0203 | Password Attacks

Red Teaming | Password Attacks | Summary:

This room is designed to teach about various strategies and techniques used in cracking or guessing passwords. It covers both offline and online methods, including dictionary and brute-force attacks, rule-based attacks, and custom rules.

The room emphasizes password profiling, teaching users how to create effective wordlists using default, weak, leaked, combined, and username sources.

Other topics include keyspace techniques, CUPP (Custom Password Profile), and online attacks targeting FTP, SMTP, SSH, and HTTP login pages. Additionally, it introduces the concept of password spraying attacks.

---

Disclaimer

Please note that this write-up is NOT intended to replace the original room or its content, but rather serve as supplementary material for those who are stuck and need additional guidance.

Learning Objectives

• Password profiling
• Password attacks techniques
• Online password attacks

1 | Introduction

Passwords are used for authentication purposes, serving as a barrier between legitimate users and potential intruders. Weak passwords, often found in public data breaches, can be easily guessed by attackers due to their simplicity or commonality. Strong passwords should include diverse character types (uppercase letters, lowercase letters, numbers, and symbols) and adhere to a minimum length requirement to enhance security.

Password policies implemented by companies help prevent the use of weak passwords within an organization. However, if an attacker understands these guidelines, they can generate password lists that meet policy requirements, posing a threat to system security. Passwords are typically stored in file systems or databases and may be vulnerable if stored in plaintext, as demonstrated by incidents like the 2014 Sony breach. Alternatively, hashing functions or encryption algorithms can securely store passwords within systems, increasing their resistance to cracking attempts.

2 | Password Attacking Techniques

Here we focus on password attack techniques, specifically discussing dictionary, brute-force, rule-based, and guessing attacks. These methods are considered active online attacks where an attacker communicates with the target machine to obtain passwords for unauthorized access.

The difference between password cracking and guessing is highlighted:

• Password guessing targets online protocols and services, often leading to time-consuming attempts that generate logs and may trigger account lockouts in securely configured systems.
• Password cracking occurs locally or on attacker-controlled systems, aiming to escalate privileges and gain unauthorized access to computer systems or networks.

Password cracking tools such as Hashcat and John the Ripper, are used to convert encrypted or hashed passwords into plaintext data obtained from compromised computers or network transmissions. Password cracking is a traditional pen-testing technique with the ultimate goal of granting attackers higher privileges and system access. Both password guessing and cracking are employed by cybersecurity professionals, albeit for different purposes and with distinct implications.

3 | Password Profiling | 1

Summary | Default | Weak | Leaked | Combined | and Username Wordlists

• Default Passwords
  • https://cirt.net/passwords
  • https://default-password.info/
  • https://datarecovery.com/rd/default-passwords/
• Weak Passwords
  • https://github.com/danielmiessler/SecLists/tree/master/Passwords
• Leaked Passwords
  • https://github.com/danielmiessler/SecLists/tree/master/Passwords/Leaked-Databases
• Combinend Wordlists
  • use cat to combine | sort and uniq to remove duplicates
• Customized Wordlists
  • use cewl to generate the list using a web page as a source
• Username Wordlists
  • use username_generator to generate the different permutations for a given full name

It is very important to have a good wordlist for successful password attacks. Here we cover various methods for generating username and password lists:

Default passwords

• Attackers should attempt default credentials (e.g., admin:admin, admin:123456) set by manufacturers on devices like switches, firewalls, routers, or specific products such as Tomcat servers.
  Default Passwords | Website List

  • https://cirt.net/passwords
  • https://default-password.info/
  • https://datarecovery.com/rd/default-passwords/

Weak passwords

• Professionals create weak password lists based on their experience and observed patterns during penetration testing engagements.
• Common weak password sources include SecLists, which provide extensive collections of well-known and leaked passwords.

