If you can see this check that

Main Page

Week 10 - Password Attacks


Password Attacks

User:
Password:
Aim: To investigate password attacks, both on a live target and with stolen password files.

Question 1: Target 1

Press this button to ready your machine for running the virtual machine targets. If your machine is reset or you reboot then you may have to press this button again.

Note that this target can take (quite) a few minutes to boot, as it has many processes running many services.

Tests - not attempted
Script ready UNTESTED
Target network UNTESTED
Target 1 UNTESTED

Question 2: Understanding the Challenge

You can use the echo command piped to md5sum to give you the md5 version of whatever string you like, such as creating an md5 of the string "mycode" by doing:

echo -n mycode | md5sum | cut -f1 -d" "

What is the md5 encoding of the string "password"? encoding:

Tests - not attempted
md5 of password UNTESTED

How is the md5 encoded, and how many bits does this represent?

Encoding:
bits:

Tests - not attempted
md5 encoding UNTESTED
md5 bit length UNTESTED

Create a file called hex.pl in /root with the following EXACT contents.

#!/usr/bin/perl

use strict;
use Digest::MD5;

my @dictionary = ("mycode","pass","password","secret","magic","tasty");

my $tries=0;
foreach my $word (@dictionary) {
  if (Digest::MD5::md5_hex($word) eq $ARGV[0]) {
    print "Match after $tries tries! The password is '$word'\n";
    exit;
  }
  $tries++;
}
Make the file executable by doing
chmod +x hex.pl

This command, ./hex.pl, takes 1 parameter. This is a hex encoded md5 password. Try running ./hex.pl with the md5 hex from the "mycode" question.

How many tries did it take to crack the code.
tries:

Tests - not attempted
tries UNTESTED

Extend the search to try the dictionary words in hex.pl but with the numbers 0-9 appended to them. So edit hex.pl, and replace all lines after "my tries=0" with: line add:

foreach my $n ("",0..9) {
 foreach my $word (@dictionary) {
  if (Digest::MD5::md5_hex($word.$n) eq $ARGV[0]) {
    print "Match after $tries tries! The password is '$word$n'\n";
    exit;
  }
  $tries++;
 }
}
Now try and break db0edd04aaac4506f7edab03ac855d56.

How many tries did it take to crack the code.
tries:

Tests - not attempted
tries UNTESTED

Extend the search to try the dictionary words in hex.pl but with the numbers 0-999 appended to them. So edit hex.pl, and change

foreach my $n ("",0..9) {
to
foreach my $n ("",0..999) {
Now try and break 3bf6cea68a85bf6104092fbbcdf9aea3

What is the password?
password: How many tries did it take to crack the code.
tries:

Tests - not attempted
tries UNTESTED
tries UNTESTED

Assuming that you had a small dictionary of 20 words, and looked at the permutations of the password being any one of those words, either as it is or with numbers ranging from 0 to 9999, then consider the implications of this.

How many permutations would that be? permutations:

Consider the following:
A - extra complexity, permutations, case, dictionaries will not slow it down much.
B - huge ever expanding dictionaries and permutations do not scale.
C - All this needs is more memory to make it better.
D - Doubling the CPU speed makes this approach scalable.
E - Different approaches are needed for large search spaces.


Which of these is most true?

Tests - not attempted
Permutations UNTESTED
Reflection UNTESTED

Question 3: Offline Attacks

Pressing the button here will create a password scenario for you to attempt. It will create /root/example1.sam

Tests - not attempted
Create example1.sam UNTESTED

John The Ripper can be used to break a password of a windows SAM file.

First locate john's password.lst file. Use the find command for this. Note the "lst" is "L S T", and not a "one". If you find more than one, choose the SHORTEST path.

Full path of password.lst:

Tests - not attempted
Location of password.lst UNTESTED

Examine the example1.sam file. What hashes does it contain?

Hash types:

Tests - not attempted
File type UNTESTED

Crack with John The Ripper the example1.sam file. Use it in "wordlist" mode, and use the full path of password.lst. Use the "lm" format, as this is faster to crack... Apply "john" to example1.sam.

