Skill Level Intermediate
- So we've looked at some of the penetration testing tools that you'll be responsible for, at least being aware of, with respect to use cases. So now let's look at them in a different way. Let's break them down into separate categories and, for each category, look at which tools belong in it. First off, we're going to start with scanners. Scanner tools that you'll likely see on the PenTest+ exam include Nikto, OpenVAS, SQLmap, and Nessus.
Nikto is a web server vulnerability scanner, so it's specifically oriented toward finding vulnerabilities in web servers. OpenVAS, we've actually already seen before. It stands for Open Vulnerability Assessment System. OpenVAS is an open-source vulnerability scanner that helps you determine what a particular target, or a series of targets, is running and automatically probes for vulnerabilities that may be exploitable on that target.
SQLmap is a tool that automates detecting and exploiting SQL injection flaws and taking over databases. And then finally there's Nessus. Nessus is a commercially available vulnerability scanner. It is free for non-professional use, but if you're going to use it as part of any commercial endeavor, then there is a fairly steep fee; however, the licensing fee does provide a lot of additional functionality.
Nessus used to be free and open source, and when it was converted into a commercial product the source tree was forked, and that's where OpenVAS came from. So you can almost think of OpenVAS as the open-source version of Nessus, and Nessus as the supercharged commercial version, and you see the URLs there. The next category of tools is credential testing tools. These are any tools that help you, as a pen tester, crack passwords or discover user IDs.
Anything that has to do with logins and access credentials, these tools help you get at. This tool category includes Hashcat, Medusa, Hydra, CeWL, and John the Ripper. When we're looking at credential testing tools, make sure you pay attention to whether a tool is online or offline. Online means that you're going to connect to some target, there has to be some service running on it, and you're actually sending credentials to it and trying to get a positive response.
Offline tools, on the other hand, depend on you grabbing some sort of file repository, maybe a file or a collection of files of user IDs and/or password hashes, from the target system. You bring them back locally and use the offline utilities to crack the passwords locally, so the two types of utilities work a little differently. A few more credential testing tools include Cain and Abel and Mimikatz, which are both online and offline tools, whereas Patator and w3af are online tools, and then there's DirBuster.
DirBuster is a multi-threaded application that brute-forces directory and file names on web servers, so it's not specifically a user ID or password cracker; it's a utility that gives us more information about what we may be able to access. Earlier in the course, we demonstrated Hydra, so let's take a look at another credential testing tool, John the Ripper. Now that we're back in Kali, I'm going to launch a Bash shell and we're ready to use John the Ripper.
John the Ripper is an offline password cracking tool, which means that we have to have access to some files, and then John the Ripper will go through his word list and try to see if he can crack the credentials; in other words, he takes a user ID and tries to recover the password that goes with it so that we could log into a system. So in order to do that, we need a list of user IDs, we need a list of password hashes, and then we're also going to have John use one of his own lists of common words.
That's only one mode he works in, but we'll use that particular mode. John can also do more of a brute-force approach, but that's going to be a lot slower. We're on a Linux machine. In Linux, user IDs are stored in the /etc/passwd file. The passwords are not actually stored there. The password field there is just a placeholder pointing to another file, /etc/shadow, which is where the password hashes are actually stored and which is not readable by ordinary users. So the first thing we have to do is pull these two files together.
There's a utility on Linux called unshadow, and it's made specifically for this purpose. What it does is take the passwd file, correlate each line with the matching line in the shadow file, and put them together into one file. So that's our first step. Here we're going to use the command unshadow, give it /etc/passwd and /etc/shadow, and save the output into a file that I'm just going to call hashfile. There it is. Not very exciting. Very, very fast. The next step is to ask John the Ripper to use his own word list and our hashfile to try to crack the passwords, so the command is simply john --wordlist.
And we're going to use John the Ripper's default word list, which is under /usr/share/john/password.lst, and we'll pass it our hashfile. And there we go. Unfortunately, this time John was not successful, because none of the words in John's password file matched a hash in the hashfile that we created, so it doesn't always work. The bigger the word file that John uses, the better chance you have of actually cracking a password.
If he had cracked any, they would be stored in a local file under .john. And there we go, john.pot, so if we had found anything it would be in .john/john.pot. It's a blank file, so he didn't find anything, but that's how John the Ripper works. Let's take a look at another credential testing scenario, and it's actually a couple of tools that implement a strategy called pass the hash.
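The file that unshadow writes has the same layout as /etc/shadow's hash field merged into /etc/passwd, and that hash field is what a wordlist run like the one above works through. As an added example (not part of the course), the Python below parses lines in that format and reports, from a defender's side, which accounts a cracker would get through fastest: empty password fields and old md5-crypt hashes. The sample lines, the algorithm verdicts and the function names are all constructed for this example.

```python
"""Audit the passwd+shadow lines that unshadow produces.

Format per line: user:hash:uid:gid:gecos:home:shell
The hash field uses the modular-crypt prefix ($1$, $6$, $y$, ...) or a
marker such as "*" / "!" for accounts with no password login.
"""

# Constructed sample data, not from a real system. Hash bodies are dummies.
SAMPLE = """root:$6$rounds=5000$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789:0:0:root:/root:/bin/bash
legacy:$1$saltsalt$abcdefghijklmnopqrstu:1001:1001::/home/legacy:/bin/bash
svc:*:1002:1002::/var/svc:/usr/sbin/nologin
tmp::1003:1003::/home/tmp:/bin/bash
new:$y$j9T$saltsaltsaltsalt$abcdefghij:1004:1004::/home/new:/bin/bash
locked:!$6$saltsalt$abcdefghijklmnopqrstuvwxyz:1005:1005::/home/locked:/bin/bash
"""

# Modular-crypt prefix -> (algorithm name, verdict). Verdicts are this
# example's own assessment of how cheap the hash is to attack offline.
ALGORITHMS = {
    "$1$": ("md5-crypt", "weak: fast hash, no memory hardness"),
    "$5$": ("sha256-crypt", "ok: tunable rounds"),
    "$6$": ("sha512-crypt", "ok: tunable rounds"),
    "$y$": ("yescrypt", "good: memory-hard"),
    "$2b$": ("bcrypt", "good: tunable cost"),
}


def classify(hash_field):
    """Return (algorithm, verdict) for one shadow-style hash field."""
    if hash_field == "":
        # Empty field: no password needed at all.
        return ("empty", "critical: login without a password")
    if hash_field.startswith(("*", "!")):
        # "*" or "!" prefix: password login disabled / account locked.
        return ("locked", "info: no password login")
    for prefix, info in ALGORITHMS.items():
        if hash_field.startswith(prefix):
            return info
    return ("unknown", "review: unrecognised hash format")


def audit(text):
    """Parse unshadow output and return a list of (user, algorithm, verdict)."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # not a passwd-style record
        user, hash_field = fields[0], fields[1]
        algo, verdict = classify(hash_field)
        findings.append((user, algo, verdict))
    return findings


def weak_accounts(text):
    """Users whose hash field is empty or uses a weak algorithm."""
    return [u for u, _, v in audit(text) if v.startswith(("weak", "critical"))]


if __name__ == "__main__":
    for user, algo, verdict in audit(SAMPLE):
        print(f"{user:10s} {algo:14s} {verdict}")
```

Run against a real unshadow output file, the same parser tells you which accounts to fix before a wordlist run would find them: migrate the md5-crypt users to yescrypt or sha512-crypt, and lock or set a password on any account with an empty field.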
Now, Windows stores passwords as hashes, and if you have the hash you can actually use that hash to log into other machines on the same domain. It's called passing the hash: even though you don't know the password at all, you can use the hash to log in. There's a particular exploit we can use within Metasploit called the PsExec exploit. So we're going to use a combination of several tools in order to accomplish this pass the hash, privilege escalation, which is really what we're doing.
We're able to log in without having a password. So the first thing we need to do is get a hash from a Windows machine. I'm going to load a command prompt. I do have to run this particular tool as an administrator, which opens up lots of questions to start with: if you can actually run as an administrator on a box, you already have some authority, so I'm short-circuiting a few steps here. Yes, there is a way to get hashes remotely, but we're not going to go through all those steps. I'm going to use a local routine.
I'm going to use pwdump. This is a utility you can download from many different websites, or you can find links to it from several different websites, but I've already downloaded it and simply put the executable in its own directory. When I run pwdump, it gives me a dump of all of the defined user IDs and their password hashes for this machine. So let's use Administrator. I'm going to copy this.
That's the password hash that I need. And now let's go back into our virtual machine. Back in Kali. At this point, I'm going to launch the Metasploit Framework. From within Metasploit, I want to search for psexec. And there I see a list of PsExec exploits.
The one I want is, here we go, smb/psexec, so I'm going to say use windows/smb/psexec. Now this exploit is loaded. Let's show options, and we see there are several options we need to enter, so let's set RHOST to my Windows host, which will be 10.10.1.1.
And now we're going to set our SMBUser to Administrator. That's who we're going to attempt to log in as, and then we set our SMB password, or SMBPass, to the value that I copied from the utility on Windows, so that's my actual hash. All right, now all we need to do is type exploit and it will run. So that gives you an idea of what a few credential testing tools look like in action, and also a very good starting point for which ones you can use in which environments any time you need to hack someone's credentials.
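From the other side of that PsExec run, the thing a defender can see is the logon it produces on the target: a network logon (Windows Security event 4624, LogonType 3) authenticated with NTLM rather than Kerberos, for an account like Administrator, coming from a host that the admins don't normally use. The Python below is an added example, not part of the course or of Metasploit, that applies exactly that heuristic to a few constructed 4624 records in JSON form. The field names follow the standard 4624 event (TargetUserName, LogonType, AuthenticationPackageName, LogonProcessName, IpAddress, WorkstationName); the allowlist of admin hosts, the privileged-account list and every record are assumptions made up for the example.

```python
"""Flag 4624 logon events that fit the pass-the-hash pattern.

Heuristic (an assumption of this example, not a rule from the course):
a privileged account logging on over the network (LogonType 3) with
NTLM, from a source that is not an approved admin host, is worth a look.
Kerberos logons and logons from approved hosts are left alone.
"""
import json

# Assumed environment facts for the example.
ADMIN_HOSTS = {"10.10.1.50"}          # where admins are expected to work from
PRIVILEGED = {"Administrator"}        # accounts we care most about

# Constructed sample log lines (one JSON record per line), not real telemetry.
LOG_LINES = [
    '{"EventID": 4624, "TargetUserName": "alice", "LogonType": 2, '
    '"AuthenticationPackageName": "Negotiate", "LogonProcessName": "User32", '
    '"IpAddress": "127.0.0.1", "WorkstationName": "WS01"}',
    '{"EventID": 4624, "TargetUserName": "Administrator", "LogonType": 3, '
    '"AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp", '
    '"IpAddress": "10.10.1.50", "WorkstationName": "JUMP01"}',
    '{"EventID": 4624, "TargetUserName": "Administrator", "LogonType": 3, '
    '"AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp", '
    '"IpAddress": "10.10.1.99", "WorkstationName": "UNKNOWN-HOST"}',
    '{"EventID": 4624, "TargetUserName": "Administrator", "LogonType": 3, '
    '"AuthenticationPackageName": "Kerberos", "LogonProcessName": "Kerberos", '
    '"IpAddress": "10.10.1.99", "WorkstationName": "WS02"}',
    'not json at all',
]


def parse_event(line):
    """Return the event dict for a JSON line, or None if it is not one."""
    try:
        event = json.loads(line)
    except ValueError:
        return None
    return event if isinstance(event, dict) else None


def is_suspect(event):
    """True when the record matches the network-NTLM-privileged-unknown-source pattern."""
    return (
        event.get("EventID") == 4624
        and event.get("LogonType") == 3
        and event.get("AuthenticationPackageName") == "NTLM"
        and event.get("LogonProcessName") == "NtLmSsp"
        and event.get("TargetUserName") in PRIVILEGED
        and event.get("IpAddress") not in ADMIN_HOSTS
    )


def suspicious_logons(lines):
    """Scan log lines and return (user, source_ip, workstation) for each hit."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if event is not None and is_suspect(event):
            hits.append((event["TargetUserName"],
                         event.get("IpAddress", "?"),
                         event.get("WorkstationName", "?")))
    return hits


if __name__ == "__main__":
    for user, ip, host in suspicious_logons(LOG_LINES):
        print(f"review: {user} NTLM network logon from {ip} ({host})")
```

Only the third record trips the check: the second is the same account over NTLM but from the approved jump host, and the fourth came in over Kerberos. NTLM is still used legitimately in most domains, so in practice this is a triage filter, not proof on its own; the mitigations the pattern points at are limiting where privileged accounts can log on from and restricting NTLM so that a stolen hash is worth less.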