SANS Penetration Testing: Category - Passwords

SANS Penetration Testing:

Ever Crack a Password using a Cisco Device?*

[Editor's Note: Here's a short but sweet article by Tim Medin on using Cisco IOS's own capabilities for decoding Type 7 passwords. Now, you might think -- "Why don't I just use one of the conversion websites on the Internet for decoding that?" Or, "I know a free downloadable hacker tool that does just that." But, in some environments, taking sensitive passwords from devices and pasting them into free web-based tools or even downloaded computer attack tools is a BIG HUGE no-no, as you may be leaking some sensitive info to places you shouldn't be. Tim's technique lets you use the router itself to decode the password. Simple, fun, and effective. Thanks, Tim! --Ed.]

If you've done penetation testing for a while, you probably already know that the Cisco Type 7 password is easily reversible. The password is encrypted (not hashed) using the Vigenre cipher, which dates to 16th century. Moreover, the static key is known to the world (it's


SMB Relay Demystified and NTLMv2 Pwnage with Python

By Mark Baggett

[Editor's Note: In this _excellent_ article, Mark Baggett explains in detail how the very powerful SMBRelay attack works and offers tips for how penetration testers can operationalize around it. And, bet yet, about 2/3rds of the way in, Mark shows how you can use a Python module to perform these attacks in an environment that uses only NTLMv2, a more secure Windows authentication mechanism. Really good stuff! --Ed.]

The SMB Relay attack is one of those awesome tactics that really helps penetration testers demonstrate significant risk in a target organization; it is reliable, effective, and almost always works. Even when the organization has good patch management practices, the SMB Relay attack can still get you access to critical assets. Most networks have several automated systems that connect to all the hosts on the network to perform various management tasks. For example, software inventory systems, antivirus updates, nightly backups,


A Penetration Tester's Pledge

by Ed Skoudis

Over the weekend, I was thinking about the wonderful psexec capabilities of tools like Metasploit, the Nmap Scripting engine smb-psexec script, and the psexec tool itself from Microsoft Sysinternals. It's my go-to exploit on Windows targets, once I have gained SMB access and admin credentials (username and password, or username and hash for pass-the-hash attacks). It works on a fully patched Windows environment, giving you code execution with local system privileges of a program or Metasploit payload of your choice. That's especially helpful in a penetration test once you gain access to an internal network that is relatively well patched. We talk a lot about how to leverage this capability creatively and effectively in my SANS 560 course on Network


This is the Winter2012 of our Discontent: Guessing Bad Rotating Passwords

[Editor's Note: Sometimes the most effective and lethal penetration testing and ethical hacking techniques are shockingly straight-forward. Tim Medin offers hugely useful advice in this article on fine-tuning your wordlists based on the target organization's password policy. Read it and live it -- these techniques will make your password guessing attacks much more effective. --Ed.]

When walking into a client, I like to have a number of attacks ready to rock while I let the (usually obligatory) Nmap and/or Nessus scans run. This gives me something interesting to do while I wait for the coffee to replace the blood in my veins. Once I get that engine running and the coffee shakes start, you better stand back.

Password guessing, when done right, is one of the attacks with a high success rate. You may not get an admin account, but it is almost guaranteed that you will get at least one account as a solid foothold. To do this right you need to be mindful of the