NML Says

Data Security 5 - Ethical Hacking

References for this Part

Model Solutions Previous Lesson

Model Exercise DS.4.0

Example M1. Login loginBCR.py
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
# loginBCR.py

import bcrypt
import sqlite3
import sys

def verify(user, pwd):
        con = sqlite3.connect('test.db')
        cur = con.cursor()

        try:
                sql = 'select password from user where userid = ?'
                cur.execute(sql, (user,))
                row = cur.fetchone()
                if not row:
                        return False
                readpwd = row[0]
                pwd = pwd.encode()
                rc = bcrypt.checkpw(pwd, readpwd)
                return rc
        except sqlite3.Error as err:
                print(err.sqlite_errorcode, err.sqlite_errorname)
                return False

if __name__ == "__main__":
        argv = sys.argv
        entereduser = argv[1]
        enteredpassword = argv[2]
        if (verify(entereduser, enteredpassword)):
                print(f'you are *in*, wellcome {entereduser}')
        else:
                print('Nice try, but try again!')
Example M2. Login loginBCR.js
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
// verifyps.js

const bcrypt = require('bcryptjs');
const sqlite3 = require('better-sqlite3');
// https://www.npmjs.com/package/better-sqlite3

const argv = process.argv;
const db = new sqlite3('test.db');

const verify = function (user, pwd) {
        // read user in db
        let sql = 'select userid, password from user where userid = ?';
        let stmt = db.prepare(sql);
        let rows = stmt.get(user);

        // extract password as readpwd
        let readpwd = rows.password;
        let rc = bcrypt.compareSync(pwd, readpwd);
        return rc;
}


let entereduser = argv[2]
let enteredpassword = argv[3];

if (verify(entereduser, enteredpassword)) {
        console.log('You chose wisely, you are in');
} else {
        console.log('Try again');
}

if (db) db.close();

Model Exercise DS.4.1

This exercise is meant for demoing use of another algorithm. SHA256 is not recommended for use with password hashing in real life.

Example M3. Register register256.py
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
# register256.py

# https://docs.python.org/3/library/sqlite3.html for doc
# https://www.slingacademy.com/article/python-sqlite3-insert-new-row-get-id/

import hashlib
import rock
import sqlite3
import sys



def hash_password(pwd):
    pwd_bytes = pwd.encode('utf-8')
    hash_obj = hashlib.sha256(pwd_bytes)
    hash = hash_obj.hexdigest()
    return hash

def register(user, pwd, textstring):
    con = sqlite3.connect('test.db')
    cur = con.cursor()

    h256 = hash_password(pwd)
    try:
        res = cur.execute('insert into user256 values(?, ?, ?)', (user, h256, textstring))
        con.commit()
        return True
    except sqlite3.Error as err:
        print(err)
        return False

if __name__ == '__main__':
    argv = sys.argv
    entereduser = argv[1]
    enteredpassword = argv[2]
    enteredcomment = argv[3]

    rockyou = rock.Rockyou()
    exists = rockyou.search(enteredpassword)
    if not exists:
        result = register(entereduser, enteredpassword, enteredcomment)
        if not result:
            print('db error')
        else:
            print('inserted')
    else:
        print('inadequate password')
Example M4. Login login256.py
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
# login256.py

import hashlib
import sqlite3
import sys
from register256 import hash_password

def verify(user, pwd):
        con = sqlite3.connect('test.db')
        cur = con.cursor()

        try:
                sql = 'select password from user256 where userid = ?'
                cur.execute(sql, (user,))
                row = cur.fetchone()
                if not row:
                        return False
                readhash = row[0]
                enteredpwdhash = hash_password(pwd)
                if enteredpwdhash != readhash:
                        return False
                return True
        except sqlite3.Error as err:
                print(err.sqlite_errorcode, err.sqlite_errorname)
                return False

if __name__ == "__main__":
        argv = sys.argv
        entereduser = argv[1]
        enteredpassword = argv[2]
        if (verify(entereduser, enteredpassword)):
                print(f'you are *in*, welcome {entereduser}')
        else:
                print('Nice try, but try again!')

Ethical Hacking

Disclaimer

Hacking, in its colloquial sense, is illegal. Therefore, unless specifically, and explicitly allowed, you are not allowed to do what is taught here on other networks than your own.

Tools for Ethical Hacking

Kali

The penetration tester, the eufemism describing the ethical hacker, normally has a dedicated laptop for that part of his job. That laptop probably has Kali, or … installed on it.

