Password Cracking ‘Pass The Hash’ style

One of the most time-consuming tasks a penetration tester has to face is password attacks. Traditional password attacks involve password guessing, password cracking or a combination of both. While the first can take anything from days to months, the latter can take from hours to days, depending on the quality of the password dictionary and the available CPU power, among other factors. Tools that make use of Rainbow Tables, like Ophcrack, have significantly reduced those times to hours or even minutes, especially for systems that use weak password schemes like LM or NTLMv1.

All of the above describes how the password attack picture looked before a new technique, called ‘Pass-The-Hash’, made its way into the hacking scene. Although one might think this technique is quite new, it was actually back in 1997 that Paul Ashton posted on Bugtraq a Windows exploit named “NT Pass the Hash”, along with the theory on which the exploit was based. This Unix-based tool implemented a modified version of an SMB client that allowed the use of captured LanMan hashes, without having to decrypt them first. However, it wasn’t until last year that Core Security finally took this concept to the next level and produced a much more powerful tool called ‘Pass-The-Hash Toolkit’, which now runs on Windows and works with NTLM hashes. Let’s see how this technique works in more detail.


When chocolate becomes a security threat

Whilst some researchers point out that chocolate may provide health benefits that include decreasing the risk factors for certain heart-related diseases, further research indicates that it can also become a security threat, especially when women are around!

I know it sounds funny, but so claims the latest survey, conducted by Infosecurity Europe among 576 office workers in London. According to that research, women are four times more likely than men to give out their passwords in exchange for a chocolate bar (45% of women compared to 10% of men).
