2013-06-13

The two other interns on my team and I are tasked with weekly side objectives. These objectives cover the primary stages in pen testing. Each week I will be discussing our trials here in a blog post.

Our first task was to create a rainbow table that we will use to break into one of the company’s routers. We were given several pieces of information with the challenge that were meant to represent information we had social engineered from the target. The ‘discovered’ information was that the password has 2 symbols at the beginning, and that we should look at our boss’ Twitter handle.

Since we knew the target, we decided to make our dictionary list reflect the specific possibilities that may have been used for the password, in order to increase the efficiency of our attack. To do this we built a web scraper. We chose this route because it let us keep the word count low, as well as formulate a dictionary that is specific to this target.

The scraper was programmed in Python. We used a tool called Beautiful Soup to pull any page we supplied in our script. From there the scraper got rid of any HTML tags, symbols, etc. and printed each individual word on a new line of a text file. We scraped the company site and sub-sites, our boss’ Twitter account, and a couple of sites concerning boating and phone phreaking (his hobbies). Our original word list was somewhere around 3,000 targeted words. This is significantly smaller than some dictionary files, which can grow to over 150 million words.

We decided that the clue about his Twitter handle meant that the password was in leet-speak, which is when you use numbers and symbols instead of letters. For example, leet = 1337. We also realized that we would need to try every possible combination of upper and lower case letters. After several hours of trying to program our own application to convert the dictionary file into every possible permutation of leet-speak, I stumbled upon a tool called Hashcat. This tool was much more efficient than the way we were trying to do it. We passed Hashcat our dictionary list, a table of rules for the permutations, and the name of an output file. Within 15 minutes our 3000 word dictionary list grew from 30kB to 124 million possibilities and a file size of about 2GB, large enough to crash most text editors.

It was that big before any combination of symbols was added! This dictionary file would be terabytes in size if we added each combination of possible symbols. To decrease the file size and the run time we chose to stick with the most probable symbols (!@#$%&*+~=-?). Again we used Hashcat to tack every combination of symbols onto the beginning of each of our words in the new leet-speak dictionary. We were not able to add every combination of symbols to our dictionary: the file size grew to over 250GB and maxed out our drive capacity. Upon comparing our dictionaries we realized that we had only missed about 5 to 10% of the candidates. At that point in time, there wasn’t much we could do about it. We crossed our fingers and hoped we didn’t lose the password in the process.

The last part of this week’s challenge was to turn this file into a Rainbow Table. I was familiar with a tool in Kali Linux called genpmk that could be used for this. I passed it our final text file with all the combinations, gave it a file to dump to, and the SSID of the target router. Genpmk hashes the words, salted with the SSID provided, to generate the Rainbow Table. We started the hashing process in the morning and it was still not finished by the end of the work day. For the sake of time our boss confirmed for us that it had already hashed the section of words containing the password. Normally we would have had to run the hashing process for up to several days.
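To make the numbers in the Hashcat and genpmk steps above concrete, here is an added example (my own illustration, not the intern team’s scraper or any of the tools’ code). It uses a hypothetical mini rule set (per-letter case flip plus leet digit) to show how fast a word list explodes, and derives the per-SSID PMK the way genpmk does: WPA/WPA2 computes PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt and 4096 iterations. That salt is why the table only works for one SSID, and the iteration count is why hashing the full list took days.

```python
import hashlib
import itertools

# WPA/WPA2 derives the Pairwise Master Key (PMK) from the passphrase with
# PBKDF2-HMAC-SHA1, 4096 iterations, 32-byte output, SSID as the salt.
# This is what genpmk precomputes; the salt ties a table to a single SSID.
def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

# Hypothetical mini rule set standing in for the Hashcat rules the post used:
# each letter may stay, flip case, or become its leet digit.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}
SYMBOLS = "!@#$%&*+~=-?"   # the "most probable symbols" list from the post

def expand(word: str):
    """Yield every case/leet variant of one base word."""
    choices = []
    for ch in word.lower():
        opts = {ch, ch.upper()}
        if ch in LEET:
            opts.add(LEET[ch])
        choices.append(sorted(opts))
    for combo in itertools.product(*choices):
        yield "".join(combo)

def variant_count(word: str) -> int:
    return sum(1 for _ in expand(word))

def candidate_count(words, prefix_len: int = 2) -> int:
    """Table size before length filtering: symbol-prefix combinations x word variants."""
    return len(SYMBOLS) ** prefix_len * sum(variant_count(w) for w in words)

def pmk_table(words, ssid: str, prefix_len: int = 2) -> dict:
    """Precompute candidate -> PMK for one SSID, skipping strings that cannot be
    a WPA passphrase (the standard requires 8 to 63 ASCII characters)."""
    table = {}
    for word in words:
        for variant in expand(word):
            for prefix in itertools.product(SYMBOLS, repeat=prefix_len):
                candidate = "".join(prefix) + variant
                if 8 <= len(candidate) <= 63:
                    table[candidate] = wpa_pmk(candidate, ssid)
    return table

if __name__ == "__main__":
    # Constructed sample: three base words in the spirit of the scraped list.
    words = ["boating", "phreak", "intern"]
    print("variants per word:", {w: variant_count(w) for w in words})
    print("candidates with 2-symbol prefix:", candidate_count(words))
    # Each candidate costs 4096 PBKDF2 iterations, which is why the full run took days.
```

Note that the length filter drops short candidates a rule engine would happily emit; genpmk will not accept them either, so that part of the 250GB file was wasted space.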

At this point, we were finished with the week 1 challenge. Next week we will be tasked with gaining access to the router. Follow my posts over the next few weeks for the remaining weekly penetration testing challenges.

Intern Team: Me (Dylan Thomas), Joe Pecsi, Jared Rittle

Special Thanks to Rob Weiss and Gio Contreras for tips along the way!

If anyone would like to see the code or to help make improvements to our web scraper the link is below.

LINKS:

GitHub Web Scraper: github.com/DylSec/WebScraper

Beautiful Soup: http://www.crummy.com/software/BeautifulSoup

Hashcat: http://hashcat.net/hashcat

Cowpatty & Genpmk: http://www.willhackforsushi.com/Cowpatty.html
