Let's Talk About: Password Cracking
Wuddup everyone it’s ya boi James here. So you know how my teacher wanted me to write that tech journal assignment. Well I figured ya know what James why don’t we fight back 😉 So I figured why not make my lab assignments my tech journal, and why don’t I make my blog posts my tech journals. So ya boi kills three birds with one stone 🙂 🙂 (James doesn’t condone bird stoning please keep the birds safe we need them…also I’m a bit ornithophobic so I don’t wanna be a target of the birdman granted guy’s got Money to Blow) ;P Who got that reference?!? Anyone ayee. Yess rapperzz le go!
Aight lmao classic James intro aside let’s talk about password guessing.
If we think back to my post on Pentesting we’ll see there’s the phase where we start to exploit a target! Usually one of the first steps of exploitation is password guessing. So I’m gonna introduce you to some common password guessing tools, what they do, and some general info about password guessing in general.
So let’s get chatting
Wordlists and Dictionaries:
- Password-guessing tools use wordlists/dictionaries to test combinations of usernames and passwords. Many files are available to download, but crawling websites is a useful way to gather words/usernames that may be uniquely associated with a particular organization/target.
Once you have a wordlist from, say, using CeWL, you will then want to mangle the list so it contains every different variation of each word.
Basically what we’re doing is gathering as many potential passwords as we can, using the power of computers to manipulate the words for us.
For example say the password is “P@$$W0RD”
- The generic wordlist will start with “password”
- Once we start mangling the word it will add these variations of the word to the wordlist:
- PASsword (you get the idea, it’s uppercasing each letter as it goes along, eventually ending with all caps)
- Then it’ll mangle the word to different styles for example it will convert it to leet speak (that’s basically your stereotypical hacker typing lingo, you put numbers into words, etc.)
- So PASSWORD Will Slowly Get Converted with Leet Speak
- Essentially that’s what mangling is and your wordlist will end up including all the different variations of the word.
- So like: all the different ways you can type it out. I think you get the idea.
The way you mangle the wordlist from CeWL would be to use a word mangler like RSMangler.
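To make the mangling idea concrete, here is an added example of my own (not RSMangler’s code and not from the original post): a tiny Python mangler that does the case variants, then full leet, then the min/max length cut that -m and -x control, and also joins pairs of words the way RSMangler combines them. The leet table is a constructed subset, and the two-word input stands in for a CeWL wordlist.

```python
import itertools
from typing import Dict, Iterable, List, Set

# Leet substitution table, constructed for this example (RSMangler's own table
# is larger); each letter may stay as-is or be swapped for any listed symbol.
LEET: Dict[str, List[str]] = {
    "a": ["@", "4"], "e": ["3"], "i": ["1", "!"],
    "o": ["0"], "s": ["$", "5"], "t": ["7"],
}

def case_variants(word: str) -> Set[str]:
    """All upper/lower mixes: password, Password, pAssword, ... PASSWORD."""
    per_char = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in word]
    return {"".join(combo) for combo in itertools.product(*per_char)}

def leet_variants(word: str) -> Set[str]:
    """Full leet: every mix of keeping or substituting each swappable letter."""
    per_char = [[c] + LEET.get(c.lower(), []) for c in word]
    return {"".join(combo) for combo in itertools.product(*per_char)}

def mangle(word: str, min_len: int = 0, max_len: int = 64) -> Set[str]:
    """Case-mangle, then leet-mangle, keeping only lengths in [min_len, max_len]
    (the job RSMangler's -m and -x options do)."""
    out: Set[str] = set()
    for cased in case_variants(word):
        out.update(v for v in leet_variants(cased) if min_len <= len(v) <= max_len)
    return out

def mangle_wordlist(words: Iterable[str], min_len: int = 0, max_len: int = 64) -> Set[str]:
    """Mangle each crawled word on its own and every ordered pair joined together
    (RSMangler also combines words, which is how short words survive a -m cut)."""
    base = sorted({w.strip().lower() for w in words if w.strip()})
    candidates = list(base) + [a + b for a in base for b in base if a != b]
    out: Set[str] = set()
    for w in candidates:
        out |= mangle(w, min_len, max_len)
    return out

if __name__ == "__main__":
    # Constructed stand-in for a CeWL wordlist crawled from the target site.
    crawled = ["pass", "word"]
    candidates = mangle_wordlist(crawled, min_len=6, max_len=12)
    print(len(candidates), "candidates;", "P@$$W0RD" in candidates)
```

On that two-word list the script emits 6,144 candidates and P@$$W0RD is one of them, which is the whole point: a leet-substituted dictionary word is only a few mechanical rules away from the plain word.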
So now you have a wordlist with as many possible passwords as you can think of, with the help of our trusty computers. Next we get to the actual brute-forcing/password guessing.
At this stage you’re gonna start to use tools like Medusa, Ncrack, and Hydra.
Let’s Talk Tools:
- CeWL crawls through a webpage/site to a specified depth and gathers a bunch of words that can then be passed on to other tools like password crackers (for example, John the Ripper)
- The basic syntax is like this:
- cewl --with-numbers -a -w wordList.txt 192.168.4.243/bios/marviMalware.html
- So the “--with-numbers” will extract words with numbers in them
- the “-a” will include any metadata from the page
- the “-w” tells CeWL to write the wordlist out to a file that I specified, i.e. wordList.txt
- RSMangler is a program that takes your wordlist generated by, let’s say, CeWL and then mangles the words into variations, combines them, etc. It basically mangles the words to make as many different possible passwords as it can from the words it was given.
- What you get as a result is a password list, which you can then use to attempt to log in to a target.
- RSMangler commands are like this:
- rsmangler -T -x 12 -m 9 --file adamList.txt > mangledAdamList.txt
- The thing about the options is that all of them are enabled by default, so when you select an option you’re actually disabling it. For example -T disables full leet speak. The exceptions are -x and -m, which set the max (12) and min (9) length of the words that get written out.
- Using Ncrack is the last step. Fun fact: Ncrack is part of the Nmap suite, so the options are basically the same and I won’t repeat them.
- ncrack -v -T3 -p 80 --user [agoldstein] -P [mangledAdamList.txt] [ip address]
- -v is for verbosity
- -T3 is the timing level (how paranoid/slow it is). I did T3 b/c that’s average
- -p is to set the port number afterwards so -p 80 is port 80 for web
- --user is the username [insert the username without brackets]
- -P specifies the word list [insert your word list without brackets]
- [ip address] is obviously [insert the target ip without brackets]