AndroidAggie

hacking someone's login

so i know that most servers are centos or rhel or perhaps even ubuntu.  i guess some others might even be windows server.  (gross.)

and i know that password files in linux servers are typically stored in /etc/shadow.  i also know that they're hashed and salted.  and i know that you can brute force most 32 character passwords in less than a week.  perhaps even less than a day.  but you have to have the password hash list to pull it off.

just trying random passwords, or even passwords that you think the user might use -- like @halfmanhalfbronco's password may be KellenMooresNipples1985 or something -- is pretty foolish.  it won't get you anywhere. 

but how the heck do you get that hash list?  @retrofade, do you know?


A lot of the leaked hash tables that end up out on the darkweb or wherever don't even end up there because they were even stolen from a web accessible vulnerable server. A lot of the time it's physical security measures that are overcome... a disgruntled employee copying it to a flash drive, someone with high access privileges having their creds obtained via some variation of a phishing attack. It really only takes one flawed security measure to run the risk of a giant breach, and that isn't even taking into account some of the stuff that the owner of the service may have true control over, as it could be a newly discovered hardware or software fault that ends up being exploited.

This also reminds me of one of my favorite xkcd's...

orw06a7.png


1 minute ago, thelawlorfaithful said:

My God.

Trump is colluding with the Mormons now.

Resistance is futile. You will be assimilated.

"BYU is like a 4-year-long church dance with 20,000 chaperones all waiting for you to forget to shave one morning so they can throw you out." -GeoAg


I consider myself a passwordologist.

Since most of my socks are based on school affiliation, my passwords are all the same combination of the same key phrase and a prominent figure associated with that school. For as many socks as I have it's the only way to go. Or maybe all my passwords are "P@ssword123" I forget


14 minutes ago, retrofade said:

Just not Romney.

This is Stunner’s work, no doubt about it.

 

17 minutes ago, Naggsty Butler said:

Resistance is futile. You will be assimilated.

I for one welcome our new overlords of these United States of Deseret.

We’re all sitting in the dugout. Thinking we should pitch. How you gonna throw a shutout when all you do is bitch.


12 hours ago, retrofade said:

A lot of the leaked hash tables that end up out on the darkweb or wherever don't even end up there because they were even stolen from a web accessible vulnerable server. A lot of the time it's physical security measures that are overcome... a disgruntled employee copying it to a flash drive, someone with high access privileges having their creds obtained via some variation of a phishing attack. It really only takes one flawed security measure to run the risk of a giant breach, and that isn't even taking into account some of the stuff that the owner of the service may have true control over, as it could be a newly discovered hardware or software fault that ends up being exploited.

This also reminds me of one of my favorite xkcd's...

orw06a7.png

that is indeed an excellent xkcd

so most hash tables that are leaked are because someone with access to it stole it?


1 hour ago, AndroidAggie said:

also @retrofade, do you think that the reason why phishing is so prevalent is because it's easier to reset your target's password rather than obtain the hash list?

and here's one of my favorite xkcd regarding infosec

image.png.c379fa0a529c8f49d115f1ea9cf673ca.png

I mean, social engineering is prevalent because fooling people is the goal all along, right? It doesn't matter if you fool them by unlocking a door with a lockpick, by copying their door key, by knocking down the front door, or by tricking them into letting you in and thinking it's their idea. You're in with all of those scenarios.

Remember that every argument you have with someone on MWCboard is actually the continuation of a different argument they had with someone else also on MWCboard. 


  

1 hour ago, AndroidAggie said:

that is indeed an excellent xkcd

so most hash tables that are leaked are because someone with access to it stole it?

I don't know if I can say "most" in that instance, but I can say with some degree of certainty, because of the people I know in InfoSec, that things like that are very prevalent. Either via someone "leaking" it or it getting out via a compromised account rather than a compromised web server. That's not to say that compromised web servers aren't also a way that the information gets out, but that the other way is far more prevalent than people might think. A friend of mine used to work for a company that did business with a lot of financial institutions, and those financial institutions were required to disclose the methods of breach, security measures taken, etc., whenever they had a breach of customer data. She told me that contrary to what I thought, true exploits weren't as common as someone simply reusing a password multiple places. Which brings us to...

 

1 hour ago, AndroidAggie said:

also @retrofade, do you think that the reason why phishing is so prevalent is because it's easier to reset your target's password rather than obtain the hash list?

and here's one of my favorite xkcd regarding infosec

image.png.c379fa0a529c8f49d115f1ea9cf673ca.png

 

Spearphishing is becoming very prevalent because it's easy to target and exploit someone at a specific location rather than trying to "hack" the affected services directly. Sometimes, the services that you would want access to aren't even web accessible, so you would need to get at them through other means... so you would go after credentials instead. Go read through the methods that Fancy and Cozy Bear used when gaining access to the DNC, DCCC, Podesta, and a ton of different election boards. It wasn't generally through directly exploiting a server, but rather through phishing or spearphishing to get credentials and/or plant malware. Plus, as mentioned by Black Hat there, people reuse passwords for EVERYTHING... so it's something that is unfortunately relatively easy to exploit. Pro tip people, get a goddamned password manager with 2FA. 

Also, I love the comment by Black Hat of not believing in anything since March 1997... which has always made me think he was the mastermind behind Heaven's Gate. 


6 minutes ago, happycamper said:

I mean, social engineering is prevalent because fooling people is the goal all along, right? It doesn't matter if you fool them by unlocking a door with a lockpick, by copying their door key, by knocking down the front door, or by tricking them into letting you in and thinking it's their idea. You're in with all of those scenarios.

I guess I thought the goal was to get the goods. If the social engineering is easier than the software exploit to obtain them then that wouldn't surprise me. People are weaker than software and that's saying something 


2 minutes ago, AndroidAggie said:

I guess I thought the goal was to get the goods. If the social engineering is easier than the software exploit to obtain them then that wouldn't surprise me. People are weaker than software and that's saying something 

Software is just an extension of people.  Social engineering is more cutting the knot than anything.  

Remember that every argument you have with someone on MWCboard is actually the continuation of a different argument they had with someone else also on MWCboard. 


16 minutes ago, retrofade said:

  Spearphishing is becoming very prevalent because it's easy to target and exploit someone at a specific location rather than trying to "hack" the affected services directly. Sometimes, the services that you would want access to aren't even web accessible, so you would need to get at them through other means... so you would go after credentials instead. Go read through the methods that Fancy and Cozy Bear used when gaining access to the DNC, DCCC, Podesta, and a ton of different election boards. It wasn't generally through directly exploiting a server, but rather through phishing or spearphishing to get credentials and/or plant malware. Plus, as mentioned by Black Hat there, people reuse passwords for EVERYTHING... so it's something that is unfortunately relatively easy to exploit. Pro tip people, get a goddamned password manager with 2FA. 

Also, I love the comment by Black Hat of not believing in anything since March 1997... which has always made me think he was the mastermind behind Heaven's Gate. 

what, so, fake websites to scrape credentials?  phishing emails that lead to someone going to www.appl1e.com/user/signin?userid=retrofade@mwcboard.com&reset_password=true ?


Just now, AndroidAggie said:

what, so, fake websites to scrape credentials?  phishing emails that lead to someone going to www.appl1e.com/user/signin?userid=retrofade@mwcboard.com&reset_password=true ?

Fake websites are a big one, as are those exact type of phishing emails that claim that the help desk in your organization requires you to change your password for xyz security change reason. That stuff is a big part of why companies are finally investing so heavily in cybersecurity for their employees. Those types of emails could also deliver a malware payload that could slip through on a system, or if the employee accesses their email from their home computer, it could deliver it there. If that employee accesses email from home, they could also access their corporate network from home via VPN, so then the malware could spread from that point.

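A defender-side check for the lookalike sign-in link discussed in the two posts above, as an added example that is not part of the original thread. The `TRUSTED` allowlist, the function names and the two-label domain heuristic are assumptions made for illustration; the first sample URL is the one quoted in the thread, the others are constructed.

```python
from urllib.parse import urlsplit

# Constructed allowlist: domains users legitimately sign in to (assumption).
TRUSTED = ("apple.com", "mwcboard.com")
# Digit-for-letter swaps commonly seen in lookalike names.
DIGIT_SWAPS = str.maketrans("01357", "olest")


def host_of(url):
    """Extract the lowercased host; only the host decides where a link goes."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url, max_distance=2):
    """Return (verdict, trusted domain the URL matches or imitates)."""
    host = host_of(url)
    # Naive registrable domain: last two labels (no public-suffix list).
    domain = ".".join(host.split(".")[-2:])
    if domain in TRUSTED:
        return "trusted", domain
    folded = domain.translate(DIGIT_SWAPS)
    for good in TRUSTED:
        near = min(edit_distance(domain, good), edit_distance(folded, good))
        # Also catch a trusted name used as a subdomain of another domain.
        if near <= max_distance or good in host:
            return "lookalike", good
    return "unknown", None


if __name__ == "__main__":
    for u in ("www.appl1e.com/user/signin?userid=retrofade@mwcboard.com&reset_password=true",
              "https://www.apple.com/", "https://apple.com.signin.example/reset"):
        print(classify(u), u)
```

The trusted address in the query string of the first sample does not affect the verdict, because only the host is compared.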

1 minute ago, retrofade said:

Fake websites are a big one, as are those exact type of phishing emails that claim that the help desk in your organization requires you to change your password for xyz security change reason. That stuff is a big part of why companies are finally investing so heavily in cybersecurity for their employees. Those types of emails could also deliver a malware payload that could slip through on a system, or if the employee accesses their email from their home computer, it could deliver it there. If that employee accesses email from home, they could also access their corporate network from home via VPN, so then the malware could spread from that point.

and that's the magic that the russkies are using, eh?


3 minutes ago, AndroidAggie said:

and that's the magic that the russkies are using, eh?

That's the magic most people with nefarious intentions are using these days from what I've read and been told. There are also obviously still exploit attacks and whatnot, but it's easier to try and gain what you need through phishing and exploit tools.
