Wednesday, March 30, 2011

Step 5 - Escalation

Now that we have a user name and password, we can begin working on getting root access.

The first step I took was checking out the /etc/passwd file. I wanted to see what other usernames were valid and what other information I could gather. Let's take a look at the file.

We can see that the user accounts aadams, bbanter and ccoffee all exist on this server. The passwd file might look a little intimidating at first, but it's pretty easy to break down. The first field contains the username, followed by the password field. This is usually just a * as the passwords are encrypted and stored in the shadow file. The next field is a number which represents the User-ID. In our case bbanter has a UID of 1001.

Next is the Group-ID. We see that bbanter and ccoffee both have a GID of 100. Notice the aadams account has a GID of 10.

After the group ID is the GECOS field, which stores various user info, followed by their home directory information.
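To make the field layout concrete, here is an added example (my own code, not part of the original post) that parses /etc/passwd lines into the fields described above and flags two things an administrator would want to catch: a second UID 0 account and a hash sitting in the world-readable passwd file instead of shadow. The sample file contents, UIDs other than bbanter's, and the GECOS names are constructed, not the lab server's real file; the seventh field (login shell) is part of the standard format even though it is not discussed above.

```python
from dataclasses import dataclass

# Constructed sample /etc/passwd contents (not the lab server's real file).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/false
aadams:*:1000:10:Adam Adams:/home/aadams:/bin/bash
bbanter:*:1001:100:Bob Banter:/home/bbanter:/bin/bash
ccoffee:*:1002:100:Chad Coffee:/home/ccoffee:/bin/bash
backup:$1$legacy$abcdefghijklmnopqrstuv:1003:100:Backup:/var/backups:/bin/sh
toor:x:0:0:second root:/root:/bin/bash
"""

@dataclass
class PasswdEntry:
    name: str      # field 1: login name
    password: str  # field 2: usually x or * when the hash lives in /etc/shadow
    uid: int       # field 3: numeric user id
    gid: int       # field 4: primary group id
    gecos: str     # field 5: free-form user info
    home: str      # field 6: home directory
    shell: str     # field 7: login shell

def parse_passwd(text):
    """Split each colon-separated line into a PasswdEntry; reject malformed lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries

def audit(entries):
    """Return (account, finding) pairs for conditions worth reviewing."""
    findings = []
    for e in entries:
        if e.uid == 0 and e.name != "root":
            findings.append((e.name, "extra UID 0 account"))
        if e.password == "":
            findings.append((e.name, "empty password field"))
        elif e.password not in ("x", "*", "!", "!!"):
            findings.append((e.name, "password hash stored in world-readable passwd"))
    return findings
```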

Let's try to gain access to the aadams account.

The first tool I used was BruteSSH.


I let BruteSSH run for a while, but I was impatient, so I killed the process and tried to use THC-Hydra.

When I ran hydra I got a strange output saying it couldn't connect to port 22. I later found out that hydra was running too fast and I needed to add the -T switch and limit the number of login attempts to 8 at a time or less.


I then ran into another issue with Hydra. It always quit before going through the entire wordlist and never found the password. After some research I found that Hydra version 5.9 had a problem with its SSH module. I had to download version 6.1 to get it to work.

After installing and running version 6.1, hydra found the password in under 10 minutes.
