Password Attacks

Press this button to ready your machine for running the virtual machine targets. If your machine is reset or you reboot then you may have to press this button again.

Note that this target can take (quite) a few minutes to boot, as it has many processes running many services.

You can use the echo command piped to md5sum to give you the md5 version of whatever string you like, such as creating an md5 of the string "mycode" by doing:

echo -n mycode | md5sum | cut -f1 -d" "

What is the md5 encoding of the string "password"? encoding:

How is the md5 encoded, and how many bits does this represent?

Encoding: Binary ASCII Decimal Hex Base64 Base128 Baccus Normal Form
bits:

Create a file called hex.py in /root with the following EXACT contents.

#!/usr/bin/python3
import hashlib
import sys

dictionary = ["mycode","pass","password","secret","magic","tasty"]

count=1
for i in dictionary:
  if (hashlib.md5(i.encode('ascii')).hexdigest() == sys.argv[1]):
    print("Match after",count,"tries! The password is",i)
  count+=1

chmod +x hex.py

This command, ./hex.py, takes 1 parameter. This is a hex encoded md5 password. Try running ./hex.py with the md5 hex from the question above where you calculated the md5 of "password".

How many tries did it take to crack the code.
tries:

Extend the search to try the dictionary words in hex.py but with the numbers 0-9 appended to them. So edit hex.py, and replace all lines after "count=1" with: line add:

for extra in [""] + list(range(0,9)):
 for i in dictionary:
  if (hashlib.md5(str(i+str(extra)).encode('ascii')).hexdigest() == sys.argv[1]):
    print("Match after",count,"tries! The password is",i+str(extra))
  count+=1

How many tries did it take to crack the code.
tries:

Extend the search to try the dictionary words in hex.py but with the numbers 0-999 appended to them. So edit hex.py, and change

for extra in [""] + list(range(0,9)):

for extra in [""] + list(range(0,999)):

What is the password?
password: How many tries did it take to crack the code.
tries:

Assuming that you had a small dictionary of 20 words, and looked at the permutations of the password being any one of those words, either as it is or with numbers ranging from 0 to 9999, then consider the implications of this.

How many permutations would that be? permutations:

Consider the following:
A - extra complexity, permutations, case, dictionaries will not slow it down much.
B - huge ever expanding dictionaries and permutations do not scale.
C - All this needs is more memory to make it better.
D - Doubling the CPU speed makes this approach scalable.
E - Different approaches are needed for large search spaces.


Which of these is most true? A B C D E A,C,D B,E All of the above None of the above

Pressing the button here will create a password scenario for you to attempt. It will create /root/example1.sam

John The Ripper can be used to break a password of a windows SAM file.

First locate john's password.lst file. Use the find command for this. Note the "lst" is "L S T", and not a "one". If you find more than one, choose the SHORTEST path.

Full path of password.lst:

Examine the example1.sam file. What hashes does it contain?

Hash types: This is a Linux crypt password file This is a Linux sha 256 password file This is a Linux sha 512 password file This is a Windows LM only file This is a Windows NTLM only file This is a Windows LM and NTLM file

Crack with John The Ripper the example1.sam file. Use it in "wordlist" mode, and use the full path of password.lst. Use the "lm" format, as this is faster to crack... Apply "john" to example1.sam.

Use "john --show example1.sam" and evaluate its attempt. Passwords are CASE SENSITIVE in the checks!

What is the password of "gordon":
What is wrong with the password of "Administrator": Failed to work out anything Password is PASSWOR??????? Only cracked the first LM half Only cracked the second LM half Full of unprintable characters Password is locked Password is E52CAC67419A9A22664345140A852F61

Switch to John The Ripper in "incremental" mode, and apply it to example1.sam. Use the show mode and identify the password of Administrator. Passwords are CASE SENSITIVE in the checks!

What is the password of "administrator":

Now focus on the target you started at the beginning of the tutorial. The target can take 5 minutes to warm up, but should have had enough time now. Press the test button to see if it is running fully before continuing.

Target 1 lies somewhere in 192.168.1.1 - 192.168.1.254. This time use "ip route show" and find out the device name on your machine which would be used to handle packets going to target 1.

Target network device:

What is your machine's IP number on the target network?

Your IP:

Use nmap to sweep the target network, and identify the IP address of target 1.

Target IP:

Scan port 22 of the target using nmap in application fingerprinting mode.

SSH Server version?: None Running Actually an Apache server port Actually a Telnet server port OpenSSH 4.7p1 OpenSSL 4.5p1 OpenSSH 4.6p1 OpenSSH 5.7p1 OpenSSH 2.0

We are going to use Hydra, but first we need to set up a password file for it. We are going to use /usr/share/wordlists/rockyou.txt.gz. However that file is currently compressed using gzip.

Uncompress rockyou.txt.gz by doing:

zcat /usr/share/wordlists/rockyou.txt.gz > /root/rockyou.txt

Do "wc -l" on the file and see how many lines (passwords) are in the file.
rockyou length:

Open Hydra-gtk. It is in Kali Linux > 5. Password Attacks > Online Attacks > Hydra-gtk.

Perform a single target attack against target 1. Use the ssh protocol (you can leave the port on 0 if you like and it will automatically select 22). Be verbose and show attempts...

Switch to the Passwords tab. Assuming you know the name of a user you want to try you would put it in here. In our case hack the "user" username. Use a password list ("/root/rockyou.txt"). Select both "try login as password" and "try empty password" (well why not!). Go to Tuning and set tasks to 1. Now go to the Start tab and Start.

What is the password for "user"?
password:

Repeat the process, but this time crack the user account "klog".

What is the password for "klog"?
password:

Perform a similar scan, but this time try and break the "sys" user. Increase the number of tasks to 5 in Tuning before pressing start... otherwise it could be a while. If for some reason the attempts go past 300 then stop the attempt and try again (maybe a timeout or something). If you dont try including a blank password and using the username as a password you wont get the count right... Do give it a few minutes...the answer is found in no more than 300 attempts.

What is the password for "sys"?
password:
How many attempts dit it take to find the password?
attempts:
Thoughts: Easily crack anyones password A large password file would take seconds Good for brief checks using short lists Good for in-depth scanning of a whole enterprise A fast and large scan Would never overload a network