Last updated at Thu, 11 Jan 2024 19:53:00 GMT
David Maloney's webcast for network administrators and security engineers is now available online. David discusses weaknesses in password-based authentication on clients and servers and how to audit these as part of a regular security program.
What you'll learn in this webcast
- Password storage systems and password obfuscation
- Strengths and weaknesses of the various approaches
- Real-life examples of badly implemented password authentication mechanisms
- How to audit passwords on your network using Metasploit Pro
Audience questions answered in this webcast
- What do you think about modifying standard ciphers, for example MD5 constants or AES S-boxes?
- Do you know if PuTTY saves its sessions in a secure way?
- Which FTP and SSH applications have good password protection?
- Do you know about password security issues with popular VPN clients?
- I know of a password that many people in my environment are using. Is there a way to audit my network for just that password?
- Which Metasploit editions is the scheduled password auditing available in?
- You mentioned basic HTTP Authentication. Which method should I use?
- Were all the hashes you cracked LM hashes?
- Can you expand a little on the registry areas that usually contain passwords?
- What are the differences between Metasploit Community and Metasploit Pro? Is it only the graphical user interface? Or am I able to run more exploits or zero-day exploits?
- What are your thoughts on browsers that save credentials for future use?
About David Maloney
David is a Software Engineer on Rapid7's Metasploit team, where he is responsible for development of core features for the commercial Metasploit editions. Before Rapid7, he worked as a Security Engineer and Penetration Tester at Time Warner Cable and as an Application Security Specialist for a global insurance company. David has been a long-time community contributor to the Metasploit Framework. He is one of the founders of Hackerspace Charlotte and is an avid locksport enthusiast.
Download the Metasploit Framework here or download Metasploit Pro here.