55-608874 Advanced Penetration Testing
Lab 6 – Testing Users
Aim of lab 6
The aim of this lab is to understand how we start to subvert the weak point in any system: users.
We can make use of the knowledge that many users are less security aware than they should be
and tend to implement poor security practices. This lab focuses on users employing poor
password practices and how that can make pen testing a lot easier to conduct. This lab also
provides you with the opportunity to catch up with any of the other tasks from the labs that you
did not have a chance to complete. You may also want to go through some of the further tasks
from those labs.
The target for this lab is the metasploitable 2 server.
Task 1
Downloading password lists.
As noted in the lecture, users often adopt poor cyber security practices especially in their choice
of passwords. Therefore, a good place to start with password attacks is by downloading known
password text files.
Download the NCSC top 100,000 password list from [Link] onto your Ubuntu 24.04 VM and look
at it. These are known compromised passwords from the [Link] data set.
Another good resource for password lists (as well as other security resources) is Daniel
Miessler’s github site at [Link] Open
the [Link] file and copy and paste the passwords into a text file. Also, have a
look at some of the other password files that are available on the site.
We now want to customise the [Link] file for use in a later task. Open the file
you saved with a text editor (Pluma on the Ubuntu 24.04 VM). Enter somewhere in the file the
word msfadmin, the password for metasploitable 2 and save the file in your home directory.
Task 2
1. Testing Web server passwords by brute force.
For this task, we are going to install three of the most popular password cracking tools that are
useful for brute forcing Web server passwords: hydra, ncrack, and medusa.
Hydra should have been installed when you installed Sparta in a previous lab as it is integrated
into that tool. However, just to make sure it is installed:
$ sudo apt install hydra
Install ncrack and medusa:
$ sudo apt install ncrack medusa
2. Testing the password of our metasploitable 2 server.
Dr John Haggerty Advanced Penetration Testing
Start your metasploitable 2 server as this will be our target. We will run each of the password
tools at the target to assess the speed at which and whether they brute force the password for
SSH. Use the password file that you created during task 1 of this lab that has the server
password.
To run hydra against SSH on metasploitable:
$ hydra -l msfadmin -P ~/[Link] [Link] ssh
The syntax for the above is: -l msfadmin is the username, -P the password file in the home
directory, then the target IP address and the port/service. The other two tools have a similar syntax.
If you get no results to the command above, you may need to reduce the number of parallel tasks
sent to the server. Many SSH configurations limit the number of parallel tasks they accept. Note
that reducing the number of parallel tasks will mean that the scan will take longer to perform.
$ hydra -l msfadmin -P ~/[Link] [Link] -t 4 ssh
To run ncrack:
$ ncrack -p 22 --user msfadmin -P ~/[Link] [Link]
To run medusa:
$ medusa -u msfadmin -P ~/[Link] -h [Link] -M ssh
You should find variations in the speed of checks, and you can change the command to include
multiple threads to speed the process up. Go through the following tutorial, replacing the IP
addresses with those of your lab: [Link] hydra-and-medusa/.
Task 3
1. Using password crackers; John the Ripper.
John the Ripper supports several common password hash formats out-of-the-box for UNIX and
Windows-based systems. It auto-detects the hash type of the input and compares it against a
large plain-text file of popular passwords, hashing each candidate in turn and stopping when it
finds a match.
Note: as opposed to the brute force attacks in task 2, you will need the password hash file first;
you'll learn how to obtain this next semester.
Install John the Ripper:
$ sudo apt install john
It will also install a data file.
To get an idea of how John the Ripper works and its capabilities, we’ll run some benchmark tests:
$ /usr/sbin/john --test
This will show you the breadth of encryption algorithms that it can crack.
We will now crack a small password file. Open a text editor (Pluma) and type the following in
password format (<user>:<hash>):
myuser:AZl.zWwxIh15Q
Save the text file as [Link] in your home directory. Run John the Ripper against this file:
$ /usr/sbin/john ~/[Link]
This will take a little while to crack. The more powerful the computer, the faster this process takes
so on the VM it may be a little slow. If you want to see the status of the cracking operation at any
time, press the spacebar.
Once John the Ripper has cracked the password, view the results by:
$ /usr/sbin/john --show ~/[Link]
Replace the hash in your [Link] file with other values by generating DES hashes through
the following Web site, [Link] Start with simple
passwords, such as ‘password’ and ‘password123’, and then more advanced ones to see how
good John the Ripper is at cracking passwords.
We are now going to try your real passwords with John the Ripper. All Linux systems keep the
password hashes in a shadow file that only root can read. Therefore, we will create a file from our
passwd and shadow files using John the Ripper's unshadow tool (run as root so that /etc/shadow
can be read; the redirect still writes to your own home directory):
$ sudo unshadow /etc/passwd /etc/shadow > ~/[Link]
This will place our created file in our home directory. We then run John the Ripper against that
file.
$ /usr/sbin/john ~/[Link]
John the Ripper will try single crack mode first, then wordlist mode, and then incremental mode.
A mode is a method it uses to crack passwords. This again may take some time to complete.
If John the Ripper is successful in cracking one of the passwords, it will write to ~/.john/[Link].
However, that file isn't human-readable, so you can read cracked passwords with:
$ /usr/sbin/john --show ~/[Link]
To check if the root password got cracked, filter by UID:
$ /usr/sbin/john --show --users=0 ~/[Link]
2. Cracking simple password hashes.
One of the simplest ways to crack non-salted hashes is to use CrackStation
([Link] an online hash cracking tool. This has speed advantages over
RainbowCrack (see further work) in that it will give faster results as you don’t need to generate
your hash tables.
First, we need to generate some MD5 hashes. Go to [Link] and
type in a word to generate a hash value.
Copy the hash and go to CrackStation. Enter the hash and press the Crack Hashes button.
Try simple passwords first and then move through to more complicated passwords. You should
see that it finds hashes of common passwords quite quickly but may be unable to crack more
complicated ones.
One advantage of this site is that they make the word lists available for download giving you
either 15 GB of potential passwords or a smaller list of 684 MB.
3. Cracking password hashes with Hashcat.
Hashcat is designed to break even complex passwords from a variety of sources, including salted
hashes. It can attack a given hash in several ways, combining versatility with speed. Hashcat
uses pre-computed dictionaries, rainbow tables, and even a brute-force approach to find an
effective and efficient way to crack passwords.
NOTE: Hashcat has problems working on the latest Ryzen processors so try to use a machine
with another type of processor.
Install Hashcat:
$ sudo apt install hashcat
If you want the most up-to-date version, go to [Link]
We will need to create a dictionary with MD5 hashes of several passwords. Using the Terminal,
type the following:
$ echo -n "Password" | md5sum | tr -d " -" >> target_hashes.txt
$ echo -n "HELLO" | md5sum | tr -d " -" >> target_hashes.txt
$ echo -n "1234qwer" | md5sum | tr -d " -" >> target_hashes.txt
$ echo -n "Test1234" | md5sum | tr -d " -" >> target_hashes.txt
$ echo -n "P455w0rd" | md5sum | tr -d " -" >> target_hashes.txt
$ echo -n "GuessMe" | md5sum | tr -d " -" >> target_hashes.txt
$ echo -n "msfadmin" | md5sum | tr -d " -" >> target_hashes.txt
$ echo -n "S3CuReP455Word" | md5sum | tr -d " -" >> target_hashes.txt
This will create a file called target_hashes.txt in your home directory, one hash per line. The -n
option stops echo appending a new line to the end of the password. This is important as we don't
want the new line character to be hashed with our password, which would give a digest that no
word list can ever match. The tr -d " -" deletes the spaces and the hyphen that md5sum prints
after the digest (the hyphen stands for "read from standard input"), leaving just the hash.
Check your password hashes:
$ cat target_hashes.txt
Hashcat works by comparing the hashes in the target file to a word list. Therefore, we are going
to use the [Link] file that we created in task 1.
Note: while Hashcat is a very useful tool, it is not 100% accurate so may miss some passwords.
Run Hashcat against our target file:
$ hashcat -m 0 -a 0 -o [Link] target_hashes.txt darkweb2017-[Link]
Where:
-m 0 designates the type of hash we are cracking (MD5)
-a 0 designates a dictionary attack
-o [Link] is the output file for the cracked passwords
target_hashes.txt is our input file of hashes
[Link] is the wordlist file for this dictionary attack
To view the results of your Hashcat password attack:
$ cat [Link]
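The mechanics behind both the John the Ripper run in part 1 and the hashcat dictionary attack above are the same: hash each word list candidate and compare it with the targets. The following Python is an added illustration, not part of the lab sheet or of either tool; it rebuilds target_hashes.txt in memory, runs the -m 0 -a 0 style lookup over a constructed stand-in word list, shows why echo -n matters, and shows why a salted hash (a hypothetical salt||password construction here) defeats the plain lookup that CrackStation relies on.

```python
import hashlib

# Constructed: the eight passwords the lab hashes with `echo -n ... | md5sum`.
LAB_PASSWORDS = ["Password", "HELLO", "1234qwer", "Test1234",
                 "P455w0rd", "GuessMe", "msfadmin", "S3CuReP455Word"]

# Constructed stand-in for the darkweb2017 list with msfadmin added (task 1).
WORDLIST = ["123456", "password", "Password", "qwerty", "HELLO",
            "1234qwer", "msfadmin", "GuessMe", "letmein"]


def md5_hex(text: str) -> str:
    """MD5 hex digest of text, the same value `echo -n text | md5sum` prints."""
    return hashlib.md5(text.encode()).hexdigest()


def build_target_hashes(passwords=LAB_PASSWORDS):
    """Mirror target_hashes.txt: one unsalted MD5 digest per password."""
    return [md5_hex(p) for p in passwords]


def dictionary_attack(target_hashes, wordlist=WORDLIST):
    """What `hashcat -m 0 -a 0` does: hash each candidate once and look it up in
    the set of targets. Unsalted hashes let one digest be checked against every
    target at once. Returns {digest: recovered password} for matched targets."""
    targets = set(target_hashes)
    cracked = {}
    for candidate in wordlist:
        digest = md5_hex(candidate)
        if digest in targets:
            cracked[digest] = candidate
    return cracked


def newline_mistake(password: str) -> bool:
    """Why the lab insists on `echo -n`: hashing "Password\\n" yields a digest no
    word list entry will ever match, so the hash merely looks uncrackable."""
    return md5_hex(password) != md5_hex(password + "\n")


def crack_salted(target_digest: str, salt: str, wordlist=WORDLIST):
    """A per-user salt (hypothetical MD5(salt || password) here) is why
    CrackStation only handles unsalted hashes: every candidate must be re-hashed
    for each salt, so precomputed tables and the set lookup above no longer apply."""
    for candidate in wordlist:
        if md5_hex(salt + candidate) == target_digest:
            return candidate
    return None
```

Only the five lab passwords that also appear in the stand-in word list are recovered; S3CuReP455Word, Test1234 and P455w0rd stay uncracked, exactly as a dictionary attack would leave them.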
Task 4
The Social-Engineer Toolkit (SET) is an open-source pen test framework designed for social
engineering. SET has a number of custom attack vectors that allow you to make a believable
attack quickly. Whilst the focus of SET is social engineering, it also provides a number of pen
test tools and integrates metasploit and nmap.
1. Download and install SET
SET's development is hosted on github at [Link] toolkit.
Install SET (note: there is a space between social-engineer-toolkit/ and setoolkit/):
$ git clone [Link] setoolkit/
$ cd setoolkit
$ pip3 install -r [Link]
$ sudo python3 [Link]
Run setoolkit:
$ sudo setoolkit
If you have successfully installed SET, you will be presented with a menu. Items 1 – 3 are the
most interesting to us as they provide access to social engineering and pen test tools.
2. Send a phishing email using SET
Follow the tutorial at [Link] to send a
phishing email.
3. Using Web site attack vectors
Follow the tutorial at [Link] to harvest usernames and passwords
from a target.
4. Further features of SET
SET is a powerful tool and can be used in a variety of ways. Explore the SET framework to
identify potential attacks that you could use during a pen test.
Further Work (Optional)
1. John the Ripper is a powerful tool and can be used to generate password files. Go through the
tutorial at [Link] to generate
password lists and variations of passwords that could be used for cracking.
2. Rainbow tables are special dictionary tables that use hash values instead of standard
dictionary passwords. Normally, when you crack a password hash, your computer computes a
word, generates the hash, then compares to see if there is a match. If there is, the password is
correct; if not, it will keep guessing. Rainbow tables work on the principle of a time-memory trade-off.
This means that hashes are pre-generated by a computer and stored in a large rainbow table
file with all of the hashes and words that correspond to them.
Download the latest version of RainbowCrack from [Link] Make sure
you select the Ubuntu zip file that does NOT only work with purchased tables. Move the file into
your home folder and unzip it.
Just generating rainbow tables takes between 2-7 hours, hence this task is in the further work
section. Installing RainbowCrack on your host OS will speed the process up.
Go through the tutorial at [Link] them-crack-passwords-0131470/.
3. Mimikatz is an open-source application that allows users to view and save Windows
authentication credentials. Attackers commonly use Mimikatz to steal credentials and escalate
privileges: in most cases, endpoint protection software and anti-virus systems will detect and
delete it. Conversely, pen testers use Mimikatz to detect and exploit vulnerabilities in your target’s
networks so you can fix them.
Mimikatz runs on Windows. Therefore, you will need to download a Windows Virtualbox VM from
[Link] and add it to your
cyber security lab to run the application.
Go through the tutorial at: [Link] to learn
how to use Mimikatz.