Password Attacks

Aim: To investigate password attacks, both online attacks on a live target, and offline cracking with retrieved hashed password files.


Question 1: Target 1 - Boot

Press this button to ready your machine for running with the virtual machine targets. If your machine is reset or you reboot then you may have to press this button again.

Note that this target can take (quite) a few minutes to boot, as it has many processes running many services.

Tests - not attempted
Script ready UNTESTED
Target 1 started UNTESTED

Question 2: Understanding Password Hashes and Dictionaries

You can use the echo command piped to md5sum to get the md5 hash of any string you like; for example, to get the md5 of the string "mycode":

echo -n mycode | md5sum | cut -f1 -d" "

What is the md5 encoding of the string "password"? encoding:

Tests - not attempted
md5 of password UNTESTED

How is the md5 encoded, and how many bits does this represent?

Encoding:
bits:

Tests - not attempted
md5 encoding UNTESTED
md5 bit length UNTESTED

Create a file called hex.py in /home/kali/ with the following EXACT contents.

#!/usr/bin/python3
import hashlib
import sys

# candidate passwords, tried in this order
dictionary = ["mycode","pass","password","secret","magic","tasty"]

count=1
for i in dictionary:
  # compare the md5 hex digest of each word with the hash given as argument 1
  if (hashlib.md5(i.encode('ascii')).hexdigest() == sys.argv[1]):
    print("Match after",count,"tries! The password is",i)
  count+=1

Make the file executable by doing

chmod +x hex.py

This command, ./hex.py, takes 1 parameter. This is a hex encoded md5 password. Try running ./hex.py with the md5 hex from the question above where you calculated the md5 of "password".

How many tries did it take to crack the code?
tries:

Tests - not attempted
tries UNTESTED

Extend the search to try the dictionary words in hex.py but with the numbers 0-9 appended to them. So edit hex.py, and replace all lines after "count=1" with:

# try each word bare first (extra == ""), then with a number appended
# (note that range(0,9) yields the numbers 0..8)
for extra in [""] + list(range(0,9)):
  for i in dictionary:
    if (hashlib.md5(str(i+str(extra)).encode('ascii')).hexdigest() == sys.argv[1]):
      print("Match after",count,"tries! The password is",i+str(extra))
    count+=1

Now try and break db0edd04aaac4506f7edab03ac855d56.

How many tries did it take to crack the code?
tries:

Tests - not attempted
tries UNTESTED

Extend the search to try the dictionary words in hex.py but with the numbers 0-999 appended to them. So edit hex.py, and change

for extra in [""] + list(range(0,9)):

to

for extra in [""] + list(range(0,999)):

Now try and break 3bf6cea68a85bf6104092fbbcdf9aea3

What is the password?
password:
How many tries did it take to crack the code?
tries:

Tests - not attempted
password correct UNTESTED
tries correct UNTESTED

Assuming that you had a small dictionary of 20 words, and looked at the permutations of the password being any one of those words, either as it is or with a number ranging from 0 to 9999 appended, consider the implications of this.

How many permutations would that be? permutations:

Consider the following:
A - extra complexity, permutations, case, dictionaries will not slow it down much.
B - huge ever expanding dictionaries and permutations do not scale.
C - All this needs is more memory to make it better.
D - Doubling the CPU speed makes this approach scalable.
E - Different approaches are needed for large search spaces.


Which of these is most true?

Tests - not attempted
Permutations UNTESTED
Reflection UNTESTED

Question 3: Offline Password Attacks

Pressing the button here will create a password scenario for you to attempt. It will create a Windows SAM registry file /home/kali/example1.sam. This contains the local hashed passwords which we can try to recover.

Tests - not attempted
Create example1.sam UNTESTED

Offline | Password Cracking | John

John The Ripper can be used to recover passwords from a Windows SAM file.

We will use a dictionary attack, so we need to prepare a dictionary/wordlist of passwords to use. Locate the default wordlist password.lst file. Use the find or locate command to locate the wordlist file. Note the "lst" is "L S T", and not a "one". If you find more than one, choose the SHORTEST path.

Double check this by using the Password Attacks > Profiling and Wordlists > Wordlists menu item in Kali.

Full path of password.lst:

Use "wc -l" to review how many passwords are in the wordlist file.
dictionary size:

Tests - not attempted
Location of password.lst UNTESTED
Passwords in file UNTESTED

We now need to evaluate the hash type/strength. Examine the example1.sam file. Which type of password hashes does it contain?

Hash types:

Tests - not attempted
File type UNTESTED

Use the john tool to recover passwords from the hashed passwords in the example1.sam file. Use john in "wordlist" mode, and use the full path of the password.lst file as the password dictionary/wordlist. Specify the hash format to be "NT" to target the Windows NTLM hashes in the SAM file.

What is the NTLM password of "gordon":

Tests - not attempted
John cracked user1... UNTESTED
Gordon's password UNTESTED

The second NTLM password has not been found, as it is not in the john default password wordlist.

To try to brute force the NTLM password (so keep the NT format in the command options), run john in "incremental" mode against the example1.sam file. With no configuration except the NTLM format option, john generates password guesses from all combinations of the 95 printable ASCII characters. Allow the attack to run for a minute or two, and then stop it with CTRL+C if it does not recover the password.

While the brute force password attack is running, try to calculate the key space, and the time needed to try every possible password guess. Calculate the total number of passwords (the key space) for all combinations of the 95 printable ASCII characters in a 6 character password. At 200 guesses per second, how many days would it take to complete the attack? Use commas in your answers!


Key space size/total password guesses:
Time to complete all password guesses:
Tests - not attempted
Key space UNTESTED
Time to complete UNTESTED
John run in incremental mode... UNTESTED
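An added example, not part of the lab, for the key-space estimate asked for above: functions for the size of a fixed-alphabet search space and the days needed to exhaust it at a given guess rate. The LM figure assumes the well-known LM construction (password upper-cased, at most 14 characters, hashed as two independent 7-character halves), which is why the page calls that algorithm weak.

```python
PRINTABLE_ASCII = 95   # printable ASCII characters, as used in the question
LM_ALPHABET = 69       # printable ASCII minus the 26 lower-case letters (LM upper-cases input)
SECONDS_PER_DAY = 24 * 60 * 60

def key_space(alphabet_size: int, length: int, all_lengths: bool = False) -> int:
    """Number of candidates of exactly `length` characters or, with
    all_lengths=True, of every length from 1 to `length` (what an incremental
    run that starts at one character actually has to cover)."""
    if all_lengths:
        return sum(alphabet_size ** n for n in range(1, length + 1))
    return alphabet_size ** length

def days_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate."""
    return candidates / guesses_per_second / SECONDS_PER_DAY

def lm_key_space() -> int:
    """LM splits the upper-cased, 14-character-max password into two 7-character
    halves that are hashed independently, so the worst case is two 69^7
    searches rather than one 69^14 search."""
    return 2 * key_space(LM_ALPHABET, 7)

def nt_vs_lm_ratio(length: int = 14) -> float:
    """How many times larger the NT search space for a `length`-character
    password is than the effective LM search space."""
    return key_space(PRINTABLE_ASCII, length) / lm_key_space()

if __name__ == "__main__":
    # show how the worst case grows with length and shrinks with guess rate
    for n in (4, 5):
        space = key_space(PRINTABLE_ASCII, n, all_lengths=True)
        for rate in (200, 20_000):
            print(f"up to {n} chars: {space:,} candidates, "
                  f"{days_to_exhaust(space, rate):,.2f} days at {rate:,} guesses/s")
    print(f"effective LM key space: {lm_key_space():,}; "
          f"NT space for 14 chars is {nt_vs_lm_ratio():.1e} times larger")
```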

Now use john to recover passwords for the LANMAN hashed passwords in the same example1.sam file. Use john in "wordlist" mode with the password.lst file as before. Specify the hash format to be "LM" to target the Windows LANMAN hashes in the SAM file. These hashes should be faster to crack, as the algorithm is rather weak...

Tests - not attempted
John cracked user1... UNTESTED
John almost user2... UNTESTED

Use "john --show example1.sam" and evaluate its attempt. Passwords are CASE SENSITIVE in the checks!

What is the LM password of "gordon":
What is wrong with the password of "Administrator":

Tests - not attempted
Gordon's password UNTESTED
Admin's password UNTESTED

Switch to John in brute force "incremental" mode again, and run it against the LM hashes in the example1.sam file. Use the show mode and identify the password of Administrator. Passwords are CASE SENSITIVE in the checks!

What is the LM hash password of "administrator":

Tests - not attempted
John finished harder one... UNTESTED
Admin password correct UNTESTED

Question 4: Online Password Attacks

Now focus on the target you started at the beginning of the tutorial. The target can take a couple of minutes to warm up, but should have had enough time now. Press the test button to check if it is running fully before continuing.

Tests - not attempted
Target 1 network running UNTESTED
Target 1 all needed services running UNTESTED

Target 1 lies somewhere in 192.168.1.1 - 192.168.1.254. This time use "ip route show" to find out the device name on your machine which would be used to handle packets going to target 1.

Target network device:

Tests - not attempted
Gateway IP UNTESTED

What is your machine's IP number on the target network?

Your IP:

Tests - not attempted
Local IP UNTESTED

Use nmap to sweep the target network, and identify the IP address of target 1.

Target IP:

Tests - not attempted
target ip UNTESTED

Scan port 22 of the target and identify the application version running on that port.

SSH Server version?:

Tests - not attempted
Product version correct UNTESTED

Online | Password Guessing | Hydra

We are going to use Hydra, but first we need to set up a password file for it. We are going to use /usr/share/wordlists/rockyou.txt.gz. However that file is currently compressed using gzip.

Uncompress rockyou.txt.gz by doing:

zcat /usr/share/wordlists/rockyou.txt.gz > /home/kali/rockyou.txt

How many passwords are in the rockyou.txt wordlist file?
rockyou length:

Tests - not attempted
File expanded UNTESTED
Passwords in rockyou UNTESTED

Using hydra we are going to attack the ssh service. However, the target uses password hash algorithms which are not switched on by default. To solve this we are going to need to switch those on. The check button does this for you. These settings could be lost if you reboot, so bear in mind that this button needs to be pressed every time you boot.

Tests - not attempted
~/.ssh/config saved UNTESTED
contents look ok UNTESTED

Hydra needs a few flags in order to run fully and make the check buttons happy. Research the flags discussed below and ensure you have the right ones ready.

You are going to be attacking our target machine with an ssh protocol attack. What will that part of the command line look like:

You want to see the username and password combinations, but not have to watch the handshake. What flag is that?

You want to use the /home/kali/rockyou.txt file as the password list. What is the flag for that?

You will want to specify a login name to use in combination with the password list. Imagine you are going to try and break the user account "user". What flag is that?

You want to also try the login name as a password, and to also try an empty (null) password, in addition to the password list. What is the flag for that?

You don't want to overload the target with requests. What is the command line option to run 4 tasks in parallel?

Tests - not attempted
target UNTESTED
show attempts UNTESTED
password file UNTESTED
login name UNTESTED
extra passwords UNTESTED
tasks UNTESTED

Use parameters identified above, to perform a single target attack against target 1, against the ssh protocol, showing the password guessing attempts...

The password guessing attack should be against the "user" username, and use the rockyou password wordlist. Set the number of parallel tasks to 2.

Let's time our attempt, and to start only run for 1 minute. Set a stopwatch on your phone. If useful you can use the date command before and after your attack, or open another terminal window and run the following to show the seconds passing in Kali:

  while true; do printf '%s\r' "$(date)"; done

Run the attack for 1 minute and, if the user's password is not found, stop Hydra with CTRL+C. From the Hydra output, review approximately how many password guesses were sent in 1 minute.

Now, run the attack again, but try both null and the username as the password, using -e ns.

What is the password for "user"?
password:

Tests - not attempted
Password for user UNTESTED

Repeat the process, but this time target the user account "klog". Use the same general flags.

Again time your attack. If it takes more than around 1 minute then you have probably made an error.

What is the password for "klog"?
password:

Tests - not attempted
Password for klog UNTESTED

Perform a similar attack, but this time try and recover the "sys" user's password. If for some reason the attempts go past 300 then stop the attempt and try again (maybe a timeout or something). If you don't include the flags for a blank password and using the username as a password you won't get the count right in the check button... Do give it a few minutes... the answer is found in no more than 300 attempts.

What is the password for "sys"?
password:
How many attempts did it take to find the password?
attempts:
Thoughts:

Tests - not attempted
Password for sys UNTESTED
Attempts to get password UNTESTED
Reflection UNTESTED

Online | Password Guessing | Custom Wordlists

New information has arisen: the password policy for services specifies that passwords must be a minimum of 6 characters, and must have at least 1 alphanumeric character.

The pw-inspector tool, which is part of the hydra toolset, can be used to create a custom password dictionary by filtering out passwords which don't match a profile. It is useful for reducing the size of password wordlist files.

Use pw-inspector to create a new password wordlist file /home/kali/rockyou6-8.txt. Base it on the original rockyou.txt file, but reduce the wordlist to only contain passwords between 6 and 8 characters long and with at least 1 lowercase character.

Run the hydra attack again, to recover the "sys" user's password. It should take fewer attempts than previously. Remember to include the flags for a blank password... Give it a few minutes...

How many attempts did it take to find the password?
attempts:

Tests - not attempted
Attempts to get password UNTESTED

Question 5: Target 1 - Shutdown

THIS BUTTON IS ONLY NEEDED IF TARGET MACHINE IS RUNNING BUT BECOMES UNRESPONSIVE OR DAMAGED. That is rare. You can also use this button if you are finished with the tutorial and simply want to shutdown all the targets.

Tests - not attempted
Script ready UNTESTED
Power Off Target Machines UNTESTED

Linuxzoo created by Gordon Russell.
@ Copyright 2004-2025 Edinburgh Napier University