try using John the Ripper if you have some troubles
Update: You'll need the first ~11000 from mut_password.list
Hello, the passwd is b*****numéro? No? Because I tested an SSH connection but nothing…
Hi everyone,
I was "stuck" in the Password Mutations section for 2 days (3 hours 16 minutes in total). I was frustrated with myself as the content of the section is actually fairly straightforward, so I thought I was doing something wrong.
I will share some (what I think will be) helpful steps for anyone that is stuck on the same section.
Note that you can just do the first 2 steps and try to brute-force FTP with the first mutated list as shown in the previous section (Network Services), but the scan will last ~2 hours.
- Enumerate the target to find out which ports and services are listening (there should be 3).
- Download the `password.list` and the `custom.rule` files from the Resources tab on the top right corner and create a mutated list exactly as the section instructs. It should result in a ~94k wordlist (you can check that with `wc -w [filename]`).
- Enumerate SMB using the tools used in the Footprinting module (use `enum4linux-ng.py`). If done properly, you will find some info that will help you refine (just remove 100+ words really) the current mutated wordlist (filter the wordlist based on word length: `awk 'length($0) >= 5' mut_password.list > mut_password2.list`).
- You can refine this list further by leveraging the tips mentioned during the section: most passwords start with a capital letter and `!` is a very common ending character. Thus, you can create a new rule and apply it to the current mutated wordlist:

```
# the new rule file
$ cat custom.rule1
c $!
# apply rule to the current mutated list
$ hashcat --force mut_password2.list -r custom.rule1 --stdout | sort -u > mut_password3.list
# check wordcount
$ wc -w mut_password3.list
54440 mut_password3.list
# keep words that start with a capital letter
$ grep '^[A-Z]' mut_password3.list > mut_password4.list
# check wordcount
$ wc -w mut_password4.list
47880 mut_password4.list
```

- Use this final wordlist to brute-force either SMB (using MSF's auxiliary/scanner/smb/smb_login module, making sure to set the user as sam), FTP (`hydra -l sam -P mut_password4.list ftp://[target-IP] -t 48`), or SSH (`hydra -l sam -P mut_password4.list ssh://[target-IP] -t 48`).

Timescales:
- Scanning FTP using `mut_password4.list` and `-t 48`: ~10 minutes.
- Scanning SMB using `mut_password4.list` via MSF: ~30 minutes.
- Scanning SSH using `mut_password4.list` and `-t 48`: ~60 minutes.
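The refinement steps from the post above (length filter, the `c $!` rule, dedupe, capital-letter filter), rebuilt as shell functions so the effect of each filter can be checked on a small input. This is an added example, not code from the original post: the ten sample words are constructed, and the rule is applied with plain awk rather than hashcat so the script runs without hashcat installed.

```shell
#!/bin/sh
# Added example (not from the original post). The ten words below are
# constructed sample data standing in for mut_password.list.
SAMPLE_WORDS='bob
Batman
batman
batman1
summer2020
abc
Harley
alpha
123456
1batman'

# Step 1: drop candidates shorter than the minimum length the policy allows
# (same idea as: awk 'length($0) >= 5' mut_password.list).
filter_min_length() {
    awk -v min="$1" 'length($0) >= min'
}

# Step 2: apply the custom.rule1 line "c $!" (capitalise the first character,
# append "!"). The post does this with hashcat; plain awk does the same job here.
apply_rule_c_bang() {
    awk '{ print toupper(substr($0, 1, 1)) substr($0, 2) "!" }'
}

# Step 3: keep only candidates that start with a capital letter. Words that
# began with a digit are left untouched by "c" and are dropped here.
filter_capital_start() {
    grep '^[A-Z]'
}

# Whole pipeline: length filter -> rule -> dedupe -> capital filter.
refine_wordlist() {
    filter_min_length "$1" | apply_rule_c_bang | sort -u | filter_capital_start
}

# Number of surviving candidates for a given minimum length
# (what the post reads off with wc -w).
refined_count() {
    printf '%s\n' "$SAMPLE_WORDS" | refine_wordlist "$1" | wc -l | tr -d ' '
}

# Stand-alone run: show the refined list and its size.
printf '%s\n' "$SAMPLE_WORDS" | refine_wordlist 5
echo "refined candidates: $(refined_count 5)"
```

Replacing `SAMPLE_WORDS` with `cat mut_password.list` turns `refine_wordlist` into the same pipeline the post builds by hand; running `refined_count` with different minimum lengths shows how much a single policy fact (minimum length, leading capital) shrinks the candidate set before any guessing starts.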
Because FTP uses a UDP protocol and does not use a 3-way handshake, it is much faster and, probably because it is an old protocol, doesn't have many restrictions.
how did you solve it please?
thank you
Hi,
I just did it
try hydra -t 48 -l sam -P mut_password.list ftp://IP
Thanks a lot for this. Just for the others who are learning: consider doing nmap and enumerating the other services; it'll give you an idea of the minimum password policy. Also consider the warnings from hydra about why FTP would be faster than SSH. And instead of sed, a much shorter and cleaner way of filtering out your initial list is using awk length.
Time saving suggestion. This tip assumes you understand the lesson and just need a shortcut to the answer instead of wasting hours of time brute forcing. Like others have said, the PW begins with capital B. Take your mutated list and grep out only the PWs that begin with B and pipe it to a new mutated list: `grep B 94k_mutated.list > mutated_B.list`. For me that whittled the mutated list from 94k to 3.4k. Hydra with 64 threads against FTP with your mutated_B.list took about 3 minutes to crack.
Much appreciate the detailed explanation @kuv4z it is much needed. Following the instructions to the tee in the question is very important, I was using the incorrect custom.rule and entered into many rabbit holes just to discover that the resources zip file contains the custom.rule
Really can't get my head around it. Says it's gonna take 17 hours with the mut_password.list.
Does it take that long or does the password get brute forced fairly early?
Hi everyone,
- first, wget the .zip
- mutate the wordlist
- filter the wordlist with only the B passwords
- take the first 11k passwords
- use 48 threads (-t 48), then you will get your pass in 2-3 minutes
Thank you for this, I was not looking forward to hours long bruteforce
Try googling with mass list password
Thank you, it helps me a lot
Time saving tip: You can use threads with xargs and try to connect with smbclient, and use `grep "Sharename" && echo "Password: {}"` to know the pass used to successfully connect.
You are not the hero we deserve, but the one we need.
Thanks a looooot man.
This Password with the DC Character and best Hero character still works up to this day.
This is the key, but think about why you would split: maybe a password length rule that may be in existence. Tools to split the file based on character length are grep, split, cut. Depending on your guesses here, it can still take an hour or more, but you can extend the VM and the Pwnbox using the little plus signs next to their timeouts to give you more time to run.