Kali Linux: Password Attacks using Kali Linux

From OnnoWiki
Revision as of 20:28, 10 February 2016 by Onnowpurbo

Source: http://kalilinuxcourse.blogspot.co.id/2015/10/crack-password-using-kali-linux-2.0.html

Password Attacks

Password cracking is the process of recovering passwords from data that have been stored in or transmitted by a computer system. A common approach (brute-force attack) is to repeatedly try guesses for the password.

The purpose of password cracking might be to help a user recover a forgotten password (though setting an entirely new password is less of a security risk, it requires system administration privileges), to gain unauthorized access to a system, or as a preventive measure by system administrators to check for easily crackable passwords. On a file-by-file basis, password cracking is used to gain access to digital evidence for which a judge has allowed access but the particular file's access is restricted.

Computer programmers have long tried to create algorithms that crack passwords in less time. Most password cracking tools try to log in with every possible combination of characters; if a login succeeds, the password has been found. If the password is strong enough, combining letters, numbers and special characters, this method may take hours, weeks or months. Some password cracking tools instead use a dictionary of candidate passwords. These tools depend entirely on the dictionary, so their success rate is lower.


Tips for creating a strong password

The longer the password, the harder it is to crack: Password length is the most important factor. If you choose a short password, password cracking tools can crack it easily by trying only a few combinations. A longer password takes longer to guess. Your password must be at least 8 characters long.

Always use a combination of letters, numbers and special characters: This is the other thing that makes passwords hard to crack, because cracking tools try the combinations one by one. Mix lower-case letters, capital letters, numbers and special characters. Suppose your password contains only numbers: a cracking tool then only needs to guess the digits 0-9 in each position, and only the length matters. A password of good length drawn from a-z, A-Z, 0-9 and special characters is much harder to crack; such a password can take weeks to crack.
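To make the two rules above concrete, here is an added Python example (not from the original page) that computes the keyspace a brute-force tool faces for a given password and the worst-case time to exhaust it at a given guess rate; the sample passwords and the guess rate are constructed values.

```python
import math
import string

# Character classes, matching the page's a-z / A-Z / 0-9 / special split.
CHARACTER_CLASSES = {
    "lower": string.ascii_lowercase,   # 26 symbols
    "upper": string.ascii_uppercase,   # 26 symbols
    "digits": string.digits,           # 10 symbols
    "symbols": string.punctuation,     # 32 printable ASCII symbols
}


def classes_used(password):
    """Names of the character classes that actually occur in the password."""
    return [name for name, chars in CHARACTER_CLASSES.items()
            if any(c in chars for c in password)]


def alphabet_size(password):
    """Symbols per position a brute-force tool must try once it knows which classes occur.
    Characters outside the four classes (e.g. spaces) are not counted."""
    return sum(len(CHARACTER_CLASSES[name]) for name in classes_used(password))


def keyspace(password):
    """Number of candidates of this exact length drawn from that alphabet."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password):
    """log2 of the keyspace: each extra character adds log2(alphabet) bits."""
    size = alphabet_size(password)
    return len(password) * math.log2(size) if size else 0.0


def seconds_to_exhaust(password, guesses_per_second):
    """Worst-case time to try every candidate in the keyspace at the given rate."""
    return keyspace(password) / guesses_per_second


def meets_policy(password, min_length=8, min_classes=3):
    """The page's two rules: at least 8 characters, and a mix of character classes."""
    return len(password) >= min_length and len(classes_used(password)) >= min_classes


if __name__ == "__main__":
    # Constructed samples; "12345678" and "abcdefgh" are the fcrackzip examples further down the page.
    rate = 100_000  # constructed guess rate (guesses per second)
    for pw in ["12345678", "abcdefgh", "Abcd1234", "Tr0ub4dor&3", "N0t-Th1s-0ne!"]:
        print(f"{pw:14} classes={','.join(classes_used(pw)):27} "
              f"bits={entropy_bits(pw):5.1f} worst-case={seconds_to_exhaust(pw, rate):14.0f}s "
              f"policy={'ok' if meets_policy(pw) else 'FAIL'}")
```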

Variety in passwords: One important thing you must always take care of: never use the same password everywhere. Cyber criminals can steal passwords from one website and then try them on other websites too. If you are not sure about the strength of your password, you can check it with a variety of free online tools. Try this official Microsoft tool for checking password strength:

https://www.microsoft.com/security/pc-security/password-checker.aspx

Example of a strong password: AdZfL48024@ #$!

Tools Used For Password Cracking

   GPU Tools 
   Online Attack 
   Offline Attack 
   Passing The Hash 

GPU Tools

A GPU, or graphics processing unit, is used primarily for 3-D applications. It is a single-chip processor that creates lighting effects and transforms objects every time a 3D scene is redrawn. These are mathematically intensive tasks which would otherwise put quite a strain on the CPU. Lifting this burden from the CPU frees up cycles that can be used for other jobs.

The simple reason to use a GPU instead of a CPU for password cracking is that it's much faster. Cracking passwords is a lot like mining Bitcoins, so the same reasons GPUs are faster for Bitcoin mining apply to password cracking. The short answer is that a GPU contains many more specialized cores that perform 32-bit operations very quickly. Although a CPU can perform a lot of general-purpose calculations, the cores on a GPU perform specific types of operations much faster, and in a much more parallel way.

Cracking a Wi-Fi Password Using Pyrit

Step 1: Put the Wi-Fi Adapter in Monitor Mode with Airmon-Ng

Let's start by putting our wireless adapter in monitor mode. Open a terminal and type:

   airmon-ng start wlan0 


Note that airmon-ng has renamed your wlan0 adapter to mon0.

Step 2: Capture Traffic with Airodump-Ng

Now that our wireless adapter is in monitor mode, we can see all the wireless traffic that passes by in the air. We can grab that traffic by simply using the airodump-ng command.

This command grabs all the traffic that your wireless adapter can see and displays critical information about it, including the BSSID (the MAC address of the AP), power, number of beacon frames, number of data frames, channel, speed, encryption (if any), and finally, the ESSID (what most of us refer to as the SSID). Let's do this by typing:

   airodump-ng mon0 


Note all of the visible APs are listed in the upper part of the screen and the clients are listed in the lower part of the screen.

Step 3: Airodump-Ng on One Channel to Capture the Handshake

Our next step is to focus our efforts on one AP, on one channel, and capture critical data from it. We need the BSSID and channel to do this. Open another terminal and type:

   airodump-ng --bssid 08:86:30:74:22:76 -c 6 -w WPAcrack mon0 


   08:86:30:74:22:76 is the BSSID of the AP
   -c 6 is the channel the AP is operating on
   WPAcrack is the file you want to write to
   mon0 is the monitoring wireless adapter

As you can see in the screenshot above, we're now focusing on capturing data from one AP with an ESSID of Belkin276 on channel 6. Belkin276 is probably a default SSID; such networks are prime targets for wireless hacking, as users who leave the default ESSID usually don't spend much effort securing their AP.

Step 4: Aireplay-Ng Deauth

In order to capture the encrypted password, we need to have the client authenticate against the AP. If they're already authenticated, we can de-authenticate them (kick them off) and their system will automatically re-authenticate, whereby we can grab their encrypted password in the process.

Let's open another terminal and type:

   aireplay-ng --deauth 100 -a 08:86:30:74:22:76 mon0 


   100 is the number of de-authentication frames you want to send
   08:86:30:74:22:76 is the BSSID of the AP
   mon0 is the monitoring wireless adapter
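From the defender's side, the deauthentication burst described in Step 4 is easy to spot in a monitor-mode capture. The following Python example is added here (it is not part of the original page): it parses bare 802.11 management headers, counts deauth frames per transmitter in a sliding window, and raises an alert on a burst. The frames are constructed inline with struct (no radiotap header, no real capture); the second AP and the client address are made-up values.

```python
import struct
from collections import defaultdict, deque

DEAUTH = (0, 12)                 # 802.11 type 0 (management), subtype 12 = Deauthentication
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_80211(frame):
    """Decode the fixed 24-byte 802.11 MAC header. Assumes bare 802.11 frames (no radiotap)."""
    if len(frame) < 24:
        return None
    fc = frame[0]                                   # first frame-control byte
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    info = {"type": ftype, "subtype": subtype,
            "dst": mac(frame[4:10]), "src": mac(frame[10:16]), "bssid": mac(frame[16:22])}
    if (ftype, subtype) == DEAUTH and len(frame) >= 26:
        info["reason"] = struct.unpack("<H", frame[24:26])[0]   # reason code follows the header
    return info


def detect_deauth_flood(frames, window=5.0, threshold=10):
    """frames: iterable of (timestamp_seconds, raw_frame) in capture order.
    Emits one alert per transmitter whose deauth count inside a sliding window reaches threshold."""
    recent = defaultdict(deque)          # transmitter MAC -> timestamps of its recent deauths
    alerts, flagged = [], set()
    for ts, raw in frames:
        p = parse_80211(raw)
        if p is None or (p["type"], p["subtype"]) != DEAUTH:
            continue
        q = recent[p["src"]]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and p["src"] not in flagged:
            flagged.add(p["src"])
            alerts.append({"transmitter": p["src"], "bssid": p["bssid"],
                           "broadcast": p["dst"] == BROADCAST,   # a broadcast deauth hits every client
                           "count": len(q), "first_seen": q[0], "last_seen": ts,
                           "reason": p.get("reason")})
    return alerts


def _addr(s):
    return bytes.fromhex(s.replace(":", ""))


def make_deauth(dst, src, bssid, reason, seq=0):
    """Constructed deauth frame: FC 0xC0 0x00, duration, addr1..3, sequence control, reason code."""
    return (bytes([0xC0, 0x00]) + struct.pack("<H", 0) + _addr(dst) + _addr(src) + _addr(bssid)
            + struct.pack("<H", seq << 4) + struct.pack("<H", reason))


def make_beacon(src, bssid):
    """Constructed minimal beacon (subtype 8), so the detector is seen ignoring other management frames."""
    return (bytes([0x80, 0x00]) + struct.pack("<H", 0) + _addr(BROADCAST) + _addr(src) + _addr(bssid)
            + struct.pack("<H", 0) + bytes(12))


AP = "08:86:30:74:22:76"         # the BSSID from the capture step above
OTHER_AP = "00:11:22:33:44:55"   # constructed
CLIENT = "aa:bb:cc:dd:ee:01"     # constructed


def sample_capture():
    """Constructed capture: one beacon, three routine deauths over a minute, then a 100-frame burst."""
    frames = [(0.0, make_beacon(OTHER_AP, OTHER_AP))]
    for i in range(3):              # reason 4 = disassociated due to inactivity; normal housekeeping
        frames.append((30.0 * i, make_deauth(CLIENT, OTHER_AP, OTHER_AP, reason=4)))
    for i in range(100):            # 100 broadcast deauths within 2 s, carrying the AP's own address
        frames.append((100.0 + 0.02 * i, make_deauth(BROADCAST, AP, AP, reason=7, seq=i)))
    return frames


if __name__ == "__main__":
    for a in detect_deauth_flood(sample_capture()):
        print(f"deauth flood from {a['transmitter']} (bssid {a['bssid']}): "
              f"{a['count']} frames in {a['last_seen'] - a['first_seen']:.2f}s, "
              f"broadcast={a['broadcast']}, reason={a['reason']}")
```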

After capturing the handshake, use Pyrit to crack the Wi-Fi password as follows.

In a plain dictionary or crunch attack the PMK speed is only around 4000, which takes a very long time to crack the Wi-Fi password, so use the steps below to increase the speed of the attack. This gives 60000-100000 PMKs, depending on the client hardware.

Steps To Use Pyrit To Crack the Password

1. Download the Pyrit source:

   svn checkout http://pyrit.googlecode.com/svn/trunk/ pyrit_svn

2. Build and install the core module with setup.py:

   cd pyrit_svn/pyrit/
   ./setup.py build install

3. Step back to pyrit_svn:

   cd ..

4. Go to the cpyrit_calpp directory:

   cd cpyrit_calpp

5. Edit setup.py: find VERSION = '0.4.0-dev' and change it to VERSION = '0.4.1-dev'; also find CALPP_INC_DIRS.append(os.path.join(CALPP_INC_DIR, 'include')) and replace it with CALPP_INC_DIRS.append(os.path.join(CALPP_INC_DIR, 'include/CAL')). Save the file.

6. Build and install the edited module:

   ./setup.py build install

7. Create the ESSID in the Pyrit database:

   pyrit -e MTNL create_essid

8. Import the dictionary into the Pyrit database:

   pyrit -i wordlist.lst import_passwords

9. Compute the PMK table in the Pyrit database:

   pyrit batch

10. Perform the attack on the handshake file:

   pyrit -r MTNL.cap attack_db

Offline Attack

Cmospwd

CmosPwd is a cross-platform tool to decrypt the password stored in CMOS that protects access to a computer's BIOS setup.


Crunch

Crunch is a wordlist generator: you can use a standard character set or specify your own, and crunch generates all possible combinations and permutations.

Generate a dictionary file containing words with a minimum and maximum length of 6 (6 6) using the given characters (0123456789abcdef), saving the output to a file (-o 6chars.txt):

   root@kali:~# crunch 6 6 0123456789abcdef -o 6chars.txt 


hash-identifier

Software to identify which hash algorithm produced a given digest, especially for password hashes.

   root@kali:~# hash-identifier 


John the Ripper

John the Ripper is another well-known free open source password cracking tool for Linux, Unix and Mac OS X. A Windows version is also available. This tool can detect weak passwords. A pro version of the tool is also available, which offers better features and native packages for target operating systems. You can also download Openwall GNU/*/Linux, which comes with John the Ripper.

Combine the provided passwd (passwd) and shadow (shadow) files and redirect the result to a file (> unshadowed.txt):

   root@kali:~# unshadow passwd shadow > unshadowed.txt


Using a wordlist (--wordlist=/usr/share/john/password.lst), apply mangling rules (--rules) and attempt to crack the password hashes in the given file (unshadowed.txt):

   root@kali:~# john --wordlist=/usr/share/john/password.lst --rules unshadowed.txt 


johnny

Johnny provides a GUI for the John the Ripper password cracking tool.

   root@kali:~# johnny


RainbowCrack

RainbowCrack is a hash cracker that uses a large-scale time-memory trade-off for faster password cracking than traditional brute-force tools. In a time-memory trade-off, all plaintext and hash pairs are computed in advance using a selected hash algorithm and the results are stored in a rainbow table. This precomputation is very time consuming, but once the table is ready it can crack a password much faster than brute-force tools.

You also do not need to generate rainbow tables yourself. The developers of RainbowCrack have generated LM, NTLM, MD5 and SHA1 rainbow tables. Like RainbowCrack, these tables are available for free; you can download them and use them in your password cracking process.

This tool is available for both Windows and Linux systems.
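To show the trade-off concretely, here is an added toy rainbow table over 4-digit PINs hashed with MD5 (illustrative code written for this page, not RainbowCrack's implementation or table format). It stores only chain endpoints and recomputes the rest at lookup time, and it also shows why a per-user salt makes any precomputed table useless; the chain length, start points and salt are constructed choices.

```python
import hashlib

PIN_LEN = 4             # plaintext space: 4-digit PINs, 10**4 candidates
SPACE = 10 ** PIN_LEN
CHAIN_LEN = 20          # hashes covered per stored chain


def H(plain):
    return hashlib.md5(plain.encode()).hexdigest()


def R(digest, step):
    """Reduction function: map a digest back into the PIN space. Mixing in the column
    index gives each column its own reduction, which is what makes the table 'rainbow'."""
    return str((int(digest[:12], 16) + step) % SPACE).zfill(PIN_LEN)


def chain(start):
    """Plaintexts along one chain, start first; H() of all but the last is what the chain covers."""
    points = [start]
    for step in range(CHAIN_LEN):
        points.append(R(H(points[-1]), step))
    return points                      # points[-1] is the endpoint that gets stored


def build_table(starts):
    """Store only endpoint -> start points: the memory side of the trade-off."""
    table = {}
    for s in starts:
        table.setdefault(chain(s)[-1], []).append(s)
    return table


def lookup(table, target):
    """Recover the plaintext for `target` if its hash lies on any stored chain: the time side."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        p = R(target, col)                       # assume target sits in column `col`
        for step in range(col + 1, CHAIN_LEN):   # walk to where the endpoint would be
            p = R(H(p), step)
        for start in table.get(p, []):           # regenerate candidate chains; merges give false alarms
            for c in chain(start)[:-1]:
                if H(c) == target:
                    return c
    return None


def salted_hash(salt, pin):
    """Per-user salt: the same PIN hashes differently, so no precomputed table covers it."""
    return hashlib.md5((salt + pin).encode()).hexdigest()


def build_demo_table():
    """Constructed table: every 7th PIN as a chain start, about 1429 chains instead of 10000 pairs."""
    return build_table(str(i).zfill(PIN_LEN) for i in range(0, SPACE, 7))


if __name__ == "__main__":
    table = build_demo_table()
    print(f"stored endpoints: {len(table)}, hashes reachable per chain: {CHAIN_LEN}")
    covered = chain("0007")[3]                   # a PIN known to lie on a stored chain
    print(f"unsalted md5({covered}) ->", lookup(table, H(covered)))
    print(f"salted   md5(s4lt{covered}) ->", lookup(table, salted_hash("s4lt", covered)))
```

Chains that merge (two starts reaching the same endpoint) are kept as a list here, so every hash on a stored chain is recoverable; a real table drops them, which is why coverage of the whole space is probabilistic.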


rcracki-mt

rcracki_mt is a modified version of rcrack which supports hybrid and indexed tables. In addition to that, it also adds multi-core support.

Crack the password hash (-h 5d41402abc4b2a76b9719d911017c592) using 4 CPU cores (-t 4) and the specified rainbow tables (tables2/md5/):

   root@kali:~# rcracki_mt -h 5d41402abc4b2a76b9719d911017c592 -t 4 tables2/md5


RSMangler

RSMangler takes a wordlist and performs various manipulations on it similar to those done by John the Ripper. The main difference is that it first takes the input words and generates all permutations and the acronym of the words (in the order they appear in the file) before applying the rest of the mangles.

Use the original wordlist (cat words.txt |), mangle words with a minimum length of 6 (-m 6) and maximum length of 8 (-x 8), using stdin as input (--file -), and redirect the results to a new wordlist (> mangled.txt):

   root@kali:~# cat words.txt | rsmangler -m 6 -x 8 --file - > mangled.txt

   root@kali:~# wc -l mangled.txt 


TrueCrack

TrueCrack is able to perform a brute-force attack based on:

   Dictionary: read the passwords from a file of words.
   Alphabet: generate all passwords of a given length from a given alphabet.

TrueCrack works on both GPU and CPU.

   root@kali:~# truecrack -t truecrypt_vol -k ripemd160 -w passes.txt 


cachedump

It is used to recover Windows passwords from cached logon entries.

CacheDump creates a CacheDump NT service to obtain SYSTEM rights and do its work in the registry. It then retrieves the LSA cipher key to decrypt the (rc4/hmac_md5 GloubiBoulga) cache entry values. A John the Ripper module has been developed to attack the hashed values that are retrieved.

chntpw

It is used to remove Windows OS passwords.

So let's get started:

Step 1: Mount the drive containing the Windows OS. This one is easy, isn't it? In case you have forgotten how to do it, here is the syntax:

   ntfs-3g /dev/sda1 /media/win


Note that 'sda1' in the above command is the partition on which Windows is installed; yours may be different. To check, simply type fdisk -l, which lists all your partitions, and see on which partition your Windows OS is installed.

Step 2: Now move to the config folder of the Windows OS using the command below:

   cd /media/win/Windows/System32/config/


Step 3: Type the following command to see the list of users on the victim's machine:

   chntpw -l SAM


Step 4: Copy the name of the user whose password you want to reset and enter the command below to reset the password of the selected user:

   chntpw -u <username> SAM


dictstat

It is used to generate dictionary file statistics.


fcrackzip

fcrackzip is a fast password cracker partly written in assembler. It is able to crack password protected zip files with brute force or dictionary based attacks.

1. Open a terminal and type fcrackzip --help; this shows fcrackzip's help options.

2. Let's make a zip file on a Windows 7 PC, then copy it into Kali Linux, after which we will try to break its password with fcrackzip. I created a zip file whose password is 12345678.

3. Now we are going to break this password-protected zip file. Here we know our password is numeric (e.g. 123...) and 8 digits long. Even a little knowledge about your password, such as its character type or number of digits, helps to speed up the brute-force attack against your zip file.

Syntax: fcrackzip -u -c <your password character type> -p <total digits> <zip file path>

   fcrackzip -u -c 1 -p aaaaaaaa '/root/Desktop/Test.zip'


Here,

The -u option tries to decompress the first file by calling unzip with the guessed password. This weeds out false positives when not enough files have been given.

The -c option lets you select the character set; '1' here means the password can be numeric.

The -p option lets you select an initial string from which to start the brute-force attack.

Note: as you can see, I wrote 'aaaaaaaa', which is 8 characters, meaning I assumed that my password has 8 digits. If this assumption is wrong, for example the password has 8 digits but I write 'aaaaaaa' (only 7), then fcrackzip will not crack the password.

4. If you know your password is numeric but you don't know how many digits it has, you can assume a range of password lengths. Here I assume my password is between 4 and 8 digits.

Syntax: fcrackzip -u -c <your password character type> -l <password digits range> <zip file path>

   fcrackzip -u -c 1 -l 4-8 '/root/Desktop/Test.zip'


5. In this example I created another zip file with lower-case letters as the password. Here the password is 'abcdefgh': lower-case alphabetic characters, 8 characters long.

Syntax: fcrackzip -u -c <your password character type> -p <total digits> <zip file path>

   fcrackzip -u -c a -p aaaaaaaa '/root/Desktop/Test1.zip'


Here we use 'a' after -c because our password consists of lower-case letters. If you suspect the password may contain upper-case letters, write a capital 'A'. If you think it has both upper and lower case, write 'Aa'. Likewise, if you suspect the password has lower case (a), upper case (A) and numeric (1) characters, write 'Aa1'.

6. Range of password digits

7. Here we brute-force a zip file password which has upper case (A), lower case (a), numeric (1) and symbol (@) characters. Use "!" to include the special characters !:$%&/()=?{[]}+*~#. If you want to specify only some characters, list them after ":". In this image I want to specify only one character (@), so I used :@.

8. Now we are going to crack this zip password using a dictionary attack. Just for this example I make a small dictionary by hand so that it takes less time to crack.

9. Now run the command to crack the zip file password:

Syntax: fcrackzip -u -D -p <dictionary file path> <zip file path>

   fcrackzip -u -D -p '/root/Desktop/dic' '/root/Desktop/Test.zip'


hashcat

Hashcat is a CPU-based password recovery tool; hashcat and cudaHashcat are the self-proclaimed world's fastest password recovery tools. Versions are available for Linux, OSX and Windows, in CPU-based or GPU-based variants. Hashcat and cudaHashcat currently support a large range of hashing algorithms, including Microsoft LM hashes, MD4, MD5, the SHA family, Unix crypt formats, MySQL, Cisco PIX and many others.

   root@kali:~# hashcat -m 0 -a 0 /root/md5.txt /root/rockyou.txt


   md5.txt : file in which the hashed passwords are saved
   /root/rockyou.txt : path of the dictionary file used to crack the hashed passwords


hashid

Identifies which hash algorithm produced a given digest, especially for password hashes.
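Both hash-identifier (above) and hashid work the same way: they match the digest's length and prefix against known formats. The following Python example is added here (not the tools' own signature tables, only an illustrative subset) and adds the question a defender asks next: is this a fast unsalted digest or a salted, iterated password hash? The two 32-hex values are the hashes quoted elsewhere on this page; the bcrypt-shaped and MySQL-shaped entries are constructed dummies with the right syntax.

```python
import re

# Illustrative subset of signatures (not hash-identifier's or hashid's own tables).
# Order matters: tagged crypt formats first, then bare hex by length.
HASH_SIGNATURES = [
    (r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$",                 ["bcrypt"]),
    (r"^\$6\$(rounds=\d+\$)?[^$]{1,16}\$[./A-Za-z0-9]{86}$",   ["sha512crypt"]),
    (r"^\$5\$(rounds=\d+\$)?[^$]{1,16}\$[./A-Za-z0-9]{43}$",   ["sha256crypt"]),
    (r"^\$1\$[^$]{1,8}\$[./A-Za-z0-9]{22}$",                   ["md5crypt"]),
    (r"^\*[0-9A-F]{40}$",                                      ["MySQL 4.1+"]),
    (r"^[0-9a-fA-F]{16}$",                                     ["MySQL323"]),
    (r"^[0-9a-fA-F]{32}$",                                     ["MD5", "MD4", "NTLM", "LM"]),
    (r"^[0-9a-fA-F]{40}$",                                     ["SHA-1", "RIPEMD-160"]),
    (r"^[0-9a-fA-F]{64}$",                                     ["SHA-256", "SHA3-256", "BLAKE2s"]),
    (r"^[0-9a-fA-F]{128}$",                                    ["SHA-512", "SHA3-512", "Whirlpool"]),
]

# Fast, unsalted digests: a word list or a rainbow table applies to them directly.
FAST_UNSALTED = {"MD5", "MD4", "NTLM", "LM", "SHA-1", "RIPEMD-160", "SHA-256", "SHA3-256",
                 "BLAKE2s", "SHA-512", "SHA3-512", "Whirlpool", "MySQL323", "MySQL 4.1+"}


def identify(hash_string):
    """Candidate algorithms for a hash string, most common first; [] if nothing matches.
    A bare 32-hex value cannot be told apart: MD5, MD4, NTLM and LM all look the same."""
    h = hash_string.strip()
    for pattern, names in HASH_SIGNATURES:
        if re.match(pattern, h):
            return list(names)
    return []


def storage_assessment(hash_string):
    """Defender's view of a stored hash: bare fast digest, or salted iterated password hash?"""
    names = identify(hash_string)
    if not names:
        return "unknown format"
    if all(n in FAST_UNSALTED for n in names):
        return "fast unsalted digest: precomputed tables and GPU dictionary attacks apply"
    return "salted iterated password hash: per-hash work, no shared precomputation"


def assess_dump(lines):
    """Walk 'user:hash' lines and map each user to (candidates, assessment)."""
    report = {}
    for line in lines:
        user, _, h = line.strip().partition(":")
        if user and h:
            report[user] = (identify(h), storage_assessment(h))
    return report


if __name__ == "__main__":
    # Constructed sample dump: the two 32-hex values are hashes quoted elsewhere on this page;
    # the bcrypt- and MySQL-shaped values are dummies with the right syntax, not real hashes.
    SAMPLE_DUMP = [
        "alice:5d41402abc4b2a76b9719d911017c592",
        "bob:098f6bcd4621d373cade4e832627b4f6",
        "carol:$2b$12$" + "a" * 53,
        "dave:*" + "A" * 40,
    ]
    for user, (names, verdict) in assess_dump(SAMPLE_DUMP).items():
        print(f"{user:6} {'/'.join(names) or '?':22} {verdict}")
```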


maskgen

Generates hashcat masks.


ophcrack

A Microsoft Windows password cracker using rainbow tables.

Ophcrack uses rainbow tables to crack NTLM and LM hashes into plain text; it is a free Windows password cracker based on rainbow tables and a very efficient implementation of the method by its inventors. A complex password takes a lot longer than a simple one, and with the free tables your password may never be cracked.


sipcrack

SIPcrack is a SIP login sniffer/cracker that consists of 2 programs: sipdump, to capture the digest authentication, and sipcrack, to brute-force the hash using a wordlist or standard input.

sipcrack brute-forces the user's password with the dump file generated by sipdump. If a password is found, the sniffed and cracked login is updated in the dump file.

Sipcrack needs a wordlist to launch an attack; if it succeeds, it gives you the password.

   root@bt:/Desktop/SIPCrack# ./sipcrack pass.txt -w list.txt 


sucrack

Multithreaded Linux/UNIX tool for brute-force cracking of local user accounts via su.


Online Attack

acccheck

The tool is designed as a password dictionary attack tool that targets Windows authentication via the SMB protocol. It is really a wrapper script around the 'smbclient' binary and so depends on it for its execution. Scan the IP addresses contained in smb-ips.txt (-T) and use verbose output (-v):

   root@kali:~# acccheck.pl -T smb-ips.txt -v


Burp Suite

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.

Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.

   root@kali:~# burpsuite


CeWL

CeWL is a ruby app which spiders a given url to a specified depth, optionally following external links, and returns a list of words which can then be used for password crackers such as John the Ripper.

CeWL also has an associated command line app, FAB (Files Already Bagged) which uses the same meta data extraction techniques to create author/creator lists from already downloaded.

Scan to a depth of 2 (-d 2), use a minimum word length of 5 (-m 5), and save the words to a file (-w docswords.txt), targeting the given URL:

   root@kali:~# cewl -d 2 -m 5 -w docswords.txt http://google.com


Cisco-Auditing-Tool

A Perl script which scans Cisco routers for common vulnerabilities.

Scan the host (-h 192.168.99.230) on port 23 (-p 23), using a password dictionary file (-a /usr/share/wordlists/nmap.lst):

   root@kali:~# CAT -h 192.168.99.230 -p 23 -a /usr/share/wordlists/nmap.lst


DBPwAudit

DBPwAudit is a Java tool that allows you to perform online audits of password quality for several database engines. The application design allows for easy adding of additional database drivers by simply copying new JDBC drivers to the jdbc directory. Configuration is performed in two files, the aliases.conf file is used to map drivers to aliases and the rules.conf tells the application how to handle error messages from the scan.

Scan the SQL server (-s 192.168.1.130), using the specified database (-d testdb) and driver (-D MySQL), with the root username (-U root) and a password dictionary (-P /usr/share/wordlists/nmap.lst):

   root@kali:~# dbpwaudit -s 192.168.1.130 -d testdb -D MySQL -U root -P /usr/share/wordlists/nmap.lst


FindMyHash

It cracks hashes using online services.

Specifying the hash algorithm (MD5), attempt to crack the given hash (-h 098f6bcd4621d373cade4e832627b4f6):

   root@kali:~# findmyhash MD5 -h 098f6bcd4621d373cade4e832627b4f6


THC-Hydra

Hydra is a parallelized login cracker which supports numerous protocols to attack. It is very fast and flexible, and new modules are easy to add. This tool makes it possible for researchers and security consultants to show how easy it would be to gain unauthorized access to a system remotely.

It supports: Cisco AAA, Cisco auth, Cisco enable, CVS, FTP, HTTP(S)-FORM-GET, HTTP(S)-FORM-POST, HTTP(S)-GET, HTTP(S)-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MySQL, NNTP, Oracle Listener, Oracle SID, PC-Anywhere, PC-NFS, POP3, PostgreSQL, RDP, Rexec, Rlogin, Rsh, SIP, SMB(NT), SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

Attempt to login as the root user (-l root) using a password list (-P /usr/share/wordlists/metasploit/unix_passwords.txt) with 6 threads (-t 6) on the given SSH server (ssh://192.168.1.123):

   root@kali:~# hydra -l root -P /usr/share/wordlists/metasploit/unix_passwords.txt -t 6 ssh://192.168.1.123


Keimpx

keimpx is an open source tool, released under a modified version of Apache License 1.1.

It can be used to quickly check for valid credentials across a network over SMB. Credentials can be:

   Combination of user / plain-text password.
   Combination of user / NTLM hash.
   Combination of user / NTLM logon session token.

Read a list of IP addresses (-l /root/smbopen.txt) and attempt to log in as the user victim (-U victim) with the password s3cr3t (-P s3cr3t), with a verbosity level of 1 (-v 1), running in batch mode (-b):

   root@kali:~# keimpx -l /root/smbopen.txt -U victim -P s3cr3t -v 1 -b


Ncrack

Ncrack is a high-speed network authentication cracking tool. It was built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords. Security professionals also rely on Ncrack when auditing their clients. Ncrack was designed using a modular approach, a command-line syntax similar to Nmap and a dynamic engine that can adapt its behaviour based on network feedback. It allows for rapid, yet reliable large-scale auditing of multiple hosts.

Ncrack’s features include a very flexible interface granting the user full control of network operations, allowing for very sophisticated bruteforcing attacks, timing templates for ease of use, runtime interaction similar to Nmap’s and many more. Protocols supported include RDP, SSH, http(s), SMB, pop3(s), VNC, FTP, and telnet.

Use verbose mode (-v), read a list of IP addresses (-iL win.txt), and attempt to log in with the username victim (--user victim) and the passwords in a dictionary (-P passes.txt) using the RDP protocol (-p rdp) with one connection at a time (CL=1):

   root@kali:~# ncrack -v -iL win.txt --user victim -P passes.txt -p rdp CL=1


Patator

Patator is a multi-purpose brute-forcer with a modular design and flexible usage.

Do a MySQL brute-force attack (mysql_login) with the root user (user=root) and passwords contained in a file (password=FILE0 0=/root/passes.txt) against the given host (host=127.0.0.1), ignoring responses containing the specified string (-x ignore:fgrep='Access denied for user'):

   root@kali:~# patator mysql_login user=root password=FILE0 0=/root/passes.txt host=127.0.0.1 -x ignore:fgrep='Access denied for user'


phrasendrescher

phrasen|drescher (p|d) is a modular, multi-processing passphrase cracking tool. It comes with a number of plugins, and a simple plugin API allows easy development of new ones.

Use the SSH brute force plugin (ssh) and the passwords in a wordlist (-d passes.txt) against the target server (-t 192.168.1.202), displaying verbose output (-v):

   root@kali:~# pd ssh -d passes.txt -t 192.168.1.202 -v


THC-pptp-bruter

Brute-force program against PPTP VPN endpoints (TCP port 1723). Fully standalone. Supports the latest MSChapV2 authentication. Tested against Windows and Cisco gateways. Exploits a weakness in Microsoft's anti-brute-force implementation which makes it possible to try 300 passwords per second.


WebScarab

WebScarab is designed to be a tool for anyone who needs to expose the workings of an HTTP(S) based application, whether to allow the developer to debug otherwise difficult problems, or to allow a security specialist to identify vulnerabilities in the way that the application has been designed or implemented.

   root@kali:~# webscarab





References