Understanding and attacking password-based systems
Introduction
This is a lab where you can test some content related to the use of passwords. You'll find some examples where you can test whether your password has been compromised, or how robust your passwords are.
In order to use this lab, it is recommended to use:
a web browser
Kali Linux, with some tools installed
Metasploitable 2 VM (used as a target).
Understanding Passwords
This part is useful for checking the security of passwords and for understanding their robustness.
Check your passwords
There have been many data leaks on the Internet that contain a massive number of accounts, with the passwords of millions and millions of users. Troy Hunt, a security researcher, has created a web site called "have I been pwned" that allows any user to look up an email address or telephone number that might be part of an existing data leak.
Using this web site, try the following:
Look to see if some of your accounts have been compromised (also look at the details of those accounts);
Look at the amazing list of Pwned web sites. Found anything interesting?
Look for information online about the most recent Facebook data breach (2021).
Massive list of passwords
There are multiple sites that aggregate large numbers of leaked passwords. These passwords can be used to conduct dictionary attacks, which try every password in the list to check whether any of them works.
One of the most well-known data breaches involving unencrypted user accounts was that of RockYou, a social application site that mainly developed widgets for Facebook. RockYou suffered a data breach that resulted in the exposure of 32 million user accounts.
Direct download of the Rockyou passwords
Checking for password robustness
One of the most important security measures for a password is its robustness. One way to determine password robustness is to measure the password's entropy. Password entropy predicts how difficult a given password would be to crack through guessing, brute force, dictionary attacks or other common methods. Entropy is measured in bits.
Just to check the entropy of some passwords, let's do the following:
Visit the web site of GeneratePasswords and look at the password entropy calculation formula;
Also look at why the password strength meters are not that great (those you find on most websites);
Check the entropy of the different types of passwords using a password strength calculator;
Check on EFF Dice-Generate Passphrases. Look at the wordlist dictionary. Try the proposed process to create a great passphrase;
Also look at the Diceware Passphrase web site;
Finally, try to create some passwords/passphrases and check their strength.
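The entropy formula from the steps above, E = L · log2(R), carried through in code as an added example (not the lab's own code, and not the exact table any of the linked calculators use): it estimates entropy from the character classes a password draws on, compares it with a wordlist passphrase, and shows why the formula alone is misleading once a password already appears in a leak list. The character-class pool sizes and the sample breached set are assumptions constructed for the example.

```python
import math
import string

# Assumed character classes and pool sizes (R) used by most entropy calculators.
CLASSES = [
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), len(string.punctuation)),  # 32 symbols
]

# Constructed stand-in for a leaked-password list such as rockyou.txt.
SAMPLE_BREACHED = {"123456", "password", "iloveyou", "Password1!"}


def pool_size(password: str) -> int:
    """Size R of the character pool implied by the classes the password uses."""
    chars = set(password)
    size = sum(n for members, n in CLASSES if chars & members)
    # Characters outside the four classes (space, unicode) each add one symbol.
    extra = chars - set().union(*(m for m, _ in CLASSES))
    return size + len(extra)


def password_entropy_bits(password: str) -> float:
    """Brute-force entropy estimate E = L * log2(R), in bits."""
    if not password:
        return 0.0
    return len(password) * math.log2(pool_size(password))


def passphrase_entropy_bits(num_words: int, wordlist_size: int = 7776) -> float:
    """Entropy of a passphrase drawn uniformly from a wordlist.

    The EFF large wordlist has 6**5 = 7776 entries (five dice rolls per word)."""
    return num_words * math.log2(wordlist_size)


def effective_entropy_bits(password: str, breached=SAMPLE_BREACHED) -> float:
    """A leaked password is one dictionary guess away, so its effective entropy is 0
    no matter what the class-based formula says; this is what simple meters miss."""
    return 0.0 if password in breached else password_entropy_bits(password)


def worst_case_crack_seconds(bits: float, guesses_per_second: float = 1e10) -> float:
    """Seconds to exhaust a keyspace of 2**bits at the given guess rate (assumed rate)."""
    return 2 ** bits / guesses_per_second
```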
Attacks on Passwords
There are two generic ways to attack passwords: either through a dictionary attack or a brute-force attack. There are other techniques, but these are the most common ones.
Let us simulate a situation in which an attacker is going to try to exploit a victim. For the attacker, Kali Linux will be used. For the victim, we will use the Metasploitable 2 VM.
Let's assume that the victim has the following IP address: 192.168.8.148.
Looking for password-based services
Next we are going to analyze the system using either "nmap" or "masscan". Let's use nmap first:
And obtain the following results:
And now let's use the masscan tool (it requires running as sudo):
Resulting in:
So we can conclude that plenty of services are open on the machine. At this point we can understand the victim's degree of exposure: services such as ftp, ssh and http are running on it.