Data Security 5 - Ethical Hacking
References for this Part
Model Solutions Previous Lesson
Model Exercise DS.4.0
Example M1. Login loginBCR.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
|
# loginBCR.py
import bcrypt
import sqlite3
import sys
def verify(user, pwd):
con = sqlite3.connect('test.db')
cur = con.cursor()
try:
sql = 'select password from user where userid = ?'
cur.execute(sql, (user,))
row = cur.fetchone()
if not row:
return False
readpwd = row[0]
pwd = pwd.encode()
rc = bcrypt.checkpw(pwd, readpwd)
return rc
except sqlite3.Error as err:
print(err.sqlite_errorcode, err.sqlite_errorname)
return False
if __name__ == "__main__":
argv = sys.argv
entereduser = argv[1]
enteredpassword = argv[2]
if (verify(entereduser, enteredpassword)):
print(f'you are *in*, wellcome {entereduser}')
else:
print('Nice try, but try again!')
|
Example M2. Login loginBCR.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
|
// verifyps.js
const bcrypt = require('bcryptjs');
const sqlite3 = require('better-sqlite3');
// https://www.npmjs.com/package/better-sqlite3
const argv = process.argv;
const db = new sqlite3('test.db');
const verify = function (user, pwd) {
// read user in db
let sql = 'select userid, password from user where userid = ?';
let stmt = db.prepare(sql);
let rows = stmt.get(user);
// extract password as readpwd
let readpwd = rows.password;
let rc = bcrypt.compareSync(pwd, readpwd);
return rc;
}
let entereduser = argv[2]
let enteredpassword = argv[3];
if (verify(entereduser, enteredpassword)) {
console.log('You chose wisely, you are in');
} else {
console.log('Try again');
}
if (db) db.close();
|
Model Exercise DS.4.1
This exercise is meant for demoing use of another
algorithm. SHA256 is not recommended for use with
password hashing in real life.
Example M3. Register register256.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
|
# register256.py
# https://docs.python.org/3/library/sqlite3.html for doc
# https://www.slingacademy.com/article/python-sqlite3-insert-new-row-get-id/
import hashlib
import rock
import sqlite3
import sys
def hash_password(pwd):
pwd_bytes = pwd.encode('utf-8')
hash_obj = hashlib.sha256(pwd_bytes)
hash = hash_obj.hexdigest()
return hash
def register(user, pwd, textstring):
con = sqlite3.connect('test.db')
cur = con.cursor()
h256 = hash_password(pwd)
try:
res = cur.execute('insert into user256 values(?, ?, ?)', (user, h256, textstring))
con.commit()
return True
except sqlite3.Error as err:
print(err)
return False
if __name__ == '__main__':
argv = sys.argv
entereduser = argv[1]
enteredpassword = argv[2]
enteredcomment = argv[3]
rockyou = rock.Rockyou()
exists = rockyou.search(enteredpassword)
if not exists:
result = register(entereduser, enteredpassword, enteredcomment)
if not result:
print('db error')
else:
print('inserted')
else:
print('inadequate password')
|
Example M4. Login login256.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
|
# login256.py
import hashlib
import sqlite3
import sys
from register256 import hash_password
def verify(user, pwd):
con = sqlite3.connect('test.db')
cur = con.cursor()
try:
sql = 'select password from user256 where userid = ?'
cur.execute(sql, (user,))
row = cur.fetchone()
if not row:
return False
readhash = row[0]
enteredpwdhash = hash_password(pwd)
if enteredpwdhash != readhash:
return False
return True
except sqlite3.Error as err:
print(err.sqlite_errorcode, err.sqlite_errorname)
return False
if __name__ == "__main__":
argv = sys.argv
entereduser = argv[1]
enteredpassword = argv[2]
if (verify(entereduser, enteredpassword)):
print(f'you are *in*, welcome {entereduser}')
else:
print('Nice try, but try again!')
|
Ethical Hacking
Disclaimer
Hacking, in its colloquial sense, is illegal. Therefore,
unless specifically, and explicitly allowed, you are not
allowed to do what is taught here on other networks than
your own.
Kali
The penetration tester, the eufemism describing the ethical hacker,
normally has a dedicated laptop for that part of his job. That
laptop probably has Kali, or … installed on it.
Kali from Live USB
Kali Live
Kali from Docker
Kali Docker
Anonymizing Your Kali Activity
Kali Anonymous
Cracking Passwords
In a login process the user enters a cleartext password and a
user id. These credentials are sent to an application. The
application reads the user’s data from its database.
