
All right everyone, I guess we can get started. Thank you all for being here, and welcome to "I Spy with My Hacker Eye: How Hackers Use Public Info to Crack Your Creds." My name is Destiny Plaza. I am a cybersecurity engineer at Carnegie Mellon University; I work at a lab there called the Software Engineering Institute. My hometown is Buffalo, New York, where I was able to get my Bachelor of Science and Master of Science, my undergrad being here at Canisius, so it's really great to be back. At my job I lead a lot of projects that automate certain processes in the cybersecurity space, and I love automation, but unfortunately so do bad actors.

There are instances, however, where they do take their time to look at some of the information that you post publicly online, and when they do so they're able to tailor existing tools to target you. So you may ask me, well, what exactly do they want from me? Well, they want your credentials. So I want you to get a general idea of the amount of publicly available electronic information, also known as PAEI, a very well known term in the intelligence community. I pulled up some stats when I was composing this presentation. The first stat I want you to look at is that there are 500 million tweets per day. Wow, that's a lot of information. The second stat is that there are 2.9 billion monthly active Facebook users. Note that key term, active: actively engaging, actively posting a lot of information out there. And lastly, there are roughly 900 million LinkedIn members. As you know, as you're composing your LinkedIn profile, it certainly does ask for a lot of information.

Interestingly enough, all of this content that we tend to release using our social media produces a pattern. We as humans, by nature, all have a pattern, and if it's noticed by the wrong set of eyes, the bad actor can certainly leverage it to crack your credentials. The number one sought-after data type by bad actors, according to the Verizon Data Breach report from 2021, is passwords, and the number two is your personal data. Wow, that's scary. And one way, and certainly not the only way, is what you publicly share on social media, which allows them to gather this information.

In this talk I want to go over common things people do to help hackers crack your credentials; five steps to crack passwords, so we can understand that workflow and know how to crack passwords ourselves, which will be pretty cool; we'll go through a very basic demo attack scenario once we learn how to crack passwords, just to see how it would be implemented, again very basic; and lastly, five ways to protect yourself. So let's get started with common things that people do.

On the slide here you'll see a list of common passwords, and this is actually true: half of my team is composed of penetration testers, and these are the passwords that they tell me they see in the wild all the time, which is sad. My favorite one, obviously, is having the password "password", because why not, right? Another password to note here is "qwerty". It looks pretty random to the human eye, but glance down at your keyboard and you see those are keys all next to each other. And of course, if you have your username admin, your password obviously must be admin; cannot miss that. I actually had a family friend that I had to help, because I realized that their router configuration's default credentials were admin/admin. They were complaining to me that they continued to get a lot of notices from their service provider about exceeding their bandwidth and constantly getting knocked off the network. Well, I wonder why. So I was able to help them, and they're in a lot better condition now, thankfully.

Other things that people commonly do: they use identifiable information. Do you recall that we all have a pattern? Unfortunately we incorporate that pattern when we think of this very unique and strong and complex password. Also, we tend to reuse passwords. There's a survey from Digital Guardian that mentioned about 50% of the participants reused passwords. Wow. So, for instance, I have a new puppy, her name is Lucy, and I love her so much, I just have to post her on Instagram. It's a must; post it public, need everyone to see it, please like. And as I think of my password, well, you know what, for Twitter I think "ILoveLucy" is a great password; I'll definitely not forget that one. And you know what, for the heck of it, why in the world would I generate a new password? Use the same one for my LinkedIn as well. And just to make sure that I don't forget, must put it on a sticky note. That's just a must; I will never forget my password, I love Lucy.

You know, passwords on sticky notes are quite prevalent, and you may ask me, I mean, what is the big deal about that? Well, please bring your eyes to the sticky note. If you're familiar at all with the Hawaii missile incident, where there was a false alert that really scared the population: there's a little bit of debate about it, but a lot of people say that it has to do with this sticky note. Someone was able to take a photo of one of the staff members in front of their machines, and the sticky note was right behind them. I have seen people online where they take photos of their living room and, bam, their Wi-Fi password is right there. Obviously anyone can rent one of those famous hacker vans, roll up to the corner and have at it with their Wi-Fi, right? But it may not be that case; maybe it's your neighbor. You never know, you never know who's a hacker; it could be people like me and you. I don't know if we have a black hat hacker in sight. So this does happen a lot, and it's really important to realize why we shouldn't write passwords down.

Another instance to think about when you write passwords down: you'll say, no one will see this, obviously, they'll never take a selfie, I'm not about that life. But if you happen to throw this password out in the trash, if you have a notebook with passwords in it, once you put that trash out it is public for everyone to see. There is a form of attack called dumpster diving, if you're not familiar with it, where people truly dedicate their time to go to different businesses, or even target your home, to look at your dumpster, because a lot of people are able to find juicy information in the things that you have tossed out, which you have deemed garbage but for them is extremely valuable. A credential may be in that dumpster, so definitely steer away from writing them down.

We'll change gears now that we've talked so much about passwords, and we'll look at, well, how do you crack them? So I'm super excited to go through these five steps to crack passwords. On your marks, get set... stop. It's really important to make sure that you have the proper authorization before you proceed. We want to make sure that we're ethical in all we do, and performing any type of attack on someone is illegal if you don't have permission, even if it is a system. I know systems are not humans, they don't have feelings, but it's illegal if you don't have the permission to do so. But let's get started, because you know what, I have permission for this demonstration.

Step one: the Kali box. This is free, open source, made for penetration testers, security researchers and, guess what, curious people like us. What I really love about Kali is that it has over 100 pre-built tools ready to go for us to use, and the category of tools that I'm extremely interested in is password crackers, so I'm super excited to use the Kali box. Step two is to have a password list. You'll ask me, well, where can I even get one of these? Well, remember that Kali box? Well, golly gee, it's full of password lists as well, so you can definitely find your password list on Kali. You can also find them on GitHub, or even generate your own. For the purposes of this demonstration we'll be using rockyou.txt.

Now we'll head over to step three, and that is the password cracking tool itself. We'll be using John the Ripper. It's really important to know two little details I wanted to call out here: John the Ripper is really fantastic at cracking passwords of less than eight characters, but it can crack more than eight characters, and it was primarily built for CPU but can also be used with a GPU. There are two versions, there's the Pro and the community version, and the one that we'll be using is the community version, which I think is pretty good as is. All right, step four, and that is to identify your targets. You need to identify and locate what you're going to crack, but please, stop again: make sure that you have permission before trying to do any of this, even to a friend. If you think it's a joke, make sure you have permission to do so. Now I'm ready for that last step, which is step five, and that is to start cracking. So let's get to this and look at how we use John the Ripper.

Alrighty, so I am in my Kali box, and I cannot see the screen, sorry. There's a handy command called locate wordlist, where you're able to look at all of the wordlists that are in your Kali box. So as you can see, there's a long list of wordlists that's already included in my Kali. The one that we'll be looking at is rockyou.txt. I have already unzipped this, so I'm going to go ahead and take a look. I'm using the head command; I'm going to look at the first 10 entries here. As you can see, some of the common passwords we have here: the famous "password", "iloveyou", "rockyou", "princess" and so much more. I'll go ahead and page through this so you can get an idea of all of the passwords that are in rockyou.txt, which is quite an extensive list.

All right, so I had to clear this, and I'm going to look at the applications here. I want you to pay attention to some of the categories, in particular the password one, and the one that we'll be focusing on is John. So let's take a look at John with the john -h command, and here we're able to see all of the options. It takes in the word john, some options, and then the required password file. Some of the options I want you to look at: wordlist, this is where we'll pass in our rockyou.txt, so that's something I'll keep in mind to use. Also note the syntax: it's showing a series of equal signs, so that's one way to pass in arguments, because that's what it's showing me. The other option I want you to take a look at is --users; we're able to take in a user or a series of users. You could also invert the check by putting a dash in front to look at all users but this one. --groups also does the same for groups, and you can put a dash in front so you can invert that check as well. Alrighty, and the next one to look at is --format. Although this is not required, I really highly recommend that you incorporate the format to increase crack time, and if you're not familiar with the formats that John is able to handle, you're able to look at --list=formats to get an output of all of the formats that John is able to handle. That's quite a few formats that we see here on our screen. Some of the formats that I'm kind of looking at: I see MD5 there, I see SHA, I see MySQL, I see quite a few of these.

Speaking of hashes, well, we need to obtain a hash so we can use John. Let's just go over basically what hashes are about: you have plain text, you throw it into a hash function, and you get the hash, the hash representation of your plain text. So let's go ahead and try to do this. I'm going to be using the hash function MD5. I have a password there called winter, and I want to get the hash of that. Winter is my plain text, md5sum is my hash function, and I get the hash, the hash representation of winter. Right, now let's throw this into John, but first I'll throw this into a file. So I'm going to go ahead and echo this hash that I got and throw it into a file, and I'll call this file target.txt. Make sure it's there; it's there, fantastic. Now we can use John with our mock password file. All right, so my command is going to be sudo john --format=raw-md5 and then the password file, which is target.txt. Let's go ahead and run this. Wow, that was extremely fast; it was able to see that that hash that was plugged in was the plain text winter, which indeed it was, that was the password that we made. Let's make another dummy password and get the hash of that as well. I'll call this password love, just to make this super simple. I got the hash, I'm going to throw this into the file, overwrite the one I already had, overwriting target.txt. Just make sure it's there, and it's there, awesome.

All right, so remember that John can take in a wordlist. If you haven't noticed already, the first time that we ran John we did not pass in rockyou.txt, because John already has a wordlist pre-built in, but this time around we'll be specifying rockyou.txt. So I'll be using that wordlist option for John, which is -w, passing the path of rockyou.txt. All right, so I have john, my wordlist, my format raw-md5, and my file, which is target.txt. Let's go ahead and run this. Again, super, super fast; it was able to find out that yes, the password for the hash is love.
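The wordlist attack John just carried out, re-implemented in Python as an added illustration (this is not John the Ripper's code and is not part of the talk). It goes a little beyond the single-hash case above: it reads the user:hash file layout John accepts, guesses the algorithm from digest length the way hash-identifier does, filters on a user name, and skips hashes already recorded in a pot; the wordlist and the target hashes are constructed here in place of rockyou.txt and the talk's files.

```python
"""Wordlist attack against a john-style "user:hash" file (added illustration, not john itself).

Mirrors the steps from the talk: a hash file, a wordlist, a format guess from the hash
(what hash-identifier does by digest length), an optional user filter, and a "pot" of
already-cracked hashes that are skipped on later runs.
"""
import hashlib

# Hex digest length -> hashlib name; these correspond to john's raw-md5 / raw-sha1 / raw-sha256.
FORMATS_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}

# Constructed sample wordlist standing in for the head of rockyou.txt.
WORDLIST = ["123456", "password", "iloveyou", "princess", "rockyou",
            "winter", "love", "pizzarules", "admin"]

# Constructed targets file in the user:hash format john accepts (no real accounts).
TARGETS_TXT = "\n".join([
    "admin:" + hashlib.sha256(b"admin").hexdigest(),
    "target1:" + hashlib.md5(b"winter").hexdigest(),
    "target2:" + hashlib.sha1(b"pizzarules").hexdigest(),
])


def identify_format(hex_hash):
    """Guess the unsalted hash type from digest length, the way hash-identifier does."""
    hex_hash = hex_hash.strip().lower()
    if any(c not in "0123456789abcdef" for c in hex_hash):
        raise ValueError("not a hex digest: %r" % hex_hash)
    try:
        return FORMATS_BY_LENGTH[len(hex_hash)]
    except KeyError:
        raise ValueError("unrecognised digest length %d" % len(hex_hash))


def parse_targets(text):
    """Parse 'user:hash' lines; a bare hash (as in target.txt) gets a generated user name."""
    targets = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        user, sep, h = line.partition(":")
        if not sep:                       # bare hash, no user name
            user, h = "?%d" % n, user
        targets.append((user, h.lower()))
    return targets


def crack(targets, wordlist, fmt=None, users=None, pot=None):
    """Return {user: password} for every target whose hash matches a wordlist entry.

    fmt:   force an algorithm (like --format); None means guess per hash.
    users: restrict to these names (like --users=admin).
    pot:   set of already-cracked hashes that are skipped (john's .pot behaviour).
    """
    pot = pot if pot is not None else set()
    found = {}
    for user, h in targets:
        if users and user not in users:
            continue
        if h in pot:                      # already cracked on an earlier run
            continue
        algo = fmt or identify_format(h)  # a wrong --format simply finds nothing
        for word in wordlist:
            if hashlib.new(algo, word.encode()).hexdigest() == h:
                found[user] = word
                pot.add(h)
                break
    return found


if __name__ == "__main__":
    targets = parse_targets(TARGETS_TXT)
    pot = set()
    print(crack(targets, WORDLIST, users={"admin"}, pot=pot))   # only admin
    print(crack(targets, WORDLIST, pot=pot))                    # the rest; admin skipped
```

Forcing fmt="md5" on the admin entry reproduces the silent failure from the talk: the SHA-256 hash never matches an MD5 digest, which is why checking the format first saves a wasted run.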
Alrighty, so we're going to try something a little bit different. I created a file, which we'll check out here, called targets.txt, where it has a series of users in there. The format provided is the username, colon, then the hash, and this format is what John likes to take in, so that's the way that I wrote it in there. I'm really curious to know what the password of admin is, and if you recall, in this file there are three users, right? But John has an option where I can target one specific user, so I'm going to go ahead and use that option, --users. All right, change this to targets.txt, have my wordlist, I'm going to do --users=admin. Oh, huh, for some reason it's not working. I wonder why. Well, maybe the format is not MD5 after all. Well, if you're ever in doubt, there's a handy tool called hash-identifier, already in our Kali box, which is able to output a prediction of what hash it thinks it may be. So I'm going to go ahead and copy the hash for admin, and I'm going to run hash-identifier. Alrighty, this is really interactive, super cool, so I'll paste this in here and I'll see what the prediction is. Okay, seems like there's a high probability that the hash is SHA-256. Alrighty, so I'll keep that in mind; it wasn't MD5 after all, it's SHA-256, so update my format for it to reflect SHA-256. Awesome, so now this should work. I have my wordlist, my format SHA-256, my file, and the user I'm targeting, which is admin. So let's go ahead and run this, and bam, super fast again: the user admin was using the password admin.

Alrighty, well, John can definitely crack more than one password at a time; so far we've only been doing one by one. So let's go ahead and crack the rest of those users in that file. All right, so I see my two additional users, which are just target1 and target2, so I'll go ahead and crack the rest of it. All right, so all I did was delete the --users option, and I'm going to run this. Alrighty, so it looks like we have here that the first password cracked was look777, the second one was pizzarules. I do agree that pizza rules, but not a great password. And do note as well that the username admin was not cracked here. Why? Because John is able to stash that for you and not repeat the process.

Alrighty, so let's go ahead and recap some of the options we were using for John. The one thing I want you to take into consideration is this thing here, which is john -w wordlist, you pass in the format, and then you have the required password file. We went over hash functions, which were MD5 and SHA-256; there are a lot more than that, so if you're not familiar with them then go ahead and look them up online. And if you're ever in doubt about a hash, do look at hash-identifier, where it's able to give you a prediction of what hash something may be. We looked at a few options, which were the wordlist, as we just talked about, targeting a user, and passing in the format. We used John with and without a wordlist.

So now we'll go into a demo attack scenario. Now that we know how John the Ripper works, we'll go ahead and check out how we can piece all this information together in a very, very basic example. So I have my target. My target is Amy. Amy is my boss; we both work at Dunder Mifflin. I'm extremely upset at Amy because she gave everyone on the team a raise, except for me, so I am a disgruntled employee, and Amy, I'm out to get you. The first thing I'm going to look at, however, is her Instagram. I'm gonna see if she has an Instagram, so I'm going to go ahead and look to see if I can find Amy, and bam, I find her Instagram. All right: "I Love Lucy, I love Stephen King, manager at Dunder Mifflin." Yup, that's her. Okay, hashtag horror, okay. So let's look at the first picture. Oh, that makes sense, you named your puppy Lucy after I Love Lucy; makes total sense now. Okay, the next photo says "man crush every day". Oops, like, Amy, I didn't know that that was a thing for you. Okay, so it was more than literature. I'm gonna look at the horror hashtag. All right, it looks like it's something I don't want to get into, so I'm gonna cancel that; hashtag horror is not for me. Alrighty, so I got some information here: she's really heavy on Stephen King, horror, she loves her puppy Lucy. All right, some information to take now.

Now I'll scroll over and start looking at Facebook to see if I find her Facebook profile. I found her; it's public. Wow, a lot of information here. We'll take a pause here, and I want to ask you all: do you see any identifiable information on her profile? Please raise your hand on this one, if you would like to. Birthday. Anyone else, any other takers? Hometown, I got a hand over there, hometown. Alrighty, so we have her name; her name is definitely identifiable information. We have her birthday, her location, we have music interests, we even have mutual friends that she's connected to. So all this information I'll be taking into account.

Alrighty, now I know that Amy loves to go to this coffee shop; she's always talking about it at work. I just happen to be sitting there, happen to be at the right place at the right time, and captured a password hash. She was trying to log into Spotify, and bam, I got that hash. So let's take a pause at all the information I have so far. I've gathered some info from Amy through social media: through her Instagram I gained some information, through her Facebook, and I now have the password hash of her Spotify account. The next step is to create a wordlist to crack the password, and I'll be using John because that's what we're using so far, so I'm super excited about this. But remember, I love automation. Do you think I have the time to generate my own wordlist manually? No, I don't. Well, there is a tool out there that can do that for me, once it loads.

Alrighty, so on GitHub there is a cool tool called CUPP. It's super cool; it stands for Common User Password Profiler. So this tool is on GitHub, it's free, open to the public, and I have downloaded it, so I'll be using this. It allows me to put in a set of information that I've gathered about my victim into this tool, and it'll output a wordlist for me. So as you can see, I have my main file, which is cupp.py, and I have that hash stored in the file creds.txt, that hash I got from her Spotify account. So let's go ahead and look at the options that CUPP has to offer, and looking at the list, I think I'm interested in interactive mode; yeah, make that easier for me. So I'll go ahead and run this file in interactive mode. All right, so it's prompting me with the first question here: her first name. Well, Amy, so that's easy, awesome. Surname: I don't have one. Nickname: well, sometimes at work we call her Ames, so Ames it'll be. Birthday: well, we got that information from Facebook, so thank you, Amy, for providing that for us, putting that in there already. Partner's name: nope, she's single and not ready to mingle. Child's name: she has none. Her pet: yep, she posted about it, Lucy, okay. Company name: Dunder Mifflin, that's where I work, the best company ever. Okay, keywords about my victim. Oh, I sure do want to put in some keywords; I learned a ton about her so far. So let's think. As you can see here, each key term is delineated by a comma, so I'll put in her hometown, which was Chicago. What else can I think of? Stephen King, yeah, she said man crush every day. Okay, she reads Stephen King, then she's into horror; there was hashtag horror everywhere. Coffee, she always likes to go for coffee; I mean, that's right, that's where I got her hash from, a coffee shop. Animals, she's into animals because she has a dog. I think that's enough information for now. It's asking if I want to include special characters, so yeah, yeah, I'll include special characters, make that better for me. Random numbers, I'll say no; the list will be too long. Let's see what we have with this. Alrighty, wow, we already have our wordlist. Isn't it insane what automation can do for you? So my wordlist is in amy.txt. I'm doing this in print mode so you can just get an idea of all of the combinations of passwords I was able to do just based on those key terms and all the information that it was prompting me to enter. Let's go ahead and look at it a little bit deeper, so I'll get into amy.txt.

So this is in order, so we see some special characters there. Look at the tail: different variations of spelling her name. We'll look in here just so you can get an idea of all of the passwords it was able to generate for us; that was a super easy lift for me, for sure. See Stephen King in here, Lucy, her dog, different iterations of that password, things I wouldn't even think of myself to do. And yeah, she likes punk music, so that's in there also, cool. All righty, great, so now let's see if we can use this with John. So remember, my hash is in creds.txt; that's the hash that I got. Check it out, yup, my hash is in there, awesome. Cool, now we can pipe this into John, but I'm not like 100% sure what that hash is, so hash-identifier is my friend. I'm going to throw that in there, and bam, it says high probability is SHA-1, cool. So that's what I'll be tossing to John, then. Alrighty, so we have a lot of information, and now I can use John.
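The profile-to-wordlist step, as an added illustration in Python (this is not CUPP's cupp.py and is not part of the talk): a simplified stand-in for interactive mode that combines the same answers (name, nickname, pet, company, birthday, keywords, special characters) the way the talk fills them in, and then checks the result against a SHA-1 hash the way John does. The profile values, the 19-04-1980 birthday and the creds.txt hash are constructed here.

```python
"""Profile-based wordlist generation in the spirit of CUPP (added illustration, not cupp.py).

Builds candidates from the prompts answered in the talk and checks them against a SHA-1
hash, to show why a few thousand profile-derived guesses find a password that a generic
14-million-line list never would.
"""
import hashlib
import itertools

# Constructed profile mirroring the talk's fictional victim; no real person.
PROFILE = {
    "name": "Amy",
    "nickname": "Ames",
    "birthday": "19-04-1980",        # constructed DD-MM-YYYY date
    "pet": "Lucy",
    "company": "Dunder Mifflin",
    "keywords": ["Chicago", "Stephen King", "horror", "coffee", "animals", "punk"],
}
SPECIALS = ["!", "@", "#", "$", "_", "."]


def base_words(profile):
    """Every single token from the profile, in lower / Capitalised / UPPER forms."""
    tokens = [profile["name"], profile["nickname"], profile["pet"]]
    tokens += profile["company"].split()
    for kw in profile["keywords"]:
        tokens += kw.split()
        if " " in kw:                     # "Stephen King" -> also "StephenKing"
            tokens.append(kw.replace(" ", ""))
    words = set()
    for t in tokens:
        words.update({t.lower(), t.capitalize(), t.upper()})
    return sorted(words)


def date_parts(birthday):
    """Year, short year, day and month digits from a DD-MM-YYYY birthday."""
    day, month, year = birthday.split("-")
    return {year, year[2:], day, month, day + month, month + day}


def generate(profile, specials=True):
    """Combine words with dates and special characters, the way CUPP's modes do."""
    words = base_words(profile)
    dates = date_parts(profile["birthday"])
    seps = SPECIALS if specials else []
    out = set(words)
    for w in words:
        for d in dates:
            out.add(w + d)
            out.add(d + w)
            for s in seps:                # word_1980, word1980!
                out.add(w + s + d)
                out.add(w + d + s)
        for s in seps:
            out.add(w + s)
            out.add(s + w)
    # Two-word combinations: pet + name, name + company word, keyword + keyword, ...
    for a, b in itertools.permutations(words, 2):
        out.add(a + b)
        for s in seps:
            out.add(a + s + b)
    return sorted(out)


def try_crack(sha1_hex, candidates):
    """Return the candidate whose SHA-1 matches, or None (the john step in the talk)."""
    for c in candidates:
        if hashlib.sha1(c.encode()).hexdigest() == sha1_hex:
            return c
    return None


# Constructed creds.txt hash: SHA-1 of the password the talk recovers with amy.txt.
CREDS_HASH = hashlib.sha1(b"horror_1980").hexdigest()

if __name__ == "__main__":
    wordlist = generate(PROFILE)
    print(len(wordlist), "candidates in the profile-derived list")
    print("cracked:", try_crack(CREDS_HASH, wordlist))
```

The list is tiny next to rockyou.txt, yet it contains the password because every piece of it came from public posts; that is the defender's takeaway, not the size of either list.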
Cool, so my wordlist that I'm passing in is not going to be rockyou.txt; it's going to be amy.txt, that's my specialized wordlist. Got my format, which is SHA-1, I have my password file creds.txt. Let's run this, and bam, extremely fast, I found her password. It's cracked: horror_1980. Is it? Wow, that is amazing. I knew Amy wasn't that smart; hashtag horror everywhere, obviously that's what she's thinking about, right? Okay, well, I have this password and I want to do other things with it, though. I don't care about her Spotify account. Sure, I can look at her address and maybe get the last four digits of her credit card number, but I want to do even greater damage, and I'm familiar that she's a member of Bank of America. So I'm coming for you, Amy. She was using on her Spotify account her work email address, which is really, really bad, so I'm just gonna assume she's using her work address for this as well. So what I'm doing here is called a credential stuffing attack, because I know of a username, or of an email, and now I've got an instance of one password. I'm going to try to now stuff this password into every account known to humanity, well, at least that I know that she has. So that's what I'm doing here, credential stuffing. I'm going to stuff this password in here, and let's see if I'm in. I have spoofed my IP, there's no way that anyone can track that I did this, I'm on VPN, I'm ready to go, I'm a smart hacker. And bam, I am a smart hacker, because Amy is not a great user: she did reuse her password, and bam, now I can do bad stuff, I can empty out her account. Jokes aside, though, that was a very basic example, but these things do happen in the real world.

Now we'll transition to five ways to protect yourself. Alrighty, so please, if you haven't gotten this point so far, it is to not include identifiable information in your credentials. Using passwords like ILoveLucy because you own a dog called Lucy is something that is not going to help you in the long run. It's essential that you use password best practices. There's been some research done at Carnegie Mellon University itself by Dr. Lorrie Cranor, where she has noted that passphrases are much more effective than complex passwords. An example of a passphrase is something like "correct horse battery staple", and if you want to make it a little bit more difficult to crack, then do include special characters somewhere in the mix there. Another thing to note is: do not reuse passwords. As you can see, credential stuffing attacks are quite prevalent, so it's extremely important for you not to reuse a password. And length matters: the longer your password is, the harder it is to crack, and obviously it's amazing because passphrases allow you to have longer passwords, because now they're easier to remember. Another thing to take into consideration, if you're still doubting the strength of your password, is to go check out a password strength meter; one example of this is howsecureismypassword.net. Another thing I want you to notice on this slide is multi-factor authentication, and in that survey I was quoting from earlier, from Digital Guardian, there was approximately 32.8 percent that did not know what two-factor authentication even was. So it's extremely important to be aware that multi-factor authentication exists, if you didn't know so already. An example of this is if I were to log in with my password, right, and then I get a code sent to my cell phone, and I'm able to input that code to then be authenticated in my account. So those are two forms of authentication: something you know, which is your password, something you have, which is your phone. You can also use tokens, sorry, and things like that. So definitely, if you're not familiar with multi-factor authentication, or if you don't have it set up, please do so, because even if someone was able to crack your creds, if they don't have multi-factor authentication set up they're able to get in your account, but if you do, now you have an extra layer of protection, which is awesome.

Another thing is, man, is it hard to remember all these passwords. I mean, there's going to be one for everything; I get exhausted just thinking about it. Well, that's what password managers are for. They help you keep track of all your passwords, and they can also auto-generate them for you, so you don't have to remember all these complex passwords. You may ask yourself, well, Destiny, now I want to know, have I ever been cracked? Like, how can I protect myself, what accounts do I need to change my credentials on? So there is this really handy website, if you're not familiar with it; it's called haveibeenpwned.com. It's really amazing: you're able to put in all of the email addresses that you have different accounts associated with, press that enter button, and it will show you if you have been cracked and what accounts have been cracked. Usually these passwords and things like that are found on the dark web.

All right, so now let's recap. We want to ensure, based on the knowledge you've gained today (I'm sure you're going to expand it in a vast way), that you make sure you have permission before you try to attempt to do any of this. Can't get past that; I just cannot have you leave this and not understand that you need permission. I don't want to see anyone reporting that they went to jail after a BSides. But another thing to note is, now you're a hacker. I mean, it's really easy to be a hacker, anyone can be a hacker, and now you're able to see through the lens of a hacker. Please take these measures to protect yourself: don't use identifiable information, don't reuse your passwords, don't write them down. Now you know about passphrases and all these things that we've learned. That is the end of this talk, and if there aren't any questions I would love to show a quick little video.

[Video audio, partly unintelligible in the recording:] Right, I had one password and we used it forever, and then every time I had a special world, and then come, you would put your password in and it would go "weak". And then I come, Simon, the internet has become very popular. Businesses would insist we must have a new... a capital letter. "I'm sorry, we will not be accepting passwords anymore unless it contains at least one capital letter." We momentarily consider our options before deciding to capitalize the first letter of our password. Fine. But the internet became even more popular, and the businesses said, "I'm afraid you cannot join me unless you have at least one number." Less than half a microsecond's consideration before we collectively decide you should be getting the number one. Yeah, this is acceptable. A whole new, unexpected and exciting dawn emerged of special characters, and businesses would say, "We need a capital letter, we need a number, but we will also require a special character," and we clicked on the button: "Please, can I have some examples of these special characters?" [unintelligible] and there they are. I have no idea [unintelligible] until all of our eyes stop upon the exclamation mark. We just need an input at the end of our capitalized password, just after the one, and it's in this moment [unintelligible] I should probably change my password.

Alrighty, thank you so much, thank you.