Auth & Crack: Password Security in Aotearoa

Presenters and Expertise

  • Jim Rush (Senior Squeely): Senior Offensive Security Consultant (PrivSec), hash cracker, and bug bounty enthusiast. CVEs include Jellyfin Media Server, Adguard DNS, Microsoft ASP.NET 66, 77 & 88, Zitadel, and precisely Spectrum Analysis.

  • Jack Moran (itz-d0dgy): Senior Offensive Security Consultant (Tier Zero) and DEFCON32 speaker. CVEs involve Kramer, Moodle, Blackboard, MS Word, MS Outlook, and Visual Studio.

Fundamentals of Authentication

  • Hashing: A one-way function converting plaintext to ciphertext; described as turning a potato into a hash brown.

  • Salting and Peppering: Unique strings added to hashing functions to improve security.

  • NTLM: New Technology LAN Manager, appearing in versions NetNTLMv1 and NetNTLMv2.

  • NZISM: New Zealand Information Security Manual, a framework for organizational compliance which sometimes leads to "malicious compliance" passwords like iamnzismcompliant.

Initial Access: Password Spraying and Stuffing

  • Password Spraying: A "low and slow" brute force attempt using one password against an entire userbase (1 password, many users).

  • TrevorSpray: A tool by Black Lantern Security that can load balance across 18 quintillion IPv6 addresses to bypass IP lockouts. It targets modules like Okta, Cisco VPN, Azure AD / Entra, ADFS, and MSOL.

  • Username Enumeration: Identifiable through Skype, Entra, ADFS, and structured email formats (Firstname + lastname).

  • Error Messages: Microsoft codes such as AADSTS50126 (invalid credentials) or AADSTS50053 (locked account) reveal account status.

  • Credential Stuffing: Automates login attempts using data leaked from third-party breaches on the dark web.
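As an added example (not from the talk or its presenters), the spray shape described above, one password tried against many users, is what a defender can look for in sign-in logs: one source IP failing against many distinct accounts in a short window, while a single user mistyping their password fails many times against one account. The log line format and the sample lines are constructed assumptions; the AADSTS codes are the ones named in the talk.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log lines (not real data): timestamp, source IP, user, AADSTS code.
SAMPLE_LOG = """\
2024-11-04T09:00:01Z 203.0.113.10 alice@example.co.nz AADSTS50126
2024-11-04T09:00:03Z 203.0.113.10 bob@example.co.nz AADSTS50126
2024-11-04T09:00:05Z 203.0.113.10 carol@example.co.nz AADSTS50126
2024-11-04T09:00:08Z 203.0.113.10 dave@example.co.nz AADSTS50126
2024-11-04T09:00:11Z 203.0.113.10 erin@example.co.nz AADSTS50053
2024-11-04T09:01:00Z 198.51.100.7 alice@example.co.nz AADSTS50126
2024-11-04T09:01:30Z 198.51.100.7 alice@example.co.nz AADSTS50126
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (AADSTS\d+)$")
# AADSTS50126 = invalid credentials, AADSTS50053 = locked account (as cited in the talk).
FAILURE_CODES = {"AADSTS50126", "AADSTS50053"}

def parse(log_text):
    """Parse the assumed line format into (timestamp, ip, user, code) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crashing the detector
        ts, ip, user, code = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, code))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_users=4):
    """Return {ip: distinct_users} for source IPs whose authentication failures
    touch at least min_users distinct accounts within any `window`-long span."""
    by_ip = defaultdict(list)
    for ts, ip, user, code in events:
        if code in FAILURE_CODES:
            by_ip[ip].append((ts, user))
    alerts = {}
    for ip, fails in by_ip.items():
        fails.sort()  # sort by timestamp so the sliding window below is valid
        for i, (start, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_users:
                alerts[ip] = len(users)
                break
    return alerts
```

The repeated failures from 198.51.100.7 are all against one account and are not flagged; the first IP is, because five distinct users fail from it within seconds.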

Windows Vulnerabilities and Hash Leaking

  • Protocol Leaks: Windows authenticates frequently, leaking hashes via SMB, .lnk files, or SSRF on IIS.

  • Responder: A rogue authentication server used on internal networks to poison protocols like NBT-NS, mDNS, and LLMNR to capture NTLMv2 hashes.

  • Flagship CVEs: Critical vulnerabilities in Outlook, MS Word, and Visual Studio allow hash theft.

  • CVE-2024-38200: A URI handler exploit that bypasses Office security controls and A/V by leveraging ms-word URI schemes and a 302 redirect to a file share.

Cracking Methodologies and Cloud Pivoting

  • Cracking: Utilizes collisions via Dictionary and Brute-force attacks with tools like John the Ripper.

  • Common Weaknesses: Users often use Welcome2024, Welcome2025, or seasonal variations (Summer2024) and increment them as part of a 90-day rotation.

  • Post-Exploitation: Successful credential theft leads to pivoting into cloud environments (AWS, Azure, Google Cloud, Salesforce) to access PII, databases, and Incident Response Playbooks.