In order to decide whether the credentials received from
user match what it read from its database, it has to
compare the hashed password from the database with the
cleartext received from the login form. The two will
never match, so to verify, the application must
hash the received cleartext password, and then compare
the two hashes. If they match, the user is assigned a
’logged in’ token of some kind.
Now, examining this, the process of cracking passwords is
the same. Some of the technical components are different,
but logically they are identical.
The cracker does not (commonly) use a login form.
Instead they have a list, file, of passwords that they
want to try.
The cracker does not (commonly) use the live database of
users. Instead they present a stolen list of hashed
passwords to the process.
For each stolen password hash, the hashing algorithm is
identified. The algorithm is then used to hash the entries
in the list of cleartext passwords, one by one, and
comparing that hash to the current hash from the stolen
hashes. If they match the cleartext password from the
list is logged as a result. If they dont, the cracker
iterates to the next stolen hash.
You will notice the preparatory steps from the crackers side:
- Steal the hashed passwords of the targets
- Compile a long list of cleartext passwords
Next we shall look at john and hashcat that operate
as described.
John the Ripper, john
The documentation is to be found at
https://www.varonis.com/blog/john-the-ripper/
In this concrete case we have made john attempt to crack the passwords
stolen from test.db.
Example 1. File with the hashes, hashes.txt
1
2
3
4
5
6
7
8
9
10
11
|
ls4:$2b$12$sU1uR7S5cioCg0RotY.oPu4Y1.Q5PJd4dvJqYhqyh61lDdldc.J3O
nml:$2b$12$sU1uR7S5cioCg0RotY.oPu4Y1.Q5PJd4dvJqYhqyh61lDdldc.J3O
wedn:$2a$10$qAmEfiMVphHhx3SVapETiOZHEqxGFNeLVReE/7LL1BFAU8V.9twly
wedn1:$2a$10$S/.Hn6DsfJ0VB4jipl26zerbxInpKZBBiqpbtyY/5nma1/QrPvTDC
wedn2:$2a$10$zGFlYo0/ojkiGOlXjc5YNevZL1eC3eA1SEl.vDekp.xBRzmHlHISq
wedn3:$2a$10$Pn8gZmJt17O7pKiTCmw9fu8/B0MjMs4CWmgtdRMtPK.XAUkfW/uNW
wedn4:$2a$10$KCseFYELP5nsan2pjg2qHukML8W/xnGTRSP9QtEo5vKVtCgL9EUoO
wedn5:$2a$10$3QDLpx/eoRWrNDmBi6HPZekILQQfrCY8/VFjmhLQa0FB23bJv.XVq
wedn6:$2a$10$IVhrhwk3EBT9y53MmyWjhe4Glxq.Mpb7q9lHeAObPiqNU4KKUCwxS
qubit:$2b$12$d5Pg0o2CXFrnjnJ014qJ7.UDUotAxVT.gMz7S/wR1NIp1wEUeiSjC
quart:$2b$12$B.k3KgR6/bVe9MoN5vNHduoqdDEuvo6JJm5u6ekWwNU4cafxMYNYO
|
Then, when the hashed passwords are available, we use John the
Ripper to crack them against a wordlist with many passwords.
Wherever they came from :)
Apart from the ‘rockyou.txt’ we have worked with in a previous
exercise, installation of john includes a password list
somewhat smaller, and therefore more handy for test.
Example 2. john, Step 1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
|
$ wc -l password.lst
238195 password.lst
$ ls -l /usr/local/share/john/password.lst
$ -rw-r--r-- 1 root bin 2510270 Sep 28 11:42 /usr/local/share/john/password.lst
$ john hashes.txt --wordlist=password.lst
Loaded 7 password hashes with 7 different salts (bcrypt [Blowfish 32/64 X2])
Press 'q' or Ctrl-C to abort, almost any other key for status
password (wedn4)
password (wedn3)
password (wedn2)
test (wedn)
test1 (wedn1)
5g 0:00:24:35 7% 0.003389g/s 13.34p/s 28.55c/s 28.55C/s autoinduction..autoinductive
5g 0:00:24:50 7% 0.003355g/s 13.35p/s 28.55c/s 28.55C/s autosuppression..autosymbiontic
Use the "--show" option to display all of the cracked passwords reliably
Session aborted
$john hashes.txt --show
wedn:test
wedn1:test1
wedn2:password
wedn3:password
wedn4:password
5 password hashes cracked, 2 left
$ john hashes.txt --wordlist=password.lst
Loaded 7 password hashes with 7 different salts (bcrypt [Blowfish 32/64 X2])
Remaining 2 password hashes with 2 different salts
Press 'q' or Ctrl-C to abort, almost any other key for status
|
as we just saw, the run of john allows status messages.
