Password Spray

00424_12112019_PodcastPasswordsWeakestLink

Informational, InfoSec 101, Password Cracking, Password Spray, Podcasts Darin Roberts, Password cracking, password policy, passwords

Podcast: Passwords: You Are the Weakest Link

Why are companies still recommending an 8-character password minimum? Passwords are some of the easiest targets for attackers, yet companies still allow weak passwords in their environment. Multiple service providers recommend 8-character minimum passwords based on outdated data. Download Slides: https://www.activecountermeasures.com/presentations Originally recorded as a live webcast on December 5th, 2019 Presented by: Darin Roberts & […]

Podcast: Play in new window | Download

Subscribe: RSS

Read the entire post here

00423_12112019_WebcastPasswordsWeakestLink

Informational, Password Cracking, Password Spray, Webcasts Darin Roberts, password policy, passwords

Webcast: Passwords: You Are the Weakest Link

Why are companies still recommending an 8-character password minimum? Passwords are some of the easiest targets for attackers, yet companies still allow weak passwords in their environment. Multiple service providers recommend 8-character minimum passwords based on outdated data. Slides for this webcast can be found here: https://www.blackhillsinfosec.com/wp-content/uploads/2020/09/SLIDES_PasswordsWeakestLink.pdf 3:26 – In The Beginning 4:23 – What The Experts Say: […]

Podcast: Play in new window | Download

Subscribe: RSS

Read the entire post here

Blue Team, Blue Team Tools, Informational, Password Cracking, Password Spray Darin Roberts, password policy, passwords

Passwords: Our First Line of Defense

Darin Roberts // “Why do you recommend a 15-character password policy when (name your favorite policy here) recommends only 8-character minimum passwords?” I have had this question posed to me a couple of times in the very recent past. There were 2 separate policies that were shown to me when asking these questions. First was […]

Read the entire post here

00387_05112019_PODCAST_Weaponizing_Intel

Password Spray, Phishing, Podcasts, Recon, Red Team, Red Team Tools, Social Engineering Beau Bullock, Demos, FireProx, Mike Felch, PII, recon, Social Media, Social Trust Attack, tools

Podcast: Weaponizing Corporate Intel. This Time, It’s Personal!

Beau Bullock & Mike Felch// Strategically targeting a corporation requires deep knowledge of their technologies and employees. Successfully compromising an organization can depend on the quality of reconnaissance a tester performs up front. Often times testers only resort to using publicly available tools which can overlook critical assets. Download slides: http://www.activecountermeasures.com/presentations/ In this one-hour BHIS podcast […]

Podcast: Play in new window | Download

Subscribe: RSS

Read the entire post here

C2, External/Internal, How-To, Informational, LLMNR, Password Cracking, Password Spray, Phishing, Recon, Red Team, Red Team Tools, Webcasts Attack Tactics, crackmapexec, Ethical Hacking, HTA, john strand, Jordan Drysdale, Kent Ickler, LLMNR, MailSniper, Password cracking, password spraying, pen-testing, phishing

Webcast: Attack Tactics 5 – Zero to Hero Attack

Timecode links take you to YouTube: 4:11 – Infrastructure & Background8:28 – Overview & Breakdown of Attack Methodology and Plans11:35 – Start of Attack (Gaining Access), Password Spraying Toolkit15:24 – Mailsniper, Retrieve Global Access List21:58 – Lateral Movement, OWA, VPN, SSH27:05 – Scanning/Enumeration, Nmap SSH Brute Force, “Find Open”, Movement, Gaining Access34:07 – Gaining Access, […]

Read the entire post here

External/Internal, How-To, Informational, Password Spray, Red Team, Red Team Tools, Web App Bypass IP Filtering, Darin Roberts, Foxy Proxy, IP Rotation, password spray, ProxyCannon, ProxyMesh

How To Rotate Your Source IP Address

Darin Roberts// IP-Go-Round – Source IP Rotation I was on an engagement recently that was blocking my password sprays based on my IP address. If I made 3 incorrect requests from my IP, I was blocked out from making any other requests for 30 minutes. How annoying is that? It is a great form of […]

Read the entire post here

How-To, Password Spray, Recon, Red Team, Red Team Tools InSpy, password spraying, recon, recon tool, red team tools

I Spy with InSpy v3.0

Darin Roberts// Early in 2018 I wrote a blog about InSpy. InSpy is a great reconnaissance tool that gathers usernames from LinkedIn. My first blog can be found here. A few months ago, a co-worker mentioned to me that InSpy was now requiring an API key. I found out that the updated version did in […]

Read the entire post here

External/Internal, Password Spray, Red Team domain admin, local admin testing, password, password spraying

Wide-Spread Local Admin Testing

Brian Fehrman // In our experience, we see many Windows environments in which the local Administrator password is the same for many machines. We refer to this as Wide-Spread Local Administrator Re-use. This type of configuration is extremely advantageous to an attacker. Once the attacker has the local Administrator password for one computer, they can […]

Read the entire post here

Password Spray, Red Team bad passwords, password, passwords

Check\ Your\ Tools

Brian King // There’s a one-liner password spray script that a lot of folks use to see if anyone on a domain is using a bad password like LetMeIn! or Winter2015. It reads a list of users from a file, a list of passwords (or just one password, if you’ve got a healthy streak of […]

Read the entire post here

1 2