Password Brute-Forcing Tips

00:00

password, brute forcing tips are learning objective is to describe some useful tips when trying to brute force protocols and web services.

00:09

So you saw what I did on that Wordpress site, I put a user in there. I want to see the different responses between a user I knew and the user I didn't.

00:17

But some Wordpress sites will lock you out after maybe three wrong attempts at a user name and password. So check the response when you enter something and it's incorrect and it says you have x amount of times before you were locked out of that service, in which case is not a good idea to brute force that password username and password,

00:37

you're gonna get locked out and you can't do it ever again.

00:39

Or it can block you for a certain length of time, maybe an hour, maybe a day.

00:44

So be aware of that. The other thing is a test between hydra and crack and Medusa

00:50

showed, and crack was the fastest. Now that's good to know. You could be very proficient within crack. I think it's better to know a particular one of these tools really well, get to know each of them. But you know, I, I always default to hydra. Hydra is the one that I feel most comfortable with and I like.

01:11

So it's good to know that in crack was the fastest, but I've had a lot of success with hydra. So that's usually my go to tool.

01:19

Yeah.

01:19

Word lists.

01:22

So that is going to determine your success. I always go and say rocky dot txt. There are other ones you can use that are more targeted rather than waiting, you know, days for rock you to to find the correct password. There are lists already in Cali under, users share word lists.

01:40

Um, also you can create a custom word list you saw me use Cool. Um, to kind of hone in because I knew that person liked turtles to kind of hone in on

01:52

which words might be the correct one for their password.

01:55

So be mindful that word lists can really make or break you and determine how quickly you find a password.

02:05

So is it worth waiting hours? Um,

02:07

you know, in the labs and things like that,

02:10

let's just say, you know, I would start a tool and, and hope that it would work and after, you know, seven hours of it not working, it's probably not gonna work. You probably won't find the correct username and password.

02:23

So be aware of that. And also be aware of the stress it puts on the box.

02:29

If you're hammering a web server with thousands of requests, um, you may Dossett and you can't use that service.

02:38

So be aware. And this is of course true for the labs. Right. The labs are a shared environment.

02:44

So if you were running a tool on a box

02:47

and you're sending thousands of requests, you could be discussing that service for somebody else.

02:53

Yeah.

02:54

So let's go do a demo.

03:00

So I've come across this website 1921681222

03:05

and it has basic authentication. So

03:08

they will ask me for a user name and password. I don't know what that is. I can try to enumerate users on this box by doing a few different things.

03:20

So what I want to do is I want to use End Map and I've already determined that

03:27

s uh simple network management Protocol S N M. P. Is enabled here.

03:32

So I'm gonna do End map. S you notice summary routes. So I don't need to do Sudo port 161 sc. This didn't do the default the default scripts

03:45

for S and M. P.

03:47

And let's see what we get.

03:50

We should get a list of users

03:53

in the output.

03:57

And we do we have admin administrator, guest, E user, S, S, H D. S safety server

04:04

and user

04:06

you can also do that with S and M. P. Walk.

04:12

You need to know the oh I'd string which I googled to get the users.

04:17

So I said and it's an S and M. P. Walk had a very verbose output. But if you specify the oh I D like I did here I can see I have what different users on this box. This will help me hone in on brute forcing. The other thing that you can do with basic authentication

04:34

is use End Map again. This is why you see I use End Map a lot. It's very versatile.

04:40

Somebody you script. HDP brute port 81 921681222 Very very very verbose.

04:48

And we'll see if that successfully brute force is the login.

04:53

Mhm.

04:54

Mhm.

04:58

Now there are the I'm going to also use N crack hydrogen Medusa

05:01

on this basic off page. In addition to End map and we can compare all the different tools.

05:15

So right now is trying combinations of boo. That was fast.

05:20

So we see it found admin Hunter an admin. I love you and that Nice. We can do that with N crack.

05:30

Yeah.

05:33

So I'm gonna specify a specific user. In this case

05:38

we can of course create a user list.

05:41

But N crack is m http you as user P is our password list. Rock you

05:47

and

05:49

F. Will make it stop upon success.

05:54

So if we're right up there, Hunter,

05:59

yep. We see Hunter is the password.

06:02

Okay, let's try Hydro. Now,

06:05

I'm gonna try hydra on the user admin.

06:12

So hydra admin we're using Rock you again

06:16

using HP. Head request an index at html.

06:24

So and I've already found it. But I just want to show you the different tools here

06:29

and it found login. Admin password. I love you.

06:33

All right, let's give the Medusa a try.

06:36

So, we know we have I. E. User

06:40

from S. And M. P.

06:47

Mhm.

06:49

Yeah.

06:49

With my user there.

06:51

So

06:55

we'll use Medusa.

07:00

I user. This is a custom password list that I'm using now.

07:03

Just because it's not. I know that if I ran this in Rocky would take a very long time.

07:10

So I see that it found I user and password of this weird password here.

07:16

So those are the outputs of the three different tools. Now let's log in. I eat user.

07:21

We'll use this password.

07:25

Let's try this again.

07:28

E user

07:30

we have a password. My mouse isn't working.

07:40

Okay now what do we see

07:43

first? We see him a pretty bad web web developer because I just made this basic page here. Congrats you have bypassed basic authentication, bank safe passwords,

07:53

bank safe password list. So I click here and I see all these banks safe passwords.

08:01

Now what I can do

08:03

is

08:05

create a file

08:07

bank pass

08:11

and all through these in here.

08:16

Now I can use hash ID on this.

08:20

Yes

08:22

and see what it says

08:24

and I see that it doesn't know the hash probably because this is bank safe in here. So I can also do

08:31

is hash identifier

08:35

Paste one of these hashes and tells me that it's a shot. 5 12.

08:39

So I will get out of here.

08:43

Mhm.

08:45

And now I want to use john

08:46

on this file.

08:50

Mhm.

08:50

Yeah.

08:52

And because I know what it is. I want to specify that I wanna do format equals raw shot 5 12

09:01

and we see it cracked all of them. We have to perform a dragon snoopy and summer. So we've cracked all of these.

09:11

Mhm.

09:15

So, let's try these tools on some other protocols. Let's try them on SMB and see what happens. I want to try hydra

09:26

on I user with our custom password list. We're gonna do SMB want to see what happens, cracks it very easily there.

09:33

Now let's try Medusa.

09:41

Yeah,

09:41

I had to do S. M S M B N. T. Here and have to stop on success.

09:52

They're here you go. Admin. I love you.

09:56

And we'll try and crack on SMB.

10:00

You'll notice on end crack. I specify the port

10:03

instead of S. N. B.

10:11

All right.

10:11

User hunter.

10:13

There's also telnet enabled on this box. And the one tool that I found that worked is Hydro maybe you know why I'm partial Hydro's. I've just had so much success with it.

10:24

So let's try this now. It will actually warn you

10:28

says telnet by its nature is unreliable. So choose FTP or Ssh etcetera if available.

10:37

So if we do find a username or password that works, we could try that until now tell Net.

10:43

But if we don't have those options, all we have is telnet,

10:46

then I'll put my money on hydra.

10:58

All right. So we see it found the correct password for telnet.

11:03

It may take a really long time.

11:05

But

11:07

tell that's great because

11:11

it allows us to have full access to this box

11:20

and there you go. Get your command prompt there.

11:24

So now you've seen a few different tools and how to brute force different protocols and also how to crack some passwords,

11:33

I should say with johN if I didn't specify the shock value,

11:37

that would also take a very, very, very long time to crack. So it's worth it to specify a format

11:43

by identifying the hash value there.