
Brute Force WordPress Passwords with WPScan and Tor


Visit Center City Security for WordPress Penetration Testing and Security services.

I took another crack, pun intended, at brute forcing my WordPress password using WPScan. Unlike when I tried it the other day, this time I used Tor and set up a SOCKS proxy to make use of a false IP address. My thinking was that my web host might blacklist my IP after a certain number of failed attempts, so by using Tor I could simply switch IP addresses once the blacklist went into effect.

I am happy to say the proxy worked and the following command worked as expected:

sudo wpscan --url technicalagain.com --wordlist darkc0de.txt --username [redacted] --proxy socks5://127.0.0.1:9050 -v

The behavior of my web host did not match what I expected. Instead of blacklisting the IP, as soon as the 38th incorrect password was entered, the web host put up a 406 error and stopped allowing login attempts for five minutes. Why does it allow 38 password attempts? Good question. So, to work around this I would have to enter 37 passwords, then wait five minutes, then enter the next 37 passwords, then wait five minutes, and slowly work through the entire dictionary list. At 37 passwords per five minutes it would take 121 days to exhaust the list of passwords on darkc0de.txt. Suffice it to say that this password policy control put in place by the web host is a satisfactory deterrent for 99.99% of attackers, who are not going to wait up to half a year just in hopes that my password is on the darkc0de list. It isn't.
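A defender-side model of the lockout behaviour described above, written here as an added example (not the host's or the post's code): a per-account counter that lets 37 wrong passwords through, answers the next attempts with 406 for five minutes, then starts over, plus the worst-case time a wordlist takes under that policy. The account name and attempt timestamps are constructed.

```python
from collections import defaultdict

# Policy as observed in the post: 37 wrong passwords go through, the 38th
# attempt is answered with HTTP 406 and logins stay blocked for five minutes.
MAX_FAILURES = 37
LOCKOUT_SECONDS = 300


class LoginThrottle:
    """Per-account failed-login lockout (constructed model, not the host's code)."""

    def __init__(self, max_failures=MAX_FAILURES, lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.lockout = lockout
        self.failures = defaultdict(int)   # account -> failures in this window
        self.locked_until = {}             # account -> time the lock expires

    def status(self, account, now):
        """Return 406 while the account is locked, otherwise 200 (attempt may proceed)."""
        until = self.locked_until.get(account)
        if until is not None:
            if now < until:
                return 406
            # Lockout has expired: the counter starts over.
            del self.locked_until[account]
            self.failures[account] = 0
        return 200

    def record_failure(self, account, now):
        """Count one wrong password; the max_failures-th one triggers the lockout."""
        self.failures[account] += 1
        if self.failures[account] >= self.max_failures:
            self.locked_until[account] = now + self.lockout


def simulate(throttle, account, attempts):
    """Run (timestamp, password_correct) pairs through the throttle, return statuses."""
    statuses = []
    for now, correct in attempts:
        code = throttle.status(account, now)
        if code == 200 and not correct:
            throttle.record_failure(account, now)
        statuses.append(code)
    return statuses


def days_to_exhaust(wordlist_size, per_window=MAX_FAILURES, window=LOCKOUT_SECONDS):
    """Worst-case days to try every candidate at per_window guesses per lockout window."""
    windows = -(-wordlist_size // per_window)  # ceiling division
    return windows * window / 86400
```

Feeding 40 wrong guesses one second apart into `simulate` gives 37 times 200 followed by 406s, and `days_to_exhaust` turns any wordlist size into the kind of figure the post computes for darkc0de.txt.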



More Password Cracking – Windows Edition with Ophcrack

I continued the work I previously explained by attempting to crack a Windows administrator password. This time I created a new Windows administrator, booted up using a Kali Linux USB and launched Ophcrack to go after the administrator account I set up.

After launching Ophcrack, I navigated to the Windows partition and then to \WINDOWS\System32\Config to access the SAM database. I then downloaded a rainbow table called Vista Free and after about 10 minutes, the admittedly weak password I set up, hello123, was cracked. I was not able to crack all of the accounts, presumably because they were adequately complex.

I think next time I will experiment with chntpw to reset the Administrator password instead of attempting to crack it.



Password Cracking with John the Ripper

I did some preliminary experimenting with the password-cracking utility John the Ripper to test the security of my own root password. I started by installing John and dumping the /etc/passwd file.

sudo apt-get install john

unshadow /etc/passwd /etc/shadow > mypasswd.txt

The mypasswd.txt file now holds a salted hash of my root password. I then passed this over to John to work its magic.

john mypasswd.txt

John is very powerful. I experimented with the most basic of cracking settings, starting with single mode, then word lists, after which John would have moved on to incremental mode. I am happy to say I chose a sufficiently complex password that withstood John's single crack mode and word lists.

Password cracking is very CPU intensive and the 10+ year old server that I am working with is probably about the least appropriate computer to attempt a rigorous cracking approach. The fan kicked on immediately and my laptop started running hot. After more than 10 minutes of cracking attempts I aborted John and you can see the output below.

This was a fun and great learning exercise. I am going to continue experimenting with John. I will test John on the passwords stored in my password manager next. Using this technique I will also mount the Windows partition I have on my server and attempt to access and crack the Windows password hashes from Ubuntu.