Password Cracking - jwells24/Tech-Journal GitHub Wiki

Password Cracking

  • This week, we learned about password cracking and the tools and techniques that support it. Specifically, we used Hydra to break into SSH accounts and a protected directory.

CeWL

  • CeWL is a website crawler included with Kali Linux that pulls the words it finds on a site into a text file. These words can then be sorted down to the unique ones and combined with RSMangler to create a password list. An example of CeWL can be found below, where we used it to crawl a webpage with a depth of one (-d) and output the words found to a file called frodo.txt.

image

RSMangler

  • RSMangler is a word-mangling tool that takes a list of words and generates a list of possible passwords from them using scrambling techniques. Combined with CeWL, it lets us create a large list of candidate passwords to brute force against a system. Below is an example of RSMangler mangling a group of words from samwise.small.txt. -x is the maximum length of a scrambled word and -m is the minimum length. The rest of the parameters turn off certain scrambling techniques in order to make the list of scrambled words smaller.

image

Hydra

  • Hydra is a brute-force password-guessing application that takes a list of words and tries each one against a given service until the correct password is found. Hydra combined with a list of passwords from RSMangler and CeWL can allow for a strong brute-force attack. Below is an example of how we used Hydra in the lab. -l defines the login name, -P is the list of passwords to guess from, and -s is the port; these are followed by the target to attack, the service, and the location on the HTTP site we want to attack.

image
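From the defender's side, a Hydra run against SSH like the one described above appears in the sshd auth log as a burst of failed logins from one source. The following added example (not part of the original wiki page) flags such bursts and any successful login that follows one; the log lines, host name, addresses, threshold and window are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd auth-log lines (not from the lab); addresses are
# documentation ranges, host and user names are placeholders.
SAMPLE_LOG = "\n".join(
    [f"Mar 10 14:02:{s:02d} web01 sshd[2101]: Failed password for frodo "
     f"from 192.0.2.20 port 40112 ssh2" for s in range(1, 7)]
    + ["Mar 10 14:02:07 web01 sshd[2101]: Accepted password for frodo from 192.0.2.20 port 40112 ssh2",
       "Mar 10 14:05:10 web01 sshd[2140]: Failed password for samwise from 198.51.100.7 port 51514 ssh2",
       "Mar 10 14:05:25 web01 sshd[2140]: Accepted password for samwise from 198.51.100.7 port 51514 ssh2"]
)

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60), year=2024):
    """Return {ip: {"max_failures": n, "compromised": [users]}} for noisy sources.

    A source is flagged once it reaches `threshold` failures inside `window`.
    An accepted login from a flagged source while failures are still inside
    the window is recorded as a probable successful guess.
    """
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a password-auth result line
        # syslog timestamps carry no year, so one is supplied by the caller
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip, q = m["ip"], recent[m["ip"]]
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that aged out of the window
        if m["result"] == "Failed":
            q.append(ts)
            if len(q) >= threshold:
                f = findings.setdefault(ip, {"max_failures": 0, "compromised": []})
                f["max_failures"] = max(f["max_failures"], len(q))
        elif ip in findings and q:
            findings[ip]["compromised"].append(m["user"])
    return findings

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))
```

The single mistyped password from the second source stays below the threshold and is not reported, while the first source is flagged with its account marked for a password reset.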