1
00:00:00,820 --> 00:00:01,920
In our previous discussion

2
00:00:01,920 --> 00:00:03,560
about vulnerability assessment tools,

3
00:00:03,560 --> 00:00:06,130
we covered network mapping, vulnerability scanning,

4
00:00:06,130 --> 00:00:07,450
network sniffing tools,

5
00:00:07,450 --> 00:00:09,590
but I put off covering password analysis tools

6
00:00:09,590 --> 00:00:11,780
until this lesson because there's a lot of things

7
00:00:11,780 --> 00:00:13,470
that we need to discuss with the concept

8
00:00:13,470 --> 00:00:15,210
of password analysis tools.

9
00:00:15,210 --> 00:00:17,780
First, what is a password analysis tool?

10
00:00:17,780 --> 00:00:19,040
Well, it's a tool that's used

11
00:00:19,040 --> 00:00:20,720
to test the strength of your passwords

12
00:00:20,720 --> 00:00:22,170
to ensure that your password policies

13
00:00:22,170 --> 00:00:23,900
are being followed properly.

14
00:00:23,900 --> 00:00:26,610
Another name for these is a password cracker.

15
00:00:26,610 --> 00:00:29,270
Now a password cracker uses comparative analysis

16
00:00:29,270 --> 00:00:31,950
to break passwords and systematically guess them

17
00:00:31,950 --> 00:00:34,090
until the password is finally determined.

18
00:00:34,090 --> 00:00:36,310
There's a bunch of different password crackers out there,

19
00:00:36,310 --> 00:00:38,340
but by far the two most well known

20
00:00:38,340 --> 00:00:40,670
are Cain and Abel and John the Ripper.

21
00:00:40,670 --> 00:00:42,100
In fact, in the next video,

22
00:00:42,100 --> 00:00:44,480
I'm going to load up John the Ripper in my lab environment

23
00:00:44,480 --> 00:00:46,810
and I'm going to show you how it can crack the root password

24
00:00:46,810 --> 00:00:48,710
of a Kali Linux machine.
25
00:00:48,710 --> 00:00:50,420
Now, there are four different methods

26
00:00:50,420 --> 00:00:52,420
of doing password cracking and analysis

27
00:00:52,420 --> 00:00:54,230
that can be performed by the various tools

28
00:00:54,230 --> 00:00:55,600
out there on the market.

29
00:00:55,600 --> 00:00:58,170
There's password guessing, a dictionary attack,

30
00:00:58,170 --> 00:01:01,270
a brute-force attack, and a cryptanalysis attack.

31
00:01:01,270 --> 00:01:02,490
With password guessing,

32
00:01:02,490 --> 00:01:03,930
this occurs when a weak password

33
00:01:03,930 --> 00:01:05,557
is simply figured out by a person.

34
00:01:05,557 --> 00:01:08,220
For example, if you happen to know personal information

35
00:01:08,220 --> 00:01:10,800
about somebody, like their dog's name was Fluffy

36
00:01:10,800 --> 00:01:12,630
and their birthday was June 17th,

37
00:01:12,630 --> 00:01:14,930
you might try a few passwords like fluffy0617,

38
00:01:16,070 --> 00:01:18,333
or Fluffy17, or other combinations

39
00:01:18,333 --> 00:01:20,400
to try and guess their password.

40
00:01:20,400 --> 00:01:21,910
If the person chose a weak password

41
00:01:21,910 --> 00:01:24,080
like their dog's name, the name of their high school,

42
00:01:24,080 --> 00:01:25,520
or even the word password,

43
00:01:25,520 --> 00:01:27,730
then password guessing may work for you.

44
00:01:27,730 --> 00:01:30,090
Now although this isn't a technical form of attack

45
00:01:30,090 --> 00:01:32,580
because you're not using algorithms and tools

46
00:01:32,580 --> 00:01:33,800
to crunch it through these

47
00:01:33,800 --> 00:01:35,180
and break up the password,

48
00:01:35,180 --> 00:01:37,110
it can still be quite effective.

49
00:01:37,110 --> 00:01:39,190
I'm sorry to say that I once had a PIN

50
00:01:39,190 --> 00:01:40,520
protecting my smartphone

51
00:01:40,520 --> 00:01:42,466
that my nine-year-old son was able to guess.
52
00:01:42,466 --> 00:01:44,190
That's right, he went through

53
00:01:44,190 --> 00:01:45,460
and he started guessing numbers,

54
00:01:45,460 --> 00:01:47,080
and eventually he picked the right one,

55
00:01:47,080 --> 00:01:49,770
the right four-digit code to get into my phone.

56
00:01:49,770 --> 00:01:53,240
Now again, this is why a good, long, strong password,

57
00:01:53,240 --> 00:01:55,010
or more preferably biometrics,

58
00:01:55,010 --> 00:01:57,430
should be used to secure your devices.

