Password‐Guessing - tmansfield42/Tech-Journal GitHub Wiki

Summary

In this lab we did password guessing: we built custom wordlists with CeWL and rsmangler, then used Hydra to run the brute-force guessing attempts.

Tools used

Cewl

CeWL is a custom wordlist generator: it crawls a website and builds a wordlist from the words it finds there, so the list is tailored to the site's content. We used the -m option (minimum word length) so that short words like "the" and "and" are left out, and -w to write the result to a file:

cewl -m 4 http://10.0.5.21/bios/samwise -w samwise.txt

Then we went through this file by hand, keeping unique, password-like words and dropping common ones (for example, excluding "before" and keeping "Peregrin"). For this lab the resulting list was between 10 and 30 entries long.

These words were saved in smaller lists with names like samwise_small.txt.


Rsmangler

This tool adds capital letters, special characters, numbers, etc. to the words in a wordlist, producing thousands of unique variations of each word. Even just 5 words in the input file can produce a 100,000-word output file.

This tool doesn't work under our given Proxmox setup. Typically, when rsmangler runs, the VM's resources are exhausted to the point that the OOM (Out Of Memory) killer terminates the process that is using up the memory, which in this case is rsmangler.

The zsh: killed error can also be caused by your computer's screen locking. If you disable the services that cause inactivity or timed logouts and you still receive this error when running a resource-intensive program, it is likely the OOM killer taking action.

Regardless, rsmangler does work, assuming you have enough resources to let it finish. The commands I used and descriptions of their parameters are below:

rsmangler -f samwise_small.txt --min 9 --max 12 -o samwise_mangled.txt
rsmangler -f pippin_small.txt --min 9 --max 12 -o pippin_mangled.txt
rsmangler -f frodo_small.txt --min 9 --max 12 -o frodo_mangled.txt
rsmangler -f bilbo_small.txt --min 9 --max 12 -o bilbo_mangled.txt

-f : Input file (the wordlist rsmangler will add numbers, special characters, etc. to)

--min : Minimum length, in characters, of the generated words

--max : Maximum length, in characters, of the generated words

-o : Output file
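To make the two wordlist steps concrete, here is an added example (my own code, not CeWL's or rsmangler's, and not part of the original journal) that does in miniature what the commands above do: extract_words drops short words from page text the way cewl -m 4 does, and mangle applies a small subset of rsmangler's rules (case changes, leet substitutions, reversal, common prefixes and suffixes) filtered by --min/--max length. The HTML snippet, prefix/suffix lists and leet map are constructed for the example. The last function turns the same expansion around for the defender: a password policy can reject any password that is a mangled form of a word scraped from public pages about the user.

```python
import re

# Constructed stand-in for a target's bio page (not a real site); the lab
# pointed cewl at http://10.0.5.21/bios/samwise.
SAMPLE_BIO_HTML = """<html><body><h1>Samwise Gamgee</h1>
<p>Gardener of the Shire and loyal friend of Frodo. He is fond of
Rosie and of potatoes; Peregrin and Meriadoc often visit.</p></body></html>"""

# Mangling rules used here: a small, constructed subset of what rsmangler applies.
PREFIXES = ["", "1", "!"]
SUFFIXES = ["", "1", "123", "!", "2024", "!1"]
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


def extract_words(html, min_len=4):
    """Pull candidate words out of page text, dropping anything shorter than
    min_len (the effect of cewl -m 4). First-seen order, duplicates removed."""
    text = re.sub(r"<[^>]+>", " ", html)
    seen, words = set(), []
    for w in re.findall(r"[A-Za-z]+", text):
        if len(w) >= min_len and w.lower() not in seen:
            seen.add(w.lower())
            words.append(w)
    return words


def case_variants(word):
    return {word.lower(), word.upper(), word.capitalize(), word.swapcase()}


def mangle(word, min_len, max_len):
    """Expand one word into case/leet/reversed variants with common prefixes
    and suffixes, keeping only results whose length lies in [min_len, max_len]
    (the role of rsmangler's --min and --max)."""
    out = set()
    for base in case_variants(word):
        for core in {base, base.translate(LEET), base[::-1]}:
            for p in PREFIXES:
                for s in SUFFIXES:
                    cand = p + core + s
                    if min_len <= len(cand) <= max_len:
                        out.add(cand)
    return out


def mangle_list(words, min_len, max_len):
    result = set()
    for w in words:
        result |= mangle(w, min_len, max_len)
    return result


def is_dictionary_derived(password, words, min_len=1, max_len=64):
    """Defensive use: True if the password is a mangled form of a word that
    could be scraped from public pages about the user."""
    return password in mangle_list(words, min_len, max_len)


if __name__ == "__main__":
    words = extract_words(SAMPLE_BIO_HTML)
    candidates = mangle_list(words, 9, 12)
    print(len(words), "base words ->", len(candidates), "candidates of length 9-12")
    for pw in ["Peregrin123", "5h1r3123", "correcthorsebattery"]:
        print(pw, "derived from page text:", is_dictionary_derived(pw, words))
```

Even this handful of rules turns a dozen base words into several hundred candidates, which is why the real tool's output balloons to the sizes described above; the same expansion is cheap enough to run at password-change time as a blocklist check.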

Issues & Notes

I didn't have many issues in this lab besides rsmangler and the OOM conflict I mentioned earlier. For Hydra, I had a little trouble finding the correct module to use for brute-forcing.

- Hydra using SSH -

For ssh, I used this command:

hydra -l peregrin.took -P pippin_mangled.txt -s 22 -f 10.0.5.21 ssh -t 4

Here, -l is the username, -P is the wordlist to brute-force from, -s is the port, -f is the target, ssh is the "module", and -t 4 limits the number of parallel tasks run against the server. I limited it to 4 so there are only 4 tasks at a time for SSH.
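From the server's side, a run like the one above shows up in sshd's auth log as a burst of "Failed password" lines for one account from one source, a few at a time when -t 4 is used. The following is an added example (my own code, not Hydra's and not part of the original journal) of the detection logic a defender would run over that log: it parses OpenSSH's "Failed password" and "Accepted password" lines, counts failures per source in a sliding time window, and flags a source whose failure burst was followed by a successful login. The auth.log excerpt, hostname and addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# OpenSSH auth.log lines reporting a password authentication result.
EVENT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample auth.log excerpt: a burst of failures against one account
# from one source, then a success from that source, plus two isolated failures
# (ordinary typos) from another host.
SAMPLE_AUTH_LOG = """\
Mar 13 14:02:11 hobbiton sshd[2231]: Failed password for peregrin.took from 10.0.5.50 port 51234 ssh2
Mar 13 14:02:11 hobbiton sshd[2233]: Failed password for peregrin.took from 10.0.5.50 port 51236 ssh2
Mar 13 14:02:12 hobbiton sshd[2235]: Failed password for peregrin.took from 10.0.5.50 port 51238 ssh2
Mar 13 14:02:12 hobbiton sshd[2237]: Failed password for peregrin.took from 10.0.5.50 port 51240 ssh2
Mar 13 14:02:14 hobbiton sshd[2239]: Failed password for peregrin.took from 10.0.5.50 port 51242 ssh2
Mar 13 14:02:15 hobbiton sshd[2241]: Failed password for peregrin.took from 10.0.5.50 port 51244 ssh2
Mar 13 14:02:16 hobbiton sshd[2243]: Accepted password for peregrin.took from 10.0.5.50 port 51246 ssh2
Mar 13 14:05:00 hobbiton sshd[2301]: Failed password for samwise from 10.0.5.77 port 40210 ssh2
Mar 13 14:30:00 hobbiton sshd[2388]: Failed password for samwise from 10.0.5.77 port 40211 ssh2
"""


def parse_events(lines):
    """Return (timestamp, result, source, user) for each auth result line."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line)
        if m:
            # Syslog timestamps carry no year; fine for ordering within one log.
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events.append((ts, m["result"], m["src"], m["user"]))
    return events


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Flag sources with >= threshold failures inside any window_seconds span."""
    by_src = defaultdict(list)
    for ev in parse_events(lines):
        by_src[ev[2]].append(ev)
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[0])
        fail_times = [ts for ts, result, _, _ in evs if result == "Failed"]
        # Sliding window over the sorted failure times: peak = densest burst.
        left, peak = 0, 0
        for right in range(len(fail_times)):
            while fail_times[right] - fail_times[left] > window:
                left += 1
            peak = max(peak, right - left + 1)
        if peak < threshold:
            continue
        first_fail = fail_times[0]
        alerts[src] = {
            "max_failures_in_window": peak,
            "users": sorted({u for _, r, _, u in evs if r == "Failed"}),
            # A success after the burst means a guess probably landed.
            "followed_by_success": any(r == "Accepted" and ts >= first_fail
                                       for ts, r, _, _ in evs),
        }
    return alerts


if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_AUTH_LOG.splitlines()).items():
        print(src, info)
```

The threshold and window are the tuning knobs: a low, parallel wordlist run such as -t 4 still produces several failures per second, so a short window catches it, while the two spaced-out typos from the second host stay below the line.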


- Hydra using HTTP -

I had a problem brute-forcing the /admin page because I was using the wrong HTTP method. Hydra can brute-force HTML form logins (i.e. POST forms) as well as HTTP Basic Auth. The 10.0.5.21/admin page uses HTTP Basic Auth, which is the browser's default credential popup shown when a page requires credentials before it can be accessed, as opposed to an actual login form, where there is no popup and you fill out a form on the page, the way most website logins work.

For HTML POST Forms:

hydra -l frodo -P frodo_mangled.txt 10.0.5.21 http-post-form "/admin:username=^USER^&password=^PASS^:F=incorrect"

http-post-form : Specifies that you're brute-forcing an HTML login form and not the Basic Auth popup we see on 10.0.5.21/admin

/admin:username=^USER^&password=^PASS^ : The form's path and POST body; ^USER^ and ^PASS^ are replaced with each username and password tried

:F=incorrect : The failure condition, i.e. the string that appears in the response when the guess is wrong. In this case it's the string "incorrect"


For HTTP Basic Auth:

hydra -l frodo -P frodo_mangled.txt -s 80 -f 10.0.5.21 http-get /admin/

-s : Target port

-f : Target IP

http-get : Module used for HTTP Basic Auth

/admin/ : Page you're trying to access
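The difference between the two modules is also visible in the web server's access log, and it changes how the guessing is detected. With Basic Auth every wrong credential is answered with a 401, so a burst of 401s on the protected path from one address is the signature. With a form login, a wrong password usually comes back as a 200 carrying the failure string ("incorrect" above), so the status code says nothing and the defender has to count POSTs to the login path instead (or have the application log failures itself). The block below is an added example (my own code, not Hydra's and not part of the original journal) that applies both checks to a constructed access-log excerpt; the addresses, paths and timestamps are made up for the example.

```python
import re
from collections import Counter

# Apache/nginx combined log format, with only the fields needed here captured.
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample: one source guessing Basic Auth on /admin/ (401s, then a
# 200 hit), another posting repeatedly to a form at /admin (all 200, because the
# page re-renders with a failure message), one real login (302 redirect),
# and ordinary browsing.
SAMPLE_ACCESS_LOG = """\
10.0.5.50 - - [13/Mar/2024:14:10:01 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
10.0.5.50 - - [13/Mar/2024:14:10:01 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
10.0.5.50 - - [13/Mar/2024:14:10:02 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
10.0.5.50 - - [13/Mar/2024:14:10:02 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
10.0.5.50 - - [13/Mar/2024:14:10:03 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
10.0.5.50 - - [13/Mar/2024:14:10:03 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
10.0.5.50 - - [13/Mar/2024:14:10:04 +0000] "GET /admin/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.5.51 - - [13/Mar/2024:14:12:00 +0000] "POST /admin HTTP/1.1" 200 1203 "-" "Mozilla/5.0"
10.0.5.51 - - [13/Mar/2024:14:12:00 +0000] "POST /admin HTTP/1.1" 200 1203 "-" "Mozilla/5.0"
10.0.5.51 - - [13/Mar/2024:14:12:01 +0000] "POST /admin HTTP/1.1" 200 1203 "-" "Mozilla/5.0"
10.0.5.51 - - [13/Mar/2024:14:12:01 +0000] "POST /admin HTTP/1.1" 200 1203 "-" "Mozilla/5.0"
10.0.5.51 - - [13/Mar/2024:14:12:02 +0000] "POST /admin HTTP/1.1" 200 1203 "-" "Mozilla/5.0"
10.0.5.51 - - [13/Mar/2024:14:12:02 +0000] "POST /admin HTTP/1.1" 200 1203 "-" "Mozilla/5.0"
10.0.5.51 - - [13/Mar/2024:14:12:03 +0000] "POST /admin HTTP/1.1" 200 1203 "-" "Mozilla/5.0"
10.0.5.52 - - [13/Mar/2024:14:15:30 +0000] "POST /admin HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.5.60 - - [13/Mar/2024:14:16:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.5.60 - - [13/Mar/2024:14:16:05 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def parse_access_log(lines):
    """Return one dict per parsable request line."""
    rows = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if m:
            rows.append({"src": m["src"], "method": m["method"],
                         "path": m["path"], "status": int(m["status"])})
    return rows


def basic_auth_guessing(lines, path_prefix="/admin", threshold=5):
    """Basic Auth (hydra http-get): each wrong credential is a 401 on the path,
    so count 401s per source. A legitimate user produces one or two."""
    counts = Counter(r["src"] for r in parse_access_log(lines)
                     if r["path"].startswith(path_prefix) and r["status"] == 401)
    return {src: n for src, n in counts.items() if n >= threshold}


def form_login_guessing(lines, login_path="/admin", threshold=5):
    """Form login (hydra http-post-form): failures are typically 200 with the
    failure string in the body, invisible in the status code, so count POST
    volume to the login path per source instead."""
    counts = Counter(r["src"] for r in parse_access_log(lines)
                     if r["method"] == "POST" and r["path"] == login_path)
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    log = SAMPLE_ACCESS_LOG.splitlines()
    print("Basic Auth guessing:", basic_auth_guessing(log))
    print("Form login guessing:", form_login_guessing(log))
```

The single 302 from the third address is what a real successful form login looks like in this sample, and the lone 200 after the 401 burst is the moment the Basic Auth guess succeeded; both are worth surfacing alongside the counts when the alert is raised.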