Category: Password Cracking

Posted on by

Password Cracking in Penetration Testing : Beginners Guide

Password cracking plays a very important role in hacking. We are not always lucky to get credentials during enumeration. There are two types of password cracking.

Online password cracking
Offline password cracking

In this tutorial we will learn about online password cracking. There are many techniques used in online password cracking. Some of them are,

Dictionary Attack: Dictionary password attack is a password cracking attack where each word in a dictionary (or a file having a lot of words) is tried as password until access is gained. This method will be successful when simple passwords are set. By simple, I mean common passwords which can be found in a dictionary like “password”, “iloveyou” etc. This type of attack consumes less time but is not bound to be successful always especially if the password is not present in the dictionary.

Brute force Attack: Brute Force attack is a password cracking attack similar to dictionary attack. The only difference is in this attack, each and every possible combination is tried until the password is successfully cracked. For example, if there are two words say “abc” and “123” in a wordlist, other combinations like “abc1”, “abc2” and “abc3” a re also tried. Brute force attack will definitely succeed even if it means it will take years to do that.

Hybrid Attack: As the name suggests, it uses a combination of both dictionary and brute force password attacks to crack the password.

Rainbow Table Attack: Rainbow Table password cracking technique uses pre -computed hashes to crack the encrypted hashes.

Kali Linux has various tools in its arsenal for both online and offline password cracking. Some of the online password cracking tools are Acccheck, John The Ripper, Hydra and Medusa etc.

We have already seen the working of the tool Accheck during SMB enumeration. In this tutorial, we will see how to crack passwords with a tool called Hydra. THC-Hydra is a password cracker which uses brute forcing to crack the passwords of remote authentication services. It can perform rapid dictionary attacks against more than 50 protocols, including telnet, FTP, HTTP, HTTPS, SMB, several databases and much more.

On our target Metasploitable2, we have many services which allow remote authentication like telnet, ftp and SSH. We also have rlogin available. We will use Hydra on one of these services. Hydra can be accessed from the applications menu of Kali Linux. It is available both in GUI and command line utility. For this tutorial, I’m using the graphical one.

Once opened, Hydra will look like shown below.

Change the target IP to that of Metasploitable’ s IP. There are many protocols to choose from Here I am choosing ftp. Change the port to 21 as ftp is running on port 21. I selected options “Be Verbose” and “show attempts” to see the cracking process.

Click on “passwords” tab. We can give a single username and password or a file containing a number of usernames and passwords. Here I am giving the same dictionary or wordlist for both username and password. This dictionary is big.txt. I selected the options “Try Login as password” , “Try empty password” and “Try reverse login”. These options are self explanatory.

The tuning tab is used to configure proxy and number of simultaneous tries. I left it as default.

I left even “specific” tab to default. When all the settings are set, go to “Start” tab. To start the attack, click on “Start” button.

The attack is displayed as shown below.

The time of the attack depends on the number of words present in the dictionary or the wordlist we specified. The password is cracked if the phrase is present in the dictionary. If the password is not there in the wordlist, we need to use another dictionary. The big.txt dictionary I used failed to crack the password. So I used another wordlist we made during enumeration “pass.txt”. After some time, Hydra found three valid passwords.

Scroll up to see what are those passwords.

Apart from Hydra, Kali Linux also has command line tools to use for password cracking. One such tool is Medusa. Open a terminal and type medusa to see the options of that tool. Below is the command in medusa to crack ftp using a wordlist.

Once medusa cracks a password, it will be shown as below. Once again we got three credentials we found also with Hydra.

We have used the same dictionary in both methods, but where do we find this dictionary or wordlist. Most wordlists of Kali Linux are present in /usr/share directory. Given below are different dictionaries in the “wordlists” folder.

These wordlists are named accordingly. For example, “common.txt” contains most common passwords used by users. But what if none of the dictionaries are helpless in cracking the password. Kali Linux also has tools to create our own dictionary or wordlist. Crunch is one such tool. The syntax is given below.

Here’s an example of how to create a wordlist with crunch.

We can also save the wordlist to a  file as shown below.

Posted on by

Windows Local user hash carver exploit

Hi aspiring ethical hackers. In this article you will learn about the Windows Local user hash carver exploit. During a pen test, it  sometimes becomes necessary to change Windows password.

Although we have a hashdump feature to dump the password hashes of all users in a remote Windows system, this exploit directly changes the password of the user we want in the registry. Thus it saves the trouble of cracking the password hashes altogether.

