Choosing a password always happens at the worst possible moment.
And since it also has to be remembered, passwords are often built from simple notions: a first name, a brand, a memory...
Fortunately, security managers impose password policies designed to prevent these habits...
Well, not quite:
in most cases the capital letter is at the beginning of the password, and the digits and the special character are at the end...
Please stop using Ferrari12$ as a password...
RockYou, a California-based company, made it possible to authenticate to Facebook applications without re-entering passwords. In December 2009 it was breached.
The database holding the names and unencrypted (plaintext) passwords of its 32 million users was stolen and then published.
Analysis of the passwords showed that a large share of them were six characters or shorter, and that the most common password was 123456.
This list of passwords, sorted by frequency, is widely used in CTFs and in real password audits.
On Kali the list ships compressed as /usr/share/wordlists/rockyou.txt.gz.
Decompress it once with gunzip so that the plain file /usr/share/wordlists/rockyou.txt is available; the commands below refer to that path.
RockYou password list: rockyou.txt
To find out whether your email address appears in a known data breach, use the Firefox Monitor service:
https://monitor.firefox.com/
A professional never stores a password.
They store a hash.
A hash is produced by a mathematical function from the user's password.
When the user enters their password, it is sent to the server over an encrypted channel (TLS); the server computes the hash and compares it with the hash it has stored.
If the two hashes match, the user knows the password and is authenticated.
If the stored database is stolen, the attacker obtains hashes, not passwords. (The hash must not be sent by the client in place of the password: that would turn the hash itself into the secret, and anyone who captured it could replay it.)
Knowing the hash, it is hard to recover the password: the function is designed to be one-way.
To compute the MD5 hash of the password '123456', use the following command in the terminal:
$ printf '123456' | md5sum
e10adc3949ba59abbe56e057f20f883e  -
123456 will always give the same MD5 hash: the function is deterministic, which is exactly what makes pre-computation possible.
MD5 was widely used in the past, but today's processors and GPUs compute it so fast that billions of candidates per second can be tried against it; longer functions such as SHA-1, SHA-256 or SHA-512 are used instead.
The size of the digest grows with the algorithm. Be aware, however, that the SHA family is just as fast as MD5 (and SHA-1 is itself deprecated): for password storage a longer digest is not enough, a salted and deliberately slow construction is needed (the crypt schemes below iterate the hash thousands of times; bcrypt, scrypt, Argon2 and PBKDF2 are the recommended choices today).
$ printf '123456' | sha1sum
7c4a8d09ca3762af61e59520943dc26494f8941b  -
$ printf '123456' | sha256sum
8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92  -
Note: use printf, not echo, when computing a hash. echo appends a newline, which becomes part of the input and changes the digest (echo -n also works in most shells).
Longer hashes are harder to break, but it is still possible to pre-compute them for common passwords such as those in the RockYou list (this is what online lookup services and rainbow tables do).
To defeat pre-computation, we use salts.
A salt is a random value, unique per user, that is concatenated with the password (here placed in front of it) before the hash is computed; it is stored in clear next to the hash, since verification needs it.
Verification remains as fast as before, but the pre-computed tables become useless: an attacker has to recompute the whole wordlist for each salt.
Compute the hash of 123456 with the salt ABCDE and the MD5-based crypt scheme in Python (note the single quotes around the -c argument: inside double quotes the shell would expand $1 and $ABCDE to empty strings; also, the crypt module is deprecated since Python 3.11 and removed in 3.13):
$ python3 -c 'import crypt; print(crypt.crypt("123456", "$1$ABCDE$"))'
With openssl: -1 selects MD5-based crypt, -5 SHA-256-based and -6 SHA-512-based crypt:
$ openssl passwd -1 -salt ABCDE 123456
The result is: $1$ABCDE$Kn5RIMYO1QXy7GtJysNSC1
It is composed of three fields, $xx$xx$xx:
$1 : the hash scheme is MD5-based crypt, md5crypt ($5 is sha256crypt, $6 sha512crypt)
$ABCDE : the salt, stored in clear
$Kn5RIMYO1QXy7GtJysNSC1 : the digest of 123456 and the salt. This is not a single plain MD5 of salt+password: the crypt schemes iterate the hash many times (1000 rounds for md5crypt, 5000 by default for sha256crypt and sha512crypt) precisely to slow brute force down.
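As an added example (not code from the original page), here is a small Python model of the two points above: a pre-computed table of unsalted MD5 hashes recovers any password from the wordlist in a single lookup, while a salt forces the wordlist to be rehashed for every stored field; the block also splits a crypt-style $id$salt$digest field such as $1$ABCDE$Kn5RIMYO1QXy7GtJysNSC1 into its three parts. The six-word wordlist, the toy "$toy$" scheme (one MD5 of salt+password, not the iterated md5crypt produced by the openssl command) and the helper names are assumptions made for the example.

```python
import hashlib
import secrets

# Constructed mini wordlist standing in for rockyou.txt (an assumption; the real
# list has millions of entries, the principle is the same).
WORDLIST = ["password", "123456", "qwerty", "ferrari12$", "letmein", "iloveyou"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_lookup_table(words):
    """Hash every candidate once, unsalted: digest -> password.
    This is the pre-computed table that online lookup services rely on."""
    return {md5_hex(w.encode()): w for w in words}


def crack_unsalted(digest_hex: str, table: dict):
    """A leaked unsalted hash costs one dictionary lookup, whatever the wordlist size."""
    return table.get(digest_hex.lower())


def salted_md5(salt: str, password: str) -> str:
    """Toy salted scheme (assumption): the salt is put in front of the password, then
    one MD5. Real md5crypt iterates the hash 1000 times; the salt effect is the same."""
    return md5_hex((salt + password).encode())


def store_password(password: str, salt=None) -> str:
    """Stored field in crypt style '$toy$<salt>$<digest>': the salt is kept in clear
    next to the digest, since verification needs it. A fresh random salt per user."""
    if salt is None:
        salt = secrets.token_hex(4)
    return "$toy$%s$%s" % (salt, salted_md5(salt, password))


def parse_crypt_field(field: str):
    """Split a crypt(3) style field '$id$salt$digest' into (id, salt, digest).
    phpass/Drupal '$P$' and '$S$' fields pack the salt differently and are rejected."""
    parts = field.split("$")
    if len(parts) != 4 or parts[0] != "":
        raise ValueError("not a $id$salt$digest field: %r" % field)
    return parts[1], parts[2], parts[3]


def verify(field: str, password: str) -> bool:
    """Server-side check: recompute with the stored salt, compare in constant time."""
    _, salt, digest = parse_crypt_field(field)
    return secrets.compare_digest(salted_md5(salt, password), digest)


def crack_salted(field: str, words, table: dict):
    """Against a salted field the pre-computed table misses; the attacker must rehash
    the wordlist for this salt. Returns (password or None, number of hashes computed)."""
    _, salt, digest = parse_crypt_field(field)
    if digest in table:          # only happens with an empty salt
        return table[digest], 0
    computed = 0
    for w in words:
        computed += 1
        if salted_md5(salt, w) == digest:
            return w, computed
    return None, computed


TABLE = build_lookup_table(WORDLIST)

if __name__ == "__main__":
    leaked = md5_hex(b"123456")          # e10adc3949ba59abbe56e057f20f883e
    print("unsalted:", leaked, "->", crack_unsalted(leaked, TABLE))
    field = store_password("123456")
    print("salted  :", field, "->", crack_salted(field, WORDLIST, TABLE))
```

The table costs one hash per word and is then reused against every leaked unsalted hash; with a salt the same wordlist has to be hashed again for each field, so the attacker's cost scales with the number of accounts instead of being paid once.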
Online services keep pre-computed tables of common unsalted hashes; use one of them to crack this MD5 hash (only unsalted hashes of common passwords can be found this way):
Try: e10adc3949ba59abbe56e057f20f883e
The /etc/passwd file is a text file in which each line describes a user account.
Each line consists of seven colon-separated fields: login name, password field (x means the hash is kept in /etc/shadow, readable only by root), UID, GID, GECOS comment (full name, office, phone numbers...), home directory, and login shell.
Here is an example of a record:
jsmith:x:1001:1000:Joe Smith,Room 1007,(234)555-8910,(234)5550044,email:/home/jsmith:/bin/sh
The first lines of the file are usually system accounts.
User accounts are usually found in the last lines (UIDs from 1000 upwards on most distributions).
This file makes it possible to quickly identify users, applications (tomcat, mysql, www-data, ...), their home directories, and whether or not they have a login shell (/usr/sbin/nologin or /bin/false means no interactive login).
Wikipedia: https://en.wikipedia.org/wiki/Passwd
John the Ripper checks whether a hash corresponds to a password present in a list.
Save one or more hashes in a hash.txt file (single quotes, so that the shell does not expand the $ signs; the second line is a WordPress phpass hash):
$ echo 'root:$1$1337$WmteYFHyEYyx2MDVXln7Y1' >hash.txt
$ echo 'wordpressuser1:$P$BqV.SQ6OtKhVV7k7h1wqESkMh41buR0' >>hash.txt
Use John with its default modes (single-crack, then its built-in password.lst wordlist, then incremental brute force):
$ john hash.txt
Use John with the RockYou list:
$ john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
John does not print again the passwords it has already cracked: they are saved in its pot file (~/.john/john.pot).
To display them:
$ john hash.txt --show
There are several versions of John. Kali and Parrot install the community-enhanced "jumbo" version, whose source is at https://github.com/openwall/john; on other distributions it is also available as a snap:
$ sudo snap install john-the-ripper
$ john
John the Ripper 1.9.0-jumbo-1 OMP [linux-gnu 64-bit 64 AVX2 AC]
Brute-force /etc/shadow with John (reading /etc/shadow requires root; unshadow puts the hashes back into the passwd lines so that John also sees the user names and GECOS fields):
$ unshadow /etc/passwd /etc/shadow > hash.txt
$ john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
$ john hash.txt --show
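As an added example (not code from the original page or from John the Ripper), the following Python block does in a few lines what the /etc/passwd description and the unshadow step above rely on: it parses passwd records into their seven fields, flags which accounts have a login shell, merges the shadow hash back into the second field the way unshadow does, and skips the locked or password-less accounts ("*", "!") that are not worth feeding to john. The two sample files are constructed for the example (jsmith's line is the record shown above, root's hash is the one used earlier, jsmith's shadow hash is a placeholder and not a real sha512crypt digest); NOLOGIN_SHELLS is an assumption covering the usual non-interactive shells.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample files standing in for /etc/passwd and /etc/shadow (an assumption).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mysql:x:112:118:MySQL Server,,,:/nonexistent:/bin/false
jsmith:x:1001:1000:Joe Smith,Room 1007,(234)555-8910,(234)5550044,email:/home/jsmith:/bin/sh
"""

# jsmith's hash below is a placeholder, not a real sha512crypt digest.
SHADOW = """\
root:$1$1337$WmteYFHyEYyx2MDVXln7Y1:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
www-data:*:19000:0:99999:7:::
mysql:!:19000:0:99999:7:::
jsmith:$6$saltsalt$placeholderdigest:19000:0:99999:7:::
"""

# Shells that refuse interactive logins (assumption: the common ones).
NOLOGIN_SHELLS = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync")


@dataclass
class PasswdEntry:
    name: str
    passwd: str      # 'x' means: the hash lives in /etc/shadow
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str

    @property
    def full_name(self) -> str:
        # GECOS is itself comma separated; the first sub-field is the user's name.
        return self.gecos.split(",")[0]

    @property
    def interactive(self) -> bool:
        return self.shell != "" and self.shell not in NOLOGIN_SHELLS

    def line(self) -> str:
        return ":".join([self.name, self.passwd, str(self.uid), str(self.gid),
                         self.gecos, self.home, self.shell])


def parse_passwd(text: str) -> List[PasswdEntry]:
    """One record per line, exactly seven colon-separated fields."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) != 7:
            raise ValueError("line %d: expected 7 fields, got %d" % (lineno, len(fields)))
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries


def parse_shadow(text: str) -> Dict[str, str]:
    """Only the hash (2nd of the 9 shadow fields) matters here: user -> hash."""
    hashes = {}
    for raw in text.splitlines():
        if raw.strip():
            fields = raw.split(":")
            hashes[fields[0]] = fields[1]
    return hashes


def crackable(hash_field: str) -> bool:
    """'*' means no password login, a leading '!' a locked account, '' no password at
    all: nothing for john to do there."""
    return hash_field not in ("", "*") and not hash_field.startswith("!")


def unshadow(passwd_text: str, shadow_text: str) -> List[str]:
    """What the unshadow tool does: put the shadow hash back into the 2nd passwd field so
    that john reads user, hash and GECOS (used by its single-crack mode) together."""
    hashes = parse_shadow(shadow_text)
    out = []
    for e in parse_passwd(passwd_text):
        e.passwd = hashes.get(e.name, e.passwd)
        out.append(e.line())
    return out


def worth_cracking(passwd_text: str, shadow_text: str) -> List[str]:
    """Names of the accounts whose hash can actually be attacked."""
    return [l.split(":")[0] for l in unshadow(passwd_text, shadow_text)
            if crackable(l.split(":")[1])]


if __name__ == "__main__":
    for e in parse_passwd(PASSWD):
        print("%-9s uid=%-5d shell=%-18s interactive=%s" % (e.name, e.uid, e.shell, e.interactive))
    print("\n".join(unshadow(PASSWD, SHADOW)))
    print("worth cracking:", worth_cracking(PASSWD, SHADOW))
```

On a real system the merged output is what you write to hash.txt; the accounts reported by worth_cracking are the only ones that cost john any time, the rest are skipped as "no password hash".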
Brute-force a web application's database hashes with John (here Drupal 7 $S$ hashes stored in a MySQL database):
$ mysql -u dbuser -p drupaldb
mysql> show databases;
mysql> show tables;
mysql> select name, pass from users;
mysql> exit
+-------+---------------------------------------------------------+
| name  | pass                                                    |
+-------+---------------------------------------------------------+
| admin | $S$DvQI6Y6xxxxxxxxxxxxxxxxxxxxxxxxxEDTCP9nS5.i38jnEKuDR |
| Fxxxx | $S$DWGrxefxxxxxxxxxxxxxxxxxxxxxxxxxxxx3QBwC0EkvBQ/9TCGg |
| ..... | $S$Drpxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/x/4ukZ.RXi |
+-------+---------------------------------------------------------+
$ echo '$S$DWGrxefxxxxxxxxxxxxxxxxxxxxxxxxxxxx3QBwC0EkvBQ/9TCGg' >hash.txt
$ john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
$ john hash.txt --show
Brute-force a password-protected id_rsa (the private key used for SSH connections).
An encrypted legacy PEM key can be recognised by its header:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,2AF25325A9B318F344B8391AFD767D6D
NhAAAAAwEAAQAAAgEA4hHFXkYNJLp47GZdP1LEJ3rueKhu4c9SCqzbeJfaWUJY/nZSmV76
Let's check whether the passphrase is in the RockYou list. ssh2john converts the key file into a hash that John understands:
$ python /usr/share/john/ssh2john.py id_rsa > id_rsa.hash
$ john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash
$ john id_rsa.hash --show
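As an added example (not code from the original page, nor from ssh2john or John), the Python block below shows what the header above carries and why these keys crack quickly: it parses the Proc-Type and DEK-Info lines to obtain the cipher and IV, and derives the candidate AES key for each wordlist entry the way OpenSSL's legacy PEM encryption does, with EVP_BytesToKey (MD5, one iteration, salt = first 8 bytes of the IV). The key file is constructed from the header shown above with a placeholder body, the unencrypted comparison key is likewise constructed, and the function names are assumptions. The candidate test itself (decrypt the first block and check for the DER SEQUENCE tag 0x30) needs an AES implementation and is left out; John performs it.

```python
import hashlib
from typing import Optional, Tuple

# Constructed key file: the headers are the ones shown in the text above, the base64
# body is a truncated placeholder that does not decode to a real key (an assumption).
KEY_FILE = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,2AF25325A9B318F344B8391AFD767D6D

NhAAAAAwEAAQAAAgEA4hHFXkYNJLp47GZdP1LEJ3rueKhu4c9SCqzbeJfaWUJY/nZSmV76
-----END RSA PRIVATE KEY-----
"""

# Constructed unencrypted key for comparison (body likewise a placeholder).
PLAIN_KEY_FILE = """\
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA4hHFXkYNJLp47GZdP1LEJ3rueKhu4c9SCqzbeJfaWUJY/nZS
-----END RSA PRIVATE KEY-----
"""

# Key length in bytes for the ciphers OpenSSL uses in legacy PEM encryption.
KEY_SIZES = {"DES-EDE3-CBC": 24, "AES-128-CBC": 16, "AES-192-CBC": 24, "AES-256-CBC": 32}


def parse_legacy_pem(text: str) -> Optional[Tuple[str, bytes]]:
    """Return (cipher, iv) when the file carries the legacy 'Proc-Type: 4,ENCRYPTED'
    headers, None when the key is stored in clear. Keys in the newer OpenSSH format
    ('BEGIN OPENSSH PRIVATE KEY', bcrypt-based KDF) are a different case: rejected."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN") or not lines[-1].startswith("-----END"):
        raise ValueError("not a PEM file")
    if "OPENSSH PRIVATE KEY" in lines[0]:
        raise ValueError("new OpenSSH key format: not legacy PEM encryption")
    headers = {}
    for line in lines[1:-1]:
        if ":" not in line:          # first base64 line (or blank): headers are over
            break
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    if headers.get("Proc-Type") != "4,ENCRYPTED":
        return None
    cipher, _, iv_hex = headers["DEK-Info"].partition(",")
    if cipher not in KEY_SIZES:
        raise ValueError("unsupported cipher %r" % cipher)
    iv = bytes.fromhex(iv_hex)
    if len(iv) != (8 if cipher.startswith("DES") else 16):
        raise ValueError("IV length does not match %s" % cipher)
    return cipher, iv


def evp_bytes_to_key(password: bytes, iv: bytes, key_len: int) -> bytes:
    """OpenSSL's EVP_BytesToKey as used for legacy PEM: MD5, one iteration, salt = first
    8 bytes of the IV. D_i = MD5(D_{i-1} || password || salt); key = D_1 || D_2 ..., truncated.
    One MD5 per candidate is why these keys crack so fast (the new OpenSSH format uses bcrypt)."""
    salt = iv[:8]
    key, block = b"", b""
    while len(key) < key_len:
        block = hashlib.md5(block + password + salt).digest()
        key += block
    return key[:key_len]


def candidate_keys(text: str, words):
    """For each wordlist entry, the cipher key john would try against the first block."""
    parsed = parse_legacy_pem(text)
    if parsed is None:
        return {}
    cipher, iv = parsed
    return {w: evp_bytes_to_key(w.encode(), iv, KEY_SIZES[cipher]) for w in words}


if __name__ == "__main__":
    print(parse_legacy_pem(KEY_FILE))
    print(parse_legacy_pem(PLAIN_KEY_FILE))
    for w, k in candidate_keys(KEY_FILE, ["123456", "password"]).items():
        print("%-10s -> %s" % (w, k.hex()))
```

The IV is stored in clear in the DEK-Info line, so the only secret is the passphrase, and one MD5 per candidate is all it costs to derive a key to try. Keys generated by a recent ssh-keygen use the OpenSSH format with a bcrypt KDF instead, and the same wordlist attack runs orders of magnitude slower.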
Much software and equipment is installed with default configurations and passwords.
Very often these passwords are never changed; automated scanners and bots try them first, so change them at installation.
(BLANK = empty field.)
Vendor        Username        Password
------        --------        --------
3COM          BLANK           12345
APACHE        admin           jboss4
Apache        admin           tomcat
Apache        tomcat          tomcat
Adobe         admin           admin
Airlink       BLANK           admin
Apple         admin           public
Belkin        admin           none
Borland       politically     correct
Bunker OS     BLANK           123456
Cisco         EAdmin          BLANK
Cisco         BLANK           Cisco
D-Link        BLANK           private
Dell          Administrator   storageserver
Edimax        admin           123
F5            admin           admin
kali          kali            kali
Netgear       BLANK           password
parrot        user            toor
Raspberrypi   pi              raspberry
ubuntu        user            BLANK