Perhaps more importantly, it allows interruption and display
of intermidiary results. If we run the command one more
time, it will not start over, but resume from where it
came to earlier.
Example 3. john, YAE
1
2
3
4
5
6
7
8
9
10
11
12
13
14
|
$ echo "user:AZl.zWwxIh15Q" > hashes1.txt
$ john hashes1.txt
Loaded 1 password hash (descrypt, traditional crypt(3) [DES 128/128 SSE2-16])
Press 'q' or Ctrl-C to abort, almost any other key for status
example (user)
1g 0:00:00:00 100% 2/3 50.00g/s 2682Kp/s 2682Kc/s 2682KC/s evocate..exceptin
Use the "--show" option to display all of the cracked passwords reliably
Session completed
$ john hashes1.txt --show
user:example
1 password hash cracked, 0 left
|
You will notice from the CLI of example 3 that there’s no reference
to a wordlist of cleartext passwords. This is possible because
the installation of john supplies a 240K words long list,
and this list is used as a default.
Example 4. john, YAE
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
|
$ cat nodecontacts.txt
ls@x15.dk:$2a$10$4ajboUXRaVje8famf53AUOEwBtTQMIBPoYcfXvQXUdjdS8hU9d6ta
rene@iba.dk:$2a$10$IPx29doZfFi.bfAV6fo7C.OdDq.xfLHwrKQSGs2IaELdH9ew8QxWO
abc@def.gh:$2a$10$JVizGpr3dm.qstyovAfNOO4qVgAkMjzNyBGmZJUPDst3tSyMuFgoK
abc@x15.dk:$2a$10$exSQPmlE78xE0D45ZD.S9eee.fSY4tiSICNeXHeW1hqFzmls/pwYy
tulle@x15.dk:$2a$10$kw9mFlcrq0M2TwIs.FRP0ugMLs0CXnu1PkSz660AmuUub.gDcSLEq
nmla@iba.dk:x
$ john nodecontacts.txt
Loaded 5 password hashes with 5 different salts (bcrypt [Blowfish 32/64 X2])
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:12:48 20% 1/3 0g/s 28.50p/s 28.50c/s 28.50C/s DABC@DEF.GH5..DEFABC5
0g 0:00:20:00 37% 1/3 0g/s 28.38p/s 28.38c/s 28.38C/s ,xls..,x15dk
0g 0:00:54:05 86% 1/3 0g/s 28.56p/s 28.56c/s 28.56C/s idk888888..dk888888
0g 0:01:03:07 98% 1/3 0g/s 28.32p/s 28.32c/s 28.32C/s ldk1919..ls1919
0g 0:01:04:04 98% 1/3 0g/s 28.18p/s 28.18c/s 28.18C/s tdk1910..tulle1910
0g 0:01:04:06 98% 1/3 0g/s 28.18p/s 28.18c/s 28.18C/s xdk1910..dk1910
1234 (abc@def.gh)
1234 (rene@iba.dk)
test (abc@x15.dk)
test (tulle@x15.dk)
test (ls@x15.dk)
5g 0:01:06:14 100% 2/3 0.001257g/s 27.66p/s 27.78c/s 27.78C/s test..test123
Use the "--show" option to display all of the cracked passwords reliably
Session completed
$ john nodecontacts.txt --show
ls@x15.dk:test
rene@iba.dk:1234
abc@def.gh:1234
abc@x15.dk:test
tulle@x15.dk:test
5 password hashes cracked, 0 left
|
Hashcat
Tutorial at https://resources.infosecinstitute.com/topic/hashcat-tutorial-beginners/.
more details at
https://uwnthesis.wordpress.com/2014/12/28/kali-how-to-use-hashcat-cracking-dictionaries/
man hashcat has all the data but not many words.
Not informative for noobs.
