I used the cewl command to create wordlists based on text that is in a webpage.
To make a full wordlist of all unique words on the frodo webpage, I used the command cewl -d 1 http://10.0.5.21/bios/frodo -w frodo.txt
I used the same command for the pages for samwise, bilbo, and pippin.
To create a more concise list that only contains proper nouns and excludes words that wouldn't be a part of the password for the purposes of this lab, I used the cewl command in combination with a grep that excludes various common words.
I also ran that command for samwise, bilbo, and frodo.
Using Rsmangler to Create a Password List
Rsmangler is a tool that takes wordlists and "mangles" them using various flags.
I used the command rsmangler --file pippin_small.txt -x 12 -m 9 -l -s -e -i -p -u -a --output pippin_mangled.txt to "mangle" the wordlist for pippin and output it into pippin_mangled.txt.
I ran this command for samwise, bilbo, and frodo as well.
Note: mangled wordlists must end with a newline.
Find running services on a host
For this lab the target host is 10.0.5.21
I ran an nmap scan using sudo nmap -A -sV -O -p 1-6000 10.0.5.21.
I learned that the target host has ports 20 and 80 open, with the services ssh and http running on them. I also learned that the target host is an Apache web server running Rocky Linux.
Using dirb to scan a URL to find files and directories under that URL
I used the command dirb http://10.0.5.21 -r /usr/share/wordlists/dirb/common.txt
The -r option makes the scan non-recursive.
The command showed me directories such as /bios/, /cgi-bin/, /admin, /sitemap.xml, and /images/, which I was able to navigate to in a web browser.
HTTP Password Cracking (Brute Force)
The hydra tool can be used to guess the password on the target server. I used hydra to determine the password for users that access the admin page of the web server.
For the Frodo user, I used the command hydra -l frodo -P frodo_mangled.txt -s 80 -f 10.0.5.21 http-get /admin/ to guess the password for Frodo.
I ran this command for the other three users (pippin, bilbo, and samwise) as well.
Using the discovered passwords, I was able to log into each user's account on the web interface.
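Both of the web-side steps above (the dirb directory scan and the hydra http-get guessing against /admin/) leave a distinctive trace in the target's Apache access log: a run of 404 responses from one address, followed by a run of 401 responses on one protected path. The following script is an added example written from the defender's side; it is not part of the lab and not code from the cewl, dirb or hydra projects. It parses Apache combined-format lines and flags both patterns with a sliding time window. The log lines, the hostnames and the addresses 10.0.5.40 and 10.0.5.50 are constructed for the example; the thresholds are assumptions to tune against a real site's traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" access-log format. The user field is filled in only when the
# request carried Basic-auth credentials, which is how a guess against /admin/
# shows up even when it fails with 401.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_log(text):
    """Return (ip, timestamp, path, status) for every parseable line."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append((m["ip"], ts, m["path"], int(m["status"])))
    return events


def burst_count(times, window):
    """Largest number of timestamps that fall inside any interval of length window."""
    times = sorted(times)
    best = lo = 0
    for hi in range(len(times)):
        while times[hi] - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def find_bursts(events, window=timedelta(seconds=60), enum_threshold=10, auth_threshold=5):
    """Flag sources that hit many 404s (path enumeration) or many 401s on one
    path (credential guessing) inside a single window. Thresholds are assumed
    starting points; tune them against the site's normal traffic."""
    not_found = defaultdict(list)      # ip -> timestamps of 404 responses
    unauthorized = defaultdict(list)   # (ip, path) -> timestamps of 401 responses
    for ip, ts, path, status in events:
        if status == 404:
            not_found[ip].append(ts)
        elif status == 401:
            unauthorized[(ip, path)].append(ts)
    findings = []
    for ip, times in sorted(not_found.items()):
        n = burst_count(times, window)
        if n >= enum_threshold:
            findings.append({"type": "dir_enum", "ip": ip, "count": n})
    for (ip, path), times in sorted(unauthorized.items()):
        n = burst_count(times, window)
        if n >= auth_threshold:
            findings.append({"type": "auth_bruteforce", "ip": ip, "path": path, "count": n})
    return findings


# Constructed sample log (not captured from the lab host). 10.0.5.40 browses
# normally and mistypes one password; 10.0.5.50 is a made-up address that
# requests a run of non-existent directories and then fails Basic auth on
# /admin/ six times as frodo.
def _line(ip, user, second, path, status):
    return (f'{ip} - {user} [10/Oct/2023:14:01:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} 196 "-" "Mozilla/5.0"')

GUESSES = ["backup", "old", "test", "dev", "tmp", "private",
           "secret", "db", "conf", "logs", "stats", "data"]
SAMPLE_LOG = "\n".join(
    [_line("10.0.5.40", "-", 1, "/bios/frodo", 200),
     _line("10.0.5.40", "-", 9, "/images/logo.png", 200),
     _line("10.0.5.40", "-", 40, "/admin/", 401)]
    + [_line("10.0.5.50", "-", 10 + i, f"/{w}/", 404) for i, w in enumerate(GUESSES)]
    + [_line("10.0.5.50", "frodo", 30 + i, "/admin/", 401) for i in range(6)]
)

if __name__ == "__main__":
    for finding in find_bursts(parse_log(SAMPLE_LOG)):
        print(finding)
```

The detection keys on response codes rather than on a User-Agent string because a scanner's agent string is trivially changed, while a directory scan cannot avoid producing 404s and a password guess against a Basic-auth realm cannot avoid producing 401s. The single 401 from 10.0.5.40 stays below the threshold, so an ordinary typo is not reported.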
SSH Password Cracking (Brute Force)
I also used the hydra command to get the passwords for the same four users on the target server itself to gain access over SSH.
I had to determine each user's username from the webpage before attempting to guess the passwords. I knew that the scheme was firstname.lastname, so I was able to work out each user's username from that.
For example, Pippin's username is peregrin.took.
For Pippin, I used the command hydra -l peregrin.took -P pippin_mangled.txt 10.0.5.21 -f -t 64 ssh
The -t 64 option tells hydra to run 64 threads in parallel, which makes the command take less time.
I ran that command for each user.
I used the credentials that I found to gain access to each user's account over SSH.
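On the target, the SSH guessing above is recorded by sshd as a burst of "Failed password" lines from one address, one per guess, ending in an "Accepted password" line once the right entry in the mangled list is reached. The script below is an added example from the defender's side, not part of the lab and not hydra's code. It parses the sshd lines found in /var/log/secure on Rocky Linux (or journalctl -u sshd), and for each source address reports the failure count, failures per minute, the number of distinct source ports (each parallel task opens its own connection, so -t 64 shows up as many ports at once), the usernames tried, and any successful login that followed the failures. The sample lines, the hostname "lab", the address 10.0.5.50 and the year are constructed for the example; the failure threshold is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# sshd password-auth lines as written to /var/log/secure. "invalid user" appears
# when the login name does not exist on the host.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+) ssh2$"
)
YEAR = 2023  # syslog timestamps carry no year; the constructed sample assumes 2023


def parse_sshd(text):
    """Return (timestamp, ip, user, port, accepted) tuples for each auth line."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue  # other sshd chatter (connection closed, pam, ...) is ignored
        stamp = " ".join(m["ts"].split())  # collapse syslog's day padding ("Oct  1")
        ts = datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], int(m["port"]), m["result"] == "Accepted"))
    return events


def analyze(events, fail_threshold=10):
    """Flag source addresses with at least fail_threshold failed logins.

    The report carries the signals that separate a parallel guessing tool from
    a person mistyping a password: failures per minute, distinct source ports
    (one per concurrent connection), the usernames tried, and any successful
    login from the same address after the failures began.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e[1]].append(e)
    findings = []
    for ip, evs in sorted(by_ip.items()):
        evs.sort()
        fails = [e for e in evs if not e[4]]
        if len(fails) < fail_threshold:
            continue
        span = (fails[-1][0] - fails[0][0]).total_seconds()
        successes = [e for e in evs if e[4] and e[0] >= fails[0][0]]
        findings.append({
            "ip": ip,
            "failures": len(fails),
            "per_minute": round(len(fails) * 60 / max(span, 1), 1),
            "distinct_ports": len({e[3] for e in fails}),
            "users": sorted({e[2] for e in fails}),
            "success_after_failures": [(e[2], e[0].strftime("%H:%M:%S")) for e in successes],
        })
    return findings


# Constructed sample of /var/log/secure (not captured from the lab). 10.0.5.40 is
# a normal user with one typo; 10.0.5.50 is a made-up address that fails twelve
# times for peregrin.took from twelve different source ports, once for a user
# that does not exist, and then logs in successfully.
def _fail(second, user, port, invalid=False):
    who = ("invalid user " if invalid else "") + user
    return (f"Oct 10 14:10:{second:02d} lab sshd[{2000 + second}]: "
            f"Failed password for {who} from 10.0.5.50 port {port} ssh2")

SAMPLE_SECURE = "\n".join(
    ["Oct 10 14:09:30 lab sshd[1900]: Accepted password for samwise.gamgee from 10.0.5.40 port 50100 ssh2",
     "Oct 10 14:09:45 lab sshd[1901]: Failed password for samwise.gamgee from 10.0.5.40 port 50102 ssh2"]
    + [_fail(s, "peregrin.took", 51000 + s) for s in range(12)]
    + [_fail(12, "admin", 51012, invalid=True),
       "Oct 10 14:10:15 lab sshd[2015]: Accepted password for peregrin.took from 10.0.5.50 port 51020 ssh2",
       "Oct 10 14:10:20 lab sshd[2016]: Connection closed by 10.0.5.50 port 51020 [preauth]"]
)

if __name__ == "__main__":
    for finding in analyze(parse_sshd(SAMPLE_SECURE)):
        print(finding)
```

The "success_after_failures" field is the one worth alerting on: a burst of failures that ends in an accepted login from the same address is the log signature of a guessed password, and the account named there is the one to reset. The distinct-port count is the trace of the parallelism that -t 64 buys the attacker; sshd's MaxStartups setting caps how many unauthenticated connections it will hold open at once, which is why such runs are slower against hosts that keep it low.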
Challenges/Issues
I attempted to use medusa and ncrack to guess the passwords in the lab, but ended up choosing hydra because I kept running into issues with ncrack and medusa.
Using hydra to crack the SSH passwords was taking far too long at first, but I ended up adding -t 64, which greatly reduced the time the command took to execute.