NML Says

Data Security 5 - Ethical Hacking

References for this Part

Model Solutions Previous Lesson

Ethical Hacking

Disclaimer

Hacking, in its colloquial sense, is illegal. Therefore, unless specifically, and explicitly allowed, you are not allowed to do what is taught here on other networks than your own.

Tools for Ethical Hacking

Kali

The penetration tester, the eufemism describing the ethical hacker, normally has a dedicated laptop for that part of his job. That laptop probably has Kali, or … installed on it.

Kali from Live USB

For a short course we can’t do that, so, instead we will instruct you to make a USB stick with a Kali Live installed on it.

Once you have the usb, then to use it:

Boot Kali Live

Switch you computer off, and insert the USB stick. Then switch on the computer and boot from the USB.

Depending on your type of computer you must do one of the following to take control of the boot process:

Macbook Pro
  1. Hold Alt tasten nede efter power on
  2. Vælg USB
Lenovo ThinkPad
  1. Tryk enter efter power on
  2. Tryk F12
  3. Vælg usb
HP books, Elite-, Pro-
  1. Tryk Esc efter power on
  2. Tryk F9
  3. Vælg usb
After Boot [Select Keyboard]

From the menu in the upper left hand side of your screen, choose Settings, then Keyboard, then Layout. Now unset systems default, and click edit, then unfold Danish, and then choose the keyboard applicable to your computer. After pressing OK remove any other keyboard than the chosen Danish, and press close. Test ‘blåbærgrød’.

If you depend on the keyboard, this has to be done after each boot.

Kali from Docker

Documentation may be found at

https://www.kali.org/docs/containers/official-kalilinux-docker-images/

https://www.kali.org/docs/containers/using-kali-docker-images/

https://hub.docker.com/r/kalilinux/kali-rolling

https://www.brettfullam.com/create-a-containerized-kali-linux-in-docker

The latter link explains in detail how to create a docker image of Kali on your computer including file sharing with that image and you regular file system.

If you are going to reuse the docker container, it is highly recommended.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13

~ $ docker pull kalilinux/kali-rolling
~ $ docker run -itd --name kali kalilinux/kali-rolling:latest
~ $ docker exec -it kali /bin/bash

┌──(root㉿38a779b2739e)-[/]
└─# apt update && apt -y install kali-linux-headless 

# ... takes some time and requires some choices

cd /home
mkdir shared

# keep this console open

now start a second console and do

1
2
3
4
5

$ docker commit 38a779b2739e kali_base
$ docker images -a

REPOSITORY       TAG       IMAGE ID       CREATED              SIZE
kali_base        latest    5ccd28331992   About a minute ago   6.89GB

You may now exit the docker console from above. and remove the container with

1
2
3
4

$ docker ps -a
# this will give you a container name
$ docker stop <name>
$ docker rm <name>

All the above is a one time endeavour. From then you may operate you kali container as follows:

1
2
3

$ docker stop kali
$ docker rm kali
$ docker run --name kali -v /home/<uou>/kali:/home/shared -ti kali_base /bin/bash

Stopping the container is done by exit or Ctrl-d.

Anonymizing Your Kali Activity1

After you are up and running you may want to start using the tor network. It runs as a service, and may be queried/operated by either of:

1
2
3

sudo service tor status
sudo service tor start
sudo service tor stop

To use our tools anonymously we hide behind a series of tor proxies. For that we must configure proxychains by editing its configuration file /etc/proxychains4.conf. Open it in nano, or vi (editors;)

Locate the line

#dynamic_chain

and remove the # (comment). Then make sure that random_chain, round_robin_chain, and strict_chain are all commented.

Now locate the line

proxy_dns

and verify that it is uncommented. Finally add the following as the last line of the file:

socks5 127.0.0.1 9050

There may be a similar line for socks4, the above must be added after that. Then Save and exit.

Once that is done, any TCP activity that you wish to do anonymously should be invoked from the CLI with a proxychains prepended. Eg

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

sudo service tor stop
sudo service tor start

# and then 

proxychains firefox iba.dk

# or

proxychains nmap -target

# or

proxychains python sqlmap -u target

You may wish to verify the anonymity by doing

1
2
3

sudo service tor stop
sudo service tor start
proxychains firefox dnsleaktest.com

a few times.

Cracking Passwords

In a login process the user enters a cleartext password and a user id. These credentials are sent to an application. The application reads the user’s data from its database. In order to decide whether the credentials received from user match what it read from its database, it has to compare the hashed password from the database with the cleartext received from the login form. The two will never match, so to verify, the application must hash the received cleartext password, and then compare the two hashes. If they match, the user is assigned a ’logged in’ token of some kind.

