In this chapter, we will cover the following topics:

  • Exploring password-based attacks
  • Performing host discovery
  • Identifying and exploiting vulnerable services

Password based attacks:

OBJECTIVES:

  • Gaining unauthorized access to remote hosts on a network by performing attacks against its authentication system
  • Retrieving the password associated with cryptographic hashes
  • Retrieving the password to access a password-protected sensitive file

Different types of password attacks:

  • Brute-force attack: In a brute-force attack, every possible combination is tried against the system. This is a very time-consuming process, as every possible password combination is tested against the authentication system of the target until the valid password is retrieved. While this method may seem the most thorough, it rarely fits within the time constraints given for completing a penetration test.
  • Dictionary attack: In a dictionary attack, the threat actor uses a pre-populated wordlist that contains thousands or even millions of candidate passwords. These are tested against the authentication system of the target. Each word from the wordlist is tested; however, the attack will not be successful if a valid password is not found within the wordlist being used by the threat actor.
  • Password guessing: This is a common technique that is used by many people, including threat actors and penetration testers, who are attempting to gain unauthorized access to a system. I have often seen IT professionals use simple and even default passwords on their networking devices, security appliances, and even the client and server systems within their organization. For instance, by performing a Google dork (search query) for common default passwords, you will easily find the default passwords for various systems. These default passwords are set by the manufacturer of the device.
  • Password cracking: In this technique, the threat actor uses various tools and techniques to retrieve valid user credentials to gain unauthorized access to a system. Sometimes, a threat actor may capture a user’s password in transit across a network in plaintext over an insecure network protocol, or even retrieve the cryptographic hash of a password.
  • Password spraying: This is a technique in which a threat actor uses a single password and tests it against an authentication system with different usernames. The password is a guessable one, obtained from data breaches or a wordlist. The idea is to test which user accounts within a specific list use the same password. This technique is good when testing which users
  • Credential stuffing: This technique allows a threat actor to use a common wordlist of usernames and passwords against the authentication system of a target host. This technique checks which combination of usernames and passwords leads to valid user credentials.
  • Online password attack: In an online password attack, the threat actor attempts to gain unauthorized access to a host that is running a network service or a remote access service. This allows authorized users to log in to the system across a network. A simple example of an online password attack is a threat actor attempting to retrieve the username and password of a valid user to gain access to a server that is running the Remote Desktop Protocol (RDP). Keep in mind that online password attacks focus on using a combination of passwords from a wordlist directly on a web login page or network service interface until the correct one is found.
  • Offline password attack: In an offline password attack, the threat actor uses various tools and techniques to retrieve the valid password of a password-protected file, such as a document, or even the cryptographic hash of a user’s password. A simple example of this is capturing a domain administrator’s username and password hash from network packets. The username is usually in plaintext, but you may need to recover the password from the hash value.
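Detection-side counterpart to the brute-force and password-spraying definitions above, as an added example that is not part of the original chapter: a small Python classifier that parses constructed authentication-log lines and labels each source address by the shape of its failures (many failures on one account versus failures spread across many accounts). The log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed log format (assumption): one login event per line.
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\w+)$")
# Thresholds are assumptions for this sample; tune them to real traffic volumes.
BRUTE_THRESHOLD = 5  # failures against one account from one source
SPRAY_THRESHOLD = 5  # distinct accounts with failures from one source

# Constructed sample: one source hammers alice (brute force), one source tries
# five accounts once each (spray), one user mistypes once and then succeeds.
SAMPLE_LOG = """\
2024-01-05T08:00:01 src=203.0.113.5 user=alice result=fail
2024-01-05T08:00:02 src=203.0.113.5 user=alice result=fail
2024-01-05T08:00:03 src=203.0.113.5 user=alice result=fail
2024-01-05T08:00:04 src=203.0.113.5 user=alice result=fail
2024-01-05T08:00:05 src=203.0.113.5 user=alice result=fail
2024-01-05T08:01:00 src=198.51.100.9 user=alice result=fail
2024-01-05T08:01:01 src=198.51.100.9 user=bob result=fail
2024-01-05T08:01:02 src=198.51.100.9 user=carol result=fail
2024-01-05T08:01:03 src=198.51.100.9 user=dave result=fail
2024-01-05T08:01:04 src=198.51.100.9 user=erin result=fail
2024-01-05T08:02:00 src=192.0.2.7 user=frank result=fail
2024-01-05T08:02:05 src=192.0.2.7 user=frank result=success
"""

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(lines):
    """Map each source to 'brute-force' (many failures on one account),
    'spray' (failures across many accounts) or 'normal'."""
    fails = defaultdict(lambda: defaultdict(int))  # src -> user -> failure count
    verdict = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        verdict.setdefault(rec["src"], "normal")
        if rec["result"] == "fail":
            fails[rec["src"]][rec["user"]] += 1
    for src, per_user in fails.items():
        if max(per_user.values()) >= BRUTE_THRESHOLD:
            verdict[src] = "brute-force"
        elif len(per_user) >= SPRAY_THRESHOLD:
            verdict[src] = "spray"
    return verdict
```

Run `classify(SAMPLE_LOG.splitlines())` to see the three verdicts; on real logs, also key the spray check on a time window so slow, low-volume sprays are not missed.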
Important

SecLists is a collection of pre-built wordlists containing passwords and usernames that are commonly used by penetration testers to perform both online and offline dictionary attacks. Furthermore, SecLists contains URLs, sensitive data patterns, and fuzzing payloads, which are valuable to penetration testers. You can find the SecLists collection at https://github.com/danielmiessler/SecLists. Additionally, you can use the wordlists command within Kali Linux to view the local wordlist repository that is already pre-loaded within the operating system.


Creating a keyword-based wordlist:

  • Sometimes, web developers and IT professionals set passwords within their organizations and online web applications that are somewhat related to the organization’s goals, mission, products, and services. CeWL (Custom Word List generator) is a wordlist generator tool that enables penetration testers to crawl (spider) a website and gather keywords to create a custom wordlist for dictionary-based password attacks against a system or file.
  1. Let’s create a custom wordlist:
cewl example.com -m 6 -w output_wordlist.txt

This command will generate a custom wordlist containing words with a minimum length of 6 characters using keywords from the website example.com. It will then write the results to the output_wordlist.txt file.
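A defender-side use of the same idea, as an added example that is not part of the original chapter: a Python password-policy check that rejects passwords built on organization-specific keywords, the kind of words a CeWL crawl of the company’s own site would collect, even when they are padded with digits or written in leet spelling. The keyword list, the leet-substitution table and the load_wordlist helper are assumptions.

```python
import re

# Common leet substitutions to undo before comparing (assumed mapping, not exhaustive).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
MIN_KEYWORD_LEN = 6  # mirrors the -m 6 floor used in the cewl command above

# Constructed stand-in for the words a CeWL crawl of a company site might yield.
ORG_KEYWORDS = ["Widgets", "Acme", "Innovation", "Quarterly", "Synergy"]

def load_wordlist(path):
    """Read a cewl-style wordlist (one word per line), skipping blank lines."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return [w.strip() for w in fh if w.strip()]

def normalize(password):
    """Strip leading/trailing digits and symbols, lower-case, then undo leet spelling."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    return core.lower().translate(LEET)

def contains_keyword(password, keywords=ORG_KEYWORDS):
    """Return the first organization keyword embedded in the password, else None."""
    norm = normalize(password)
    for kw in keywords:
        kw = kw.lower()
        if len(kw) >= MIN_KEYWORD_LEN and kw in norm:
            return kw
    return None
```

Feed the output of the cewl command above into `load_wordlist` to run the same check against your own site’s vocabulary.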


Generating a custom wordlist using crunch:

  • Crunch is an offline password generator that enables penetration testers to create custom wordlists to perform dictionary-based password attacks.
  1. The general syntax is as follows:
# general syntax
crunch <min-length> <max-length> [options] -o output_file.txt
  2. To create a custom wordlist with a fixed length of 4 characters, made up of any combination of the characters 0 to 9 and A to C, run the following command:
crunch 4 4 0123456789ABC -o output_file_2.txt

Crunch created 28,561 possible combinations of passwords.