59
00:01:57,430 --> 00:01:59,880
The next method is called a dictionary attack.

60
00:01:59,880 --> 00:02:02,130
In this type of attack, the password cracking program

61
00:02:02,130 --> 00:02:03,840
is going to attempt to use a dictionary

62
00:02:03,840 --> 00:02:05,550
to automatically guess the password

63
00:02:05,550 --> 00:02:08,820
by trying each and every word in that dictionary file.

64
00:02:08,820 --> 00:02:10,660
Now a dictionary attack doesn't just use

65
00:02:10,660 --> 00:02:12,270
common dictionary words, though,

66
00:02:12,270 --> 00:02:14,370
because hackers have created their own dictionaries

67
00:02:14,370 --> 00:02:16,140
that consist of other variations,

68
00:02:16,140 --> 00:02:17,730
like commonly used passwords,

69
00:02:17,730 --> 00:02:19,440
variations on real dictionary words

70
00:02:19,440 --> 00:02:21,800
using numbers, letters, and special characters,

71
00:02:21,800 --> 00:02:23,610
and other such variations.

72
00:02:23,610 --> 00:02:25,110
When I demonstrate password cracking

73
00:02:25,110 --> 00:02:26,650
with John the Ripper in the next video,

74
00:02:26,650 --> 00:02:29,650
I'm actually going to be using a dictionary attack to do it.

75
00:02:29,650 --> 00:02:32,780
The next type of attack is known as a brute-force attack.
76
00:02:32,780 --> 00:02:34,861
A brute-force attack is where the computer program

77
00:02:34,861 --> 00:02:38,300
attempts to try every single combination of a password

78
00:02:38,300 --> 00:02:40,140
until it can find the right one.

79
00:02:40,140 --> 00:02:42,670
Now this can take a lot of computing processing power,

80
00:02:42,670 --> 00:02:44,020
as well as a lot of time,

81
00:02:44,020 --> 00:02:46,490
depending on how long and strong your password is.

82
00:02:46,490 --> 00:02:49,070
But eventually, it will always find it.

83
00:02:49,070 --> 00:02:51,900
So if I set a four-digit PIN to protect my smartphone,

84
00:02:51,900 --> 00:02:53,550
you could basically start at zero

85
00:02:53,550 --> 00:02:58,550
and go 0000, and then 0001, and then 0002,

86
00:02:59,000 --> 00:03:00,960
and keep adding one digit each time

87
00:03:00,960 --> 00:03:02,520
until you find my passcode,

88
00:03:02,520 --> 00:03:05,360
which may be something like 8157.

89
00:03:05,360 --> 00:03:09,756
This means you're going to try 8,157 different passcodes

90
00:03:09,756 --> 00:03:11,650
until you land on the correct one

91
00:03:11,650 --> 00:03:14,910
on your 8,158th attempt.

92
00:03:14,910 --> 00:03:17,930
Now, if it took you two seconds to enter each passcode,

93
00:03:17,930 --> 00:03:20,010
this would take you a little over four and a half hours

94
00:03:20,010 --> 00:03:21,370
to determine my passcode,

95
00:03:21,370 --> 00:03:22,530
assuming you didn't take any breaks

96
00:03:22,530 --> 00:03:25,200
for coffee, a snack, or use the restroom.

97
00:03:25,200 --> 00:03:26,310
Now, as you can imagine,

98
00:03:26,310 --> 00:03:29,100
a computer can try much faster than you can.

99
00:03:29,100 --> 00:03:30,097
In fact, it can do hundreds

100
00:03:30,097 --> 00:03:32,720
or thousands of combinations per second.

101
00:03:32,720 --> 00:03:35,580
So a four-digit PIN can easily be cracked by a computer

102
00:03:35,580 --> 00:03:37,330
in just a couple of minutes.
103
00:03:37,330 --> 00:03:40,250
Now again, this is why longer, more complex passwords

104
00:03:40,250 --> 00:03:41,990
are critical to your security.

105
00:03:41,990 --> 00:03:43,150
By moving from numbers,

106
00:03:43,150 --> 00:03:45,030
which only have 10 options per digit,

107
00:03:45,030 --> 00:03:47,920
to uppercase, lowercase, numbers, and special characters,

108
00:03:47,920 --> 00:03:50,540
we now have exponentially increased the amount of time

109
00:03:50,540 --> 00:03:52,742
that it's going to take to brute-force this password.

110
00:03:52,742 --> 00:03:55,380
Now the final method covered by Security+

111
00:03:55,380 --> 00:03:57,097
is called the cryptanalysis attack.

112
00:03:57,097 --> 00:03:59,790
This attack relies on comparing a precomputed,

113
00:03:59,790 --> 00:04:03,100
encrypted password to a value found in a lookup table.

