Chapter 8. Password attacks
Authors: Willie L. Pritchett, David De Smet
Translator: Flying dragon
License: CC BY-NC-SA 4.0
In this chapter, we will explore several ways of attacking passwords in order to gain access to user accounts. Password cracking is a task that every penetration tester needs to perform. Essentially, the least secure part of any system is the password chosen by the user. Whatever the password policy, people hate entering strong passwords or changing them regularly, and this makes passwords an easy target for attackers.
8.1 Online password attacks
In this recipe we will use the Hydra password cracker. Sometimes we have the opportunity to physically attack a Windows computer and obtain the Security Account Manager (SAM) database directly. At other times we cannot, and that is where online password attacks have the advantage.
Hydra supports many protocols, including (but not limited to) FTP, HTTP, HTTPS, MySQL, MSSQL, Oracle, Cisco, IMAP, VNC and more. Note that this attack generates a lot of noise, which increases the likelihood that you will be detected.
Getting ready
You need an intranet or Internet connection, and a computer to use as the victim.
How to do it
Let's start cracking online passwords.
1. From the Start menu, choose Applications | Kali Linux | Password Attacks | Online Attacks | hydra-gtk.
2. Now that Hydra is open, we need to set up our word lists. Click the Passwords tab. We will use a username list and a password list, so enter the location of each. At the same time, select Loop around users and Try empty password.
- Username list: /usr/share/wfuzz/wordlist/fuzzdb/wordlists-user-passwd/names/nameslist.txt
- Password list: /usr/share/wfuzz/wordlist/fuzzdb/wordlists-user-passwd/passwds/john.txt
A shortcut you can use is to click the word list box, which opens a file system window.
3. Next, we need to make some adjustments. Under Performance Options, change the number of tasks from 16 to 2. The reason is that we do not want to run so many processes that the server crashes. Although it is optional, we also select the Exit after first found pair option.
4. Last, we need to set our target. Click the Target tab and set the target and the protocol. Here we use the Metasploitable host (192.168.10.111) and the MySQL port.
5. Finally, click the Start button on the Start tab to launch the attack.
How it works
In this recipe we used Hydra to perform a dictionary attack against the target. Hydra lets us specify a target and supply a list of usernames and a list of passwords. It brute-forces the login by trying each username and password combination from the two lists.
8.2 Cracking HTTP passwords
In this recipe we will use the Hydra password cracker to crack HTTP passwords. Access to websites and web applications is usually controlled by a username and password combination, and, as with any other kind of password, users tend to choose weak ones.
Getting ready
You need an intranet or Internet connection, and a computer to use as the victim.
How to do it
Let's start cracking HTTP passwords.
1. From the Start menu, choose Applications | Kali Linux | Password Attacks | Online Attacks | hydra-gtk.
2. Now that Hydra is open, we need to set up our word lists. Click the Passwords tab. We will use a username list and a password list, so enter the location of each. At the same time, select Loop around users and Try empty password.
- Username list: /usr/share/wfuzz/wordlist/fuzzdb/wordlists-user-passwd/names/nameslist.txt
- Password list: /usr/share/wfuzz/wordlist/fuzzdb/wordlists-user-passwd/passwds/john.txt
A shortcut you can use is to click the word list box, which opens a file system window.
3. Next, we need to make some adjustments. Under Performance Options, change the number of tasks from 16 to 2. The reason is that we do not want to run so many processes that the server crashes. Although it is optional, we also select the Exit after first found pair option.
4. Last, we need to set our target. Click the Target tab and set the target and the protocol. Here we use the Metasploitable host (192.168.10.111) and the HTTP port.
5. Finally, click the Start button on the Start tab to launch the attack.
8.3 Gaining router access
In this recipe we will use Medusa to perform a brute-force attack.
Today we live in a networked society. With the arrival of online video game systems, most families have several computers, and small businesses are growing at a record rate. Routers have become the cornerstone of network connectivity. However, the number of experienced network administrators available to protect these routers has not grown, which leaves many of them vulnerable to attack.
Getting ready
You need a computer connected to the Internet or an intranet, and an available router.
How to do it
1. From the Start menu, go to Applications | Kali Linux | Password Attacks | Online Attacks | medusa. When Medusa starts, it loads its help file.
2. We now run Medusa with the options we have chosen:
medusa -M http -h 192.168.10.1 -u admin -P /usr/share/wfuzz/wordlist/fuzzdb/wordlists-user-passwd/passwds/john.txt -e ns -n 80 -F
- -M http lets us specify the module. Here we chose the HTTP module.
- -h 192.168.10.1 lets us specify the host. Here we chose 192.168.10.1 (the router's IP address).
- -u admin lets us specify the user. Here we chose admin.
- -P [location of password list] lets us specify the location of the password list.
- -e ns lets us specify additional password checks. The ns value tells Medusa to also try the username as the password and to try an empty password.
- -n 80 lets us specify the port number. Here we chose 80.
- -F stops the brute-force attack as soon as a working username and password combination is found.
3. Medusa runs and tries every username and password combination until one succeeds.
How it works
In this recipe we used Medusa to brute-force the password of the target router. The advantage of doing this is that once you have access to the router, you can change its settings so that you can get back in later, or even redirect the traffic passing through it to a location of your choice.
There's more
You can also run Medusa directly from the command line by typing the medusa command.
Depending on your situation, you can pass other options to Medusa. See the help document for details; it is displayed by simply typing medusa.
Module types
Here is the list of modules available in Medusa:
- AFP
- CVS
- FTP
- HTTP
- IMAP
- MS-SQL
- MySQL
- NetWare
- NNTP
- PCAnywhere
- Pop3
- PostgreSQL
- REXEC
- RLOGIN
- RSH
- SMBNT
- SMTP-AUTH
- SMTP-VRFY
- SNMP
- SSHv2
- Subversion
- Telnet
- VMware Authentication
- VNC
- Generic Wrapper
- Web form
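Recipes 8.1 to 8.3 all note that online guessing is noisy. The following Python script is an added example, not code from the cookbook or from Hydra or Medusa: it shows the defender's side by parsing constructed MySQL error-log and Apache access-log lines, counting failed logins per source address inside a sliding time window, and flagging a source that either trips a failure threshold or cycles through many usernames (the Loop around users pattern). The log line formats are the standard ones; the window, threshold and sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# MySQL error log entry for a rejected login, e.g.
# 2023-05-01T10:00:01.000000Z 101 [Warning] Access denied for user 'root'@'192.168.10.50' (using password: YES)
MYSQL_RE = re.compile(
    r"^(?P<ts>\S+Z) \d+ \[Warning\] Access denied for user '(?P<user>[^']*)'@'(?P<src>[^']+)'"
)
# Apache combined log entry with a basic-auth user and a 401 status.
APACHE_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "[^"]*" 401 '
)

# Constructed sample log (not real data): one Hydra-style source cycling through
# three usernames within a few seconds, plus one benign typo from another host.
SAMPLE_LOG = [
    f"2023-05-01T10:00:{i:02d}.000000Z {100 + i} [Warning] Access denied for user "
    f"'{['root', 'admin', 'msfadmin'][i % 3]}'@'192.168.10.50' (using password: YES)"
    for i in range(12)
] + [
    "2023-05-01T10:02:15.000000Z 200 [Warning] Access denied for user 'alice'@'192.168.10.77' (using password: YES)",
    '192.168.10.50 - admin [01/May/2023:10:03:00 +0000] "GET /admin HTTP/1.1" 401 381 "-" "Mozilla/4.0"',
]


def parse_line(line):
    """Return (timestamp, source address, username) for a failed login, or None."""
    m = MYSQL_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"][:19], "%Y-%m-%dT%H:%M:%S")
        return ts, m["src"], m["user"]
    m = APACHE_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
        return ts, m["src"], m["user"]
    return None


def detect_bruteforce(lines, window_s=60, max_failures=10, max_users=5):
    """Flag a source once it has max_failures failures, or attempts against
    max_users distinct usernames, inside any window_s-second window."""
    events = defaultdict(list)            # src -> [(timestamp, username)]
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, user = parsed
            events[src].append((ts, user))

    findings = {}
    window = timedelta(seconds=window_s)
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most window_s.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            burst = evs[start:end + 1]
            users = {u for _, u in burst}
            if len(burst) >= max_failures or len(users) >= max_users:
                findings[src] = {"failures": len(burst), "users": len(users)}
                break
    return findings
```

Running detect_bruteforce(SAMPLE_LOG) flags 192.168.10.50 after its tenth failure within the minute and leaves 192.168.10.77 alone; lowering max_users to 3 catches the same source on the username cycling instead.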
8.4 Password profiling
In this recipe we will learn how to profile a password before attacking it. The purpose of password profiling is to gather information about the target machine, the business and so on, so that we can build a smaller word list. In this tutorial we will use Ettercap and its ARP poisoning feature to sniff traffic.
Getting ready
This recipe requires a LAN connection.
How to do it
Let's start profiling passwords with Ettercap.
1. We begin this recipe by configuring Ettercap. First, locate its configuration file and edit it with VIM:
locate etter.conf
vi /etc/etter.conf
Note that the location may be different on your system.
2. Change ec_uid and ec_gid to 0.
3. Now we need to uncomment the IPTABLES lines. They are near the end of the file, in the LINUX section.
4. Now we start Ettercap. Use the -G option to load the graphical interface (GUI).
5. We turn on unified sniffing. Press Shift + U, or go to Sniff | Unified sniffing... in the menu bar.
6. Select the network interface.
7. Next, we scan for hosts. Press Ctrl + S, or go to Hosts | Scan for hosts in the menu bar.
8. Now we let Ettercap sniff. Press Ctrl + W, or go to Start | Start Sniffing in the menu bar.
9. Finally, we start ARP poisoning. Go to Mitm | Arp poisoning in the menu bar.
10. In the window that appears, select the Sniff remote connections option.
11. Depending on the network, we will start to see information.
12. Once we have found the information we are looking for (usernames and passwords), we shut down Ettercap. Press Ctrl + E, or go to Start | Stop sniffing in the menu bar.
13. Now we need to stop the ARP poisoning so that the network returns to normal.
How it works
In this recipe we used Ettercap to poison the network and capture the usernames and passwords travelling over it. We started by locating and modifying Ettercap's configuration file. We then launched Ettercap and used ARP poisoning to carry out a man-in-the-middle (MITM) attack. Because the traffic is redirected through our host, we can see usernames and passwords as they cross the network.
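The ARP poisoning this recipe relies on leaves a visible trace on the LAN: an IP address that was answering from one MAC address suddenly answers from another, and one MAC address starts claiming several IPs (the gateway and the victim). The Python script below is an added example, not code from the book or from Ettercap: it replays a constructed sequence of ARP replies, keeps the learned IP-to-MAC table and reports exactly those conflicts, which is the check tools such as arpwatch perform. The gateway address 192.168.10.1 and the Metasploitable host 192.168.10.111 come from the recipes above; the MAC addresses and the attacker's address 192.168.10.50 are made up.

```python
from collections import defaultdict

# Constructed ARP replies as (sender IP, sender MAC), in the order a sniffer on
# the LAN would see them. The gateway first answers from its real NIC, then a
# second MAC starts answering for both the gateway and the victim.
SAMPLE_ARP_REPLIES = [
    ("192.168.10.1",   "00:11:22:33:44:01"),   # gateway, genuine reply
    ("192.168.10.111", "00:11:22:33:44:6f"),   # Metasploitable host
    ("192.168.10.50",  "de:ad:be:ef:00:01"),   # attacker's own address
    ("192.168.10.1",   "de:ad:be:ef:00:01"),   # poisoned: gateway IP, attacker MAC
    ("192.168.10.111", "de:ad:be:ef:00:01"),   # poisoned: victim IP, attacker MAC
    ("192.168.10.1",   "00:11:22:33:44:01"),   # the real gateway answers again
]


class ArpMonitor:
    """Learn IP-to-MAC bindings from ARP replies and flag suspicious changes."""

    def __init__(self, trusted=None):
        self.table = {}                     # ip -> first MAC seen for it
        self.trusted = dict(trusted or {})  # ip -> MAC known from inventory
        self.macs_per_ip = defaultdict(set)
        self.alerts = []

    def observe(self, ip, mac):
        """Record one ARP reply; return the alerts it triggered (may be empty)."""
        mac = mac.lower()
        new = []
        if ip in self.trusted and self.trusted[ip] != mac:
            new.append(("trusted_mismatch", ip, mac))
        elif ip in self.table and self.table[ip] != mac:
            new.append(("flip", ip, self.table[ip], mac))
        self.table.setdefault(ip, mac)
        self.macs_per_ip[ip].add(mac)
        # One MAC answering for several IPs is the signature of a MITM host
        # sitting between the gateway and its victim.
        claimed = sorted(i for i, macs in self.macs_per_ip.items() if mac in macs)
        if len(claimed) > 1:
            new.append(("multi_ip", mac, tuple(claimed)))
        self.alerts.extend(new)
        return new


def run_monitor(replies, trusted=None):
    """Feed a reply sequence through the monitor and return all alerts raised."""
    mon = ArpMonitor(trusted)
    for ip, mac in replies:
        mon.observe(ip, mac)
    return mon.alerts
```

Seeding the monitor with the gateway's inventory MAC turns the first poisoned reply into a trusted_mismatch alert instead of a plain flip, which is the form worth paging on.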
There's more
We can also use Metasploit to profile usernames and e-mail addresses. We do this with the search email collector module.
1. Open a terminal window and start MSFCONSOLE:
msfconsole
2. Search for the email collector:
search email collector
3. Type the following command to use the search email collector module:
use auxiliary/gather/search_email_collector
4. Show the options available for this module:
show options
5. Now we set the domain name. Choose your domain carefully if you do not want to attract the attention of the relevant authorities.
6. Set the domain to the one you want:
set domain gmail.com
7. Set the output file. This is not required, but if you plan to run several attacks, or to run the attack again later, it is recommended:
set outfile /root/Desktop/fromwillie.txt
8. Finally, we start the attack:
run
8.5 Cracking Windows passwords with John the Ripper
In this recipe we will use John the Ripper to crack a Windows Security Account Manager (SAM) file. The SAM file stores the hashes of the usernames and passwords of the target system's users. For security reasons, the SAM file is protected by permissions and cannot be opened or copied manually while Windows is running.
Getting ready
You need access to the SAM file.
In this recipe we assume that you have access to a Windows host.
How to do it
Let's start cracking the Windows SAM file with John the Ripper. We assume that you have access to a Windows host, either through a remote compromise or through physical access, and that you can boot Kali Linux from a USB or DVD drive.
1. See which hard drive you want to mount:
fdisk -l
2. Mount the hard disk, using target as its mount point:
mount /dev/sda1 /target/
3. Change directory to the location of the Windows SAM file:
cd /target/windows/system32/config
4. List everything in the directory:
ls -al
5. Use SamDump2 to extract the hashes and put them in a folder called hashes in your root user's home directory:
samdump2 system SAM > /root/hashes/hash.txt
6. Change to the John the Ripper directory.
7. Run John the Ripper:
./john /root/hashes/hash.txt
./john /root/hashes/hash.txt -f:nt (if attacking a file from an NTFS system)
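samdump2 writes one pwdump-format line per account (user:RID:LM hash:NT hash:::), which john then consumes. Before handing such a file to john, an auditor usually wants to know which accounts have an empty password and which still carry an LM hash, the weak format that the -f:nt switch above tells john to ignore. The Python script below is an added example, not code from the book or from samdump2: it parses constructed samdump2 output and reports those conditions. The empty-LM hash aad3b435b51404eeaad3b435b51404ee and the empty-NT hash 31d6cfe0d16ae931b73c59d7e0c089c0 are the well-known constants; the account lines are made up.

```python
# Well-known hashes of the empty password (public constants, not secrets).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
# An LM hash is two independent 8-byte halves; the second half equal to the
# empty half means the password is 7 characters or shorter.
EMPTY_LM_HALF = EMPTY_LM[16:]

# Constructed samdump2 output for a fictional host (hash values are made up
# except for the empty-password constants above).
SAMPLE_PWDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
legacy_svc:1001:89e8a1e5f5f7f4e7aad3b435b51404ee:fedcba9876543210fedcba9876543210:::
helpdesk:1002:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
# comment lines and blank lines are ignored

"""


def parse_pwdump(text):
    """Yield one dict per account line of pwdump-format text."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError(f"malformed pwdump line: {raw!r}")
        user, rid, lm, nt = fields[0], fields[1], fields[2].lower(), fields[3].lower()
        if len(lm) != 32 or len(nt) != 32:
            raise ValueError(f"bad hash length in line: {raw!r}")
        yield {"user": user, "rid": int(rid), "lm": lm, "nt": nt}


def audit_pwdump(text):
    """Classify accounts: empty password, LM hash stored, LM hash of a short password."""
    report = {"empty_password": [], "lm_present": [], "lm_short": []}
    for acct in parse_pwdump(text):
        if acct["nt"] == EMPTY_NT:
            report["empty_password"].append(acct["user"])
        # Any LM hash other than the empty one means the case-folded, 14-character
        # LM scheme is still storing this password, which is trivial to crack.
        if acct["lm"] != EMPTY_LM:
            report["lm_present"].append(acct["user"])
            if acct["lm"][16:] == EMPTY_LM_HALF:
                report["lm_short"].append(acct["user"])
    return report
```
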
8.6 Dictionary attacks
In this recipe we will perform a dictionary, or word list, attack. A dictionary attack uses a pre-prepared set of passwords and tries every word in the list in order to brute-force the password of the specified user. The resulting dictionaries are usually of three types:
+ Usernames only: the list contains only usernames.
+ Passwords only: the list contains only passwords.
+ Usernames and passwords: the list contains generated usernames and passwords.
For demonstration purposes, we will use Crunch to generate our own password dictionary.
Getting ready
Crunch needs to be installed on Kali.
How to do it
The advantage of Kali is that, unlike BackTrack, it already has Crunch installed.
1. Open a terminal window and enter the crunch command to see Crunch's help file:
crunch
2. The basic syntax for generating passwords with Crunch is [minimum length] [maximum length] [character set] [options].
3. Crunch has several options. Some of the common ones are:
-o: lets you specify the file name and location of the output list.
-b: lets you specify the maximum number of bytes per file. The size can be given in KB/MB/GB, and it must be used together with the -o START trigger.
-t: lets you specify the pattern to use.
-l: when using the -t option, lets you mark some of the pattern characters (@, %, ^) as literals.
4. Next, we run a command to create a password list on the desktop with a minimum of 8 characters and a maximum of 10 characters, using the character set ABCDEFGabcdefg0123456789:
crunch 8 10 ABCDEFGabcdefg0123456789 -o /root/Desktop/generatedCrunch.txt
5. Once the file has been generated, we open it with Nano:
nano /root/Desktop/generatedCrunch.txt
How it works
In this recipe we used Crunch to generate a password dictionary list.
8.7 Using rainbow tables
In this recipe we will learn how to use rainbow tables in Kali. A rainbow table is a special kind of dictionary that carries out the attack with hashes instead of plain dictionary passwords. For demonstration purposes, we will use RainbowCrack to generate the rainbow tables.
How to do it
1. Open a terminal window and change to the rtgen directory:
cd /usr/share/rainbowcrack/
2. Now we start rtgen to generate an MD5-based rainbow table:
./rtgen md5 loweralpha-numeric 1 5 0 3800 33554432 0
3. Once the rainbow table has been generated, your directory will contain .rt files. Depending on the number of processors used to generate the hashes, this takes about 2 to 7 hours.
4. To start cracking, we use the rtsort program to sort the rainbow tables, which makes them easier to use.
How it works
In this recipe we used RainbowCrack to generate, sort and crack MD5 passwords. RainbowCrack can crack hashes using rainbow tables, which are built from pre-computed hash values. We started by generating an MD5 rainbow table from lowercase alphanumeric values. By the end of the recipe we had created the rainbow table and used it to crack a hash file.
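To make the rtgen parameters concrete (hash algorithm, character set, plaintext length, chain length and chain count), here is a deliberately small rainbow-table implementation in Python. It is an added example, not RainbowCrack's code: the reduction function, the fixed three-character plaintext length, and the chain length and count are toy choices so that the whole thing builds in well under a second, and the final lookup shows why such a table only helps against unsalted hashes.

```python
import hashlib
import itertools

CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789"   # rtgen's loweralpha-numeric
PLAINTEXT_LEN = 3       # toy: a single fixed length instead of rtgen's 1..5
CHAIN_LEN = 50          # rtgen's chain length argument (3800 in the recipe)
CHAIN_COUNT = 300       # rtgen's chain count argument (33554432 in the recipe)


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def reduce_fn(digest_hex, step):
    """Map a hash back into the plaintext space. Mixing the column index `step`
    into the reduction is what makes this a *rainbow* table: two chains that
    collide in different columns do not merge."""
    n = (int(digest_hex[:16], 16) + step) % (len(CHARSET) ** PLAINTEXT_LEN)
    out = []
    for _ in range(PLAINTEXT_LEN):
        n, r = divmod(n, len(CHARSET))
        out.append(CHARSET[r])
    return "".join(out)


def chain_point(start, k):
    """The k-th plaintext on the chain that begins at `start` (k = 0 is the start)."""
    p = start
    for step in range(k):
        p = reduce_fn(md5_hex(p), step)
    return p


def build_table(start_points):
    """Return {end point: [start points]}. Only the two ends of each chain are
    stored, which is what an .rt file holds and why the table is small."""
    table = {}
    for start in start_points:
        end = chain_point(start, CHAIN_LEN)
        table.setdefault(end, []).append(start)   # merged chains share an end
    return table


def lookup(table, target_hex):
    """Assume the target sits in column `pos`, reproduce the rest of the chain,
    and if the end point is in the table, walk that chain from its start."""
    for pos in range(CHAIN_LEN - 1, -1, -1):
        p = reduce_fn(target_hex, pos)
        for step in range(pos + 1, CHAIN_LEN):
            p = reduce_fn(md5_hex(p), step)
        for start in table.get(p, ()):
            candidate = start
            for step in range(CHAIN_LEN):
                if md5_hex(candidate) == target_hex:
                    return candidate
                candidate = reduce_fn(md5_hex(candidate), step)
    return None


def starting_points(count):
    """Deterministic start points: the first `count` plaintexts in charset order."""
    return ["".join(t) for t in itertools.islice(
        itertools.product(CHARSET, repeat=PLAINTEXT_LEN), count)]


def demo():
    """Build the toy table, recover a plaintext that lies on one of its chains,
    and show that a salted hash of the same plaintext is not found."""
    table = build_table(starting_points(CHAIN_COUNT))
    secret = chain_point("abc", 20)
    return lookup(table, md5_hex(secret)), lookup(table, md5_hex("s4lt" + secret))
```

The table keeps 300 pairs of end points yet covers 15,000 hash values; rtgen's figures above scale the same idea to billions of chains, which is why generation takes hours.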
8.8 Using NVIDIA Compute Unified Device Architecture (CUDA)
In this recipe we will use NVIDIA's Compute Unified Device Architecture (CUDA) to crack password hashes. CUDA is a parallel computing platform that uses the GPU to increase computing performance. Over time, the processing power of GPUs has increased dramatically, which lets us use them for general computation. For demonstration purposes, we will use CudaHashcat-plus to crack the passwords.
Getting ready
You need a CUDA-capable graphics card to complete this recipe.
How to do it
1. Open a terminal window and change to the OclHashcat-plus directory:
cd /usr/share/oclhashcat-plus
2. Execute the following command to display the CudaHashcat-plus help file:
./cudaHashcat-plus.bin --help
3. The syntax for running CudaHashcat is cudaHashcat-plus.bin [options] hash [mask]. One of the key points of using OclHashcat is understanding its character set structure.
4. Before we start the attack, let's look at some of the available attack vectors. CudaHashcat uses left and right masks in its attacks. The characters of the password are split according to the masks and divided equally between the left mask and the right mask. For each mask you can specify a dictionary or a character set. For our purposes, we will use a custom character set.
5. To specify a custom character set, we use the -1 option. We can define any number of custom character sets, as long as each is given a number (1-n). Each custom character is written as a question mark (?) followed by the character type. The available types are:
- d specifies digits (0-9)
- l specifies lowercase letters
- u specifies uppercase letters
- s specifies special characters
- 1-n specifies a custom character set to use as a placeholder
6. Putting it all together, we specify a custom character set that includes special characters (s), uppercase letters (u), lowercase letters (l) and digits (d), and generate passwords of length 8. Our hash file is named attackfile:
./cudaHashcat-plus.bin attackfile -1 ?l?u?d?s ?1?1?1?1 ?1?1?1?1
7. We can break this command down as follows:
- ./cudaHashcat-plus.bin calls CudaHashcat.
- attackfile is our attack file.
- -1 ?l?u?d?s defines custom character set 1, which contains lowercase letters, uppercase letters, digits and special characters.
- ?1?1?1?1 is the left mask, using character set 1.
- ?1?1?1?1 is the right mask, using character set 1.
That's it.
8.9 Using ATI Stream
In this recipe we will use ATI Stream to crack password hashes. ATI Stream is similar to CUDA in that it is a parallel computing platform that uses the GPU to increase computing performance. Over time, the processing power of GPUs has increased dramatically, which lets us use them for general computation. For demonstration purposes, we will use OclHashcat-plus to crack the passwords. OclHashcat comes in two versions, plus and lite, and both are included in Kali.
Getting ready
You need a graphics card that supports ATI Stream to complete this recipe.
How to do it
Let's start using OclHashcat-plus.
1. Open a terminal window and change to the OclHashcat-plus directory:
cd /usr/share/oclhashcat-plus
2. Execute the following command to display the OclHashcat-plus help file:
./oclHashcat-plus.bin --help
3. The syntax for running OclHashcat is oclHashcat-plus.bin [options] hash [mask]. One of the key points of using OclHashcat is understanding its character set structure.
4. Before we start the attack, let's look at some of the available attack vectors. OclHashcat uses left and right masks in its attacks. The characters of the password are split according to the masks and divided equally between the left mask and the right mask. For each mask you can specify a dictionary or a character set. For our purposes, we will use a custom character set.
5. To specify a custom character set, we use the -1 option. We can define any number of custom character sets, as long as each is given a number (1-n). Each custom character is written as a question mark (?) followed by the character type. The available types are:
- d specifies digits (0-9)
- l specifies lowercase letters
- u specifies uppercase letters
- s specifies special characters
- 1-n specifies a custom character set to use as a placeholder
6. Putting it all together, we specify a custom character set that includes special characters (s), uppercase letters (u), lowercase letters (l) and digits (d), and generate passwords of length 8. Our hash file is named attackfile:
./oclHashcat-plus.bin attackfile -1 ?l?u?d?s ?1?1?1?1 ?1?1?1?1
7. We can break this command down as follows:
- ./oclHashcat-plus.bin calls OclHashcat.
- attackfile is our attack file.
- -1 ?l?u?d?s defines custom character set 1, which contains lowercase letters, uppercase letters, digits and special characters.
- ?1?1?1?1 is the left mask, using character set 1.
- ?1?1?1?1 is the right mask, using character set 1.
That's it.
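The crunch command in recipe 8.6 and the hashcat masks in recipes 8.8 and 8.9 each describe a keyspace, and the first thing a practitioner wants to know about either is how large it is: whether the crunch output will even fit on disk, and how long a mask run will take. The Python below is an added example, not part of the book or of either tool. It computes the candidate count and output size for a crunch min/max/charset invocation and the keyspace of a hashcat-style mask with -1 to -4 custom charsets. The built-in ?l ?u ?d ?s ?a sizes (26, 26, 10, 33, 95) are hashcat's; the hash rate passed to the time estimate is whatever figure you assume for your hardware.

```python
import string

# hashcat's built-in charsets: ?s is the space plus the 32 ASCII punctuation
# characters, and ?a is the union of the other four (95 printable characters).
BUILTIN = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " " + string.punctuation,
    "a": string.ascii_letters + string.digits + " " + string.punctuation,
}


def crunch_keyspace(min_len, max_len, charset):
    """Candidates written by `crunch <min> <max> <charset>` (no -t pattern)."""
    n = len(set(charset))
    return sum(n ** length for length in range(min_len, max_len + 1))


def crunch_file_bytes(min_len, max_len, charset):
    """Output file size: every candidate plus its newline."""
    n = len(set(charset))
    return sum(n ** length * (length + 1) for length in range(min_len, max_len + 1))


def charset_chars(spec, custom):
    """Expand a charset spec such as '?l?u?d?s' (literal characters may be mixed
    in, and '??' is a literal question mark) into the set of characters it covers."""
    chars = set()
    i = 0
    while i < len(spec):
        if spec[i] != "?":
            chars.add(spec[i])
            i += 1
            continue
        if i + 1 >= len(spec):
            raise ValueError(f"dangling '?' in charset {spec!r}")
        key = spec[i + 1]
        if key == "?":
            chars.add("?")
        elif key in BUILTIN:
            chars.update(BUILTIN[key])
        elif key in custom:
            chars.update(custom[key])
        else:
            raise ValueError(f"unknown charset ?{key}")
        i += 2
    return chars


def mask_keyspace(mask, custom_specs):
    """Keyspace of a hashcat mask. custom_specs maps '1'..'4' to the spec given
    with -1..-4; sets are resolved in order, so -2 may reference ?1.
    For oclHashcat-plus's left/right form, pass left + right as one mask."""
    custom = {}
    for key in sorted(custom_specs):
        custom[key] = charset_chars(custom_specs[key], custom)
    total = 1
    i = 0
    while i < len(mask):
        if mask[i] == "?":
            total *= len(charset_chars(mask[i:i + 2], custom))
            i += 2
        else:
            i += 1                      # a literal position has exactly one choice
    return total


def seconds_to_exhaust(keyspace, hashes_per_second):
    """Worst-case run time for a mask at an assumed (hypothetical) hash rate."""
    return keyspace / hashes_per_second
```

For the recipe's crunch 8 10 ABCDEFGabcdefg0123456789 command, crunch_file_bytes reports roughly 725 TB, which is the practical reason the -b option exists; the ?l?u?d?s mask of length 8 yields 95^8 candidates.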
8.10 Physical access attacks
In this recipe we will use SUCrack to perform a physical access password attack. SUCrack is a multithreaded tool that brute-forces local user accounts through su. The Linux su command lets you run commands as a substitute user. This attack is very useful when you cannot escalate privileges on a Linux system by other means, but it fills up the log files, so make sure you clean up the logs when you are done.
SUCrack has several options available:
--help lets you view its help documentation.
-l lets you change the user whose login we are trying to brute-force.
-s lets you set the interval, in seconds, at which statistics are displayed. The default is 3 seconds.
-a lets you set whether ANSI escape codes are used.
-w lets you set the number of worker threads. Because SUCrack is multithreaded, you can run as many threads as you like. We recommend using only one thread, because each failed login attempt usually incurs a three-second delay before the next password is tried.
How to do it
1. To use SUCrack, you need to specify a word list when you start it; otherwise you get a funny message. Open a terminal window and execute the sucrack command. For our purposes, we will use the custom word list file we created earlier with Crunch, but you can specify any word list you want:
sucrack /usr/share/wordlists/rockyou.txt
2. If you want to use two worker threads, display statistics every 6 seconds and use ANSI escape codes, use the following command:
sucrack -w 2 -s 6 -a /usr/share/wordlists/rockyou.txt
That's it.
How it works
In this recipe we used SUCrack to perform a physical access password attack against the system's root user. The attack uses a word list and can target the administrator (the default) or a specified user. We ran the sucrack command, which carries out the attack for us.