Presented at
BSidesDC 2014,
Oct. 18, 2014, 1:30 p.m.
(50 minutes).
We’ve all seen the major security firms show off their password cracking setups on Twitter and their blogs. But it’s not that hard – or expensive - to build a serious password cracker for your own company. In fact, the real attackers probably sport similar hardware to use against you. While it can look daunting to pick from the massive number of GPUs available on the market, it’s not that difficult to nail down your requirements and put together a fast rig able to crack a significant number of passwords in a short period of time. This presentation will show you what to look for, how to pick your equipment, and considerations for building and maintaining your rig – from piecing the system together to
considering your power requirements.
But a password cracker is useless if you don’t know how to use it. It’s all too common for pen testers and auditors to use a dictionary or two and a couple of simple brute force attacks and give up. There are tons of options in most cracking tools to increase the effectiveness of your cracking efforts. We’ll show you how to use your new password cracker and the industry favorite oclHashcat effectively to crack a significant number of passwords in a short amount of time, with minimal brute forcing.
Presenters:
-
Jonathan Fallone
- Senior Penetration Tester at Knowledge Consulting Group
Jonathan Fallone is a penetration tester and security consultant for Knowledge Consulting Group (KCG) in Reston, VA. He is a 2010 summa cum laude graduate of Strayer University with a Bachelors of Science in Information Systems (BSIS), concentrating in security administration. He’s worked as a contractor for the Department of the Navy, Naval Sea Systems Command, performing DoD Information Assurance Certification and Accreditation Process (DIACAP) assessments on Team Submarine systems. Most recently,
Jonathan has worked as a technical assessor and pen tester on numerous government and industry assessments, using multiple frameworks, including NIST 800-53 and PCI. He was also the primary technical assessor for KCGs independent review of the Akamai Content Delivery Network (CDN) for their FedRAMP ATO effort.
Jonathan’s primary area of interest is in internal penetration tests and password cracking. He’s recently worked on providing proof of concepts and practical application of the Cold Boot and FireWire attacks on local memory, and has published a paper on the subject on EthicalHacker.net. He holds the GPEN, Certified Ethical Hacker (CEH), Security+, Network+, and A+ certifications, and is an Intermediate Level Navy Validator.
Links:
Similar Presentations: