Juuso Kalliomäki
BlogGitHub

Pentest week 6, hunter2

Penetration testing week 6

This week on the course agenda is password cracking with hashcat and overall how to crack passwords for different services and files.

Links to exercise sections

z) Reading/listening/video summary

Taylor et al 2018: The Art of Hacking: Hacking User Credentials

  • Encrypt passwords and limit access to only those who truly need it to stay safer
    • salt the hashes to make cracking harder
    • two-factor authentication makes exploitation of cracked and found passwords very difficult
  • Many machines and services are running with the default passwords that can be searched for easily
  • Credentials can for example be sniffed, captured with a MITM attack or bruteforced
  • Passwords are hashed and can be bruteforced from the hash by trying to hash different cleartext credentials
    • using GPUs makes cracking very fast
  • Many wordlists are public that make cracking common passwords easy
  • Common tools
    • John The Ripper
    • hashcat

0xfd: HTB: Union

  • A Linux machine
  • nmap scan found http port open
  • website has a single text input form
  • gives a link to another similar page
  • directory enumeration fives no useful results
  • one form seems to be vulnerable for injection but is filtered
  • union injection works
    • a flag is found in db that opens ssh port when submitted
  • SQL has read-file permissions so it can be used to read /etc/passwd and website source files
    • one file has credentials that work for ssh
    • user flag is now found
  • one page has command injection vulnerability through a request header
    • create a reverse-shell as another user
    • user has sudo privileges
    • root flag now accessible

a) Creating and cracking hashes

The task is to create three hashes with different programs and then crack them with hashcat and a selfmade small dictionary. I'll use

  • SHA512 (mode: 1700)
  • md5 (mode: 0)
  • bcrypt (mode: 3200)

I made the md5 and bcrypt hashes with a python oneliner and the sha512 hash with the sha512sum command-line tool.

hashes

I then ran hashcat once for each hash with the corresponding mode with a very short 5 line list of passwords.

md5

bcrypt

sha512

b) Hydra against ssh

Before starting to use hydra anywhere I read a bit from the manpage. The options I need to run it are

  • target: attack target
  • service: service protocol to attack over
  • -l or -L: login string or file to try
  • -p or -P: password string or file to try

I started my Metasploitable 2 machine on the VBox host-only network and copied a small list of passwords and added the known password for msfadmin into it somewhere so that I could make sure it works right. I ran hydra with hydra -l msfadmin -P passlist.txt ssh://192.168.56.103 and after 4 minutes I got the results. The credentials were found! Though this seemed really slow so I think cracking over ssh is not really worth it if you're in a hurry, or even if you're not.

hydra

c) Bruteforcing HTML forms

The form that I will be trying to crack is the login form of DVWA of Metasploitable 2. I will test bruteforcing the default user (admin) with a small wordlist that actually contains the correct password to see if I can get a response of a successful login.

login

I first took the POST request from history and from the right-click menu chose attack/fuzzing.

fuzz

Then I chose the value to modify and added the wordlist to be used.

fuzz-list

I added the option to follow redirects so that I could get the response from the landing page after a successful login.

redirects

I then ordered the requests by response body size and one stood out that was then the right password.

fuzz-done

d) Making a wordlist

For making a wordlist based on a website I found cewl after some googling. I will be trying to make a wordlist out of my blog site by running it locally and running the script cewl -v --lowercase http://192.168.56.1:3000 -w list.txt.

  • the -v flag gives verbose output during runtime
  • the --lowercase flag makes all retrieved words lowercase
  • the -w flag writes the output to a file

This produced a 50 word long list.

cewl

e) Cracking zip-password protection

Before trying to crack a zipfile password I have to create the file. I create some files with something inside as I found out that this does not work with empty files.

echo -n 'aslfkjafdsgoiuahlsdfkgjhasoidfgbalsdfjhkgyaoskdfngbalksdjgadsfg' > file.txt
for i in `seq 1 10`; do cat file.txt > file$i.txt; done
zip -e secret.zip ./* #password=changelater

Now I used zip2john, a preinstalled tool on Kali to generate a hashfile that I could then start cracking: zip2john secret.zip > hash.txt.

zip-hash

I then ran johnjohn --wordlist='/usr/share/wordlists/fasttrack.txt' hash.txt and the password was cracked.

zip-cracked

f) PDFCrack

For this task I went online and added a password from rockyou.txt to a pdf file. Then I used this python script to extract a hash from the pdf so that I could start cracking it.

pdf-hash

Now that I had the hashcat mode and the hash I could just start cracking. I just ran hashcat with mode 10500 and the rockyou wordlist and it was cracked in no time.

pdf-cracked

g) HTB machines

My take on the HTB machine Secret can be found here.

Sources