Kali from Live USB

Kali Live

Kali from Docker

Kali Docker

Anonymizing Your Kali Activity

Kali Anonymous

Cracking Passwords

In a login process the user enters a cleartext password and a user id. These credentials are sent to an application. The application reads the user’s data from its database. In order to decide whether the credentials received from user match what it read from its database, it has to compare the hashed password from the database with the cleartext received from the login form. The two will never match, so to verify, the application must hash the received cleartext password, and then compare the two hashes. If they match, the user is assigned a ’logged in’ token of some kind.

Figure 1. The Login Process Illustrated

Logging In

Now, examining this, the process of cracking passwords is the same. Some of the technical components are different, but logically they are identical.

The cracker does not (commonly) use a login form. Instead they have a list, file, of passwords that they want to try. The cracker does not (commonly) use the live database of users. Instead they present a stolen list of hashed passwords to the process. For each stolen password hash, the hashing algorithm is identified. The algorithm is then used to hash the entries in the list of cleartext passwords, one by one, and comparing that hash to the current hash from the stolen hashes. If they match the cleartext password from the list is logged as a result. If they dont, the cracker iterates to the next stolen hash.

You will notice the preparatory steps from the crackers side:

  • Steal the hashed passwords of the targets
  • Compile a long list of cleartext passwords

Next we shall look at john and hashcat that operate as described.

John the Ripper, john

The documentation is to be found at https://www.varonis.com/blog/john-the-ripper/

In this concrete case we have made john attempt to crack the passwords stolen from test.db.

Example 1. File with the hashes, hashes.txt
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
ls4:$2b$12$sU1uR7S5cioCg0RotY.oPu4Y1.Q5PJd4dvJqYhqyh61lDdldc.J3O
nml:$2b$12$sU1uR7S5cioCg0RotY.oPu4Y1.Q5PJd4dvJqYhqyh61lDdldc.J3O
wedn:$2a$10$qAmEfiMVphHhx3SVapETiOZHEqxGFNeLVReE/7LL1BFAU8V.9twly
wedn1:$2a$10$S/.Hn6DsfJ0VB4jipl26zerbxInpKZBBiqpbtyY/5nma1/QrPvTDC
wedn2:$2a$10$zGFlYo0/ojkiGOlXjc5YNevZL1eC3eA1SEl.vDekp.xBRzmHlHISq
wedn3:$2a$10$Pn8gZmJt17O7pKiTCmw9fu8/B0MjMs4CWmgtdRMtPK.XAUkfW/uNW
wedn4:$2a$10$KCseFYELP5nsan2pjg2qHukML8W/xnGTRSP9QtEo5vKVtCgL9EUoO
wedn5:$2a$10$3QDLpx/eoRWrNDmBi6HPZekILQQfrCY8/VFjmhLQa0FB23bJv.XVq
wedn6:$2a$10$IVhrhwk3EBT9y53MmyWjhe4Glxq.Mpb7q9lHeAObPiqNU4KKUCwxS
qubit:$2b$12$d5Pg0o2CXFrnjnJ014qJ7.UDUotAxVT.gMz7S/wR1NIp1wEUeiSjC
quart:$2b$12$B.k3KgR6/bVe9MoN5vNHduoqdDEuvo6JJm5u6ekWwNU4cafxMYNYO

Then, when the hashed passwords are available, we use John the Ripper to crack them against a wordlist with many passwords. Wherever they came from :) Apart from the ‘rockyou.txt’ we have worked with in a previous exercise, installation of john includes a password list somewhat smaller, and therefore more handy for test.

Example 2. john, Step 1
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
$ wc -l password.lst
   238195 password.lst
$ ls -l /usr/local/share/john/password.lst
$ -rw-r--r--  1 root  bin  2510270 Sep 28 11:42 /usr/local/share/john/password.lst

$ john hashes.txt --wordlist=password.lst 
Loaded 7 password hashes with 7 different salts (bcrypt [Blowfish 32/64 X2])
Press 'q' or Ctrl-C to abort, almost any other key for status
password         (wedn4)
password         (wedn3)
password         (wedn2)
test             (wedn)
test1            (wedn1)
5g 0:00:24:35 7% 0.003389g/s 13.34p/s 28.55c/s 28.55C/s autoinduction..autoinductive
5g 0:00:24:50 7% 0.003355g/s 13.35p/s 28.55c/s 28.55C/s autosuppression..autosymbiontic
Use the "--show" option to display all of the cracked passwords reliably
Session aborted
$john hashes.txt --show                  
wedn:test
wedn1:test1
wedn2:password
wedn3:password
wedn4:password

5 password hashes cracked, 2 left

$ john hashes.txt --wordlist=password.lst 
Loaded 7 password hashes with 7 different salts (bcrypt [Blowfish 32/64 X2])
Remaining 2 password hashes with 2 different salts
Press 'q' or Ctrl-C to abort, almost any other key for status

as we just saw, the run of john allows status messages. Perhaps more importantly, it allows interruption and display of intermidiary results. If we run the command one more time, it will not start over, but resume from where it came to earlier.

