﻿1
00:00:00,930 --> 00:00:09,030
Password policy problems. Now, passwords are the key elements of an authentication system, right? They're

2
00:00:09,030 --> 00:00:15,270
like the keys to open a door, so the application should have a strong password policy.

3
00:00:16,080 --> 00:00:17,330
But you do have to be careful.

4
00:00:17,370 --> 00:00:21,750
I don't mean just password complexity with the word "policy".

5
00:00:23,220 --> 00:00:26,050
Password policy is way more comprehensive.

6
00:00:26,910 --> 00:00:30,410
The complexity is just a property of this policy.

7
00:00:31,620 --> 00:00:37,680
So a password policy sets how to transport and store passwords as well.

8
00:00:38,640 --> 00:00:38,910
All right.

9
00:00:38,910 --> 00:00:40,440
So here, as pentesters,

10
00:00:40,440 --> 00:00:42,360
we've got to figure out three things:

11
00:00:43,170 --> 00:00:44,760
Password complexity rules.

12
00:00:45,990 --> 00:00:47,760
Password transmission rules.

13
00:00:48,750 --> 00:00:55,920
And password storage rules. So the last thing is basically how the passwords are stored on the back

14
00:00:55,920 --> 00:00:56,180
end.

15
00:00:57,270 --> 00:01:07,170
So it's not directly a pentest item, but passwords should be salted and encrypted and then stored.

16
00:01:07,620 --> 00:01:16,410
See my meaning: because even if you cannot bypass the login mechanism, if you can reach the database

17
00:01:16,410 --> 00:01:20,990
over an SQL injection and the passwords are not stored properly,

18
00:01:21,870 --> 00:01:22,890
they're going to be dumped.

19
00:01:24,480 --> 00:01:27,670
But we're going to talk about password complexity and transmission.

20
00:01:27,780 --> 00:01:35,430
So the first thing that we should check is to see if the target has a policy or not, because this is

21
00:01:35,430 --> 00:01:39,100
going to shape how to attack the login mechanism of the application.

22
00:01:39,960 --> 00:01:45,690
So if the target has password complexity rules, we should generate the dictionary based on these rules.

23
00:01:47,550 --> 00:01:55,020
So now go to Kali and open up your terminal, and we're going to use crunch to generate a password

24
00:01:55,020 --> 00:01:55,440
list.

25
00:01:57,010 --> 00:02:01,060
And the simple usage from the help screen is printed.

26
00:02:02,050 --> 00:02:08,200
So crunch can create a wordlist based on, well, criteria that you specify. For example, if you type

27
00:02:08,200 --> 00:02:11,040
crunch 4 4 aB1, then

28
00:02:12,450 --> 00:02:19,890
it will print four-character words to the screen by using a, uppercase B, and 1.

29
00:02:22,770 --> 00:02:25,500
So now let's have a look at the man page of crunch.

30
00:02:27,590 --> 00:02:34,100
Crunch has a well-planned man page with examples; scroll down to see some example uses.

31
00:02:35,780 --> 00:02:37,040
And you can quit from here.

32
00:02:38,840 --> 00:02:41,180
So let's use some options.

33
00:02:42,390 --> 00:02:49,020
So it generates wordlists based on a character set, and you need to provide crunch a charset to

34
00:02:49,020 --> 00:02:49,440
start.

35
00:02:50,660 --> 00:02:57,050
So thankfully, it has its prepared lists in this directory already, and then you can choose one of

36
00:02:57,050 --> 00:02:58,790
them or add a new one if you want.

37
00:03:00,200 --> 00:03:11,730
OK, type crunch 8 8 /usr/share/crunch/charset.lst

38
00:03:11,780 --> 00:03:13,760
lalpha and hit enter.

39
00:03:14,790 --> 00:03:18,930
So it's going to produce a long output, but I'm going to stop it here.

40
00:03:21,120 --> 00:03:23,490
And now I'm going to provide my custom charset.

41
00:03:26,630 --> 00:03:28,880
So it was a long output and I'll stop it here.

42
00:03:29,750 --> 00:03:30,930
OK, so let's have a look.

43
00:03:30,950 --> 00:03:35,450
As you can see, the output contains only the characters in my set.

44
00:03:36,790 --> 00:03:39,610
So then you may want to add some special characters like

45
00:03:40,770 --> 00:03:42,660
double quotes or spaces.

46
00:03:43,840 --> 00:03:46,810
And it will cause an error like this if you do that.

47
00:03:47,770 --> 00:03:50,080
So you're going to need to escape them like this.

48
00:03:51,890 --> 00:03:55,520
Or you need to put your set in between double quotes.

49
00:03:58,970 --> 00:04:02,630
So also, I'm going to add a space like this.

50
00:04:03,760 --> 00:04:06,340
And the output is very long, so I'm going to stop it here.

51
00:04:07,570 --> 00:04:11,800
So you can see that crunch is a very powerful command-line wordlist generator.

52
00:04:12,850 --> 00:04:14,560
So it helps us to play with characters.

53
00:04:16,110 --> 00:04:17,490
So by typing this line,

54
00:04:24,160 --> 00:04:28,030
the -t parameter will produce a special output.

55
00:04:29,720 --> 00:04:35,150
And the first two characters will be lowercase, the next two characters will be uppercase, the next

56
00:04:35,150 --> 00:04:39,500
two will be numbers, the last two will be special symbols.

57
00:04:41,430 --> 00:04:46,100
Now, the order in which you specify the characters you want is important.

58
00:04:47,470 --> 00:04:53,950
So it means that you need to specify your charsets in order as lowercase characters, uppercase characters,

59
00:04:54,310 --> 00:04:56,140
numbers and then symbols.

60
00:04:57,230 --> 00:05:03,200
Now, if you aren't going to use a particular charset, you must use a plus sign as a placeholder.

61
00:05:04,660 --> 00:05:10,900
So let me just add a plus sign instead of CD and change it here to lowercase.

62
00:05:13,000 --> 00:05:19,660
So if I use a placeholder for uppercase letters, then it will use all uppercase letters in the English

63
00:05:19,660 --> 00:05:20,350
alphabet.

64
00:05:21,070 --> 00:05:25,720
OK, so we can also limit the number of duplicate characters.

65
00:05:28,050 --> 00:05:32,310
For that, you just use the -d parameter to add a limit.

66
00:05:33,490 --> 00:05:37,210
And this will limit duplicate lowercase letters to one.

67
00:05:38,990 --> 00:05:42,040
Which means a letter will not be present right after the same letter.

68
00:05:43,750 --> 00:05:48,610
Also, we can expand this to uppercase letters as well, and to numbers and symbols too.

69
00:05:51,550 --> 00:06:01,630
So crunch can also print the list after a specific word. So using the -s parameter with a word BDC

70
00:06:01,930 --> 00:06:09,220
12, it will trim words before BDC12.

71
00:06:10,360 --> 00:06:15,730
And using the -e parameter, we can trim the output from the end, like this.

72
00:06:20,070 --> 00:06:24,000
Then the output from crunch can be sent to the screen, a file, or to another program.

73
00:06:25,720 --> 00:06:27,430
Now, adding the -o parameter,

74
00:06:28,800 --> 00:06:32,910
we can then save the output to a file called wordlist.

75
00:06:34,600 --> 00:06:37,240
And I'll show you the generated output.

76
00:06:39,130 --> 00:06:46,120
OK, so besides having a good password policy, the application can still have authentication issues.

77
00:06:47,130 --> 00:06:50,580
One of them is default and weak credentials.

78
00:06:51,910 --> 00:06:58,690
And it's very common to see these values in pre-configured application platforms, hardware web interfaces

79
00:06:59,020 --> 00:07:00,850
and in Internet environments.

80
00:07:02,900 --> 00:07:08,120
Just for the sake of usability, they all come with default usernames, or sometimes default passwords,

81
00:07:08,480 --> 00:07:09,290
or both.

82
00:07:10,780 --> 00:07:17,430
And generally, companies have a standard structure of email addresses or any other text used to define

83
00:07:17,430 --> 00:07:18,440
a user ID.

84
00:07:19,690 --> 00:07:25,780
So what this does is it helps us to predict username values and even passwords.

85
00:07:26,970 --> 00:07:31,050
So what I'm saying is don't even hesitate to use the default values while testing.

