VeraCrypt Installation Guide

by Vince

In my last post, I talked about cracking Microsoft Office password-protected documents. At the end of that post, I suggested storing the entire document in a password manager and I also mentioned VeraCrypt. Truth be told, I was going to link to a post that I thought I'd written for this site, but I was mistaken. I'd actually written documentation for a client specifically about VeraCrypt and, for obvious reasons, I'm unable to post that document.

Understanding what a product like VeraCrypt can do for us enables us to choose the appropriate level of security for a given situation. If you're storing sensitive data in files, VeraCrypt is a potential avenue for adding protection when password protecting your documents isn't enough.

Before moving on, I'd also like to mention that security is inconvenient at times -- most times.  I would love to leave my doors unlocked at my home because it's inconvenient to dig the keys out of my pocket each time I want to open the door.  But that's not the world that we live in.  If you use this product correctly, you will open the vault when needed and you'll close the vault when you're done.  In other words, if you're consistently accessing this data throughout the day, you're going to open it when you come into the office and you're going to close it when you leave.  If you leave it open every minute of every day, it won't protect you much more than the file(s) living in the file system without protection.  That would essentially be the same as installing a deadbolt on your front door but never locking the lock.  


Cracking Excel Passwords

by Vince

Gather as much knowledge as you can in order to make educated decisions.  For example, there's this idea that if we password protect Microsoft Office documents, we are going to keep people from accessing them.  I'd say that is mostly correct and when I'm done explaining how to crack the password, you can decide if what you have stored in them is protected well enough.  

First, let me state that there are commercial products that will crack the passwords easily. I haven't used one of those products in a long, long time, and I think a search would yield legitimate products along with questionable, possibly malware-laced, products, and it's not something I want to randomly download. For this post, I'm going to use open source (read: FREE) and publicly available tools along with the rockyou wordlist.


Metasploit Mistakes

by Vince

I had so many different ideas for the title of this post because there are so many different ways to call attention to this problem.  "Too much point and click."  "Attention to detail."  "Understanding your environment."  All of these apply.  

The other day, I was playing around with (I will post on this soon!) Oracle Glassfish --  "Glassfish is the world's first implementation of the Java Platform, Enterprise Edition (Java EE) 6 specification."  I managed to get credentials and with that, I am able to deploy an application which is very much like deploying an application on Tomcat.  

I set up Metasploit:
