David Maloney's webcast for network administrators and security engineers is now available online. David discusses weaknesses in password-based authentication on clients and servers and how to audit these as part of a regular security program.
What you'll learn in this webcast
- Password storage systems and password obfuscation
- Strengths and weaknesses of the various approaches
- Real-life examples of badly implemented password authentication mechanisms
- How to audit passwords on your network using Metasploit Pro
Audience questions answered in this webcast
- What do you think about modifying standard ciphers, for example MD5 constants or AES S-boxes?
- Do you know if PuTTY saves its sessions in a secure way?
- Which FTP and SSH applications have good password protection?
- Do you know about password security issues with popular VPN clients?
- I know of a password that many people in my environment are using. Is there a way to audit my network for just that password?
- Which Metasploit editions is the scheduled password auditing available in?
- You mentioned basic HTTP Authentication. Which method should I use?
- Were all the hashes you cracked LM hashes?
- Can you expand a little on the registry areas that usually contain passwords?
- What are the differences between Metasploit Community and Metasploit Pro? Is it only the graphical user interface? Or am I able to run more exploits or zero-day exploits?
- What are your thoughts on browsers that save credentials for future use?
About David Maloney
David is a Software Engineer on Rapid7's Metasploit team, where he is responsible for development of core features for the commercial Metasploit editions. Before Rapid7, he worked as a Security Engineer and Penetration Tester at Time Warner Cable and as an Application Security Specialist for a global insurance company. David has been a long-time community contributor to the Metasploit Framework. He is one of the founders of Hackerspace Charlotte and is an avid locksport enthusiast.