Password Attacks

Press this button to ready your machine for running with the virtual machine targets. If your machine is reset or you reboot then you may have to press this button again.

Note that this target can take (quite) a few minutes to boot, as it has many processes running many services.

You can use the echo command piped to md5sum to give you the md5 version of whatever string you like, such as creating an md5 of the string "mycode" by doing:

echo -n mycode | md5sum | cut -f1 -d" "

What is the md5 encoding of the string "password"? encoding:

How is the md5 encoded, and how many bits does this represent?

Encoding: Binary ASCII Decimal Hex Base64 Base128 Baccus Normal Form
bits:

Create a file called hex.py in /home/kali/ with the following EXACT contents.

#!/usr/bin/python3
import hashlib
import sys

dictionary = ["mycode","pass","password","secret","magic","tasty"]

count=1
for i in dictionary:
  if (hashlib.md5(i.encode('ascii')).hexdigest() == sys.argv[1]):
    print("Match after",count,"tries! The password is",i)
  count+=1

Make the file executable by doing

chmod +x hex.py

This command, ./hex.py, takes 1 parameter. This is a hex encoded md5 password. Try running ./hex.py with the md5 hex from the question above where you calculated the md5 of "password".

How many tries did it take to crack the code.
tries:

Extend the search to try the dictionary words in hex.py but with the numbers 0-9 appended to them. So edit hex.py, and replace all lines after "count=1" with: line add:

for extra in [""] + list(range(0,9)):
 for i in dictionary:
  if (hashlib.md5(str(i+str(extra)).encode('ascii')).hexdigest() == sys.argv[1]):
    print("Match after",count,"tries! The password is",i+str(extra))
  count+=1

Now try and break db0edd04aaac4506f7edab03ac855d56.

How many tries did it take to crack the code.
tries:

Extend the search to try the dictionary words in hex.py but with the numbers 0-999 appended to them. So edit hex.py, and change

for extra in [""] + list(range(0,9)):

to

for extra in [""] + list(range(0,999)):

Now try and break 3bf6cea68a85bf6104092fbbcdf9aea3

What is the password?
password:
How many tries did it take to crack the code.
tries:

Assuming that you had a small dictionary of 20 words, and looked at the permutations of the password being any one of those words, either as it is or with numbers ranging from 0 to 9999, then consider the implications of this.

How many permutations would that be? permutations:

Consider the following:
A - extra complexity, permutations, case, dictionaries will not slow it down much.
B - huge ever expanding dictionaries and permutations do not scale.
C - All this needs is more memory to make it better.
D - Doubling the CPU speed makes this approach scalable.
E - Different approaches are needed for large search spaces.


Which of these is most true? A B C D E A,C,D B,E All of the above None of the above

Pressing the button here will create a password scenario for you to attempt. It will create /home/kali/example1.sam

John The Ripper can be used to break a password of a windows SAM file.

First locate john's password.lst file. Use the find command for this. Note the "lst" is "L S T", and not a "one". If you find more than one, choose the SHORTEST path.

Full path of password.lst:

Examine the example1.sam file. What hashes does it contain?

Hash types: This is a Linux crypt password file This is a Linux sha 256 password file This is a Linux sha 512 password file This is a Windows LM only file This is a Windows NTLM only file This is a Windows LM and NTLM file

Crack with John The Ripper the example1.sam file. Use it in "wordlist" mode, and use the full path of password.lst. Use the "lm" format option, as this is faster to crack... Apply "john" to example1.sam.

Use "john --show example1.sam" and evaluate its attempt. Passwords are CASE SENSITIVE in the checks!

What is the password of "gordon":
What is wrong with the password of "Administrator": Failed to work out anything Password is PASSWOR??????? Only cracked the first LM half Only cracked the second LM half Full of unprintable characters Password is locked Password is E52CAC67419A9A22664345140A852F61

Switch to John The Ripper in "incremental" mode, and apply it to example1.sam. Use the show mode and identify the password of Administrator. Passwords are CASE SENSITIVE in the checks!