114
00:04:03,100 --> 00:04:05,180
For example, if you store a password in Windows,

115
00:04:05,180 --> 00:04:07,540
it's actually stored as a hash value.

116
00:04:07,540 --> 00:04:09,150
If I had to calculate every hash

117
00:04:09,150 --> 00:04:11,640
of every dictionary word in my dictionary attack

118
00:04:11,640 --> 00:04:13,420
or every possible password combination

119
00:04:13,420 --> 00:04:14,660
in a brute-force attack,

120
00:04:14,660 --> 00:04:16,850
this takes additional computing power.

121
00:04:16,850 --> 00:04:19,900
But if I have a database of all of those values already,

122
00:04:19,900 --> 00:04:21,950
I can just compare the encrypted password

123
00:04:21,950 --> 00:04:23,480
to the values found in the table,

124
00:04:23,480 --> 00:04:25,960
and if I find it, I can then look in the column next to it

125
00:04:25,960 --> 00:04:27,670
for its unencrypted value.

126
00:04:27,670 --> 00:04:29,550
These tables of precomputed values

127
00:04:29,550 --> 00:04:31,210
are known as a rainbow table,

128
00:04:31,210 --> 00:04:34,330
and these files can be massively large.
129
00:04:34,330 --> 00:04:35,750
One of my favorite rainbow tables

130
00:04:35,750 --> 00:04:38,530
is actually found online at CrackStation.net.

131
00:04:38,530 --> 00:04:41,290
Their table contains 15 billion entries

132
00:04:41,290 --> 00:04:43,710
and is 190 gigabytes in size.

133
00:04:43,710 --> 00:04:46,470
That is a really, really big text file.

134
00:04:46,470 --> 00:04:48,970
Now I said there were only four types of password cracking

135
00:04:48,970 --> 00:04:51,400
you need to know for the security exam, and that's true.

136
00:04:51,400 --> 00:04:53,220
But I wanted to tell you about a fifth option,

137
00:04:53,220 --> 00:04:54,670
which used to be covered by the exam,

138
00:04:54,670 --> 00:04:56,700
but they've taken it out in recent objectives.

139
00:04:56,700 --> 00:04:59,078
Now, if you're not interested, feel free to skip ahead

140
00:04:59,078 --> 00:05:01,090
and just move on from this lecture,

141
00:05:01,090 --> 00:05:02,410
but honestly I'm going to tell you about this

142
00:05:02,410 --> 00:05:03,870
because it was one of my favorites.

143
00:05:03,870 --> 00:05:06,650
Every time I read it in the textbook it just made me laugh.

144
00:05:06,650 --> 00:05:08,850
The fifth method is a very low-tech method,

145
00:05:08,850 --> 00:05:10,500
but it can be effective.

146
00:05:10,500 --> 00:05:12,020
I think they removed it from the textbook

147
00:05:12,020 --> 00:05:13,330
because you're probably not going to use this

148
00:05:13,330 --> 00:05:14,780
in your office environments.

149
00:05:14,780 --> 00:05:15,690
What is it?

150
00:05:15,690 --> 00:05:18,030
Well, it's known as the rubber hose method.

151
00:05:18,030 --> 00:05:18,863
What?

152
00:05:18,863 --> 00:05:20,720
Yes, the rubber hose method.
153
00:05:20,720 --> 00:05:23,080
The rubber hose method was the name they used to call

154
00:05:23,080 --> 00:05:24,670
any kind of password cracking attempt

155
00:05:24,670 --> 00:05:27,550
that was made by the threat or use of physical violence

156
00:05:27,550 --> 00:05:30,270
against the person who actually knew the password.

157
00:05:30,270 --> 00:05:32,650
So if you think back to some of those old military movies

158
00:05:32,650 --> 00:05:35,000
or spy movies, somebody's tied to a chair,

159
00:05:35,000 --> 00:05:37,190
and another big mean guy comes over and punches him

160
00:05:37,190 --> 00:05:38,840
or hits him with a bat and says,

161
00:05:38,840 --> 00:05:41,270
"Tell me the password or I'm going to keep beating you!"

162
00:05:41,270 --> 00:05:43,370
That's basically the rubber hose attack.

163
00:05:43,370 --> 00:05:44,700
They call it this because you can beat somebody

164
00:05:44,700 --> 00:05:47,350
with a rubber hose until they tell you the password.

165
00:05:47,350 --> 00:05:49,540
Alright, like I said, it's not necessary information

166
00:05:49,540 --> 00:05:51,410
for the exam, but it always made me laugh

167
00:05:51,410 --> 00:05:52,670
so I thought I'd share it with you

168
00:05:52,670 --> 00:05:54,840
and maybe give you a chuckle, too.

169
00:05:54,840 --> 00:05:57,167
(electronic tones)