Cracking passwords

 

Description

The lab is divided into two main parts:

  • Network authentication cracking

  • Bruteforce and password cracking

In the first part of the lab you will have to use different network authentication cracking techniques and tools against services available on the target machine.

Once valid credentials have been found, it is time to download the passwords stored on the remote system and use John the Ripper to crack them!

Goal

The final goal of the lab is to retrieve the passwords of at least ten users on the target machine!

Tools

The best tools for this lab are:

  • Network authentication cracking tools such as Hydra

  • Cracking tools such as John the Ripper

Steps

Find alive hosts on the network

Since we do not have any information about the remote network and the hosts attached to it, the first step is to find a possible target!

Port scan and service detection

You should have found an alive host on the network. Get as much information as you can about it!

Bruteforce the service authentication

It is time to get our hands dirty. Run a network authentication cracker tool in order to discover valid credentials for the following two services: SSH and Telnet.

We suggest you use the following two wordlists:

  • Username:

    • /usr/share/ncrack/minimal.usr

      • If you do not have this in your system, please download it from here.

  • Password:

For ease of use, you can save those files in the aforementioned locations.

Download and crack the local password on the system

You should now have SSH access to the remote machine. Download the files needed to crack the local passwords. Find at least ten passwords!

SOLUTIONS

Please go ahead ONLY if you have COMPLETED the lab or you are stuck! Checking the solutions before actually trying the concepts and techniques you studied in the course will dramatically reduce the benefits of a hands-on lab!

Solutions steps

Find alive hosts on the network

We first need to find out what the remote network is. We can do this by running ifconfig and checking the IP address of our tap0 interface.

As we can see, the target network is 192.168.99.0/24. Let's run nmap in order to discover the available hosts on the network:

The previous screenshot shows that the only host alive in the network is 192.168.99.22 (besides our host: 192.168.99.16).

Port scan and service detection

Let us target the host found in the previous step and check which ports are open and which services it is running.

From the nmap output, we can see that the host has two services enabled: SSH and Telnet.

Bruteforce the service authentication

It is time to get our hands dirty! Let us try to bruteforce both telnet and SSH in order to find any working pair of username and password. To do this we are going to use Hydra.

For the telnet service, let us use the following command and see what we get:

hydra -L /usr/share/ncrack/minimal.usr -P /usr/share/seclists/Passwords/rockyou-10.txt telnet://192.168.99.22

Before you use minimal.usr, check for any unnecessary entries and remove them.

Specifically, if you are using minimal.usr for the first time, it may contain the following entry at the beginning of the list:

# minimal list of very common usernames

If this entry exists, remove it; otherwise Hydra will not work as expected.
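The header-comment problem above applies to any wordlist: a comment or blank line that survives in the file is submitted as a bogus guess, and with a username list it can also throw off the tool's counting. The following shell snippet is an added example, not part of the lab and not a Hydra feature, that checks whether a list starts with a comment line and writes a cleaned copy with comment lines, blank lines, carriage returns and duplicates removed. The function names are chosen here and the sample list is constructed; the real minimal.usr contains more entries.

```shell
#!/bin/sh
# Added example, not part of the lab page: sanitize a username or password list
# before handing it to a cracker, so that a header comment such as
# "# minimal list of very common usernames" is not tried as a username.
# clean_wordlist and has_comment_header are names chosen here, not Hydra options.

# has_comment_header FILE : exit status 0 if the first line starts with '#'.
has_comment_header() {
    head -n 1 "$1" | grep -q '^#'
}

# clean_wordlist INPUT OUTPUT : write INPUT to OUTPUT without comment lines,
# blank lines, CR line endings or duplicates (first occurrence kept, order
# preserved); print the number of entries written.
clean_wordlist() {
    in="$1"
    out="$2"
    tr -d '\r' < "$in" | awk '!/^#/ && NF && !seen[$0]++' > "$out"
    wc -l < "$out" | tr -d ' '
}

# Demonstration on a constructed list (the real minimal.usr has more entries).
demo() {
    tmp=$(mktemp)
    printf '# minimal list of very common usernames\nroot\nadmin\n\nroot\nuser\r\n' > "$tmp"
    if has_comment_header "$tmp"; then
        echo "comment header found in $tmp, cleaning it"
    fi
    n=$(clean_wordlist "$tmp" "$tmp.clean")
    echo "$n usable entries written to $tmp.clean:"
    cat "$tmp.clean"
    rm -f "$tmp" "$tmp.clean"
}

demo
```

Run the cleaned copy through Hydra's -L or -P instead of the original file; keeping the original untouched means the check can be repeated after the list is updated.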

As we can see in the following screenshot, we are able to find some valid username/password pairs. For our testing purposes, they are enough, so we can stop the bruteforce.

Let us confirm that at least one of these two credentials works with the following command:

Let us now focus our test on the SSH service. In the same way we did with telnet, let us use Hydra to bruteforce the SSH service with the following command:

hydra -L /usr/share/ncrack/minimal.usr -P /usr/share/seclists/Passwords/rockyou-15.txt 192.168.99.22 ssh

If you use older versions of Hydra, please add -t 8 to the previous command. This option sets the number of parallel tasks to 8.

As we can see in the results, Hydra found valid credentials for the SSH service.
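Seen from the target, a Hydra run like this is a burst of failed SSH logins from a single source in a few seconds, because OpenSSH writes one "Failed password ... from <ip>" line per guess. The following shell script is an added example, not part of the lab and not Hydra output, that counts failures per source address in sshd log lines and flags sources at or above a threshold; it also reports the higher-value case of a successful login from a source that had already failed repeatedly, which is what a landed guess looks like. The log lines are constructed for the demo (192.168.99.16 is the attacking host from the lab), and the function names and threshold are assumptions.

```shell
#!/bin/sh
# Added example, not part of the lab page: the defender's view of a Hydra run
# against SSH. OpenSSH logs one "Failed password ... from <ip>" line per guess,
# so a brute-force attempt shows up as many failures from one source in a short
# time. Function names, the threshold and the sample lines are constructed here.

# write_sample_log FILE : constructed sshd log lines for the demo (192.168.99.16
# is the attacking host from the lab; 10.0.0.5 is a user who mistyped once).
write_sample_log() {
    cat > "$1" <<'EOF'
Apr 12 10:01:01 target sshd[1201]: Failed password for invalid user admin from 192.168.99.16 port 41022 ssh2
Apr 12 10:01:01 target sshd[1202]: Failed password for root from 192.168.99.16 port 41023 ssh2
Apr 12 10:01:02 target sshd[1203]: Failed password for invalid user guest from 192.168.99.16 port 41024 ssh2
Apr 12 10:01:02 target sshd[1204]: Accepted password for user from 192.168.99.16 port 41025 ssh2
Apr 12 10:05:30 target sshd[1300]: Failed password for alice from 10.0.0.5 port 50011 ssh2
Apr 12 10:05:40 target sshd[1301]: Accepted password for alice from 10.0.0.5 port 50012 ssh2
EOF
}

# flag_bruteforce LOGFILE THRESHOLD : print "IP COUNT" for every source with
# COUNT >= THRESHOLD failed SSH logins, sorted by IP.
flag_bruteforce() {
    awk -v thr="$2" '
        /: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fail[$(i+1)]++
        }
        END { for (ip in fail) if (fail[ip] >= thr) print ip, fail[ip] }
    ' "$1" | sort
}

# flag_success_after_failures LOGFILE THRESHOLD : the higher-value alert, a
# successful login from a source that had already failed >= THRESHOLD times
# earlier in the log (the guess landed). Prints "IP FAILURES_BEFORE_SUCCESS".
flag_success_after_failures() {
    awk -v thr="$2" '
        /: (Failed|Accepted) password for/ {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i+1)
            if ($0 ~ /Failed password/) fail[ip]++
            else if (fail[ip] >= thr) hit[ip] = fail[ip]
        }
        END { for (ip in hit) print ip, hit[ip] }
    ' "$1" | sort
}

demo() {
    log=$(mktemp)
    write_sample_log "$log"
    echo "sources with 3 or more failed logins:"
    flag_bruteforce "$log" 3
    echo "successful login after 3 or more failures:"
    flag_success_after_failures "$log" 3
    rm -f "$log"
}

demo
```

On a real host, point the functions at /var/log/auth.log (Debian-style) or at the output of journalctl -u ssh; the threshold of three is deliberately low for the demo and would be raised, or combined with a time window, in production.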

Once again let us verify that these credentials work on the remote system:

Download and crack the local password on the system

Now that we have SSH access to the machine, we can try to crack the passwords of the local user accounts. To do this we first need to download two files from the victim: passwd and shadow.

In order to download these two files we can use the scp (secure copy) command as follows:

Now that we have these files on our local machine, we can use John the Ripper and unshadow to crack the user passwords. First let us use unshadow to get the password hashes:

Now that we have the password hashes stored in the file named to_crack, we can use John the Ripper to crack them:
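Before starting John it is worth knowing which hash algorithms the merged file actually contains, since both the cracking time and the account's exposure differ greatly between md5crypt or traditional DES on one side and sha512crypt, bcrypt or yescrypt on the other. The following shell function is an added example, not part of the lab and not John's own output, that classifies each line of an unshadow-style file by the $id$ prefix of its hash field and counts the accounts whose hashes are weak or empty; these are the ones an administrator should fix first. The sample lines are constructed with placeholder salts and hashes, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the lab page: classify the hashes in an unshadow-style
# file (user:hash:uid:gid:gecos:home:shell) by the $id$ prefix of the hash field.
# Function names are chosen here; salts and hashes in the sample are placeholders.

# write_sample_hashes FILE : constructed lines in the format unshadow produces.
write_sample_hashes() {
    cat > "$1" <<'EOF'
root:$6$saltsalt$PLACEHOLDERHASH:0:0:root:/root:/bin/bash
alice:$1$saltsalt$PLACEHOLDERHASH:1000:1000:Alice:/home/alice:/bin/bash
bob:!:1001:1001:Bob:/home/bob:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
carol::1002:1002:Carol:/home/carol:/bin/bash
dave:$y$j9T$saltsalt$PLACEHOLDERHASH:1003:1003:Dave:/home/dave:/bin/bash
EOF
}

# audit_hashes FILE : print "user label" per line. Labels marked WEAK or
# EMPTY-PASSWORD are the accounts an administrator should fix first: md5crypt
# and traditional DES crypt are fast to attack, and an empty hash field means
# no password at all. A '!' or '*' prefix means password login is disabled.
audit_hashes() {
    awk -F: '{
        h = $2
        if (h == "")                  label = "EMPTY-PASSWORD"
        else if (h ~ /^[!*]/)         label = "locked"
        else if (h ~ /^\$y\$/)        label = "yescrypt"
        else if (h ~ /^\$6\$/)        label = "sha512crypt"
        else if (h ~ /^\$5\$/)        label = "sha256crypt"
        else if (h ~ /^\$2[abxy]?\$/) label = "bcrypt"
        else if (h ~ /^\$1\$/)        label = "md5crypt-WEAK"
        else if (length(h) == 13)     label = "descrypt-WEAK"
        else                          label = "unknown"
        print $1, label
    }' "$1"
}

# count_weak FILE : number of accounts labelled WEAK or EMPTY-PASSWORD.
count_weak() {
    audit_hashes "$1" | awk '/WEAK|EMPTY/ { c++ } END { print c + 0 }'
}

demo() {
    f=$(mktemp)
    write_sample_hashes "$f"
    audit_hashes "$f"
    echo "accounts needing attention: $(count_weak "$f")"
    rm -f "$f"
}

demo
```

Running audit_hashes on the to_crack file gives the same picture John prints when it loads the hashes, but as a per-account list that can be handed to the system owner alongside the cracked passwords.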
