Hashing & brute force attacks


Hash Functions [CISMP]

One of four primary areas of cryptography, hash functions are the focus of this course, which is designed to inform you of their characteristics, properties, and uses.  


Welcome to this session on encryption. So, in this section, we're going to talk about symmetric encryption and asymmetric encryption and we're gonna look at a couple of little tools and demonstrations for this purpose. So, I'm gonna turn to my machine. Encryption is used primarily for confidentiality and there are layered approaches to this which you'll see as the session goes on. This next tool is called CyberChef. I do like this tool. This is a tool provided by GCHQ and it's used for digital forensics. It's used for lots of other things as well, but I want to show you something called hashing. So, hashing, and there are different types of hashers out there. We have something called MD. Now, MD is Message Digest, and that will appear in your exam, so you do need to remember what Message Digest-, and that's a hashing algorithm. You have two, four, five, six, one, is-, different algorithms. Don't be flummoxed by any of these numbers, as long as you know that the MD series, Message Digest, is to do with hashing, but what's the hash-mark? Well, let's demonstrate just what a hash is. So, I'm gonna select MD5, Message Digest 5, and I'm gonna put this in the recipe, and then I'm gonna type in 'password123', and you can see that the output from the file is fixed, so it's now 482c811. That's the fixed output for the hash itself. That's pretty straightforward. Any time I use MD5 and I use the same password, I get the same hash.

Now, this hash, I'm gonna copy the hash-, gonna copy the hash, then I'm gonna go and bring up Google and put that hash into Google and see if Google can recognise that hash. And I can see straight away, if I look at the hash toolkit and I'm gonna click on the hash toolkit, the second one down, there's other ones that are obviously showing what the password relates to. And straight away, password123, which is quite a common one that's used by people in America, every single combination of the hash relating to that password is available on this site. So, we've got MD5, SHA is called Secure Hashing Algorithm, that's another hashing algorithm that we can use. We only use SHA1 for hashing. We don't use it for confidentiality purposes. SHA2 and 3, we can use for confidentiality, and we can also use it for hashing, but you can see the output is longer. It's a longer output that comes from it, a fixed-length output, depending on which algorithm you use, and you can see some good examples just on this site here, so that's quite interesting, if the hash is coming up more. So, if I go back to our example now, password123, that's the fixed hash for that but what I'm gonna do in this one, this time, now, is I'm gonna change the hash from a lower-case 'p' to an upper-case 'P', and immediately, the hash has changed. Which obviously would indicate to you that this is an integrity issue, and the integrity would tell you that something's happened to this file. Maybe your-, there's a file you're trying to download and the file's been modified or changed.

It could be that someone's put a Trojan, which is a form of malware, or some other type of malicious software has been put inside it and that's changed the hash. That's why, if you're downloading programs from the Internet, always check that the hash that's on the website you're downloading from matches the one you've downloaded, and, obviously, this is a good example of that. Now, hashes, we see hashes, your passwords will be hashed and stored in a security account manager, a SAM file, but these can be subject to attacks. Passwords are subject to attacks, and one of those types of attacks is a brute-force attack. Now, this little tool here, it's a lovely little tool, it's an example showing you how passwords can be attacked. A brute-force attack is a slow, methodical attack using every combination to break the password. Now, in this one here, we have a username and we have a password, and the password's only three characters. Obviously, if there was gonna be longer characters, the time will go up, but for this demonstration, I'm gonna demonstrate how this works 'cause I wanna access this log-in page. So, I'm gonna just click the register element in here, and it's said, 'Okay, the server database is telling me there are three characters,' and I want to introduce a brute-force attack and I'm gonna use a tool.

Now, I could use John the Ripper or Cain and Abel or one of the other password-cracking tools to crack the passwords, and I'm used to using this tool that's provided by the website and I'm gonna run the tool, and it's gonna run every single combination, and obviously, with three characters, it pretty-, should be relatively quick to find it. And soon as it's got it, it's gonna identify the password. The password is CIA, surprisingly enough, some people do use that as a password, and then if I click 'log in', I'm in the website. That simple. That simple demonstration of what a brute-force attack is.  
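An added example, not part of the transcript or the course material: it reproduces the MD5 behaviour shown in the CyberChef demonstration (same input gives the same digest, one changed letter gives a different one), sizes the three-character search space from the log-in demonstration, and contrasts unsalted MD5 with a salted, iterated hash for password storage. The function names, the 26-letter alphabet, the PBKDF2 choice and its parameters are assumptions of this sketch.

```python
import hashlib
import hmac
import os

# Assumed parameters for this sketch; they do not come from the transcript.
ITERATIONS = 600_000
SALT_BYTES = 16


def md5_hex(text: str) -> str:
    """Fast, unsalted digest: identical input always yields identical output,
    which is why digests of common passwords can be found by simple lookup."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates an exhaustive search must cover at this length."""
    return alphabet_size ** length


def store_password(password: str) -> tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt makes every stored record
    unique, and the iteration count makes each guess expensive."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Determinism and sensitivity to a single changed character.
    print("md5(password123):", md5_hex("password123"))
    print("md5(Password123):", md5_hex("Password123"))

    # Search space for upper-case letters only (assumed alphabet of 26).
    for length in (3, 8, 12):
        print(f"{length} characters: {keyspace(26, length):,} candidates")

    # Same password stored twice gives two different records.
    salt_a, digest_a = store_password("password123")
    salt_b, digest_b = store_password("password123")
    print("records differ:", digest_a != digest_b)
    print("correct password verifies:", verify_password("password123", salt_a, digest_a))
```
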



About the Author

A world-leading tech and digital skills organization, we help many of the world’s leading companies to build their tech and digital capabilities via our range of world-class training courses, reskilling bootcamps, work-based learning programs, and apprenticeships. We also create bespoke solutions, blending elements to meet specific client needs.