Hands-On Password Attacks and Security
Learn how attackers can bypass passwords and how you can prevent them from doing so.
~ 3 Hours
Passwords have become the top authentication factor in today's world. You use them in combination with an email address or username to sign into almost any service. Big corporations like Google, Microsoft, Amazon, and Facebook still widely use passwords as an authentication mechanism today. But how secure are passwords?
This course focuses on the practical attacks that malicious users use to crack passwords, how you can use these attacks in a penetration test, and how you can prevent them.
We will very briefly cover the basics of cryptography, hashing, and entropy and then immediately go on to crack different types of passwords using different methodologies.
This course is for beginners to intermediate users. They should be more or less familiar with bash or a similar command-line interface, as we will use it for most of the course. They don't need to know much about passwords and password security, as this course is an introduction to those topics.
Participants of the course should, however, be able to create virtual machines and install Windows and Linux.
This course is for you if you have some experience with computers and want to know how to crack passwords or create secure passwords.
It can also be helpful for intermediate users with no experience in password security.
- Easy to understand videos and explanations
- Learn multiple hands-on password attacks that can be used in penetration tests and security assessments
- Basic theory behind password cryptography, hashing, and entropy
- Interesting case studies showing what to do and what not to do
The course will cover some basic theory in the beginning and establish a common jargon. Later on, we will mostly perform hands-on attacks and look at how they could’ve been prevented.
The last section will cover some case studies related to password breaches and attacks.
WHAT WILL YOU LEARN
- Setting up a small environment for security testing
- Bypass passwords using Brute Force Attacks, Dictionary Attacks, Rainbow table attacks, and keyloggers
- Use different tools to perform password attacks
- Prevent Brute Force Attacks, Dictionary Attacks, Rainbow table attacks, and sniffing via keyloggers
- Create strong passwords that you will never forget
- Tools to help you prevent password attacks and/or create a strong password
SUMMARY OF CONTENTS
1. Bypassing your first password
2. Brute Force Attacks
3. Dictionary Attacks
4. Rainbow Table Attacks
5. The downside of passwords
6. Remedies and Mitigations
7. Case Studies
SECTION ONE – Bypassing your first password (~16-30 Minutes)
In this section, we will cover the basics to get started with bypassing passwords: installing all the necessary tools, looking at the structure of passwords, and reviewing some legal considerations.
- Legal considerations 1-3 mins
- Basics of Entropy, Hashing, and Cryptography for password security 5-10 min
- Setting up the environment 5-7 min
- Bypassing your first password 5-10 min
SECTION TWO – Brute Force Attacks (~19-25 Minutes)
In this section, we will cover how brute force attacks work and perform different types of brute force attacks on passwords of different strengths.
- What is a brute force attack and how does it work? 5 min
- Tools & commands for brute force attacks 3 min
- Cracking weak passwords 3 min
- Brute forcing your first real password 3 min
SECTION THREE – Dictionary Attacks (~20 Minutes)
In this section, we will cover how to get a wordlist and perform a dictionary attack with and without rules.
- What is a dictionary attack and how does it work? 5 min
- Tools & commands for dictionary attacks (incl. Dictionaries) 5 min
- Crack a password using a dictionary attack 3 min
- Crack a password using a dictionary attack and rules 5 min
SECTION FOUR – Rainbow Table Attacks (~20 Minutes)
In this section, we will cover what rainbow tables are and how to get them. We will then perform an attack on a password using a rainbow table.
- What is a rainbow table attack and how does it work? 5 min
- What are rainbow tables? 3 min
- Tools & commands for rainbow attacks 5 min
- Crack a password using a rainbow table 5 min
SECTION FIVE – The downside of passwords (~25 Minutes)
In this section, we will cover the downsides of passwords and miscellaneous vulnerabilities arising from passwords and their (mis)use. We will also take a brief look at alternatives to passwords.
- What will be covered in this section? 5 min
- Credential Stuffing 5 min
- Password Spraying 3 min
- Keylogger Attacks 10 min
- Alternatives to password authentication 5 min
SECTION SIX – Remedies and Mitigations (~35 Minutes)
In this section, we will cover the remedies for the attacks demonstrated in the course. We will also take a look at different password managers and how they can or cannot solve our problems with passwords.
- Protect your passwords against Brute Force and Dictionary Attacks 5 min
- Protect your passwords against a Rainbow Table Attack 7 min
- Prevent your key actions from being recorded by a keylogger 5 min
- Other considerations 7 min
- Password Managers, The All-in-One Solution? 10 min
SECTION SEVEN – Case Studies (~25 Minutes)
In this section, we will look at some real-life cases where passwords were stolen or cracked and abused by an attacker. We will also take a look at how it could’ve been prevented and what the consequences for the company were.
- Case Studies 25 min
SETUP AND INSTALLATION
Minimum Hardware Requirements
For successful completion of this course, students will require a computer system with at least the following:
- OS: Mac, Linux, Windows
- Processor: 6 Cores
- Memory: 6 GB
- Storage: 250 GB
Recommended Hardware Requirements
For an optimal experience with hands-on labs and other practical activities, we recommend the following configuration:
- OS: Linux
- Processor: 8 Cores
- Memory: 16 GB
- Storage: 1 TB
- Operating system: Mac, Linux, Windows
- Browser: Firefox, Chrome
- VirtualBox, Latest Version: https://www.virtualbox.org/wiki/Downloads
- Windows 10 Developer or Evaluation VM (for VirtualBox): https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/
- Kali ISO: https://www.kali.org/downloads/