Tests - not attempted
John cracked easy one... UNTESTED
John almost cracked harder one... UNTESTED

Use "john --show example1.sam" and evaluate its attempt. Passwords are CASE SENSITIVE in the checks!

What is the password of "gordon":
What is wrong with the password of "Administrator":

Tests - not attempted
Gordon's password UNTESTED
Admin's password UNTESTED

Switch to John The Ripper in "incremental" mode, and apply it to example1.sam. Use the show mode and identify the password of Administrator. Passwords are CASE SENSITIVE in the checks!

What is the password of "administrator":

Tests - not attempted
John finished harder one... UNTESTED
Admin password correct UNTESTED

Question 4: Online attack

Now focus on the target you started at the beginning of the tutorial. The target can take 5 minutes to warm up, but should have had enough time now. Press the test button to see if it is running fully before continuing.

Tests - not attempted
Target 1 network running UNTESTED
Target 1 all services running UNTESTED

Target 1 lies somewhere in 192.168.1.1 - 192.168.1.254. This time use "ip route show" and find out the device name on your machine which would be used to handle packets going to target 1.

Target network device:

Tests - not attempted
Gateway IP UNTESTED

What is your machine's IP number on the target network?

Your IP:

Tests - not attempted
Local IP UNTESTED

Use nmap to sweep the target network, and identify the IP address of target 1.

Target IP:

Tests - not attempted
target ip UNTESTED

Scan port 22 of the target using nmap in application fingerprinting mode.

SSH Server version?:

Tests - not attempted
Product version correct UNTESTED

We are going to use Hydra, but first we need to set up a password file for it. We are going to use /usr/share/wordlists/rockyou.txt.gz. However that file is currently compressed using gzip.

Uncompress rockyou.txt.gz by doing:

zcat /usr/share/wordlists/rockyou.txt.gz > /root/rockyou.txt

Do "wc -l" on the file and see how many lines (passwords) are in the file.
rockyou length:

Tests - not attempted
File expanded UNTESTED
Lines right UNTESTED

Open Hydra-gtk. It is in Kali Linux > Password Attacks > Online Attacks.

Perform a single target attack against target 1. Use the ssh protocol (you can leave the port on 0 if you like and it will automatically select 22). Be verbose and show attempts...

Switch to the Passwords tab. Assuming you know the name of a user you want to try you would put it in here. In our case hack the "user" username. Use a password list ("/root/rockyou.txt"). Select both "try login as password" and "try empty password" (well why not!). Go to Tuning and set tasks to 1. Now go to the Start tab and Start.

What is the password for "user"?
password:

Tests - not attempted
Password for user UNTESTED

Repeat the process, but this time crack the user account "klog".

What is the password for "klog"?
password:

Tests - not attempted
Password for klog UNTESTED

Perform a similar scan, but this time try and break the "sys" user. Increase the number of tasks to 5 in Tuning before pressing start... otherwise it could be a while. If for some reason the attempts go past 300 then stop the attempt and try again (maybe a timeout or something). If you dont try including a blank password and using the username as a password you wont get the count right...

What is the password for "sys"?
password:
How many attempts dit it take to find the password?
attempts:
Thoughts:

Tests - not attempted
Password for sys UNTESTED
Attempts to get password UNTESTED
Reflection UNTESTED


Linux tutorials: intro1 intro2 wildcard permission pipe vi essential admin net fwall DNS diag Apache1 Apache2
Caine 6.0: Essentials | Basic | Search | SysIntro | 5a | 5b | 5c | 6 | 7a | 7b | 8a | 8b | WebBrowserA | WebBrowserB | Registry | Browser
Digital Investigation: Editing | Email | Logs | Strength
Kali: 1a | 1b | 1c | 2 | 3 | 4a | 4b | 5 | 6 | 7a | 8a | 8b | 9 | 10 |
Useful: Quiz | Forums | Privacy Policy | Terms and Conditions
Site Links:XMLZoo ActiveSQL ProgZoo SQLZoo

Copyright @ 2004-2017 Gordon Russell. All rights reserved.