Password Attacks

Tools

SecLists

Websites for default passwords

Websites containing weak password lists

Websites containing leaked password lists

cewl

username_generator

crunch

CUPP - Common User Password Profiler

hashcat

john the ripper

hashid

Task 1

Introduction to the types and techniques used in password attacks. Get and generate custom password lists.

Passwords are the most common authentication method for individuals accessing computer systems or applications. Using a password is meant to ensure that only the account owner has access. However, if the password is shared or falls into the wrong hands, an attacker can make unauthorised changes to the system, affecting its overall status and health or damaging the file system. Passwords are typically made up of a combination of characters such as letters, numbers and symbols.

A collection of passwords is often referred to as a dictionary or wordlist. Low-complexity passwords that are easy to guess are commonly found in publicly disclosed password data breaches. For example, easy-to-guess passwords include password, 123456 and 111111. The most commonly seen passwords can be found on this Wikipedia page.

Wikipedia:10,000 most common passwords – Wikipedia

It won't take an attacker long to run password attacks against a target system or service. Choosing a strong password that is hard to guess or crack is good practice. A strong password should not be a common word or a dictionary word, should be at least eight characters long and should contain numbers, symbols and upper- and lower-case letters.

Companies often enforce password policies, which help ensure users aren't using common or weak passwords within the organisation and can limit attack vectors such as brute-forcing. For example, a policy might require a minimum of 8 characters, including letters, numbers and at least one symbol. However, if an attacker learns the password policy, they can generate a password list that satisfies it, which shrinks the keyspace they need to search.

How secure are passwords?

This depends on various factors. Passwords are usually stored in the file system or a database, and keeping them safe is essential. Some companies have stored passwords in plain-text documents, as in the Sony breach of 2014. Once an attacker has access to the file system, they can simply read and reuse those passwords. Passwords can instead be stored as hashes (ideally salted, using a slow password-hashing function) or encrypted, so that even if the attacker gains access to the system, the passwords still have to be cracked.

Task 2

Password Attack Techniques

  • Dictionary
  • Brute-force
  • Rule-based
  • Guessing

Password Guessing

A technique used to target online protocols and services. It is time-consuming and generates logs for the failed login attempts. A password guessing attack against a web-based system usually requires a new request for each attempt, which is easily detected, and it may lock the account if the system is designed and configured securely.

Password Cracking

Performed offline, on systems controlled by the attacker, against password hashes obtained from the target. The target sees no login attempts, so there are no logs or lockouts; the only limits are the attacker's hardware and the strength of the hashing algorithm.

Task 3

Password Profiling – Default, Weak, Leaked, Combined and Username wordlists.

Having a good wordlist is critical to carrying out a successful password attack. It is important to know how you can generate username lists and password lists. In this section, we will discuss creating targeted username and password lists. We will also cover various topics, including default, weak, leaked passwords and creating targeted wordlists.

Default Passwords.

Before performing password attacks, it is worth trying a few default passwords against the target service. Manufacturers ship products and equipment such as switches, firewalls and routers with default passwords, and customers often don't change them, leaving the system vulnerable. It is therefore good practice to try admin|admin, admin|123456 and so on. If we know what the target device is, we can look up its default credentials and try them. For example, if the target server is Tomcat, a lightweight open-source Java application server, the default credentials may be admin|admin or tomcat|admin.

The following websites provide default passwords for various products.

Weak Passwords

Professionals collect and generate weak password lists over time and often combine them into one large wordlist. Lists are generated based on their experience and what they see in pentest engagements. These lists may also contain leaked passwords that have been published publicly.

The following are some weak password lists.

Leaked Passwords

Sensitive data such as passwords or hashes may be publicly disclosed or sold as a result of a breach. These public or privately available leaks are often referred to as 'dumps'. The passwords may be in the form of hashes, in which case they must be cracked before they can be used. The following are company password dumps, available in SecLists, that contain weak and leaked passwords:

  • webhost
  • elitehacker
  • hak5
  • Hotmail
  • PhpBB

SecLists/Passwords/Leaked-Databases at master · danielmiessler/SecLists · GitHub

Combined wordlists

When we have more than one wordlist, we can combine them as follows.



cat file1.txt file2.txt file3.txt > combined_list.txt

To clean up the combined list and remove duplicate entries, we can use sort and uniq as follows:



sort combined_list.txt | uniq > cleaned_combined_list.txt

Note that uniq -u would print only the lines that occur exactly once, silently dropping every password that appears in more than one list, which is the opposite of what we want. Sorting also discards the frequency order of lists such as rockyou.txt, so for a short attack you may prefer to keep the most common passwords at the top.

Customised Wordlists.

Customising password lists is one of the best ways to increase the chances of finding valid credentials. We can create custom password lists from the target website. A company's website often contains valuable information about the company and its employees, including email addresses and employee names. In addition, the website may contain keywords specific to what the company offers, including product and service names, which may be used in an employee's password!

Tools such as CeWL can be used to crawl a website and extract strings or keywords. CeWL is a powerful tool for generating a wordlist specific to a given company or target.



cewl -w list.txt -d 5 -m 5 http://thm.labs

-w will write the contents to a file. In this case, list.txt

-m 5 gathers strings (words) that are 5 characters or more

-d 5 is the depth level of web crawling/spidering (default 2)

http://thm.labs is the URL that will be used

As a result, we should now have a decently sized wordlist based on words relevant to the specific enterprise, such as names, locations and a lot of their business lingo. Similarly, the wordlist that was created could be used to fuzz for usernames.

Apply what we discussed: run cewl against https://clinic.thmredteam.com/ to parse all words and generate a wordlist with a minimum word length of 8.
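What CeWL does under the hood, as an added example (not CeWL's own code): strip the markup, skip script and style bodies, tokenise the visible text, keep words of at least a minimum length and rank them by frequency, plus the e-mail extraction of CeWL's -e option. The HTML below is a constructed sample; the clinic wording and the e-mail address are invented for this example and do not come from the target site.

```python
"""Word and e-mail extraction from a web page, the way CeWL does it (added
example, not CeWL's own code). Runs offline on a constructed HTML sample."""
import re
from collections import Counter
from html.parser import HTMLParser

# Constructed sample page: the wording and address are invented for this example.
SAMPLE_HTML = """<html><head><title>THM Clinic</title>
<script>var patient = "ignoredscriptword";</script></head>
<body><h1>Welcome to THM Clinic</h1>
<p>Our dermatology and cardiology departments run the MediScan programme.
Contact cardiology staff at cardio@clinic.thmredteam.com.</p>
<p>MediScan appointments: dermatology clinic hours.</p>
</body></html>"""

WORD_RE = re.compile(r"[A-Za-z]+")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


class _TextCollector(HTMLParser):
    """Collect visible text, skipping the bodies of <script> and <style>."""

    def __init__(self):
        super().__init__()
        self.chunks = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.chunks.append(data)


def visible_text(html: str) -> str:
    parser = _TextCollector()
    parser.feed(html)
    parser.close()
    return " ".join(parser.chunks)


def words_from_html(html: str, min_len: int = 5, lowercase: bool = False) -> Counter:
    """Count words of at least min_len characters (CeWL's -m option)."""
    counts = Counter()
    for word in WORD_RE.findall(visible_text(html)):
        if len(word) >= min_len:
            counts[word.lower() if lowercase else word] += 1
    return counts


def emails_from_html(html: str) -> list:
    """Unique e-mail addresses in page order (CeWL's -e option).

    Runs over the raw HTML rather than the visible text so that addresses in
    mailto: links are found as well."""
    found = []
    for addr in EMAIL_RE.findall(html):
        if addr not in found:
            found.append(addr)
    return found


def wordlist(html: str, min_len: int = 5) -> list:
    """Words ordered by frequency, ties kept in first-seen order."""
    return [w for w, _ in words_from_html(html, min_len).most_common()]


if __name__ == "__main__":
    # Equivalent of: cewl -m 8 <url>, but on the embedded sample page.
    for word in wordlist(SAMPLE_HTML, 8):
        print(word)
    print(emails_from_html(SAMPLE_HTML))
```

Run it on a saved copy of a page (for example the output of curl) by reading the file into words_from_html; following links to the crawl depth of cewl -d is the only part left out here.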

Username wordlists

Gathering employees' names in the enumeration stage is essential. We can generate username lists from the target's website. For the following example, we'll assume usernames are built from a first name and a last name.

  • {first name}: john
  • {last name}: smith
  • {first name}{last name}:  johnsmith 
  • {last name}{first name}:  smithjohn  
  • first letter of the {first name}{last name}: jsmith 
  • first letter of the {last name}{first name}: sjohn  
  • first letter of the {first name}.{last name}: j.smith 
  • first letter of the {first name}-{last name}: j-smith 
  • and so on

username_generator is a tool that generates most of the possible combinations.

user@thm$ git clone https://github.com/therodri2/username_generator.git
Cloning into 'username_generator'...
remote: Enumerating objects: 9, done.
remote: Counting objects: 100% (9/9), done.
remote: Compressing objects: 100% (7/7), done.
remote: Total 9 (delta 0), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (9/9), done.

user@thm$ cd username_generator

user@thm$ python3 username_generator.py -h

Shows the tool's help message and optional arguments.

Now let's write the full name John Smith to a text file. Then we'll run the tool to generate the possible username combinations for the given full name.

user@thm$ echo "John Smith" > users.lst

user@thm$ python3 username_generator.py -w users.lst
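The patterns listed above, implemented as an added example (not the username_generator tool's own code). The optional domain parameter, which also emits user@domain forms, is an assumption added here: company e-mail addresses often follow the same convention as login names.

```python
"""Username permutations from full names, covering the patterns listed above
(added example, not the username_generator tool's own code)."""

# Separators between name parts; "" gives johnsmith, "." gives j.smith, and so on.
SEPARATORS = ("", ".", "-", "_")


def username_variants(full_name: str) -> list:
    """Return the username forms for one 'First Last' name, in a stable order.

    Names are lowercased and split on whitespace; middle names are ignored, so
    only the first and last tokens are used. Duplicates (e.g. 'jsmith' arising
    from two patterns) are dropped while keeping first-seen order.
    """
    parts = full_name.lower().split()
    if len(parts) < 2:
        return parts                       # nothing to permute for a single token
    first, last = parts[0], parts[-1]
    f_init, l_init = first[0], last[0]

    candidates = [first, last, f_init + l_init, f_init + last, l_init + first, first + l_init]
    for sep in SEPARATORS:
        candidates += [
            first + sep + last,            # johnsmith, john.smith, john-smith, john_smith
            last + sep + first,            # smithjohn, smith.john, ...
            f_init + sep + last,           # jsmith, j.smith, j-smith, j_smith
            l_init + sep + first,          # sjohn, s.john, ...
        ]

    unique = []
    for cand in candidates:
        if cand not in unique:
            unique.append(cand)
    return unique


def generate_usernames(full_names, domain: str = None) -> list:
    """Expand every name in full_names; with domain set, also emit user@domain.

    The domain form is an assumption for this example: company e-mail
    addresses often follow the same pattern as login names.
    """
    out = []
    for name in full_names:
        for user in username_variants(name):
            forms = [user] if domain is None else [user, f"{user}@{domain}"]
            for form in forms:
                if form not in out:
                    out.append(form)
    return out


if __name__ == "__main__":
    # Same input as the users.lst file above.
    for username in generate_usernames(["John Smith"]):
        print(username)
```

Feed the output to a login fuzzer or a user-enumeration check in the same way as the tool's output; because the list is deduplicated and in a fixed order, the same input always produces the same wordlist.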

Question

What are the default login credentials (username|password) for a Juniper Networks ISG 2000 device?

check this out https://default-password.info/

Answer

netscreen:netscreen

Task 4

Password Profiling Keyspace Technique and CUPP

Another way of preparing a wordlist is the key-space technique. In this technique, we specify a range of characters, numbers and symbols and generate every combination. crunch is one of many powerful tools for creating such a wordlist offline. With crunch, we can specify the minimum and maximum length, the character set and further options, which are listed in its help:



crunch -h

The following example creates a wordlist containing all possible combinations of 2 characters from the set 0-4 and a-d. We can use the -o argument to specify a file to save the output to.



crunch 2 2 01234abcd -o crunch.txt



cat crunch.txt

The above command will produce a list like: 00 01 02 03 04 0a 0b 0c 0d 10 . . . cb cc cd d0 d1 d2 d3 d4 da db dc dd



crunch 8 8 0123456789abcdefABCDEF -o crunch.txt

crunch reports that this file would be 459 GB and contain 54875873536 words (22 characters to the power of 8), so always check the size crunch reports before writing a wordlist to disk.

crunch also lets us specify a pattern with the -t option, combining literal characters of our choice with placeholders. The placeholders are:

@ – lower case alpha characters

, – upper case alpha characters

% – numeric characters

^ – special characters including space

For example, if part of the password is known to us, and we know it starts with pass and follows two numbers, we can use the % symbol from above to match the numbers. Here we generate a wordlist that contains pass followed by 2 numbers:



crunch 6 6 -t pass%%

pass00 pass01 pass02 pass03
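Keyspace expansion as crunch and hashcat do it, written as an added example (not the tools' own code). It parses both crunch -t placeholders and hashcat ?l?u?d?s masks into per-position alphabets, generates the candidates lazily and, more usefully, computes the keyspace size and estimated file size before anything is written to disk. The special-character set is assumed to be the printable ASCII punctuation plus space; crunch's ^ set contains the same characters in a different order, which only changes the output order.

```python
"""Keyspace (mask) expansion, reproducing crunch's -t placeholders and
hashcat's ?l?u?d?s masks (added example, not crunch's or hashcat's own code)."""
import itertools
import string

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
# Assumption: both tools use the printable specials plus space; the ordering of
# crunch's ^ set differs, which only changes the order of the output.
SPECIAL = string.punctuation + " "

CRUNCH_PLACEHOLDERS = {"@": LOWER, ",": UPPER, "%": DIGITS, "^": SPECIAL}
HASHCAT_CHARSETS = {"l": LOWER, "u": UPPER, "d": DIGITS, "s": SPECIAL,
                    "a": LOWER + UPPER + DIGITS + SPECIAL}


def parse_crunch_pattern(pattern: str) -> list:
    """Per-position alphabets for a crunch -t pattern; other characters are literal."""
    return [CRUNCH_PLACEHOLDERS.get(ch, ch) for ch in pattern]


def parse_hashcat_mask(mask: str) -> list:
    """Per-position alphabets for a hashcat mask such as ?u?l?l?d?d; ?? is a literal '?'."""
    positions, i = [], 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            code = mask[i + 1]
            positions.append("?" if code == "?" else HASHCAT_CHARSETS[code])
            i += 2
        else:
            positions.append(mask[i])
            i += 1
    return positions


def keyspace(positions: list) -> int:
    """Number of candidates the mask describes; cheap to compute before generating."""
    total = 1
    for alphabet in positions:
        total *= len(alphabet)
    return total


def expand(positions: list):
    """Lazily yield every candidate; never materialise a large keyspace in memory."""
    for combo in itertools.product(*positions):
        yield "".join(combo)


def crunch_fixed_charset(min_len: int, max_len: int, charset: str):
    """crunch <min> <max> <charset>: every string of each length over charset."""
    for length in range(min_len, max_len + 1):
        yield from expand([charset] * length)


def crunch_fixed_count(min_len: int, max_len: int, charset: str) -> int:
    """Size of the keyspace crunch <min> <max> <charset> would write."""
    return sum(len(charset) ** n for n in range(min_len, max_len + 1))


def estimated_size_gib(count: int, length: int) -> float:
    """Wordlist size on disk in GiB: each line is the word plus a newline."""
    return count * (length + 1) / 2 ** 30


if __name__ == "__main__":
    # crunch 6 6 -t pass%% and hashcat -a 3 ?d?d?d?d --stdout, on the same engine
    print(list(expand(parse_crunch_pattern("pass%%")))[:4])
    print(keyspace(parse_hashcat_mask("?d?d?d?d")))
    # the 459 GB example above, without generating a single line
    n = crunch_fixed_count(8, 8, "0123456789abcdefABCDEF")
    print(n, round(estimated_size_gib(n, 8)))
```

Calling keyspace before expand is the habit worth taking away: a mask that is too large to finish is better rejected up front than discovered hours into a run.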

CUPP – Common User Passwords Profiler

CUPP is an automatic and interactive tool written in Python for creating custom wordlists. For instance, if you know some details about a specific target, such as their birthdate, pet name, company name, etc…, this could be a helpful tool to generate passwords based on this known information.

CUPP will take the information supplied and generate a custom wordlist based on what's provided. There is also support for a 1337/leet mode, which substitutes the letters a, i, e, t, o, s, g, z with the numbers 4, 1, 3, 7, 0, 5, 9 and 2. More information is available in the GitHub repo:

GitHub – Mebus/cupp: Common User Passwords Profiler (CUPP)



git clone https://github.com/Mebus/cupp.git



python3 cupp.py

CUPP supports an interactive mode where it asks questions about the target and based on the provided answers, it creates a custom wordlist. If you don’t have an answer for the given field, then skip it by pressing the Enter key.



python3 cupp.py -i

Insert the information about the victim to make a dictionary

[+] If you don’t know all the info, just hit enter when asked! 😉

> First Name:

> Surname:

> Nickname:

> Birthdate (DDMMYYYY):

> Partner's name:

> Partner's nickname:

> Partner's birthdate (DDMMYYYY):

> Child’s name:

> Child’s nickname:

> Child’s birthdate (DDMMYYYY):

> Pet’s name:

> Company name:

> Do you want to add some key words about the victim? Y/[N]:

> Do you want to add special chars at the end of words? Y/[N]:

> Do you want to add some random numbers at the end of words? Y/[N]:

> Leet mode? (i.e. leet = 1337) Y/[N]:

[+] Now making a dictionary…

[+] Sorting list and removing duplicates…

[+] Saving dictionary to …..txt, counting ….. words.

> Hyperspeed Print? (Y/n)

As a result, a custom wordlist containing a number of words based on your entries is generated. Pre-created wordlists can be downloaded to your machine as follows:



python3 cupp.py -l

Based on your interest, you can choose the wordlist from the list above to aid in generating wordlists for brute-forcing!

Finally, CUPP can also provide default usernames and passwords from the Alecto database using the -a option.



python3 cupp.py -a
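A cut-down profile generator in the spirit of CUPP's interactive mode, added here as an example and not CUPP's own code. It takes the same fields CUPP asks for, combines them with birthdate fragments, two-word concatenations and optional special-character, number and leet suffixes, then filters by length. The suffix sets (!@#$%&* and 0-99) and the 6-16 character limits are assumptions for this example; CUPP's own defaults differ.

```python
"""Profile-based wordlist in the spirit of CUPP's interactive mode (added
example, not CUPP's own code). Combines the answers a target might give
(names, dates, pet, company) with suffixes and the leet substitutions above."""
import itertools

# The substitutions the page lists for leet mode: a i e t o s g z -> 4 1 3 7 0 5 9 2
LEET = str.maketrans("aietosgz", "41370592")
# Assumptions for this example; CUPP's suffix sets and length limits differ.
SPECIAL_SUFFIXES = "!@#$%&*"
NUMBER_SUFFIXES = [str(n) for n in range(100)]
MIN_LEN, MAX_LEN = 6, 16


def word_forms(word: str) -> list:
    """lower, Capitalised and UPPER forms of one answer; empty answers are skipped."""
    w = word.strip()
    return [w.lower(), w.capitalize(), w.upper()] if w else []


def date_forms(ddmmyyyy: str) -> list:
    """Date fragments people actually use: 1990, 90, 2512, 1225, 25121990, 251290."""
    if len(ddmmyyyy) != 8 or not ddmmyyyy.isdigit():
        return []
    d, m, y = ddmmyyyy[:2], ddmmyyyy[2:4], ddmmyyyy[4:]
    return [y, y[2:], d + m, m + d, d + m + y, d + m + y[2:]]


def build_wordlist(profile: dict, special_chars=False, numbers=False, leet=False) -> list:
    """profile keys mirror CUPP's prompts: first, last, nick, birthdate, partner,
    pet, company and keywords (a list). Missing or empty fields are skipped."""
    base = []
    for key in ("first", "last", "nick", "partner", "pet", "company"):
        base += word_forms(profile.get(key, ""))
    for keyword in profile.get("keywords", []):
        base += word_forms(keyword)
    dates = date_forms(profile.get("birthdate", ""))

    candidates = list(base)
    candidates += [w + d for w in base for d in dates]        # john1990, John2512
    candidates += [d + w for w in base for d in dates]        # 1990john
    # two-word concatenations such as johnrex or Smithjohn
    candidates += [a + b for a, b in itertools.permutations(base, 2) if a.lower() != b.lower()]
    if numbers:
        candidates += [w + n for w in base for n in NUMBER_SUFFIXES]
    if special_chars:
        candidates += [w + s for w in candidates for s in SPECIAL_SUFFIXES]
    if leet:
        candidates += [w.translate(LEET) for w in candidates]

    out, seen = [], set()
    for cand in candidates:
        if MIN_LEN <= len(cand) <= MAX_LEN and cand not in seen:
            seen.add(cand)
            out.append(cand)
    return out


if __name__ == "__main__":
    # Constructed profile; the answers are invented for this example.
    target = {"first": "John", "last": "Smith", "pet": "Rex", "birthdate": "25121990",
              "company": "Clinic", "keywords": ["mediscan"]}
    words = build_wordlist(target, special_chars=True, numbers=True, leet=True)
    print(len(words))
    print(words[:10])
```

The length filter matters in practice: anything shorter than the target's minimum password length is wasted guesses, and the policy learned earlier is the right place to take MIN_LEN from.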

Questions

Run the following crunch command. How many words did crunch generate?

crunch 2 2 01234abcd -o crunch.txt

Answer

81

What is the crunch command to generate a list containing THM@% and output it to a file named tryhackme.txt? (The last two characters are both specials, so the ^ placeholder covers them.)

Answer

crunch 5 5 -t "THM^^" -o tryhackme.txt

Task 5

Offline Attacks – Dictionary, Brute-Force and Rule-Based attacks

Dictionary Attack

A dictionary attack is a technique used to guess passwords by using well-known words or phrases. The dictionary attack relies entirely on pre-gathered wordlists that were previously generated or found. It is important to choose or create the best candidate wordlist for your target in order to succeed in this attack. Let’s explore performing a dictionary attack using what you’ve learned in the previous tasks about generating wordlists. We will showcase an offline dictionary attack using hashcat, which is a popular tool to crack hashes.

Let’s say that we obtain the following hash f806fc5a2a0d5ba2471600758452799c, and want to perform a dictionary attack to crack it. First, we need to know the following at a minimum:

1- What type of hash is this?
2- What wordlist will we be using? Or what type of attack mode could we use?

To identify the type of hash, we can use a tool such as hashid or hash-identifier.



apt install hashid

For this example, hashid reports MD5 as the most likely algorithm. A 32-character hexadecimal string matches several algorithms, so the tool lists all candidates and the guess is only confirmed when the hash actually cracks. Please note that the time to crack a hash depends on the hardware you're using (CPU and/or GPU).



hashcat -a 0 -m 0 f806fc5a2a0d5ba2471600758452799c /usr/share/wordlists/rockyou.txt

-a 0  sets the attack mode to a dictionary attack

-m 0  sets the hash mode for cracking MD5 hashes; for other types, run hashcat -h for a list of supported hashes.

f806fc5a2a0d5ba2471600758452799c this option could be a single hash like our example or a file that contains a hash or multiple hashes.

/usr/share/wordlists/rockyou.txt the wordlist/dictionary file for our attack

We run hashcat with the --show option to display the cracked value if the hash has already been cracked (hashcat stores cracked hashes in its potfile, so re-running the command does not repeat the attack):



hashcat -a 0 -m 0 f806fc5a2a0d5ba2471600758452799c /usr/share/wordlists/rockyou.txt --show

f806fc5a2a0d5ba2471600758452799c:rockyou

As a result, the cracked value is rockyou.

Brute-Force attack

Brute-forcing is a common attack used to gain unauthorised access to an account by systematically trying candidate passwords. The main difference between a dictionary and a brute-force attack is that a dictionary attack is limited to the candidates in a wordlist, whereas a brute-force attack tries every combination of a chosen character set and length.

For example, let's assume we need unauthorised access to a bank account and we know the PIN is 4 digits. Based on this knowledge, we can perform a brute-force attack that tries every value from 0000 to 9999. In other cases, a sequence of numbers or letters can be appended to existing words in a list, such as admin0, admin1, ... admin9999.

hashcat has built-in charsets that can be combined into a mask of your choice. They are listed in the hashcat help output:



hashcat --help

https://hashcat.net/wiki/#howtos_videos_papers_articles_etc_in_the_wild

https://hashcat.net/faq



hashcat -a 3 ?d?d?d?d --stdout

This shows how to use hashcat's brute-force (mask) attack mode with a mask of our choice.

-a 3 sets the attack mode to brute-force (mask attack).

?d?d?d?d: each ?d tells hashcat to use a digit at that position, so ?d?d?d?d covers four digits from 0000 to 9999.

--stdout prints the candidates to the terminal instead of cracking anything, which is useful for checking a mask before running it.

Now let's apply the same concept to crack the following MD5 hash of a four-digit PIN: 05A5CF06982BA7892ED2A6D38FE832D6.



hashcat -a 3 -m 0 05A5CF06982BA7892ED2A6D38FE832D6 ?d?d?d?d

05a5cf06982ba7892ed2a6d38fe832d6:2021
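A dictionary attack and a four-digit mask attack against unsalted MD5/SHA-1 hashes, with a hashid-style length check, written as an added example (not hashcat's or hashid's code). The hash mode numbers match the hashcat -m values used above. The wordlist is a constructed five-line stand-in for rockyou.txt and the target hashes are computed inline, so the example runs offline; crack_many shows why hashcat reads a hash file and keeps a potfile: one pass over the wordlist serves every hash.

```python
"""Offline dictionary and mask attacks on unsalted hashes with hashlib, plus a
length-based hash-type guess like hashid's (added example, not hashcat's or
hashid's code). Targets are computed inline so it runs without rockyou.txt."""
import hashlib
import itertools
import string

# hashcat -m numbers for the unsalted modes used on this page
HASH_MODES = {0: hashlib.md5, 100: hashlib.sha1, 1400: hashlib.sha256}

# Length alone cannot tell MD5 from NTLM, so every candidate is returned
CANDIDATES_BY_HEX_LEN = {
    32: ["MD5", "MD4", "NTLM"],
    40: ["SHA-1", "RIPEMD-160"],
    64: ["SHA-256", "SHA3-256"],
    128: ["SHA-512", "SHA3-512", "Whirlpool"],
}

# Constructed stand-in for a few lines of rockyou.txt
SAMPLE_WORDLIST = ["123456", "password", "iloveyou", "rockyou", "sunshine"]


def identify_hash(digest: str) -> list:
    """Most likely algorithms for a hex digest, judged by length only."""
    digest = digest.strip().lower()
    if not digest or any(c not in string.hexdigits for c in digest):
        return []
    return CANDIDATES_BY_HEX_LEN.get(len(digest), [])


def hash_hex(mode: int, candidate: str) -> str:
    return HASH_MODES[mode](candidate.encode()).hexdigest()


def dictionary_attack(target: str, wordlist, mode: int = 0):
    """hashcat -a 0: hash each word and compare; returns the plaintext or None."""
    target = target.strip().lower()
    for line in wordlist:
        word = line.rstrip("\r\n")
        if hash_hex(mode, word) == target:
            return word
    return None


def mask_attack(target: str, mode: int = 0, length: int = 4, charset: str = string.digits):
    """hashcat -a 3 with a fixed-charset mask such as ?d?d?d?d."""
    target = target.strip().lower()
    for combo in itertools.product(charset, repeat=length):
        candidate = "".join(combo)
        if hash_hex(mode, candidate) == target:
            return candidate
    return None


def crack_many(targets, wordlist, mode: int = 0) -> dict:
    """Crack a batch of hashes in one pass over the wordlist, the way hashcat
    handles a hash file; returns {hash: plaintext} like --show reads the potfile."""
    wanted = {t.strip().lower() for t in targets}
    cracked = {}
    for line in wordlist:
        word = line.rstrip("\r\n")
        digest = hash_hex(mode, word)
        if digest in wanted and digest not in cracked:
            cracked[digest] = word
            if len(cracked) == len(wanted):
                break
    return cracked


if __name__ == "__main__":
    target = hash_hex(0, "rockyou")
    print(identify_hash(target), dictionary_attack(target, SAMPLE_WORDLIST))
    print(mask_attack(hash_hex(0, "1337")))
```

To run it against a real hash, replace the inline targets with the hash string and open rockyou.txt as the wordlist iterable; the mode argument is the hashcat -m number, so a SHA-1 target is cracked with mode=100.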

Question

Consider the following hash: 8d6e34f987851aa599257d3831a1af040886842f. What is the hash type?

Steps you need to take:

1. Install hashid:

apt install hashid

2. Run hashid against the hash:

hashid 8d6e34f987851aa599257d3831a1af040886842f

Answer

SHA-1

Question

Perform a dictionary attack against the following SHA-1 hash: 8d6e34f987851aa599257d3831a1af040886842f. What is the cracked value? Use the rockyou.txt wordlist (hashcat mode 100 is SHA-1).



hashcat -a 0 -m 100 8d6e34f987851aa599257d3831a1af040886842f /usr/share/wordlists/rockyou.txt

Answer

sunshine

Perform a brute-force attack against the following MD5 hash: e48e13207341b6bffb7fb1622282247b. What is the cracked value? Note the password is a 4 digit number: [0-9][0-9][0-9][0-9]



hashcat -a 3 -m 0 e48e13207341b6bffb7fb1622282247b ?d?d?d?d

In mask-attack mode the positional arguments are the hash and the mask; a wordlist is not used, so it must not be passed.

Answer

1337

Task 6

Rule-Based attacks

Rule-based attacks are also known as hybrid attacks. They assume the attacker knows something about the password policy. Rules are applied to an existing wordlist to create candidates that fit the policy and should, in theory, only generate valid passwords. For example, a rule can mangle the word password into p@ssword, Pa$$word, Passw0rd and so on.

For this attack, we can expand our wordlist using either hashcat or John the Ripper. Let's see how John the Ripper does it. John's config file, which contains the rule sets, is located at /etc/john/john.conf or /opt/john/john.conf depending on your distro and how John was installed. You can read the config file and look for List.Rules to see all the available rules:



grep "List.Rules:" /etc/john/john.conf | cut -d":" -f2 | cut -d"]" -f1 | awk NF | sort -u

OR

grep "List.Rules:" /opt/john/john.conf | cut -d":" -f2 | cut -d"]" -f1 | awk NF | sort -u

(The name follows the colon in both the [List.Rules:name] section headers and the .include [List.Rules:name] lines, so cutting on ":" and "]" catches both; sort -u collapses names that appear in both forms.)

We can see that many rules are available. We will create a wordlist with only one password, tryhackme, saved as /tmp/single-password-list.txt, to see how we can expand it. Let's choose one of the rules, best64, which contains 64 of the most effective built-in rules, and see what it can do!



john --wordlist=/tmp/single-password-list.txt --rules=best64 --stdout | wc -l

--wordlist= specifies the wordlist or dictionary file.

--rules specifies which rule set or sets to use.

--stdout prints the candidates to the terminal instead of cracking.

| wc -l counts how many lines John produced.

By running the previous command, we expand our password list from 1 to 76 candidates. Now let's check another rule set, KoreLogic, one of the best in John. KoreLogic uses various built-in and custom rules to generate complex password lists; see the KoreLogic rules documentation for more information. Now let's use this rule set and check whether Tryh@ckm3 appears in our list:

john --wordlist=/tmp/single-password-list.txt --rules=KoreLogic --stdout | grep "Tryh@ckm3"

The output from the previous command shows that our list has the complex version of tryhackme, which is Tryh@ckm3. Finally, we recommend checking out all the rules and finding one that works the best for you. Many rules apply combinations to an existing wordlist and expand the wordlist to increase the chance of finding a valid password!
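A minimal rule engine in hashcat/John rule syntax, added here to show what --rules actually does to each word (an example, not John the Ripper's or hashcat's code). It implements a subset of the single-character functions (case changes, reverse, duplicate, reflect, rotate, append/prepend, substitute, toggle and delete at a position); SAMPLE_RULES is a constructed handful of rules, not the real best64 or KoreLogic sets, so the 76-line count above is not reproduced.

```python
"""A small rule engine in hashcat/John rule syntax to show how rule-based
attacks mangle a wordlist (added example, not John the Ripper's or hashcat's
code; only the functions handled in apply_rule are implemented, and
SAMPLE_RULES is a constructed subset, not the real best64 or KoreLogic sets)."""


def _pos(ch: str) -> int:
    """Rule positions are 0-9 then A-Z for 10-35, as in hashcat."""
    return int(ch, 36)


def apply_rule(word: str, rule: str) -> str:
    """Apply one rule, a sequence of single-letter functions; spaces are ignored."""
    w, i = word, 0
    while i < len(rule):
        op = rule[i]
        if op in " :":
            pass                                # separator / no-op
        elif op == "l":
            w = w.lower()
        elif op == "u":
            w = w.upper()
        elif op == "c":
            w = w[:1].upper() + w[1:].lower()   # capitalise: password -> Password
        elif op == "C":
            w = w[:1].lower() + w[1:].upper()   # invert capitalise: pASSWORD
        elif op == "t":
            w = w.swapcase()
        elif op == "r":
            w = w[::-1]                         # reverse
        elif op == "d":
            w = w + w                           # duplicate
        elif op == "f":
            w = w + w[::-1]                     # reflect
        elif op == "{":
            w = w[1:] + w[:1]                   # rotate left
        elif op == "}":
            w = w[-1:] + w[:-1]                 # rotate right
        elif op == "[":
            w = w[1:]                           # delete first character
        elif op == "]":
            w = w[:-1]                          # delete last character
        elif op == "$":
            i += 1
            w = w + rule[i]                     # $X: append X
        elif op == "^":
            i += 1
            w = rule[i] + w                     # ^X: prepend X
        elif op == "s":
            w = w.replace(rule[i + 1], rule[i + 2])   # sXY: replace all X with Y
            i += 2
        elif op == "T":
            i += 1
            n = _pos(rule[i])
            w = w[:n] + w[n:n + 1].swapcase() + w[n + 1:]   # TN: toggle case at N
        elif op == "D":
            i += 1
            n = _pos(rule[i])
            w = w[:n] + w[n + 1:]               # DN: delete character at N
        else:
            raise ValueError(f"unsupported rule function {op!r} in {rule!r}")
        i += 1
    return w


def expand_wordlist(words, rules) -> list:
    """Every (word, rule) product, deduplicated in first-seen order: the
    equivalent of john --rules=... --stdout with duplicates removed."""
    out, seen = [], set()
    for word in words:
        for rule in rules:
            cand = apply_rule(word, rule)
            if cand and cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


# Constructed subset of common rule functions (not the real best64)
SAMPLE_RULES = [
    ":", "l", "u", "c", "r", "d",
    "$1", "$!", "c $1", "c $2 $0 $2 $1",
    "sa@", "se3", "c sa@ se3", "^1", "T0 T1",
]

if __name__ == "__main__":
    # Same single-word list as /tmp/single-password-list.txt above
    for cand in expand_wordlist(["tryhackme"], SAMPLE_RULES):
        print(cand)
```

Reading a rule file from hashcat's rules directory line by line and passing the lines as rules works for any file that only uses the functions above; anything else raises ValueError rather than silently producing wrong candidates.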