This works on a local user account. This can be pretty useful if we need credentials but can’t crack the hashes. Mind that you need to have system privileges on the remote system to use this exploit (See how to escalate privileges). Let’s see how this exploit works.

First acquire system privileges on the system. Background the session (note the meterpreter session id) and load the hashcarver exploit as shown below.

Type command  “show options” to see the options required. Session is the meterpreter session id, user is the user in the remote system whose password you want to change and “pass” is the password you want to set for the user.

My session id is 2, Kanishka is the username for which I want to change the password and I want the new password to be “hacked”.

When all the options are set, execute the exploit using command “run.  The exploit runs as shown and successfully changes the password. That’s all in windows Local User Hash Carver exploit. Learn how to upgrade from Command shell to Meterpreter session

Posted on by 8 Comments

Crack password hash es with Kali

Hello aspiring hackers. In this article, we will learn how to crack password hash es using kali. n many hacking scenarios, we encounter hashes. To those newbies who have no idea what hashes are, they are encrypted text ( literally we can’t call it text ). Normally they are used to encrypt passwords for website users, operating system users etc. Today our tutorial is about cracking hashes.

For this howto, we will use NewsP Free News Script 1.4.7 which had a credential disclosure vulnerability as shown below. Imagine we got the username and password hash as shown below. The only thing that stops me from accessing the website is password in encrypted format.

The first step in cracking hashes is to identify the type of hash we are cracking. Kali Linux has an inbuilt tool to identify the type of hash we are cracking. It’s hash-identifier. Open a terminal and type command hash-identifier.

Enter the hash we need to crack as shown above and hit ENTER. It will show the possible hash type as shown below. In our case, it is MD5 or a variant of it.

We can also use another tool hashid for similar purpose. It’s syntax is as shown below.

We know what the type of hash is. Now, it’s time to crack the hash. We will use a tool called ‘findmyhash’. To use this tool, we need to specify the hash type ( which we already know ) and hash after it as shown below. This tool tries to crack the hash by using various online hash crackers available.

After successfully cracking the hash, it will display us the corresponding password as shown below. In our case, the password is admin.

That’s all in how to crack password hash with Kali. Learn how to do SMB enumeration with Kali.

Posted on by

Password cracking with Brutus

Hi everybody, today I’m gonna show you remote password cracking with Brutus. For the newbies, script kiddie is a person with little knowledge  of hacking or any programming languages and instead searches for automatic tools to hack the computers. In this scenario, script kiddie is using a Windows XP machine and two tools Zenmap and Brutus available for free to download. As you will see, Zenmap is used for scanning for any open ports of  live machines and Brutus is a password cracker.

Imagine I am the script kiddie, I  first find out my own computer’s  ip address by typing the command “ipconfig” in the command line.

The ip address of my system happens to be 10.10.10.1. I decide to scan the following range of ip addresses to look for any live hosts. In the target option, I specify IP address as 10.10.10.2-10 and I choose profile as intense scan to get maximum information about the target. After performing the scan, the results show that only one system 10.10.10.3 is alive.

The scan  also shows that the victim machine which is LIVE is running a ftp server and its operating system is Windows XP.

I decide to use Brutus to crack the remote FTP password. Brutus has both dictionary and brute force attack options. I decide to choose dictionary attack since it is faster than brute forcing. Brutus comes with a built in username(users.txt) and password list(pass.txt).As the victim machine is running Windows XP which comes with a default administrator account, I decide to  add “administrator” to the users.txt file.

I choose type as FTP since I am about to crack a FTP server.

Then I select the file pass.txt containing some common passwords and just hope to crack the password.

Then after starting the cracker, Brutus runs and gives one positive authentication result.

Username : administrator

Password: 123456

Then I try to log into the FTP server of the remote machine using CMD with the authentication result achieved above.

I successfully logged into the FTP server. Once I am into the remote machine I try some FTP commands but before that I change my local directory to Desktop.

Then I use DIR command to list the directories in the FTP server.

There are four directories in the FTP server:Detroit, Images:lena and users. I  go to the users directory using command cd users and then list the files in the directory by using command ls. There is one text file named users.txt in the directory.

I decide to download the file users.txt to my machine using the command get users.txt. Since I had set my local directory to desktop it will be downloaded to Desktop.

Let’s see the contents of the users.txt file just downloaded. It contains some usernames and passwords.

In the same way, I enter into another directory of interest to me “Images” and download the only image present in it to my desktop.

In this way, I can download any number of files from the remote server to my local machine. That’s all for in password cracking with Brutus.