Leaked passwords

• Attackers can utilize publicly disclosed or sold breaches (referred to as 'dumps') containing sensitive data like passwords or hashes.
• These dumps may require password extraction or cracking to obtain plain-text passwords. Common password lists with weak and leaked passwords
• SecLists/Passwords/Leaked-Databases

Combined wordlists

# combine different wordlists into one
cat file1.txt file2.txt file3.txt > combined_list.txt
# clean up duplicates
sort combined_list.txt | uniq -u > cleaned_combined_list.txt

Customized Wordlists

• Customizing password lists significantly improves the likelihood of discovering valid credentials. Attackers can generate custom wordlists from target websites containing valuable company information, such as employee names and business-related keywords.
• Tools like Cewl help extract strings or keywords specific to a company, creating tailored wordlists with relevant words like names, locations, and industry terminology.
• exampe | Creating a custom wordlist

  # -w:file | -m:words min. 5 chars | -d:depth level of web crawling
  cewl -w list.txt -d 5 -m 5 http://thm.labs

Username Wordlists

• Attackers can generate username lists based on employee names obtained during the enumeration stage
• By combining first and last names in various formats (e.g., {first name}{last name}, {first letter of first name}{last name}, etc.), a comprehensive list of potential usernames can be created using tools like username_generator.
• This approach increases the effectiveness of password attacks by targeting specific companies and their employees, enhancing the chances of successful unauthorized access.
• example | create username combinations for "John Smith"

  # download the tool
  git clone https://github.com/therodri2/username_generator.git
  cd username_generator
  # check usage
  python3 username_generator.py -h
  # generate possible username list for "John Smith"
  echo "John Smith" > users.lst
  python3 username_generator.py -w users.lst

4 | Password Profiling | 2

Keyspace Technique

• a method for generating custom wordlists using tools like crunch involving specifying a range of characters, numbers, and symbols to create a comprehensive list of possible combinations
• Crunch offers various options, such as min (minimum length), max (maximum length), and character sets (e.g., lowercase alpha, uppercase alpha, numeric, special characters).
• example | crunch 2 2 01234abcd -o crunch.txt | generate a wordlist containing all possible combinations of 2 characters
• example | crunch 8 8 0123456789abcdefABCDEF -o crunch.txt | generating an 8-character password list with numbers 0-9, lowercase letters a-f, and uppercase letters A-F would result in a 459 GB file containing over 54 billion words
• it is possible to specify the character set if a part of the password is known to us
  • @ | lower case alpha character
  • \, | upper case alpha characters
  • % | numeric characters
  • ^ | special characters including space
  • example | crunch 6 6 -t pass%% | starts with pass, follows two numbers

CUPP | Common User Passwords Profiler

• a Python-based tool for creating custom wordlists based on known information about a target, such as birthdate, pet name, or company name
• It supports an interactive mode where it asks questions and generates a tailored wordlist based on user inputs
  • example inputs | First Name; Surname; Nickname; Birthdate; Partners name; Partners nickname; Partners birthdate; Child's name; Child's nickname; Child's birthdate; Pet's name; Company name; key words; special chars/random numbers at the end of words; leet mode option
• includes a 1337/leet mode for substituting letters with numbers (e.g., 'a' becomes '4').
• can generate default usernames and passwords from the Alecto database using the -a option
• install and usage

  # download the tool
  git clone https://github.com/Mebus/cupp.git
  cd cupp
  # check the available options
  python3 cupp.py
• examples

  # check usage
  python3 cupp.py
  # start the interactive mode
  python3 cupp.py -i
  # download pre-created wordlists
  python3 cupp.py -l
  # provide default usernames and passwords from the Alecto database
  python3 cupp.py -a

5 | Offline Attacks

Dictionary attack

• a password-guessing technique that utilizes common words or phrases from pre-generated wordlists
• relies entirely on pre-gathered wordlists that were previously generated or found
• Step-1 | Identify the HASH type.
  • use hashid or has-identifier
• Step-2 | Identify the applied wordlist and attack mode
  • hashcat -h | list supported hash types
  • hashcat -a 0 | Set the attack mode to a dictionary attack
  • example | cracking the md5 hash f806fc5a2a0d5ba2471600758452799c with rockyou