Example 3. john, YAE
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
$ echo "user:AZl.zWwxIh15Q" > hashes1.txt

$ john hashes1.txt
Loaded 1 password hash (descrypt, traditional crypt(3) [DES 128/128 SSE2-16])
Press 'q' or Ctrl-C to abort, almost any other key for status
example          (user)
1g 0:00:00:00 100% 2/3 50.00g/s 2682Kp/s 2682Kc/s 2682KC/s evocate..exceptin
Use the "--show" option to display all of the cracked passwords reliably
Session completed

$ john hashes1.txt --show
user:example

1 password hash cracked, 0 left

You will notice from the CLI of example 3 that there’s no reference to a wordlist of cleartext passwords. This is possible because the installation of john supplies a 240K words long list, and this list is used as a default.

Example 4. john, YAE
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
$ cat nodecontacts.txt
ls@x15.dk:$2a$10$4ajboUXRaVje8famf53AUOEwBtTQMIBPoYcfXvQXUdjdS8hU9d6ta
rene@iba.dk:$2a$10$IPx29doZfFi.bfAV6fo7C.OdDq.xfLHwrKQSGs2IaELdH9ew8QxWO
abc@def.gh:$2a$10$JVizGpr3dm.qstyovAfNOO4qVgAkMjzNyBGmZJUPDst3tSyMuFgoK
abc@x15.dk:$2a$10$exSQPmlE78xE0D45ZD.S9eee.fSY4tiSICNeXHeW1hqFzmls/pwYy
tulle@x15.dk:$2a$10$kw9mFlcrq0M2TwIs.FRP0ugMLs0CXnu1PkSz660AmuUub.gDcSLEq
nmla@iba.dk:x

$ john nodecontacts.txt
Loaded 5 password hashes with 5 different salts (bcrypt [Blowfish 32/64 X2])
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:12:48 20% 1/3 0g/s 28.50p/s 28.50c/s 28.50C/s DABC@DEF.GH5..DEFABC5
0g 0:00:20:00 37% 1/3 0g/s 28.38p/s 28.38c/s 28.38C/s ,xls..,x15dk
0g 0:00:54:05 86% 1/3 0g/s 28.56p/s 28.56c/s 28.56C/s idk888888..dk888888
0g 0:01:03:07 98% 1/3 0g/s 28.32p/s 28.32c/s 28.32C/s ldk1919..ls1919
0g 0:01:04:04 98% 1/3 0g/s 28.18p/s 28.18c/s 28.18C/s tdk1910..tulle1910
0g 0:01:04:06 98% 1/3 0g/s 28.18p/s 28.18c/s 28.18C/s xdk1910..dk1910
1234             (abc@def.gh)
1234             (rene@iba.dk)
test             (abc@x15.dk)
test             (tulle@x15.dk)
test             (ls@x15.dk)
5g 0:01:06:14 100% 2/3 0.001257g/s 27.66p/s 27.78c/s 27.78C/s test..test123
Use the "--show" option to display all of the cracked passwords reliably
Session completed

$ john nodecontacts.txt --show
ls@x15.dk:test
rene@iba.dk:1234
abc@def.gh:1234
abc@x15.dk:test
tulle@x15.dk:test

5 password hashes cracked, 0 left

Hashcat

Tutorial at https://resources.infosecinstitute.com/topic/hashcat-tutorial-beginners/. more details at

https://uwnthesis.wordpress.com/2014/12/28/kali-how-to-use-hashcat-cracking-dictionaries/

man hashcat has all the data but not many words. Not informative for noobs.