Figure 1. The Login Process Illustrated

Logging In

Now, examining this, the process of cracking passwords is the same. Some of the technical components are different, but logically they are identical.

The cracker does not (commonly) use a login form. Instead they have a list, file, of passwords that they want to try. The cracker does not (commonly) use the live database of users. Instead they present a stolen list of hashed passwords to the process. For each stolen password hash, the hashing algorithm is identified. The algorithm is then used to hash the entries in the list of cleartext passwords, one by one, and comparing that hash to the current hash from the stolen hashes. If they match the cleartext password from the list is logged as a result. If they dont, the cracker iterates to the next stolen hash.

You will notice the preparatory steps from the crackers side:

Next we shall look at john and hashcat that operate as described.

John the Ripper, john

The documentation is to be found at https://www.varonis.com/blog/john-the-ripper/

In this concrete case we have made john attempt to crack the passwords stolen from test.db.

Example 1. File with the hashes, hashes.txt
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

ls4:$2b$12$sU1uR7S5cioCg0RotY.oPu4Y1.Q5PJd4dvJqYhqyh61lDdldc.J3O
nml:$2b$12$sU1uR7S5cioCg0RotY.oPu4Y1.Q5PJd4dvJqYhqyh61lDdldc.J3O
wedn:$2a$10$qAmEfiMVphHhx3SVapETiOZHEqxGFNeLVReE/7LL1BFAU8V.9twly
wedn1:$2a$10$S/.Hn6DsfJ0VB4jipl26zerbxInpKZBBiqpbtyY/5nma1/QrPvTDC
wedn2:$2a$10$zGFlYo0/ojkiGOlXjc5YNevZL1eC3eA1SEl.vDekp.xBRzmHlHISq
wedn3:$2a$10$Pn8gZmJt17O7pKiTCmw9fu8/B0MjMs4CWmgtdRMtPK.XAUkfW/uNW
wedn4:$2a$10$KCseFYELP5nsan2pjg2qHukML8W/xnGTRSP9QtEo5vKVtCgL9EUoO
wedn5:$2a$10$3QDLpx/eoRWrNDmBi6HPZekILQQfrCY8/VFjmhLQa0FB23bJv.XVq
wedn6:$2a$10$IVhrhwk3EBT9y53MmyWjhe4Glxq.Mpb7q9lHeAObPiqNU4KKUCwxS
qubit:$2b$12$d5Pg0o2CXFrnjnJ014qJ7.UDUotAxVT.gMz7S/wR1NIp1wEUeiSjC
quart:$2b$12$B.k3KgR6/bVe9MoN5vNHduoqdDEuvo6JJm5u6ekWwNU4cafxMYNYO

Then, when the hashed passwords are available, we use John the Ripper to crack them against a wordlist with many passwords. Wherever they came from :) Apart from the ‘rockyou.txt’ we have worked with in a previous exercise, installation of john includes a password list somewhat smaller, and therefore more handy for test.

Example 2. john, Step 1
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

$ wc -l password.lst
   238195 password.lst
$ ls -l /usr/local/share/john/password.lst
$ -rw-r--r--  1 root  bin  2510270 Sep 28 11:42 /usr/local/share/john/password.lst

$ john hashes.txt --wordlist=password.lst 
Loaded 7 password hashes with 7 different salts (bcrypt [Blowfish 32/64 X2])
Press 'q' or Ctrl-C to abort, almost any other key for status
password         (wedn4)
password         (wedn3)
password         (wedn2)
test             (wedn)
test1            (wedn1)
5g 0:00:24:35 7% 0.003389g/s 13.34p/s 28.55c/s 28.55C/s autoinduction..autoinductive
5g 0:00:24:50 7% 0.003355g/s 13.35p/s 28.55c/s 28.55C/s autosuppression..autosymbiontic
Use the "--show" option to display all of the cracked passwords reliably
Session aborted
$john hashes.txt --show                  
wedn:test
wedn1:test1
wedn2:password
wedn3:password
wedn4:password

5 password hashes cracked, 2 left

$ john hashes.txt --wordlist=password.lst 
Loaded 7 password hashes with 7 different salts (bcrypt [Blowfish 32/64 X2])
Remaining 2 password hashes with 2 different salts
Press 'q' or Ctrl-C to abort, almost any other key for status

as we just saw, the run of john allows status messages. Perhaps more importantly, it allows interruption and display of intermidiary results. If we run the command one more time, it will not start over, but resume from where it came to earlier.

