Description:
How Yash and Anvay constructed this week's hack!
What if I told you that without having proper security measures in place, your password could get stolen and cracked! Because of this, we want to educate you on how to make sure that this doesn’t happen.
Well, to first see if you’d be able to solve it on your own, here’s the challenge. Somehow find a way to find the hash (a specific encrypted string that's created through an algorithm) of a user's password. Then, try and crack that hash!
It’s pretty hard to do, right? So let’s show you how we actually made the challenge first, and maybe that’ll give you a couple hints to solve it on your own!
The first thing we had to do is actually make the user, and set that user’s password. We did this by going to the “Other users” window on our laptop, and adding a new user!
After creating the account, we set a password. For the sake of this demonstration, the username was “insecureaccount” and the password was “password!”
One thing that is crucial to note is that we had to make the password very insecure. This exploit generally only works with insecure passwords. This is because of a large password breach in 2009 called the RockYou password breach. This password breach contained the 14 billion most commonly used passwords, and is accepted as the most popular wordlist for password cracking!
Now, back to the creation. The next thing we had to do is enable a setting called “Reversible password encryption.” We set this through an application called group policy editor. This enabled us to, well, encrypt passwords in reverse, or, decrypt passwords! Without this setting, the exploit would be completely impossible.
So… what did you learn?
✰ Keep your passwords very secure
✰ Disable the setting “reversible password encryption”
And that’s all we had to do for actually setting up this capture-the-flag challenge!
But wait!
Before you start, you're going to need to know two important things!
1. How to use Kali Linux
2. How to use HashCat
Good luck!