Now to work:

Example 5. Unix Hashing from the CLI
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
┌──(nml㉿kali)-[~/thehack]
└─$ echo 'test' | shasum -a 512
0e3e75234abc68f4378a86b3f4b32a198ba301845b0cd6e50106e874345700cc6663a86c1ea125dc5e92be17c98f9a0f85ca9d5f595db2012f7cc3571945c123  -
                                                                                                            
┌──(nml㉿kali)-[~/thehack]
└─$ echo 'test' | shasum -a 256
f2ca1bb6c7e907d06dafe4687e579fce76b37e4e93b7605022da52e6ccc26fd2  -
                                                                                                            
┌──(nml㉿kali)-[~/thehack]
└─$ echo 'test' | shasum -a 1  
4e1243bd22c66e76c2ba9eddc1f91394e57f9f83  -
                                                                                                            
┌──(nml㉿kali)-[~/thehack]
└─$ echo 'test' | md5sum       
d8e8fca2dc0f896fd7cb4cb0031ba249  -
Example 6. Create Hashes, Script createTargetHashes
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
#!/usr/bin/bash
if [ $# -ne 3 -o "$1" != '-m' ] ; then
    echo "Usage: $0 -m nn outfile" >&2; exit 1
fi
case "$2" in
    0) HASH="md5sum" ;;
    100) HASH="shasum -a 1" ;;
    1400) HASH="shasum -a 256" ;;
    1700) HASH="shasum -a 512" ;;
    *) HASH="md5sum" ;;
esac
OUTFILE=$3

echo -n "Password" | $HASH | tr -d " -" > ./"$OUTFILE"
echo -n "HELLO" | $HASH | tr -d " -" >> ./"$OUTFILE"
echo -n "MYSECRET" | $HASH | tr -d " -" >> ./"$OUTFILE"
echo -n "Test1234" | $HASH | tr -d " -" >> ./"$OUTFILE"
echo -n "P455w0rd" | $HASH | tr -d " -" >> ./"$OUTFILE"
echo -n "GuessMe" | $HASH | tr -d " -" >> ./"$OUTFILE"
echo -n "S3CuReP455Word" | $HASH | tr -d " -" >> ./"$OUTFILE"

executed by

Example 7. hashcat
1
2
3
./createTargetHashes.sh -m 0 fil1
# or
./createTargetHashes.sh -m 1700 fil4
Example 8. hashcat
1
$ hashcat -m 1700 -a 0 -o fil4o.txt fil4 rockyou.txt
Example 9. hashcat
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
$ hashcat -m 1700 -a 0 -o fil4o.txt fil4 $WORDLISTL 
hashcat (v6.2.5) starting

OpenCL API (OpenCL 2.0 pocl 1.8  Linux, None+Asserts, RELOC, LLVM 11.1.0, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=====================================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz, 2867/5799 MB (1024 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 7 digests; 7 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Salt
* Raw-Hash
* Uses-64-Bit

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

INFO: Removed 5 hashes found as potfile entries or as empty hashes.

Host memory required for this attack: 1 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

Cracking performance lower than expected?                 

* Append -O to the commandline.
  This lowers the maximum supported password/salt length (usually down to 32).

* Append -w 3 to the commandline.
  This can cause your screen to lag.

* Append -S to the commandline.
  This has a drastic speed impact but can be better for specific attacks.
  Typical scenarios are a small wordlist but a large ruleset.

* Update your backend API runtime / driver the right way:
  https://hashcat.net/faq/wrongdriver

* Create more work items to make use of your parallelization power:
  https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.           

                                                          
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 1700 (SHA2-512)
Hash.Target......: fil4
Time.Started.....: Sun Jan  9 17:55:00 2022 (5 secs)
Time.Estimated...: Sun Jan  9 17:55:05 2022 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  2778.7 kH/s (0.44ms) @ Accel:512 Loops:1 Thr:1 Vec:4
Recovered........: 5/7 (71.43%) Digests
Progress.........: 14344385/14344385 (100.00%)
Rejected.........: 0/14344385 (0.00%)
Restore.Point....: 14344385/14344385 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: $HEX[206b72697374656e616e6e65] -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#1..: Temp: 73c Util: 71%

Started: Sun Jan  9 17:54:59 2022
Stopped: Sun Jan  9 17:55:07 2022

there is an option quiet if you don’t need all the details. The systemvariable $WORDLISTL points at /usr/share/wordlists/rockyou.txt the location of the rockyou file on KALI Linux.

Example 10. hashcat

The output file from the above command is fil4o.txt

1
2
3
4
5
6
$ cat fil4o.txt
e6c83b282aeb2e022844595721cc00bbda47cb24537c1779f9bb84f04039e1676e6ba8573e588da1052510e3aa0a32a9e55879ae22b0c2d62136fc0a3e85f8bb:Password
33df2dcc31d35e7bc2568bebf5d73a1e43a0e624b651ba5ef3157bbfb728446674a231b8b6e97fa1e570c3b1de6d6c677541b262ac22afda5878fa2b591c7f08:HELLO
0a9b3f20d3d588b98616f5792d957709f62a5ddd2662436e46c752a5000db6877c8c58997bd0cadc3c8f14827510cab5df92170a8ceda6ecb8275fa6b5d8f375:P455w0rd
b43f1d28a3dbf30070bf1ae7c88ee2784047fc86d7be8620c8510debbd8555b3ef0b96376a4dd494ae0561580274bcf7a3069f5c0beceff63d1237a13d4d72b7:Test1234
c7c06c1eb863fa23513834077a1ef3de11e3df81b45c84979747387398125430a53c9b5f9f84f0210819da784bf6cdb307c0dc1e019a6a9334e73990b947e3e9:MYSECRET

