Penetration Testing #6 - Bruteforce and Password cracking from INE free course
Introduction
When I was a kid I used to wonder how it is even possible to break into someone's account, and I thought that being a security specialist meant having some kind of superpower. Today is the day I can show you a solution to the Brute Force and Password Cracking lab from the INE free course. Being a legal hacker is always a fun game, and this lab is created for "breaking into accounts" purposes only!
The first thing to mention before jumping into the lab is the answer to the question "How are passwords actually stored?". Obviously, users' credentials are stored in databases or in files within the operating system. But they are not stored in plain text. Instead, each password is passed through a one-way function called a hash function, and only the resulting hash is kept. This is crucial for security: otherwise, when a database with credentials leaks, attackers have every credential in their hands without any additional effort. This leads directly to the two most commonly used password cracking attacks: brute force and the dictionary attack. Brute force is the most trivial way to crack a password. This attack tries every possible combination of characters against the hash (or the authentication system), so we can be sure that no password is skipped. But brute force is also very time-consuming, and thus it is not the best option for cracking long passwords. I will show you proof that the time needed to crack a nine-character password hashed with MD5 is far too long to be practical.
Trying to crack a nine-character password on a GPU with brute force takes over 6 years! As you can see, this type of attack should be considered only as a last resort. The better way to crack passwords is to use a dictionary attack. As the name suggests, in this approach we use a dictionary, which is a text file of common passwords from around the world, one password per line. I have to tell you that this text file is really large. Probably the best dictionary available is rockyou.txt, which ships with Kali Linux (/usr/share/wordlists/rockyou.txt.gz).
As you can see, there are over 14 million passwords inside this dictionary. It's huge and very efficient. Tools created for cracking passwords simply take a password from the dictionary, hash it and compare the result with the hash of the victim's password. If the two hashes match, the password is cracked.
You may ask: "What if the correct password is test1 and test1 is not in the dictionary?". This is where mangling comes into play. Mangling is simply a modification of the string taken from the dictionary, for example appending digits or changing the capitalization. The most commonly used password cracking tools have mangling built in, and the technique is widely used. You can also define your own mangling rules in Hashcat (https://hashcat.net/hashcat/). In the program's documentation this is called a Rule-based attack (https://hashcat.net/wiki/doku.php?id=rule_based_attack), but it is simply a dictionary attack with user-defined mangling. It's worth mentioning that the most common tools used to crack passwords are John the Ripper, Hashcat, and Hydra. I will use two of them in the lab. I believe we now know everything needed to solve the challenge. Let's hack!
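To make the dictionary-plus-mangling idea concrete, here is an added Python example (not from the INE lab or the post's own tooling) that audits a set of unsalted MD5 hashes against a tiny constructed wordlist, applying simple hashcat-style rules (capitalization, appended digits and symbols, leetspeak). The wordlist and the target hashes are constructed sample data, not rockyou.txt or anything from the lab machine.

```python
import hashlib

# Constructed miniature "dictionary" standing in for rockyou.txt
WORDLIST = ["password", "letmein", "test", "sunshine", "dragon"]

# Constructed target hashes (unsalted MD5, as in the timing example above),
# mapped to the account they belong to; built from known plaintexts so the
# audit has something to find. "dave" uses a password no rule will produce.
TARGETS = {
    hashlib.md5(b"test1").hexdigest(): "alice",
    hashlib.md5(b"Dragon!").hexdigest(): "bob",
    hashlib.md5(b"Sunsh1ne").hexdigest(): "carol",
    hashlib.md5(b"x7#Qm!9zLq").hexdigest(): "dave",
}


def md5_hex(candidate):
    """Hash a candidate string the same way the targets were hashed."""
    return hashlib.md5(candidate.encode()).hexdigest()


def mangle(word):
    """Yield the base word plus simple mangling variants, mimicking a small
    hashcat rule set: case changes, appended suffixes and leetspeak."""
    seen = set()
    bases = [word, word.capitalize(), word.upper()]
    suffixes = ["", "1", "123", "!"]
    for base in bases:
        leet = base.replace("a", "@").replace("i", "1")
        for suffix in suffixes:
            for candidate in (base + suffix, leet + suffix):
                if candidate not in seen:
                    seen.add(candidate)
                    yield candidate


def dictionary_attack(wordlist, targets, hash_fn=md5_hex):
    """Hash every mangled candidate and look it up in the target set.
    Returns {account: recovered_password}; accounts whose password never
    appears among the candidates (like 'dave') stay absent."""
    cracked = {}
    for word in wordlist:
        for candidate in mangle(word):
            account = targets.get(hash_fn(candidate))
            if account is not None and account not in cracked:
                cracked[account] = candidate
    return cracked


if __name__ == "__main__":
    print(dictionary_attack(WORDLIST, TARGETS))
```

Note that the lookup is a set membership test per candidate, which is why unsalted fast hashes like MD5 fall to a wordlist so quickly; a salted, slow hash would force the same work per account instead.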
Bruteforce and Password cracking lab from INE free course
Description of the lab
The goal of the lab
This challenge is all about retrieving users' credentials from the target machine. The description tells us that we need to bypass network authentication first. Our second step will be cracking credentials saved inside the victim's operating system. As usual, the very first step in a penetration test is network reconnaissance. I will use Nmap to scan the target's network and look for interesting hosts.
With the help of the ifconfig command, we learn that our machine inside the network is 192.168.99.100. The configuration has a 24-bit netmask, so the address of the target's network is 192.168.99.0. It's time to run Nmap with a ping scan only, without any port or service mapping, since that is not our concern for now.
There is only one host up other than our own. It looks like the machine with the IP address 192.168.99.22 is our target. Let's see which ports are open on this host; maybe we will find a way to break in.
As you can see, we can log into the machine remotely using the SSH or Telnet protocol. It's worth mentioning that the traffic generated by Nmap is not logged on the victim's machine since I've used a SYN scan, so the TCP three-way handshake was never completed. Now our journey in this lab begins. We have to accomplish the first step, which is "cracking the network authentication". I will use an excellent tool for this kind of task called Hydra.
Hydra found credentials for the account used with the SSH protocol. If you want to crack credentials for the Telnet connection, do exactly the same as in this example but with telnet as the protocol instead of ssh. I've decided to skip cracking the Telnet credentials since we already have remote access to the machine via SSH.
We are logged in as root! That's really cool stuff. Now it's time for the second step, which is called persistence. We want access to as many accounts as possible, so that our access is not cut off if someone changes his or her credentials. You might think that since we are already root we can simply change someone's password and own the victim's account that way. That would be a mistake. Note that the victim will most likely try to log into his or her account, and when the authentication fails he or she knows that something is wrong. If we want to achieve persistence inside a system, we have to be as quiet as possible. That's why the next goal of this lab is to crack the credentials of some local accounts. For this we need the shadow and passwd files. The shadow file contains the password hashes, and the passwd file keeps the account information on a Unix system, for instance usernames, emails, phone numbers, etc. To crack credentials of local accounts, especially on Unix-like systems, the best tool to use is John the Ripper, or simply john. But first we have to copy the files we need. To do this, let's use the scp command, which copies files over the SSH protocol.
To use john properly, these two files have to be merged correctly. The unshadow tool from the john toolkit does this job for us.
The unshadow tool pastes the password hashes from the shadow file into the password field of the passwd file; it writes the result to standard output, so we redirect it into a new file to get this combined syntax. Now everything is set for john and we can launch this powerful program. I'm going to use the default configuration of john. In that case john will try "single" mode first, which is based on the GECOS information. The next mode will be "incremental", which is a dictionary attack with john's dictionary. When these two modes are not sufficient, john will try brute force as the last resort. If you want to read more about john's modes, I recommend the documentation at https://www.openwall.com/john/doc/MODES.shtml.
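To show exactly what the merge step above produces, here is an added Python example (not from the post, and not john's own unshadow source) that builds the combined passwd-plus-hash lines john expects. The passwd and shadow contents are constructed sample lines with placeholder hash values, not data from the lab machine; unlike the real unshadow, this version also drops accounts whose shadow field holds no crackable hash ("*", "!", empty), which john would skip anyway.

```python
# Constructed sample /etc/passwd content (7 colon-separated fields per line)
PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice Example,,,:/home/alice:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
"""

# Constructed sample /etc/shadow content; the hash values are placeholders
SHADOW = """root:$6$saltsalt$HASHPLACEHOLDER1:19000:0:99999:7:::
alice:$6$othersalt$HASHPLACEHOLDER2:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
"""


def parse_shadow(text):
    """Map username -> password field (field 2) of /etc/shadow."""
    hashes = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            hashes[fields[0]] = fields[1]
    return hashes


def unshadow(passwd_text, shadow_text):
    """Return passwd lines with the 'x' in field 2 replaced by the hash from
    shadow, the combined format john reads. Accounts with a locked or empty
    shadow field are dropped (a deliberate choice in this example)."""
    hashes = parse_shadow(shadow_text)
    merged = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue  # not a well-formed passwd entry
        password_field = hashes.get(fields[0], fields[1])
        if password_field in ("", "x", "*") or password_field.startswith("!"):
            continue  # nothing john could crack here
        fields[1] = password_field
        merged.append(":".join(fields))
    return merged


if __name__ == "__main__":
    print("\n".join(unshadow(PASSWD, SHADOW)))
```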
John cracked over 20 credentials. With such a list we are pretty powerful, am I right? :D The goal was to crack at least 10 users' credentials, and I have a much bigger list thanks to john. Thus I'm ending here. Thanks for reading and have a nice day!