Hashcat
Hashcat is a common password-cracking tool used to crack the hashes of passwords. Hashcat can crack hashes from a number of different hashing algorithms, including MD5, SHA1, and more. Hashcat can use dictionary attacks and brute-force attacks to crack the password hashes. For example, you could use the following command:
hashcat -m 0 -a 0 -o output.txt target_hashes.txt /usr/share/wordlists/rockyou.txt
-m 0 specifies the hash mode. 0 means MD5, while 100 is SHA1.
-a 0 specifies the attack mode. 0 means a dictionary attack.
-o specifies the output file to write the cracked passwords to. In this example, I used output.txt.
target_hashes.txt is the file that contains the hashes to be cracked.
/usr/share/wordlists/rockyou.txt is the dictionary list file that comes with Kali Linux.
For the full list of hash modes and options, run hashcat -h in a Linux terminal.
Medusa and Hydra
Medusa and Hydra are also password-cracking tools included with Kali Linux that you can use to crack passwords. Medusa is a fast password-cracking tool that can encapsulate the password attack into different protocols, such as HTTP, FTP, IMAP, MSSQL, POP3, SMTP, TELNET, SSH, and many more. For Medusa on Kali Linux, use the following command:
medusa -h 192.168.1.3 -u admin -P rockyou.txt -M ssh
This command attempts to crack the password of the user account admin on system 192.168.1.3 using SSH as the protocol and the password list file of rockyou.txt.
Hydra is a password-cracking tool that can encapsulate the attack inside many protocols as well, such as FTP, HTTP, HTTPS, LDAP, MS-SQL, MySQL, RDP, POP3, SMB, SSH, and many more. Notice that you can use it to crack passwords over RDP. So you could use Nmap to discover all systems on the network running RDP and then use Hydra to attempt to crack the admin password. For example, use this command to detect systems with RDP on the network:
nmap -sS 192.168.1.0/24 -p 3389
You could then use the following command to attempt to crack the administrator password on one of the systems found:
hydra -l administrator -P rockyou.txt rdp://192.168.1.3
-l is the name of the user account to crack. Note you can use -L instead with a text file containing a list of users.
-P specifies the password list file to use. In this example I used rockyou.txt.
rdp://192.168.1.3 is the system we want to crack the password on. Note the URL starts with the protocol. If you want to crack the password over FTP or HTTP, you would simply start the URL with those protocols.
1. Ensure the Kali Linux and Metasploitable2 VMs are running, run ifconfig on each, and record the IP address:
Kali Linux: __________________
Metasploitable2: _____________
2. On Kali Linux, launch a browser and type http://<ip_metasploitable2>.
3. Choose the DVWA link.
4. Right-click on the page and choose Inspect Element.
You should now have the web page and the HTML source code shown on the screen.
5. In the bottom half of the screen, choose the Network tab to monitor network traffic as you try to log on to the site.
6. In the main logon screen, type your name in the Username and Password textboxes and then choose the Login button.
You will notice that your login fails (on the web page under the Login button), but you will also see on the Network tab that the page was posted to login.php.
7. Select the login.php POST method line (see the following figure).
On the right you can see the details of the request (Header, Cookies, Params).
8. Choose the Edit and Resend button in order to recreate the HTTP post request message and gather information that Hydra needs to perform the password attack.
Hydra needs the hostname or IP address, the login page URL, the request body, and the error message. Record the information:
Host/IP: ______________________________________________
Login page (Referer without host/IP): ______________________
Request body: _________________________________________
Error message: _________________________________________
In my example, I recorded the following information:
Host/IP: 192.168.67.137
Login page (Referer without host/IP): /dvwa/login.php
Request body: username=glen&password=glen&Login=Login
Error message: Login failed (error shown on page)
9. Replace the username and password you typed in the request body with the ^USER^ and ^PASS^ variables, so the information becomes:
Host/IP: 192.168.67.137
Login page (Referer without host/IP): /dvwa/login.php
Request body: username=^USER^&password=^PASS^&Login=Login
Error message: Login failed (error shown on page)
Note that ^USER^ and ^PASS^ are variables, which means that for every username and password read from a user list file and password list file, those words will be placed in those variables in order to try a large number of usernames and passwords from the one command.
10. Now that we have all of the information, start a terminal session in Kali Linux.
11. Enter the following Hydra command to attempt to crack the login page of the site:
hydra -L userlist.txt -P passlist.txt <host_IP> http-post-form "<login_page>:<request_body>:<error_message>"
-L refers to a text file containing a list of users.
-P specifies the password list file to use.
<host_IP> refers to the IP or hostname of the website.
http-post-form is the method to use to perform the password attack.
<login_page> refers to the URL of the login web page.
<request_body> refers to the username and password parameters.
<error_message> is the error message that was displayed on the page when the login failed.
In my example, the command is:
hydra -L userlist.txt -P passlist.txt 192.168.67.137 http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login Failed"
Note that if you would like to see the actual username and passwords that are attempted display on the screen while the attack is occurring, you can add -V
to the end of the command like this:
hydra -L userlist.txt -P passlist.txt 192.168.67.137 http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login Failed" -V
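Both the Medusa and Hydra attacks against SSH and RDP above and the http-post-form attack against the DVWA login page leave the same trace on the target: many failed authentications from one source in a short time, often across several usernames, sometimes followed by a success. The following added example (it is not from the book, Hydra or Medusa) shows the detection side: it parses two constructed log excerpts, an sshd auth log and an Apache-style access log for the /dvwa/login.php page, and flags any source that exceeds a failure threshold inside a sliding time window, noting whether a successful login followed the burst. The log lines, host names, addresses, log year and thresholds are all assumptions constructed for the example.

```python
# Added example: flag password-guessing bursts in sshd and web-server logs.
# All log lines below are constructed, not captured from a real system.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd auth log: a burst of failures from .50 (two usernames)
# that ends in a success, plus two isolated failures from .77 an hour apart.
AUTH_LOG = """\
Mar 10 12:00:01 srv sshd[2101]: Failed password for admin from 192.168.1.50 port 51234 ssh2
Mar 10 12:00:02 srv sshd[2102]: Failed password for admin from 192.168.1.50 port 51235 ssh2
Mar 10 12:00:02 srv sshd[2103]: Failed password for invalid user root from 192.168.1.50 port 51236 ssh2
Mar 10 12:00:03 srv sshd[2104]: Failed password for admin from 192.168.1.50 port 51237 ssh2
Mar 10 12:00:04 srv sshd[2105]: Failed password for admin from 192.168.1.50 port 51238 ssh2
Mar 10 12:00:05 srv sshd[2106]: Accepted password for admin from 192.168.1.50 port 51239 ssh2
Mar 10 12:30:00 srv sshd[2200]: Failed password for bob from 192.168.1.77 port 40000 ssh2
Mar 10 13:30:00 srv sshd[2300]: Failed password for bob from 192.168.1.77 port 40001 ssh2
"""

# Constructed Apache-style access log: five POSTs to the login form from .50
# within two seconds, and ordinary browsing from .20.
ACCESS_LOG = """\
192.168.1.50 - - [10/Mar/2024:12:05:00 +0000] "POST /dvwa/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.1.50 - - [10/Mar/2024:12:05:00 +0000] "POST /dvwa/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.1.50 - - [10/Mar/2024:12:05:01 +0000] "POST /dvwa/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.1.50 - - [10/Mar/2024:12:05:01 +0000] "POST /dvwa/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.1.50 - - [10/Mar/2024:12:05:02 +0000] "POST /dvwa/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.1.20 - - [10/Mar/2024:12:05:03 +0000] "GET /dvwa/index.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
192.168.1.20 - - [10/Mar/2024:12:06:00 +0000] "POST /dvwa/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

SSH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
WEB_RE = re.compile(r'^(?P<ip>[\d.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] "POST (?P<path>\S+) ')


def parse_events(auth_log, access_log, login_path="/dvwa/login.php", year=2024):
    """Normalise both logs into (service, timestamp, source ip, user, success).
    syslog lines carry no year, so one is assumed; web timestamps are taken as UTC
    and made naive so the two sources can be compared. A POST to the login page
    is counted as an attempt because the form itself reports the outcome."""
    events = []
    for line in auth_log.splitlines():
        m = SSH_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append(("ssh", ts, m["ip"], m["user"], m["result"] == "Accepted"))
    for line in access_log.splitlines():
        m = WEB_RE.match(line)
        if m and m["path"] == login_path:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
            events.append(("http", ts, m["ip"], None, False))
    return events


def detect_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Sliding window over failures per (service, source). Returns one alert per
    source with the largest attempt count seen inside any window, the distinct
    usernames tried, and whether a success followed the burst."""
    by_source = defaultdict(list)
    for service, ts, ip, user, ok in sorted(events, key=lambda e: e[1]):
        by_source[(service, ip)].append((ts, user, ok))
    alerts = {}
    for key, items in by_source.items():
        failures = [(ts, user) for ts, user, ok in items if not ok]
        best, start = None, 0
        for end in range(len(failures)):
            while failures[end][0] - failures[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["attempts"]):
                burst_end = failures[end][0]
                best = {
                    "attempts": count,
                    "users": sorted({u for _, u in failures[start:end + 1] if u}),
                    "success_after": any(ok and ts >= burst_end for ts, _, ok in items),
                }
        if best:
            alerts[key] = best
    return alerts


if __name__ == "__main__":
    for (service, ip), info in detect_bursts(parse_events(AUTH_LOG, ACCESS_LOG)).items():
        print(f"{service} {ip}: {info}")
```

The "success_after" flag is what turns a noisy brute-force alert into an incident: a burst of failures followed by an Accepted line for the same source means a guessed credential worked and the account should be treated as compromised. Real deployments would read the logs from files or a SIEM, and the DVWA form returns its own failure text rather than an HTTP error code, which is why the web parser counts POSTs to the login path rather than status codes.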
For the PenTest+ certification exam, remember that Hashcat, Medusa, and Hydra are all examples of password-cracking tools available on Kali Linux.
CeWL
CeWL, short for Custom Word List generator, is a unique credential-cracking tool in the sense that it is used to generate a text file containing potential passwords by crawling through a site. You could use the following command to generate a wordlist file:
cewl -d 2 -m 5 -w words.txt http://www.yourcustomer.com
-d 2 specifies the depth in the site to go. Here we are going two links deep.
-m 5 specifies the minimum length of characters in the words picked up.
-w specifies the file to write the list of potential passwords to.
John the Ripper
John the Ripper is a multiplatform password-cracking tool that runs on platforms such as Windows and Linux, and can crack passwords stored in different hash forms such as MD5 and SHA. The John package that comes with Kali Linux includes a number of tools such as:
mailer: The mailer command is used to email users who have had their passwords cracked.
john: The john command is the John the Ripper password-cracking tool.
unafs: The unafs command is used to warn users about their weak passwords.
For example, the following command cracks a file of MD5 hashes:
john --format=raw-md5 target_hashes.txt
--format specifies the type of hash values being cracked (MD5 in my example).
target_hashes.txt specifies the text file containing the list of hashes.
In my example, John ran against target_hashes.txt and it was able to crack two of the passwords: Password and HELLO. You can also use a wordlist file with John the Ripper to perform a dictionary attack on the password list using the following command:
john --format=raw-md5 --wordlist rockyou.txt target_hashes.txt
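Hashcat with -m 0 and John the Ripper with --format=raw-md5 both recover passwords from unsalted MD5 so quickly because one hash computation per wordlist entry tests every account at once. The following added example (not from the book, Hashcat or John) runs the same wordlist audit against two stores of the same three passwords: an unsalted MD5 dump like target_hashes.txt, and a store that uses a per-user random salt with PBKDF2-HMAC-SHA256, which is the mitigation a defender applies. The account names, the hashes, the five-word list standing in for rockyou.txt, the iteration count and the stored-string format are all constructed assumptions for the example.

```python
# Added example: auditing a password store with a wordlist, unsalted MD5
# versus salted PBKDF2. Accounts, hashes and wordlist are constructed here.
import hashlib
import hmac
import os

# Constructed "dump" of unsalted MD5 digests (computed inline so the values
# are exact; in a real audit they come from the application's database).
WEAK_STORE = {
    "alice": hashlib.md5(b"Password").hexdigest(),
    "bob": hashlib.md5(b"HELLO").hexdigest(),
    "carol": hashlib.md5(b"correct horse battery staple").hexdigest(),
}

# Constructed five-entry wordlist standing in for rockyou.txt.
WORDLIST = ["123456", "Password", "letmein", "HELLO", "qwerty"]

# Iteration count is an assumption for this example; production systems
# should follow current guidance (hundreds of thousands for PBKDF2-SHA256).
ITERATIONS = 100_000


def audit_unsalted_md5(store, wordlist):
    """Hash each candidate once and look it up against every account.
    Without a salt, one MD5 computation tests all users at the same time,
    which is why hashcat -m 0 and john --format=raw-md5 finish so fast."""
    lookup = {hashlib.md5(word.encode()).hexdigest(): word for word in wordlist}
    return {user: lookup[digest] for user, digest in store.items() if digest in lookup}


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256, stored as a self-describing string (assumed format)."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Re-derive with the stored salt and iteration count; constant-time compare."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def audit_salted(store, wordlist):
    """Same wordlist against the salted store. Every (user, word) pair needs
    its own slow derivation, so the work grows as users x words, each costing
    ITERATIONS rounds, and a hit for one user reveals nothing about the others.
    Returns (cracked accounts, number of derivations performed)."""
    found, derivations = {}, 0
    for user, stored in store.items():
        for word in wordlist:
            derivations += 1
            if verify_password(word, stored):
                found[user] = word
                break
    return found, derivations


def build_salted_store():
    """Re-hash the same three constructed passwords, each with a fresh random salt."""
    plaintexts = {"alice": "Password", "bob": "HELLO", "carol": "correct horse battery staple"}
    return {user: hash_password(pw) for user, pw in plaintexts.items()}


if __name__ == "__main__":
    print("unsalted MD5 cracked:", audit_unsalted_md5(WEAK_STORE, WORDLIST))
    cracked, work = audit_salted(build_salted_store(), WORDLIST)
    print(f"salted PBKDF2 cracked: {cracked} after {work} derivations")
```

The point the two audits make together: salting and a slow KDF do not save the accounts whose passwords are in the wordlist (Password and HELLO fall either way), they only multiply the cost per guess and per account, so the hash store's strength and the password policy are separate controls and a defender needs both.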
Cain and Abel
Cain and Abel is an older password-cracking tool that has a number of features. It can easily capture traffic on the network and then discover passwords that are sent in clear text. It can also be used to crack many different types of passwords, such as MD5 hashes, Cisco hashes, Windows passwords, and password-protected files.
Mimikatz
Mimikatz is a post-exploitation tool available in Kali Linux that is used to steal passwords off a Windows system after the system has been exploited. The tool steals the passwords by locating passwords stored in memory on the exploited system and aids in gaining access to other systems on the network. Prior to Windows 10, Windows would load the encrypted passwords into memory with a feature called WDigest, along with the secret key to decrypt the passwords. Mimikatz leverages this and is able to decrypt the passwords. In Windows 8.1, Microsoft added the capability to disable the WDigest functionality, and it is disabled by default in Windows 10. However, after compromising a system, you could enable it again.
To use Mimikatz after you have exploited a system, you can use the commands shown here:
mimikatz # privilege::debug
Privilege '20' OK
If you see Privilege '20' OK, then you are an administrator. Next, we load the Sekurlsa module for Mimikatz, which will retrieve the passwords from memory:
mimikatz # sekurlsa::logonpasswords
For the PenTest+ certification exam, know that John the Ripper and Cain and Abel are password-cracking tools. Also know that Mimikatz is a post-exploitation tool that can be used to steal passwords after gaining administrative access to the system.