What is the password of "administrator":

Now focus on the target you started at the beginning of the tutorial. The target can take 5 minutes to warm up, but should have had enough time now. Press the test button to see if it is running fully before continuing.

Target 1 lies somewhere in 192.168.1.1 - 192.168.1.254. This time use "ip route show" and find out the device name on your machine which would be used to handle packets going to target 1.

Target network device:

What is your machine's IP number on the target network?

Your IP:

Use nmap to sweep the target network, and identify the IP address of target 1.

Target IP:

Scan port 22 of the target and identify the application version running on that port.

SSH Server version?: None Running Actually an Apache server port Actually a Telnet server port OpenSSL 4.5p1 OpenSSH 4.6p1 OpenSSH 4.7p1 OpenSSH 5.7p1 OpenSSH 2.0

We are going to use Hydra, but first we need to set up a password file for it. We are going to use /usr/share/wordlists/rockyou.txt.gz. However that file is currently compressed using gzip.

Uncompress rockyou.txt.gz by doing:

zcat /usr/share/wordlists/rockyou.txt.gz > /home/kali/rockyou.txt

Do "wc -l" on the file and see how many lines (passwords) are in the file.
rockyou length:

In hydra we are going to do an ssh scan. However the target uses authentication algorithms which are not switched on by default. To solve this we are going to need to switch those on. The check button does this for you. These settings could be lost if you reboot, so bear in mind that this button needs to be pressed every time you boot.

Hydra needs a few flags in order to run fully and make the check buttons happy. Research the flags discussed below and ensure you have the right ones ready.

You are going to be attacking our target machine with an ssh protocol attack. What will that part of the command line look like:
-- 192.168.1.1 ssh 192.168.1.255 ssh 192.168.1.1 sshprotocol 192.168.1.1 --ssh

You want to see the username and password combinations, but not have to watch the handshake. What flag is that?
-- -v -V -verbose -handshake

You want to use the /home/kali/rockyou.txt file as the password list. What is the flag for that?
-- -u /home/kali/rockyou.txt -U /home/kali/rockyou.txt -p /home/kali/rockyou.txt -P /home/kali/rockyou.txt

You will want to specify a login name to use in combination with the password list. Imagine you are going to try and break the user account "user". What flag is that?
-- -L user -l user -l WORKGROUP/user -L user:usergroup

You want to also try the login name as a password, and to also try an empty (null) password, in addition to the password list. What is the flag for that?
-- -e n -e ns -e s -e nsr

You dont want to overload the target with requests. What is the command line to run 4 task requests in parallel?
-- -t 16 -t 1 -t 4 -taskmax 4

Use all the flags identified above, and perform a single target attack against target 1. Use the ssh protocol Show attempts...

Hack the "user" username. Use a password list ("/home/kali/rockyou.txt"). Try both null and the username as the password. Go to Tuning and set tasks to 4.

If the scan takes more than 10s then you have probably made an error.

What is the password for "user"?
password:

Repeat the process, but this time crack the user account "klog". Use the same general flags.

If the scan takes more than 10s then you have probably made an error.

What is the password for "klog"?
password:

Perform a similar scan, but this time try and break the "sys" user. If for some reason the attempts go past 300 then stop the attempt and try again (maybe a timeout or something). If you dont include the flags for a blank password and using the username as a password you wont get the count right in the check button... Do give it a few minutes...the answer is found in no more than 300 attempts.

What is the password for "sys"?
password:
How many attempts dit it take to find the password?
attempts:
Thoughts: Easily crack anyones password A large password file would take seconds Good for brief checks using short lists Good for in-depth scanning of a whole enterprise A fast and large scan Would never overload a network

THIS BUTTON IS ONLY NEEDED IF TARGET MACHINE IS RUNNING BUT BECOMES UNRESPONSIVE OR DAMAGED. That is rare. You can also use this button if you are finished with the tutorial and simply want to shutdown all the targets.