    # -a 0 | attack mode is directory attack; -m 0 | hash type is MD5; rockyou wordlist
    hashcat -a 0 -m 0 f806fc5a2a0d5ba2471600758452799c /usr/share/wordlists/rockyou.txt
    # show the cracked value
    hashcat -a 0 -m 0 F806FC5A2A0D5BA2471600758452799C /usr/share/wordlists/rockyou.txt --show

Brute-Force attack

• by guessing passwords through systematic trials of all possible combinations
• unlike dictionary attacks that use pre-compiled wordlists, brute-force attempts every conceivable character sequence
• example | if a 4-digit PIN is suspected, a brute-force attack would try all numbers from 0000 to 9999
• hashcat charset options | generate your own combinations

  user@machine$ hashcat --help
  ? | Charset
  ===+=========
    l | abcdefghijklmnopqrstuvwxyz
    u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
    d | 0123456789
    h | 0123456789abcdef
    H | 0123456789ABCDEF
    s |  !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
    a | ?l?u?d?s
    b | 0x00 - 0xff
• example | a 4-digit PIN

  # -a 3 | attack mode:brute-force attack; ?d?d?d?d --> 4 digit; --stdout:print result to stdout
  hashcat -a 3 ?d?d?d?d --stdout
• example | crack hash of 4-digit PIN

  # brute-force | MD5 | 4-digit
  hashcat -a 3 -m 0 05A5CF06982BA7892ED2A6D38FE832D6 ?d?d?d?d

6 | Offline Attacks

Rule-Based attacks

• also known as hybrid-attacks
• combines wordlists with custom rules to generate complex password variations
• assumes knowledge of the password policy
• by applying rules, users create passwords within the defined guidelines, aiming to produce valid passwords only
• mangling (manipulating) passwords | password --> |p@ssword|Pa$$word|Passw0rd|
• check already pre-existing rules in John the Ripper

  # config file: /etc/john/john.conf (kali) | /opt/john/john.conf
  # list all the available rules for john the ripper
  cat /etc/john/john.conf|grep "List.Rules:" | cut -d"." -f3 | cut -d":" -f2 | cut -d"]" -f1 | awk NF
• example | use the best 64 build-in John rules

  echo "tryhackme" > /tmp/single-password-list.txt
  # --rules:which rule to use | --stdout:print to terminal
  john --wordlist=/tmp/single-password-list.txt --rules=best64 --stdout
• example | use the KoreLogic rule to generate complex password list (from 1 single pwd --> 7089833)

  john --wordlist=single-password-list.txt --rules=KoreLogic --stdout

Custom Rules

John the Ripper | Resources

• John the Ripper guide by Openwall
• Custom Credential Mutations by Rapid7

• create custom a rule for John the Ripper
  • goal | add special characters (ex: !@#$*&) to the beginning of each word and add numbers 0-9 at the end | [symbols]word[0-9]
  • adding the rule to the config file

    sudo vim /etc/john/john.conf
    # specify the rule and add it to the end of the config file
    [List.Rules:THM-Password-Attacks] 
    Az"[0-9]" ^[!@#$]
    # Az | single word from the wordlist
    # "[0-9]" | single digit (0-9)
    # ^[!@#$] | special char at the beginning of each word (^)
    # $ would mean append to the end of the line/word
  • applying the rule

    # create simple password list
    echo "password" > /tmp/single.lst
    # apply the custom rule
    john --wordlist=/tmp/single.lst --rules=THM-Password-Attacks --stdout

7 | Online password attacks

Online Password Attacks Tools

• hydra (demonstrated here)
• Medusa
• Ncrack

Online password attacks target networked services using username and password authentication schemes, such as HTTP, SSH, VNC, FTP, SNMP, POP3, etc. Hydra is a popular tool for brute-forcing logins on various network services like web login pages, FTP, SMTP, and SSH.

