Your goal is to crack all, or as many as possible, of the passwords by brute force on an average system built in 2016: an Intel Core i5 5th Generation CPU, 16 GB DDR3, onboard video only, a 240 GB SSD and an additional 500 GB HDD.
This is a laptop without expansion capability, and you have no adapters or other tools for adding storage, mounting the client's storage, or any other tricks beyond this laptop, which is what you use for your ethical hacking. You also cannot offload compute workloads to the cloud or elsewhere (i.e. you must use this one system for all tasks and cannot combine your resources with the compromised environment to distribute workloads). Given the above, in which of the following situations would access to precomputed rainbow tables found on the Internet be of the least value in accomplishing the goal of testing the client's password security? (Time is likely an important variable to keep in mind.)
For extra points, rank the situations from lowest to highest value, with 1 being the least value.
Assume that you have no 0-days and no ability to create tools or exploits to advance the process, and just above-average skills, relying only on a common password cracker that can use rainbow tables and/or a dictionary file. The networks and systems are patched with default configurations and policies based on the situations presented, and unless otherwise noted have an average of 100 users/passwords.
Assessing a local web application, used internally only, that was developed and maintained by in-house staff and is used primarily as a CRM with ERP integration. The local network follows the latest NIST framework: 2012 R2 servers, Windows 10 Enterprise workstations, multi-factor authentication with RSA hardware tokens on SecurID 8.x SPx with RBA enabled, GPO locked down for the workstations and DC, and full disk encryption. Tokens are SID800s (both a PIN and a USB smart card), the systems only accept TPM authentication to boot the OS, and CIS standard baselines are applied. You have no access to the network except on the segment where the internal web application sits, where you were able to identify a PHP vulnerability and obtain access to the username database, which was encrypted with MD5 at the time of design. You were not given access to the AD domain, nor was it in the project scope; the target is just the web app, and you now have a copy of its encrypted database. Complex passwords are required because PII is stored in the database as well. SSO is not enabled, the system is Apache, and it is only accessed by a handful of employees. Your obstacle is that you cannot read the users or passwords due to the MD5 encryption and the complex password requirement of 13 alphanumeric characters with 2 upper case, 2 lower case, 2 different symbols and at least two numbers. The CIS Apache baseline tool was used on this system, as was the CIS baseline for the FreeBSD OS. The server itself also requires multi-factor authentication with the same RSA protections, and no reverse shell or shell is available; however, the clients are not required to use 2FA to log in to see their account records, and this is how you can verify success or failure.
The same client as above has called you back and believes they have mitigated the risk for what they need until a newly designed version is ready for production use. Until then they have the same internal web application, in which you identified another PHP sanitation/input validation failure that left a vulnerability you exploited to obtain access to the username database, still encrypted with MD5 as it was at the time of design, but you noticed it is not the same as the one you cracked above. Maybe they changed their passwords since then; a quick test reveals they did, however your attempt to crack it again failed upon testing. Did they use a different encryption? You determine that this is still an MD5 hash and that it must be salted. You were given a copy of the password policies, which show that changes every 30 days are required and that the 13-character alphanumeric with ASCII symbols rule is the same as above. The admin did not secure the web app, as you have a copy of their encrypted database again, but he did up his game with the salted hashes, as they have PII stored in the database as well as PCI DSS regulation to follow, according to the client's description of the billing data stored on the client. SSO is not enabled, the system is Apache, and it is only accessed by a handful of employees. Your obstacle is that you still can't read the users or passwords due to the salt. Furthermore, you get lucky and get the salt of a regular user account that was used for testing and just has dummy information, as you can tell from the address 123 Main St.; yet using this salt you go to test the next user and the login fails... You thought you'd save time and use your prior user list, assume the user was removed, and try another user with the same salt to determine the MD5 hash's password, but it too fails... Once more you try, this time on an employee account, and it too fails...
You are certain it is MD5, as the document outlines this, and conclude they must now have individual salts for each user, who also have new passwords since last time and slightly different usernames: before it was their e-mail address, but now it is just xxxxxx@domain.com, or at least you believe so, as that is what worked for the 1st account you cracked. The server itself also requires multi-factor authentication with the same RSA protections, and no reverse shell or shell is available; however, the clients are not required to use 2FA to log in to see their account records, and this is still how you can verify success or failure, as you have the files.
Attacking the SAM file on a 2003 R2 server with XP workstations and the default GPO applied to the domain. You are tasked with gaining access to a privileged account or to the network from your laptop, without social engineering or physical access being granted to you. Their network is designed well: segmented, using RADIUS or TACACS+ for the switches, with NAC implemented and policies in place. In these policies you notice a BYOD policy that makes you more distressed, as Cisco ISE is enabled as well, but then you notice a section about guest access and are able to connect this way. You launch an ARP attack and an ad hoc attack on an employee who appears to be from another office, and he/she ends up connecting to the guest network rather than continuing to be disconnected and having weird name resolution issues; you use this to get access to their local file system and find a backup of their registry and SAM file. Using this you guess they might have the same network account and realize that even though RADIUS, NAC and Cisco ISE are all available to them and in use on the hardwired LAN, they resorted to WPA2-PSK for their wireless access on the corporate side, as they really don't use it beyond meetings and for guests, but it gives you an in that you further exploited to obtain the SAM file from an AD server.
You have a pile of Apple iPhones, all running iOS 8 or earlier, that you are to provision for the corporate network. They were bought, but are encrypted and you do not have the access codes for them. They are new hardware models (6s), but iOS 8.x was used for whatever reason, and now you need to get into all of these devices or waste your budget on 100 new ones. You have mobile forensic tools to connect to them and try brute force, if you dare.
A. Incorrect. Sniffing, Cain & Abel and other tools will easily crack LM and/or NTLM hashes, and pre-generated tables would not provide the most value, as a standard AD domain GPO does not force both highly complex passwords and a higher level of encryption. This allows LM hashes, with old XP machines authenticating to the domain using simple passwords that any modern PC can crack in ample time: LM is not case sensitive and stops at 8 characters, though it allows longer passwords, which NTLM would take advantage of; but NTLM is also very weak and dated, and so easily cracked. Simply forcing LM encryption or passing the hash would allow you to continue gaining further control of the enterprise, along with an optional attack using LC3 or higher to sniff and wait for the domain admin to log in if they were not in your local SAM file. Still, this is not the least value, as it could assist better than the correct answer, where tables would be of no value. Rated #2, as it likely has little value: given the outdated AD servers and XP workstations one would assume the passwords would crack quickly and be stored in the local cache, possibly even with the admin using a single word for privileged accounts.
B. Incorrect. The rainbow tables will speed up the cracking process, since complex passwords are used but there is no salt on the hash, and MD5, once a standard, is relatively weak now and being phased out, though still better than LM or NTLM given that a complex password policy is enforced. Rank #3.
C. Correct. You will not be able to find a database covering the combinations of salted hashes, nor use attacks on accounts whose passwords may be the same, as each account is individually salted before being hashed. Tables would have to be created: even if you were able to determine the salt for one account, you would then need the next salt, build rainbow tables for those MD5 hashes, then again for the next, and so on for the remainder of the 100 accounts, potentially running out of storage space; and these would not be available on the web given the unique hashes from a random salt. Some exist for basic salts like "pass" or simple words, but you'd essentially have to brute force every possible salt, create another rainbow table for each possibility, and then run each of those tables against the hashes until each one is individually cracked. This is nearly impossible even though it is MD5, and it'd be pointless without some serious power; even then the passwords would likely change before you finish, and by then a new encryption and solution would be in place and you'd have been fired. This is why this is the correct answer and #1. See the end for a technical explanation of how this works; there is a link if you do not understand individually salting each account before hashing.
D. iOS 9.x is the hard one you hear about on the news; 8 is simple. You just connect it to your laptop and run Cellebrite, EnCase, AccessData or many other tools that allow you to mount the device and run a cracker against it. We feel this is the easiest of the group to get into, as most have a simple PIN or password, since no policy existed other than the initial authentication, and these will crack easily; and if you're like me you have VMware Workstation running, and the extra RAM would allow you to run through 3+ at a time, limited mainly by your USB ports. You need a cable to charge it, so this is assumed to be part of the device and not an outside tool. Worst case, if one takes longer than you have time for, you simply wipe it, as these did not have anything important on them for your client: they were bought refurbished, or claimed to be, and were really just a lot that someone was lazy about wiping. Rank #4.
For a better understanding of why: http://stackoverflow.com/questions/420843/how-does-password-salt-help-against-a-rainbow-table-attack
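To make answer C concrete, here is an added illustration (not from the question author or the linked post) of why one precomputed MD5 table covers every unsalted account but none of the per-user salted ones. The user names, passwords, word list and salt length are constructed for the demo; a real table would be far larger, and the same multiplication of work applies to it.

```python
import hashlib
import os

# Constructed sample data: three users, two of whom reuse the same password.
# The passwords are deliberately in the tiny word list so the table can hit them.
USERS = {"alice": "Summer2016!", "bob": "Pa55word#1", "carol": "Summer2016!"}

# Stand-in for a downloaded word list / precomputed table source (constructed).
WORDLIST = ["password", "Summer2016!", "Pa55word#1", "letmein", "qwerty"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def unsalted_store(users):
    """Design-time scheme from scenario B: MD5 over the bare password."""
    return {u: md5_hex(p.encode()) for u, p in users.items()}


def salted_store(users):
    """Scenario C: a random per-user salt is prepended before hashing and
    stored beside the hash (8 random bytes here; length is an assumption)."""
    store = {}
    for u, p in users.items():
        salt = os.urandom(8).hex()
        store[u] = (salt, md5_hex((salt + p).encode()))
    return store


def build_lookup_table(wordlist, salt=""):
    """Precompute hash -> password for ONE salt ('' = the generic unsalted table).
    With per-user salts a fresh table is needed for every user."""
    return {md5_hex((salt + w).encode()): w for w in wordlist}


def crack_unsalted(store, table):
    """One generic table resolves every unsalted hash it covers."""
    return {u: table.get(h) for u, h in store.items()}


def crack_salted_with_generic_table(store, table):
    """The same generic table applied to salted hashes: nothing matches."""
    return {u: table.get(h) for u, (_, h) in store.items()}


def tables_needed(store):
    """Distinct salts == number of separate tables an attacker would need."""
    return len({salt for salt, _ in store.values()})
```

Note also that the two users sharing a password produce identical unsalted hashes but different salted ones, so a single crack no longer exposes every reuse; in current practice the fast MD5 would additionally be replaced by a slow password hash, but the salt argument stands on its own.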