All right, we're back, and this is our co-worker. We felt that we had to give him a quick introduction, because where would we be if we didn't give him this introduction? So this is a statement that Lee asked me to write, that he asked me to prepare before this talk. This is the direct quote from Lee:

"What did you just say about me, you hecking cowboy? I'll have you know I graduated top of my class in the hashtag University, I've been involved in numerous secret pull requests to the hashtag code repository, and I have over 300 GPUs in my basement. I'm trained in gorilla password cracking tactics and I'm the top contributor to hashes.org in the entire US. You're nothing to me but just another dictionary. I'll wipe you out with precision mask attacks the likes of which have never been seen on this earth. Mark my hecking words. You think you can get away with these pull requests? Think again, cowboy. As we speak I'm contacting my secret network of GPUs across the USA and your IP is being traced right now, so you better prepare for the storm, the cluster that wipes out the pathetic little thing you call your password. You're correct, kid. I can crack your password at any time, and I can use it in over 700 ways, and that's not even including my FPGA. Not only am I extensively trained in password-free combat, but I also have access to the entire arsenal of the crypto-mining underground, and I will use it to its full extent to wipe your miserable password off the face of the continent, you little hacker."

Please welcome the password king, Lee.

Welcome to "Hashes Smothered, Covered and Scattered: Modern Password Cracking as a Methodology." My name is Lee Wangenheim. I'm a security consultant here at Optiv. I hack things for fun as well as for a job.
If I wasn't getting paid to do this, I'd be doing it on my own anyway. I've got about five years of infosec experience, mostly focused on the offensive side of the house, and currently I'm helping to run the crackers that we've got here at Optiv.

So why does this matter? Because it only takes one password, and as we know, people tend to use weak passwords. Some examples that we've seen on actual gigs are default passwords for Cisco devices and Microsoft SQL Server; I've even seen iDRAC accounts using the default root and calvin. And everybody's familiar with Fall2019, or I guess now it would be Summer2020. This is a real issue, and we run into it more often than not, and once we've got one foothold into your network we can use that to move laterally as much as we want.

Some of the hardware that we're using: we used to use CPUs and rainbow tables. CPUs are not really working and not really worth it anymore; they've kind of been surpassed now that the modern GPU rigs are out there. We used to use a lot of rainbow tables for lookups, especially on NTLM and the more common hash types. However, those have been kind of supplanted by the new GPU cracking machines. The reason behind that is it's actually faster to use a GPU to crack the hashes via a brute-force attack than it is to try and do a rainbow table lookup, because again, you're burning CPU cycles doing rainbow table lookups versus GPU cycles with the modern GPU setups.

We do sometimes use the cloud, using the new AWS GPU boxes. Those are pretty handy. They are expensive; however, if you do need to throw a lot of power at a hash or a series of hashes, it can be beneficial to go ahead and do that. Sometimes if we're on site and clients don't want their hashes leaving, or if we're on a Wi-Fi gig or something like that, we will use a laptop. Typically a gaming laptop will do better, but you use what you have, right?
If you do happen to still be running a mining rig in 2020, for some of the GPU crypto algorithms such as Ethereum, you can use those, and you can always make a little bit of your money back. I don't do any mining anymore, so I don't know exactly how useful it is in today's world.

Talking about AWS, some of the engagements that we do run here at Optiv are more of an enterprise security assessment, where we'll have a company provide every hash throughout their Windows domain, and then we will throw as many resources as we can at it over a certain amount of time, usually about two weeks of just letting the crackers run, and we'll try to crack as many of their passwords as we possibly can. That kind of engagement is where this methodology was really born, as well as where some of the tools that we've built internally, which I'll be talking about later, have come from.

This is sort of where the cloud was as of 2017. Unfortunately, we don't have too many updated stats, but it's just about the same. It used to be about 14 cents per gigahash-hour, and now it's close to three cents per gigahash-hour.
We do have our internal crackers, which you can see are running at about 0.7 cents per gigahash-hour, and we built those for about twenty-five thousand dollars. So if you're working for a large consulting firm that has the capital to invest in an on-site cracking machine, you can absolutely save money by doing that. However, if you're either a small-time consulting firm or you're doing this as a single contractor or something like that, absolutely look into some of the AWS machines. The p3 16 is currently the largest instance that you can get with GPUs, so that's going to be the best bang for your buck if you're looking to throw a lot of power, as well as using a new tool that we'll touch on in a little bit called Hashtopolis, which allows you to do distributed cracking by attaching multiple instances of hashcat together. Hashtopolis kind of acts as an orchestration engine, handling the binaries and farming jobs out across all of those different platforms, which will allow you to combine both your in-house and your cloud instances and really start throwing massive amounts of power. You just do have to keep in mind that everything will come with a cost: Hashtopolis is free, AWS instances are definitely not.

This slide is shamelessly borrowed from the Terahash corporation. They produce the Brutalis machines. Currently you can see their largest one is running 448 NVIDIA RTX 2080s. So if you're looking at running a brute-force attack, you're talking about doing the entire eight-character keyspace instantly. So eight-character passwords are absolutely dead in 2020. I gave a version of this talk in 2019 and said that they're dead. The same was true in 2018.
It's definitely true now. The amount of power that firms are able to throw at brute forcing, especially NTLM hashes, is just absolutely incredible at this point, and so really you want to work on instructing your individuals to have strong 12-character passwords. As you can see, the exponential growth is just incredible: going from an 11-character password to a 12-character password, it goes from a two-week crack time on an NTLM hash to a three-year crack time. And this is obviously assuming that that password is not going to be in any sort of a word list or any sort of mask that we can create.

Just so that we're all speaking the same language, I'll go over a few key terms, some of which you've probably heard me using previously in this talk, and I'll continue to use them throughout the talk. Masks are the makeup of a word broken into its character sets. This is pretty important. So for instance, if you had Password1 with a capital P, then all lowercase letters, and then a 1, the mask is going to be: capital letter, seven lowercase letters, and then one digit. This becomes really important when you're talking about attacking large numbers of passwords, as you can sort of guess at the makeup of people's passwords. For instance, if I told somebody that they need to make a 12-character password that has a capital letter, lowercase letters and digits, the vast majority of English-speaking individuals are going to create a password that starts with a capital letter, has 10 or 11 lowercase letters, and then has trailing digits: Password1, Summer2020. We've all seen all of those on engagements. It's very, very common. Very rarely will you see them shift, where the middle characters have your uppercase or things like that. It's kind of attacking that human psychology and the human linguistics of how we form words, especially in the English-speaking world.
I did read a very interesting article written by a linguistics professor that touched on differences that you'll see in Asian languages especially, and also some of the Cyrillic languages, as far as password creation and the different masks that we'll see. Unfortunately, I haven't worked any engagements that really leaned heavily on anything other than the typical English character set, so that's where my main focus is, especially when it comes to password cracking.

A hybrid attack is where you're going to be brute forcing. So again, brute forcing is just guessing every possible combination inside the character space, so a through z, digits 0 through 9, and then all of your special characters. So if I have eight-character passwords, I would start with eight a's, and then seven a's and a b, and then continue to work my way through, as I try every single character set that we can against those hashes until we get a match. So a hybrid attack is going to use that brute-force attack, and then you would take a mask and either append or prepend. So if you had, say, a company name, or if you knew that they had something like a five-character password and you wanted to try adding the year to the end of it, you would brute force all character sets for five characters and then add the year on the end of it as the mask in the hybrid attack. So the year would be either appended or prepended.

And so a word list is much different than a password dump, and this is a very important distinction. A word list is the candidate words that you're going to either run by themselves or have modified with rules. So these are going to be dictionary words.
This is not supposed to be a password dump. The difference being, a password dump is going to be passwords that have already been cracked, whereas a word list is going to be basic words like summer or spring, and then you can use those words and modify them via rules in hashcat to create different candidates for cracking. If you take a password dump that has Summer2020 and apply rules to it in hashcat, sometimes those rules will either append or prepend different character sets, so you might get Summer20202020 using Summer2020 from a password dump as a word list. So that would be the distinction there.

This is one of my favorite quotes: if your only tool is a hammer, then every problem looks like a nail. Obviously Mark Twain. And so that's what we'll touch on here in a minute. This is the kit that we use. I'll go into what each of these tools does in the next few slides.

hashcat: it's now the de facto standard as far as password cracking is concerned. It supports just about every hash imaginable. I believe they fixed it, but there was one time that I did have a weird zip file that I did have to use John the Ripper on, but I've never really encountered anything on an engagement that hashcat can't really do. John the Ripper was the de facto standard five to ten years ago. Again, it uses CPU cracking; hashcat is using GPUs. It's very, very well maintained, constantly updated, with lots of improvements, super easy to set up and to integrate with other tools. Also, there's so much information and documentation out there about using hashcat, so if you ever have issues you can always look it up and you usually find the answer.

Hashtopolis. This is what we've been using to kind of integrate our distributed cracking operations. This is a wrapper for hashcat.
What it does is it manages agents, jobs, word lists and hashcat binaries. So basically you log into a web portal via Hashtopolis, and it goes and connects to all the different hashcat instances that you've connected to it. You feed it a list of hashes and you tell it to crack, and then it goes and farms all of this out to those different hashcat instances and does all of the work for you, basically. The other great thing is, if there's a new hashcat binary that comes out, you can push an update to all of your distributed instances via Hashtopolis. So for instance, if you have a bunch of AWS instances spun up and you want to quickly spin up new ones or push a new binary, you can do that very, very easily within Hashtopolis. We don't use this a lot. This is really more for those big enterprise engagements, only because the cost of running a lot of distributed AWS instances does become prohibitive, especially if we're just looking at cracking a Kerberos hash or things that we can typically do on our internal cracking machines.

hashID. This used to be a lot more useful; it's not the most useful anymore. This is if you're having trouble identifying what kind of a hash you've caught. So you find a list of hashes on a client gig and you're not quite sure what you've got; you can use this. The nice thing about this is it is offline, compared to some of the online systems that you can drop hashes into. So if you're trying to keep sensitive data off the internet, you can do it.
If hashID isn't working for you and you've got a new kind of hash that you're not sure on, if there's open source code on GitHub you might be able to see what kind of a hashing algorithm it's using. So if you get it off of a new web application, you can always try and create your own hash and see if you can self-register. So if you somehow get into a database back end and you're able to self-register on the web application, you could create a password of Password1 and then go try and crack that password, since you know the password, and try and figure out what kind of a hash it is from there by throwing different kinds of hashes at it.

PWSpy is a tool that was built internally for Optiv, but it is open source. Some of the cool things that it will do: it will go out and find the most common masks for you. So if you're cracking, again, 20,000 passwords and you've cracked, say, 40 of them on your first pass through, you can have PWSpy analyze those hashes for you and it will tell you which masks you can then plug into hashcat for potentially more success. So say the client has a 12-character minimum, so you find everybody is running an uppercase letter, 10 lowercase letters and then a digit, or things like that. It will also identify weak passwords. You can kind of tweak that with some of the settings in there, by saying only words, or only words and a digit, or things like that. It will break out the different password lengths that you have. It will also pull out different base words.
So if you're doing an engagement and you find that people are using seasons or the client name over and over again to create passwords, you can absolutely use this and show that as evidence to your client to say, maybe you should put a blacklist policy in for different password terms and things like that. The other thing that it will do is analyze and find reused hashes. So if you find multiple people are using the same password, this will identify that, so you could then point that out to the client. It's not usually a big deal if it's Summer2020; it's a big deal, but it's not a deal with people sharing passwords. But if it's a more complex password that you find multiple times, that could indicate that people are either sharing their passwords or somebody is reusing passwords for, say, their local account and then their administrator account, or even DA creds, or somewhere in a SQL server. Feel free to go download PWSpy. It's open source, and I've had a lot of people reach out and suggest edits or find bugs. So please, if there's anything, feel free to either put in a pull request or whatever on GitHub, or reach out to me via Twitter or through GitHub.

So some of the techniques that we use. This is how we kind of hone our skills. So how do you begin? What's the best way to crack a hash? Well, this is a loaded question to me. I get this a lot from our internal team. It kind of drives me a little bit crazy, because it's kind of like asking what's the best way to use nmap. There's no one right answer. Basically, it's kind of experience, and it depends on the goals of your engagement. What are you looking to do? Are you after one hash or are you after multiple hashes?
The algorithm that you're going after is very, very important. An NTLM hash you're going to be able to throw a lot more power at than WPA2, only because it's a much faster algorithm, so you're going to be able to throw more rules and more word sets. One thing we've done in the past with client engagements is, if we're on a wireless gig and say we only have a day or two on site, and we know that they're using a pre-shared key, what we'll do is we will have the client provide us that key and create that hash in either NTLM or MD5, and then run it against our rule sets and our word lists to then demonstrate the impact to that client: hey, we didn't have enough time to crack the WPA2 while we were on site; however, we would have cracked it. So if you have somebody sitting in your parking lot and they capture it, they could potentially come back and get into your network that way, and this is how we did it. So that's one way to kind of work with your clients.

So where do you get hashes? You're always looking for hash dumps. If you can get onto a Linux box and you have root access, you can dump /etc/shadow. Config files are always great. Back-end databases that you can get into. Mimikatz, if you encounter an older Windows system that's not fully patched. Web applications a lot of times will expose hashes, either via misconfigurations or just having their database exposed. We run a lot of Responder or mitm6 on internal gigs.
I'll do a demo of that in a little bit. DCSync and NTDS: these are some of the common ways to find hashes. There are thousands of ways to find hashes. If you're on a wireless gig and you capture a pre-shared key handshake, you can open up Wireshark and get the PSK hash out of there. There are just many, many different ways to get hashes. These are some good ways to start if you're kind of looking to get into it. I would highly recommend building a local lab: setting up Responder on your local lab, or setting up a database, making some hashes, and then just going ahead and trying to crack them. You can also just create a bunch of NTLM hashes or MD5 hashes via some scripts, so make a bunch of passwords that you know and test it out in hashcat. That's a good way to get started.

Developing a methodology. This is really where our password audit kind of came out of. We wanted to create a repeatable process for other people on our team to be able to follow, and make it as easy as possible for a new consultant to just kind of get spun up and start working. These are going to be much more analysis based than hands on the keyboard. This is going to be a lot of letting the cracker run, using your various rules and masks and all of the stuff that we've discussed previously, looking at the results and kind of figuring out where you want to go from there, looking at what their hashes are doing, looking at what the passwords they're using are. Are they a secure company? Are you seeing a lot of crazy hashes that you're not able to crack, or are you seeing a lot of really simple passwords?

The other thing we're going to look for is common words, easy wins. Again, I keep coming back to Summer2020, Password1, company name. Company name and the date that it was founded is a really popular one. Street names. If you're doing a client and there's a local sports team: I'm from Ohio, so in my area you find a lot of Ohio State or Buckeye related passwords. You could extrapolate that across the country; in New England you could do Patriots or whatever. A lot of times we'll find clients will claim that they do their own password audits, but they're not really doing it effectively. They might run hashcat with a base word list, like RockYou or something like that, and say that they covered it. For these enterprise engagements you really need heavy-hitting cracking rigs, either built in house or set up in the cloud, and I would say even just one Amazon p3 16 is not going to really pass muster for this. You're going to want to throw a good amount of resources at these, especially if you're talking 20,000 or more passwords that you're trying to recover.

So what do we do? Again, we go for quick wins. Internally we have some proprietary word lists that we use. They've been tweaked over the years and have a lot of data from all the different breaches, where we've extrapolated common base words and things like that. We'll run those without rules, and then we will slowly start adding things that increase the time of cracking but also increase your possibility of cracking more passwords. So we will continue to run newer and newer attacks against the same list of hashes, and as you'll see in a second...
It's kind of the law of diminishing returns, but as we move through the process we tend to be pretty successful. In house we have the capability to do a one-to-eight-character brute force. That takes about 24 hours on our internal crackers, so we can brute force the entire NTLM keyspace within a day. That's usually about the first day of a password engagement, and then we will run our word lists and then our rules against things. After that we'll use either PWSpy to create different masks, or just use common masks, things like that, and just kind of move on and do more and more advanced attacks as we get closer to the end of the engagement.

This is actually real data, and this is what our password recovery over time looked like on a recent password assessment. As you can see, within the first few hours we cracked the majority of the passwords we were going to crack, and as we moved through, you can see the longer password recovery attempts did yield fewer results. But out of, I believe this was about 18,000 passwords or hashes that we were trying to crack, we cracked almost 14,000 of them, which is pretty good. That was enough to show an impact to the client, and this is over about two weeks of letting the crackers run and then doing a lot of that analysis on the back end and tweaking the rules to match what we were seeing.

How to help your future self. This is really important. You want to have your potfiles. We'll typically separate out potfiles based on clients, but we also keep a master potfile.
That's a historical record of your cracked hashes. It's useful to see if you've already cracked that hash on another engagement, so if you're seeing Summer2020 you're not going to burn cycles trying to crack it again; it will just try that hash. This obviously doesn't work against salted hashes, but it will work against NTLM or any of the MD5 or things like that. Do be really careful about bloat. It can slow down the process, because it's going to check it against the existing potfile. So for instance, we did have a pretty overzealous analyst on the team who decided to add the entirety of the LinkedIn dump into our potfile, and at the time of the dump LinkedIn did not have any password restrictions, so you had a lot of four-character passwords or just plain-text passwords, which is pretty useless against enterprise networks that are running either eight characters with complexity or 12 characters with complexity. So you do want to be careful of that, because you're going to be running each hash against that potfile, and again, you're going to be burning CPU cycles on that.

Common masks. We keep a list of in-house tools that includes the masks that we can copy into our hashcat commands, as well as creating new masks as we see fit on the engagements, but the common ones would be uppercase letters at the beginning and then trailing lowercase letters with digits at the end.

So now we're going to move into a demo.
I'm going to show you sort of what a typical engagement might look like on a client network.

Okay, so for this demo I have a Responder lab built using VirtualBox on my Windows machine. What I've done is I have set up a domain controller, a firewall appliance, a Kali machine and a Windows 10 machine. So you can see all of the machines are up and running. What you see here is IPFire running to route everything together, Windows Server 2012 is currently running to act as the domain controller and the DNS, obviously Kali, which is going to be our attacking machine, and then the WinEval is going to be your Windows 10, simulating a client computer.

Okay, so closing that out. We just want to verify once again that we are on the same network, so we can see both of these hosts are actually networked together on the same subnet. So we'll go ahead and start up Responder here. When you start up Responder, you have to feed it the interface that you're using. What Responder is doing is poisoning the LLMNR and NBT-NS requests that Windows machines will send out. This happens if Windows can't resolve a host name using DNS: it will send broadcast traffic out asking for that information. So Responder kind of steps into the middle between a domain controller and the Windows machine and will respond with the information that they're requesting, but it will then ask that Windows machine to send its authentication to it, which the Windows machine will provide, and then Responder will capture those hashes. You can usually accomplish this by trying to access something that doesn't exist, such as a file share that does not exist or something like that inside your network libraries, and that should be sufficient to generate the LLMNR broadcast traffic. We'll see an example of that here. So I open up the folders and I go to a server that does not exist, and you can see the poison answers are being sent and we're capturing NTLMv2 hashes.

Now this is important. As we start capturing the NTLMv2 hashes, you'll see there are multiple hashes being captured. These are actually the same hash, just due to the nature of NTLMv2. They are salted, so you will receive multiple hashes. When you are going to crack these hashes, what you'll want to do is take one hash per username; that way you're not spending excess time trying to crack the same hash for a user that you've already cracked, or for a user that you're not going to be able to crack. So once we've got that hash we can just copy it over into a text file, which I do here. You can see I drop it into hash.txt, and you could do this for as many of the usernames and passwords that you capture. Hopefully you get something juicy; sometimes you'll be able to get DA creds or things like that.

Okay, so now that we've got hash.txt created, we're going to go ahead and start up hashcat. NTLMv2 hashes are mode 5600, so to accomplish that in hashcat you feed it the -m flag and then 5600. Then you feed it the file name, and then in this particular example we're using a little bit of a contrived example, just for brevity. We're going to use fasttrack.txt, because I happen to know that this particular password for this user, again because I've created the lab, will be in that. Now if this is a live gig, that's where you're going to feed some of the more advanced masks or rules, or definitely stronger word lists, things like that. But you can always start with the quick and easy ones, and maybe you'll get lucky. And if you do, that's awesome.
You haven't spent a lot of time However, um, you know, if if you do need to to use those heavier lists, uh, please feel free to, uh, and You know, uh, definitely use the the masks and such that that you've got working So we start a passcat here again using the mode 5600 Um, and then we feed it the hash hash dot text that we created, um and then We go ahead and feed it the, um, particular word list Which in this case again is stored as user share word list And then we're just using the fast track dot text Once hash cat starts, um, again this, uh, particular Um Kelly instance isn't hooked up to my gpu box. So, um, you'll get some warnings for open cl and things like that um, but, uh, you'll see Uh, the the warnings come through, uh, and then Just because I know that this, uh, works really quickly, uh, you'll see that this cracks. Um, and you can see Uh, password one is is our cracked password Now if, uh, we were cracking multiple, uh, passwords, um, you know, or take longer You would see those in your pot file You can also, uh, create a new pot file by doing, um, dash dash Pot file dash path equals and then name, uh, your your pot file, whatever you want Uh, and that that will, uh, create a pot, uh, pot file specifically for, um, that particular session with hash cat Uh, that's useful if you're running, um, you know, an engagement for a particular client And you wanted to separate out the hashes that you've cracked from them, uh, versus Uh, you know, the the other, uh, engagements that you've worked So you can see here, uh As the hash is cracked, uh, it will, um, append the, uh, password to the end of the hash file Which will, uh, be the exact same way it's presented in the the pot file as well So, uh, now that we've got, uh, our password, um, we can then, um, go ahead and Uh, use those credentials to go and, uh, log in via via windows doing, uh, any particular, uh, thing that we might want to do Okay, so with a little bit of time that we have left, I'd like to do a 
quick demo of pwspy, as it's kind of a new tool that I've developed. It was originally released during 614CON 2019; however, it's gone through some pretty major changes, and I'm happy to announce that the newest version is now live on GitHub for you guys to go ahead and grab if you so choose. So again, this was an internal tool developed mostly to help us deal with the massive amount of information coming from the enterprise password audits. So the intention was that you would take a pot file that you've created specifically for your particular client or engagement, and then you would feed that, as well as the initial hash list that you fed into hashcat, and it would do the analysis for you. That's pretty much been accomplished. There are still a few more bugs and things that I'd like to tweak; however, let's get into it. For this particular demo, I went ahead and grabbed some of the passwords that we've seen in some of the public dumps that are out there, and I went ahead and created some NTLM hashes using those passwords and cracked them using the Optiv cracker to generate the pot file for this demo, so that's what you're gonna see here. So I'll go ahead and open demo.pot, and as you can see, these are just some common passwords, and they've already been cracked, so it's time to do the post-session analysis on that. So we're gonna go ahead and feed this file into pwspy. Now, pwspy, if you open up the help options, you'll see that you can feed it both a pot file and a hash list. The hash list is actually optional.
You don't have to add that. Also, inside the Python script, you can turn individual modules on and off simply by commenting out their calls. Those are down at the bottom of the script, and I'll show you that towards the end of this demo. So in this particular case, because we're using publicly available passwords and we haven't cracked a bunch from a particular company, there's not going to be any reuse, so there's really no sense in doing the hash list as well, so we're not gonna feed that in. Also, some of the modules may not work because there's just not enough data, such as the mask builder, and definitely the password reuse won't work because you need to feed that the pot and the hash list. So we'll go ahead and run pwspy and we'll take a look at the output. So you can see here the output is a pretty standard script output, complete with the required ASCII text for any cool hacker tool, of course. So this shows you some of the various modules that have worked. So as we scroll back, you can see that we have the common base words and the number of times that we've seen those, as well as where the password reuse and the masks would go, which would help you if you were going to do further attacks against this client. The other thing that it will do is tell you the weak passwords. In this case I have it set to just passwords that are plain text, so you can see all of these passwords were cracked and consist of only letters, with no numbers or special characters of any sort. You can always make this more restrictive or less restrictive by editing the Python script. One of the goals for the future is to add options to define what
a weak password would be. And then the last thing that it will do is check the lengths of all the passwords that you have cracked, and as you can see, it splits those out and gives you the number of occurrences. So there were a lot of nine-character passwords and some 10-character passwords. This really becomes helpful if you are, again, doing an engagement and let's say the client says that they've got a 12-character password policy. You can go ahead and check against that and make sure that you didn't capture any passwords that might not fit that policy. Also, if you're gonna build your custom masks that might not be output by this tool, you would be able to use the password length to help you generate those masks as well. So the last thing I wanted to touch on with pwspy is just taking a quick look at the source code and showing where you would turn those modules on and off. So if we cat the file here, you can see that all of the function calls are down here at the bottom, which I'm highlighting here, and from there what you can do is go ahead and comment out any of those different modules, and it will not run those. So if you didn't particularly want to run the mask builder or check for weak passwords or password length for whatever reason, you could go ahead and comment that out.
Again, this is an open source tool. Please feel free to fork and edit it as you see fit, and I hope that this proves helpful to somebody or anybody, especially if you are doing large password assessments. I'd like to thank you for taking the time to listen to today's talk. There have been a lot of great talks here at the Red Team Village, and it looks like there are a few more after me. This has been a great DEF CON despite it being remote. At this time, I would like to just once again reiterate that password cracking methodology is more of a comprehensive approach than a one-size-fits-all. There are many different ways and approaches to cracking passwords, and what works for one person may not work for everybody. So keep that in mind, and always remember that password cracking is, again, not one-size-fits-all; you're not going to be able to do this by just scripting everything. You definitely need to do that deep-dive analysis, really think about what you're going after, and use that to guide the way that you go after your passwords in the future. Hopefully you have taken something away from this talk, and I will be in the Red Team Village Discord for any questions. I'm hx50 in there, and on Twitter you can find me at hx_50. Once again, I would highly encourage you to go ahead and try some of these techniques out on your own. Go ahead and create hashes, you know, set up a lab, and go ahead and crack your own stuff. I will release the instructions on how to set up my lab, as well as possibly setting up just OVA files that you can download. You can also go on GitHub and feel free to grab pwspy if you so choose. You can find that at
github.com, slash L. Wangenheim, slash pwspy, and obviously that's quite the mouthful trying to spell. So if you do want to try and find it and Google doesn't help, feel free to reach out to me. I'm more than happy to either just provide you the link or I can just send you the files directly.
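As an added illustration of the post-cracking analysis the talk describes pwspy doing (example code written for this page, not pwspy's own source), the script below parses a hashcat pot file and reports the length distribution against a stated policy minimum, letters-only passwords, common base words and a per-password hashcat mask. The pot file content, its placeholder hashes and the 12-character policy are constructed for the example; the NetNTLMv2-style line and the $HEX[] entry show the two parsing edge cases a real pot file produces.

```python
import re
from collections import Counter

# Constructed sample pot file (hash:plain); hashes are placeholders, not real digests.
SAMPLE_POT = """\
00000000000000000000000000000001:password
00000000000000000000000000000002:Password123
00000000000000000000000000000003:summer2019
00000000000000000000000000000004:Summer2020!
00000000000000000000000000000005:letmein
00000000000000000000000000000006:$HEX[70617373776f72643a31]
jdoe::CORP:1122334455667788:0000000000000000000000000000000a:0101aabbcc:Welcome1
"""
def parse_potfile(text):
    """Return plaintexts from hash:plain lines. The hash itself may contain colons
    (NetNTLMv2), so split on the last one; hashcat writes plains containing ':' or
    non-printable bytes as $HEX[...], which is decoded here."""
    plains = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        plain = line.rsplit(":", 1)[1]
        m = re.fullmatch(r"\$HEX\[([0-9a-fA-F]*)\]", plain)
        if m:
            plain = bytes.fromhex(m.group(1)).decode("utf-8", errors="replace")
        plains.append(plain)
    return plains

def password_mask(pw):
    """Describe a plaintext as a hashcat mask (?l ?u ?d ?s per character)."""
    return "".join("?l" if c.islower() else "?u" if c.isupper()
                   else "?d" if c.isdigit() else "?s" for c in pw)

def base_word(pw):
    """Strip leading/trailing digits and symbols and lowercase the core."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw).lower()

def analyze(plains, min_length=12):
    """Length distribution, letters-only and below-policy passwords, mask and base-word counts."""
    return {
        "lengths": Counter(len(p) for p in plains),
        "letters_only": [p for p in plains if p.isalpha()],
        "below_policy": [p for p in plains if len(p) < min_length],
        "masks": Counter(password_mask(p) for p in plains),
        "base_words": Counter(b for b in map(base_word, plains) if b),
    }

if __name__ == "__main__":
    for key, value in analyze(parse_potfile(SAMPLE_POT)).items():
        print(key, value)
```

Feed it a real session's pot file (the one created with --potfile-path for that client) and set min_length to the client's stated policy to get the policy-violation list the talk mentions.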