Password Attacks

Press this button to ready your machine for running with the virtual machine targets. If your machine is reset or you reboot then you may have to press this button again.

Note that this target can take (quite) a few minutes to boot, as it has many processes running many services.

You can use the echo command piped to md5sum to give you the md5 version of whatever string you like, such as creating an md5 of the string "mycode" by doing:

echo -n mycode | md5sum | cut -f1 -d" "

What is the md5 encoding of the string "password"? encoding:

How is the md5 encoded, and how many bits does this represent?

Encoding: Binary ASCII Decimal Hex Base64 Base128 Baccus Normal Form
bits:

Create a file called hex.py in /home/kali/ with the following EXACT contents.

#!/usr/bin/python3
import hashlib
import sys

dictionary = ["mycode","pass","password","secret","magic","tasty"]

count=1
for i in dictionary:
  if (hashlib.md5(i.encode('ascii')).hexdigest() == sys.argv[1]):
    print("Match after",count,"tries! The password is",i)
  count+=1

Make the file executable by doing

chmod +x hex.py

This command, ./hex.py, takes 1 parameter. This is a hex encoded md5 password. Try running ./hex.py with the md5 hex from the question above where you calculated the md5 of "password".

How many tries did it take to crack the code.
tries:

Extend the search to try the dictionary words in hex.py but with the numbers 0-9 appended to them. So edit hex.py, and replace all lines after "count=1" with: line add:

for extra in [""] + list(range(0,9)):
 for i in dictionary:
  if (hashlib.md5(str(i+str(extra)).encode('ascii')).hexdigest() == sys.argv[1]):
    print("Match after",count,"tries! The password is",i+str(extra))
  count+=1

Now try and break db0edd04aaac4506f7edab03ac855d56.

How many tries did it take to crack the code.
tries:

Extend the search to try the dictionary words in hex.py but with the numbers 0-999 appended to them. So edit hex.py, and change

for extra in [""] + list(range(0,9)):

to

for extra in [""] + list(range(0,999)):

Now try and break 3bf6cea68a85bf6104092fbbcdf9aea3

What is the password?
password:
How many tries did it take to crack the code.
tries:

Assuming that you had a small dictionary of 20 words, and looked at the permutations of the password being any one of those words, either as it is or with numbers ranging from 0 to 9999, then consider the implications of this.

How many permutations would that be? permutations:

Consider the following:
A - extra complexity, permutations, case, dictionaries will not slow it down much.
B - huge ever expanding dictionaries and permutations do not scale.
C - All this needs is more memory to make it better.
D - Doubling the CPU speed makes this approach scalable.
E - Different approaches are needed for large search spaces.


Which of these is most true? A B C D E A,C,D B,E All of the above None of the above

Pressing the button here will create a password scenario for you to attempt. It will create a Windows SAM registry file /home/kali/example1.sam. This contains the local hashed passwords which we can try to recover.

Offline | Password Cracking | John

John The Ripper can be used to recovery passwords from a Windows SAM file.

We will use a dictionary attack, so we need to prepare a dictionary/wordlist of passwords to use. Locate the default wordlist password.lst file. Use the find or locate command to locate the wordlist file. Note the "lst" is "L S T", and not a "one". If you find more than one, choose the SHORTEST path.

Double check this by using the Password Attacks > Profiling and Wordlists > Wordlists menu item in Kali.

Full path of password.lst:

Use "wc -l" to review how many passwords are in the wordlist file.
dictionary size:

We now need to evaluate the hash type/strength. Examine the example1.sam file. Which type of password hashes does it contain?

Hash types: This is a Linux crypt password file This is a Linux sha 256 password file This is a Linux sha 512 password file This is a Windows LM only file This is a Windows NTLM only file This is a Windows LM and NTLM file

Use the john tool to recover passwords from the hashed passwords in the example1.sam file. Use john in "wordlist" mode, and use the full path of password.lst file as the password dictionary/wordlist. Specifiy the hash format to be "NT" to target the Windows NTLM hashes in the SAM file.

What is the NTLM password of "gordon":

The second NTLM password has not been found, as it is not be in the john default password wordlist.

To try to brute force the NTLM password (so keep the format NT in the command options), run john in "incremental" mode against the example1.sam file. With no configuration except the NTLM format option, john creates password guesses for all ASCII char combinations, for 95 printable character passwords. Allow the attack to run for a minute or two, and then stop with CTRL+C is it does not recover the password.

While the brute force password attack is running, try to calculate the key space, and the time to crack all possible password guesses. Calculate the totoal passwords/key space for all ASCII char combination passwords, with 95 ASCII printable characters, and a 6 character password. If 200 guesses per second, then how many days to complete attack? Use commas in your answers!

Now use john to recover passwords for the LANMAN hashed passwords in the same example1.sam file. Use john in "wordlist" mode with the password.lst file as before. Specifiy the hash format to be "LM" to target the Windows LANMAN hashes in the SAM file. This should be faster to crack the hashes as the algorithm is rather weak...

Use "john --show example1.sam" and evaluate its attempt. Passwords are CASE SENSITIVE in the checks!

What is the LM password of "gordon":
What is wrong with the password of "Administrator": Failed to work out anything Password is PASSWOR??????? Only cracked the first LM half Only cracked the second LM half Full of unprintable characters Password is locked Password is E52CAC67419A9A22664345140A852F61

Switch to John in brute force "incremental" mode again, and run it against the LM hashes in the example1.sam file. Use the show mode and identify the password of Administrator. Passwords are CASE SENSITIVE in the checks!

