Password Hacking in Kali Linux

Captions
When you log into your computer or website or anything that requires a password, hopefully that password is stored in a database in some location, some way, in an encrypted fashion. Maybe it's a hash, maybe it's anything, but it's not plain text. If a hacker, threat actor, adversary would gain access to that password in its raw plain text form, that could certainly be an issue, but in some cases maybe even just a hash is enough for a hacker to crack the hash and then gain access to the account and access. In this video I'm going to showcase three ways where we can put our hacker hat on, act as the adversary, and then crack a password hash, brute force or guess passwords, or maybe even pass the hash in some other attacks. Let's dive in.

I'm inside of my Kali Linux virtual machine and this is going to be our attacker HQ. This is where most of the operations are going to happen, but I do want to let you know, hey, I've got another Linux server, Linux host, Linux computer up with Ubuntu, alongside a Windows machine that we'll be able to go ahead and beat up in just a moment. But back inside of Kali Linux I'm going to open up the terminal, click that icon on the top or hit Ctrl+Alt+T on the keyboard, and I'm going to zoom in on this terminal here, because first of all I want to show you what my IP address is. I'm going to go ahead and say the `ip` command, `a` for the shorthand for addr, like address, `s` for the shorthand for show, and then the interface that I want to look at. In this case I'm going to look at eth0, and it currently has the IP address of 192.168.11.166. Now that's us, that's our Kali Linux machine, that's our attack box, that's where we're going to be doing the hacking and cracking. Over here on the victim machine, the target, the Ubuntu box, let me fire up another terminal. I'll go ahead and run the exact same command just so we can kind of get a lay of the land here. On Ubuntu usually the interface is now ens33. I'll go ahead and take a look at the IP address: that is 192.168.11.129.

Now let's say, as the attacker from the Kali Linux offensive perspective, we don't know any passwords for this Ubuntu machine that we're trying to break into. Maybe we knew a username, we were able to profile some accounts or some employees or people that use this machine, but we still need to try and figure out their password. One way you could do that is just kind of guess, like, I don't know, try every single possible letter in the English alphabet, every single number, every single printable character on the keyboard: like the letter a, then the letters aa, and then aab and aac, aad, etc., kind of keep moving down the list to try and generate every possible potential possibility. Let's try it out. See, this Ubuntu machine does have SSH, or the secure shell, running as a service, so we could try to SSH into user at 192.168.11.129. It'll ask me for the password, but I don't know their password, so I could try like the letter a, and then that won't work for us. Let's try the letters aa, maybe two a's, there is a combination, doesn't work either. ab, ac, etc. etc. etc. That is not going to work, and doing it manually kind of sucks, and then we just sort of get kicked out from SSH saying, look, three times, three strikes, you're out. It might be more likely, though, that they're actually using a word as their password, like apple or magician, I don't know, it could be anything, and this is actually pretty common. I think as folks who are getting into their world with computers and technology, they would just go to create a password based off of a word that's familiar to them or something that they like or they're passionate about. And in past security incidents like data breaches, passwords have been uncovered that are just the most common stupid passwords, like 12345 or password.

So there is genuinely a list inside of your Kali Linux distribution and Linux operating system, a file that's called rockyou.txt, and it currently has .gz, or gzip, appended to it. It's in the /usr/share/wordlists directory, and if I hop over there, change directory in there, we can see that file one more time. But if we try to unzip it with gunzip, oh, we do not have, uh, write permission. Let me just, uh, super quickly change the permissions of this directory for my current user, and now let me see, can I gunzip to remove that extension and extract the rockyou.txt file? We can. Good. Now I'll go ahead and cat out that rockyou.txt file in the current directory, and there is a whole lot of output, because this is a ginormous file filled just line by line with leaked passwords, or passwords that were previously made accessible in public in a recent password data breach. Some way, somehow, these were all leaked out onto the internet, and it's literally 134 megabytes worth of passwords. In fact, we can take a look: if I count the number of lines here, what is that, 14,344,392 passwords, and rockyou.txt is what's called a dictionary file, for when you're doing a dictionary attack, just kind of brute forcing or guessing passwords out of dictionary words. Now you should not have an English word as your password, or maybe just adding some numbers or exclamation points at the end; that's just bad security practice, you shouldn't do that, but it still happens, some people still have that. The thing is, rockyou.txt is massive, so for the sake of our learning, for the sake of our experimentation, I do want to show you a smaller word list or dictionary list that we might be able to use, called fasttrack.txt, that has a whole lot of other potentially very common passwords, whether they use some stupid simple, I don't know, season and then year semantic of, oh, it's the winter of 2013, or 2023 spring, whatever. A whole lot of those are common and you'll see them all the time in stupid penetration tests, literally just spray that password. Anyway, we want to try to use this with our SSH access into 192.168.11.129, our Ubuntu victim, but we don't want to have to type in all of these manually. We need some way to automate that.

So we can use a tool, a command line utility, called Hydra. I'm going to take a look at the man pages, or the manual, for Hydra, and you'll see it is a very fast network logon cracker which supports many different services. You could pass in a whole lot of different arguments, options or parameters and command line switches to this tool, and it'll actually go ahead and brute force, or try to repeatedly guess, passwords against a service. A lot of these we'll talk about in just a moment, and it's the very, very common things, like the target that you need and the service that you want to beat up, SSH on our Ubuntu host of course, the login that you want to beat up, the passwords or the password list files that you want to use. But there are a couple other important ones that I think are worthwhile to mention. There is a capital `-F` that will end up exiting or stopping the Hydra program after it found the first login and password pairing, the correct solution. If you use this, it's probably worthwhile to actually have it display all the other passwords that it's trying so you can see that the progress is going through here. I really, really like to use `-V`, that's verbose mode, you get to show the login and password combinations for every single attempt. And another worthwhile one is `-I`, in case you are doing this repeatedly, just for your learning, just for demonstration's sake: you can ignore a previous or existing restore file, so it won't end up waiting 10 seconds to start beating up the machine again. So with that I'm gonna hit q to get out of that, and I'm going to run Hydra. I'm going to use `hydra -l` to specify the login, or the username, that we want, and that will be user. Now I'm going to use capital `-P` to denote the passwords file, or the word list that we want to use, with the password on every single line, to go beat up and try to attack this. We'll go ahead and use that fasttrack.txt file, another example, another subset of rockyou, and it's significantly smaller and faster for us. And then I'll go ahead and use the target, which I know is 192.168.11.129. Now oftentimes Hydra likes a certain protocol or schema to represent the service that you're going to beat up here, so I will use `ssh` and then a colon and a couple forward slashes to denote that's the service that I want to beat up on that host. Now we'll add in our `-V` for that verbose mode, `-I` to ignore anything previous, and `-F` to finish once you find a valid combination. Now I'll hit enter and it'll start doing its work. Here we go, cruising through it. I'm gonna zoom out here, there's a whole lot going on, trying to log in: autumn2015, winter2017, password, sql, testing, yada yada yada. It's doing the hard work for us. Now even then this might be a little bit slow; if you want to stop it, you could actually add more threads to it with `-t`. We could go ahead and say, I don't know, let's do like 40 threads, see if it can rip through this a little bit faster. It's going to beat it up, you can see, hey, it's trying to go through every single possible combination, and you could supply multiple users if you were trying this against, I don't know, different services, or you just weren't sure what that username was. And there we go, look at that, it found an entry, it found a combination. Looks like we have this outlined in a little bit of a green bold texture: we can see the login is user and the password is Star Wars, right on that host on the SSH service. Cool, let's try it out. Let's see if I can go ahead and SSH into that machine, and I'll specify the password as Star Wars. As I'm typing that in, look at that, logged in, the host, gained access, and now we could do some damage. Hey, just for proof of compromise, let's go ahead and create a new file, a little "Please Subscribe" .txt that might be present there in the current directory, in their home directory. Let's go see if it exists. Bouncing back over to my Ubuntu machine, let me get out of the terminal here, and there it is, there's our "Please Subscribe" .txt file there on the desktop.

Okay, so showcase number one: all we did was guess a password, right? We just threw it through a whole dictionary list, a word list. But ultimately maybe that's not always going to work for us. Sometimes you have to genuinely crack a password hash, or that sort of mathematical representation, a string of hexadecimal numbers that just validates and has a fingerprint or signature of this data. We're going to do that in just a moment, but first I want to reiterate: you should not be using an English word or anything that's super simple and boring and basic and easy for a password. That is a weak password, and you should be using a password manager. Use a digital password manager that can figure out all of the entropy, all the complexities, everything that you need for a secure password, and it stores it in a safe and sane way so you don't have the same password reuse for every single service. So with that I do want to note, look, Passbolt just released version 3.12, where they've added new folders for organization in the Community Edition, and single sign-on is available for release in the Pro Edition. They're super excited about it, I'm super excited about it, let me give some love to Passbolt and their new release 3.12.

I don't know any of my passwords. I don't know what they are, they're all crazy long and complex, they even have emojis in them, and that's because I use a password manager, and I'm a huge advocate for using a password manager to generate completely unique and secure passwords for each service or account you use. And personally I use Passbolt, it's my daily driver and main password manager. Passbolt is a free and open source password manager that allows both individuals and team members to store and share passwords securely. I absolutely love how easy Passbolt is to use and how you can make it solely your own. You control your data: you can host your own Passbolt management instance completely for free and run it on your own Linux servers or Raspberry Pi, or deploy it straight to cloud with hosting providers like AWS or DigitalOcean, or just let Passbolt handle it all for you. You can easily create and store passwords and autofill wherever you need to with the Passbolt browser extension and their mobile app, that even has biometrics for quick and easy authentication. On top of that, Passbolt is completely open source: you can look through the code on GitHub, extend it with the REST API, integrate with it on the command line, and even contribute and hack on the code. Best of all, they are a thousand percent passionate about hearing from the community. They want the feedback to make your password manager the best it can be, now including two-factor authentication on free accounts and even transitioning more of the subscription tier features into their Community Edition. I love it. You can get started with Passbolt for free with my link below in the video description. Their cloud instance is incredibly easy to spin up, and they take extra precautions to keep everything secure, even with a private key, backup codes, and a unique color and pin to protect you against phishing attacks. It is password security done the right way with Passbolt. Huge thanks to Passbolt for sponsoring this video.

Okay, now let's move on to demo number two. In this case we're not gonna be guessing a password, but we're gonna be trying to crack a password hash. You can use a whole lot of different tools to do this: you can use John the Ripper, you can use hashcat, you can use some online things if you can identify and recognize what sort of hash format it might be. And I know that might be confusing if you aren't familiar with hashes, but let me show you online. I'm trying to build out a couple exercises or activities that make it a little bit easier to be able to see and demonstrate different sorts of things in cyber security. I'm starting small, there's not a whole lot in there right now, but there is one little lesson that you can just copy and paste for password cracking, password hacking, with John the Ripper as one of the tools, and it should be accessible and easy for you. You can just go and click into it and then it gives you literally instructions for everything that you need to do. First things first, it creates a whole lot of usernames that you could use and create a local account on your attacker machine, just for demonstration purposes. So let me go ahead and copy this, I'll click the copy button, let me move back to my terminal and I'll go ahead and just paste all this in. We created a giant list of usernames like Sophie, Nathaniel, Lauren, Christopher, yada yada yada, and I'll have that list created for me. Now we have some nice syntax where we can go ahead and just create all these users with a weak password. Let's do it: we'll copy that, paste this in, you can see all that syntax displayed on the screen, super simple. We'll need a password, but that's just fine, it'll go ahead and create all these users with a vulnerable password for us to try and crack with John the Ripper.

Now on Linux all these local accounts are stored in a specific file. You can see it's /etc/passwd and it's at /etc/shadow, as these locations on the file system, where /etc/passwd is world readable: anyone could actually access that file if they have access, because it just lists all of the potential user accounts that are created on the machine. Now note, in between these they all have an x right after their username and their unique user identifier, their home user directory, blah blah blah, but that x is the field for the password. The x means it's masked, or it's hidden, or it's shadow mode, and ultimately it's encrypted, and that encrypted portion is stored in /etc/shadow. Now if I try to cat that out and display it, we don't have access; that requires root level permissions. Again, this is just a learning lab which is for education, and our exercise and activity here, we could go ahead and play with it and copy it. Let me go ahead and show you: if we had that sudo access, what does the /etc/shadow file show you? Take a look, all of these different lines for all of these different users. Like here's our good friend Paul, he has this hash represented in a different sort of base64 encoded or salted in some way. All that syntax just denotes, look, that is a secret sensitive key for a password representation that we could try and beat up if we gained access to these strings. Now if we're going to end up using a tool like John the Ripper, we want to have both the /etc/passwd and /etc/shadow file ready for us, so I'm going to end up copying both of these into a temporary location, temp passwd and temp shadow, as you can see in that syntax, and then we want to go ahead and unshadow this password using the `unshadow` command that comes with John the Ripper. Nice and easy, already installed on Kali Linux, so we can just run that, and now we have all of the unshadowed passwords ready for use. This does store them in a temporary location so that we're able to go ahead and use them with John the Ripper. John the Ripper is one of those other command line utilities, super duper easy to use. You basically just need to pass it the hashes file that you want to look through, the word list that you're going to end up using to beat it up, and that's exactly what we just used before, whether it's rockyou.txt or if it's fasttrack, and then we can specify a format for what kind of thing this might be. Again, let's copy and paste. Let me go back to my terminal, I'll paste this in, and let's see if John the Ripper can crack any of these hashes. Look, already found a password for Gloria, looks like that password was secret. These are all random, bear in mind, but they all are going to have something included in that fasttrack word list, just for our own learning. Marion, hey, that was password1. Sand had monkey. Ben had basketball. Don't forget, all of these are literally awful things that you should never have for your password. Use a password manager. That's a fine enough example, and I hope it showcases just the easy way to use John the Ripper. Sometimes you have to do a little bit of staging, but ultimately once you have a file with your hashes, tack in the word list that you want to use, whether it's rockyou.txt, and then just let it rip.

For the final showcase, number three, and I know what you're thinking, like, look, John, we've been hanging out in this Linux world, but not everything is Linux. Most of the time you're going to be beating up, you're going to be seeing, a Windows machine. Yes, you're exactly right, so we're going to play with a little bit of the things that you might be able to do if you gain access to specific user hashes, or NTLM hashes, those are those, what, net logon local manager, I always forget the NTLM acronym. But there are oftentimes user passwords stored in like an ntds.dit or the SAM file, the secret stuff that you could pull out of the registry, there's a whole lot you could work with, but in this case I want to showcase Responder. So what I'm going to do is I'm going to set up yet another tool that is already available and installed on Kali. Let's use Responder. That does need to be run as root, so we'll use the sudo command to prefix it, and I'll need to specify the interface that I want to listen on to respond to different events with `-I`. This is one of those tools that will stage a whole lot of fake masquerading services that will end up listening and waiting to see connections over HTTP or HTTPS or SMB, like server message block. Maybe it's a web server, maybe it's a DNS request, maybe it's Kerberos or SQL or FTP, it could be anything; it's just wanting to accidentally see and then poison a request. So I'm going to end up putting this side by side. Let's go ahead and move our Kali Linux virtual machine over to one direction and let's move our Windows 10 virtual machine to another side. Again, this is all just for the sake of learning, so I'm using a local account in the virtual machines here. So let's say that our user, our Windows victim or target, happened to be trying to get to maybe a service on their network. Maybe their organization has a file share, maybe some location in the network where they actually work with scripts or development info, other things, it could be anything. And I realize, look, this is maybe a little bit of an extrapolated example, but I do want to get this across for the demonstration's sake, so please press the I-believe button, or bear with me, suspend disbelief. Maybe they were trying to get to, or malware or whatever payload drove them to, this UNC path, like a backslash backslash inside of Windows Explorer accessing an SMB share, 192.168.11.165, but maybe there was some accidental typo or something and they went to 166, where our attacker Kali Linux over on the left hand side is waiting and ready to receive their authentication request. Whether they enter their username or credentials or not, because the connection's been made already, NTLM is going to end up passing along their hashes and credentials. Now we could actually use this, we could grab this data and do something specific. You can see that from this target, 192.168.11.153, and the DESKTOP user, host name and username, along with their NTLM hash for their credentials, is something that we already have access to. We've seen it now within Responder. Looks like it came through twice, hey, that's okay, whatever, we've got what we need here. Let's grab it and let's work with it.

I'm gonna close out of Responder with Ctrl+C and let's just create a note. Now let me go ahead and echo, I don't know, ntlm hashes .txt, I'll paste this in, and now rather than John the Ripper we could use something like hashcat, another utility that's built in and installed in Kali Linux, and it is exactly an advanced CPU based password recovery utility. When you're given a hash, it will try to crack hashes. Now hashcat has a little bit more specific options to it; it's not as easy and as user friendly as John the Ripper. You'll need to pass in an attack mode and a hash type along with the hashes that you want to try and beat up. You can also use `--force` to ignore warnings in case it's just like not happy with your CPU or GPU or whatever. But if we scroll down there's a whole lot more to dig into, because we kind of need to know what specific numbers or values should we give to hashcat for this attack mode or this hash type. Taking a closer look here, attack mode could be a couple options: it could be, I don't know, 0 being set to straight, 1 is combination, 3 is brute force. Straight is probably just going to procedurally work through our word list, or do anything that it might just try to beat up, and that's okay for us to use right now. Let's use attack mode 0, so `-a 0`. Now the hash type, we need to find something that associates with our NTLM hash. Note there are a ton of different types of hashes that you could be working with, whether it's MD5, whether it's SHA-1, whether it's, I don't know, Blowfish, whether it's bcrypt, whether it's different renditions of whatever. Here is NetNTLMv2, which matches what we saw in Responder, so I'm leaning towards this 5600. One quick note though, if you aren't sure, there are a ton of example hashes online. If you simply Google, I don't know, hashcat example hashes, if we wanted to search through this list for NTLM, we could see, okay, there's a static boring straight hash, but this 5500 NetNTLM whatever, that gives some examples of what the syntax might look like. This NetNTLMv2 with a 5600, that's exactly what we were looking at just a moment ago, with the username, colon colon, and then a couple of other fields and values and numbers that represent this hash. It looks like 5600 is what we want. Now we have everything that we need, we have all the ingredients that we could actually use to run hashcat on the command line. So let's use `-a` for that attack mode, 0, straight, as that option, let's use `-m 5600` for the NetNTLMv2 hashes, and of course we need to actually supply the hashes that we've seen. This is the value that we pulled from Responder, and we were able to go ahead and put that into a file, but we still need our word list file. Let's go ahead and use /usr/share/wordlists, and what do you think, should we try, uh, fasttrack one more time? Let's see what we've got here, let's see if it'll try it. Now hashcat spits out a whole lot of output, but ultimately once you find something that comes through it will display Cracked with a little bit of info and a little like list sort of format display. I'll show you that in just a moment, and let's see if our password is in fasttrack or we should move up to something like rockyou, the significantly bigger word list and dictionary file. Oh, okay, looks like it just came through right then and there. Looks like it is cracked, we have a password here somewhere. Oh, it displays it up at the top, so that's one thing to note here when you're using hashcat: given the hash that you've provided, it will end up displaying the whole hash again and then the actual password following it after a colon there. So capital P, password, at sign, and zero for fancy pass, whatever, another bad, dumb, stupid password.

And that's it, that is enough fireworks for this video, but my goodness, hey, I think we covered a whole lot of ground: password guessing and brute forcing with Hydra, cracking some hashes with John the Ripper, whether it's just simple Linux user accounts or even Windows NetNTLMv2 hashes for user authentication with hashcat. So a little bit of a wide array of all the things we might be able to do, but ultimately, look, password security doesn't have to be hard. It shouldn't have to be something that we make these stupid mistakes for. Use a password manager, seriously. I know there are a whole lot of options out there, I'm a big fan of Passbolt, it's what I use personally, it's my daily driver and I love it. I think they're doing really cool stuff for the community, and especially in their 3.12, or the 3.12 release, they're just continuing to add great new features for everyone, even the Community Edition. You can host it locally if you want, doesn't have to be open to the internet, or they could just do it for you, put it on the cloud, whatever. I hope you enjoy, hope you like this video, hope you give Passbolt a try. Like, comment, subscribe, see you in the next video.
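The Hydra run in the first showcase leaves an obvious trace on the victim: a burst of `Failed password` lines in sshd's auth log from one source address, followed by an `Accepted password` once the word list hits. The following detector is an added example, not code from the video; it parses constructed auth.log lines (the attacker address 192.168.11.166 and the account `user` mirror the lab above, the timestamps and ports are made up) and flags any source IP with ten or more failures inside a sixty-second window, noting whether a successful login followed the burst.

```python
import re
from collections import defaultdict

# Ubuntu/Debian sshd auth.log format; "invalid user" appears when the name does not exist.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sample: 12 failed logins for "user" within three seconds, then a success,
# from the lab attacker address, plus one ordinary typo-then-success from another host.
SAMPLE_AUTH_LOG = "\n".join(
    [f"Apr  4 10:00:0{i // 4} ubuntu sshd[{2100 + i}]: Failed password for user "
     f"from 192.168.11.166 port {50000 + i} ssh2" for i in range(12)]
    + ["Apr  4 10:00:03 ubuntu sshd[2112]: Accepted password for user from 192.168.11.166 port 50012 ssh2",
       "Apr  4 10:05:00 ubuntu sshd[2200]: Failed password for alice from 192.168.11.20 port 51000 ssh2",
       "Apr  4 10:05:30 ubuntu sshd[2201]: Accepted password for alice from 192.168.11.20 port 51001 ssh2"]
)


def _seconds(time_str):
    # Seconds since midnight; the lab log spans a single day, so the date is ignored.
    h, m, s = (int(x) for x in time_str.split(":"))
    return h * 3600 + m * 60 + s


def parse_auth_log(text):
    """Return (seconds, result, user, ip) tuples for every password-auth line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((_seconds(m["time"]), m["result"], m["user"], m["ip"]))
    return events


def find_brute_force(events, window=60, threshold=10):
    """Map each source IP that produced `threshold` or more failed password attempts
    within any `window`-second span to a summary of the burst."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fail_times = [t for t, r, _, _ in evs if r == "Failed"]
        burst_end = None
        start = 0
        for end in range(len(fail_times)):          # sliding window over failure times
            while fail_times[end] - fail_times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = fail_times[end]
                break
        if burst_end is None:
            continue
        users = sorted({u for _, r, u, _ in evs if r == "Failed"})
        # A success at or after the burst is the "password was in the word list" case.
        success = any(r == "Accepted" and t >= burst_end for t, r, _, _ in evs)
        findings[ip] = {"failures": len(fail_times), "users": users,
                        "success_after_burst": success}
    return findings


if __name__ == "__main__":
    for ip, info in find_brute_force(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(ip, info)
```

Tune `window` and `threshold` to the host's normal failure rate; a single user mistyping a password, like `alice` in the sample, never reaches the threshold.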
Info
Channel: John Hammond
Views: 659,542
Keywords: cybersecurity, learn, programming, coding, capture the flag, ctf, malware, analysis, dark web, how to learn cybersecurity, beginners
Id: 4X5aoQ8i-_g
Length: 24min 22sec (1462 seconds)
Published: Tue Apr 04 2023