Example 3. john, YAE
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

$ echo "user:AZl.zWwxIh15Q" > hashes1.txt

$ john hashes1.txt
Loaded 1 password hash (descrypt, traditional crypt(3) [DES 128/128 SSE2-16])
Press 'q' or Ctrl-C to abort, almost any other key for status
example          (user)
1g 0:00:00:00 100% 2/3 50.00g/s 2682Kp/s 2682Kc/s 2682KC/s evocate..exceptin
Use the "--show" option to display all of the cracked passwords reliably
Session completed

$ john hashes1.txt --show
user:example

1 password hash cracked, 0 left

You will notice from the CLI of example 3 that there’s no reference to a wordlist of cleartext passwords. This is possible because the installation of john supplies a 240K words long list, and this list is used as a default.

Example 4. john, YAE
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34

$ cat nodecontacts.txt
ls@x15.dk:$2a$10$4ajboUXRaVje8famf53AUOEwBtTQMIBPoYcfXvQXUdjdS8hU9d6ta
rene@iba.dk:$2a$10$IPx29doZfFi.bfAV6fo7C.OdDq.xfLHwrKQSGs2IaELdH9ew8QxWO
abc@def.gh:$2a$10$JVizGpr3dm.qstyovAfNOO4qVgAkMjzNyBGmZJUPDst3tSyMuFgoK
abc@x15.dk:$2a$10$exSQPmlE78xE0D45ZD.S9eee.fSY4tiSICNeXHeW1hqFzmls/pwYy
tulle@x15.dk:$2a$10$kw9mFlcrq0M2TwIs.FRP0ugMLs0CXnu1PkSz660AmuUub.gDcSLEq
nmla@iba.dk:x

$ john nodecontacts.txt
Loaded 5 password hashes with 5 different salts (bcrypt [Blowfish 32/64 X2])
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:12:48 20% 1/3 0g/s 28.50p/s 28.50c/s 28.50C/s DABC@DEF.GH5..DEFABC5
0g 0:00:20:00 37% 1/3 0g/s 28.38p/s 28.38c/s 28.38C/s ,xls..,x15dk
0g 0:00:54:05 86% 1/3 0g/s 28.56p/s 28.56c/s 28.56C/s idk888888..dk888888
0g 0:01:03:07 98% 1/3 0g/s 28.32p/s 28.32c/s 28.32C/s ldk1919..ls1919
0g 0:01:04:04 98% 1/3 0g/s 28.18p/s 28.18c/s 28.18C/s tdk1910..tulle1910
0g 0:01:04:06 98% 1/3 0g/s 28.18p/s 28.18c/s 28.18C/s xdk1910..dk1910
1234             (abc@def.gh)
1234             (rene@iba.dk)
test             (abc@x15.dk)
test             (tulle@x15.dk)
test             (ls@x15.dk)
5g 0:01:06:14 100% 2/3 0.001257g/s 27.66p/s 27.78c/s 27.78C/s test..test123
Use the "--show" option to display all of the cracked passwords reliably
Session completed

$ john nodecontacts.txt --show
ls@x15.dk:test
rene@iba.dk:1234
abc@def.gh:1234
abc@x15.dk:test
tulle@x15.dk:test

5 password hashes cracked, 0 left

Hashcat

Tutorial at https://resources.infosecinstitute.com/topic/hashcat-tutorial-beginners/. more details at

https://uwnthesis.wordpress.com/2014/12/28/kali-how-to-use-hashcat-cracking-dictionaries/

man hashcat has all the data but not many words. Not informative for noobs.

Now to work:

Example 5. Unix Hashing from the CLI
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15

┌──(nml㉿kali)-[~/thehack]
└─$ echo 'test' | shasum -a 512
0e3e75234abc68f4378a86b3f4b32a198ba301845b0cd6e50106e874345700cc6663a86c1ea125dc5e92be17c98f9a0f85ca9d5f595db2012f7cc3571945c123  -
                                                                                                            
┌──(nml㉿kali)-[~/thehack]
└─$ echo 'test' | shasum -a 256
f2ca1bb6c7e907d06dafe4687e579fce76b37e4e93b7605022da52e6ccc26fd2  -
                                                                                                            
┌──(nml㉿kali)-[~/thehack]
└─$ echo 'test' | shasum -a 1  
4e1243bd22c66e76c2ba9eddc1f91394e57f9f83  -
                                                                                                            
┌──(nml㉿kali)-[~/thehack]
└─$ echo 'test' | md5sum       
d8e8fca2dc0f896fd7cb4cb0031ba249  -
Example 6. Create Hashes, Script createTargetHashes
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20

#!/usr/bin/bash
if [ $# -ne 3 -o "$1" != '-m' ] ; then
    echo "Usage: $0 -m nn outfile" >&2; exit 1
fi
case "$2" in
    0) HASH="md5sum" ;;
    100) HASH="shasum -a 1" ;;
    1400) HASH="shasum -a 256" ;;
    1700) HASH="shasum -a 512" ;;
    *) HASH="md5sum" ;;
esac
OUTFILE=$3

echo -n "Password" | $HASH | tr -d " -" > ./"$OUTFILE"
echo -n "HELLO" | $HASH | tr -d " -" >> ./"$OUTFILE"
echo -n "MYSECRET" | $HASH | tr -d " -" >> ./"$OUTFILE"
echo -n "Test1234" | $HASH | tr -d " -" >> ./"$OUTFILE"
echo -n "P455w0rd" | $HASH | tr -d " -" >> ./"$OUTFILE"
echo -n "GuessMe" | $HASH | tr -d " -" >> ./"$OUTFILE"
echo -n "S3CuReP455Word" | $HASH | tr -d " -" >> ./"$OUTFILE"

executed by

Example 7. hashcat
1
2
3

./createTargetHashes.sh -m 0 fil1
# or
./createTargetHashes.sh -m 1700 fil4
Example 8. hashcat
1

$ hashcat -m 1700 -a 0 -o fil4o.txt fil4 rockyou.txt
Example 9. hashcat
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82

$ hashcat -m 1700 -a 0 -o fil4o.txt fil4 $WORDLISTL 
hashcat (v6.2.5) starting

OpenCL API (OpenCL 2.0 pocl 1.8  Linux, None+Asserts, RELOC, LLVM 11.1.0, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=====================================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz, 2867/5799 MB (1024 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 7 digests; 7 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Salt
* Raw-Hash
* Uses-64-Bit

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

INFO: Removed 5 hashes found as potfile entries or as empty hashes.

Host memory required for this attack: 1 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

Cracking performance lower than expected?                 

* Append -O to the commandline.
  This lowers the maximum supported password/salt length (usually down to 32).

* Append -w 3 to the commandline.
  This can cause your screen to lag.

* Append -S to the commandline.
  This has a drastic speed impact but can be better for specific attacks.
  Typical scenarios are a small wordlist but a large ruleset.

* Update your backend API runtime / driver the right way:
  https://hashcat.net/faq/wrongdriver

* Create more work items to make use of your parallelization power:
  https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.           

                                                          
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 1700 (SHA2-512)
Hash.Target......: fil4
Time.Started.....: Sun Jan  9 17:55:00 2022 (5 secs)
Time.Estimated...: Sun Jan  9 17:55:05 2022 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  2778.7 kH/s (0.44ms) @ Accel:512 Loops:1 Thr:1 Vec:4
Recovered........: 5/7 (71.43%) Digests
Progress.........: 14344385/14344385 (100.00%)
Rejected.........: 0/14344385 (0.00%)
Restore.Point....: 14344385/14344385 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: $HEX[206b72697374656e616e6e65] -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#1..: Temp: 73c Util: 71%

Started: Sun Jan  9 17:54:59 2022
Stopped: Sun Jan  9 17:55:07 2022

there is an option quiet if you don’t need all the details. The systemvariable $WORDLISTL points at /usr/share/wordlists/rockyou.txt the location of the rockyou file on KALI Linux.

Example 10. hashcat

The output file from the above command is fil4o.txt

1
2
3
4
5
6

$ cat fil4o.txt
e6c83b282aeb2e022844595721cc00bbda47cb24537c1779f9bb84f04039e1676e6ba8573e588da1052510e3aa0a32a9e55879ae22b0c2d62136fc0a3e85f8bb:Password
33df2dcc31d35e7bc2568bebf5d73a1e43a0e624b651ba5ef3157bbfb728446674a231b8b6e97fa1e570c3b1de6d6c677541b262ac22afda5878fa2b591c7f08:HELLO
0a9b3f20d3d588b98616f5792d957709f62a5ddd2662436e46c752a5000db6877c8c58997bd0cadc3c8f14827510cab5df92170a8ceda6ecb8275fa6b5d8f375:P455w0rd
b43f1d28a3dbf30070bf1ae7c88ee2784047fc86d7be8620c8510debbd8555b3ef0b96376a4dd494ae0561580274bcf7a3069f5c0beceff63d1237a13d4d72b7:Test1234
c7c06c1eb863fa23513834077a1ef3de11e3df81b45c84979747387398125430a53c9b5f9f84f0210819da784bf6cdb307c0dc1e019a6a9334e73990b947e3e9:MYSECRET

Hydra

Hydra is documented at https://www.kali.org/tools/hydra/ apart from the regular hydra -h of course. This article in Medium has a good overview.

