Lab 5.1: Password‐Guessing - Jacob-Mayotte/SEC335_Tech_Journal GitHub Wiki
Deliverables:
1:
Ran: sudo nslookup 10.0.5.21 10.0.5.22 // target address followed by the DNS server, to find the hostname
Pulled this command from: https://github.com/Jacob-Mayotte/SEC335_Tech_Journal/wiki/Assignment-3.2-%E2%80%90-DNS-uses-TCP-and-UDP
Cewl Portion:
cewl -h // for the cewl manual
sudo cewl -d 1 http://10.0.5.21/bios/[MEMBER_To_be_searched] | grep '^[A-Z]' >> [MEMBER_To_be_searched]_long.txt
- -d 1 is the depth for cewl. This tells cewl to only go one web page deep, which would be the bios web page.
- [MEMBER_To_be_searched] - fill this in with the target user (Frodo, Pippin, bilbo, samwise)
- '^[A-Z]' - I used this regex to filter the potential passwords, since the lab informed me that the password is a proper noun (must start with a capital letter).
Source: https://www.geeksforgeeks.org/cewl-tool-creating-custom-wordlists-tool-in-kali-linux/
After constructing the wordlists, I used vim to edit out the unlikely/commonly used words.
RSMangler:
For constructing variants of the new files generated with cewl, I used rsmangler. Fortunately the lab had a few hints:
- password sizes will range from 9-12 characters (use min/max)
- Ideally, you should have a list under 1,500 entries
- The Linux "wc" command (aka word count) can show you how many lines are in a file
- Record the command you used
Two of the sources listed at the bottom of this page assisted in constructing the command:
rsmangler --file [insert file name here.txt] -m 9 -x 12 -d -p -u -t -y
Explanation, options found with sources listed above:
- -m sets the minimum word length
- -x sets the maximum word length
- -d doubles all of the words
- -p permutes the words
- -t leet-speaks the words
- -u & -l uppercase & lowercase the words
- -y adds years from 1990 to now
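The reflection questions at the end of this lab ask whether your own passwords are guessable, and the cewl/rsmangler rules above are exactly what makes a password guessable: a proper noun from a public bio page, optionally doubled, leet-substituted, case-changed, or with a year from 1990 onward appended. The following self-check runs those rules in reverse. It is an added example, not part of the original journal and not rsmangler's or cewl's own code; the BIO_WORDS list is a constructed stand-in for a cewl crawl output, and the leet table is an assumed common subset rather than rsmangler's table.

```python
import re
from datetime import date

# Constructed sample wordlist, standing in for what a cewl crawl of a public bio
# page would produce after the grep '^[A-Z]' filter (proper nouns only).
BIO_WORDS = ["Shire", "Hobbiton", "Gandalf", "Bagend"]

# Assumed common leet substitutions, mapped back to letters (not rsmangler's own table).
UNLEET = str.maketrans({"4": "a", "3": "e", "1": "i", "0": "o",
                        "5": "s", "7": "t", "@": "a", "$": "s"})
FIRST_YEAR = 1990  # the lab's -y range: 1990 to the current year


def strip_year(pw):
    """Split a trailing 4-digit year off pw if it falls in the -y range."""
    m = re.fullmatch(r"(.+?)(\d{4})", pw)
    if m and FIRST_YEAR <= int(m.group(2)) <= date.today().year:
        return m.group(1), m.group(2)
    return pw, None


def halve_if_doubled(s):
    """'ShireShire' -> ('Shire', True); anything else is returned unchanged."""
    half = len(s) // 2
    if len(s) % 2 == 0 and s[:half] == s[half:]:
        return s[:half], True
    return s, False


def derivation(pw, words):
    """Return (bio_word, steps) if pw can be rebuilt from a bio word, else None.

    Undoes, in order, the rsmangler steps the lab used: trailing year (-y),
    leet substitution (-t), doubling (-d), and case changes (-u / -l).
    """
    lookup = {w.lower(): w for w in words}
    steps = []
    stem, year = strip_year(pw)
    if year:
        steps.append(f"year {year}")
    unleeted = stem.translate(UNLEET)
    if unleeted != stem:
        steps.append("leet")
    stem, doubled = halve_if_doubled(unleeted)
    if doubled:
        steps.append("doubled")
    word = lookup.get(stem.lower())
    if word is None:
        return None
    if stem != word:
        steps.append("case change")
    return word, steps


def guessable(pw, words=BIO_WORDS):
    """True when pw is reachable from a public bio word by the lab's mangling rules."""
    return derivation(pw, words) is not None


if __name__ == "__main__":
    for candidate in ["Hobbiton2003", "G4nd4lf", "ShireShire", "Tr0ub4dor&3"]:
        print(candidate, "->", derivation(candidate, BIO_WORDS))
```

The check is deliberately lossy in the same direction as the mangler: it de-leets every digit it can, so a password that merely contains a "0" in place of an "o" is treated as a leet variant. That is the conservative choice for an audit, since a wordlist built with -t would contain that variant too.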
2:
- Recon scan, using nmap: sudo nmap -p 1-100 -A 10.0.5.21
- -p // scans ports 1-100 (I was targeting ports 22 (SSH) & 80 (HTTP))
- -A // nmap conducts OS & version detection, script scanning, and traceroute
3:
sudo dirb http://10.0.5.21/ -r
- http://10.0.5.21/ // target
- -r // Don't search recursively (dirb option; nmap does not accept a URL as its target)
Note the /admin!
4:
5:
This was password protected, so I needed a username and password. I knew from the lab that hydra would be used to brute force a password match:
sudo hydra -l (member) -P (member)_mangled.txt -s 80 -f 10.0.5.21 http-get '/admin'
Command Explained:
- -l // login with a name (used in this case with (member)); -L would load logins from a file
- -P // loads several password attempts from a file
- -s // defines the port
- -f // exits the brute force when creds are found
- Sources: see the list at the bottom of this page, plus:
hydra -h
Pippin:
Frodo:
Bilbo:
6: SSH
Using the same sources above I was able to complete an SSH scan with hydra:
sudo hydra -l (member).(member last name) -P (member)_mangled.txt -t 4 10.0.5.21 ssh
- -l // login with a name (used in this case with (member)); -L would load logins from a file
- -P // loads several password attempts from a file
- -t // allows the user to specify the number of tasks to run per target; the default is 16
At first this was taking a while, so I did rescramble the documents with rsmangler and was able to get a few hits.
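Both hydra runs above leave a distinctive trace on the target: a burst of 401 responses for /admin from one source in the web server log, or a run of "Failed password" lines in the sshd log, followed (because of -f, and because the guess eventually lands) by a single success from the same source. The detector below, an added example that is not part of the original journal or of hydra, parses constructed Apache combined-log and syslog-style sshd lines and flags any source whose failures within a sliding window cross a threshold, noting whether a success followed. The log lines, host name, timestamps and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not captured from the lab host). The web lines model
# the http-get run against /admin: twelve 401s in a row, then a 200 once the
# pair is found. The sshd lines model the -t 4 ssh run: repeated failures, then
# one "Accepted password".
ACCESS_LOG = [
    f'10.0.5.50 - - [01/Mar/2024:10:00:{s:02d} -0500] "GET /admin HTTP/1.1" 401 381 "-" "Mozilla/5.0"'
    for s in range(12)
] + [
    '10.0.5.60 - - [01/Mar/2024:10:00:05 -0500] "GET /admin HTTP/1.1" 401 381 "-" "Mozilla/5.0"',
    '10.0.5.50 - - [01/Mar/2024:10:00:12 -0500] "GET /admin HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]
AUTH_LOG = [
    f"Mar  1 10:05:{s:02d} web01 sshd[1200]: Failed password for frodo from 10.0.5.50 port {41000 + s} ssh2"
    for s in range(8)
] + ["Mar  1 10:05:09 web01 sshd[1201]: Accepted password for frodo from 10.0.5.50 port 41008 ssh2"]

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
SSHD_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
    r'(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)'
)


def web_auth_events(lines, path="/admin"):
    """Yield (ip, time, ok) for requests to the protected path; ok is True on a 200."""
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m or m["path"] != path:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], ts, m["status"] == "200"


def ssh_auth_events(lines, year=2024):
    """Yield (ip, time, ok) from sshd password-auth lines.

    Syslog timestamps carry no year, so one is assumed (constructed data: 2024).
    """
    for line in lines:
        m = SSHD_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield m["ip"], ts, m["result"] == "Accepted"


def brute_force_sources(events, threshold=10, window=timedelta(seconds=60)):
    """Return {ip: (max_failures_in_window, success_after)} for sources that
    exceed `threshold` failures inside any sliding `window`."""
    by_ip = defaultdict(list)
    for ip, ts, ok in events:
        by_ip[ip].append((ts, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [ts for ts, ok in evs if not ok]
        best, start = 0, 0
        for end in range(len(fails)):
            while fails[end] - fails[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            success_after = any(ok and ts >= fails[0] for ts, ok in evs)
            flagged[ip] = (best, success_after)
    return flagged


if __name__ == "__main__":
    print("web  :", brute_force_sources(web_auth_events(ACCESS_LOG), threshold=10))
    print("sshd :", brute_force_sources(ssh_auth_events(AUTH_LOG), threshold=5))
```

The single legitimate 401 from 10.0.5.60 stays below the threshold, so it is not reported; the source that produced the burst is reported with the failure count and with success_after set, which is the case that warrants an immediate credential reset rather than just a block.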
Reflection
Are your own passwords guessable? No, I am confident that they are not.
Are they repeated over multiple systems and services? Unfortunately, yes.
Are they included in lists such as rockyou? No.
How can you improve your password tradecraft? Using a unique password for each different service.
What are you doing right? I think the complexity of my passwords is something that I am doing right.
Sources:
- https://github.com/Jacob-Mayotte/SEC335_Tech_Journal/wiki/Assignment-3.2-%E2%80%90-DNS-uses-TCP-and-UDP
- https://www.kali.org/tools/cewl/
- https://www.geeksforgeeks.org/cewl-tool-creating-custom-wordlists-tool-in-kali-linux/
- https://www.putorius.net/brute-force-attacks-hydra-rsmangler.html#:~:text=RSMangler%20can%20reverse%2C%20permutate%2C%20double,generate%20a%20huge%20dictionary%20file.
- https://danielmiessler.com/p/nmap-use-the-top-ports-option-for-both-tcp-and-udp-simultaneously/
- https://www.kali.org/tools/dirb/