Chapter 14: Exercises — Password Attacks and Authentication Bypass

⚖️ Legal Note: All exercises must be performed in your own lab environment against systems you own or have explicit written authorization to test. Never attempt password attacks against production systems or accounts belonging to others. Handle any recovered credentials securely and destroy them after the exercise.

Exercise 14.1: Password Storage Analysis

Objective: Understand different password storage mechanisms and their relative security.

Instructions: 1. Write a Python script that takes a password as input and generates the following representations: - Base64 encoding - MD5 hash (unsalted) - SHA-256 hash (unsalted) - SHA-256 hash with a random 16-byte salt - bcrypt hash (cost factor 12) - Argon2id hash 2. For each representation, document: - Whether it is reversible (encoding vs. hashing) - Whether it uses a salt - The computational cost of generation - The estimated time to crack using Hashcat on a modern GPU 3. Generate hashes for three passwords of varying complexity: password, P@ssw0rd!, and kX9#mQ2$vL7@nR4&bY6.

Expected Deliverable: Python script, generated hashes, and analysis table comparing security properties.

Exercise 14.2: Wordlist Generation and Analysis

Objective: Create effective custom wordlists for targeted password attacks.

Instructions: 1. Download the RockYou wordlist from Kali's default location (/usr/share/wordlists/rockyou.txt.gz). 2. Analyze the wordlist to determine: - Total number of unique passwords - Top 20 most common passwords - Distribution of password lengths - Percentage containing only lowercase letters - Percentage meeting typical complexity requirements (upper + lower + digit + special, 8+ chars) 3. Use CeWL to generate a custom wordlist from a website of your choice (or set up a mock MedSecure website). 4. Create a combined, targeted wordlist for the MedSecure scenario by adding: - Medical terminology - Organization name variations - Current year/season combinations - Common keyboard patterns

Expected Deliverable: Analysis statistics, custom wordlist, and documentation of wordlist creation methodology.

Exercise 14.3: Online Password Attack with Hydra

Objective: Practice online password attacks against common services.

Prerequisites: Lab environment with SSH, FTP, and HTTP login services running.

Instructions: 1. Configure your target with three accounts having passwords of varying strength (weak, medium, strong). 2. Use Hydra to attack the SSH service with the RockYou wordlist. 3. Use Hydra to attack an HTTP POST login form with a custom wordlist. 4. Record the time taken and number of attempts for each successful crack. 5. Implement account lockout on the target (3 attempts, 5-minute lockout) and repeat the attack. Document the difference. 6. Implement rate limiting and document the impact on attack speed.

Expected Deliverable: Hydra command outputs, timing comparisons, and analysis of defensive effectiveness.

Exercise 14.4: Password Spraying Attack

Objective: Understand password spraying methodology and its advantages over brute force.

Instructions: 1. Create a lab Active Directory domain with at least 20 user accounts, each with unique passwords. Set 3 accounts to use common passwords (e.g., Spring2026!, Welcome1!, Password1). 2. Configure the domain password policy: lockout after 5 attempts, 30-minute lockout window. 3. Use CrackMapExec to spray a single password (Spring2026!) against all 20 accounts. 4. Wait for the lockout window and spray the next password. 5. Document: - Number of accounts compromised - Total time to complete the spray - Any accounts locked out (should be zero if done correctly) - Windows Event Log entries generated (Event ID 4625 for failures, 4624 for successes)

Expected Deliverable: CrackMapExec output, Event Log analysis, and spray methodology documentation.

Exercise 14.5: Hash Extraction and Offline Cracking

Objective: Extract password hashes from a compromised system and crack them offline.

Prerequisites: Compromised Windows lab VM with SYSTEM-level access.

Instructions: 1. Use Impacket's secretsdump.py (or Meterpreter's hashdump) to extract local SAM hashes. 2. If you have a domain controller, extract NTDS.dit hashes. 3. Identify the hash format (LM, NTLM, NTLMv2). 4. Use Hashcat to crack the extracted hashes: - Phase 1: Straight dictionary attack with rockyou.txt - Phase 2: Dictionary attack with best64.rule - Phase 3: Mask attack for common patterns 5. Record the percentage of passwords cracked in each phase and the time taken.

Expected Deliverable: Hash extraction evidence, cracking results with statistics, and a password audit summary.

Exercise 14.6: Hash Type Identification

Objective: Practice identifying different hash types from their format.

