Penetration Testing

Exploiting I: Password Cracking


CIS 6395, Incident Response Technologies
Fall 2021, Dr. Cliff Zou
[email protected]
Acknowledgement
• Content from the book: “The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy”, Second Edition
Prepare Windows VM
• On the Windows VM (all Windows VMs are from Microsoft):
• Username: IEUser Password: Passw0rd!
• You can change the account password in the “User Accounts” section of the “Control Panel”
• Create another target account for exploitation
• Such as account: cis6395
• Give it a simple password for the password cracking exploitation
• Such as: abc123, 1234, 1024, secret, hello, 111111 …
Prepare Windows VM
• In Windows 7 and later VMs, many services (including Ping) are blocked by the firewall by default
• Disabling the firewall will allow others to ping the VM
• You can use an nmap scan to show the difference
Prepare Windows VM
• In the Windows VM, you can enable “remote desktop assistance”
• In the Win7 VM, right-click ‘Computer’ → ‘Properties’ → ‘Remote settings’
• Select the option that allows any computer to connect with remote desktop (don’t select the NLA authentication one)
• We can use an nmap scan to show this
• Then, if we know an account name/password on the Windows machine, we can remotely log in to it.
• Add the “cis6395” account to the “remote desktop” user list
• Right-click “My Computer”
• Click “Properties” → “Remote” tab → “Select Remote Users…” → “Add…”, and then enter the username in the field box
Prepare Windows VM
• When enabling remote desktop on the Win VM, disable the NLA authentication
• https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/remote-desktop-allow-access
• On your Kali Linux VM:
• Suppose your Win VM IP is: 192.168.0.101
• On Kali: #rdesktop 192.168.0.101
• You will be able to see the GUI of Windows!
• For the Win VM, you need to log out every user account on the Windows machine in order for rdesktop to log in without asking for further permission!
Hydra: Remote Online Password Cracking
• Password cracking:
• Offline password cracking
• Online password cracking
• Hydra is included in Kali Linux
• Given a discovered user name and a password dictionary, hydra can be very effective at finding out an account password
• Goal: gain access to remote services opened on some machines
• SSH: used by Unix or Mac OS; VNC (virtual network computing): Linux
• Remote desktop: used by Windows OS
• Password dictionaries included in Kali Linux:
• A dictionary directory: /usr/share/wordlists/
• John the Ripper: /usr/share/john/password.lst (a small list)
Hydra: Remote Online Password Cracking
• Suppose the Win VM remote desktop is open and has the IP 192.168.0.101, and we attack the account “cis6395”:
• #hydra -t 1 -V -l cis6395 -P /usr/share/john/password.lst 192.168.0.101 rdp
• -t 1: only use one connection (no parallel sessions, since rdp does not like concurrent connection requests)
• -V: show each attempt
• -l: username
• -P: password list file
• rdp: service name (remote desktop, tcp 3389)
• Note: we need to log out all user accounts on the Win target in order for this to work!
Hydra: Remote Online Password Cracking
• Let us try password cracking against the Metasploitable Linux VM
• It has an SSH server, so let us try an ssh login crack
• First, you need to create a user account with a weak password
• ‘sudo useradd cis6395’ to create the user account
• ‘sudo passwd cis6395’ to set the password for this account
• This creates an account ‘cis6395’ with the password ‘1234’
• #hydra -t 4 -V -l cis6395 -P /usr/share/john/password.lst 192.168.1.7 ssh
• Assuming the Metasploitable Linux VM has the IP 192.168.1.7
• Hydra will try 4 password guesses in parallel at one time
Ncrack: Remote Online Password Cracking
• #ncrack -v --user cis6395 -P ./password.lst -g CL=5 10.0.2.5:22
• The port number to attack is specified after the target IP
• The ‘CL=5’ option limits the number of parallel connections to 5
• Use ‘CTRL-C’ to stop it trying more passwords after it finds the correct one
• It does not show the passwords that were attempted but failed, so be patient with the list
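As an added example (not from the slides or the textbook), this is the defender's view of the hydra and ncrack SSH runs above: a small Python detector that reads sshd lines from the target's auth.log and flags a burst of failed logins from one source followed by a successful one, which is exactly the trace a cracked ‘1234’ password leaves. The log excerpt, the hostname and the attacker address 192.168.1.20 are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed excerpt of /var/log/auth.log on the Metasploitable VM while hydra
# runs with -t 4 against cis6395 from a (constructed) Kali address 192.168.1.20.
SAMPLE_AUTH_LOG = """\
Oct 12 14:03:21 metasploitable sshd[2301]: Failed password for cis6395 from 192.168.1.20 port 40111 ssh2
Oct 12 14:03:21 metasploitable sshd[2302]: Failed password for cis6395 from 192.168.1.20 port 40112 ssh2
Oct 12 14:03:22 metasploitable sshd[2303]: Failed password for cis6395 from 192.168.1.20 port 40113 ssh2
Oct 12 14:03:22 metasploitable sshd[2304]: Failed password for cis6395 from 192.168.1.20 port 40114 ssh2
Oct 12 14:03:23 metasploitable sshd[2305]: Failed password for cis6395 from 192.168.1.20 port 40115 ssh2
Oct 12 14:03:24 metasploitable sshd[2306]: Accepted password for cis6395 from 192.168.1.20 port 40116 ssh2
Oct 12 14:09:00 metasploitable sshd[2350]: Failed password for alice from 192.168.1.5 port 51000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+")

def parse_line(line):
    """(timestamp, 'Failed'|'Accepted', user, source ip), or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog stamps carry no year; only differences between stamps are used below
    return datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["result"], m["user"], m["src"]

def detect_bruteforce(lines, threshold=5, window=60):
    """Alerts as (src, kind, user): 'burst' once a source logs `threshold` failures
    inside `window` seconds; 'success_after_burst' when that source then logs in."""
    recent = defaultdict(deque)   # src -> timestamps of failures still in the window
    flagged, alerts = set(), []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, src = parsed
        if result == "Failed":
            q = recent[src]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window:   # slide the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append((src, "burst", user))
        elif src in flagged:   # a login from a source that was just brute-forcing
            alerts.append((src, "success_after_burst", user))
    return alerts
```

The same two-stage rule (failure burst, then success from the same source) applies to the RDP run on the Windows VM, with the Security event log in place of auth.log.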
Hydra and Ncrack: Remote Online Password Cracking
• A YouTube tutorial on using hydra in Kali:
• https://www.youtube.com/watch?v=D2-Eq12hZ1o
• Another webpage shows how to use a few more password crackers:
• https://hackertarget.com/brute-forcing-passwords-with-ncrack-hydra-and-medusa/
User Password Selection against Password Cracking
• Password dictionaries included in Kali Linux:
• A dictionary directory: /usr/share/wordlists/
• A big, notorious password dictionary list: rockyou.txt
• The original file is rockyou.txt.gz; you need to unzip it with the command
• $gunzip rockyou.txt.gz
• John the Ripper: /usr/share/john/password.lst (a small list)
• If you are IT security staff:
• Ask each of your employees to check his/her own password against the above password list
• $ cat rockyou.txt |grep user_password
• Or, $grep user_password rockyou.txt
• If the above command returns results, then the user’s password exists in the password list and should never be used!
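An added example, not from the slides: a Python version of the rockyou.txt check above that matches whole lines rather than substrings, streams the gzipped file directly instead of requiring gunzip first, and prompts for the password rather than taking it as a command-line argument. The miniature word list is constructed; the path /usr/share/wordlists/rockyou.txt.gz is the Kali location from the slide.

```python
import gzip
import os
import tempfile

# Constructed miniature stand-in for rockyou.txt (the real list has about 14 million
# lines), embedded so the check runs offline.
SAMPLE_WORDLIST = "123456\n1234\nabc123\nsecret\nhello\n111111\nPassw0rd!\n"

def open_wordlist(path):
    """Stream the list whether it is still rockyou.txt.gz or already gunzipped; rockyou.txt
    contains some non-UTF-8 bytes, so decode leniently instead of crashing part-way."""
    opener = gzip.open if path.endswith(".gz") else open
    return opener(path, "rt", encoding="utf-8", errors="replace")

def password_in_wordlist(password, lines):
    """Exact whole-line match, streamed. The slide's `grep user_password rockyou.txt` is a
    substring match (it reports '12' as listed because '1234' is) and it also leaves the
    password in the shell history and in `ps` output as a command-line argument."""
    return any(line.rstrip("\r\n") == password for line in lines)

def check_password(password, path):
    """Return (exact_hit, lowercase_hit) in one pass over the file. A lowercase hit means
    only capitalisation separates the password from a listed one, which cracker rule sets
    undo for free, so it should be treated as a hit too."""
    exact = lowered = False
    target_lower = password.lower()
    with open_wordlist(path) as f:
        for line in f:
            entry = line.rstrip("\r\n")
            exact = exact or entry == password
            lowered = lowered or entry == target_lower
            if exact and lowered:
                break
    return exact, lowered

def demo():
    """Write the sample list as a .gz file (the form rockyou ships in on Kali) and check
    a few candidates against it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "rockyou.txt.gz")
        with gzip.open(path, "wt", encoding="utf-8") as f:
            f.write(SAMPLE_WORDLIST)
        return {pw: check_password(pw, path)
                for pw in ("1234", "Secret", "12", "correct horse battery")}

if __name__ == "__main__":
    import getpass  # prompt rather than argv, so the password never reaches history or ps
    pw = getpass.getpass("Password to check: ")
    hit, low = check_password(pw, "/usr/share/wordlists/rockyou.txt.gz")
    print("listed" if hit else "listed in lower case" if low else "not listed")
```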