Pentest week 6, hunter2

Penetration testing week 6

This week on the course agenda is password cracking with hashcat and overall how to crack passwords for different services and files.

Links to exercise sections

z) Reading/listening/video summary

Taylor et al 2018: The Art of Hacking: Hacking User Credentials

  • Encrypt passwords and limit access to only those who truly need it to stay safer
    • salt the hashes to make cracking harder
    • two-factor authentication makes exploitation of cracked and found passwords very difficult
  • Many machines and services are running with the default passwords that can be searched for easily
  • Credentials can for example be sniffed, captured with a MITM attack or bruteforced
  • Passwords are hashed and can be bruteforced from the hash by trying to hash different cleartext credentials
    • using GPUs makes cracking very fast
  • Many wordlists are public that make cracking common passwords easy
  • Common tools
    • John The Ripper
    • hashcat

0xfd: HTB: Union

  • A Linux machine
  • nmap scan found http port open
  • website has a single text input form
  • gives a link to another similar page
  • directory enumeration fives no useful results
  • one form seems to be vulnerable for injection but is filtered
  • union injection works
    • a flag is found in db that opens ssh port when submitted
  • SQL has read-file permissions so it can be used to read /etc/passwd and website source files
    • one file has credentials that work for ssh
    • user flag is now found
  • one page has command injection vulnerability through a request header
    • create a reverse-shell as another user
    • user has sudo privileges
    • root flag now accessible

a) Creating and cracking hashes

The task is to create three hashes with different programs and then crack them with hashcat and a selfmade small dictionary. I'll use

  • SHA512 (mode: 1700)
  • md5 (mode: 0)
  • bcrypt (mode: 3200)

I made the md5 and bcrypt hashes with a python oneliner and the sha512 hash with the sha512sum command-line tool.


I then ran hashcat once for each hash with the corresponding mode with a very short 5 line list of passwords.




b) Hydra against ssh

Before starting to use hydra anywhere I read a bit from the manpage. The options I need to run it are

  • target: attack target
  • service: service protocol to attack over
  • -l or -L: login string or file to try
  • -p or -P: password string or file to try

I started my Metasploitable 2 machine on the VBox host-only network and copied a small list of passwords and added the known password for msfadmin into it somewhere so that I could make sure it works right. I ran hydra with hydra -l msfadmin -P passlist.txt ssh:// and after 4 minutes I got the results. The credentials were found! Though this seemed really slow so I think cracking over ssh is not really worth it if you're in a hurry, or even if you're not.


c) Bruteforcing HTML forms

The form that I will be trying to crack is the login form of DVWA of Metasploitable 2. I will test bruteforcing the default user (admin) with a small wordlist that actually contains the correct password to see if I can get a response of a successful login.


I first took the POST request from history and from the right-click menu chose attack/fuzzing.


Then I chose the value to modify and added the wordlist to be used.


I added the option to follow redirects so that I could get the response from the landing page after a successful login.


I then ordered the requests by response body size and one stood out that was then the right password.


d) Making a wordlist

For making a wordlist based on a website I found cewl after some googling. I will be trying to make a wordlist out of my blog site by running it locally and running the script cewl -v --lowercase -w list.txt.

  • the -v flag gives verbose output during runtime
  • the --lowercase flag makes all retrieved words lowercase
  • the -w flag writes the output to a file

This produced a 50 word long list.


e) Cracking zip-password protection

Before trying to crack a zipfile password I have to create the file. I create some files with something inside as I found out that this does not work with empty files.

echo -n 'aslfkjafdsgoiuahlsdfkgjhasoidfgbalsdfjhkgyaoskdfngbalksdjgadsfg' > file.txt
for i in `seq 1 10`; do cat file.txt > file$i.txt; done
zip -e ./* #password=changelater

Now I used zip2john, a preinstalled tool on Kali to generate a hashfile that I could then start cracking: zip2john > hash.txt.


I then ran johnjohn --wordlist='/usr/share/wordlists/fasttrack.txt' hash.txt and the password was cracked.


f) PDFCrack

For this task I went online and added a password from rockyou.txt to a pdf file. Then I used this python script to extract a hash from the pdf so that I could start cracking it.


Now that I had the hashcat mode and the hash I could just start cracking. I just ran hashcat with mode 10500 and the rockyou wordlist and it was cracked in no time.


g) HTB machines

My take on the HTB machine Secret can be found here.