
NEXUS EDUCATION SERVICES

📍 Suite 1611 16th Floor AIC Burgundy Empire Tower ADB Ave corner Garnet Road Ortigas Center Pasig
☎ Smart: 09998165357 ☎ PLDT: 788-1419 📧 kdoz@live.com 🌐 www.nexusph.net

This is an intellectual property of Nexus Education services. Reproduction and distribution without consent will be sued to the court of Law.
The law: Republic Act No. 8293 [An Act Prescribing the Intellectual Property Code and Establishing the Intellectual Property Office, Providing for Its Powers and Functions, and for Other
Purposes] otherwise known as the Intellectual Property Code of the Philippines

Password Cracking using OphCrack & Remote Attack using Armitage and Meterpreter
What is Ophcrack

Ophcrack is a popular free Windows password cracker based on rainbow tables. It provides free tables for
Windows 7, Vista, and XP to recover lost passwords for those Windows versions. With a graphical user interface,
this free Windows password recovery software runs on multiple platforms, including Windows, Unix, Linux, and
Mac OS X.

Ophcrack can crack a password within minutes, but it can also take longer depending on the password's strength;
for example "1234567" will take less time than "wuntsg256". The free version of Ophcrack comes with a table that
can break passwords of no more than 14 characters using only alphanumeric characters. Ophcrack uses a brute-force
method to crack passwords.

Pros and Cons of Ophcrack

Before you use Ophcrack, you should know what it can and cannot do, so that you can choose according to your
practical situation. The following lists the pros and cons of Ophcrack.

Pros:

▪ It is freely available for downloading online.
▪ Passwords are recovered automatically using the LiveCD method.
▪ No software installation is necessary to recover passwords.
▪ No knowledge of any existing passwords is necessary.
▪ Ophcrack works not only with Windows, but also with Mac and Linux.

Cons:

▪ A 649MB / 425MB LiveCD ISO image must be downloaded.
▪ The LiveCD ISO image must be burned to a disc or USB device before being used.
▪ Passwords longer than 14 characters can't be recovered.
▪ Some antivirus programs mistakenly identify Ophcrack as a Trojan or virus.
▪ Unable to work on Windows 10, 8.1, 8.

Rainbow Tables in a Nutshell

Operating systems don't store user passwords in plain text; that would be highly insecure, even outright stupid.
Instead, they put each password through a one-way hash function and store the resulting hash. Obtaining these
hashes alone is still of limited use: at login the password is entered, hashed, and the hash is compared with the
stored password hash.

e.g. 'makeuseof.com' would become '9fb883363640e11970be10a5936a37fc:b35f6f8268073d2242e0cd8b72554d8a'
when converted to Windows XP's LM hash.


A rainbow table is basically an enormous list of passwords (essentially every password a brute-force attack would
try) with their respective hashes included. Although such a table takes a lot of time to generate, it can reduce the
cracking of a password to minutes, or even seconds.

Downloadable Tables

Ophcrack supplies a few of these rainbow tables, free, for your use. They’re included in the Live CD, can automatically
be retrieved from the Windows executable, or downloaded from the Ophcrack website. We’ll quickly look over the
available tables, and their possibilities.

For Windows XP, Ophcrack supplies two alphanumeric tables. With these, you can crack 99.99% of all passwords
under 14 characters consisting of a combination of letters and numbers
(abcdefghijklmnopqrstuvwxyz0123456789). Because the LM hash used by Windows XP is insensitive to
capitalization, these hash tables contain 80 billion different hashes, corresponding to 12 septillion possible
passwords.

(Figure: tables_xp)

You can choose between the XP free small and the XP free fast tables. These can both be used to crack the same
passwords, but because the XP free fast table is twice as large, you can crack them in half the time.

The downside of both tables is their inability to crack passwords with special characters: these can only be cracked
using the premium XP special tables.

For Windows Vista, which abandoned the weak LM hash and moved on to the stronger NT hash, there are fewer
possibilities. Currently, Ophcrack only gives away a table with dictionary words and their variations (hybrids) for
free. If you're willing to cough up a lot of money (about $99), they also provide alphanumeric tables, including
special characters.

(Figure: tables_vista)

Because the NT hash is sensitive to capitalization and allows a much greater password length (whereas the LM
hash simply splits longer passwords into several smaller pieces), these premium rainbow tables can range in
size from 8GB to over 130GB.

And that’s the essence of it. There’s some more technical information (a real how-to) in the Ophcrack help files
(included in the downloads).

If you're shivering in your boots after reading this article and thinking, "Gosh, everyone's going to know how to hack
my password. What shall I do?", then it may be a good time to create a stronger password. Stefan wrote about 5
free password generators that will help you make nearly unhackable passwords, no matter what password hacking
tools a hacker tries to use. It's a good start.

Credits to source: www.makeuseof.com


What is Armitage

Armitage is a GUI for Metasploit which makes penetration testing easier. It was developed by Raphael Mudge. This
tool helps to reduce the time spent and also gives security professionals a good understanding of Metasploit.
The major advantages of using this tool are that it recommends exploits, has advanced post-exploitation
features, and provides a very good visualization of the targets.

The targets scanned or connected are shown visually, which makes the tool more comfortable to use.
Time is also saved during a penetration test (PT), as Armitage recommends exploits and also tells us which exploit
will work. Once the target is compromised, we can escalate privileges, browse files, dump hashes, etc.

We just need to click the "Start MSF" button. If you want to change the settings, you are free to, but here I am
accepting the default settings.

Note: Proceed with Armitage by running the mysql start service command, if not started.

You should see an interface like the image below once the button has been clicked.

The Module window allows us to select exploits, payloads, and auxiliary modules, and to perform post-exploitation.
Another advantage is that we can search for the required exploit, payload, etc. with the help of wildcards.

The Target window shows the target systems. There are two types of view: Graph view and Table view.

To change the view go to Armitage -> Set Target View -> Table View/Graph View

This is another major advantage of using Armitage. Compromised targets are shown in red. Right-clicking on a
compromised target gives you various options, like attack options, login options, and other options from the
session.

The Console window lets you interact with Armitage or view its information. The various consoles include Metasploit,
Meterpreter, NMAP, and shell interfaces.

There are two types of scans. One is the NMAP scan, which basically scans the target for open ports and services. The
NMAP scan results can then be imported into Metasploit. The other method is msfscans: with the help of
Metasploit auxiliary modules, it enumerates several common services.

Once the target is selected and scanned, the next stage is attacking. In Armitage, we can find two options in the
Attack tab. One is "by port" and the other is "by vulnerability".

So let’s select the “by port” option in the attack tab and scan the target. Once the attack analysis is completed,
Armitage generates a list of attacks possible on the target.

Here I am going to select the dcerpc stack buffer overflow exploit to attack the target.

Once the target is compromised and the session is established, we get various options like dump hashes, browse
files, escalate privilege, perform a key scan, etc.


Browse files:

This functionality is very useful in this tool. It allows us to download, upload and delete files. To browse files go to
Meterpreter ->Explore -> Browse Files.

VNC:

To interact with the target host, go to Meterpreter -> Interact -> Desktop (VNC). This will stage a VNC server into the
memory and tunnel the connection through Meterpreter.

Spy using webcams and screenshots:

Once the target has been compromised, we can use Armitage to spy or take screenshots of the target host. To take
a screenshot, go to Meterpreter -> Explore -> Screenshot. Similarly we have the option for webcam in the same
location. Click “Watch” for a particular time period to automatically snap a picture for every desired time period.

Key logging:

To perform key logging, highlight a process and click “Log Keystrokes” to launch the module that migrates
Meterpreter. This starts capturing keystrokes.

Privilege Escalation:

When you want to perform further attacks on the target, you may sometimes need administrative rights. In order
to escalate the privilege, go to Meterpreter -> Access -> Escalate Privileges menu. This will highlight the privilege
escalation modules.

Dump Password hashes:

To dump the Windows password hashes, go to Meterpreter -> Access -> Dump Hashes. The hashes can be dumped
using two methods: the lsass method and the registry method. In the lsass method the password hashes are
grabbed from memory, which works against Windows XP/2003; the registry method works for all modern
Windows systems. Once the hashes are dumped, they can be exported to pwdump format and cracked using
various tools.
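The same pwdump output is what a defender should be reading, ahead of any attacker: the LM field tells you whether a host still stores the weak LM hash at all, and the NT field tells you whether an account has a blank password. The following audit script is an added example, not part of the handout or of Metasploit. The dump it parses is constructed; apart from the two well-known empty-string hashes, the hex values are arbitrary and correspond to no real password.

```python
"""Audit a pwdump-format dump (user:RID:LM:NT:::) for weak hash storage.

Added example, not code from the original handout. SAMPLE_DUMP is constructed.
"""
import re

# LM hash of the empty string: this is what the LM field holds when the
# system no longer stores LM hashes (the default since Windows Vista).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# NT hash of the empty string: the account has a blank password.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

PWDUMP_LINE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):"
)

SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
nexus_test_user2:1001:00112233445566778899aabbccddeeff:ffeeddccbbaa99887766554433221100:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
this line is not a hash record and must be skipped
"""


def parse_pwdump(text: str) -> list[dict]:
    """Return one record per well-formed pwdump line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = PWDUMP_LINE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["rid"] = int(rec["rid"])
        rec["lm"] = rec["lm"].lower()
        rec["nt"] = rec["nt"].lower()
        records.append(rec)
    return records


def audit(records: list[dict]) -> list[tuple[str, str]]:
    """Flag (user, issue) pairs that need remediation."""
    findings = []
    for rec in records:
        if rec["lm"] != EMPTY_LM:
            # A real LM hash is stored: case-folded, split into 7-character
            # halves, and within reach of the free XP alphanumeric tables.
            findings.append((rec["user"], "lm_hash_stored"))
        if rec["nt"] == EMPTY_NT:
            findings.append((rec["user"], "blank_password"))
    return findings


if __name__ == "__main__":
    for user, issue in audit(parse_pwdump(SAMPLE_DUMP)):
        print(f"{user}: {issue}")
```

On a host that still produces LM hashes, the fix is the policy "Network security: Do not store LAN Manager hash value on next password change" followed by a forced password change, since the LM hash is only dropped when the password is next set; blank-password accounts should be disabled or given a password immediately.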

Brute forcing Passwords:

We can brute-force passwords using the auxiliary modules found in the modules tab. If you want to brute-force logins,
search in the modules tab using the keyword "login". For example, lotus_domino_login is a module for brute-forcing
Lotus Domino logins. Metasploit can then brute-force the usernames and passwords once you select a username
file and a password file.

Another option of attack in Armitage is browser-based attacks. We can either select the exploit from the drop-down
list found in the Attack tab -> Browser attacks, or browse for the exploits directly from the "exploit" tab inside the
modules tab. In this example, let's select the recent IE exploit named Internet Explorer CSS recursive import. This
exploit targets a memory corruption vulnerability within the MS HTML engine (mshtml).

There are a few parameters which can be set, like LHOST, SRVPORT and URIPATH. The exploit launches a server on
the attacker's system and waits for a connection from the victim. Once the victim connects to the malicious URL

http://192.168.X.X:8080/ from Internet Explorer, the attacker gains control of the victim and gets the post-exploitation
options for further attacks.

All these options are available in Metasploit, but Armitage makes it easier for us by automating most of the actions.

Another attack which we will see in this paper is "Browser Autopwn" from the Attack tab. Once the module is
launched, it uses a combination of client-side and server-side techniques to fingerprint HTTP clients and then
automatically exploit them. This module generates various exploits for the browser, and once the victim opens the
malicious link, the exploit matching the victim's browser is executed and the attacker gains control of the
victim.

Automated Exploitation:

Armitage comes with another option called "Hail Mary". This is automated exploitation and can be used when
manual exploitation fails. It is a smarter db_autopwn: it finds the relevant exploits for the targets, filters them
accordingly, and so on. If the host has been scanned and you don't know what the next step should be, you
can use this automated exploitation. Select "Hail Mary" from the Attacks tab and Armitage will find all the exploits
via db_autopwn, sort them, launch them against the host, and then give you the session for further
exploitation.

Client side Exploitation:

Metasploit has various client-side exploits, and with the help of Armitage we can easily use these exploits against the
targets. As the name suggests, we will be targeting an application on the remote target rather than one of its
services.

The client side exploitation can be performed either by using browser exploits or file format exploits.

Cyber Attack Management

Armitage organizes Metasploit's capabilities around the hacking process. There are features for discovery, access,
post-exploitation, and maneuver. This section describes these features at a high-level, the rest of this manual covers
these capabilities in detail.

Armitage's dynamic workspaces let you define and switch between target criteria quickly. Use this to segment
thousands of hosts into target sets. Armitage also launches scans and imports data from many security scanners.
Armitage visualizes your current targets so you'll know the hosts you're working with and where you have sessions.

Armitage recommends exploits and will optionally run active checks to tell you which exploits will work. If these
options fail, use the Hail Mary attack to unleash Armitage's smart automatic exploitation against your targets.

Once you're in, Armitage exposes post-exploitation tools built into the Meterpreter agent. With the click of a menu
you will escalate your privileges, log keystrokes, dump password hashes, browse the file system, and use command
shells.

Armitage makes it trivial to set up and use pivots. You'll use compromised hosts as a hop to attack your target's
network from the inside. Armitage uses Metasploit's SOCKS proxy module to let you use external tools through your
pivots. These features allow you to maneuver through the network.


The rest of this manual is organized around this process, providing what you need to know in the order you'll need
it.

Necessary Vocabulary

To use Armitage, it helps to understand Metasploit. Here are a few things you must know:
Metasploit is a console driven application. Anything you do in Armitage is translated into a command Metasploit
understands. You can bypass Armitage and type commands yourself (covered later). If you're lost in a console, type
help and hit enter.

Metasploit presents its capabilities as modules. Every scanner, exploit, and payload is available as a module. To
launch a module, you must set one or more options to configure the module. This process is uniform for all modules
and Armitage makes this process easier for you.

When you exploit a host, you will have a session on that host. Armitage knows how to interact with shell and
meterpreter sessions.

Meterpreter is an advanced agent that makes a lot of post-exploitation functionality available to you. Armitage is
built to take advantage of Meterpreter. Working with Meterpreter is covered later.

The Metasploit Unleashed course maintained by the Offensive Security folks is excellent. I recommend reading it
before going further.

2. Getting Started
2.1 Requirements
Armitage exists as a client and a server that allow red team collaboration to happen. The Armitage client package is
made available for Windows, MacOS X, and Linux. Armitage does NOT require a local copy of the Metasploit
Framework to connect to a team server.

These getting started instructions are written assuming that you would like to connect to a local instance of the
Metasploit Framework.

Armitage requires the following:

▪ Metasploit Framework and its dependencies.
▪ PostgreSQL Database
▪ Nmap
▪ Oracle's Java 1.7

To quickly install all of the dependencies, you have a few options:

▪ Use a Linux distribution for penetration testing such as Kali Linux or Pentoo Linux. These distributions ship with
Metasploit and its dependencies installed for you.
▪ Use the MSF Installer Script created by DarkOperator. This option will set up an environment that uses Git for updates.
▪ Use the official installer provided by Rapid7. This option will require you to register with Rapid7 to get updates.


Kali Linux

Kali Linux comes with the Metasploit Framework installed. This is a good option if you want to get up and running
with Armitage quickly.

Setup Instructions (do these once!)

1. Open a terminal
2. Start the database: service postgresql start
3. Initialize the database: service metasploit start
4. Stop the metasploit service: service metasploit stop
5. Install/Update Armitage: apt-get update ; apt-get install armitage
6. Use Java 1.7 by default (32-bit Kali): update-java-alternatives --jre -s java-1.7.0-openjdk-i386
   Use Java 1.7 by default (64-bit Kali): update-java-alternatives --jre -s java-1.7.0-openjdk-amd64

How to Start Armitage

1. Open a terminal
2. Start the PostgreSQL database: service postgresql start (this does not happen automatically in Kali Linux)
3. cd /path/to/armitage
4. ./armitage

How to update Metasploit

1. Open a terminal
2. msfupdate
3. service metasploit start
4. service metasploit stop

Penetration Testing using Armitage

As a responsible ethical hacker, security engineer or penetration tester, you should be familiar with the tools used to
perform a penetration test.

HANDS-ON LAB: Remote Command Execution

Lab Objectives:
▪ To find out the tools used by attackers to control a remote PC

Lab Duration:
▪ Time: 30 minutes

Lab Environment
▪ NEXUS-KALI 192.168.145.130
▪ NEXUS-SRV1 192.168.145.139
▪ NEXUS-SRV2 192.168.145.131

Lab Tasks
▪ To provide the company a solution to remote attacks


Tools
▪ Armitage
▪ Ophcrack
▪ Kali Linux

Step-by-Step Instructions

Rainbow Tables and Ophcrack with Armitage

Step 1. From the left bar menu click Armitage

Step 2. It will open a settings dialog to connect to localhost 127.0.0.1 and set up the basic environment.
Accept the default login ID and password, then click Connect (the default login ID is msf and the password is test).

Step 3. A message appears: "A Metasploit RPC server is not running..."; click Yes to start Metasploit.

Step 4. Once the Armitage screen is open -> click Hosts - Nmap Scan - Quick Scan (OS detect),
type 192.168.145.139, and this will run a basic nmap scan.

A message will pop up saying "Scan complete"; just click OK.

The victim's PC icon will change to show a lightning bolt, meaning it is infected.

Step 5. Click Attacks - Find attacks – ok

Step 6. Highlight the victim’s server – Attack – smb – MS08_067_netapi – Launch

You will see the icon turn red with a lightning bolt, which means the server has been compromised, and a message
saying "session 1 open", which means you are connected to the victim's server.

Step 7. You can also perform other remote execution on the victim's server by following these steps:

Right-click the server then click Meterpreter 1 – interact – command shell


You now have root access.

You should now be inside c:\windows\system32\ and can browse the whole c: drive.

Try these commands (the shell is the Windows cmd.exe, where the delete command is del):

cd\
dir
del resume.doc

Step 8. To collect the passwords of all users on the server:

Right-click the server - Meterpreter 1 - Access - Dump Hashes - lsass method, and all users and their hashed passwords will
be shown in the meterpreter console. Highlight the whole line for nexus_test_user2 and copy it.


Step 9. Now we are going to run the password cracker Ophcrack to see what the password for nexus_test_user2 is.

Click Applications - 05-Password Attacks - ophcrack - Load - Single Hash, paste the hash, then click OK - Crack,
and the password should be displayed under LM Pwd2 and NT pwd.

Now try cracking the password for Administrator.


Step 10. Type help and you will see all the available commands for meterpreter.

meterpreter > help

Core Commands
=============

Command Description
------- -----------
record_mic Record audio from the default microphone for X seconds
webcam_chat Start a video chat
webcam_list List webcams
webcam_snap Take a snapshot from the specified webcam
webcam_stream Play a video stream from the specified webcam

Step 10. Try deleting the event log. Go to NEXUS-SRV1 (the password is 123), open a command prompt, type
eventvwr at the prompt, and click Application; you can see there are thousands of events.

Step 11. Now go back to the NEXUS-KALI meterpreter console and type clearev; this will clear the event log on
Windows. Go back to NEXUS-SRV1 and you will see it has been cleared.

meterpreter > clearev
[*] Wiping 1607 records from Application...
[*] Wiping 396 records from System...
[*] Wiping 2638 records from Security...
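Clearing a log is itself logged: Windows writes event 1102 to the Security log and event 104 to the System log (naming the cleared channel), both from the Microsoft-Windows-Eventlog provider, and a one-shot wipe of all three logs produces a tight burst of them. The detection below is an added example, not part of the handout or of Metasploit. The events are a constructed, simplified rendering of forwarded Windows events: the field names follow the Windows event schema, the values are made up.

```python
"""Detect event-log clearing from forwarded Windows events.

Added example, not code from the original handout. SAMPLE_EVENTS is a
constructed, simplified rendering of forwarded events.
"""
from datetime import datetime, timedelta

# (channel the event is written to, event ID, provider) for "log was cleared".
LOG_CLEARED = {
    ("Security", 1102, "Microsoft-Windows-Eventlog"),  # Security log cleared
    ("System", 104, "Microsoft-Windows-Eventlog"),     # any other log cleared; Channel names it
}

SAMPLE_EVENTS = [  # constructed
    {"time": "2024-01-01T10:00:00", "channel": "Application", "event_id": 1000,
     "provider": "Application Error", "data": {}},
    {"time": "2024-01-01T10:05:01", "channel": "System", "event_id": 104,
     "provider": "Microsoft-Windows-Eventlog",
     "data": {"SubjectUserName": "nexus_test_user2", "Channel": "Application"}},
    {"time": "2024-01-01T10:05:02", "channel": "System", "event_id": 104,
     "provider": "Microsoft-Windows-Eventlog",
     "data": {"SubjectUserName": "nexus_test_user2", "Channel": "System"}},
    {"time": "2024-01-01T10:05:02", "channel": "Security", "event_id": 1102,
     "provider": "Microsoft-Windows-Eventlog",
     "data": {"SubjectUserName": "nexus_test_user2"}},
    {"time": "2024-01-01T11:00:00", "channel": "System", "event_id": 7036,
     "provider": "Service Control Manager", "data": {}},
]


def find_log_clears(events) -> list[tuple[datetime, str, str]]:
    """Return (time, cleared_channel, actor) for every log-cleared event."""
    hits = []
    for ev in events:
        if (ev["channel"], ev["event_id"], ev["provider"]) in LOG_CLEARED:
            cleared = ev["data"].get("Channel", ev["channel"])  # 1102 has no Channel field
            actor = ev["data"].get("SubjectUserName", "?")
            hits.append((datetime.fromisoformat(ev["time"]), cleared, actor))
    return hits


def wipe_burst(hits, window: timedelta = timedelta(seconds=60), min_channels: int = 2) -> bool:
    """True when several distinct logs are cleared inside one short window:
    the footprint of a single 'clear everything' command rather than an
    administrator emptying one log by hand."""
    hits = sorted(hits)
    for i, (t0, _, _) in enumerate(hits):
        channels = {ch for t, ch, _ in hits[i:] if t - t0 <= window}
        if len(channels) >= min_channels:
            return True
    return False


if __name__ == "__main__":
    found = find_log_clears(SAMPLE_EVENTS)
    for when, channel, who in found:
        print(f"{when} {channel} log cleared by {who}")
    print("burst:", wipe_burst(found))
```

The caveat a practitioner should take from the lab: the clearing events are written to the same local logs that were just wiped, so this detection only holds up when events are forwarded to a collector the compromised host cannot reach back into. The forwarded copy also preserves the thousands of records the wipe removed.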

Step 12. Now let's try remote desktop from Kali using the password you just cracked:

rdesktop -k en-us -a 16 -f -u nexus_test_user2 -p 123 192.168.145.139

Congratulations for hacking the server!

Result of penetration testing: by now you should know how an attacker gathers information about and gains control over a remote PC.

Question: As a Nexus Ethical Hacker what should you do to protect your company from attacker gaining access?
