Password scanning and cracking techniques in penetration testing

0 × 00 Preface

Password and encryption/Decryption are always involved in a test ". In the process of stepping on, attempts to use weak passwords are an essential process, from capturing chickens in xx to hashes in the Intranet, from personal PCs to network devices/industrial control facilities, password scanning will not be forgotten as long as password authentication is still performed in the single-factor mode. The following is a brief summary of the password scanning and cracking techniques in the security test. If there are any omissions or errors, I hope you can give me some advice.

0 × 01 organize an excellent dictionary

To crack the password, we must "own" someone else's password. The importance of the dictionary in password scanning attempts is self-evident. to sort out an excellent dictionary, you may wish to refer to the major website leakage database, collect the password (plaintext) field, and generate the dictionary based on the frequency of occurrence.

A demo script:

 
 

  
  
#!/bin/bash/python  
  
  
import sys  
  
  
from collections import Counter  
  
  
file = open(sys.argv[1], 'r')  
  
  
readlist = []  
  
  
count_times = []  
  
  
for line in file.readlines():  
  
  
line = line.strip('\r\n ')  
  
  
readlist.append(line)  
  
  
sortlist = Counter(readlist).most_common()  
  
  
for line in sortlist:  
  
  
print line[0] 
 
 

0 × 02 one-handed tool set

If you want to do anything well, you must sharpen your weapon. In password enumeration tools, the List of recommended tools is as follows:

Hydra: password guesses for various online service accounts
Medusa: similar to Hydra
Patator: Python multi-protocol cracking tool
John the ripper: offline hash cracking
Hashcat: GPU offline hash cracking
Burp Suite: online password Enumeration
Rcracki: offline rainbow table hash cracking
Ophcrack: offline LMHash/NTHash cracking
Hashid/HashTag: Hash Algorithm Analysis
Fcrackzip/Truecrack and other specific file password cracking tools
Metasploit: Various auxiliary test scripts
Cupp. py: generate social engineering dictionary
...

Of course, according to specific needs (such as adding various camouflage Bypass Detection), we may also need to write the corresponding script to implement the process of enumeration accounts.

0 × 03 Bypass Detection

WAF is available on the Web layer, and IDS/IPS are available on the Service layer. before testing, you can determine whether there is corresponding protection by scanning and other methods, and take appropriate measures. the Web layer may have verification codes and may have limits on the number of IP connections per second. The Cookie/Header may be used to determine whether the behavior is Human or Robot. after passing a series of tests (how to test it should be explored by yourself), we should use the most reasonable way to bypass or avoid blocking enumeration account passwords caused by detection.

0 × 04 Web account enumeration

Enumeration of Web accounts is a frequent occurrence on weekdays.

EXP is fruitless, and there is no rigorous verification code or other protection in some places, making it possible to enumerate account passwords.
We found that the backdoor left by our predecessors had no password.
Credential stuffing.

Common bypass verification possibilities:

Unlimited use of the page without refreshing the verification code
The verification code is displayed when the password is entered incorrectly several times, but no verification code is displayed when you change the account.
Modify Cookie or UA disguise to escape verification code
Batch round robin with proxy enumeration Bypass

In Web enumeration, the use of BurpSuite can basically solve all common problems. The tool documentation is also rich.

Enable proxy, open Intercept, log on to the webpage, enter the user password, Intercept the data packet, and select Send to Intruder to enter the Attack Module.

Where

There are four modes:

Sniper: there is only one payload, and the payload will be tested at each Fuzz point. The default option is used. This is why new users find that Payload can only be set to 1.
Battering Ram: there is only one payload, and the payload will be tested at multiple Fuzz points at the same time.
Pitchfork: multiple payloads. Multiple payloads are tested at the same time at the corresponding Fuzz point. (Applicable to scanning numbers)
Cluster Bomb: multiple payloads. The payload is tested cyclically at the Fuzz point until all possible attempts are made. (Multi-account enumeration password applies)

Reference: http://www.digininja.org/blog/burp_intruder_types.php

After selecting the corresponding mode, set payload to runtime file and mount the dictionary file. Cancel Payload Encoding.

If you find that the webpage calculates the user's local password for MD5 and then submits it, you need to add the MD5 calculation process in Payload Processing.

After setting, you can also add the regular expression matching result, and so on. Then you can Start attack.

In this process, if you are worried about IP address exposure, you can choose to write a script like this:

The script listens to a port locally and randomly extracts the Proxy IP address for each enumeration. In the Burp, set the Proxy as the listening port of the local database.

