
I learned the hard way; you don't have to. Let's crack some passwords. So, the elevator pitch: this talk is for all of you to be able to learn this here and then go back to your organizations and do it. I saw way too much blue-team stuff where it didn't give me everything I needed to know to actually be able to do an audit. You find tools and they say, "This is how you dump the hashes off the domain controller, here's the tool used to decrypt them, and then use hashcat to crack it, and then, oh, here's the beautiful report we generate." Okay, that's fine. The hard part was the cracking. That was the hard part.
That's the thing I actually need a lot of knowledge about.
Who am I? Benjamin Theis. I nerd pretty hard at home. I'm a recovering distro hopper; I've used just about everything. I haven't technically used Gentoo, but I count Sabayon. My other gaming rig is the Raspberry Pi. I brought the Raspberry Pi to the hotel room; I was very excited to see that I could actually plug it into the TV, and then I grabbed into my bag and found I forgot a controller. Really, really sad. At work I am a full-stack, full-scope defender for one branch of a company. I am a little weird in that I am wearing every hat for an entire security program, but at a small enough scale where it's
kind of doable for a single person. Kind of. Um, I also have really been enjoying doing hunting recently. I'm also the internal red team, so does that make me a one-person purple team? Maybe. Um, my approach to defense, just very, very briefly: we as defenders have the home-field advantage. Why aren't we using it? I'm very, very Home Alone about this. Somebody else is gonna come into my environment, and that's where the battle is gonna be fought. Let me change the environment to my advantage there. Why do we care? The other thing about me being kind of full scope is, yes, the lion's share of this talk is going to be technical, but it's gonna be in the context of your
strategy for achieving a goal, and we're gonna talk about what that goal is. Our goal is to frustrate attackers. It is to take things away from them. It is to lengthen the amount of time it takes to complete certain attacks. You make it take longer, that's more time for us to respond, shut things down, a better chance I actually do shut it down before they reach their end goal. Early on in the attacker's lifecycle, initial access: password spraying. If you have anything connected to Active Directory that is available outside from the internet, like Outlook Web App, anything Exchange related, they can password spray. Do a little research, get a list of usernames, and guess the same
weak password. Right now it would be Fall2019! Bang that against every account they've identified; they just need one. Dump the global address list, they now have every username in your entire org. Do a second password spray against all of them. You can start pillaging through email looking for VPN credentials, certain certificates, all that stuff. If you find VPN certs, boom, you're in. The fact of your password policy, the fact that you let somebody in your org have Fall2019! as a password, just got attackers from outside of your org to in. Once you're inside, there are lots of ways for attackers to do lateral movement and things. A lot of them don't require them cracking anything, but if the
attacker can crack things, that means they get to do it stealthier. You're gonna be setting off more alarms if you just do pass-the-hash than if you crack that hash and use the legitimate credentials over a legitimate protocol. So we're not completely cutting down lateral movement, but we can make it harder, take away the thing they would rather be doing. Um, as well as, like, Kerberoasting is a thing you can do. It's part of the protocol; there's no way you can patch it out. But what they're doing is asking for a hash for a service account; before they can use that, they have to crack it. By auditing, we're going to make sure we don't have any
super-duper weak service accounts in our environment. Collection: what if what the attacker's after is behind a web login portal? It is backed by AD, but they can't directly, like, pass the hash into that thing. Then they need to crack the credentials there. Depending on what your crown jewels are, depending on what the attacker's after, they may need to crack a credential to get in. And there are also a few possibilities for exfil. You're really locked down, you don't have too many things you're letting out; you're probably letting your own stuff out, so like Exchange. They can use that valid credential, just shove stuff into drafts, use those credentials to log in, pull it out. At that point you've seen the same
type of traffic from your legitimate server with a legitimate account. That's pretty sneaky. And then also, if you have cloud stuff flowed through, you may or may not, but if you do: hey, I've cracked this credential, I see that this organization is using Dropbox for whatever, let me see if any of these people are using the same username and that same password in Dropbox. Look, they are. Now it's traffic you've explicitly allowed through with an account from your organization. So these are other things we would like attackers to not be doing. How do we do that? So now we know why we would care about password security; how are we gonna improve it? There are four
main areas I've identified that people use to do this. Some people focus on one; I'm gonna say probably most of them are worth your time to look at. First thing is training and tools. The next one is just changing your policy; this is really important. Auditing is gonna be most of what we're talking about. And then password filtering is the newer technique to show up. Training and tools: ultimately, when it comes to your users, password security is about changing their behavior. You want them to pick strong passwords. To change somebody's behavior you need three things: they need to know their behavior needs to change, they need to have the knowledge required to change that behavior and do the new behavior, you
need to have the tools as well (tools will also make that easier), and they need to have the motivation to do it. Motivation is hard. Letting them know that it's their job to have good passwords, that's straightforward: include it in your employee onboarding. "We care about security here. You are required to have a secure password. These are our policies. You're required to do this." Training them is just your yearly training. Have an onboarding training you need to do so that they know how to make strong passwords, they know your recommended method for generating them. You give them tools to help generate it, and you give them a password vault installed by default on their workstation, and new
users can be using that. That one's important because it does affect motivation, not directly but indirectly. Eventually they will figure out that since they have a password vault, that means they only need to remember two passwords: one to log into the machine and one to unlock the vault. All of the other passwords they store in the vault are now gonna be super secure because they don't have to remember them; they can just keep them in the vault. You just won as far as all of those passwords are concerned. And no longer having passwords under sticky notes, no longer having, like, you all know that one spreadsheet in your organization that's all of the accounts and all of the
passwords for them. You know where it is, you know which team is using it; it might be yours. Put it in a password vault. Fix that; that makes less cleartext credentials for attackers to pillage. By pulling down the level of effort below people's motivation, you change their behavior. So I can't force somebody to be motivated, but I can make it easier for them to do the right thing, to do the secure thing I want them to do.
Policies. This is one of the biggest screw-ups in terms of security. If you are using an 8-character minimum with a bunch of complexity and 90-day rotation, you are in the worst-case scenario, because absolutely no part of that is securing you, and part of it is grinding down your users to the point where they have no energy left to make a good password. 8 characters is crackable in minutes on a pro rig. If we're not talking a pro rig, I'm gonna show you how to get through a majority of them in six days on a hundred and fifty dollar GPU. So we need to push longer. If we're talking a pro rig, anything shorter than 12 is a
no-go right now and is crackable in, I think, weeks. 11 is gonna take a few years, but that's gonna change next year when the next GPU comes out, right? So 12 is the absolute minimum, and for years I've never heard anybody who knew what they were talking about say anything less than 12. Now I do want to say, when it comes to password policies, it really is the length that counts.
That's going in the chip. Same thing applies to your rotation time. I realize a lot of people, particularly higher up in your org, are gonna be really nervous if you try to go for no max password age. That's fine, you don't need to go there, but you do need to let off the pressure. It needs to be significantly longer than 90 days. I'm gonna recommend pushing up to a year. That should be a good balance point: yes, you do still have a maximum time a password will live, period, it's a hard limit. Why? When somebody makes a password, they know, unless it gets cracked by your audit, they get to keep it for a whole year,
because I'm recommending you do audits quarterly. This means that you're changing "my password always changes every 90 days" into "my password will have to change every 90 days unless I make a strong password, then I get to keep it for a year." This is reframing their motivation and gives you an opportunity to change the behavior in more people. Um, the 90-day password thing is why password spraying is even possible, because as you force people to rotate passwords, they get lazier and lazier and lazier until they find the low-energy point for "password password". You literally don't even have to remember what your password is. What season is it? Throw a bang on the end,
done. I didn't even have to remember my password; I can just generate it from information I have floating around. Um, so what you manage to achieve in terms of minimum password length will influence your cracking strategy when you're auditing. If you are stuck at 8 characters, if you're getting pushback for changing it to something longer, your focus is gonna be on cracking those shorter passwords to demonstrate: hey, I cracked all these passwords, we need this to be longer. If you've been successful in pushing up to 12 or longer, you're gonna have a different thing, and that's gonna be: all right, what is an attacker who knows that gonna do? How do I replicate that? How do I crack the same
passwords in an actual attack? That's where auditing is, and it's most of this talk. Pretty simple: dump hashes, crack them. Anybody that you crack their password, you're using the same technique an attacker would; if you can crack it, a real attacker would have been able to crack it too. That person needs to rotate their password. Look at what they did; give just a little bit of information about it, like, hey, I saw you used a song lyric as your password. I realize it's long enough, but you used something that's guessable. You used something somebody can just download, manipulate a little bit, and guess it. It needs to be random. Or, hey, this is your favorite Bible verse, come on. I
don't recommend like a three-strikes thing or any kind of real punishment for this. Ideally you're gonna be way too successful for that to be a thing. If for many audits in a row somebody is failing every single one, then on a case-by-case basis maybe take some remedial action, but I wouldn't go straight for, like, it's three strikes and you get some kind of punishment. I just recommend education. Password filtering is a little bit newer. It's recommended by the new NIST standard: at creation time, do not allow known compromised passwords. I don't actually think that's possible given the fact that the list of known compromised passwords I'm gonna recommend you use is like 20 gigs. I don't, I
don't see your domain controller searching through 20 gigs of text for an exact match and not timing out the password creation process. But we can try. It's never gonna cover auditing, it's never gonna replace auditing; they're complementary, they don't replace each other. Some of the software I've seen out there does soft matching: here's a list, no password will be accepted if it is more than 80% similar to this list of passwords. I think that's really good, because that is starting to cover some of the wiggle room that you're covering with auditing. Also "must not contain": it would be really great for, like, hey, I've cracked a bunch of passwords, I see that everybody's using the company name,
let's just not let people use the company name. And then some of these also come with really advanced password tools; some come with, like, strength meters and other things. There's good stuff to be had here. Caveat: right now, until Microsoft supports this natively in Active Directory, you're going to have to grab a DLL and stick it onto the domain controller. If that third-party DLL crashes, it will crash LSASS on the domain controller. So if you go to your IT team and say, hey, we want to do this, and they go no, there's a reason they're telling you no. It's because there's a lot of risk there: it crashes, AD goes down; if they upgrade and the DLL is no longer
compatible with the new version, you're gonna have problems, and it's a bad day for everybody. I'm pretty pro open source, but this is a case where I would look carefully into the project, make sure it's well maintained before deploying it, period, and where you might actually want to go for a commercial solution that has some support behind it. Look: we're gonna talk about different maturity levels in terms of password cracking. You can pick what's right for your org. I think basically every organization I can think of on the planet should at least be at the one-hour level, because it is very, very little additional effort. Once you already dump the hashes, you check
them against known compromised ones; that is the five-minute audit. Just sit there and guess the obvious things, just get a little coverage and see what you can do in one hour. One hour real time, not that much. I think everybody should be there, but if you want to do more than that, you can; you pick where you want to be on those security levels. Five-minute audit: we're just checking whether or not the hash is known compromised, perfect exact match. One hour: we're gonna go through high-probability passwords with some good password rules, and that's about all we're gonna do. If you've got a weekend: on Friday you do the one-hour audit, and then you set a
bunch of things to leave running over the weekend. Let it run over the weekend, and then you check them on Monday, and now you've got some cracked passwords. You're gonna find related passwords: you're just gonna take that list of cracked passwords and you're gonna shove it through some more stuff to crack related passwords. Continuous auditing: what I mean by that is, just after you're done with that process, leave it running until the next audit. You will need a dedicated box for this. This is where you might want to consider spending a little bit of money on a little bit nicer GPU if you want to be at that level of maturity. If not, don't worry about it; you
pick where you want to exist on this. When you leave that running, it's gonna crack a few hashes. You then add those to your list, you check, make sure those things are still active, you crack more stuff, you've got more confidence. What are we gonna need to do this? Hardware: I'm recommending an NVIDIA GPU; there's good hashcat compatibility. And I'm recommending you stick with Windows. A Linux guy is telling you to stick with Windows: you're pretty much guaranteed it's going to install, and any newer NVIDIA driver is going to give you OpenCL, which is the thing that lets you do random calculations on hardware, what lets you do work on a GPU. Just, if you've never
built a PC before, you're gonna need to make sure you have enough power; this is only really relevant if you're doing a beefier card. And you're gonna need to make sure it has a slot open, which it almost certainly will, and make sure the card also physically fits into it. All of the cracking times I'm gonna give you are, unless otherwise specified, for a GTX 1050. That's about a hundred and fifty dollar card. I found one laying around where I work, so scrounge around, see what you can find. You can use whatever you can find; you can use multiple if you have a couple. Like, I could have scrounged a couple of
740s and used both of those; it would have got me in the same place. But see what you can scrounge, see what you can buy, figure out, like, say, hey, we're doing this, what's our budget, can I spend this much money? Spend this much money and you're gonna go buy that. But you can do this without spending any upfront money. Software: hashcat. This is going to be the thing we use to crack the hashes; you're gonna see a lot of hashcat. PRINCE processor is a tool that will do combinations of words. So if I wanted to do every possible combination of five words between eight characters and, you know, twelve characters,
PRINCE will let me do that. PACK is optional. This will analyze existing passwords and generate you masks. This is how you get something that you know is statistically good: what percentage of some of these passwords can I crack in ten minutes? PACK, tell me how many can I crack in ten minutes. Well, you can crack these three masks in ten. That's great, give me those three masks. This is how you do actual brute force, or we'll talk about that; nobody does brute force, everybody uses masks. How do I know I'm cracking the right mask? You have a tool that generates you the statistically best one. Um, ntds.dit is the file on the
domain controller that actually contains the hashes. It's encrypted, of course; it's Microsoft, so anybody want to guess where the encryption key is? Right next to it, in the registry. The same command that dumps it also dumps that registry hive, but you will need a tool to decrypt it. Cracked is gonna show up three times in this list; one of the things that it'll do is decrypt that. You can also use Impacket, and if you want to go PowerShell, you have DSInternals. Hash comparison tool: for the five-minute audit, we're taking a list of compromised hashes and we're taking a list of our internal hashes, and I'm gonna compare them. These are tools that'll do it.
The five-minute password audit does that offline: you just download both files, like, you have your file and you download another one, you just compare. Completely offline, completely private. Some will do k-anonymity to a cloud service to check it; if you don't know what that means, then don't do that. You don't understand what data that is leaking about your environment; don't do that. I'm gonna recommend you just do the offline version because, A, you're guaranteed to be allowed; depending on your company, you may not be allowed to use the cloud service that way, or something like your password policy says so anyway. Auditing tools are completely optional. You can by hand just compare: this hash, this hash, and
password, they line up, okay, I know this person was compromised with this password. You can do that by hand. If you don't want to do that by hand, cracking will cover that same password. And then you will need a BitTorrent client for this. If you have never torrented anything before: not scary, not illegal, and Transmission is one that I can give a thumbs up to. But if you've torrented something before, use whatever you think. Word lists: these are our lists of internet passwords. In fact every word list we're going to use here is candidate passwords, except for Google's list of top English words. Um, the real passwords one, Probable Wordlists, is statistically significant.
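The hash comparison the talk describes for the five-minute audit, written out as an added example (this is not code from the talk, from DSInternals, or from any other tool it names): a streaming merge-join in Python that walks the sorted compromised-hash file once against a small, in-memory sorted list of internal hashes, so a 20-gigabyte list never has to be loaded. The `user:rid:lmhash:nthash:::` dump format, the `HASH:COUNT` list format and the account names are assumptions; two of the NT hashes are the well-known hashes of `password` and of the empty password, the rest are constructed.

```python
"""Five-minute audit: match internal NT hashes against a sorted compromised-hash list.

Added example; not code from the talk. Assumes:
  - internal dump lines look like secretsdump-style output:  user:rid:lmhash:nthash:::
  - compromised-list lines look like HASH:COUNT, sorted ascending by hash,
    so one sequential pass is enough and the big file is never held in memory
"""
from typing import Iterable, Iterator, List, Tuple


def parse_internal(lines: Iterable[str]) -> Iterator[Tuple[str, str]]:
    """Yield (NT hash upper-case, account) from user:rid:lm:nt::: lines."""
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4 or len(parts[3]) != 32:
            continue  # skip malformed lines rather than guessing at them
        yield parts[3].upper(), parts[0]


def parse_compromised(lines: Iterable[str]) -> Iterator[Tuple[str, int]]:
    """Yield (hash upper-case, prevalence count) from HASH:COUNT lines."""
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        digest, _, count = line.partition(":")
        yield digest.upper(), int(count or 0)


def find_compromised(internal_lines: Iterable[str],
                     compromised_lines: Iterable[str]) -> List[Tuple[str, str, int]]:
    """Merge-join both sorted streams; returns (account, nt_hash, count) per hit.

    The internal side is small (one line per account) and is sorted in memory;
    the compromised side is only iterated, never loaded.
    """
    internal = sorted(parse_internal(internal_lines))  # sorted by hash
    hits: List[Tuple[str, str, int]] = []
    i, n = 0, len(internal)
    for digest, count in parse_compromised(compromised_lines):
        # skip internal hashes that sort before the current compromised hash
        while i < n and internal[i][0] < digest:
            i += 1
        # several accounts may share one hash (password reuse): report each one
        while i < n and internal[i][0] == digest:
            hits.append((internal[i][1], digest, count))
            i += 1
        if i >= n:
            break  # every internal hash is accounted for; stop reading the big file
    return hits


# Constructed sample data. 8846F7... is the NT hash of "password" and 31D6CF... the
# NT hash of the empty password; the other hash, the RIDs and the counts are made up.
INTERNAL_DUMP = """
alice:1104:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
bob:1105:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
svc_backup:1106:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
""".strip().splitlines()

COMPROMISED_SORTED = """
31D6CFE0D16AE931B73C59D7E0C089C0:100000
8846F7EAEE8FB117AD06BDD830B7586C:3861493
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1
""".strip().splitlines()


def demo() -> List[Tuple[str, str, int]]:
    """Run the audit over the constructed sample."""
    return find_compromised(INTERNAL_DUMP, COMPROMISED_SORTED)


if __name__ == "__main__":
    for account, digest, count in demo():
        print(f"{account}: hash {digest} seen {count} times in public dumps")
```

Against real files, pass the two open file handles instead of the sample lists (`find_compromised(open("internal.txt"), open("pwned-ntlm-ordered-by-hash.txt"))`); the compromised file must be the ordered-by-hash variant, or the merge silently misses matches.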
I will, they have a copy of my slides. I don't know how BSides hands them out, and I'm also going to put these on GitHub. I apologize for not doing that before the talk, but I didn't have the opportunity. Probable Wordlists is statistically significant; their lowest threshold is that five different dumps had the password. That's their lowest threshold; the most probable ones were far, far more than that. So it is a giant list of the most statistically significant passwords all the way down to ones that were only five different people across five different dumps. This is your biggest bang for your buck word list. Passphrase word list: if we are pushing for 12-plus characters, we're
going to start using passphrases. I guess I'm training them to passphrases. The passphrase word list contains the lazy passphrases: song lyrics, pop culture quotes, all that stuff. Pwned Passwords NTLM ordered by count: that's actually our hash list we're gonna use for the five-minute audit. Not technically a word list, but I didn't know where else to put it. CrackStation, weakpass, and breach compilation are all just really big lists we'll use later. SecLists contains all kinds of useful things; it includes your standard everybody-talks-about rockyou. rockyou is in every tutorial for password cracking; if you don't know where to grab a copy, there's a place you can grab a copy. And then
Google's 10,000 words is the only list of actual words in our word lists. Rules: rules are ways of manipulating an input password in some way. I had a different "Who am I" joke every single time; this one is leetspeak. "Who am I": how do I take "am I" and turn it into leetspeak? There's a rule for that. Yeah, passwords: they're a multiplier for your guesses. If you're just reading a word list, it's not fully usable; a rule lets you fully utilize it. The only one I'm going to say is required is OneRuleToRuleThemAll. It is statistically your best bang for your
buck in terms of rules. The other rule I'm going to say is required comes with hashcat. Optional: little rules, the NSA rule set, and then notice Probable Wordlists is here again; they did the statistical analysis of it and made a bunch of rules. Really optional, grab if you want. Cracking techniques: the first one, and the biggest one we're gonna do, is word lists. What word lists are gonna be paired with... I have some stuff there. You're gonna have rules that are going to swap characters out, such as leetspeak. Others are gonna append things at the end, just to cover, and/or they could be appending a specific thing like a date.
Rules are really, really powerful. This is the first thing that any, like, professional cracking company is going to do; this is the first thing your red team is gonna do. They have their preferred word list, their preferred set of rules, and they're gonna run the word list through them. Combinator: Combinator is how you do a word list on the left, a word list on the right, do every possible combination. That's how you do it. Do it, like, hashcat with its Combinator attack; we'll only do two. Some other limitations: it says you're supposed to be able to apply a rule to each list before you go in; I could only get it to work on the right, and you're limited to only two
words. PRINCE fixes this. PRINCE will do any combination up to the length you want. You can say give me everything from five words and make sure you're only giving me outputs that are between... you do that, and if you don't cap it, it'll run forever, going forever. Um, it is being piped into hashcat. This has good things and it has bad things. The good thing is anything hashcat can do, you can do: you could do a hybrid attack, you can also just... talking about the downside: pipes seem to cause weird performance issues. I can never get it to actually do full utilization, so if we have any password cracking experts in the house, the one who can tell
me what's up. Fingerprint: this is what we're actually gonna do with Combinator and PRINCE. Once I have cracked a bunch of passwords, how do I get more passwords out of them? How do I turn my small list of passwords into a list of related passwords? Related password attacks: fingerprint. I'm gonna call it a golden dictionary; points to anybody who knows why I call it a golden dictionary. It's all of the passwords you've already cracked. I'm gonna take that, you're gonna push it through a tool called expander that will rotate through different character combinations and will chop it into set lengths. So you're gonna do every combination of those pieces. With Combinator you're gonna get
every combination of, like, words. PRINCE can do whatever you want. This is a great thing to do once you already have some passwords, to find more, because an attacker's gonna do this. An attacker's gonna find related passwords: somebody had an old password, they changed it minorly, that's how you find their new password. Masks are what people are actually doing when they talk about brute force: pick a pattern, you only crack things within that pattern. Pretty simple: four-digit PIN, we're only going to do things of exactly, like, four, and we're gonna do every digit. Examples of that: they wanted to crack "Password1" or "password". Ooh, more secure: gonna do lowercase for eight characters and then one digit.
And generate these with PACK, with the most statistically difficult ones. On analyzing a list of cracked passwords, we're gonna take advantage of that here to be able to say, all right, what do I want to do? If I want to have good coverage of 8 characters, PACK gives me everything, so it lets you get longer than brute force. So, on our budget cracking rigs, we're not gonna be able to brute-force all of eight characters, but we can get good coverage of the patterns people actually use. And if you want to push longer than that, you can; you're just not gonna be able to do as many. Well, let's get into how we actually do
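What PACK does when the talk asks it "which masks can I crack in half an hour", shown as an added example in Python (this is not PACK and not code from the talk): it turns each already-cracked password into a hashcat-style mask, counts how many cracked passwords each mask covers, computes each mask's keyspace, and picks the cheapest masks per crack until a target share of the cracked passwords is covered. The sample passwords, the 50% target and the ranking rule (candidates needed per cracked password) are this example's assumptions; hashcat's `?s` charset of 33 specials is used for the keyspace.

```python
"""PACK-style mask statistics from a list of already-cracked passwords.

Added example; not the talk's code and not PACK itself. Builds hashcat masks
(?l ?u ?d ?s) from cracked passwords, measures coverage and keyspace per mask,
and picks the cheapest masks that reach a target coverage. Sample is constructed.
"""
from collections import Counter
from fractions import Fraction
from typing import Dict, List, Tuple

# candidates per charset token (?s is hashcat's 33 printable special characters)
CHARSET_SIZE = {"?l": 26, "?u": 26, "?d": 10, "?s": 33}


def char_class(ch: str) -> str:
    """Map one character to a hashcat charset token."""
    if "a" <= ch <= "z":
        return "?l"
    if "A" <= ch <= "Z":
        return "?u"
    if "0" <= ch <= "9":
        return "?d"
    return "?s"  # everything else is treated as a special character


def password_to_mask(password: str) -> str:
    return "".join(char_class(c) for c in password)


def mask_keyspace(mask: str) -> int:
    """Number of candidates a mask generates (product of its charset sizes)."""
    size = 1
    for i in range(0, len(mask), 2):
        size *= CHARSET_SIZE[mask[i:i + 2]]
    return size


def mask_stats(passwords: List[str]) -> Dict[str, int]:
    """How many cracked passwords fall under each mask."""
    return Counter(password_to_mask(p) for p in passwords)


def select_masks(passwords: List[str], target_pct: float) -> List[Tuple[str, int, int]]:
    """Return (mask, hits, keyspace) rows, cheapest-per-crack first, stopping once
    the chosen masks together cover at least target_pct of the cracked passwords."""
    stats = mask_stats(passwords)
    total = len(passwords)
    # rank by candidates needed per cracked password: fewer is better
    ranked = sorted(stats.items(),
                    key=lambda kv: Fraction(mask_keyspace(kv[0]), kv[1]))
    chosen: List[Tuple[str, int, int]] = []
    covered = 0
    for mask, hits in ranked:
        if covered * 100 >= target_pct * total:
            break
        chosen.append((mask, hits, mask_keyspace(mask)))
        covered += hits
    return chosen


def seconds_for(masks: List[Tuple[str, int, int]], hashes_per_second: float) -> float:
    """Wall-clock estimate for running the chosen masks at a given cracking speed
    (pass your own rig's benchmark figure; none is assumed here)."""
    return sum(keyspace for _, _, keyspace in masks) / hashes_per_second


# Constructed sample: what a first weekend audit might have cracked.
CRACKED = ["Password1", "Welcome1", "Monkey12", "Summer19!", "Winter19!",
           "Fall2019!", "Company1", "Dragon22", "letmein", "Qwerty1!"]

if __name__ == "__main__":
    for mask, hits, keyspace in select_masks(CRACKED, 50):
        print(f"{mask:<22} hits={hits} keyspace={keyspace:,}")
```

On the sample, the 50% target is met by three masks (seven lowercase letters; upper, five lower, two digits; upper, six lower, one digit), which is the kind of short list you would hand to hashcat as `-a 3` runs; feeding `seconds_for` your own `hashcat -b` NTLM figure turns the keyspace into the half-hour budget the talk is working to.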
this. Step one is to grab and decrypt the hashes. ntdsutil: if you just run it, it'll drop you into a shell and you can type these commands manually. If you want to do it all in one line, you can put all the input onto it. This is going to give you IFM; this is your output. You just say this: it's taking a backup of a lot of important stuff in the domain controller. It includes the file that has the hashes in it, and it includes the SYSTEM hive. DSInternals, as I mentioned: there are other tools you can do this with. Give it the path to that SYSTEM hive; it will decrypt it. Download and unarchive the NTLM list.
Then import this. I know somebody would complain that it didn't work if I didn't mention setting the execution policy. We're gonna import it, we're gonna run it, it's gonna give you a list of every account that matches a known publicly compromised hash. So you don't know what the password is, but you know it's actually compromised out there somewhere. Spend a little bit more time on this: it will all complete within an hour; most of these are, like, two to five minutes. hashcat: what we're using. -O, uppercase O, is optimize; this makes it run like 10 times faster. Downside: you can't do anything over 27 characters. For the vast majority of our things, that's a trade-off we're willing to make. -m is the
type of hash; in this case it's a clean NTLM hash, so that's 1000 for the code. Your pot file is your output, where it's saving what it cracks, and then --username, because we're doing username:hash format for our output. hashes.txt is all the things you dumped. We're gonna take in a word list; in this case it's the biggest word list in Probable Wordlists: everything in there is at least five different people across five different public dumps that had that password. And then we're gonna run a rule on it. best64 comes with hashcat, was at one point the best
rule, and it's still really solid. It's a lightweight rule, it's gonna run pretty fast even though this is a big list, so it's going to complete. Next we're gonna cover our passphrases. Hopefully we're at 12-plus characters; hopefully people aren't using the same... We allowed that; that doesn't mean they're gonna start doing song lyrics and things like that. We're gonna run this: the passphrases project comes with rules specifically intended for this. Really, rule one is going to do things with spaces, gonna do intelligent placement of spaces, and then we're gonna run it with their other one. It's pretty fast. Again we're using something other than Probable Wordlists; we're taking a much smaller one. Instead
of two billion, we're using one and a half million, so it's a lot smaller. We're gonna run it with a much more expensive rule; I would say that OneRuleToRuleThemAll is, but it's still lighter than a lot of the heavy ones. Because we're using a smaller list, it's gonna give us a little more confidence if there was something similar to but not an exact match.
Now we get into masks. I asked PACK: can you give me as many 8-character masks as I can crack in 30 minutes? This is as little statistical coverage as... a higher percentage of those patterns as you can cover in half an hour. And if I wasn't doing that, this probably would have been about a... Weekend audit: we'll spend a little more time on this. Complete the one-hour audit and then we're gonna set up some stuff to leave running over the weekend. This can be on your workstation. Notice there's going to be a -w 3 in our command lines; that's the workload. If you do that
while you're using the desktop, it's gonna lag. This, we're leaving it running; if it's lagging, we're not using it. Here's the workload of three. We're gonna take OneRuleToRuleThemAll, a big one, and we're gonna take big lists; gonna run that big rule plus our top 2 billion list. You can also download CrackStation, weakpass, and run it across those. One of these is going to take between, like, let's go around, like, five, six hours; I think at least one of those takes close to twelve, but everything in the weekend audit will complete. Next we're gonna run eight hours of any-character passwords; that first half hour will be redundant, but we're
gonna get better coverage of 8-character passwords, and it's worth it to do even if you have pushed past 8 characters, because I guarantee you have a service account somewhere that is still an 8-character old password, since nobody's rotated it. They're still going to be there, so it's still worth covering. Next we're gonna take that passphrase list and we're gonna take that first passphrase rule, no spaces, and then we're gonna run that through OneRuleToRuleThemAll. Sometimes order matters in hashcat and sometimes it doesn't. You may have noticed that I swapped the order of where I was saying rule and where I was saying word list and it was fine; in this case it actually matters. It
will run one and then it will run OneRuleToRuleThemAll.
Next up, we'll use best64. Wait, it's additive; it's not doing the same thing. It's now taking one password and multiplying that into a bunch of candidates by applying every rule. We're gonna take that and we're gonna have it do the same thing again.
You know that Monday morning: you come in, you've got a collection of hashes already cracked over the weekend. Take all those passwords we cracked, we're gonna stick them in our golden dictionary and then we're going to expand it. Yes, this is a useless use of cat, don't give me a hard time about it; the other syntax is way harder to read. Golden dictionary, we're gonna push it through expander, sort it, and we're gonna uniq it, because it doesn't take care of that, and put it into a new dictionary file. And this is done on Windows, yes, with sort and uniq. Once we have that, we're just gonna do the combinator attack on it: take our left-hand side and a right-hand side and go through every possible combination. It's going to complete in about a second, but you can do it until you have passwords already cracked.

At this point your weekend audit is done. Go and say, alright, these people need to rotate their passwords. Do we want to get into continuous auditing, leave something running between weekend audits? This is where you definitely need a dedicated machine, one of these running where you don't have to worry about it and you can pay some time with it. And this is where, if you wanted to put a little bit of money into it, it all depends on what your goal is and what you're after. What are we getting out of doing this? A professional isn't going to be using a scratch graphics card, but if their rig is four times stronger than ours, we cover in four weeks the same thing they would in a week; if theirs is twelve times stronger, it takes us three months. That's still a little bit more confidence that we would have found internally, on our own, what we would have found if we had an external auditor. That's our goal here.
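The weekend pipeline described above (cracked passwords into the golden dictionary, expander, combinator, PRINCE, each run under a named session), scripted as an added example. This is not the speaker's script and not from the slides. It assumes hashcat's potfile format ("hash:plaintext" per line) and that hashcat, hashcat-utils' expander.bin and princeprocessor's pp64.bin are on PATH; the potfile contents, file names and session names are constructed placeholders. The attack lines are printed rather than run so they can be reviewed before a weekend run.

```sh
#!/bin/sh
# Added example (not the speaker's own script): feed everything cracked so far
# back into the golden dictionary, expand it, and queue the next attacks.
# Assumptions: hashcat potfile format, hashcat/expander.bin/pp64.bin on PATH,
# NTLM hashes (-m 1000). All file names are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
POTFILE="$WORK/hashcat.potfile"
GOLDEN="$WORK/golden.txt"
EXPANDED="$WORK/golden-expanded.txt"

# Constructed sample potfile in the layout hashcat writes: hash:plaintext.
# The hashes are placeholder hex, not real digests of these passwords.
write_sample_potfile() {
    cat > "$POTFILE" <<'EOF'
0123456789abcdef0123456789abcdef:Summer2019!
123456789abcdef0123456789abcdef0:Welcome1
23456789abcdef0123456789abcdef01:Summer2019!
3456789abcdef0123456789abcdef012:Acme:Rocks
456789abcdef0123456789abcdef0123:$HEX[50c3a4737377c3b6726431]
EOF
}

# Merge every cracked plaintext into the golden dictionary and deduplicate.
# `cut -f2-` keeps everything after the FIRST colon, so a password that itself
# contains ':' survives. $HEX[...] lines are kept verbatim: hashcat decodes
# them itself when reading a wordlist; naive text handling would mangle them.
update_golden() {
    touch "$GOLDEN"
    cut -d: -f2- "$POTFILE" | cat - "$GOLDEN" | LC_ALL=C sort -u > "$GOLDEN.tmp"
    mv "$GOLDEN.tmp" "$GOLDEN"
}

golden_count() { wc -l < "$GOLDEN" | tr -d ' '; }

# Expand the golden dictionary with hashcat-utils' expander, then sort -u
# because expander does not deduplicate. Skipped (with a plain copy) when the
# binary is absent so the rest of the script still works.
expand_golden() {
    if command -v expander.bin >/dev/null 2>&1; then
        expander.bin < "$GOLDEN" | LC_ALL=C sort -u > "$EXPANDED"
    else
        echo "expander.bin not on PATH; skipping expansion" >&2
        cp "$GOLDEN" "$EXPANDED"
    fi
}

# The attack lines from the talk, each with its own --session name so a run
# left over the weekend can be checked and restored by name.
# -O selects the optimized kernels; -a 1 is combinator (two wordlists);
# pp64.bin --elem-cnt-max=4 caps PRINCE chains at four elements.
attack_cmds() {
    hashes="${1:-$WORK/hashes.ntlm}"
    printf '%s\n' \
      "hashcat -m 1000 -a 0 -O --session wk-onerule \"$hashes\" \"$GOLDEN\" -r OneRuleToRuleThemAll.rule" \
      "hashcat -m 1000 -a 1 -O --session wk-combo \"$hashes\" \"$EXPANDED\" \"$EXPANDED\"" \
      "pp64.bin --elem-cnt-max=4 \"$GOLDEN\" | hashcat -m 1000 -a 0 -O --session wk-prince \"$hashes\" -r prince_optimized.rule"
}

write_sample_potfile
update_golden
expand_golden
attack_cmds
```

Running `update_golden` again after the next batch of cracks is idempotent: sort -u keeps the dictionary free of duplicates, so the golden list only ever grows with genuinely new plaintexts.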
Now we're going to do this covering all the eight-character ones. If you have pushed up to 12, you only have to do this once, just to clean out your old legacy stuff, your old service accounts, and from that point you say, alright, what can I get? If you are still stuck at eight, this is really important, because we'll crack a whole bunch of your eight-character passwords; basically everything that was at least 1% of the population in the reports. This is going to take about six days on a 1050; it's gonna take about six days. It's like a fingerprint attack, but we're gonna do it a little bit better: we're not gonna limit ourselves to just two, we're gonna use PRINCE for it. So pp64 is princeprocessor; I'm gonna say max element count is four, which limits how long this is going to go. I'm gonna take the golden dictionary, push it through PRINCE, and hand that over to hashcat, optimized, and then PRINCE comes with its own rules, so we're gonna run its rule on it. This is going to give you even more related passwords over time and help you build confidence. Next, something that's gonna be doing something meaningful for the rest of our time: PRINCE is also a good choice here. This may not complete.
Just do this every quarter. Whatever level of maturity you've decided to exist on, just do it quarterly. Actually rotate those passwords, have them rotated, and give person-specific advice on how to improve their password: hey, I was able to crack it.
Optional upgrades for this. Those of you who are familiar with how we're cracking are probably wondering why I didn't talk about hybrid attacks. I didn't talk about hybrid attacks because I cracked exactly zero passwords using this technique; everything that I would have cracked with this technique I had already cracked. Mileage may vary; go ahead and try it. The example I'm giving you here is using it on your golden dictionary, which is very fast and yet very expensive: every input password is going to get every possible combination of that mask applied, so there's a really big multiplier. Something that's, you know, four long is something you can only do on a list like this; with a larger candidate list, go smaller. Now, it can either prepend or append, it cannot do both: the right-hand side of this equation or the left-hand side of it. Order matters: even though I'm telling it, hey, attack mode is 6, the append mode, it still cares that I'm putting the mask after the wordlist, and even though I am telling it, hey, attack mode is 7, the prepend mode, it still requires me to put that before the golden dictionary.

Okay, so the next thing you can do is optimize your wordlist. You may have noticed that I'm telling you to run that command on one or another big honking list; you probably have a bunch. The reason I'm telling you to do that is because I think the level of effort required to actually optimize them is a little bit of a high ask for most people. If you want to go after it, the straightforward way to do it requires you to be able to fit that entire amount in RAM at one time; have enough RAM, or the other ways to do it without that are a lot more painful. There was a tool, Splash, that would do this for you. The problem is that real-world wordlists have weird encodings and Python does not like that, so a Python tool that has to read a weird file is basically fuzzing the Python decoder at that point. So the tool was not happy, I was sad; it worked on small wordlists, it did not work on my big ones.

Another thing you can do is hashcat sessions. Those command lines were absurd enough on the slides; in practice, anything I'm leaving running over the weekend or leaving running when I'm away from it, I'm gonna name with a specific session so that I can go check that session file to see if it completed, and I can see just by looking at the files on disk which sessions have started. And then also analyze your comb dictionary with PACK. If you're successful with this, and particularly if you're a large enough organization, you get enough passwords, you can analyze those with PACK and go after the patterns.
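An added example, not from the talk: a keyspace estimator for the hybrid attacks (-a 6 wordlist+mask, -a 7 mask+wordlist) discussed above, so the multiplier the speaker warns about can be checked before a run is launched instead of discovered on Monday. It uses hashcat's built-in charset sizes; the wordlist size and the 1 GH/s rate in the demo are assumed inputs (take the real rate from `hashcat -b` for your hash mode), and custom charsets (-1 to -4) are not handled.

```sh
#!/bin/sh
# Added example (not the speaker's code): estimate candidate counts for
# hashcat mask and hybrid attacks before running them. Assumes hashcat's
# built-in charsets only; custom charsets (-1..-4) are out of scope.
set -eu

# Size of each hashcat built-in charset.
charset_size() {
    case "$1" in
        l|u) echo 26 ;;   # ?l a-z, ?u A-Z
        d)   echo 10 ;;   # ?d 0-9
        s)   echo 33 ;;   # ?s printable specials
        a)   echo 95 ;;   # ?a all printable ASCII
        b)   echo 256 ;;  # ?b every byte value
        h|H) echo 16 ;;   # ?h 0-9a-f, ?H 0-9A-F
        *)   echo "unknown charset ?$1" >&2; return 1 ;;
    esac
}

# Candidates a mask alone produces, e.g. '?d?d?d?d' -> 10000.
# A literal character (including an escaped '??') contributes a factor of 1.
mask_keyspace() {
    mask="$1"; total=1
    while [ -n "$mask" ]; do
        case "$mask" in
            '??'*) n=1; mask="${mask#??}" ;;
            '?'*)  c="${mask#?}"; c="${c%"${c#?}"}"   # charset letter after '?'
                   n=$(charset_size "$c"); mask="${mask#??}" ;;
            *)     n=1; mask="${mask#?}" ;;
        esac
        total=$((total * n))
    done
    echo "$total"
}

# Hybrid attack: every word gets every mask candidate appended (-a 6) or
# prepended (-a 7), never both, so keyspace = words * mask_keyspace(mask).
hybrid_keyspace() {
    words="$1"; mask="$2"
    echo $(( words * $(mask_keyspace "$mask") ))
}

# Wall-clock estimate in seconds at a given rate in hashes per second.
eta_seconds() {
    keyspace="$1"; rate="$2"
    echo $(( keyspace / rate ))
}

# Demo: a 10-million-line golden dictionary against three masks at an
# assumed 1 GH/s. The four-wide ?a mask is the "really big multiplier".
WORDS=10000000
RATE=1000000000
for m in '?d?d' '?d?d?d?d' '?a?a?a?a'; do
    ks=$(hybrid_keyspace "$WORDS" "$m")
    printf '%-10s %18s candidates  ~%s s at 1 GH/s\n' "$m" "$ks" "$(eta_seconds "$ks" "$RATE")"
done
```

The arithmetic is 64-bit shell integer math, which is enough for anything you would realistically run but will overflow for something like eight bytes of `?b`; if a number looks small for a wide mask, that is the reason.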
Oh yeah, so endpoint protection is...
I don't have anything...
There's Credential Guard; it will not play well with some software on Windows, or anything else on Hyper-V. If that's not an option, where they did Credential Guard they had LSA protection; you can deploy that. And then there's stuff for this in Windows Defender. Defender has a lot of amazing stuff in it that you just have to go in, either into the registry or into policy, and turn on. I have all of that deployed that I can deploy, to make it as hard as possible
and to make it really, really difficult to get hashes out of memory. Yes, is everybody on Windows 10, so that there's no plaintext credentials? Yeah, this is one little puzzle piece in your whole jigsaw of entire security, but one thing you do... this is a thing that I see
My crazy setup was finding an unused desktop that had a powerful enough chip, and getting my boss to let me buy a 1070. I left it running Windows and then running... crazy cooling? No. Oh, so I do have crazy cooling: I use MSI Afterburner to force the fan curve. That's the craziest thing I've done. So you could get into: can I overclock this, can I do liquid cooling on it, is that worth it? For the majority of people in practice, I don't think so; I don't want to get into that. If you want to get into this more seriously, you want to build a professional cracking rig, get into all that, but if you have no budget, you can scrounge a GPU and do almost everything I'm talking about today.
Yes, so the thing that AWS changes is that it's no longer about how much money it is for hardware; it's about gigahashes per dollar. How much do I want to spend on cracking this thing? How many are required to crack my goal? How much time do I have? Because you're not limited to one GPU; buy as many of those instances in AWS as you want. Just figure out how much money I want to spend to crack this for me.
The calculation for: is this going to be cost-effective?
Absolutely.
Boy, you're in the back; I was gonna call you out when you walked in. I decided that would be...
I would say that you're gonna forever hold on to your golden dictionary and add to it every password you've ever cracked, and that is where you're gonna go when you... if you want to implement password filtering, your password filter lets you ask what the commonalities are: is it the company name? Is it everybody's favorite sports team? No password containing that is allowed. And then also, if I have a password that somebody's trying to use multiple times, throw it into the filter so that when they try to use that, they're not allowed. There's always going to be that one user that is going to try to mess up your day; that's where the hard controls of
minimum length...
So, this specific... the person behind that passphrase list also created a tool called lyricpass; that's how they're pulling song lyrics into that. What they're doing is looking up... he grabs the top 100 artists, downloads every song lyric for those top 100 artists, and then parses it into every possible combination.
Oh, my thing with telling people not to use song lyrics: if I can just go to the net and download a list and push that list and it'll match your password, your password is too common. It's portable: if somebody can crack something... So that's the same problem with quotes, the same thing. Yeah, your favorite Bible verse, like...
So if it's lying around on your hard drive: I come from a forensics background; you know we crack people's passwords with a list of every single word on the entire hard drive. If it's anything like that, somebody's going to be able to guess it. But what I always tell people is, listen, yes, generating X random words using a tool like Diceware is gonna be a little bit of a pain, but it's gonna be easy to type. Are you going to remember it after you...
So that's a decision you're gonna need to make: what is the right thing? They've got a small office, locked down, anything cloud-based is a no for policy, firewalled. For us, we went with KeePass, and if they keep this... I wanted to leave... that's just part of the golden image. For an organization in a different situation... What I'm suggesting to you, to all of you, is having a password vault is better than not.
Which vault is right for you and your organization depends on you.
We're now getting down to a point where we have an understanding of...
I'd be surprised; very high quality.
Very famously, like four different ways to...
MFA deployed; I would be very, very interested in validating...
I've actually settled on this laptop, but I...
Have fun. Any on-topic questions?
Nothing in security is yes or no; everything is how bad do they want it. If somebody wants to hack you, there exists out there somebody who has the 0-days in their arsenal to get into your org. They're not going to do that; the 0-day is worth way more to them...
You want to live at, kind of like, a five out of five maturity level; that's gonna be a lot of money for you, but it also needs a massive amount of money to get at. Our organization does not want to live at a 5 out of 5; now, where's the right
place here? Somebody wants to crack that password, they can; I'm out of money, they literally exhaust...
I spend that much on you; and answer that question of, are they going to spend that much on you? But here, do I want my... in my organization...
Sure, you should match...