Penetration Testing with BackBox


English | 2014 | ISBN: 978-1-78328-297-5 | 109 Pages | PDF | 10 MB


BackBox Team is proud to announce the publication of the first book titled “Penetration Testing with BackBox”. We had many requests from the users and members all around the community about a BackBox based book. Finally, we are delighted to introduce the long awaited publication!
The book contains enough information to get familiar with BackBox and all its functionalities and it is based entirely on live, practical examples that everybody will enjoy reading chapter by chapter.
Overview
Experience the real world of penetration testing with Backbox Linux using live, practical examples
Gain an insight into auditing and penetration testing processes by reading though live sessions
Learn how to carry out your own testing using the latest techniques and methodologies


We have everything we need now, and we can dig around the database as we have the full list of tables. Whatever we would like to check, we are able to do so. In our case, we are interested in the user table, as it probably contains the credentials of users (including administrators) with hashed passwords. So, the next step is to explore the content of that table to get the information we need. We can try to guess from the table names where the username and password columns are stored. We could also run through all the tables without guessing, as there are only 20 in our case, so we will definitely find what we are looking for. Let's go hunting for the access credentials. We can check the content of each table with the following sqlmap command.

And yes, there we have it, the one we are looking for: the usernames and the hashed passwords. Because the usernames are public IP addresses, we have redacted them for security purposes.

Finding the hashed password

As the previous screenshot shows, we have the admin access parameters, including usernames and password hashes. sqlmap also has a useful option at this point: when it recognises that the dumped column holds password hashes, which it did here, it prompts us and asks whether we would like to crack the hashed passwords with a dictionary attack.

If we choose Y, we will get a further prompt that will ask us to choose between the default dictionary file included in BackBox, a custom dictionary, or a file with the list of dictionary files, as shown in the following screenshot:

How long this takes depends on the size of the dictionary rather than on the hardware: MD5 is a fast hash, so each candidate costs very little and a typical wordlist is exhausted quickly, but a password that is not in the list will never be found this way. That is not a problem, as a dictionary attack is just one option and we have other ways to proceed.

So, the information we are looking at is the admin credentials, with the passwords stored not in encrypted form but as MD5 hashes. The MD5 Message-Digest Algorithm is a widely used cryptographic hash function that produces a 128-bit (16-byte) digest, usually written as 32 hexadecimal characters; it is used by a very large number of security applications and is also commonly used to check data integrity. A hash is one-way: there is no key and nothing to decrypt, so recovering the password means guessing candidates, hashing them and comparing the results. Because the hashes here are unsalted and MD5 is fast, that is cheap, which is why MD5 is no longer considered suitable for storing passwords.

Pick any of the MD5 hashes we found and try to recover the password in clear text. Here is our hash: f72053c8bad690841c9a5c310203af1a. All we have to do is visit one of the web applications that offer to "decrypt" MD5 for us online. What these sites really do is look the hash up in a large precomputed table of hashes of known passwords, so they only succeed for passwords that someone has hashed before. When we searched for an MD5 decrypter in a web search engine, the first one we came across was available at www.md5decrypter.co.uk. Keep in mind that submitting a hash to a third-party site discloses it to that site, which matters when the hash belongs to a client you are testing.
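The following Python example is added here and is not code from the book or from sqlmap. It shows, offline, the two techniques the last sections describe: the dictionary attack sqlmap offers when it recognises a hash column, and the precomputed hash-to-word lookup that an online "MD5 decrypter" actually performs. The table dump, the usernames (RFC 5737 documentation addresses standing in for the redacted public IPs) and the wordlist are constructed for the example; the first two hashes are generated from the words "password" and "admin", while the third is the hash quoted in the chapter, whose plaintext this example does not know and therefore reports as not found.

```python
"""Added example: identify MD5 hashes in a dumped user table and try to
recover them by dictionary attack and by precomputed lookup."""
import hashlib
import re
from typing import Dict, Iterable, List, Optional, Tuple


def md5_hex(word: str) -> str:
    """Hex MD5 digest of a candidate password (32 hex characters)."""
    return hashlib.md5(word.encode("utf-8")).hexdigest()


# Constructed wordlist standing in for the dictionary file sqlmap asks for.
WORDLIST = ["123456", "password", "letmein", "admin", "qwerty", "backbox"]

# Hash quoted in the chapter; its plaintext is not known to this example.
CHAPTER_HASH = "f72053c8bad690841c9a5c310203af1a"


def constructed_dump() -> str:
    """CSV resembling a dumped user table (constructed sample, not real data)."""
    rows = [
        ("1", "198.51.100.10", md5_hex("password")),
        ("2", "198.51.100.11", md5_hex("admin")),
        ("3", "198.51.100.12", CHAPTER_HASH),
    ]
    return "id,username,password\n" + "\n".join(",".join(r) for r in rows) + "\n"


# An unsalted MD5 hash is exactly 32 hex characters; this is the quick
# identification step before choosing a cracking method.
MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def parse_dump(text: str) -> List[Tuple[str, str]]:
    """Return (username, hash) pairs whose password column looks like MD5."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    u_idx, p_idx = header.index("username"), header.index("password")
    found = []
    for line in lines[1:]:
        cols = line.split(",")
        candidate = cols[p_idx].strip().lower()
        if MD5_RE.match(candidate):
            found.append((cols[u_idx].strip(), candidate))
    return found


def dictionary_attack(target: str, wordlist: Iterable[str]) -> Optional[str]:
    """Hash each candidate and compare against the target.

    This is the attack sqlmap's prompt offers: cost is one MD5 per word,
    and a password absent from the list is never recovered (returns None).
    """
    target = target.lower()
    for word in wordlist:
        if md5_hex(word) == target:
            return word
    return None


def build_lookup(wordlist: Iterable[str]) -> Dict[str, str]:
    """Precompute hash -> word once.

    This is what an online 'MD5 decrypter' holds: nothing is decrypted,
    the submitted hash is simply matched against stored (hash, word) pairs,
    so every hash costs one dictionary lookup after the one-off precompute.
    """
    return {md5_hex(w): w for w in wordlist}


def crack_dump(text: str, wordlist: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each username in the dump to its recovered password or None."""
    table = build_lookup(wordlist)
    return {user: table.get(h) for user, h in parse_dump(text)}


if __name__ == "__main__":
    for user, password in crack_dump(constructed_dump(), WORDLIST).items():
        print(user, "->", password if password else "(not in wordlist)")
```

The lookup table works across every hash in the dump because the hashes are unsalted: the same password always yields the same digest. A per-user salt would force a separate dictionary run per hash and make the shared precomputed table useless, which is the reason salted, slow password hashes are recommended over plain MD5.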