Hydra

Hydra is documented at https://www.kali.org/tools/hydra/ apart from the regular hydra -h of course. This article in Medium has a good overview.

The hydra -h provides some useful examples, as man pages often do:

Example 11. Ecamples from hydra -h
1
2
3
4
5
6
Examples:
    hydra -l user -P passlist.txt ftp://192.168.0.1
    hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
    hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
    hydra -l admin -p password ftp://[192.168.0.0/24]/
    hydra -L logins.txt -P pws.txt -M targets.txt ssh
Example 12. Output from hydra
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
$ hydra -l tester11 -P tmp/crunches.txt localhost -t 14 ssh                                   
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-01-07 11:18:55
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 14 tasks per 1 server, overall 14 tasks, 20736 login tries (l:1/p:20736), ~1482 tries per task
[DATA] attacking ssh://localhost:22/
[STATUS] 131.00 tries/min, 131 tries in 00:01h, 20607 to do in 02:38h, 14 active
[STATUS] 98.67 tries/min, 296 tries in 00:03h, 20442 to do in 03:28h, 14 active
[STATUS] 92.29 tries/min, 646 tries in 00:07h, 20092 to do in 03:38h, 14 active
[STATUS] 90.67 tries/min, 1360 tries in 00:15h, 19378 to do in 03:34h, 14 active
[STATUS] 90.65 tries/min, 2810 tries in 00:31h, 17928 to do in 03:18h, 14 active
[STATUS] 90.55 tries/min, 4256 tries in 00:47h, 16482 to do in 03:03h, 14 active
[STATUS] 90.49 tries/min, 5701 tries in 01:03h, 15037 to do in 02:47h, 14 active
[STATUS] 90.73 tries/min, 7168 tries in 01:19h, 13570 to do in 02:30h, 14 active
[STATUS] 90.88 tries/min, 8634 tries in 01:35h, 12104 to do in 02:14h, 14 active
[STATUS] 90.62 tries/min, 10059 tries in 01:51h, 10679 to do in 01:58h, 14 active
[STATUS] 90.61 tries/min, 11507 tries in 02:07h, 9231 to do in 01:42h, 14 active
[STATUS] 90.64 tries/min, 12961 tries in 02:23h, 7777 to do in 01:26h, 14 active
[STATUS] 90.64 tries/min, 14411 tries in 02:39h, 6327 to do in 01:10h, 14 active
[STATUS] 90.61 tries/min, 15857 tries in 02:55h, 4881 to do in 00:54h, 14 active
[STATUS] 90.66 tries/min, 17316 tries in 03:11h, 3422 to do in 00:38h, 14 active
[STATUS] 90.66 tries/min, 18766 tries in 03:27h, 1972 to do in 00:22h, 14 active
[STATUS] 90.55 tries/min, 20193 tries in 03:43h, 545 to do in 00:07h, 14 active
[22][ssh] host: localhost   login: tester11   password: fede
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-01-07 15:06:29

Exercises

The rules for handing in assignments may be found in the README

Exercise DS.5.0

Generate a file of hashes with something like

1
2
3
4
echo -n "test" | shasum | tr -d " -" > bftest 
echo -n "fede" | shasum | tr -d " -" >> bftest 
echo -n "1234" | shasum | tr -d " -" >> bftest
echo -n "Fede" | shasum | tr -d " -" >> bftest

Crack those passwords by

  • john
  • hydra
  • hashcat with dictionary attack
  • hashcat with brute force

Solutions must show the file bftest, and the command doing the crack.

Exercise DS.5.1

You must test and time brute force attacks with hashcat. Because time consumption may explode, try and compare passwords of length 3, 4, and 5 characters only.

Generate the necessary input hash file with something like the following

1
2
3
4
echo -n "NML" | shasum | tr -d " -" > bftest3 
echo -n "abc" | shasum | tr -d " -" >> bftest3 
echo -n "666" | shasum | tr -d " -" >> bftest3
echo -n "a1a" | shasum | tr -d " -" >> bftest3