The hydra -h provides some useful examples, as man pages often do:

Example 11. Ecamples from hydra -h
1
2
3
4
5
6

Examples:
    hydra -l user -P passlist.txt ftp://192.168.0.1
    hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
    hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
    hydra -l admin -p password ftp://[192.168.0.0/24]/
    hydra -L logins.txt -P pws.txt -M targets.txt ssh
Example 12. Output from hydra
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

$ hydra -l tester11 -P tmp/crunches.txt localhost -t 14 ssh                                   
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-01-07 11:18:55
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 14 tasks per 1 server, overall 14 tasks, 20736 login tries (l:1/p:20736), ~1482 tries per task
[DATA] attacking ssh://localhost:22/
[STATUS] 131.00 tries/min, 131 tries in 00:01h, 20607 to do in 02:38h, 14 active
[STATUS] 98.67 tries/min, 296 tries in 00:03h, 20442 to do in 03:28h, 14 active
[STATUS] 92.29 tries/min, 646 tries in 00:07h, 20092 to do in 03:38h, 14 active
[STATUS] 90.67 tries/min, 1360 tries in 00:15h, 19378 to do in 03:34h, 14 active
[STATUS] 90.65 tries/min, 2810 tries in 00:31h, 17928 to do in 03:18h, 14 active
[STATUS] 90.55 tries/min, 4256 tries in 00:47h, 16482 to do in 03:03h, 14 active
[STATUS] 90.49 tries/min, 5701 tries in 01:03h, 15037 to do in 02:47h, 14 active
[STATUS] 90.73 tries/min, 7168 tries in 01:19h, 13570 to do in 02:30h, 14 active
[STATUS] 90.88 tries/min, 8634 tries in 01:35h, 12104 to do in 02:14h, 14 active
[STATUS] 90.62 tries/min, 10059 tries in 01:51h, 10679 to do in 01:58h, 14 active
[STATUS] 90.61 tries/min, 11507 tries in 02:07h, 9231 to do in 01:42h, 14 active
[STATUS] 90.64 tries/min, 12961 tries in 02:23h, 7777 to do in 01:26h, 14 active
[STATUS] 90.64 tries/min, 14411 tries in 02:39h, 6327 to do in 01:10h, 14 active
[STATUS] 90.61 tries/min, 15857 tries in 02:55h, 4881 to do in 00:54h, 14 active
[STATUS] 90.66 tries/min, 17316 tries in 03:11h, 3422 to do in 00:38h, 14 active
[STATUS] 90.66 tries/min, 18766 tries in 03:27h, 1972 to do in 00:22h, 14 active
[STATUS] 90.55 tries/min, 20193 tries in 03:43h, 545 to do in 00:07h, 14 active
[22][ssh] host: localhost   login: tester11   password: fede
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-01-07 15:06:29

Exercises

The rules for handing in assignments may be found in the README

Exercise DS.5.0

Generate a file of hashes with something like

1
2
3
4

echo -n "test" | shasum | tr -d " -" > bftest 
echo -n "fede" | shasum | tr -d " -" >> bftest 
echo -n "1234" | shasum | tr -d " -" >> bftest
echo -n "Fede" | shasum | tr -d " -" >> bftest

Crack those passwords by

Solutions must show the file bftest, and the command doing the crack.

Exercise DS.5.1

You must test and time brute force attacks with hashcat. Because time consumption may explode, try and compare passwords of length 3, 4, and 5 characters only.

Generate the necessary input hash file with something like the following

1
2
3
4

echo -n "NML" | shasum | tr -d " -" > bftest3 
echo -n "abc" | shasum | tr -d " -" >> bftest3 
echo -n "666" | shasum | tr -d " -" >> bftest3
echo -n "a1a" | shasum | tr -d " -" >> bftest3

  1. Pls refer to https://geekflare.com/anonymize-linux-traffic/ ↩︎