dictionary based on these rules.
20 00:01:47,530 --> 00:01:55,000 So now go to Kali and open up your terminal, and we're going to use crunch to generate a password
21 00:01:55,000 --> 00:01:55,420 list.
22 00:01:56,990 --> 00:02:01,040 And the simple usage of the help screen is printed.
23 00:02:02,000 --> 00:02:08,150 So crunch can create a wordlist based on, well, criteria that you specify. For example, if you type
24 00:02:08,150 --> 00:02:11,020 crunch 4 4 aB1,
25 00:02:12,430 --> 00:02:19,870 it will print four-character words to the screen by using a, uppercase B, 1 and.
26 00:02:22,750 --> 00:02:25,480 So now let's have a look at the man page of crunch.
27 00:02:27,570 --> 00:02:34,080 Crunch has a well-planned man page with examples; scroll down to see some example uses.
28 00:02:35,750 --> 00:02:37,010 And you can quit from here.
29 00:02:38,820 --> 00:02:41,160 So let's use some options.
30 00:02:42,370 --> 00:02:49,000 So it generates wordlists based on a character set, and you need to provide crunch a charset to
31 00:02:49,000 --> 00:02:49,420 start.
32 00:02:50,640 --> 00:02:57,030 So thankfully, it has its prepared list in this directory already, and then you can choose one of
33 00:02:57,030 --> 00:02:58,290 them or add a new one.
34 00:02:58,320 --> 00:02:58,770 If you want.
35 00:03:00,190 --> 00:03:11,750 OK, type crunch 8 8 /usr/share/crunch/charset.lst lalpha
36 00:03:11,770 --> 00:03:13,750 and hit enter.
37 00:03:14,770 --> 00:03:18,910 So it's going to produce a long output, but I'm going to stop it here.
38 00:03:21,070 --> 00:03:23,470 And now I'm going to provide my custom charset.
39 00:03:26,590 --> 00:03:28,850 So it's a long output and I'll stop it here.
40 00:03:29,710 --> 00:03:30,910 OK, so let's have a look.
41 00:03:30,940 --> 00:03:35,410 As you can see, the output contains only the characters in my set.
42 00:03:36,750 --> 00:03:39,570 So then you may want to add some special characters like
43 00:03:40,750 --> 00:03:42,640 double quotes or spaces.
44 00:03:43,820 --> 00:03:46,790 And it will cause an error like this if you do that.
45 00:03:47,750 --> 00:03:50,060 So you're going to need to escape like this.
46 00:03:51,840 --> 00:03:55,500 Or you need to put your set in between double quotes.
47 00:03:58,940 --> 00:04:02,630 So also, I'm going to add a space like this.
48 00:04:03,730 --> 00:04:06,310 And the output is very long, so I'm going to stop it here.
49 00:04:07,540 --> 00:04:11,770 So you can see that crunch is a very powerful command-line wordlist generator.
50 00:04:12,820 --> 00:04:14,530 So it helps us to play with characters.
51 00:04:16,090 --> 00:04:17,470 So by typing this line,
52 00:04:24,140 --> 00:04:28,010 the -t parameter will produce a special output.
53 00:04:29,700 --> 00:04:35,130 And the first two characters will be lowercase, the next two characters will be uppercase, the next
54 00:04:35,130 --> 00:04:39,480 two will be numbers, the last two will be special symbols.
55 00:04:41,400 --> 00:04:46,100 Now, the order in which you specify the characters you want is important.
56 00:04:47,480 --> 00:04:53,930 So it means that you need to specify your charsets' order as lowercase character, uppercase character,
57 00:04:54,260 --> 00:04:56,120 number and then symbol.
58 00:04:57,180 --> 00:05:03,150 Now, if you aren't going to use a particular charset, you must use a plus sign as a placeholder.
59 00:05:04,620 --> 00:05:10,890 So let me just add a plus sign instead of C, D and change it here to lowercase.
60 00:05:12,990 --> 00:05:19,650 So if I use a placeholder for uppercase letters, then I will use all uppercase letters in the English
61 00:05:19,650 --> 00:05:20,340 alphabet.
62 00:05:21,060 --> 00:05:25,710 OK, so we can also limit the number of duplicate characters.
63 00:05:28,060 --> 00:05:32,290 To do that, you just use the -d parameter to add a limit.
64 00:05:33,470 --> 00:05:37,190 And this will limit duplicate lowercase letters to one,
65 00:05:38,970 --> 00:05:42,000 which means a letter will not be present after the same letter.
66 00:05:43,730 --> 00:05:48,590 Also, we can expand this to uppercase letters as well, numbers and symbols too.
67 00:05:51,530 --> 00:05:55,760 So crunch can also print the list after a specific word.
68 00:05:56,920 --> 00:06:09,220 So using the -s parameter with a word "abdc12", it will trim words before "abdc12".
69 00:06:10,370 --> 00:06:15,710 And using the -e parameter, we can trim the output from the end like that.
70 00:06:20,020 --> 00:06:23,950 Then the output from crunch can be sent to the screen, a file or to another program.
71 00:06:25,700 --> 00:06:27,380 Now, using the -o parameter,
72 00:06:28,780 --> 00:06:32,860 we can then save the output to a file called WORDLIST.
73 00:06:34,580 --> 00:06:37,220 And I'll show you the generated output.
74 00:06:39,100 --> 00:06:46,090 OK, so besides having a good password policy, the application can still have authentication issues.
75 00:06:47,100 --> 00:06:50,550 One of them is default and weak credentials.
76 00:06:51,890 --> 00:06:58,670 And it's very common to see these values in pre-configured application platforms, hardware, web interfaces
77 00:06:58,970 --> 00:07:00,830 and in Internet environments.
78 00:07:02,870 --> 00:07:08,090 Just for the sake of usability, they all come with default usernames or sometimes default passwords,
79 00:07:08,450 --> 00:07:09,260 or both.
80 00:07:10,760 --> 00:07:17,390 And generally, companies have a standard structure of email addresses or any other text to use to define
81 00:07:17,390 --> 00:07:18,430 a user ID.
82 00:07:19,670 --> 00:07:25,730 So what this does is it helps us to predict username values and even passwords.
83 00:07:26,950 --> 00:07:31,030 So what I'm saying is don't even hesitate to use the default values while testing.