Security BSides Las Vegas 2025

Password ~Audit~ Cracking in AD: The Fun Part of Compliance
2025-08-04, Tuscany

This is the story of three organizations: EvilCats (a criminal group), YOLO Corp (a new company that doesn't have any security staff) and CoolSec (a company that goes beyond security compliance). We will see how the two corporations fare against EvilCats during various attack scenarios that all involve passwords.


To begin, we will present the latest NIST recommendations for passwords and the risks and benefits of implementing them. We will also present our 3 corporations (with AI-generated icon-style images) (~5 mins)

We will then jump into the heart of the subject.

Attack 1: Password Spray
We will present stats about breaches that start with brute-force/password-spray attacks.
We'll see how YOLO Corp falls from an exposed RDP service to a ransomware scenario, versus CoolSec, which was able to both detect the attack and resist the password-spray attacks because it audits its passwords and eliminates the common ones (~5 mins)

Attack 2: EvilCats gets a copy of NTDS.dit from an unprotected backup at YOLO Corp & CoolSec
They attempt to crack the passwords. Typically that recovers over 50% of the passwords within a few days, and some fall in seconds (anything that is 7 characters long).
We will then see that dumping NTDS.dit from your DC to perform a password audit isn't the most elegant way to go about it. Fortunately, Michael Grafnetter's DSInternals has us covered. This open-source PowerShell project pulls the information from the DC (just like the DCSync attack) and performs some basic analysis of the hashes found. We will go over the main modules of this project and how to configure a user that can fetch the hashes.
And finally, how to detect this type of activity if another user (or that account, if it ever gets compromised!!) ever performs a similar action (~15 mins)

From there it's also easy (built-in command) to convert the user & hash to a format John the Ripper or Hashcat can ingest for additional cracking. We will go over some effective password-cracking rules and methodology for Hashcat and reference Travis Palmer's Defcon 28 Red Team Village talk "Passwd Cracking Beyond 15 Chars, Under $500".
Using either a password filter or the Azure AD "ban list", we can prevent users from choosing derivatives of these weak passwords in the future (~10 mins)

In conclusion, we'll cover how, once you have DSInternals & Hashcat in place, it's easy to create a wrapper script to automate the whole process:
- Extract the hashes
- Run a few checks on the hashes (without cracking):
  - Any previously cracked hash present
  - Any hash associated with multiple accounts
  - Etc.
- Launch a password cracker against the accounts
- Force a password change on accounts with "known passwords"
- Send a communication to the account's owner.
(~5 mins)
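The wrapper described above, as an added PowerShell example rather than the speaker's own script. It assumes the DSInternals and ActiveDirectory modules are installed, a dedicated audit account with replication rights, and a file of known-weak NT hashes (an HIBP NTLM list plus hashes cracked in earlier runs); the mail sender and relay are placeholders, and the handling of both shapes of the WeakPassword property is an assumption about differences between DSInternals versions.

```powershell
#Requires -Modules DSInternals, ActiveDirectory
# Constructed audit wrapper, not the talk's own script. Extracts hashes via
# replication, runs the no-cracking checks, exports for Hashcat, and (with
# -Enforce) forces a password change plus a notification for flagged accounts.
param(
    [Parameter(Mandatory)] [string] $Server,         # DC FQDN (placeholder, e.g. dc01.corp.example)
    [Parameter(Mandatory)] [string] $WeakHashesFile, # NT hashes in hex, one per line: HIBP list,
                                                     # plus hashes you cracked in earlier runs
    [string] $HashcatExport = '.\ad_ntlm_hashes.txt',# hashcat -m 1000 input for the cracking pass
    [switch] $Enforce                                # omit it for a report-only dry run
)
# 1. Extract. This is the same replication request DCSync abuses, so run it from a
#    dedicated audit account and alert on Event 4662 carrying the
#    DS-Replication-Get-Changes-All right for any other principal.
$accounts = Get-ADReplAccount -All -Server $Server

# 2. Checks without cracking: known-hash match and duplicate-hash groups.
$result = $accounts | Test-PasswordQuality -WeakPasswordHashesFile $WeakHashesFile

# WeakPassword is account->password in recent DSInternals builds and a plain set in
# older ones (assumption about version differences); accept both shapes.
$weak = if ($result.WeakPassword -is [System.Collections.IDictionary]) {
    @($result.WeakPassword.Keys) } else { @($result.WeakPassword) }
$reused = @(foreach ($group in $result.DuplicatePasswordGroups) { $group })

$flagged = @(($weak + $reused) | Sort-Object -Unique)
foreach ($acct in $flagged) {
    $why = @()
    if ($weak   -contains $acct) { $why += 'known-weak' }
    if ($reused -contains $acct) { $why += 'shared-with-other-account' }
    [pscustomobject]@{ Account = $acct; Reason = ($why -join ',') }
}

# 3. Everything else goes to the cracker; HashcatNT is a view shipped with DSInternals.
$accounts | Format-Custom -View HashcatNT | Out-File -Encoding ascii -FilePath $HashcatExport

# 4./5. Force a change at next logon and tell the owner. Names come back as DOMAIN\sam.
if ($Enforce) {
    foreach ($acct in $flagged) {
        $sam  = $acct.Split('\')[-1]
        Set-ADUser -Identity $sam -Server $Server -ChangePasswordAtLogon $true
        $mail = (Get-ADUser -Identity $sam -Server $Server -Properties mail).mail
        if ($mail) {   # mail sender and relay are placeholders
            Send-MailMessage -To $mail -From 'secops@corp.example' -SmtpServer 'smtp.corp.example' `
                -Subject 'Password change required' `
                -Body 'Your password matched a known-weak list or is shared with another account.'
        }
    }
}
```

Run it without -Enforce first to review the flagged list, then re-run with -Enforce once the owners of service accounts in the list have been consulted.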

After attending this talk, attendees should leave the room with knowledge of the latest NIST recommendations for passwords and a plan to enforce them while making sure their users are not using weak passwords and putting the whole enterprise at risk.

Mat (better known as Scoubi in this community) is a recognized security professional and Core Mentor for Defcon’s Blue Team Village with over two decades of experience in security. He has shared his passion for IT security and captivated audiences at Derbycon, SANS Summits and RSAC, amongst others.

With a passion for offensive security, he automates OffSec tools to improve the security posture of organizations around the world. Building on his strong technical background, he now focuses on threat research, threat hunting, detection engineering and incident response.