Now to work:
Example 5. Unix Hashing from the CLI
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
|
┌──(nml㉿kali)-[~/thehack]
└─$ echo 'test' | shasum -a 512
0e3e75234abc68f4378a86b3f4b32a198ba301845b0cd6e50106e874345700cc6663a86c1ea125dc5e92be17c98f9a0f85ca9d5f595db2012f7cc3571945c123 -
┌──(nml㉿kali)-[~/thehack]
└─$ echo 'test' | shasum -a 256
f2ca1bb6c7e907d06dafe4687e579fce76b37e4e93b7605022da52e6ccc26fd2 -
┌──(nml㉿kali)-[~/thehack]
└─$ echo 'test' | shasum -a 1
4e1243bd22c66e76c2ba9eddc1f91394e57f9f83 -
┌──(nml㉿kali)-[~/thehack]
└─$ echo 'test' | md5sum
d8e8fca2dc0f896fd7cb4cb0031ba249 -
|
Example 6. Create Hashes, Script createTargetHashes
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
|
#!/usr/bin/bash
if [ $# -ne 3 -o "$1" != '-m' ] ; then
echo "Usage: $0 -m nn outfile" >&2; exit 1
fi
case "$2" in
0) HASH="md5sum" ;;
100) HASH="shasum -a 1" ;;
1400) HASH="shasum -a 256" ;;
1700) HASH="shasum -a 512" ;;
*) HASH="md5sum" ;;
esac
OUTFILE=$3
echo -n "Password" | $HASH | tr -d " -" > ./"$OUTFILE"
echo -n "HELLO" | $HASH | tr -d " -" >> ./"$OUTFILE"
echo -n "MYSECRET" | $HASH | tr -d " -" >> ./"$OUTFILE"
echo -n "Test1234" | $HASH | tr -d " -" >> ./"$OUTFILE"
echo -n "P455w0rd" | $HASH | tr -d " -" >> ./"$OUTFILE"
echo -n "GuessMe" | $HASH | tr -d " -" >> ./"$OUTFILE"
echo -n "S3CuReP455Word" | $HASH | tr -d " -" >> ./"$OUTFILE"
|
executed by
Example 7. hashcat
1
2
3
|
./createTargetHashes.sh -m 0 fil1
# or
./createTargetHashes.sh -m 1700 fil4
|
Example 8. hashcat
1
|
$ hashcat -m 1700 -a 0 -o fil4o.txt fil4 rockyou.txt
|
Example 9. hashcat
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
|
$ hashcat -m 1700 -a 0 -o fil4o.txt fil4 $WORDLISTL
hashcat (v6.2.5) starting
OpenCL API (OpenCL 2.0 pocl 1.8 Linux, None+Asserts, RELOC, LLVM 11.1.0, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=====================================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz, 2867/5799 MB (1024 MB allocatable), 4MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 7 digests; 7 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Salt
* Raw-Hash
* Uses-64-Bit
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 90c
INFO: Removed 5 hashes found as potfile entries or as empty hashes.
Host memory required for this attack: 1 MB
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
Cracking performance lower than expected?
* Append -O to the commandline.
This lowers the maximum supported password/salt length (usually down to 32).
* Append -w 3 to the commandline.
This can cause your screen to lag.
* Append -S to the commandline.
This has a drastic speed impact but can be better for specific attacks.
Typical scenarios are a small wordlist but a large ruleset.
* Update your backend API runtime / driver the right way:
https://hashcat.net/faq/wrongdriver
* Create more work items to make use of your parallelization power:
https://hashcat.net/faq/morework
Approaching final keyspace - workload adjusted.
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 1700 (SHA2-512)
Hash.Target......: fil4
Time.Started.....: Sun Jan 9 17:55:00 2022 (5 secs)
Time.Estimated...: Sun Jan 9 17:55:05 2022 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 2778.7 kH/s (0.44ms) @ Accel:512 Loops:1 Thr:1 Vec:4
Recovered........: 5/7 (71.43%) Digests
Progress.........: 14344385/14344385 (100.00%)
Rejected.........: 0/14344385 (0.00%)
Restore.Point....: 14344385/14344385 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: $HEX[206b72697374656e616e6e65] -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#1..: Temp: 73c Util: 71%
Started: Sun Jan 9 17:54:59 2022
Stopped: Sun Jan 9 17:55:07 2022
|
there is an option quiet if you don’t need all the details.
The systemvariable $WORDLISTL points at /usr/share/wordlists/rockyou.txt
the location of the rockyou file on KALI Linux.
Example 10. hashcat
The output file from the above command is fil4o.txt
1
2
3
4
5
6
|
$ cat fil4o.txt
e6c83b282aeb2e022844595721cc00bbda47cb24537c1779f9bb84f04039e1676e6ba8573e588da1052510e3aa0a32a9e55879ae22b0c2d62136fc0a3e85f8bb:Password
33df2dcc31d35e7bc2568bebf5d73a1e43a0e624b651ba5ef3157bbfb728446674a231b8b6e97fa1e570c3b1de6d6c677541b262ac22afda5878fa2b591c7f08:HELLO
0a9b3f20d3d588b98616f5792d957709f62a5ddd2662436e46c752a5000db6877c8c58997bd0cadc3c8f14827510cab5df92170a8ceda6ecb8275fa6b5d8f375:P455w0rd
b43f1d28a3dbf30070bf1ae7c88ee2784047fc86d7be8620c8510debbd8555b3ef0b96376a4dd494ae0561580274bcf7a3069f5c0beceff63d1237a13d4d72b7:Test1234
c7c06c1eb863fa23513834077a1ef3de11e3df81b45c84979747387398125430a53c9b5f9f84f0210819da784bf6cdb307c0dc1e019a6a9334e73990b947e3e9:MYSECRET
|
Hydra
Hydra is documented at https://www.kali.org/tools/hydra/
apart from the regular hydra -h of course.
