Fast password cracking - Hashcat wordlists from RAM

  • Published 18 May 2024
  • Password cracking often takes a long time. Brute force is normally your last option. But before that, a wordlist usually helps guess the password faster.
    Popular wordlists like Rockyou are good for general cases, but making password lists specific to the user can produce faster results. One of the best data sources to produce a customized wordlist is a target's RAM.
    Thank you to our Members and Patrons, but especially to our Investigators, TheRantingGeek, Roman, and Alexis Brignoni! Thank you so much!
    We show how to use strings to extract password candidates from a RAM dump and use the resulting wordlist with Hashcat, a high-powered password cracking tool.
    00:00 Custom wordlists for Hashcat
    00:45 Why use memory for wordlists?
    02:07 What you need to begin
    02:50 Dump strings from memory with strings
    05:09 Count the total number of password candidates from memory
    05:49 Optimize by removing duplicates
    07:36 Optimize by removing obviously wrong strings
    08:16 Use the wordlist with hashcat
    10:39 Why so fast?
    11:10 Password cracking general procedure
    11:50 Conclusions
    bit.ly/2Ij9Ojc - 👍 Subscribe for weekly videos
    ❤️ Get early access and bonus content - bit.ly/DFIRSciMember
    Links:
    * hashcat.net/hashcat/
    Related book:
    * Hash Crack: Password Cracking Manual v3 (amzn.to/3Hmpe63)
    #hashcat #wordlist #forensics #dfir
    Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. Please link back to the original video. If you want to use this video for commercial purposes, please contact us first. We would love to see what you are doing.
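
The steps listed in the description (dump strings, count them, remove duplicates, remove obviously wrong entries) can be followed in Python as below. This is an added example, not code from the video; the sample bytes, the function names and the 8 to 32 character length bounds are assumptions made for illustration.

```python
import re

MIN_LEN, MAX_LEN = 8, 32  # assumption: plausible password lengths for this case

# Printable runs of 4+ characters, as single bytes and as UTF-16LE (char + 0x00).
ASCII_RUN = re.compile(rb"[\t\x20-\x7e]{4,}")
UTF16_RUN = re.compile(rb"(?:[\t\x20-\x7e]\x00){4,}")

# Constructed sample standing in for a memory image; not data from the video.
SAMPLE_IMAGE = (
    b"\x00\x01\x02user=alice\x00\xff\xfe"
    + b"Tr0ub4dor&3x\x00\x13\x07"
    + b"\tTr0ub4dor&3x\x00\x9c\x9d"                          # duplicate with a leading tab
    + "Winter2024!pw".encode("utf-16-le") + b"\x00\x00\x9c"  # stored as 16-bit characters
    + b"abc\x00\x9d"                                         # too short to be extracted
    + b"/usr/lib/x86_64-linux-gnu/libexample-very-long-path.so.1\x00"
)


def extract_strings(image: bytes) -> list[str]:
    """Return every printable run: one single-byte pass, one UTF-16LE pass."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(image)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(image)]
    return found


def build_wordlist(strings: list[str]) -> list[str]:
    """Trim whitespace, drop duplicates (first-seen order), drop implausible lengths."""
    kept = {}
    for s in strings:
        s = s.strip()  # leading tabs or spaces would otherwise defeat de-duplication
        if MIN_LEN <= len(s) <= MAX_LEN:
            kept.setdefault(s, None)
    return list(kept)


if __name__ == "__main__":
    raw = extract_strings(SAMPLE_IMAGE)
    words = build_wordlist(raw)
    print(f"{len(raw)} strings extracted, {len(words)} candidates kept")
    print("\n".join(words))
```

On a real multi-gigabyte image, pass an `mmap` of the file instead of reading it into a `bytes` object; the regular expressions work on both.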

COMMENTS • 16

  • @modhafferrahmani 3 months ago

    I love it, I am considering a career change from DevOps to cybersec and this simple yet powerful trick is what motivates me to pursue it more.

    • @mr.s1961 2 months ago

      Perhaps, but remember these attacks are only good for residential/very small business. Any legitimate enterprise has enterprise-based security. That means you can't hack the wifi password as there's none to be hacked (uses cloud-based individual user domain accounts with 2factor). Same goes for other technologies outside of 802.11 at the enterprise level.

  • @oakitoki 1 year ago

    Great video and presentation (very well spoken and truth). Just curious what you prefer to use for dumping ram (LiME)?

    • @DFIRScience 1 year ago +1

      LiME is good for Linux and custom jobs. AVML (github.com/microsoft/avml) is v. nice for Linux and cloud systems. Windows I usually use FTK Imager (www.exterro.com/ftk-imager) or Magnet RAM capture (www.magnetforensics.com/resources/magnet-ram-capture/)

  • @cedricvillani8502 1 year ago

    A very well read presentation, that should keep the Script kiddies busy for months ;) j/k lulz. Anyway there’s also other hardware and software dedicated to keeping a copy of every keystroke you type for Simple purposes(for example) of providing next word and character prediction. p.s especially for swipe to text and speech to text BUT I don’t believe YouTube will allow for such videos to be online for long. (I’ve lost accounts for less) Great video though!! it’s so refreshing to hear proper English and not some YouTube Ph.D vomiting out a smattering of “umm’s” “sew-do’s”, and-or (hmmm NOR?haha) “ruffles have ridges” every few words. So Thank You again, you wonderful human being.

    • @DFIRScience 1 year ago

      Thanks a lot. You're right about the other HW. Pretty sure it would be removed quickly. :D

  • @mohassane132 1 year ago

    Thank you for the video, is there any efficient tool to decompress snappy extension? I have tried with Hadoop fs -text with no success

    • @DFIRScience 1 year ago +1

      If it is a RAM dump, AVML supports snappy decompression. It might work on other data as well. github.com/microsoft/avml

    • @mohassane132 1 year ago

      @DFIRScience This is great, thank you!

  • @christianmarkferris5064 1 year ago +1

    Hello
    I made an encrypted .rar file and did a RAM dump, however when I was looking through the strings, the password for that file did not come up. Is there any workaround to this? (The password to access the file was entered multiple times during the same session.)
    PS. This was done on Windows
    Thanks in advance

    • @DFIRScience 1 year ago

      I would use strings with PowerShell's Select-String to try to find partial matches of the password.
      strings [memimage] | Select-String [pass]
      strings for Windows searches in ASCII and Unicode by default, but maybe the rar program takes in a different encoding.
      You might want to open the RAM dump in a hex editor and do some partial password search to see what you can find.
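
The partial-match and encoding search suggested in the reply above can be scripted. This is an added example, not code from the channel: the secret, the sample bytes, the function names and the list of encodings tried are assumptions, and nothing here states which encoding any particular archive program uses. It reports the byte offset of each hit, which is the position to jump to in a hex editor.

```python
# Encodings to try. Assumption: UTF-8, Windows ANSI (cp1252) and UTF-16LE.
ENCODINGS = ("utf-8", "cp1252", "utf-16-le")

SECRET = "Z\u00fcrich#2024"  # constructed test password containing a non-ASCII "u-umlaut"

# Constructed sample standing in for a memory image.
SAMPLE_IMAGE = (
    b"\xaa\xbb" + SECRET.encode("utf-16-le") + b"\xcc\xdd"    # full copy, 16-bit
    + b"hdr:" + SECRET[:4].encode("cp1252") + b"\xee\xff"     # leftover fragment, ANSI
)


def offsets_of(haystack: bytes, needle: bytes) -> list[int]:
    """All start offsets of needle in haystack, overlapping matches included."""
    out, pos = [], haystack.find(needle)
    while pos != -1:
        out.append(pos)
        pos = haystack.find(needle, pos + 1)
    return out


def locate(image: bytes, secret: str, part_len: int = 4) -> list[tuple[str, str, int]]:
    """Return (encoding, fragment, offset) for the secret and its head/tail fragments."""
    fragments = [secret]
    if len(secret) > part_len:
        fragments += [secret[:part_len], secret[-part_len:]]
    hits, seen = [], set()
    for enc in ENCODINGS:
        for frag in fragments:
            try:
                needle = frag.encode(enc)
            except UnicodeEncodeError:
                continue          # fragment not representable in this encoding
            if needle in seen:
                continue          # same bytes already searched under another name
            seen.add(needle)
            hits += [(enc, frag, off) for off in offsets_of(image, needle)]
    return hits


if __name__ == "__main__":
    for enc, frag, off in locate(SAMPLE_IMAGE, SECRET):
        print(f"{off:#010x}  {enc:<10} {frag}")
```

A secret containing a non-ASCII character is split or missed by a plain ASCII strings pass, which is one way a password can be present in the image and still not appear in the strings output.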

  • @megapro1725 1 year ago

    7:56 Z 👍

  • @reckoningoggy1017 1 year ago

    Can I use a wordlist from a cloud drive like OneDrive or Google Drive in hashcat password cracking?

    • @DFIRScience 1 year ago

      Definitely. If you have a way to extract strings from the files found there, you can make a keyword list. The easiest way would be if the cloud drives were mounted locally. Then you could just use strings over the directory structure.

  • @ya-asmr 1 year ago

    And nothing about how to delete those tabs in strings

    • @DFIRScience 1 year ago

      I like to use sed in Linux to remove all white space:
      $ command | sed -r 's/\s+//g'
      linuxhint.com/sed_remove_whitespace/
      If you are on Linux maybe check out "tr". If you use MS Code, you can search and replace tabs. I would do everything right in the cli, but some people like to use text editors.