Mano ‘dash4rk’ Paul October 11, 2013 Seek and Ye shall Find - Password and Providence


whois
[Querying whois.org]
Name: manoranjan paul > mano paul > @manopaul

[IDENTITY]
Primary: Follower of Jesus Christ (Christian)
DOB: 09/30-1990

[TECHNICAL]
Advisor: Software Assurance
Book: The 7 Qualities of Highly Secure Software; Official (ISC)2 Guide to CSSLP
CEO: SecuRisk Solutions

[OTHER]
Researcher: Shark Biology (dash4rk)
Credz: CSSLP, CISSP, MCSD, MCAD, CompTIA Network+, ECSA

Record created on 03-03-19..
Record expires on tbd
Database last updated on 10-11-2013

www.hackformers.org

wen u c me, tweet #/@HackFormers


Agenda

• Teach Security
• Teach Christ
• Teach Security In Christ


What is the topic/series about?

• Seek and Ye shall Find
  – Passwords (Teach Security)
  – Providence (Teach Christ)
• Part of the Kali OS series
  – Pentesting processes from r3c0n to r00t
  – Intro to security tools in the Kali Linux OS
    • Password Attack Tools


Seek and Ye shall Find -- passwords --

Teach Security


What is a password?

• A credential/claim
• Used in combination with a username
• For validation of an identity – Authentication
• Used to gain admission/access


I AM that I AM

• Authentication
  – Something you know
    • Passwords, PINs
  – Something you have
    • Badges, Certs, Fobs
  – Something you are
    • Biometrics

In scope for this talk!


Cracking

• Discovering
• Can it be legit?
  – Attest password policy
  – Attest password strength
  – Determine if the passwords are cryptographically protected
    • Hashed
    • Encrypted

To crack for the right reasons is being wise; To crack for the wrong reasons is being a wisecracker!
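An added example, not part of the original slides, of the last legitimate check listed above: deciding from the stored format whether each password in a credential store is cryptographically protected. The `user:stored_value` record layout, the `classify` and `audit` helpers and the sample entries are assumptions made for illustration.

```python
import re

# Modular Crypt Format ids -> (scheme, salted-and-tunable-cost?)
MCF = {
    "1": ("md5crypt", False),      # salted, but fixed low cost; retired by its author
    "5": ("sha256crypt", True),
    "6": ("sha512crypt", True),
    "2a": ("bcrypt", True), "2b": ("bcrypt", True), "2y": ("bcrypt", True),
    "y": ("yescrypt", True),
    "argon2i": ("argon2", True), "argon2id": ("argon2", True),
}
# Bare hex strings of digest length: almost certainly a fast, unsalted hash.
RAW_HEX = {32: "unsalted 128-bit digest", 40: "unsalted 160-bit digest",
           64: "unsalted 256-bit digest"}

def classify(stored):
    """Return (scheme, ok) for one stored credential value."""
    if stored in ("*", "!", "!!"):          # locked account, no usable password
        return ("locked", True)
    m = re.match(r"\$([a-z0-9]+)\$", stored)
    if m:
        return MCF.get(m.group(1), ("unknown-mcf:" + m.group(1), False))
    if re.fullmatch(r"[0-9a-fA-F]+", stored) and len(stored) in RAW_HEX:
        return (RAW_HEX[len(stored)], False)
    # Anything else is readable text or a reversible encoding; format alone
    # cannot tell encrypted from plaintext, so it needs manual review.
    return ("plaintext-or-unknown", False)

def audit(records):
    """Return [(user, scheme)] for every record that fails the check."""
    findings = []
    for line in records:
        user, _, stored = line.strip().partition(":")
        scheme, ok = classify(stored)
        if not ok:
            findings.append((user, scheme))
    return findings

# Constructed sample store (placeholder salts and digests, not real hashes).
SAMPLE = [
    "alice:$6$examplesalt$" + "A" * 86,
    "bob:0123456789abcdef0123456789abcdef",
    "carol:Summer2013!",
    "dave:$1$examples$" + "B" * 22,
    "erin:$2b$12$" + "C" * 53,
    "svc:*",
]

if __name__ == "__main__":
    for user, scheme in audit(SAMPLE):
        print(f"{user}: {scheme}")
```

The hex-length rule is a heuristic: a plaintext password that happens to be 32, 40 or 64 hex characters would be reported as an unsalted digest, which is still a finding worth reviewing.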


wisecracker


A note about ‘strong’ passwords

• Characteristics
  – Particular length
  – Alpha
  – Numeric
  – Mixed Case
  – Special Characters
• Change
  – Periodically changed

So is your password ‘strong’ enough?


Strong but psychologically acceptable

• Make it too complex
  – Users seek to find a way around it
• Make it too simple
  – Hackers seek to find it and often do
• Is your password
  – Strong?
  – Psychologically acceptable?


Tools, Tools, and more Tools


Humans – The weakest link

• Why hack when you can just ask
  – Ask and you shall receive (Matthew 7:7)
• Social Engineering (Toolkit)
  – Credential Harvesting
• You are the weakest link, Goodbye!
  – Anne Robinson, Gameshow Host
• You are the weakest link, Hacked Guy!
  – Mano Paul, HackFormers Host


Password Attack Tools


john (the ripper) without wordlists


john (the ripper) with wordlist


johnny


Seeking Wordlists!

• Download existing wordlists
  – http://packetstormsecurity.com/Crackers/wordlists/ (free)
  – http://www.outpost9.com/files/WordLists.html (free)
  – http://www.openwall.com/wordlists/ (paid ~$30)
• Create your own i.e., Crunch It


mimikatz

• Tool to grab Windows passwords from memory
• Benjamin Delpy (@gentilkiwi) oui oui
• How to?
  – Upload libraries and run commands [VirusTotal flags it]
  – Meterpreter Extension


Disclaimer

• Do NOT hack to crack unless you are authorized to …
• Demo – Seek and Ye shall Find


Demo < Seek and Ye shall Find

• 1. Social Engineering Toolkit
  – Credential Harvesting attack
• 2. Meterpreter
  – Migrate to winlogon process
  – Keylog
• 3. Meterpreter
  – Get password hashes (hashdump)
  – Crack (john without/with wordlists)
• 4. Mimikatz


Seek and Ye shall Find -- Providence --

Teach Christ


Humans – The weakest link

• Humans are frail, made from the dust of the earth – the weak link
• The devil tries to social engineer us to death
• We need to ask, for it is written
  7 Ask, and it shall be given you; seek, and ye shall find; knock, and it shall be opened unto you:
  – Matthew 7:7-11
• Ask and ye shall receive > But who do you ask for?


Who do you say I AM? - Jesus’ Question

• God said
  – I AM that I AM
  – I AM the God of your fathers (Abraham, Isaac and Jacob)
• Jesus said
  – Before Abraham was, I AM
  ⇒ Jesus is God (Providence) i.e., God’s provision for our Salvation … without Jesus, no one can be granted access to God … no other way!
• Jesus said > I AM
  – The bread of life
  – From above
  – I am the true vine
  – The Light of the world
  – The door
  – The good shepherd
  – The Son of God
  – The Resurrection and the life
  – The way, the truth, and the life


Who is Jesus Christ? - HackFormers Style

• Jesus is
  – The credential/claim
  – To be used in combination with your name
  – For validation of your identity
    • Authentication
  – Needed to gain admission/access
• Jesus is THE PASSWORD to all the questions of life – He is strong and psychologically acceptable, never changes, and UNCRACKABLE


If you seek Jesus, you will find him

• 7 Ask, and it shall be given you; seek, and ye shall find; knock, and it shall be opened unto you: 8 For every one that asketh receiveth; and he that seeketh findeth; and to him that knocketh it shall be opened.
  – Matthew 7:7-8
• 13 And ye shall seek me, and find me, when ye shall search for me with all your heart. 14 And I will be found of you, saith the Lord:
  – Jeremiah 29:13-14a


If you seek Jesus, you will find him

• 6 Seek ye the Lord while he may be found, call ye upon him while he is near: 7 Let the wicked forsake his way, and the unrighteous man his thoughts: and let him return unto the Lord, and he will have mercy upon him; and to our God, for he will abundantly pardon.
  – Isaiah 55:6-7


Points to Ponder

Teach Security In Christ


Discussion Points

• You need to know the password to get access to a privileged resource
• You need to know Jesus (THE password) to get access to God
  – And this is life eternal, that they might know thee the only true God, and Jesus Christ, whom thou hast sent.
    • John 17:3
  – Know him NOT JUST as a cool guy, but as Savior and Lord!
• Is Jesus your password? ********
  – Is he your Savior and Lord i.e., Have you believed or do you still doubt?
• Seek Jesus while he may still be found!

All who call on the name of the Lord Jesus Christ shall be saved (Joel 2:32)

[i.e., all who know Jesus Christ as their password shall be granted access to the presence of God to live eternally]


Closing Thoughts

try {
    if (uLikedThisPresentationAndMtg) {
        subscribeViaEmail();
        followAndTweet(); // @hackformers
        getLinkedIn();
        emailUs(); // [email protected]
    } else {
        giveFeedback(); // [email protected]
    }
} catch(Temptations t) {
    Seek(God’sProvidence > JesusChrist);
} finally {
    ThankUandGodBless();
}