0 × 05 basic HTTP Authentication

Home routing/Jboss and so on often use HTTP Basic Authentication. during authentication, the user name and password are encrypted. If no correct user name and password are available, the system will return

HTTP/1.1 401 Authorization Required

You can see that the default user name is admin, and the default password is admin to log on to the route.

Authorization: Basic YWRtaW46YWRtaW4=

Base64 decryption is admin: admin. password cracking for basic authentication is still usable, but the user name and password must be processed first. A demo script is as follows:

 
 

  
  
#!/usr/bin/python  
  
  
import os.path,sys,base64  
  
  
userfile = raw_input("input usr file:")  
  
  
passfile = raw_input("input pwd file:")  
  
  
outputfile = raw_input("input out file:")  
  
  
outputfile = open(outputfile, "w")  
  
  
userInfile = open(userfile)  
  
  
passInfile = open(passfile)  
  
  
userLines = userInfile.readlines()  
  
  
passLines = passInfile.readlines()  
  
  
for userLine in userLines:  
  
  
for passLine in passLines:  
  
  
combinedLine = userLine.strip() + ':' + passLine.strip()  
  
  
print combinedLine  
  
  
outputfile.write(base64.b64encode(combinedLine) + '\n')  
  
  
userInfile.close()  
  
  
passInfile.close()  
  
  
outputfile.close() 
 
 

Generate a dictionary and use Burp to crack it.

Of course, Hydra provides a simpler solution.

hydra -L user.txt -P pass.txt -F http://demourl:2048/auth

The uppercase values of-L and-P are mounted dictionaries.-F indicates that the system stops cracking once a valid user password is found, and the-t parameter can be added to specify the number of threads.

0 × 06 service password cracking

Password enumeration is inseparable from services. for common services such as FTP, SSH, TELNET, POP3, and 1433, we provide complete information. The following is a brief record of commands.

FTP

hydra -L user.txt -P pass.txt -F ftp://127.0.0.1:21

SSH

hydra -L user.txt -P pass.txt -F ssh://127.0.0.1:22

patator ssh_login host=127.0.0.1 user=root password=FILE0 0=pass.txt -x ignore:mesg='Authentication failed.'

SMB

hydra -L user.txt -P pass.txt -F smb://127.0.0.1

MSSQL

hydra -L user.txt -P pass.txt -F mssql://127.0.0.1:1433

0 × 07 social engineering dictionary generation

Password collisions are mostly due to two possible causes: weak passwords represented by admin and 19 ?? 0101 represents the social engineering password. If a weak password attempt fails

Master, you can try to generate a social engineering dictionary. Take the cupp. py tool as an example to create a new dictionary:

python cupp.py -i

After entering the relevant information, generate a dictionary and use the above tool to continue enumeration ;-)

0 × 08 hash cracking

In the win environment, wce and other tools directly capture memory passwords. Offline cracking after capturing hash is often difficult to avoid, especially after Microsoft patches for recent vulnerabilities: (Common hash can be cracked using Ophcrack, the official website provides the corresponding rainbow table download. Of course, you can also query it directly. http://www.objectif-securite.ch/en/ophcrack.php

If it is necessary to crack the hash of other uncommon passwords (which cannot be solved through the existing web cracking Service), there are only three relatively efficient methods:

Distributed (more and more tools have begun to try distributed cracking. Can this be said, cloud computing ?)

GPU (or professional password cracking hardware developed by DSP/FPGA)

Rainbow table (don't think about it if you don't have a hard disk)

However, if the password can be cracked based on certain rules. for example, if you create an account with a password of hahaharoot and use the brute-force password of John, it is difficult for a common computer to run in one day, however, if other administrator passwords, such as web/SQL, are beginning with hahaha, you can consider defining password rules, such

hashcat -m1800 -a3 hashdumpedfile --pw-min=7 --pw-max=11 "hahaha?l?l?l?l"

Several seconds to obtain the plaintext of the password

Here,-m specifies the hash algorithm and-a3 specifies the brute-force cracking method. You can also generate a password dictionary with the specified prefix using the script and use the tool to mount the dictionary to crack it.

john -w:gen_wordlist.txt hash

0 × 09 File Password

Finally, I want to add a bit of file password cracking. For zip files, the encryption method is not as strong as rar, so it is very likely to be decrypted. The command for cracking a tool under kali is as follows:

fcrackzip -b -v -c a -l 1-4 -u 1.zip

-B indicates brute-force cracking,-v indicates detailed information,-c a indicates that the password is a pure letter, and-l 1-4 indicates that the password length is 1-4 characters, -u indicates using a possible password for the decompression test (plus, otherwise there will be a lot of interference with the password)

For password cracking of other files, if you have efficient tools, you may wish to share them with us .;)