Hello and welcome to this course, in which we're talking about gaining initial access. As the name of this course suggests, here we're going to be transitioning from the reconnaissance or preparatory phases we talked about in the previous course to actually engaging with the target network and trying to gain that initial foothold. In this video, we're going to be talking about an introduction to initial access. We'll have three sections to this video. We'll start out with that introduction, laying the groundwork for our discussion of gaining that initial access with Python. After that, we'll talk about the attack method that we're going to be using in this particular case, credential stuffing attacks. In our third section, we'll discuss how we can automate that credential stuffing attack using Python scripts. Let's get started.

Let's talk about initial access. There's a variety of different ways that we can accomplish initial access. The way we do so depends a lot on the information that we have. When we perform reconnaissance, we potentially have gained a lot of information about the target. We talked about this a lot in the previous course. Throughout that automated flow that we discussed, we collected IP addresses that are associated with Internet-connected computers. We learned a little bit, potentially, about some of the services running on those computers. For anything that's Internet-facing, we might have learned what it does and potentially even the exact implementation and version number of the software. We potentially have identified some vulnerabilities in the target system. Based off of those CVE lookups, we could say we've identified that we're running this version of this program, and so it has this known vulnerability. Throughout the reconnaissance process, we might have learned other pieces of information that we haven't discussed there.
Information about organizational charts, email addresses of employees, and other things like that can be used to help plan an attack. In some cases, the results of our previous course and those Python scripts are plenty to plan the next stage of the attack. For example, if we've identified a CVE that allows remote code execution, then exploitation of that might be enough to give us the foothold that we need on the network. However, that really depends on whether we identified any vulnerabilities. Say throughout our information gathering, scanning, et cetera, we found that all of the services running on those computers are completely up to date, and so they have the latest security patches and there are no known vulnerabilities for them. In a lot of cases that's a bit of a stretch as an assumption, but it could happen. What happens if we've got nothing at the end of reconnaissance?

Account takeover attacks are always a viable option. That's really been demonstrated by the techniques that have been used to spread malware in recent years. At the time we're discussing this, exploitation of the Remote Desktop Protocol, or RDP, is the most common way that ransomware is delivered, because those RDP endpoints are exposed to the open Internet. If you can learn the user account credentials, then you can gain access via RDP and be able to drop your malware and execute it yourself on the target system. Credential stuffing attacks don't require a lot of information about the target environment, and they don't require any vulnerabilities. What we need is a login portal, and that's the thing that we easily could have found in our reconnaissance. If we've identified an SSH server, an FTP server, a website that requires user authentication, an RDP authentication page or a VPN authentication page, et cetera, all we need is something where, if you provide a username and a password, it tells you you're in or you're not. That's all we need for credential stuffing.
We've probably found at least one of those via reconnaissance. Next we need some guesses for usernames. Often these are email addresses, and email addresses are rarely considered sensitive information. You literally have to give them out for people to talk to you. It's likely that you'll be able to find some email addresses with a bit of reconnaissance and just learning about some of the employees at the organization. If not, many organizations have a fairly standard method for defining usernames: something like first initial last name, first name last name, etc. Even if you don't know what the email addresses of anyone at the organization are, or have any username guesses, just trying some of those common schemes with a known employee's name gives you a good shot at finding a username.

The biggest challenge with a credential stuffing attack is the password. That's good, because that's supposed to be the secret. However, password security is often a bit of a joke. For example, here we have the most common passwords for 2020. A list like this is published every year. Looking through these, I see several just numeric passwords, a series of numbers, 1,2,3,4,5,6,7,8,9,0, or some variation on that, with millions of hits in recent data breaches. It takes no time at all to crack that password. Moving past that, we see that we've got things based off of the word password, and some common words with a little bit of a tweak. For example, picture1. That's an English word followed by a number, which is probably intended to fulfill some organization's secure password policy, which requires at a minimum a length of this and at least two of the following: lowercase, uppercase, numbers, symbols, et cetera. Looking at these, if these are in general the most common passwords, then there's a good chance that at least one account at our target organization has a bad password. So if we can find that, and if we can guess the right password, then we're set.
Our real challenge here is building that password list to try to guess. Maybe they don't have picture1 as their password; they have photo1 instead. Can we figure that out? Not all users are going to have one of those most common passwords, though definitely check those 10 first just in case. However, many of them will have variations. So, jokingly, we said that picture1 might be chosen as a password to fulfill secure password policies, but honestly that's a significant consideration. So if you want your password to be password, a lot of places won't let you do it. However, if you make your password capital P, password, exclamation point, 1, 2, 3, that's acceptable, because it's got a minimum length and it has at least four of the different types of characters: uppercase, lowercase, numbers, and symbols, et cetera. If you take into account those organizational password policies and common ways that people create those password variations, there's a good chance that you'll be able to guess at least one account password. That's what we're going to be using Python for.

Again, here we have a flow of how we're going to work on building the pieces that allow us to automate that process. We're going to start out with a dictionary. That dictionary depends on what you want to use it for and which of the generate-variations or three-random-words approaches you want to take. For example, you could be banking on, you've got that list of the top 10 most common passwords, or maybe you want to expand to the top 20 or 50, go crazy. But you expect that people aren't going to use those exactly; they're going to try to tweak them to make them a little bit more clever. Your dictionary might be that list of 50 passwords, and you want to create variations of those. We can do that. One of our Python scripts we'll talk about is for password munging.
If you're not familiar with the term password munging, it's that practice where people take a password like password and make little changes to hopefully make it unguessable: things like substituting an at symbol for the a, a dollar sign for the s, a zero for the o, et cetera. The problem with that is everyone knows everyone does it, and the rules for doing it are fairly well known. If you've got a character, you probably know which character would be most likely substituted for it, because it's got to be something that the person doing it is able to remember. We can automate that process of generating all of the various variations on a particular password, taking into account capitalisation, password munging, et cetera. We'll also cover that case of, well, what if you have to tack something on the end because you need some characters and numbers and you don't have any? Well, we can do that too. That way we'll cover cases like picture1 from that top password list, if you have that base word picture going in. That's one way in which we can build a password list.

The other is to take into account that some people aren't using passwords anymore; they're focusing more on passphrases. A common recommendation is to use three random words. You generate three random words, you memorize those three random words, and then you use them as your passphrase instead of the traditional password. There, you're going for the length of the phrase adding enough complexity to make it hard to crack. The problem with three random words is whether or not they're random enough and whether they're drawing from a big enough dictionary. For example, the English language has over 100,000 words in it. So if you do 100,000 to the third power, that's a lot of passphrases, probably more than we can effectively crack. However, most people don't know every word in the English language.
So if you shrink it down to that usable collection of words that people are actually going to remember and actually use in their passphrase, that's a bit more manageable. We'll look into taking a literal dictionary of English words and generating potential three-random-word passphrases based off of that. At the end of that first stage, whichever path we take, we're going to end up with a password list, which is the big challenge that we had coming into this slide. We already potentially have a target system, and we have a username. We've got passwords now. With that, and with some service data information from our initial reconnaissance, just knowing, oh hey, we want to try to log into an FTP server and here one is, we can start looking at performing a brute force or credential stuffing attack. Because we've got passwords and we've got the way to log in, Python will let us actually iterate through those passwords, try them, and see if we successfully logged in. Hopefully at the end of the day we have access.

Just as a quick recap here, we started out with talking about how we can gain that initial access. Maybe we have a vulnerability that we can exploit, but maybe we don't. In that second case, we'll go to the old fallback of account takeover attacks. If you can guess the username and the password, you can probably get in. In the next few videos, we're going to look at automating the various stages of that credential stuffing attack using Python. Let's get started. Thank you.
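The munging rules and the Password!123 example from this video, seen from the defender's side, as an added example that is not one of the course's own scripts: a password-policy check that undoes the common substitutions and trailing digits/symbols before comparing against a common-password list. The list here is a constructed handful of entries, not the published 2020 list, and the substitution table is an assumption covering the three swaps the lecture names plus a few other well-known ones.

```python
"""Defensive check: does a password reduce to a known-common base word once
the munging described in the lecture (P@ssword!123 and friends) is undone?"""
import re

# Constructed sample: a few entries of the kind found on published
# "most common passwords" lists; a real deployment would load the full list.
COMMON_BASES = {"password", "123456", "1234567890", "qwerty", "picture", "photo"}

# Reverse of the usual substitutions: @ for a, $ for s, 0 for o (from the
# lecture), plus a few other well-known ones (assumed, not from the lecture).
DEMUNGE = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                         "3": "e", "4": "a", "5": "s", "7": "t", "!": "i"})

# Digits and symbols users tack on the end to satisfy a complexity rule.
SUFFIX_RE = re.compile(r"[0-9!@#$%^&*?._-]+$")


def meets_naive_policy(password: str, min_len: int = 8) -> bool:
    """The kind of policy the lecture describes: a minimum length and at
    least two character classes. It happily accepts 'Password!123'."""
    classes = [any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password)]
    return len(password) >= min_len and sum(classes) >= 2


def candidate_bases(password: str) -> set:
    """All plausible base words the user may have started from."""
    lowered = password.lower()
    stripped = SUFFIX_RE.sub("", lowered) or lowered   # keep all-digit passwords
    return {lowered, stripped, stripped.translate(DEMUNGE)}


def is_munged_common(password: str) -> bool:
    """True when the password is a common password or a munged variant of one."""
    return bool(candidate_bases(password) & COMMON_BASES)


def check_password(password: str) -> str:
    """Reject munged variants of common passwords even when the naive
    length/complexity policy would have accepted them."""
    if not meets_naive_policy(password):
        return "reject: fails length/complexity"
    if is_munged_common(password):
        return "reject: munged variant of a common password"
    return "accept"
```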