David Maloney's webcast for network administrators and security engineers is now available online. David discusses weaknesses in password-based authentication on clients and servers and how to audit these as part of a regular security program.

What you'll learn in this webcast

  • Password storage systems and password obfuscation
  • Strengths and weaknesses of the various approaches
  • Real-life examples of badly implemented password authentication mechanisms
  • How to audit passwords on your network using Metasploit Pro

Audience questions answered in this webcast

  • What do you think about modifying standard ciphers, for example MD5 constants or AES S-boxes?
  • Do you know if PuTTY saves its sessions in a secure way?
  • Which FTP and SSH applications have good password protection?
  • Do you know about password security issues with popular VPN clients?
  • I know of a password that many people in my environment are using. Is there a way to audit my network for just that password?
  • Which Metasploit editions is the scheduled password auditing available in?
  • You mentioned basic HTTP Authentication. Which method should I use?
  • Were all the hashes you cracked LM hashes?
  • Can you expand a little on the registry areas that usually contain passwords?
  • What are the differences between Metasploit Community and Metasploit Pro? Is it only the graphical user interface? Or am I able to run more exploits or zero-day exploits?
  • What are your thoughts on browsers that save credentials for future use?

About David Maloney

David is a Software Engineer on Rapid7's Metasploit team, where he is responsible for development of core features for the commercial Metasploit editions. Before Rapid7, he worked as a Security Engineer and Penetration Tester at Time Warner Cable and as an Application Security Specialist for a global insurance company. David has been a long-time community contributor to the Metasploit Framework. He is one of the founders of Hackerspace Charlotte and is an avid locksport enthusiast.

View the Password Auditing Webcast Now