Instructions: Identify the hash type for each of the following (do not attempt to crack them):

1. 5f4dcc3b5aa765d61d8327deb882cf99
2. $2b$12$LJ3m4ys3Lg2PqCiO7JkNEO8eScS8rCVWlg3SVnSAfkl4oMeSKuhYa
3. aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889
4. $6$rounds=5000$saltsalt$abcdef1234567890...
5. $krb5tgs$23$*user$DOMAIN$service/host*$abc123...
6. $argon2id$v=19$m=65536,t=3,p=4$c29tZXNhbHQ$...
7. e10adc3949ba59abbe56e057f20f883e
8. $1$salt$hash...
9. cbfdac6008f9cab4083784cbd1874f76618d2a97
10. user::DOMAIN:challenge:response:blob

For each, state: the hash algorithm, whether it is salted, the Hashcat mode number, and its relative cracking difficulty.

Expected Deliverable: Completed identification table with justifications.

Exercise 14.7: Hashcat Mask and Rule Attacks

Objective: Master advanced Hashcat attack modes for efficient cracking.

Instructions: 1. Create a set of 20 NTLM hashes from known passwords following common patterns: - Season + Year + Special (e.g., Winter2026!) - Name + Numbers (e.g., Michael123) - Keyboard patterns (e.g., Qwerty1234!) 2. Design a Hashcat mask attack (-a 3) to crack the Season+Year+Special pattern. 3. Write custom Hashcat rules to transform dictionary words into common password patterns: - Capitalize first letter - Append two digits and a special character - Leet speak substitutions (a->@, e->3, i->1, o->0) 4. Run the mask and rule attacks and document the results. 5. Compare the time and success rate of mask attacks versus rule-based dictionary attacks.

Expected Deliverable: Hashcat commands, custom rules file, cracking results, and comparative analysis.

Exercise 14.8: John the Ripper for Non-Standard Formats

Objective: Use John the Ripper to crack passwords from various file types.

Instructions: 1. Create a password-protected ZIP file with a known password. 2. Create a password-protected PDF document. 3. Create a password-protected SSH private key. 4. Create a password-protected KeePass database. 5. For each, use the appropriate *2john utility to extract the hash. 6. Crack each hash using John the Ripper with appropriate wordlists and rules. 7. Document the extraction process and cracking time for each format.

Expected Deliverable: Hash extraction commands, cracking results, and format comparison.

Exercise 14.9: Kerberoasting Attack

Objective: Perform a Kerberoasting attack against an Active Directory lab.

Prerequisites: Windows AD lab with at least two service accounts with SPNs.

Instructions: 1. From a compromised domain user account, enumerate service accounts with SPNs using: - GetUserSPNs.py from Impacket - Or PowerShell: Get-ADUser -Filter {ServicePrincipalName -ne "$null"} 2. Request TGS tickets for the discovered service accounts. 3. Export the tickets in Hashcat-compatible format. 4. Crack the tickets using Hashcat (mode 13100) with rockyou.txt. 5. Set one service account password to a 25-character random string and attempt to crack it. Document the failure. 6. Replace service accounts with Group Managed Service Accounts (gMSAs) and verify that Kerberoasting is no longer effective.

Expected Deliverable: Complete Kerberoasting workflow documentation, cracking results, and gMSA implementation guide.

Exercise 14.10: NTLM Relay Attack

Objective: Perform an NTLM relay attack to understand credential forwarding.

Instructions: 1. Set up ntlmrelayx.py from Impacket targeting a second server in your lab. 2. Use Responder or another method to trigger NTLM authentication from a victim machine. 3. Observe the relay forwarding the authentication to the target. 4. Document what access was gained on the target. 5. Implement SMB signing on the target and repeat the attack. Document that it fails. 6. Disable LLMNR and NBT-NS via Group Policy and verify that Responder can no longer trigger authentication.

Expected Deliverable: Relay attack documentation, SMB signing implementation, and defensive verification.

Exercise 14.11: MFA Bypass Techniques (Conceptual)

Objective: Understand MFA bypass techniques and their defensive countermeasures.

Instructions: This is a research and analysis exercise (do not perform attacks against real MFA systems):

1. Research and document five different MFA bypass techniques: - Real-time phishing (Evilginx2) - MFA fatigue/push bombing - SIM swapping - Session hijacking post-MFA - Recovery code theft
2. For each technique, describe: - How the attack works technically - Prerequisites for success - Real-world examples where it was used - Defensive countermeasures
3. Create a comparison matrix rating each technique by: difficulty, success rate, detectability, and impact.
4. Recommend the strongest MFA configuration for MedSecure that resists all five techniques.