What is the LM hash password of "administrator":

Now focus on the target you started at the beginning of the tutorial. The target can take a couple of minutes to warm up, but should have had enough time now. Press the test button to check if it is running fully before continuing.

Target 1 lies somewhere in 192.168.1.1 - 192.168.1.254. This time use "ip route show" and find out the device name on your machine which would be used to handle packets going to target 1.

Target network device:

What is your machine's IP number on the target network?

Your IP:

Use nmap to sweep the target network, and identify the IP address of target 1.

Target IP:

Scan port 22 of the target and identify the application version running on that port.

SSH Server version?: None Running Actually an Apache server port Actually a Telnet server port OpenSSL 4.5p1 OpenSSH 4.6p1 OpenSSH 4.7p1 OpenSSH 5.7p1 OpenSSH 2.0

Online | Password Guessing | Hydra

We are going to use Hydra, but first we need to set up a password file for it. We are going to use /usr/share/wordlists/rockyou.txt.gz. However that file is currently compressed using gzip.

Uncompress rockyou.txt.gz by doing:

zcat /usr/share/wordlists/rockyou.txt.gz > /home/kali/rockyou.txt

How many passwords are in the rockyou.txt wordlist file.
rockyou length:

using hydra we are going to attack the ssh service. However the target uses password hash algorithms which are not switched on by default. To solve this we are going to need to switch those on. The check button does this for you. These settings could be lost if you reboot, so bear in mind that this button needs to be pressed every time you boot.

Hydra needs a few flags in order to run fully and make the check buttons happy. Research the flags discussed below and ensure you have the right ones ready.

You are going to be attacking our target machine with an ssh protocol attack. What will that part of the command line look like:
-- 192.168.1.1 ssh 192.168.1.255 ssh 192.168.1.1 sshprotocol 192.168.1.1 --ssh

You want to see the username and password combinations, but not have to watch the handshake. What flag is that?
-- -v -V -verbose -handshake

You want to use the /home/kali/rockyou.txt file as the password list. What is the flag for that?
-- -u /home/kali/rockyou.txt -U /home/kali/rockyou.txt -p /home/kali/rockyou.txt -P /home/kali/rockyou.txt

You will want to specify a login name to use in combination with the password list. Imagine you are going to try and break the user account "user". What flag is that?
-- -L user -l user -l WORKGROUP/user -L user:usergroup

You want to also try the login name as a password, and to also try an empty (null) password, in addition to the password list. What is the flag for that?
-- -e n -e ns -e s -e nsr

You dont want to overload the target with requests. What is the command line to run 4 task requests in parallel?
-- -t 16 -t 1 -t 4 -taskmax 4

Use parameters identified above, to perform a single target attack against target 1, against the ssh protocol, showing the password guessing attempts...

The password guessing attack should be against the "user" username, and use the rockyou password wordlist. Set the number of paralell tasks to 2.

Let's time our attempt, and to start only run for 1 minute. Set a stopwatch on your phone. If useful you can use the date command before and after your attack, or open another terminal window and run the following to show the seconds passing in Kali:

  while true; do printf '%s\r' "$(date)"; done

Run the scan for 1 minute, and if the user is not found, stop Hydra with CTRL+C. From the Hydra output review how many password guesses have been sent in 1 minute approx?

Now, run the attack again, but try both null and the username as the password, using -e ns.

What is the password for "user"?
password:

Repeat the process, but this time target the user account "klog". Use the same general flags.

Again time your attack. If it takes more than around 1 minute then you have probably made an error.

What is the password for "klog"?
password:

Perform a similar attack, but this time try and recover the "sys" user's password. If for some reason the attempts go past 300 then stop the attempt and try again (maybe a timeout or something). If you dont include the flags for a blank password and using the username as a password you wont get the count right in the check button... Do give it a few minutes...the answer is found in no more than 300 attempts.

What is the password for "sys"?
password:
How many attempts dit it take to find the password?
attempts:
Thoughts: Easily crack anyones password A large password file would take seconds Good for brief checks using short lists Good for in-depth scanning of a whole enterprise A fast and large scan Would never overload a network

Online | Password Guessing | Custom Wordlists

New information has arisen, and the it shows the the password policy for services specifies paswords must be a min of 6 characters, and must have at least 1 alphanumeric in a password.

The pw-inspector tool which is part of the hydra toolset, can be used to create a custom password dictonary, filtering out passwords which don't match a profile. It is useful for reducing the size of password wordlist files.

Use pw-inspector to create a new password wordlist file /home/kali/rockyou6-8.txt. Based on the original rockyou.txt file, but reduce the wordlist to only contain passwords between 6 and 8 char's and with at least 1 lowercase character.

Run the hydra attack again, to recover the "sys" user's password. It should take less attempts than previously. Remmember include the flags for a blank password... Give it a few minutes...

How many attempts dit it take to find the password?
attempts:

THIS BUTTON IS ONLY NEEDED IF TARGET MACHINE IS RUNNING BUT BECOMES UNRESPONSIVE OR DAMAGED. That is rare. You can also use this button if you are finished with the tutorial and simply want to shutdown all the targets.