Post-exploitation (i.e., after impacket-secretsdump)
- Secrets in LSASS process.
- Secrets in registry such as LSA secrets.
- DPAPI secrets.
By retrieving the content of Wikipedia.
See also the "universal" rule for hashcat
Passwords and SSH key. From various (cited) sources
It’s a good practice to create one SSH key for each server or service that you want to use. This can be a bit tricky to manage. Let’s learn how to use KeePassXC to manage all of them
[How-to guide](https://ssd.eff.org/fr/module/guide-pratique-utiliser-keepassxc) from the EFF
Mobile apps:
KeePassDX (F-Droid and Google Play)
Keepass2Android
Here: https://twitter.com/taviso/status/1401248187831099394
I always get angry replies when I say "use a password manager" is bad advice, but I stand by that! Here are some weekend thoughts about it https://t.co/tOm2LIR5E4 (tl;dr just use chrome!) 😆
A comment
http://shaarli.guiguishow.info/?aovkkg
Expandpass is a string expansion program. It's "useful for cracking passwords you kinda-remember." You tell the program what you remember about the password and it tries related passwords.
Many online accounts allow you to supplement your password with a second form of identification, which can prevent some prevalent attacks…
Last August, I launched a little feature within Have I Been Pwned (HIBP) I called Pwned Passwords. This was a list of 320 million passwords from a range of different data breaches which organisations could use to better protect their own systems. How? NIST explains: When processing requests to establish
Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Vault handles leasing, key revocation, key rolling, auditing, and provides secrets as a service through a unified API.
Today I’m proud to announce the release of something I’ve been working on for the past 3 years: SecureLogin Authentication Protocol 1.0.
Based on managing a secret, authentication by username and password is a simple and inexpensive way to deploy access control. However, this authentication method offers a low level of security.