Expected Deliverable: Research document with comparison matrix and MFA recommendation.

Exercise 14.12: Password Policy Audit

Objective: Audit an organization's password policy against modern best practices.

Instructions: 1. Review the current Active Directory password policy in your lab domain: powershell Get-ADDefaultDomainPasswordPolicy 2. Compare the policy against NIST SP 800-63B recommendations. 3. Identify gaps and weaknesses. 4. Check for fine-grained password policies that might apply to specific groups. 5. Implement the following improvements: - Minimum 12 characters for regular users, 15 for administrators - Remove composition rules (no mandatory special characters) - Disable mandatory password rotation - Implement a custom password filter that checks against a breach database 6. Document the before/after policy comparison.

Expected Deliverable: Policy audit report with gap analysis and implementation steps.

Exercise 14.13: Pass-the-Hash Lab

Objective: Practice pass-the-hash techniques in an Active Directory environment.

Instructions: 1. Extract NTLM hashes from a compromised workstation (using Mimikatz or secretsdump). 2. Use CrackMapExec to test the hash against multiple systems: crackmapexec smb 10.10.10.0/24 -u admin -H <hash>. 3. Use Impacket's psexec.py with the hash to gain a shell on an accessible system. 4. Use Impacket's wmiexec.py with the hash for a stealthier approach. 5. Implement the following defenses and verify they block PtH: - Enable Credential Guard on Windows 10/11 - Add the admin account to the Protected Users group - Deploy LAPS for unique local admin passwords 6. Document which defenses were effective against which PtH techniques.

Expected Deliverable: PtH attack documentation and defense effectiveness analysis.

Exercise 14.14: Password Cracking Rig Performance Analysis

Objective: Understand the relationship between hardware and cracking speed.

Instructions: 1. Benchmark Hashcat on your available hardware: hashcat -b. 2. Record the hashes-per-second for: - MD5 (mode 0) - NTLM (mode 1000) - SHA-256 (mode 1400) - bcrypt cost 12 (mode 3200) - Argon2id (mode 32500) 3. Calculate how long it would take to brute-force an 8-character password (all printable ASCII) for each hash type. 4. Calculate the same for a 12-character password. 5. Research the performance of a high-end cracking rig (e.g., 8x RTX 4090) and calculate the same metrics. 6. Create a visualization showing the relationship between hash algorithm choice and brute-force resistance.

Expected Deliverable: Benchmark results, brute-force time calculations, and visualization.

🧪 Exercise 14.15: MedSecure Comprehensive Password Audit

Objective: Conduct a complete password security assessment of the MedSecure lab environment.

Instructions: Perform a full password audit following professional methodology:

1. Hash Extraction: - Extract SAM hashes from compromised workstations - Extract NTDS.dit from the domain controller - Capture NTLMv2 hashes with Responder

2. Offline Cracking: - Phase 1: Common passwords (top 1000) - Phase 2: RockYou with rules - Phase 3: Custom MedSecure wordlist with rules - Phase 4: Targeted masks for common patterns - Document percentage cracked at each phase

3. Kerberoasting: - Enumerate and attack all service accounts with SPNs

4. Password Spraying: - Spray top 5 common passwords against all domain accounts

5. Analysis and Reporting: - Calculate password complexity distribution - Identify password reuse across accounts - Identify patterns (company name, seasons, etc.) - Rate each finding by severity - Write remediation recommendations

Expected Deliverable: Professional password audit report including executive summary, methodology, findings, statistics, and recommendations.

Exercise 14.16: Ethical Scenario Analysis

Objective: Practice ethical decision-making in password attack scenarios.

Instructions: Consider this scenario and write a 500-word analysis:

During the MedSecure password audit, you successfully crack the password of the Chief Medical Officer (CMO): MyWife$Name2024. This password reveals personal information about the CMO. Additionally, you discover that the same password hash appears on three different systems, indicating password reuse. The CMO's account has access to all patient records in the EHR system.

Address: 1. How do you report this finding without unnecessarily exposing the CMO's personal information? 2. Should you include the actual cracked password in the report? 3. How do you communicate the password reuse risk? 4. What are the HIPAA implications of a weak password on an account with access to all patient records? 5. How would you recommend MedSecure address privileged account password security?

Expected Deliverable: Written ethical analysis with specific reporting recommendations.