1
00:00:00,710 --> 00:00:08,620
Let's now see the usage of rainbow tables in practice. We'll show how easy it is to crack NT passwords

2
00:00:08,620 --> 00:00:11,430
using the tables.

3
00:00:11,510 --> 00:00:16,250
Then we'll also take a look at the risks related to a Windows user connecting to a different system.

4
00:00:19,230 --> 00:00:24,280
We'll intercept NT LAN Manager credentials and recover an NTLM password out of them.

5
00:00:27,230 --> 00:00:31,330
We'll use this password to extract the user's original password.

6
00:00:31,380 --> 00:00:33,040
We'll start with an offline attack.

7
00:00:36,070 --> 00:00:39,060
We'll turn on an operating system, but in a different way.

8
00:00:41,130 --> 00:00:49,470
The original system will not start up. Instead, the popular Ophcrack application will run automatically.

9
00:00:49,510 --> 00:00:54,490
The program is available in a live CD version and an installation version we'll look at later.

10
00:00:59,400 --> 00:01:01,650
This program is fully automatic.

11
00:01:01,830 --> 00:01:05,770
You only need to launch a disk with the software to obtain a user's password.

12
00:01:08,590 --> 00:01:11,570
You can run the program and then have a coffee or tea break.

13
00:01:13,300 --> 00:01:17,740
When you return to your workstation, you should be able to see cracked passwords on the screen.

14
00:01:22,670 --> 00:01:27,360
Windows XP will be the attacked system, as you know from previous modules.

15
00:01:27,440 --> 00:01:32,930
The default Windows XP configuration stores both LAN Manager and NT LAN Manager passwords.

16
00:01:46,520 --> 00:01:51,520
We have access to the SAM file since Windows is not booted.

17
00:01:51,570 --> 00:01:55,440
It doesn't protect the file.
18
00:01:55,500 --> 00:02:00,750
We also have access to the security and system files, which means that it's now possible to decrypt the

19
00:02:00,750 --> 00:02:08,250
SAM. The attacked computer's user has not used the Syskey tool and hasn't moved the key to an external

20
00:02:08,250 --> 00:02:09,230
location.

21
00:02:11,640 --> 00:02:20,550
This means that we can access the LAN Manager and NT LAN Manager hashes, LM and Unicode passwords. As

22
00:02:20,550 --> 00:02:24,900
you know, LM passwords are converted to uppercase and split into two halves.

23
00:02:27,300 --> 00:02:34,240
As you can see, the program cracks both halves at the same time. One password has already been determined.

24
00:02:36,040 --> 00:02:40,510
The first half was "runes", the other was blank.

25
00:02:40,570 --> 00:02:45,490
We also cracked two letters from the second half of another password, but we don't have the first half

26
00:02:45,490 --> 00:02:45,920
yet.

27
00:02:47,110 --> 00:02:55,940
Here are the cracked LM passwords. In this column you can see the results of reversing NT functions. Since NT

28
00:02:55,940 --> 00:03:00,450
passwords are case sensitive, the cracked passwords are also case sensitive.

29
00:03:02,680 --> 00:03:07,640
The determined passwords are so simple that they're probably contained in a dictionary or a permutation

30
00:03:07,640 --> 00:03:08,330
list.

31
00:03:09,880 --> 00:03:15,500
We are using rainbow tables; however, this will be easier to see when we launch the program again in

32
00:03:15,500 --> 00:03:18,630
an installed version.

33
00:03:18,640 --> 00:03:20,840
What are the drawbacks of this approach?

34
00:03:22,750 --> 00:03:29,260
The method seems effective, since after two minutes we've managed to find 913 passwords.

35
00:03:29,340 --> 00:03:31,620
What if this workstation belonged to somebody else?

36
00:03:31,680 --> 00:03:34,990
Two minutes would seem like a lifetime.
37
00:03:35,120 --> 00:03:45,530
Let's leave the attack at the current state. We'll run Ophcrack again, but this time not from a live CD.

38
00:03:45,640 --> 00:03:52,410
We switched to Windows 7. Ophcrack is already installed in the system.

39
00:03:52,500 --> 00:03:57,480
It will look similar, but it will be more noticeable here that we are using rainbow tables.

40
00:03:59,510 --> 00:04:05,450
We'll use the XP free fast tables that are available for free on the Ophcrack website.

