Lesson 5: Introduction to Hacking User Credentials

References:

• Understanding Authentication and Authorization Mechanisms (video)
• Understanding Authentication and Authorization Attacks (video)
• Exploring Password Storage Mechanisms (video)
• Understanding Password Storage Vulnerability (video)
• Cracking Passwords with John the Ripper (video)
• Cracking Passwords with hashcat (video)
• Improving Password Security (video)

Exercise 1

Default passwords are often left unchanged in many devices. You can certainly take advantage of this "malpractice". Become familiar with the default password databases available on the Internet:

• http://www.phenoelit-us.org/dpl/dpl.html
• http://cirt.net/passwords
• http://www.defaultpassword.com
• http://www.passwordsdatabase.com
• http://www.isdpodcast.com/resources/62k-common-passwords/

Exercise 2

• In your Kali machine, create three (3) users (user1, user2, and user3).

root@kali#adduser user1
root@kali#adduser user2
root@kali#adduser user3

• Configure the password with the passwd user1 command to the word password
• Configure the password with the passwd user2 command to thisissecure
• Configure the password with thepasswd user3 command to P4sswd.
• Use John the Ripper to try to crack the password and see how long it takes for the passwords to be cracked:

root@kali#john /etc/shadow

• Become familiar with Skull Security Password dumps and references.
• This post includes another good tutorial on password cracking that you can also replicate in your lab: