Week 05: Password Cracking - Paiet/SEC-335 GitHub Wiki

In a dictionary attack, a pre-defined list of words, known as a wordlist, is tried against the victim's password. Ready-made password lists are available on the Internet. A wordlist can be a few bytes or many gigabytes in size, since the size grows with the number of words it contains. You can also create your own if you do not intend to use a pre-defined wordlist like rockyou.txt, and several tools can help you generate one. Some of the commonly used tools are:

  • Wyd: password profiling tool
  • Crunch: Password Cracking Wordlist Generator
  • CeWL: Password Cracking Custom Word List Generator
  • RSMangler: Keyword Based Wordlist Generator for Brute forcing

For example, to crawl a website and build a custom wordlist from it with CeWL:

cewl -w test.txt -d 5 -m 3 intranet

*Note:* The -w parameter defines the name of the output wordlist. The -d parameter defines the depth to which the website is crawled. The -m parameter defines the minimum word length.
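The flip side of a dictionary attack is the check a defender runs before a password is accepted: is it in a wordlist, or a cheap mangling of a wordlist entry? The following is an added example (not from the SEC-335 wiki); SAMPLE_WORDLIST is a constructed stand-in for a real list such as rockyou.txt or the output of cewl or crunch, and the mangling rules and 12-character minimum are assumptions.

```python
"""Dictionary check for a password policy.

Added example, not from the SEC-335 wiki: a defender-side check that rejects
any password a dictionary attack would find quickly, i.e. a wordlist entry or
one of its common mangled forms (capitalised, upper-cased, leet-substituted,
with a digit, year or symbol suffix). SAMPLE_WORDLIST is a constructed stand-in
for a real list such as rockyou.txt or the output of cewl or crunch; in
practice load one word per line from that file instead.
"""
import itertools

# Constructed sample wordlist (stand-in for rockyou.txt or a cewl/crunch output).
SAMPLE_WORDLIST = ["password", "intranet", "welcome", "summer", "champion"]

# Cheap substitutions and suffixes that cracking rule sets try first (assumed).
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
SUFFIXES = ["", "1", "123", "!", "2023", "2024"]


def mangle(word):
    """Yield the variants of one word that simple cracking rules would generate."""
    bases = {word, word.capitalize(), word.upper(), word.translate(LEET)}
    for base, suffix in itertools.product(sorted(bases), SUFFIXES):
        yield base + suffix


def build_dictionary(words):
    """Expand a wordlist with the mangling rules into a set for O(1) lookups."""
    return {variant for word in words for variant in mangle(word)}


def check_policy(password, dictionary, min_length=12):
    """Return the reasons a password is rejected; an empty list means it passes."""
    reasons = []
    if len(password) < min_length:
        reasons.append("shorter than %d characters" % min_length)
    if password in dictionary or password.lower() in dictionary:
        reasons.append("matches a wordlist entry or a simple mangling of one")
    return reasons


if __name__ == "__main__":
    dictionary = build_dictionary(SAMPLE_WORDLIST)
    for candidate in ["Intranet123", "p@$$w0rd!", "correct horse battery staple"]:
        verdict = check_policy(candidate, dictionary) or ["accepted"]
        print("%-30s %s" % (candidate, "; ".join(verdict)))
```

The set is built once and reused for every check, so even a multi-gigabyte list costs only memory, not time per login; the point to take from the output is that "Intranet123" is rejected because a site-specific wordlist from CeWL plus one suffix rule covers it.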

*Note:* The hydra command takes the following parameters:

  • -t: The number of logins to try simultaneously.
  • -V: Displays each login and password attempt.
  • -f: Stops the dictionary attack once a matching username and password is found.
  • -l username: The username to be cracked. For example, bee was the username for the bWAPP application. If you do not know the username, use the -L parameter and provide a username list, similar to a wordlist.
  • -P wordlist: The wordlist containing probable passwords. Use the -p parameter for a single password.
  • The website name or IP address: The target website name or its IP address.
  • Protocol: The service against which the dictionary attack is launched.

hydra -t 5 -V -f -l bee -P /root/Desktop/wordlist.txt 10.0.0.21 ftp

Notice whether the output line is printed in green. If so, you have cracked the password for the FTP service on the host 10.0.0.21.
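From the server side, the hydra run above shows up as a burst of failed logins from one client, which is easy to detect. The following is an added example (not from the SEC-335 wiki) that reads vsftpd-style log lines and flags any client address with THRESHOLD failures inside WINDOW_SECONDS; the log lines in constructed_log() are made up for the example, and the threshold and window are assumptions to tune for the service.

```python
"""Detect hydra-style login storms in an FTP log.

Added example, not from the SEC-335 wiki. It reads vsftpd-style log lines and
flags any client address that racks up THRESHOLD failed logins inside WINDOW
seconds, which is what a hydra dictionary attack looks like from the server.
The log in constructed_log() is made up for the example, and the threshold and
window are assumptions to tune for the service.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

TS_FMT = "%a %b %d %H:%M:%S %Y"
# vsftpd-style line; real logs pad a single-digit day with a space, hence [ \d].
LOG_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"$'
)
WINDOW_SECONDS = 60   # assumed detection window
THRESHOLD = 10        # assumed number of failures that trips an alert


def constructed_log():
    """Constructed sample: 10.0.0.5 hammers user bee; 10.0.0.7 mistypes once, then logs in."""
    base = datetime(2024, 3, 4, 9, 0, 0)
    lines = []
    for i in range(12):
        stamp = (base + timedelta(seconds=3 * i)).strftime(TS_FMT)
        lines.append('%s [pid %d] [bee] FAIL LOGIN: Client "10.0.0.5"' % (stamp, 1300 + i))
    lines.append('%s [pid 1400] [alice] FAIL LOGIN: Client "10.0.0.7"'
                 % (base + timedelta(seconds=5)).strftime(TS_FMT))
    lines.append('%s [pid 1401] [alice] OK LOGIN: Client "10.0.0.7"'
                 % (base + timedelta(seconds=9)).strftime(TS_FMT))
    return "\n".join(lines)


def detect_login_storms(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {client_ip: (failures_in_window, usernames_tried)} for clients over the threshold."""
    recent = defaultdict(deque)   # per client: failure timestamps still inside the window
    users = defaultdict(set)      # per client: usernames it has tried
    alerts = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["result"] != "FAIL":
            continue
        ip, ts = m["ip"], datetime.strptime(m["ts"], TS_FMT)
        window_q = recent[ip]
        window_q.append(ts)
        users[ip].add(m["user"])
        # Drop failures that have aged out of the sliding window.
        while (ts - window_q[0]).total_seconds() > window:
            window_q.popleft()
        if len(window_q) >= threshold:
            alerts[ip] = (len(window_q), sorted(users[ip]))
    return alerts


if __name__ == "__main__":
    for ip, (count, names) in detect_login_storms(constructed_log().splitlines()).items():
        print("ALERT %s: %d failed logins within %ds for %s" % (ip, count, WINDOW_SECONDS, names))
```

Tracking the usernames per client also separates a -l run (one user, many passwords) from a -L run (many users), which is useful when deciding whether to lock the account or block the source.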

Every Linux system has two key files that contain the user and password information. The first file is /etc/passwd, which includes the general user information, such as:

  • Username
  • Password field (historically the encrypted password; on modern systems an x, meaning the hash is kept in /etc/shadow)
  • The user ID number (UID)
  • User's group ID number (GID)
  • Full name of the user (GECOS)
  • User home directory
  • Login shell

The /etc/shadow file, on the other hand, stores the user password information. The users' passwords are stored in hashed (encrypted) form, never in plaintext. This file also contains information such as:

  • Password expiry date
  • Whether a password change is required
  • Minimum and maximum time between password changes

John the Ripper

Firstly, you need to use the unshadow command to combine the /etc/passwd and /etc/shadow files into a single file, here named pass; John the Ripper needs this combined file to recover the passwords. Reading /etc/shadow requires root. To do this, type the following command:

unshadow /etc/passwd /etc/shadow > pass

Next, run John the Ripper against the file pass to recover the passwords. To do this, type the following command:

john pass
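To make the two file layouts and the unshadow step concrete, here is an added example (not from the SEC-335 wiki, and not John the Ripper's own code). It parses constructed /etc/passwd and /etc/shadow contents, merges them the way the unshadow tool does, and then audits the merged data for the things an administrator should fix before anyone runs john against it: empty password fields, weak hash formats and expired passwords. The hash strings are labelled placeholders, not real hashes, and the "today" day count passed to audit() is an assumption.

```python
"""Parse /etc/passwd and /etc/shadow, merge them like unshadow, and audit the result.

Added example, not from the SEC-335 wiki and not John the Ripper's code. It
shows the two file layouts the text describes, reproduces what John's unshadow
tool does (drop each shadow hash into the second field of the matching passwd
line), and then audits the merged data for empty password fields, weak hash
formats and expired passwords. The file contents and hash strings are
constructed placeholders, not real hashes.
"""

# Constructed /etc/passwd: name:password-field:UID:GID:GECOS:home:shell
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bee:x:1000:1000:Bee User:/home/bee:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
legacy:x:1001:1001:Legacy App:/home/legacy:/bin/sh
guest:x:1002:1002:Guest:/home/guest:/bin/sh
"""

# Constructed /etc/shadow: name:hash:lastchange:min:max:warn:inactive:expire:reserved
# (day counts are days since 1970-01-01; hash bodies are placeholders).
SHADOW = """\
root:$6$saltsalt$CONSTRUCTED_SHA512CRYPT_PLACEHOLDER:19700:0:99999:7:::
bee:$6$saltbee1$CONSTRUCTED_SHA512CRYPT_PLACEHOLDER:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
legacy:$1$abcdefgh$CONSTRUCTED_MD5CRYPT_PLACEHOLDER:17000:0:90:7:::
guest::19700:0:99999:7:::
"""

HASH_PREFIXES = {"$6$": "sha512crypt", "$5$": "sha256crypt", "$y$": "yescrypt",
                 "$7$": "scrypt", "$2b$": "bcrypt", "$1$": "md5crypt"}
WEAK_HASH_KINDS = {"md5crypt", "legacy-des-or-unknown"}


def parse_shadow(text):
    """Map user name -> shadow fields (hash plus the ageing fields the text lists)."""
    rows = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split(":")
        rows[f[0]] = {"hash": f[1],
                      "lastchange": int(f[2]) if f[2] else None,
                      "min": int(f[3]) if f[3] else None,
                      "max": int(f[4]) if f[4] else None}
    return rows


def unshadow(passwd_text, shadow_text):
    """Return passwd lines with the password field replaced by the shadow hash."""
    hashes = {name: row["hash"] for name, row in parse_shadow(shadow_text).items()}
    merged = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        fields[1] = hashes.get(fields[0], fields[1])
        merged.append(":".join(fields))
    return merged


def hash_kind(h):
    """Classify a shadow hash field by its crypt(3) prefix."""
    if h == "":
        return "empty"
    if h.startswith(("!", "*")):
        return "locked"
    for prefix, name in HASH_PREFIXES.items():
        if h.startswith(prefix):
            return name
    return "legacy-des-or-unknown"


def audit(passwd_text, shadow_text, today_days):
    """Return (user, finding) pairs; today_days is today's date as days since the epoch."""
    findings = []
    shadow = parse_shadow(shadow_text)
    for line in passwd_text.splitlines():
        name = line.split(":")[0]
        if name not in shadow:
            continue
        row, kind = shadow[name], hash_kind(shadow[name]["hash"])
        if kind == "empty":
            findings.append((name, "no password set"))
        elif kind in WEAK_HASH_KINDS:
            findings.append((name, "weak hash: " + kind))
        if (row["lastchange"] is not None and row["max"] is not None
                and today_days - row["lastchange"] > row["max"]):
            findings.append((name, "password expired"))
    return findings


if __name__ == "__main__":
    print("\n".join(unshadow(PASSWD, SHADOW)))
    for user, finding in audit(PASSWD, SHADOW, today_days=19800):
        print("%s: %s" % (user, finding))
```

The merged lines are exactly what the pass file from the unshadow command above contains, which is why that file must be protected as carefully as /etc/shadow itself; the audit shows the accounts (guest with no password, legacy on md5crypt) that a john run would recover first.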

Sniffing the Passwords