41
00:04:05,650 --> 00:04:11,030
You can easily download and install them. If you'd like to install other tables,

42
00:04:11,880 --> 00:04:18,770
they unfortunately have to be paid for. As a small digression, I'd mention that most rainbow tables shared

43
00:04:18,770 --> 00:04:24,950
on the internet don't include many diacritics. If a password contains a diacritical mark that is not

44
00:04:24,950 --> 00:04:27,020
found in the table you use,

45
00:04:27,260 --> 00:04:35,600
you won't be able to crack it using this table. We should now indicate the location of the SAM.

46
00:04:35,640 --> 00:04:39,560
The file can be extracted from a computer that stores passwords we want to crack.

47
00:04:42,570 --> 00:04:47,640
Under C:\Windows\System32\config

48
00:04:47,770 --> 00:04:50,440
you can find the three files that were mentioned before:

49
00:04:52,750 --> 00:04:58,120
SAM, security and system.

50
00:04:58,210 --> 00:05:06,550
If you try to copy the SAM, it can't be done. The file can't be deleted or edited either.

51
00:05:09,040 --> 00:05:14,680
The file is locked, and these operations are exclusive to the Windows security system, only the Security

52
00:05:14,680 --> 00:05:20,540
Account Manager, SAM, itself.

53
00:05:20,780 --> 00:05:26,800
If we'd like to see what blocks it, we should use Process Monitor to do this.
54
00:05:26,840 --> 00:05:33,080
So how can you access the SAM to copy it to your multiprocessor, RAM-heavy PC to make cracking passwords

55
00:05:33,080 --> 00:05:34,220
faster?

56
00:05:36,290 --> 00:05:43,050
You need to launch the victim's computer under a different system. Then you can copy the three files and

57
00:05:43,050 --> 00:05:47,030
indicate their paths in the program.

58
00:05:47,030 --> 00:05:53,820
You can also crack single passwords in Ophcrack. Here's a little window where you provide the password

59
00:05:53,820 --> 00:05:55,580
in the pwdump format.

60
00:05:57,530 --> 00:06:05,220
pwdump is a popular utility used to dump passwords from memory. pwdump can be run under an account that

61
00:06:05,240 --> 00:06:07,100
has debugging permissions,

62
00:06:07,290 --> 00:06:14,380
for example an administrative account. Selecting the local SAM with the pwdump6 option launches

63
00:06:14,380 --> 00:06:17,880
the program.

64
00:06:18,130 --> 00:06:23,290
After a while, Ophcrack will display system users and the passwords in the NT version,

65
00:06:23,290 --> 00:06:28,150
not in the LM, since this was Windows 7.

66
00:06:28,380 --> 00:06:32,730
We said before that it's extremely difficult to crack an NT hash if it's secure.

67
00:06:34,790 --> 00:06:42,680
pwdump saves the data that was accessed by a DLL injection into the SAM manager to a txt file.

68
00:06:42,780 --> 00:06:45,290
The text file has the format you can see below.

69
00:06:47,260 --> 00:06:54,470
For the purposes of this presentation, the file has been prepared earlier. This cryptographic resource

70
00:06:54,470 --> 00:06:57,520
can be harvested by a person who breaks into a server.

71
00:06:57,830 --> 00:07:05,140
The file names users and their NT and LAN Manager passwords. You can copy the user's data and paste

72
00:07:05,140 --> 00:07:06,210
it into Ophcrack.

73
00:07:14,100 --> 00:07:20,110
The selected user's password is apparently shorter than 7 characters.
74
00:07:20,130 --> 00:07:27,280
We know this because the second part of the LAN Manager password is padded with spaces.

75
00:07:27,320 --> 00:07:36,140
Let's try to crack the password. Rainbow tables are now loaded into memory. After they're completely loaded,

76
00:07:36,200 --> 00:07:41,990
the cracking will begin.

77
00:07:42,020 --> 00:07:47,760
It turns out that the password of the admin3 user is the string "pass".

78
00:07:47,890 --> 00:07:51,990
You already know why the LM password is in upper case.

79
00:07:52,030 --> 00:07:58,470
You can also see that the user Bob has no password set. The password for the user

80
00:07:58,470 --> 00:08:02,250
Alice, on the other hand, has not been cracked.

81
00:08:02,330 --> 00:08:06,280
The rainbow table we used did not contain the string that was Alice's password.

82
00:08:11,130 --> 00:08:14,230
We'll log into Windows XP.

83
00:08:14,310 --> 00:08:17,600
The system is needed for the last presentation in this module.

