Penetration Testing Exploiting I: Password Cracking


Penetration Testing Exploiting I: Password Cracking CIS 6395, Incident Response Technologies Fall 2016, Dr. Cliff Zou czou@cs.ucf.edu

Acknowledgement Content from the book: “The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy”, Second Edition

Prepare Windows VM
- On Win7 VM (and all Win VM from Microsoft):
  - Username: IEUser
  - Password: Passw0rd!
  - You can change the account password in the “control panel” “user account” section
- Create another target account for exploitation
  - Such as account: cis6395
  - Give it a simple password for password cracking exploitation
  - Such as: abc123, 1234, 1024, abc123, secret, hello, 111111 …..

Prepare Windows VM
- By default, the Windows VM has “remote desktop assistance” enabled
  - Then, if we know an account name/password on the Windows machine, we can log in to it remotely.
- Add the “cis6395” account to the “remote desktop” user list
  - Right click “my computer”
  - Click “properties” -> “remote” tab -> “select remote users…” -> “add…”

Prepare Windows VM
- On your Kali Linux VM:
  - Suppose your Win VM IP is: 192.168.0.101
  - On Kali: # rdesktop 192.168.0.101
  - You will be able to see the GUI of Windows!
- For the Win7 VM, you need to log out every user account on the Win7 machine so that rdesktop can log in without being asked for further permission!

Hydra: Remote Online Password Cracking
- Offline password cracking
- Online password cracking
  - Hydra is included in Kali Linux
  - Give it a discovered user name and a password dictionary, and hydra can be very effective at finding an account password
- Goal: Gain access to remote services opened on some machines
  - SSH: by Unix or Mac OS
  - VNC (virtual network computing): Linux
  - Remote desktop: by Windows OS
- Password dictionary included in Kali Linux:
  - A dictionary directory: /usr/share/wordlists/
  - John the Ripper: /usr/share/john/password.lst (a small list)

Hydra: Remote Online Password Cracking
- Suppose the Win7 VM remote desktop is open and has the IP 192.168.0.101; we attack the account “cis6395”:
  # hydra -t 1 -V -l cis6395 -P /usr/share/john/password.lst 192.168.0.101 rdp
  - -t 1: only use one connection (no parallel sessions, since rdp does not like concurrent connection requests)
  - -V: show each attempt
  - -l: username
  - -P: password list file
  - rdp: service name (remote desktop, tcp 3389)
- Note: We need to log out all user accounts on the Win7 target in order for this to work!

Ncrack: Remote Online Password Cracking
  # ncrack -p 3389 -v -user cis6395 -P /usr/share/john/password.lst 192.168.0.101
- It does not show the passwords that were attempted and failed, so be patient while it works through the list
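From the defending side, a dictionary run like the Hydra and Ncrack ones above appears in the target's Security log as a burst of failed logons (Event ID 4625, logon type 10, or type 3 when Network Level Authentication is on) from one source against one account. The following added example, not part of the slides, counts such bursts over a constructed CSV export; the column layout, the source address 192.168.0.50, the function names and the threshold are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the slides). Input is a constructed CSV export:
#   epoch_seconds,event_id,logon_type,account,source_ip
# 4625 = failed logon, 4624 = successful logon.

# Constructed sample: six quick failures against cis6395, then a success,
# plus two unrelated, widely spaced failures for IEUser.
sample_events() {
cat <<'EOF'
900,4625,10,IEUser,192.168.0.77
1000,4625,3,cis6395,192.168.0.50
1002,4625,3,cis6395,192.168.0.50
1004,4625,3,cis6395,192.168.0.50
1006,4625,3,cis6395,192.168.0.50
1008,4625,3,cis6395,192.168.0.50
1010,4625,3,cis6395,192.168.0.50
1012,4624,10,cis6395,192.168.0.50
5000,4625,10,IEUser,192.168.0.77
EOF
}

# flag_rdp_guessing THRESHOLD WINDOW_SECONDS  (events on stdin, time-ordered)
# Prints "source_ip account peak_failures" for every source/account pair
# that reaches THRESHOLD failed logons inside a sliding WINDOW_SECONDS.
flag_rdp_guessing() {
    awk -F, -v th="$1" -v win="$2" '
        $2 == 4625 && ($3 == 3 || $3 == 10) {
            key = $5 " " $4
            n[key]++
            t[key, n[key]] = $1
            if (!(key in head)) head[key] = 1
            # drop failures that fell out of the window
            while ($1 - t[key, head[key]] > win) head[key]++
            cnt = n[key] - head[key] + 1
            if (cnt > peak[key]) peak[key] = cnt
        }
        END { for (k in peak) if (peak[k] >= th) print k, peak[k] }
    ' | sort
}

sample_events | flag_rdp_guessing 5 60
```

A 4624 for the same account and source right after a flagged burst, as in the sample, is the case to escalate first.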

Hydra and Ncrack: Remote Online Password Cracking
- A good YouTube tutorial on hydra and Ncrack: https://www.youtube.com/watch?v=hqft08F5atA
- Another webpage shows how to use a few more password crackers: https://hackertarget.com/brute-forcing-passwords-with-ncrack-hydra-and-medusa/

User Password Selection against Password Cracking
- Password dictionary included in Kali Linux:
  - A dictionary directory: /usr/share/wordlists/
  - A big notorious list: rockyou.txt
  - John the Ripper: /usr/share/john/password.lst (a small list)
- If you are IT security staff:
  - Ask each of your employees to check his/her own password against the above password list
    $ cat rockyou.txt | grep user_password
  - If the above command returns results, then the user’s password exists in the password list and should never be used!
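The cat | grep check above matches substrings and treats the password as a regular expression, so it can report a password as listed when only a longer or different entry is. The following added example, not part of the slides, does an exact whole-line lookup and reads the candidate from stdin; the function names and the small wordlist are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the slides): exact-match wordlist lookup.

# Constructed stand-in for a real list such as rockyou.txt.
make_sample_wordlist() {
    local f
    f=$(mktemp) || return 2
    printf '%s\n' abc1234 password secret hello 111111 > "$f"
    printf '%s\n' "$f"
}

# password_in_wordlist WORDLIST   (candidate password on stdin)
# Returns 0 if the candidate is a whole line of WORDLIST, 1 if not,
# 2 on an unreadable list or empty input.
password_in_wordlist() {
    local wordlist=$1 candidate rc
    [ -r "$wordlist" ] || return 2
    IFS= read -r candidate || [ -n "$candidate" ] || return 2
    [ -n "$candidate" ] || return 2
    # -F: literal string, not a regex   -x: must match the whole line
    # -a: the list may contain non-UTF-8 bytes   -f -: pattern from stdin,
    # so the password never appears in argv or the shell history.
    rc=0
    printf '%s\n' "$candidate" | LC_ALL=C grep -aFxq -f - -- "$wordlist" || rc=$?
    return "$rc"
}

# Same lookup as the slide's "cat | grep": substring and regex matching.
naive_lookup() {
    grep -q -- "$1" "$2"
}

demo() {
    local list; list=$(make_sample_wordlist)
    for pw in abc123 p.ssword secret; do
        naive_lookup "$pw" "$list" && n=listed || n=absent
        printf '%s' "$pw" | password_in_wordlist "$list" && e=listed || e=absent
        printf '%-10s naive=%s exact=%s\n' "$pw" "$n" "$e"
    done
    rm -f "$list"
}
demo
```

For interactive use, read the password with `read -rs pw` and pipe it in with `printf '%s\n' "$pw"`. On Kali the big list ships compressed as /usr/share/wordlists/rockyou.txt.gz and has to be decompressed first.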