Date: 2024-10-04
Time: 6pm-8pm
Location: GH 224
Host: Patrick Hirsch
This meeting aims to cover password cracking and guessing techniques at an introductory level. This is achieved by lecture-driven content with some hands-on practices with relevant tools along the way followed by a simple password cracking CTF.
Contextual and background information is adapted from past NKCyber content prepared and developed by Jakob Banta. Notes and exercises on specific tools are adapted from last semester's Red Team meeting as is the Password Cracking exercise developed by Patrick Hirsch.
Please check in here.
Boot up your Kali VM
Kali is a Linux distribution often described as the "Swiss Army Knife for cyber security pros." Kali comes loaded with over 600 tools for penetration testing and offensive cyber security. Some of these will be used today.
- On the computer in front of you, check that it displays username "gh224cyber" and log in with the same password.
- If not, reboot and select the middle boot partition when prompted.
- On the desktop, select the VirtualBox icon.
- Open and boot up the Kali VM
- Default credentials for Kali are
kali:kali
Open TryHackMe's Hydra Room
- If you have a TryHackMe account, login. If not I'd recommend creating a free account.
- Find and open the "Hydra" room.
- Start the AttackBox and Room's target machine now to save some time later.
¶ Context and Background
- Definition: Passwords serve as crucial authentication tools for safeguarding digital access.
- Purpose: Protecting accounts and sensitive data from unauthorized access.
- Importance of Strong Passwords:
- Shields against malicious intent.
- Mitigates the risk of breaches.
Characteristics of Strong Passwords:
- Length: Longer passwords offer better protection.
- Complexity: Comprising a mix of uppercase, lowercase, numbers, and symbols.
- Unpredictability: Avoiding easily guessable patterns or words.
- Password Policies: Guidelines that define password requirements.
- Examples of Password Policy Requirements:
- Minimum Length (e.g., 8 characters).
- Character Variety (mix of letters, numbers, symbols).
- Regular Password Changes (still common, though NIST SP 800-63B now advises against forced periodic rotation unless a compromise is suspected).
- Benefits: Enforces a baseline of password strength, which lowers the success rate of brute-force and dictionary attacks.
- Plaintext: Any breach of the credential store hands over every password as-is.
- Hashing: Stores only a one-way hash of each password, so a stolen database still has to be cracked. A per-user salt and a deliberately slow algorithm (bcrypt, scrypt, Argon2) make that cracking far more expensive than raw MD5.
- Encryption: Reversible by design, so it only helps while the key stays out of the attacker's hands. It protects data in transit and at rest; it is not a substitute for hashing stored passwords.
- Overview of Password Attack Techniques:
- Dictionary Attacks: Trying every entry of a pre-defined wordlist.
- Brute-Force Attacks: Trying every possible combination within a keyspace.
- Rule-Based Attacks: Mangling wordlist entries according to known habits (capitalise, append a year, swap letters for digits).
- Guessing Attacks: Trying a handful of the most common passwords against many accounts.
- Offline cracking: the attacker already holds the hashes (a dumped database, a copied shadow file) and tests candidates locally, limited only by hardware.
- Techniques such as dictionary attacks and brute-force.
- Tools like Hashcat and John the Ripper are used for this.
- Online guessing: the attacker submits candidates to a live login, limited by network speed, account lockouts and rate limiting.
- Techniques such as dictionary attacks and brute-force.
- Tools like Hydra are used for this.
Physical (or local) access to a target, when you can get it, opens shortcuts:
- You may be able to find passwords written down.
- Chrome's password manager will reveal saved passwords in plaintext after you re-enter the logged-in user's OS password.
- If you can gain root on a Linux system, you can copy /etc/shadow (and /etc/passwd) and crack the hashes offline.
- A hash is a deterministic one-way function: the same input always produces the same output, but there is no practical way to get the input back from the output.
- When a password is set on a system, its hash is what gets stored; the password itself should never be stored in a readable form.
- When you log in, the password you provide is hashed the same way and the two hashes are compared, so the system never needs to keep the original.
John, or John the Ripper, is an offline password cracking tool: give it a file of hashes and a wordlist of candidate passwords and it hashes each candidate, reporting any that match. (It can also brute-force with its incremental mode.)
John's rules can "mangle" a wordlist on the fly, generating variants of each entry such as capitalising it, pluralising it or appending digits.
Another option out there is Hashcat, which does the same job on GPUs.
# Create and enter a workspace
mkdir -p ~/passcrack && cd ~/passcrack
# Download some hashes
curl -o hashes https://wiki.nkcyber.org/red/exercise-files/simplehashes.md5
# Take a look inside this file (one hex MD5 per line)
cat hashes
# Decompress the rockyou wordlist (Kali ships it gzipped; this leaves rockyou.txt in place)
sudo gzip -d /usr/share/wordlists/rockyou.txt.gz
# Run john: try every rockyou entry against the raw (unsalted) MD5 hashes
john hashes --wordlist=/usr/share/wordlists/rockyou.txt --format=raw-md5
# Cracked results are cached in ~/.john/john.pot; print them again with
john --show --format=raw-md5 hashes
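To make the hash-and-compare loop described above concrete, here is an added example (not part of the NKCyber notes and not John's code): a toy dictionary attack in shell that does for a file of raw MD5 hashes what the john command above does, using only md5sum. The hashes and wordlist it builds are constructed demo data, not the simplehashes.md5 exercise file.

```shell
#!/bin/sh
# Added example (not from the NKCyber notes and not John's code): a toy version of the
# john --wordlist run above against --format=raw-md5 hashes, to show the hash-and-compare
# loop. Needs only md5sum from coreutils. The hashes and wordlist it writes are constructed
# demo data, not the simplehashes.md5 exercise file.

# md5_of WORD: hex MD5 of WORD, the same digest a raw-md5 hash file holds.
md5_of() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# crack_md5 HASHFILE WORDLIST: hash each candidate once and look the digest up in HASHFILE.
# Prints "hash:plaintext" per hit. Nothing is "reversed": the cracker only recomputes hashes
# of guesses, which is why a fast unsalted hash like MD5 falls to a wordlist so quickly.
crack_md5() {
    hashfile=$1
    wordlist=$2
    while IFS= read -r word || [ -n "$word" ]; do
        h=$(md5_of "$word")
        if grep -qxF "$h" "$hashfile"; then
            printf '%s:%s\n' "$h" "$word"
        fi
    done < "$wordlist"
    return 0
}

# build_demo DIR: write a constructed hash file and a four-entry wordlist into DIR.
build_demo() {
    mkdir -p "$1"
    printf '%s\n' password iloveyou princess burrito1 > "$1/wordlist"
    # Two of these are in the wordlist; the third is not, so it stays uncracked no matter
    # how long the loop runs (the same situation john leaves you in for a hash not in rockyou).
    for p in iloveyou burrito1 correcthorsebatterystaple; do
        md5_of "$p"
    done > "$1/hashes"
}

# Stand-alone usage, mirroring "john hashes --wordlist=... --format=raw-md5".
demo_dir=${TMPDIR:-/tmp}/passcrack-demo
build_demo "$demo_dir"
crack_md5 "$demo_dir/hashes" "$demo_dir/wordlist"
```

The difference between this loop and john is throughput and bookkeeping: john hashes millions of candidates per second, matches against an in-memory table rather than grepping a file, and records every crack in john.pot so --show can print it later.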
- Hydra is an online brute-force password guessing tool.
- You can point it at a live service, give it a list of usernames and/or passwords, and it will try each combination.
- This works for web login forms like the one in the room, but also FTP, SSH, SMB, RDP and many more protocols.
To learn more about Hydra, and use it in a contained environment, check out the free TryHackMe room.
- Back in 2009, social application developer RockYou suffered a data breach resulting in over 32 million user passwords being stolen and published online.
- RockYou was storing credentials in plaintext, so every user's password was out there for the world to see, no cracking required.
- THIS IS WHY WE HASH THINGS, PEOPLE!
- The resulting list of passwords has become the go-to wordlist for password cracking.
- Fair warning: these are real passwords written by real people, so expect plenty of profanity.
- The wordlist can be found on GitHub, or packaged with Kali as /usr/share/wordlists/rockyou.txt.gz
# -l one username, -P password list, -V show every attempt; the IP is the room's target
# machine (yours will differ). http-post-form takes "path:POST body:F=text shown on failure".
hydra -l molly -P /usr/share/wordlists/rockyou.txt 10.10.150.122 http-post-form "/login:username=^USER^&password=^PASS^:F=Your username or password is incorrect." -V
- RockYou is great as a starting point, but it shows its age.
- RockYou didn't require special characters or much length, so many of its entries wouldn't meet modern policy requirements.
- You can however find success in creating your own wordlists.
- If users aren't following basic security practices, you may be able to guess their passwords, or automatically generate a list of possibilities to try.
- There are also a plethora of published wordlists out there following various themes.
Tools like CeWL can be used to scrape a webpage for words relevant to a business that may have influenced a weak password, such as a Chipotle employee using burrito1 or sofritasandguac.
# Run the tool on Norse IoT's homepage (default spider depth is 2, minimum word length 3)
cewl https://norseiot.club/ > iot
# Run the tool with a depth of 3 (follows links three hops deep, so expect a bigger list)
cewl https://norseiot.club/ -d 3 > iot3
# Read the files
less iot
less iot3
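An added example, not CeWL's own code, showing the word-harvesting step cewl performs on each page it fetches: strip the tags, split into words, drop anything shorter than a minimum length and rank what is left by frequency. It runs on a saved HTML file so it works offline; the page it writes is a constructed stand-in for a club homepage, not norseiot.club.

```shell
#!/bin/sh
# Added example, not CeWL's code: the word-harvesting step cewl runs on each page it fetches,
# here on a saved HTML file so it works offline. The page written by sample_page is a
# constructed stand-in for a club homepage, not norseiot.club.

# html_words FILE MINLEN: "count word" lines, most frequent first (like cewl -c).
# Tags become spaces, anything that is not a letter or apostrophe splits words, and words
# shorter than MINLEN are dropped (cewl's default minimum is 3).
html_words() {
    file=$1
    minlen=${2:-3}
    sed 's/<[^>]*>/ /g' "$file" \
      | tr -cs "A-Za-z'" '\n' \
      | awk -v min="$minlen" 'length($0) >= min' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# wordlist_from_html FILE MINLEN: just the words, ranked, ready for john or hydra.
wordlist_from_html() {
    html_words "$1" "$2" | awk '{print $2}'
}

# sample_page FILE: write the constructed demo page.
sample_page() {
    cat > "$1" <<'EOF'
<html><head><title>Norse IoT Club</title></head>
<body><h1>Welcome to the Norse IoT Club</h1>
<p>We build Internet of Things gadgets, hack on firmware, and run workshops.
Join the club! Firmware night is Thursday; bring firmware questions.</p>
<a href="https://example.invalid/firmware">firmware downloads</a>
</body></html>
EOF
}

# Stand-alone usage: rank words of five letters or more on the demo page.
page=${TMPDIR:-/tmp}/cewl-demo.html
sample_page "$page"
html_words "$page" 5
```

CeWL does considerably more (follows links to the requested depth, parses the DOM properly, pulls e-mail addresses and document metadata), and because this version strips tags with a regular expression, the contents of inline script and style blocks would leak into the count. The ranking is the useful part: the words a site repeats most are the ones its staff are most likely to have typed into a password field.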
GitHub user Mebus's Common User Passwords Profiler (CUPP) can also take known info about a target into account and generate potential simple passwords based on someone's name, pets, partner, children, etc.
# Install the tool (Kali doesn't come with this one)
sudo apt update
sudo apt install cupp
# Run it in interactive mode
cupp -i
# Answer some questions (name, nickname, birthdate, partner, pet, company, keywords)
# Examine the output: cupp saves the list as <firstname>.txt in the current directory
less <firstname>.txt
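An added example (not cupp's code) of what a profiler does with the answers to those questions: combine the facts and apply mangling rules of the kind John's rules and cupp's leet and append options produce. The profile values in the usage line are constructed.

```shell
#!/bin/sh
# Added example, not cupp's code: turn a few profile facts into candidate passwords the way
# cupp -i does, by pairing them and applying mangling rules (capitalise, leetspeak, append
# common suffixes). John's rules do the same kind of mangling to a wordlist at crack time.
# The profile values in the usage line are constructed.

# mangle WORD: WORD, its capitalised and leetspeak forms, each alone and with common suffixes.
mangle() {
    w=$1
    cap=$(printf '%s' "$w" | cut -c1 | tr 'a-z' 'A-Z')$(printf '%s' "$w" | cut -c2-)
    leet=$(printf '%s' "$w" | sed 'y/aeios/43105/')
    for base in "$w" "$cap" "$leet"; do
        printf '%s\n' "$base"
        for suffix in 1 12 123 '!'; do
            printf '%s%s\n' "$base" "$suffix"
        done
    done
}

# profile_wordlist NAME PET PARTNER BIRTHYEAR: mangle every fact, each fact with the four-
# and two-digit year, and each name paired with another, then de-duplicate.
profile_wordlist() {
    name=$1 pet=$2 partner=$3 year=$4
    yy=$(printf '%s' "$year" | cut -c3-)
    {
        for fact in "$name" "$pet" "$partner"; do
            mangle "$fact"
            mangle "$fact$year"
            mangle "$fact$yy"
        done
        mangle "$name$pet"
        mangle "$pet$name"
        mangle "$name$partner"
        mangle "$partner$name"
    } | sort -u
}

# Stand-alone usage: what a profile of "molly" (pet rex, partner james, born 1995) yields.
profile_wordlist molly rex james 1995 | head -n 20
```

Four facts already produce a couple of hundred candidates; cupp's real question set (nickname, birthdate, children, company, extra keywords) and its larger rule set push that into the tens of thousands, which is still trivial for john or hydra to work through. Feed the output to hydra with -P to try the whole profile against one account.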
Crunch generates an exhaustive wordlist within a keyspace. The output grows extremely fast in both line count and file size, because it contains every possible string within the given parameters; if you match the target's password complexity requirements correctly, it will work… eventually. It is often more helpful to pipe the output directly into another tool rather than generating the massive file.
# SYNOPSIS: crunch <min-len> <max-len> [<charset string>] [options]
# Single quotes keep the shell from interpreting the $ in the charset.
crunch 10 100 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@#$'
# Crunch will now generate the following amount of data: 14809017679091798272 bytes
# 14122979811755 MB
# 13791972472 GB
# 13468723 TB
# 13153 PB
# Crunch will now generate the following number of lines: 1346274334462890752
# Caveat: those totals only cover length 10 (65^10 ≈ 1.35e18 lines of 11 bytes each); every
# extra character multiplies the count by 65, so the real 10..100 keyspace is far beyond what
# crunch's counter can report. Nobody exhausts a keyspace like this; the point is the growth rate.
# Let this run for a bit then stop it with CTRL+C
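An added example, not crunch itself, that makes the keyspace arithmetic behind those numbers concrete: a tiny generator that enumerates every string of the given lengths over a charset, and a counter for how many there are. The 65-character set is the one from the crunch command above.

```shell
#!/bin/sh
# Added example, not crunch's code: a miniature crunch to make the keyspace numbers concrete.
# Both functions take crunch's (min-len, max-len, charset) arguments.

# keyspace_count MIN MAX CHARSET: how many strings of length MIN..MAX exist over CHARSET,
# i.e. the sum of |CHARSET|^L. awk arithmetic is double precision, so the result is exact
# only below 2^53; above that it is a rounded estimate (crunch's own totals round the same way).
keyspace_count() {
    awk -v min="$1" -v max="$2" -v cs="$3" 'BEGIN {
        n = length(cs); total = 0
        for (L = min; L <= max; L++) total += n ^ L
        printf "%.0f\n", total
    }'
}

# gen_words MIN MAX CHARSET: print every string of length MIN..MAX, one per line, shortest
# length first and in charset order within a length. Recursion keeps a prefix and extends
# it one character at a time; only use it where keyspace_count is small.
gen_words() {
    awk -v min="$1" -v max="$2" -v cs="$3" '
    function extend(prefix, remaining,    i) {
        if (remaining == 0) { print prefix; return }
        for (i = 1; i <= length(cs); i++)
            extend(prefix substr(cs, i, 1), remaining - 1)
    }
    BEGIN { for (L = min; L <= max; L++) extend("", L) }'
}

# The 65-character set from the crunch command above.
CRUNCH_CHARSET='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@#$'

# Stand-alone usage
echo "4-digit PINs: $(keyspace_count 4 4 0123456789) candidates"        # 10000
echo "length 10 over 65 chars: $(keyspace_count 10 10 "$CRUNCH_CHARSET")"
echo "length 10..100 over 65 chars: $(keyspace_count 10 100 "$CRUNCH_CHARSET")"
gen_words 1 2 ab     # a b aa ab ba bb
```

gen_words 4 4 0123456789 | john --stdin --format=raw-md5 hashes is the piping pattern the paragraph recommends, with crunch in place of gen_words for real work. keyspace_count 10 100 prints a roughly 182-digit number, which is why crunch's reported total, which only covers length 10, is so misleading.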
- Tools like GitHub user shroudri's username_generator can be used to generate wordlists of potential usernames for a target based on data available and common username formats.
- This provides 11 common username formats for each of the names given, though things like appending numbers may be needed.
- This can be a good place to start if usernames on the system are not readily available or known.
# Clone the repo locally
git clone https://github.com/shroudri/username_generator.git
# Enter the local repo copy
cd username_generator
# Create a wordlist
echo your_name_here > names
# Add some more names
curl https://wiki.nkcyber.org/red/exercise-files/names.txt >> names
# Run the script
python3 username_generator.py -w names
- Go to https://ctf.nkcyber.org/ and make an account.
- On the Kali VM go to http://10.15.32.104/
- You'll notice there is an employee login page.
- You'll notice there is a list of employees.
- See how many you can crack in 30 minutes