This article in Medium
has a good overview.
The hydra -h provides some useful examples, as man pages
often do:
Example 11. Ecamples from hydra -h
1
2
3
4
5
6
|
Examples:
hydra -l user -P passlist.txt ftp://192.168.0.1
hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
hydra -l admin -p password ftp://[192.168.0.0/24]/
hydra -L logins.txt -P pws.txt -M targets.txt ssh
|
Example 12. Output from hydra
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
|
$ hydra -l tester11 -P tmp/crunches.txt localhost -t 14 ssh
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-01-07 11:18:55
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 14 tasks per 1 server, overall 14 tasks, 20736 login tries (l:1/p:20736), ~1482 tries per task
[DATA] attacking ssh://localhost:22/
[STATUS] 131.00 tries/min, 131 tries in 00:01h, 20607 to do in 02:38h, 14 active
[STATUS] 98.67 tries/min, 296 tries in 00:03h, 20442 to do in 03:28h, 14 active
[STATUS] 92.29 tries/min, 646 tries in 00:07h, 20092 to do in 03:38h, 14 active
[STATUS] 90.67 tries/min, 1360 tries in 00:15h, 19378 to do in 03:34h, 14 active
[STATUS] 90.65 tries/min, 2810 tries in 00:31h, 17928 to do in 03:18h, 14 active
[STATUS] 90.55 tries/min, 4256 tries in 00:47h, 16482 to do in 03:03h, 14 active
[STATUS] 90.49 tries/min, 5701 tries in 01:03h, 15037 to do in 02:47h, 14 active
[STATUS] 90.73 tries/min, 7168 tries in 01:19h, 13570 to do in 02:30h, 14 active
[STATUS] 90.88 tries/min, 8634 tries in 01:35h, 12104 to do in 02:14h, 14 active
[STATUS] 90.62 tries/min, 10059 tries in 01:51h, 10679 to do in 01:58h, 14 active
[STATUS] 90.61 tries/min, 11507 tries in 02:07h, 9231 to do in 01:42h, 14 active
[STATUS] 90.64 tries/min, 12961 tries in 02:23h, 7777 to do in 01:26h, 14 active
[STATUS] 90.64 tries/min, 14411 tries in 02:39h, 6327 to do in 01:10h, 14 active
[STATUS] 90.61 tries/min, 15857 tries in 02:55h, 4881 to do in 00:54h, 14 active
[STATUS] 90.66 tries/min, 17316 tries in 03:11h, 3422 to do in 00:38h, 14 active
[STATUS] 90.66 tries/min, 18766 tries in 03:27h, 1972 to do in 00:22h, 14 active
[STATUS] 90.55 tries/min, 20193 tries in 03:43h, 545 to do in 00:07h, 14 active
[22][ssh] host: localhost login: tester11 password: fede
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-01-07 15:06:29
|
Exercises
The rules for handing in assignments may be found in the
README
Exercise DS.5.0
Generate a file of hashes with something like
1
2
3
4
|
echo -n "test" | shasum | tr -d " -" > bftest
echo -n "fede" | shasum | tr -d " -" >> bftest
echo -n "1234" | shasum | tr -d " -" >> bftest
echo -n "Fede" | shasum | tr -d " -" >> bftest
|
Crack those passwords by
- john
- hydra
- hashcat with dictionary attack
- hashcat with brute force
Solutions must show the file bftest,
and the command doing the crack.
Exercise DS.5.1
You must test and time brute force attacks with hashcat.
Because time consumption may explode, try and compare
passwords of length 3, 4, and 5 characters only.
Generate the necessary input hash file with something like the following
1
2
3
4
|
echo -n "NML" | shasum | tr -d " -" > bftest3
echo -n "abc" | shasum | tr -d " -" >> bftest3
echo -n "666" | shasum | tr -d " -" >> bftest3
echo -n "a1a" | shasum | tr -d " -" >> bftest3
|