Attacking Network Services

• FTP | hydra -l ftp -P passlist.txt ftp://10.10.x.x
  • -l | specify user name (-L for username wordlist)
  • -P | password wordlist path (-p for single password)
  • ftp://<target-ip> | specify the protocol and the fully qualified domain name of the target
• SMTP | hydra -l [email protected] -P /path/to/wordlist.txt smtp://10.10.x.x -v
• SSH | hydra -L users.lst -P /path/to/wordlist.txt ssh://10.10.x.x -v
• HTTP login pages | first you need to understand what you are brute-forcing

  • analyze the HTTP request that is need to be sent (using browser dev tools or web proxy like burp suite)

  • Supported HTTP Services: http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum

  • POST request | hydra http-post-form -U | check hydra http-post-form option

  • GET request | hydra http-get-form -U | check hydra http-get-form option

    • Syntax | <url>:<form parameters>[:<optional>[:<optional>]:<condition string>
    Quote | Eliminating false positives

    "The following section is important to eliminate false positives by specifying the 'failed' condition with F=."

    "And success conditions, S=. You will have more information about these conditions by analyzing the webpage or in the enumeration stage! What you set for these values depends on the response you receive back from the server for a failed login attempt and a successful login attempt. For example, if you receive a message on the webpage 'Invalid password' after a failed login, set F=Invalid Password."

    "Or for example, during the enumeration, we found that the webserver serves logout.php. After logging into the login page with valid credentials, we could guess that we will have logout.php somewhere on the page. Therefore, we could tell hydra to look for the text logout.php within the HTML for every request."

    • eliminate false positives by specifying the 'failed' condition
      • invalid condition login check can be preceded by F=
      • successful condition login checks by S=
    • example | brute-force target webserver with S=logout.php as the success condition to identify the valid credentials, automatically stopping the attack upon success

      # -l:username | -P:password wordlist | 10.10.x.x:target-ip | http-get-form:target-service
      # login-get/index.php | the path of the login page on the target webserver
      # username=^USER^&password=^PASS^ | the parameters to brute-force, we inject ^USER^ to brute force usernames and ^PASS^ for passwords from the specified dictionary
      # S=logout.php | the success condition to identify the valid credentials
      # -f |  stop the brute-forcing attacks after finding a valid username and password
      hydra -l admin -P 500-worst-passwords.txt 10.10.x.x http-get-form "/login-get/index.php:username=^USER^&password=^PASS^:S=logout.php" -f 

8 | Password spray attack

Password Spraying is an effective method for uncovering weak user credentials across various online services and authentication systems

• Unlike brute-force attacks that focus on one username with multiple weak passwords, password spraying employs a single common weak password against numerous users to bypass account lockout policies.
• Common and weak passwords often follow patterns
  • the current season followed by the year (e.g., Fall2020)
  • month followed by the year (e.g., November2020)
  • using the company name with random numbers (e.g., TryHackMe01).
• if password complexity policies are enforced, symbols must be included to meet requirements (e.g., October2021!, Spring2021!)
• to successfully execute a password spraying attack, the target must be enumerated and a list of valid usernames or email addresses must be created

Attacking Network Services

• assumes that we already enumerated the system and created a valid username list
• SSH | hydra -L usernames-list.txt -p Spring2021 ssh://10.1.1.10
  • -L | to load the list of valid usernames
• RDP | use the RDPassSpray Tool
  • example | single user, password and machine

    # -u: single user | -p: single password | -t target machine
    python3 RDPassSpray.py -u victim -p Spring2021! -t 10.100.10.240:3026
  • example | multiple user; single password; multiple target; with domain

    # -U: userlist; -d: domain name (if active directory environment); -T: targets list
    python3 RDPassSpray.py -U usernames-list.txt -p Spring2021! -d THM-labs -T RDP_servers.txt
• Outlook web access (OWA) portal | tools
  • SprayingToolkit
  • MailSniper
• SMB | tools
  • Metasploit (auxiliary/scanner/smb/smb_login)