Chapter 8. Password attacks

Authors: Willie L. Pritchett, David De Smet

Translator: Flying dragon

License: CC BY-NC-SA 4.0

In this chapter we explore several ways of attacking passwords in order to gain access to user accounts. Password cracking is a task that every penetration tester has to perform. Essentially, the weakest part of any system is the password supplied by the user. Whatever the password policy, people hate entering strong passwords and changing them regularly, and this makes passwords an easy target for attackers.

8.1 Online password attacks

In this recipe we use the Hydra password cracker. Sometimes we have the opportunity to attack a Windows-based computer physically and obtain the Security Account Manager (SAM) database directly. When that is not possible, an online password attack has the advantage.

Hydra supports many protocols, including (but not limited to) FTP, HTTP, HTTPS, MySQL, MSSQL, Oracle, Cisco, IMAP and VNC. Bear in mind that this attack is noisy, which increases the likelihood that you will be detected.

Getting ready

You need an internal network or Internet connection, plus a computer to use as the victim.

How to do it...

Let's begin cracking passwords online.

  1. From the start menu, choose Applications | Kali Linux | Password Attacks | Online Attacks | hydra-gtk.

  2. Now that Hydra is open, we need to set up our word lists. Click the Passwords tab. We use both a list of usernames and a list of passwords; enter the location of each list. Also select Loop around users and Try empty password.

    • Username list: /usr/share/wfuzz/wordlist/fuzzdb/wordlists-user-passwd/names/nameslist.txt
    • Password list: /usr/share/wfuzz/wordlist/fuzzdb/wordlists-user-passwd/passwds/john.txt

    As a shortcut, click the word-list box to open a file-system window.

  3. Next we make a few adjustments. Under Performance Options, reduce the number of tasks from 16 to 2. The reason is that we do not want to run so many processes that the server crashes. Although it is optional, we also select Exit after first found pair.

  4. Finally, we set our target. Click the Target tab and set the target and protocol. Here we use the MySQL port of the Metasploitable host (192.168.10.111).

  5. To launch the attack, click the Start button on the Start tab.

How it works...

In this recipe we used Hydra to perform a dictionary attack against the target. Hydra lets us specify a target and supply a list of usernames and a list of passwords. It brute-forces the login by trying username and password combinations drawn from the two lists.

8.2 Cracking HTTP passwords

In this recipe we use the Hydra password cracker to crack HTTP passwords. Access to websites and web applications is usually controlled by a username and password combination, and, as with any other kind of password, users tend to choose weak ones.

Getting ready

You need an internal network or Internet connection, plus a computer to use as the victim.

How to do it...

Let's begin cracking HTTP passwords.

  1. From the start menu, choose Applications | Kali Linux | Password Attacks | Online Attacks | hydra-gtk.

  2. Now that Hydra is open, we need to set up our word lists. Click the Passwords tab. We use both a list of usernames and a list of passwords; enter the location of each list. Also select Loop around users and Try empty password.

    • Username list: /usr/share/wfuzz/wordlist/fuzzdb/wordlists-user-passwd/names/nameslist.txt
    • Password list: /usr/share/wfuzz/wordlist/fuzzdb/wordlists-user-passwd/passwds/john.txt

    As a shortcut, click the word-list box to open a file-system window.

  3. Next we make a few adjustments. Under Performance Options, reduce the number of tasks from 16 to 2. The reason is that we do not want to run so many processes that the server crashes. Although it is optional, we also select Exit after first found pair.

  4. Finally, we set our target. Click the Target tab and set the target and protocol. Here we use the HTTP port of the Metasploitable host (192.168.10.111).

  5. To launch the attack, click the Start button on the Start tab.

8.3 Gaining router access

In this recipe we use Medusa to brute-force a router login.

Today we live in a networked society. With the arrival of online video game systems, most households have several computers, and small businesses are growing at a record rate. Routers have become the cornerstone of network connectivity. However, the number of experienced network administrators able to secure these routers has not grown at the same pace, which leaves many of them vulnerable to attack.

Getting ready

You need a computer connected to the Internet or an intranet, and an accessible router.

How to do it...

  1. From the start menu, go to Applications | Kali Linux | Password Attacks | Online Attacks | medusa. When Medusa starts, it displays its help file.

  2. We now run Medusa with the options we have chosen:

    medusa -M http -h 192.168.10.1 -u admin -P /usr/share/wfuzz/wordlist/fuzzdb/wordlists-user-passwd/passwds/john.txt -e ns -n 80 -F

    • -M http lets us specify the module. Here we chose the HTTP module.

    • -h 192.168.10.1 lets us specify the host. Here we chose 192.168.10.1 (the router's IP address).

    • -u admin lets us specify the user. Here we chose admin.

    • -P [location of password list] lets us specify the location of the password list.

    • -e ns lets us specify additional password checks. The ns value tells Medusa to also try the username as the password and to try an empty password.

    • -n 80 lets us specify the port number. Here we chose 80.

    • -F stops the brute force as soon as a valid username and password combination is found.

  3. Medusa runs and tries every username and password combination until one succeeds.

How it works...

In this recipe we used Medusa to brute-force the target router's password. The advantage of doing so is that once you have access to the router you can change its settings so that you can get back in later, or even redirect traffic passing through it to a destination of your choosing.

There's more...

You can also run Medusa directly from the command line by typing the medusa command.

Depending on your situation you can pass Medusa other options; refer to the help, which is displayed by simply typing medusa.

Module types

Here is the list of modules available in Medusa:

  • AFP
  • CVS
  • FTP
  • HTTP
  • IMAP
  • MS-SQL
  • MySQL
  • NetWare
  • NNTP
  • PCAnywhere
  • Pop3
  • PostgreSQL
  • REXEC
  • RLOGIN
  • RSH
  • SMBNT
  • SMTP-AUTH
  • SMTP-VRFY
  • SNMP
  • SSHv2
  • Subversion
  • Telnet
  • VMware Authentication
  • VNC
  • Generic Wrapper
  • Web form

8.4 Password profiling

In this recipe we learn how to profile passwords before attacking them. The purpose of password profiling is to gather information about the target machine, business and so on, so that we can build a smaller, more targeted word list. In this tutorial we use Ettercap and its ARP poisoning feature to sniff traffic.

Getting ready

This recipe requires a LAN connection.

How to do it...

Let's start profiling passwords with Ettercap.

  1. We begin this recipe by configuring Ettercap. First we locate its configuration file and edit it with vim:

    locate etter.conf
    vi /etc/ettercap/etter.conf

    Note that the location may differ on your system.

  2. Change ec_uid and ec_gid to 0.

  3. Now uncomment the IPTABLES lines. They are in the LINUX section near the end of the file.

  4. Now we start Ettercap. Use the -G option to load the graphical interface (GUI).

  5. We turn on unified sniffing. Press Shift + U, or go to Sniff | Unified sniffing... in the menu bar.

  6. Select the network interface.

  7. Next we scan for hosts, either by pressing Ctrl + S or via Hosts | Scan for hosts in the menu bar.

  8. Now we let Ettercap start sniffing. Press Ctrl + W, or go to Start | Start Sniffing in the menu bar.

  9. Finally, we start ARP poisoning. Go to Mitm | Arp poisoning in the menu bar.

  10. In the window that appears, select Sniff remote connections.

  11. Depending on the network, we will see information appear.

  12. Once we have found the information we are looking for (usernames and passwords), we shut down Ettercap. Press Ctrl + E, or go to Start | Stop sniffing in the menu bar.

  13. Now we need to stop the ARP poisoning so that the network returns to normal.

How it works...

In this recipe we used Ettercap to poison the network and capture the usernames and passwords travelling over it. We began by locating and modifying Ettercap's configuration file, then started Ettercap and used ARP poisoning to perform a man-in-the-middle (MITM) attack. Because the traffic is redirected through our host, we can see usernames and passwords as they cross the network.

There's more...

We can also use Metasploit to profile usernames and e-mail addresses, using the search email collector module.

  1. Open a terminal window and start MSFCONSOLE:

    msfconsole

  2. Search for the email collector:

    search email collector

  3. Type the following command to use the search email collector module:

    use auxiliary/gather/search_email_collector

  4. Show the options available for this module:

    show options

  5. Now we set the domain name. Choose your domain carefully if you do not want a visit from the relevant authorities.

  6. Set the domain to the one you want:

    set domain gmail.com

  7. Set the output file. This is optional, but it is recommended if you plan to run several attacks or to run an attack again later:

    set outfile /root/Desktop/fromwillie.txt

  8. Finally, we launch the attack:

    run
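The ARP poisoning above leaves two traces on the wire: an IP address whose MAC suddenly changes, and one MAC that answers for several IPs. The following is an added educational example (not code from the book) that detects both symptoms in a feed of observed ARP replies; the ArpReply record, the MAC addresses and the attacker address 00:0c:29:aa:bb:cc are constructed sample data, while the IPs are the lab addresses used in these recipes.

```python
"""Passive detection of ARP-poisoning symptoms.

Added educational example, not part of the book. An ARP poisoner makes one
attacker MAC answer for two IP addresses (the gateway and the victim), so
each of those IPs is suddenly bound to a new MAC. Both symptoms can be
spotted from a feed of ARP replies (e.g. from arpwatch or `tcpdump arp`).
The ArpReply record and all MAC addresses below are constructed sample data.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set, Tuple


class ArpReply(NamedTuple):
    ts: float   # seconds since start of capture
    ip: str     # sender protocol address (who this reply speaks for)
    mac: str    # sender hardware address (who claims to own it)


# Constructed capture on the 192.168.10.0/24 lab network from the recipes:
# the router .1 and Metasploitable .111 are first answered by their own
# (constructed) MACs, then 00:0c:29:aa:bb:cc starts answering for both.
SAMPLE_REPLIES = [
    ArpReply(0.0, "192.168.10.1",   "00:11:22:33:44:55"),
    ArpReply(1.2, "192.168.10.111", "00:aa:bb:cc:dd:ee"),
    ArpReply(2.0, "192.168.10.77",  "00:de:ad:be:ef:01"),
    ArpReply(5.3, "192.168.10.1",   "00:0c:29:aa:bb:cc"),   # gateway "moves"
    ArpReply(5.4, "192.168.10.111", "00:0c:29:aa:bb:cc"),   # victim "moves" too
    ArpReply(6.0, "192.168.10.1",   "00:0c:29:aa:bb:cc"),
]


def build_bindings(replies) -> Tuple[Dict[str, List[str]], Dict[str, Set[str]]]:
    """Return (ip -> MACs in order first seen, mac -> set of IPs claimed)."""
    ip_to_macs: Dict[str, List[str]] = defaultdict(list)
    mac_to_ips: Dict[str, Set[str]] = defaultdict(set)
    for r in replies:
        if r.mac not in ip_to_macs[r.ip]:
            ip_to_macs[r.ip].append(r.mac)
        mac_to_ips[r.mac].add(r.ip)
    return ip_to_macs, mac_to_ips


def suspicious_macs(replies) -> Set[str]:
    """MACs that claim more than one IP: the classic poisoner signature."""
    _, mac_to_ips = build_bindings(replies)
    return {mac for mac, ips in mac_to_ips.items() if len(ips) > 1}


def detect_arp_poisoning(replies, trusted: Optional[Dict[str, str]] = None):
    """Return a list of (severity, message) findings.

    `trusted` optionally maps IP -> known-good MAC (e.g. the gateway's
    documented address); the current binding disagreeing with it is critical.
    An IP whose MAC changed, or a MAC claiming several IPs, is high severity.
    """
    trusted = trusted or {}
    ip_to_macs, mac_to_ips = build_bindings(replies)
    findings = []
    for ip, macs in ip_to_macs.items():
        if len(macs) > 1:
            findings.append(("high", f"{ip} changed MAC: {' -> '.join(macs)}"))
        if ip in trusted and macs[-1] != trusted[ip]:
            findings.append(("critical",
                             f"{ip} is answered by {macs[-1]}, expected {trusted[ip]}"))
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1:
            findings.append(("high", f"{mac} claims {len(ips)} IPs: {', '.join(sorted(ips))}"))
    return findings


if __name__ == "__main__":
    known_gateway = {"192.168.10.1": "00:11:22:33:44:55"}   # constructed baseline
    for severity, message in detect_arp_poisoning(SAMPLE_REPLIES, known_gateway):
        print(f"[{severity}] {message}")
```

A static ARP entry for the gateway, or a switch with dynamic ARP inspection, turns the "critical" finding into a prevented attack rather than an alert.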

8.5 Cracking Windows passwords with John the Ripper

In this recipe we use John the Ripper to crack a Windows Security Account Manager (SAM) file. The SAM file stores the hashed usernames and passwords of the target system's users. For security reasons the SAM file is protected by permissions and cannot be opened or copied manually while Windows is running.

Getting ready

You need access to a SAM file.

In this recipe we assume that you have access to a Windows host.

How to do it...

Let's begin cracking a Windows SAM file with John the Ripper. We assume that you have access to a Windows host, either through a remote compromise or physically, and that you can boot Kali Linux from a USB or DVD drive.

  1. Find the hard disk you want to mount:

    fdisk -l

  2. Mount the hard disk, using target as its mount point:

    mount /dev/sda1 /target/

  3. Change directory to the location of the Windows SAM file:

    cd /target/windows/system32/config

  4. List the contents of the directory:

    ls -al

  5. Use SamDump2 to extract the hashes and write them to a folder called hashes in the root user's home directory:

    samdump2 system SAM > /root/hashes/hash.txt

  6. Change directory to the John the Ripper directory.

  7. Run John the Ripper:

    ./john /root/hashes/hash.txt
    ./john /root/hashes/hash.txt -f:nt (if attacking a file on an NTFS system)

8.6 Dictionary attacks

In this recipe we look at dictionary, or word-list, attacks. A dictionary attack uses a prepared set of passwords and tries each word in the list in an attempt to brute-force the password of the specified user. The dictionaries produced are generally of three types:

+ Usernames only: the list contains only usernames.
+ Passwords only: the list contains only passwords.
+ Usernames and passwords: the list contains generated username and password pairs.

For demonstration purposes we use Crunch to generate our own password dictionary.

Getting ready

Crunch must be installed on Kali.

How to do it...

Kali has the advantage that Crunch is already installed, unlike BackTrack.

  1. Open a terminal window and enter the crunch command to see Crunch's help file:

    crunch

  2. The basic syntax for generating passwords with Crunch is crunch [minimum length] [maximum length] [character set] [options].

  3. Crunch has several options. Some of the common ones are:

    • -o: lets you specify the file name and location of the output list.

    • -b: lets you specify the maximum number of bytes per file. The size can be given in KB/MB/GB and must be used together with the -o START option.

    • -t: lets you specify the pattern to use.

    • -l: when -t is used, this option lets you identify certain characters as placeholders (@, %, ^).

  4. Next we run the command to create a password list on the desktop, with a minimum of 8 characters, a maximum of 10 characters, and the character set ABCDEFGabcdefg0123456789:

    crunch 8 10 ABCDEFGabcdefg0123456789 -o /root/Desktop/generatedCrunch.txt

  5. Once the file has been generated, we open it with nano:

    nano /root/Desktop/generatedCrunch.txt

How it works...

In this recipe we used Crunch to generate a password dictionary list.

8.7 Using rainbow tables

In this recipe we learn how to use rainbow tables in Kali. A rainbow table is a special kind of dictionary that stores hashes rather than plain dictionary passwords to carry out the attack. For demonstration purposes we use RainbowCrack to generate the rainbow table.

How to do it...

  1. Open a terminal window and change to the rtgen directory:

    cd /usr/share/rainbowcrack/

  2. Now we start rtgen to generate an MD5-based rainbow table:

    ./rtgen md5 loweralpha-numeric 1 5 0 3800 33554432 0

  3. Once the rainbow table has been generated, your directory will contain .rt files. Depending on the number of processors used to generate the hashes, this takes roughly 2 to 7 hours.

  4. To start cracking, we use the rtsort program to sort the rainbow table and make it easier to use.

How it works...

In this recipe we used RainbowCrack to generate, sort and crack MD5 passwords. RainbowCrack cracks hashes using rainbow tables built from precomputed hash values. We began by generating an MD5 rainbow table from lowercase values. At the end of the recipe we had successfully created a rainbow table and used it to crack a hash file.
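To make concrete what rtgen precomputes and what rtsort/rcrack look up, here is an added, self-contained toy rainbow table (educational example, not RainbowCrack's code): MD5 over a lowercase, fixed-length-3 keyspace with short chains, plus the check that shows why a per-user salt renders the table useless. The chain length, chain count and the salt value "x9" are chosen for the example.

```python
"""Toy rainbow table: how rtgen/rcrack-style lookups work and why salts defeat them.

Added educational example, not RainbowCrack's code. The keyspace is lowercase
letters of length 3 (rtgen's "loweralpha" charset, fixed length), hashed with
MD5 as in the recipe; chain length and chain count are deliberately small so
the whole table is built in well under a second.
"""
import hashlib
import random
import string

CHARSET = string.ascii_lowercase   # "loweralpha"
PLAIN_LEN = 3                      # 26**3 = 17,576 possible plaintexts
CHAIN_LEN = 50                     # rtgen's chain length argument (3800 in the recipe)


def h(plaintext: str, salt: str = "") -> bytes:
    """The hash being attacked. A salt is prepended when one is given."""
    return hashlib.md5((salt + plaintext).encode()).digest()


def reduce_digest(digest: bytes, step: int) -> str:
    """Reduction function R_step: map a digest back into the plaintext space.
    Mixing `step` into it is what makes this a *rainbow* table: two chains
    that collide at different positions do not merge."""
    n = int.from_bytes(digest, "big") + step
    out = []
    for _ in range(PLAIN_LEN):
        n, idx = divmod(n, len(CHARSET))
        out.append(CHARSET[idx])
    return "".join(out)


def walk(start: str, upto: int) -> str:
    """Plaintext at position `upto` of the chain that begins at `start`."""
    p = start
    for step in range(upto):
        p = reduce_digest(h(p), step)
    return p


def build_table(num_chains: int, seed: int = 1) -> dict:
    """Return {endpoint: start}. Like an .rt file, only chain ends are stored;
    the intermediate hashes are recomputed on demand (the time/memory trade-off)."""
    rng = random.Random(seed)
    table = {}
    for _ in range(num_chains):
        start = "".join(rng.choice(CHARSET) for _ in range(PLAIN_LEN))
        table[walk(start, CHAIN_LEN)] = start
    return table


def crack(target: bytes, table: dict):
    """Recover the plaintext of `target` if it lies on a stored chain.

    For every position i (from the end backwards) assume the digest sits there,
    finish the chain to its endpoint and check whether that endpoint is stored.
    On a hit, rebuild the chain from its start and verify by rehashing, which
    also rejects false alarms caused by colliding endpoints."""
    for i in range(CHAIN_LEN - 1, -1, -1):
        p = reduce_digest(target, i)
        for step in range(i + 1, CHAIN_LEN):
            p = reduce_digest(h(p), step)
        start = table.get(p)
        if start is not None:
            candidate = walk(start, i)
            if h(candidate) == target:
                return candidate
    return None


if __name__ == "__main__":
    table = build_table(2000)
    secret = walk(next(iter(table.values())), 7)   # a plaintext known to be on a chain
    print("unsalted:", crack(h(secret), table))     # recovers `secret`
    # The same password hashed with a per-user salt is not in the table at all,
    # so salting forces an attacker to build a fresh table per salt value.
    print("salted:  ", crack(h(secret, salt="x9"), table))   # None
```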

8.8 Using NVIDIA Compute Unified Device Architecture (CUDA)

In this recipe we use NVIDIA's Compute Unified Device Architecture (CUDA) to crack password hashes. CUDA is a parallel computing platform that uses the GPU to increase computing performance. Over time the processing power of GPUs has increased dramatically, which allows us to use them for computational purposes. For demonstration purposes we use CudaHashcat-plus to crack the hashes.

Getting ready

A CUDA-capable graphics card is required to complete this recipe.

How to do it...

  1. Open a terminal window and change to the OclHashcat-plus directory:

    cd /usr/share/oclhashcat-plus

  2. Run the following command to display the CudaHashcat-plus help file:

    ./cudaHashcat-plus.bin --help

  3. The syntax for running CudaHashcat is cudaHashcat-plus.bin [options] hash [mask].

    One of the keys to using OclHashcat is understanding its character-set structure.

  4. Before we begin the attack, let's look at some of the available attack vectors. CudaHashcat uses a left mask and a right mask in its attacks. The characters of the password are split according to the masks, half to the left mask and half to the right. For each mask you can specify a dictionary or a character set. For our purposes we use a custom character set.

  5. To specify a custom character set we use the -1 option. We can define any number of custom character sets, each given a number (1-n). Each custom character is denoted by a question mark (?) followed by the character type. The available types are:

    • d: digits (0-9)
    • l: lowercase letters
    • u: uppercase letters
    • s: special characters
    • 1-n: a custom character set, used as a placeholder

  6. Putting it together, we specify a custom character set containing special characters (s), uppercase letters (u), lowercase letters (l) and digits (d), and generate passwords of length 8. Our hash file is named attackfile:

    ./cudaHashcat-plus.bin attackfile -1 ?l?u?d?s ?1?1?1?1 ?1?1?1?1

  7. The command breaks down as follows:

    • ./cudaHashcat-plus.bin invokes CudaHashcat.

    • attackfile is our attack file.

    • -1 ?l?u?d?s defines custom character set 1, which contains lowercase letters, uppercase letters, digits and special characters.

    • ?1?1?1?1 is the left mask, using character set 1.

    • ?1?1?1?1 is the right mask, using character set 1.

    That's it.

8.9 Using ATI Stream

In this recipe we use ATI Stream to crack password hashes. ATI Stream is similar to CUDA in that it is a parallel computing platform that uses the GPU to increase computing performance. Over time the processing power of GPUs has increased dramatically, which allows us to use them for computational purposes. For demonstration purposes we use OclHashcat-plus to crack the hashes. OclHashcat comes in two versions, plus and lite, and both are included in Kali.

Getting ready

A graphics card that supports ATI Stream is required to complete this recipe.

How to do it...

Let's begin using OclHashcat-plus.

  1. Open a terminal window and change to the OclHashcat-plus directory:

    cd /usr/share/oclhashcat-plus

  2. Run the following command to display the OclHashcat-plus help file:

    ./oclHashcat-plus.bin --help

  3. The syntax for running OclHashcat is oclHashcat-plus.bin [options] hash [mask].

    One of the keys to using OclHashcat is understanding its character-set structure.

  4. Before we begin the attack, let's look at some of the available attack vectors. OclHashcat uses a left mask and a right mask in its attacks. The characters of the password are split according to the masks, half to the left mask and half to the right. For each mask you can specify a dictionary or a character set. For our purposes we use a custom character set.

  5. To specify a custom character set we use the -1 option. We can define any number of custom character sets, each given a number (1-n). Each custom character is denoted by a question mark (?) followed by the character type. The available types are:

    • d: digits (0-9)
    • l: lowercase letters
    • u: uppercase letters
    • s: special characters
    • 1-n: a custom character set, used as a placeholder

  6. Putting it together, we specify a custom character set containing special characters (s), uppercase letters (u), lowercase letters (l) and digits (d), and generate passwords of length 8. Our hash file is named attackfile:

    ./oclHashcat-plus.bin attackfile -1 ?l?u?d?s ?1?1?1?1 ?1?1?1?1

  7. The command breaks down as follows:

    • ./oclHashcat-plus.bin invokes OclHashcat.

    • attackfile is our attack file.

    • -1 ?l?u?d?s defines custom character set 1, which contains lowercase letters, uppercase letters, digits and special characters.

    • ?1?1?1?1 is the left mask, using character set 1.

    • ?1?1?1?1 is the right mask, using character set 1.

    That's it.
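The crunch command in recipe 8.6 and the mask attacks in recipes 8.8 and 8.9 both enumerate a keyspace, and the size of that keyspace (together with how slow the hash is to compute) is what decides whether a password survives. The following added example (not code from the book or from hashcat) computes the keyspace of the crunch command and of the -1 ?l?u?d?s mask pair, and the time to exhaust each at a given guess rate; the guess rates in main() are constructed round numbers for illustration, not benchmarks, and the ?s set is hashcat's 33 printable specials.

```python
"""Keyspace and exhaustion-time estimates for the word-list and mask attacks.

Added example, not part of the book. It computes how many candidates the
crunch command from recipe 8.6 (crunch 8 10 ABCDEFGabcdefg0123456789) and
the hashcat mask from recipes 8.8/8.9 (-1 ?l?u?d?s ?1?1?1?1 ?1?1?1?1)
enumerate, and how long exhausting them takes at a given guess rate. The
guess rates used in main() are constructed round numbers, not benchmarks.
"""
import re
import string
from math import prod

# hashcat's built-in character sets (?l ?u ?d ?s), sizes 26, 26, 10 and 33
BUILTIN = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
}

TOKEN = re.compile(r"\?.|.")   # a mask is a sequence of '?x' tokens or literal chars


def expand_charset(spec: str, custom: dict) -> set:
    """Expand a charset spec such as '?l?u?d?s' or 'abc?d' into a set of characters.
    `custom` maps '1'..'4' to already-expanded custom sets (hashcat's -1..-4)."""
    chars = set()
    for tok in TOKEN.findall(spec):
        if tok.startswith("?") and len(tok) == 2:
            key = tok[1]
            if key in BUILTIN:
                chars |= set(BUILTIN[key])
            elif key in custom:
                chars |= custom[key]
            elif key == "?":
                chars.add("?")          # '??' is a literal question mark
            else:
                raise ValueError(f"unknown charset ?{key}")
        else:
            chars.add(tok)              # literal character
    return chars


def mask_keyspace(masks, custom_specs: dict) -> int:
    """Number of candidates the given mask(s) enumerate. Several masks (the
    recipe's left and right mask) are simply concatenated. Custom sets are
    resolved in numeric order, so ?2 may refer to ?1."""
    custom: dict = {}
    for key in sorted(custom_specs):
        custom[key] = expand_charset(custom_specs[key], custom)
    mask = masks if isinstance(masks, str) else "".join(masks)
    return prod(len(expand_charset(tok, custom)) for tok in TOKEN.findall(mask))


def crunch_keyspace(min_len: int, max_len: int, charset: str) -> int:
    """Number of lines crunch writes for `crunch min_len max_len charset`."""
    n = len(set(charset))
    return sum(n ** length for length in range(min_len, max_len + 1))


def seconds_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Wall-clock time to try every candidate once at the given rate."""
    return keyspace / guesses_per_second


def humanize(seconds: float) -> str:
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("min", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} s"


if __name__ == "__main__":
    crunch_n = crunch_keyspace(8, 10, "ABCDEFGabcdefg0123456789")
    mask_n = mask_keyspace(["?1?1?1?1", "?1?1?1?1"], {"1": "?l?u?d?s"})
    # Constructed illustrative rates: a GPU on a fast unsalted hash versus a
    # deliberately slow password hash. Same keyspace, very different exposure.
    for label, rate in (("fast hash, 1e10 guesses/s", 1e10), ("slow hash, 1e4 guesses/s", 1e4)):
        print(f"{label}: crunch list {humanize(seconds_to_exhaust(crunch_n, rate))}, "
              f"8-char mask {humanize(seconds_to_exhaust(mask_n, rate))}")
```

The same functions let a defender check a proposed password policy: a minimum length or character class that keeps the keyspace large, combined with a slow hash, pushes exhaustion time from days into millennia.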

8.10 Physical access attacks

In this recipe we use SUCrack to perform a physical-access password attack. SUCrack is a multithreaded tool that brute-forces local user accounts through su. The Linux su command lets you run commands as a substitute user. This attack is very useful when you have no other way of escalating privileges on a Linux system, but it fills up the log files, so make sure you clean up the logs when you are done.

SUCrack has several options available:

  • --help shows its help documentation.

  • -l lets you change the user whose login we are trying to break.

  • -s lets you set the interval, in seconds, at which statistics are displayed. The default is 3 seconds.

  • -a lets you set whether ANSI escape codes are used.

  • -w lets you set the number of worker threads. Because SUCrack is multithreaded you can run any number of threads, but we recommend using only one, since each failed login attempt usually incurs a delay of about three seconds before the next password is tried.

How to do it...

  1. To use SUCrack you need to specify a word list at startup; otherwise you get a humorous message. Open a terminal window and run the sucrack command. For our purposes we use the custom word list we created earlier with Crunch, but you can specify any word list you like:

    sucrack /usr/share/wordlists/rockyou.txt

  2. If you want to use two worker threads, display statistics every 6 seconds and use ANSI escape codes, use the following command:

    sucrack -w 2 -s 6 -a /usr/share/wordlists/rockyou.txt

    That's it.

How it works...

In this recipe we used SUCrack to perform a physical-access password attack against the system's root user. The attack uses a word list against either the administrator (the default) or a user you specify. We ran the sucrack command and it carried out the attack for us.
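Every attack in this chapter that guesses online (Hydra and Medusa in recipes 8.1 to 8.3, SUCrack here) shows up on the target as a burst of authentication failures, and Hydra's Loop around users option additionally makes one source fail against many accounts. The following is an added example (not code from the book) that parses standard sshd and pam_unix su failure lines and alerts on both patterns; the log lines, host names and the source address 192.168.10.5 are constructed, and sshd stands in for whichever service is being attacked.

```python
"""Spotting online brute-force and su brute-force attempts in auth logs.

Added example, not part of the book. Hydra, Medusa and SUCrack all generate
bursts of authentication failures, and Hydra's "Loop around users" makes one
source fail against many accounts. This parses sshd and pam_unix su failure
lines (standard Linux syslog formats) and raises an alert on either pattern.
The sample lines, host names and the 192.168.10.5 source are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

SSHD_FAIL = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port")
SU_FAIL = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ su(?:\[\d+\])?: pam_unix\(su:auth\): "
    r"authentication failure;.*\bruser=(?P<ruser>\S*).*\buser=(?P<user>\S+)")

SAMPLE_LOG = """\
Jan 12 10:00:01 metasploitable sshd[2211]: Failed password for root from 192.168.10.5 port 51234 ssh2
Jan 12 10:00:02 metasploitable sshd[2213]: Failed password for admin from 192.168.10.5 port 51236 ssh2
Jan 12 10:00:03 metasploitable sshd[2215]: Failed password for invalid user msfadmin from 192.168.10.5 port 51238 ssh2
Jan 12 10:00:04 metasploitable sshd[2217]: Failed password for root from 192.168.10.5 port 51240 ssh2
Jan 12 10:00:05 metasploitable sshd[2219]: Failed password for admin from 192.168.10.5 port 51242 ssh2
Jan 12 10:00:06 metasploitable sshd[2221]: Accepted password for msfadmin from 192.168.10.5 port 51244 ssh2
Jan 12 10:03:30 metasploitable sshd[2301]: Failed password for alice from 192.168.10.20 port 40001 ssh2
Jan 12 10:05:00 kali su[3310]: pam_unix(su:auth): authentication failure; logname=kali uid=1000 euid=0 tty=/dev/pts/1 ruser=kali rhost=  user=root
Jan 12 10:05:03 kali su[3311]: pam_unix(su:auth): authentication failure; logname=kali uid=1000 euid=0 tty=/dev/pts/1 ruser=kali rhost=  user=root
Jan 12 10:05:06 kali su[3312]: pam_unix(su:auth): authentication failure; logname=kali uid=1000 euid=0 tty=/dev/pts/1 ruser=kali rhost=  user=root
Jan 12 10:05:09 kali su[3313]: pam_unix(su:auth): authentication failure; logname=kali uid=1000 euid=0 tty=/dev/pts/1 ruser=kali rhost=  user=root
Jan 12 10:05:12 kali su[3314]: pam_unix(su:auth): authentication failure; logname=kali uid=1000 euid=0 tty=/dev/pts/1 ruser=kali rhost=  user=root
"""


def parse_failure(line: str, year: int = 2024):
    """Return (timestamp, source, target_user) for a failed login line, else None.
    For su the source is 'local:<invoking account>' since there is no remote host."""
    m = SSHD_FAIL.match(line)
    if m:
        src = m.group("src")
    else:
        m = SU_FAIL.match(line)
        if not m:
            return None
        src = "local:" + m.group("ruser")
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, src, m.group("user")


def detect_bruteforce(lines, threshold=5, window_s=60, spray_users=3):
    """Return alerts as (kind, source, detail) tuples, at most one per source and kind.
    'burst': at least `threshold` failures from one source within `window_s` seconds.
    'spray': one source failing against at least `spray_users` distinct accounts
             (what 'Loop around users' looks like from the server side)."""
    recent = defaultdict(deque)      # source -> failure timestamps inside the window
    users = defaultdict(set)         # source -> distinct accounts attempted
    alerted, alerts = set(), []
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, src, user = parsed
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        users[src].add(user)
        if len(users[src]) >= spray_users and ("spray", src) not in alerted:
            alerted.add(("spray", src))
            alerts.append(("spray", src, f"{len(users[src])} distinct users tried"))
        if len(q) >= threshold and ("burst", src) not in alerted:
            alerted.add(("burst", src))
            alerts.append(("burst", src, f"{len(q)} failures within {window_s}s"))
    return alerts


if __name__ == "__main__":
    for kind, src, detail in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{kind:5} {src:18} {detail}")
```

Because SUCrack's attempts go through PAM, pam_tally2/faillock lockouts and the three-second failure delay the recipe mentions are what slow it down; the detector above is what turns the resulting log noise into an alert.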