84
00:08:19,990 --> 00:08:26,790
Even though our passwords, even empty ones or LM passwords, are not sent over a network in plaintext,

85
00:08:26,830 --> 00:08:31,320
we can use Cain & Abel, a tool we used before, to sniff them out.

86
00:08:32,130 --> 00:08:36,210
This time the tool will not poison ARP caches but simply listen in.

87
00:08:45,480 --> 00:08:53,210
Here are the results of the previous listening session. As you can see, Cecil and admin are the users that

88
00:08:53,210 --> 00:08:54,370
connected to us,

89
00:08:55,510 --> 00:09:00,700
or whose NTLM sessions we have intercepted.

90
00:09:00,870 --> 00:09:06,390
Let's try to connect to an attacker's computer in Windows XP.

91
00:09:06,410 --> 00:09:12,780
We don't have any ulterior motive; we simply want to see what the computer is sharing.

92
00:09:12,950 --> 00:09:16,580
We don't want to download files or run applications on that PC.

93
00:09:18,370 --> 00:09:23,590
We only want to connect to it. If you type in net view
94
00:09:23,610 --> 00:09:27,880
LSPC in the command line interface, the result would be the same.

95
00:09:31,760 --> 00:09:38,330
We can't connect to LSPC. A window pops up where we can enter a different login and then a different

96
00:09:38,330 --> 00:09:39,020
password.

97
00:09:43,960 --> 00:09:45,700
Coming back to the attacker's computer,

98
00:09:45,700 --> 00:09:47,510
let's see if there are any changes.

99
00:09:49,600 --> 00:09:57,380
IT super admin is another user, next to Cecil and IT admin, that appears in Cain & Abel. As you can

100
00:09:57,380 --> 00:10:05,790
see, the user attempted to authenticate using a secure version of the NTLM protocol, session security.

101
00:10:05,830 --> 00:10:13,540
We know the user's LM and NT hashes and also the challenge and response messages. As you can see, the

102
00:10:13,540 --> 00:10:17,250
LM messages contain only nulls.

103
00:10:17,260 --> 00:10:21,830
This means that this is the second version of the protocol.

104
00:10:21,880 --> 00:10:30,790
If there is no domain, you cannot authenticate in a more secure way. You can also select Cecil, admin

105
00:10:31,000 --> 00:10:37,060
and IT super admin and send them to a cracker.

106
00:10:37,260 --> 00:10:42,600
Cain & Abel features a cryptanalysis attack option that uses a rainbow table, just like before.

107
00:10:44,450 --> 00:10:46,760
We don't want to repeat the same attacks over and over.

108
00:10:46,760 --> 00:10:53,810
So now we'll try a brute force attack on the NTLM session security hashes.

109
00:10:53,890 --> 00:10:56,410
You can see only one security hash,

110
00:10:56,500 --> 00:10:59,170
probably the newest one.

111
00:10:59,260 --> 00:11:01,880
We don't know how the earlier ones were intercepted.

112
00:11:03,530 --> 00:11:05,370
The attack begins by clicking Start.

113
00:11:09,390 --> 00:11:12,910
The cracked password belongs to the user Cecil.

114
00:11:12,940 --> 00:11:15,600
It turns out that the user has a blank password.
115
00:11:16,770 --> 00:11:18,310
Things get interesting now.

116
00:11:19,290 --> 00:11:25,820
Paradoxically, the fact that Cecil has an empty password is what rescues the user.

117
00:11:25,890 --> 00:11:33,820
You can't connect to a computer as Cecil now. Windows disables remote authentication using blank passwords.

118
00:11:35,360 --> 00:11:40,100
Microsoft implemented this solution a while back because many administrative accounts were blank by

119
00:11:40,100 --> 00:11:40,940
default.

120
00:11:42,530 --> 00:11:48,910
Up till recently, Windows created administrative accounts with no passwords during installation.

121
00:11:48,930 --> 00:11:55,950
It turns out that a blank password can be more secure than a lazy or simple password, for example

122
00:11:56,060 --> 00:11:56,570
toor1.

123
00:12:00,760 --> 00:12:04,820
This password was brute-forced during this short talk,

124
00:12:04,820 --> 00:12:12,200
in about 30 seconds. IT super admin only tried to see what we shared.

125
00:12:12,220 --> 00:12:16,460
This was enough, however, to sniff out the user's password.

126
00:12:16,540 --> 00:12:18,040
We didn't need anything else.