CPTS #05: Password Attack

Remember to create a custom password list like the example in this module, and grab a cup of coffee while you wait.

Easy Lab

Proceed to perform an Nmap scan on the target machine to identify open ports and running services.

Having found the open ports, I proceed to brute-force the services using the provided username and password lists. The FTP service was successfully brute-forced, yielding a valid username and password.

Logged in successfully as user mike and found an id_rsa file that may be used for SSH access.

Use John the Ripper to crack this SSH key: first convert it to John's hash format with ssh2john, then run John against it with the rockyou wordlist to recover the key's passphrase.

Logged in to SSH as user mike using the SSH key.

Now, just look around and find the root password in some interesting files.

Medium Lab

Proceed to perform an Nmap scan on the target machine to identify open ports and running services.

Found an SMB service, so we will use CrackMapExec to brute-force the credentials quickly.
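Both the FTP brute force in the easy lab and the SMB brute force here produce the same footprint on the target: a burst of failed logins from one source address in a short window. The script below is an added example, not part of the original write-up, showing how a defender would spot that footprint in vsftpd and OpenSSH log lines (the two services from the easy lab; the same sliding-window logic applies to Windows Event ID 4625 for SMB). The log lines, host name `srv`, addresses and the threshold of five failures per minute are all constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional

WINDOW_SECONDS = 60   # sliding window length (assumed tuning value)
THRESHOLD = 5         # failures from one source inside the window that raise an alert

# vsftpd log line, e.g.:
#   Tue Mar 12 10:00:01 2024 [pid 2] [mike] FAIL LOGIN: Client "10.10.14.5"
VSFTPD_FAIL = re.compile(
    r'^\w{3} \w{3} +\d+ (?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d) \d{4} '
    r'\[pid \d+\] \[(?P<user>[^\]]+)\] FAIL LOGIN: Client "(?P<ip>[\d.]+)"')
# OpenSSH auth.log line, e.g.:
#   Mar 12 10:05:00 srv sshd[1201]: Failed password for invalid user admin from 10.10.14.9 port 40001 ssh2
SSHD_FAIL = re.compile(
    r'^\w{3} +\d+ (?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d) \S+ sshd\[\d+\]: '
    r'Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)')

@dataclass
class Failure:
    service: str
    ts: int        # seconds since midnight; the constructed sample spans a single day
    user: str
    ip: str

@dataclass
class Alert:
    ip: str
    count: int
    users: List[str]
    services: List[str]
    kind: str      # "bruteforce" (one user, many passwords) or "spray" (many users)

def parse_failure(line: str) -> Optional[Failure]:
    """Return a Failure for a failed-login line, or None for anything else (success, noise)."""
    for service, rx in (("ftp", VSFTPD_FAIL), ("ssh", SSHD_FAIL)):
        m = rx.match(line)
        if m:
            ts = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
            return Failure(service, ts, m["user"], m["ip"])
    return None

def detect_bruteforce(lines, window=WINDOW_SECONDS, threshold=THRESHOLD) -> List[Alert]:
    """Sliding window per source IP: alert once a source reaches `threshold` failures within `window` seconds."""
    failures = sorted((f for f in map(parse_failure, lines) if f), key=lambda f: f.ts)
    by_ip = defaultdict(list)
    for f in failures:
        by_ip[f.ip].append(f)
    alerts = []
    for ip, fs in by_ip.items():
        start = 0
        for end in range(len(fs)):
            while fs[end].ts - fs[start].ts > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                hits = fs[start:end + 1]
                users = sorted({f.user for f in hits})
                alerts.append(Alert(ip, len(hits), users, sorted({f.service for f in hits}),
                                    "spray" if len(users) > 1 else "bruteforce"))
                break                                    # one alert per source is enough
    return sorted(alerts, key=lambda a: a.ip)

# Constructed sample: one FTP brute force against "mike", one SSH password spray, one stray failure.
SAMPLE_LOG = [
    'Tue Mar 12 10:00:01 2024 [pid 2] [mike] FAIL LOGIN: Client "10.10.14.5"',
    'Tue Mar 12 10:00:02 2024 [pid 2] [mike] FAIL LOGIN: Client "10.10.14.5"',
    'Tue Mar 12 10:00:03 2024 [pid 2] [mike] FAIL LOGIN: Client "10.10.14.5"',
    'Tue Mar 12 10:00:04 2024 [pid 2] [mike] FAIL LOGIN: Client "10.10.14.5"',
    'Tue Mar 12 10:00:05 2024 [pid 2] [mike] FAIL LOGIN: Client "10.10.14.5"',
    'Tue Mar 12 10:00:06 2024 [pid 2] [mike] OK LOGIN: Client "10.10.14.5"',
    'Mar 12 10:05:00 srv sshd[1201]: Failed password for invalid user admin from 10.10.14.9 port 40001 ssh2',
    'Mar 12 10:05:08 srv sshd[1202]: Failed password for root from 10.10.14.9 port 40002 ssh2',
    'Mar 12 10:05:16 srv sshd[1203]: Failed password for mike from 10.10.14.9 port 40003 ssh2',
    'Mar 12 10:05:24 srv sshd[1204]: Failed password for invalid user jason from 10.10.14.9 port 40004 ssh2',
    'Mar 12 10:05:32 srv sshd[1205]: Failed password for invalid user denis from 10.10.14.9 port 40005 ssh2',
    'Mar 12 11:30:00 srv sshd[1300]: Failed password for mike from 10.10.14.7 port 40100 ssh2',
]

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(f"{alert.ip}: {alert.kind}, {alert.count} failures, users={alert.users}, services={alert.services}")
```

The split between "bruteforce" and "spray" matters for the response: a single account hammered with many passwords is contained by locking that account, while many accounts each tried once or twice (the pattern a lockout policy does not catch) points at the source address instead.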

After finding the credentials for the SMB service, continue using CrackMapExec to list the shares available for this user.

I found a password-protected zip file, so I convert it to John's hash format with zip2john. This crack needs the custom password list; just use the example from this module.

With the zip password found, let's unzip it. Inside is a document file that is password-protected too, so let's crack it with John the Ripper again.

Opening the document, I found the root password for a server.

So let’s use these credentials to SSH into the server.

Nothing interesting on this server itself, but I found a local database running on it.

So let's try to log in to this local MySQL instance as the user "jason", but the login fails. Therefore, I need to try some default passwords for the MySQL server.

After querying the database, we found the user “denis” along with his password. Now, let’s log in as denis and enumerate his directory.

We can see the id_rsa key in Denis’s directory. Let’s download this file and use John the Ripper to crack the SSH key.

After finding the passphrase for this key, I wondered which user I needed to log in as. Not Denis, since I could already log into his account using the password. So, I decided to use this key with the root user and successfully logged in. In fact, you can identify the user just by reading the .pub file.
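The id_rsa files in the easy and medium labs fall to a wordlist because the passphrase protection on a private key is only as strong as the passphrase and the key derivation behind it, and a .pub file's comment field gives away whose key it is. The script below is an added example, not part of the original write-up: a small audit that reports whether an OpenSSH private key is encrypted, which cipher and KDF it uses, how many bcrypt rounds protect it (ssh-keygen's default is 16; `ssh-keygen -a N` raises it), and flags the legacy PEM format, whose encryption derives its key with a single MD5 pass and is therefore cheap to guess. The sample key files are constructed with dummy key material so that only the header fields are meaningful; the 16-round minimum and the `root@server` comment are assumptions for the example.

```python
import base64
import struct
from typing import Dict, Optional

OPENSSH_MAGIC = b"openssh-key-v1\x00"
MIN_BCRYPT_ROUNDS = 16   # assumed policy floor: ssh-keygen's own default

def _read_string(buf: bytes, off: int):
    """Read one SSH wire-format string (uint32 big-endian length prefix + bytes)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def audit_private_key(text: str) -> Dict:
    """Inspect a private key file and report how (or whether) it is protected."""
    lines = [l.strip() for l in text.strip().splitlines()]
    report = {"format": None, "encrypted": False, "cipher": None,
              "kdf": None, "rounds": None, "findings": []}
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        # Header layout: magic, string cipher, string kdf, string kdfoptions, uint32 nkeys, ...
        cipher, off = _read_string(blob, len(OPENSSH_MAGIC))
        kdf, off = _read_string(blob, off)
        kdfopts, off = _read_string(blob, off)
        report.update(format="openssh-key-v1", cipher=cipher.decode(),
                      kdf=kdf.decode(), encrypted=cipher != b"none")
        if kdf == b"bcrypt":                 # kdfoptions = string salt + uint32 rounds
            _salt, o = _read_string(kdfopts, 0)
            (report["rounds"],) = struct.unpack(">I", kdfopts[o:o + 4])
        if not report["encrypted"]:
            report["findings"].append("unencrypted")
        elif report["rounds"] is not None and report["rounds"] < MIN_BCRYPT_ROUNDS:
            report["findings"].append("weak-kdf")
    elif lines[0].startswith("-----BEGIN") and lines[0].endswith("PRIVATE KEY-----"):
        # Legacy PEM (RSA/DSA/EC): encryption is signalled by a Proc-Type header.
        report["format"] = "legacy-pem"
        report["encrypted"] = any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines[1:4])
        report["findings"].append("legacy-pem" if report["encrypted"] else "unencrypted")
    else:
        raise ValueError("unrecognised key file")
    return report

def pubkey_comment(text: str) -> Optional[str]:
    """Comment field of a .pub line; ssh-keygen fills it with user@host by default."""
    parts = text.strip().split(None, 2)
    return parts[2] if len(parts) == 3 else None

# --- constructed sample key files (dummy key material, header fields only) ---
def _wire_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def build_sample_key(cipher: bytes, kdf: bytes, rounds: int = 0) -> str:
    kdfopts = (_wire_string(b"\x00" * 16) + struct.pack(">I", rounds)) if kdf == b"bcrypt" else b""
    blob = (OPENSSH_MAGIC + _wire_string(cipher) + _wire_string(kdf) + _wire_string(kdfopts)
            + struct.pack(">I", 1) + _wire_string(b"\x00" * 51) + _wire_string(b"\x00" * 64))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"

SAMPLE_LEGACY_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

AAAA
-----END RSA PRIVATE KEY-----
"""
SAMPLE_PUB = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYDATA root@server"   # constructed

if __name__ == "__main__":
    for label, key in (("unencrypted", build_sample_key(b"none", b"none")),
                       ("bcrypt/16", build_sample_key(b"aes256-ctr", b"bcrypt", 16)),
                       ("bcrypt/8", build_sample_key(b"aes256-ctr", b"bcrypt", 8)),
                       ("legacy", SAMPLE_LEGACY_PEM)):
        print(label, audit_private_key(key))
    print("pub comment:", pubkey_comment(SAMPLE_PUB))
```

Run over a home directory, the audit surfaces exactly the keys that an ssh2john-plus-rockyou pass would recover quickly: unencrypted keys, legacy PEM keys, and new-format keys with few rounds. Converting them with `ssh-keygen -p -o -a 100` keeps the key pair but moves it to the bcrypt KDF with a round count that makes each guess expensive.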

Hard Lab

As on any normal day, let's start with an Nmap scan to gather information for the attack.

I know that user Johanna is present on many hosts. So, let’s brute-force her password to access RDP.

After logging in as Johanna, I found a KeePass file. I need to download it and crack it to find some information.

Successfully cracked the KeePass file and found the credentials for David. Now, let’s use runas with David’s credentials to open a command prompt.

In David’s directory, I found a VHD file protected by BitLocker. To proceed, I need to crack the BitLocker protection to access the contents of the VHD file.

Next, I mount the VHD on my own machine. Since my host is Windows, I just need to copy the VHD file from my VM to the Windows host and mount it there.

I found the SAM and SYSTEM files. It’s wonderful, right?

Next, I use secretsdump to dump the hashes from the SAM and SYSTEM hives.

Then I'll use Hashcat to crack the NTLM hash.

Now, just RDP to the machine by using the Administrator credentials.