Blog Posts Tagged with "Hashing"


Refresher Series - Capturing and cracking SMB hashes with Cain and Half-LM rainbow tables.

December 20, 2012 Added by:f8lerror

On to the fun stuff, to capture a hash we want to use the Metasploit capture SMB auxiliary module, which is located in auxiliary/server/capture/smb. Leave the default settings with the exception of the CAINPWFILE. Set this to output the file where ever you like...

Comments  (0)


When Log Files Attack: IEEE Data Leak

September 28, 2012 Added by:Tripwire Inc

The fact that usernames and passwords were being logged to a plaintext file itself is problematic, even if the passwords are being hashed when stored in a database, if such data is logged in plain text it defeats the entire purpose...

Comments  (0)


Cross-Protocol Chained Pass the Hash for Metasploit

August 29, 2012 Added by:Rob Fuller

Every so often someone writes a Metasploit Module that is pretty epic. July 12th was one such day, and as soon as you do you can start using this (using the example resource file to put a file, cat it out, enum shares available, list files on a share) then psexec all from a single URL being loaded...

Comments  (0)


Yahoo!'s No Encryption Trumps LinkedIn's Unsalted Hash

July 12, 2012 Added by:Headlines

Just a month after LinkedIn experienced a significant security breach and caught flack for not "salting their hash", the revelation that the Yahoo! credentials were not even stored in an encrypted format should have everyone concerned about how seriously companies are taking the security of their users...

Comments  (0)


ICS-CERT: Credential Management

June 13, 2012 Added by:Infosec Island Admin

Credential caching should be disabled on all machines. A common technique employed by attackers is referred to as “pass the hash.” The pass the hash technique uses cached password hashes extracted from a compromised machine to gain access to additional machines on the domain...

Comments  (0)


ZOMG: LinkedIn was Hacked and our Passwords Were Leaked

June 10, 2012 Added by:Infosec Island Admin

LinkedIn and other companies like Sony have shown time and again, they DON’T CARE about YOUR data. Always remember this people. So, you want an account on these places, then you best make a throw away password and limit your data on the sites that host it. Otherwise, your data will be up for the taking...

Comments  (1)


LinkedIn Fails Security Due Diligence

June 07, 2012 Added by:Marc Quibell

Poor security practices led to the password database ending up in Russia. We can also say that the best security practices were not applied to the security of our passwords: LinkedIn did not "salt their hash" and therefore the passwords were much more vulnerable to simple brute force attacks...

Comments  (0)


LinkedIn Hacked: Change Your Password

June 06, 2012 Added by:Headlines

Reports indicate that as many as 6.4 million passwords have been compromised. Though the passwords are in encrypted form, reports indicate that they are being cracked at a rapid rate, with somewhere near 300,000 passwords already revealed, putting those LinkedIn members' accounts at risk...

Comments  (0)


Recovering Windows Passwords Remotely in Plain Text

April 26, 2012 Added by:Dan Dieterle

There has been a lot of buzz across the web the last few months about a program called “Mimikatz”. It is an interesting program that allows you to recover Windows passwords from a system in clear text. The passwords for anyone who has logged into a machine can be displayed...

Comments  (0)


CISSP Reloaded Domain 4: Cryptography

March 28, 2012 Added by:Javvad Malik

Cryptography, the dark art of information security. The deus-ex-machina, the silver bullet, the be all and end all of all security measures, so profound cryptography was first classed as a munitions. Widely misunderstood, often poorly implemented...

Comments  (1)


LM Hash Flaw: Windows Passwords Easy to Crack

March 01, 2012 Added by:Dan Dieterle

The thing is that the lower security hashes are not present on the SAM stored on the hard drive. When the security accounts are loaded into active RAM, Windows re-creates the LM hashes. The LM Hash can be pulled from active RAM using the Windows Credential Editor (WCE)...

Comments  (0)


Encryption: A Buzzword, Not a Silver Bullet

February 16, 2012 Added by:Danny Lieberman

Encryption, buzzword, not a silver bullet for protecting data on your servers. In order to determine how encryption fits into server data protection, consider four encryption components on the server side: passwords, tables, partitions and inter-tier socket communications...

Comments  (0)


Encryption: On Hashing Basics

February 08, 2012 Added by:PCI Guru

Never store the obscured value along with the truncated value. Always separate the two values and also implement security on the obscured value so that people cannot readily get the obscured value and the truncated value together without oversight and management approval...

Comments  (0)