Summary of password scanning and cracking in penetration testing
0x00 Preface

Every test sooner or later involves "passwords" and "encryption and decryption". During reconnaissance, trying weak passwords is an essential step: from "catching chickens" (mass host compromise) back in xx to hashes inside the intranet, from personal PCs to network devices and industrial control facilities, password scanning is never left out as long as authentication is still single-factor password authentication. What follows is a brief summary of the password scanning and cracking techniques used in security testing. If anything is missing or wrong, I hope you will point it out.
0x01 Prepare a good dictionary

Cracking a password means we already "own" someone else's password. The importance of the dictionary in password scanning attempts is self-evident. To assemble a good dictionary, you may wish to refer to the leaked databases of major websites, collect the password (plaintext) field, and generate the dictionary ordered by frequency of occurrence.
A demo script:
#!/usr/bin/env python3
# Count how often each plaintext password appears in a leaked list and print
# the passwords most-frequent first, giving a frequency-ordered dictionary.
import sys
from collections import Counter

with open(sys.argv[1], 'r', errors='ignore') as infile:
    readlist = [line.strip('\r\n ') for line in infile]

for password, _count in Counter(readlist).most_common():
    print(password)
0x02 A handy tool set

Among password enumeration tools, the recommended list is as follows:
Hydra: online password guessing for various service accounts
Medusa: similar to Hydra
Patator: Python multi-protocol cracking tool
John the Ripper: offline hash cracking
Hashcat: GPU offline hash cracking
Burp Suite: online password enumeration
Rcracki: offline rainbow-table hash cracking
Ophcrack: offline LMHash/NTHash cracking
Hashid/HashTag: hash algorithm identification
Fcrackzip/Truecrack and the like: cracking passwords of specific file types
Metasploit: various auxiliary test scripts
Cupp.py: generate social engineering dictionaries
...
Of course, depending on specific needs (such as adding various disguises to bypass detection), we may also need to write our own script to implement the account enumeration process.
0x03 Bypass Detection
There may be a WAF at the Web layer and IDS/IPS at the service layer. Before testing, you can determine whether such protection exists through scanning and other methods, and act accordingly. The Web layer may also have CAPTCHAs and per-IP connection-rate limits, and Cookies or Headers may be used to decide whether the client is a human or a robot. After a series of tests (how to test is something you should explore yourself), use the most reasonable way to bypass detection, or at least avoid having account/password enumeration blocked by it.
0x04 Web account enumeration
Web account enumeration is an everyday occurrence.
When exploits yield nothing and some login lacks a rigorous CAPTCHA or other protection, account/password enumeration becomes possible. We have also found backdoors left by predecessors that had no password at all. Credential stuffing scans belong here too.
Common ways CAPTCHA checks turn out to be bypassable:
The page does not refresh the CAPTCHA, so one value can be reused indefinitely
The CAPTCHA only appears after several wrong passwords, but switching to another account hides it again
Modifying the Cookie or UA to disguise the client evades the CAPTCHA
Enumerating in batches through round-robin proxies bypasses the limit
In Web enumeration, Burp Suite can solve basically all common problems, and documentation for the tool is plentiful.
Enable the proxy, turn on Intercept, log on to the webpage with a user name and password, intercept the request, and choose Send to Intruder to enter the attack module.
There are four attack modes:
Sniper: a single payload set, tested at each Fuzz position in turn. This is the default, which is why new users find that only one payload set can be configured.
Battering Ram: a single payload set, with the same payload inserted at all Fuzz positions at once.
Pitchfork: multiple payload sets, with the payloads in the same row of each set placed into their respective Fuzz positions simultaneously (suitable for scanning).
Cluster Bomb: multiple payload sets, iterated through all combinations at the Fuzz positions until every possibility has been tried (suitable for enumerating passwords across multiple accounts).
After selecting the appropriate mode, set the payload type to Runtime file and mount the dictionary file. Uncheck Payload Encoding.
If you find that the webpage hashes the user's password with MD5 locally before submitting it, add an MD5 step in Payload Processing.
After that you can also add regular-expression matching of results and so on, and then Start attack.
During this process, if you are worried about exposing your IP address, you can write a script like this:
The script listens on a local port and picks a random proxy IP address for each enumeration request; in Burp, set the upstream proxy to that local listening port.
0x05 HTTP Basic Authentication
Home routers, JBoss and the like often use HTTP Basic Authentication. In this scheme the user name and password are Base64-encoded in the request. If they are not correct, the server returns
HTTP/1.1 401 Authorization Required
Logging on to the router with the default user name admin and default password admin, you can see
Authorization: Basic YWRtaW46YWRtaW4=
Base64-decoded, this is admin:admin. Password cracking against Basic authentication is therefore still feasible, but the user name and password must first be processed into this form. A demo script follows:
#!/usr/bin/env python3
# Combine every user with every password as "user:pass" and write the Base64
# form that HTTP Basic Authentication carries in the Authorization header.
import base64

userfile = input("input usr file:")
passfile = input("input pwd file:")
outputname = input("input out file:")

with open(userfile) as userInfile, open(passfile) as passInfile, \
        open(outputname, "w") as outputfile:
    userLines = userInfile.readlines()
    passLines = passInfile.readlines()
    for userLine in userLines:
        for passLine in passLines:
            combinedLine = userLine.strip() + ':' + passLine.strip()
            print(combinedLine)
            encoded = base64.b64encode(combinedLine.encode()).decode()
            outputfile.write(encoded + '\n')
Generate the dictionary and crack with Burp.
Of course, Hydra provides a simpler solution.
hydra -L user.txt -P pass.txt -F http://demourl:2048/auth
Uppercase -L and -P load the user-name and password dictionaries, -F stops cracking once one valid user/password pair is found, and -t can be added to specify the number of threads.
0x06 service password cracking
Password enumeration is inseparable from services. For common services such as FTP, SSH, TELNET, POP3 and MSSQL on 1433, the tooling is complete. The following is a brief record of the commands.
FTP
hydra -L user.txt -P pass.txt -F ftp://127.0.0.1:21
SSH
hydra -L user.txt -P pass.txt -F ssh://127.0.0.1:22
patator ssh_login host=127.0.0.1 user=root password=FILE0 0=pass.txt -x ignore:mesg='Authentication failed.'
SMB
hydra -L user.txt -P pass.txt -F smb://127.0.0.1
MSSQL
hydra -L user.txt -P pass.txt -F mssql://127.0.0.1:1433
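The hydra and patator runs above leave a characteristic trail in the target's sshd auth log. As an added defender-side example that is not part of the original post, the following parser works over constructed sample lines (invented hostname, RFC 5737 documentation addresses) and flags a source that hammers one account (the Sniper pattern) as well as one that sprays many accounts (the Cluster Bomb pattern); the thresholds are assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH syslog line: "Mon DD HH:MM:SS host sshd[pid]: Failed password for [invalid user] USER from IP port N ssh2"
FAILED_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
                       r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
# Constructed sample log: invented hostname, RFC 5737 documentation addresses.
SAMPLE_LOG = """\
Mar 13 10:00:01 bastion sshd[2101]: Failed password for root from 203.0.113.7 port 50122 ssh2
Mar 13 10:00:02 bastion sshd[2103]: Failed password for root from 203.0.113.7 port 50123 ssh2
Mar 13 10:00:02 bastion sshd[2105]: Failed password for root from 203.0.113.7 port 50124 ssh2
Mar 13 10:00:03 bastion sshd[2107]: Failed password for root from 203.0.113.7 port 50125 ssh2
Mar 13 10:02:10 bastion sshd[2201]: Failed password for invalid user admin from 198.51.100.9 port 40001 ssh2
Mar 13 10:02:11 bastion sshd[2203]: Failed password for invalid user backup from 198.51.100.9 port 40002 ssh2
Mar 13 10:02:12 bastion sshd[2205]: Failed password for deploy from 198.51.100.9 port 40003 ssh2
Mar 13 10:02:13 bastion sshd[2207]: Failed password for invalid user git from 198.51.100.9 port 40004 ssh2
Mar 13 10:30:00 bastion sshd[2301]: Failed password for alice from 192.0.2.5 port 51000 ssh2
"""

def parse_failures(log_text, year=2024):
    """(timestamp, user, ip) per failed-password line; syslog omits the year, so one is assumed."""
    out = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append((ts, m["user"], m["ip"]))
    return out

def detect_guessing(log_text, window_s=60, max_failures=4, max_users=3):
    """Source IP -> 'brute-force' (one account hammered) or 'spraying' (many accounts)
    once >= max_failures failures fall inside any window_s-second sliding window."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(log_text):
        by_ip[ip].append((ts, user))
    verdicts = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1                  # slide: drop events older than the window
            window = events[start:end + 1]
            if len(window) >= max_failures:
                users = {u for _, u in window}
                verdicts[ip] = "spraying" if len(users) >= max_users else "brute-force"
                break
    return verdicts
```

On the sample, detect_guessing(SAMPLE_LOG) returns {'203.0.113.7': 'brute-force', '198.51.100.9': 'spraying'}; the single failure from 192.0.2.5 stays below the threshold.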
0x07 social engineering dictionary generation
Password hits mostly come from two sources: weak passwords, typified by admin, and social-engineering passwords, typified by 19??0101. When weak-password attempts fail but you have a good grasp of the target's information, you can try generating a social engineering dictionary. Taking the cupp.py tool as an example, create a new dictionary with:
python cupp.py -i
After entering the relevant information, generate the dictionary and continue enumerating with the tools above.
0x08 hash cracking
In Windows, tools such as wce used to grab passwords directly from memory. Since Microsoft patched the recent vulnerabilities, offline cracking of captured hashes is often unavoidable.
Ordinary hashes can be cracked with Ophcrack. If you need to crack the hash of some other, less common password (one the existing online cracking services cannot solve), there are currently only three relatively efficient approaches:
Distributed cracking (more and more tools are attempting distributed cracking; could we call this cloud computing?)
GPU cracking (or dedicated password cracking hardware built on DSP/FPGA)
Rainbow tables (don't even think about it if you don't have the disk space)
However, it helps if the password can be cracked against certain rules. For example, if an account's password is hahaharoot, John's plain brute force can hardly finish on an ordinary computer within a day; but if the other administrator passwords, such as those for web/SQL, all start with hahaha, you can consider defining a password rule, such as
hashcat -m1800 -a3 hashdumpedfile --pw-min=7 --pw-max=11 "hahaha?l?l?l?l"
and the plaintext is obtained within seconds.
Here -m specifies the hash algorithm and -a3 selects brute-force mode. You can also use a script to generate a password dictionary with the specified prefix and mount it in the tool to crack:
john -w:gen_wordlist.txt hash
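To see why the masked hashcat run above finishes in seconds while plain brute force does not, here is an added example (not part of the original post) that computes the keyspace of a hashcat -a3 mask from hashcat's built-in charset sizes and compares a fixed-prefix mask with an unconstrained printable mask of the same length; the function names and the custom-charset handling are mine.

```python
# Built-in hashcat mask charsets: ?l a-z, ?u A-Z, ?d 0-9, ?h 0-9a-f, ?H 0-9A-F,
# ?s the 33 printable specials, ?a = ?l?u?d?s (95), ?b every byte value (256).
CHARSET_SIZES = {"l": 26, "u": 26, "d": 10, "h": 16, "H": 16, "s": 33, "a": 95, "b": 256}

def parse_mask(mask, custom=None):
    """Per-position candidate counts for a hashcat -a3 mask.
    custom maps '1'..'4' to the size of a user-defined charset (-1 .. -4);
    '??' is a literal question mark; any other character is a fixed literal."""
    sizes, i = [], 0
    while i < len(mask):
        if mask[i] != "?":
            sizes.append(1)                     # literal: exactly one candidate
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        tag = mask[i + 1]
        if tag == "?":
            sizes.append(1)
        elif tag in CHARSET_SIZES:
            sizes.append(CHARSET_SIZES[tag])
        elif custom and tag in custom:
            sizes.append(custom[tag])
        else:
            raise ValueError(f"unknown charset ?{tag}")
        i += 2
    return sizes

def keyspace(mask, custom=None):
    """Total number of candidates the mask expands to (product of position sizes)."""
    total = 1
    for n in parse_mask(mask, custom):
        total *= n
    return total

def prefix_savings(mask):
    """How many times smaller this mask is than an all-printable (?a) mask of the
    same length, i.e. the work saved by knowing the prefix and structure."""
    length = len(parse_mask(mask))
    return keyspace("?a" * length) // keyspace(mask)

if __name__ == "__main__":
    mask = "hahaha?l?l?l?l"                     # the mask used in the post
    print(keyspace(mask), prefix_savings(mask))  # 456976 and 95**10 // 26**4
```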
0x09 File Password
Finally, a little about cracking file passwords. For zip files the encryption is not as strong as rar's, so cracking is very likely to succeed. The command for the tool under Kali is as follows:
fcrackzip -b -v -c a -l 1-4 -u 1.zip
-b selects brute-force mode, -v prints verbose output, -c a restricts the charset to lowercase letters, -l 1-4 sets the password length to 1-4 characters, and -u verifies each candidate by actually trying to unzip with it (add it, otherwise you get a lot of false-positive passwords).
If you have efficient tools for cracking other file passwords, I hope you can share them with us.