Heist¶
Easy External Enumeration IIS Penetration Tester Level 1 Password Cracking Authentication Weak Credentials User Enumeration Memory Dump
$ nmap -sV -sC 10.129.132.228
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-11 10:27 WIB
Nmap scan report for 10.129.132.228
Host is up (0.13s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
| http-title: Support Login Page
|_Requested resource was login.php
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: -1s
| smb2-time:
| date: 2022-06-11T03:29:01
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 120.01 seconds
http://10.129.132.228/attachments/config.txt, from the conversation we know that user hazard use cisco router
version 12.2
no service pad
service password-encryption
!
isdn switch-type basic-5ess
!
hostname ios-1
!
security passwords min-length 12
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
!
!
ip ssh authentication-retries 5
ip ssh version 2
!
!
router bgp 100
synchronization
bgp log-neighbor-changes
bgp dampening
network 192.168.0.0Â mask 300.255.255.0
timers bgp 3 9
redistribute connected
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
!
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
!
no ip http server
no ip http secure-server
!
line vty 0 4
session-timeout 600
authorization exec SSH
transport input ssh
after browsing with the keywork cisco crack password, I found https://www.ifm.net.nz/cookbooks/passwordcracker.html website to crack type 7 hash. Then I searched for crack type 5 and found https://www.ifm.net.nz/cookbooks/cisco-ios-enable-secret-password-cracker.html, but for cracking type 5 it takes a lot of time, so I looked for another solution, then I used john the ripper, and it worked
$ echo '$1$pdQG$o8nrSzsGXeaduXrjlvKc91' > hash
$ john -w=/path/to/rockyou.txt hash
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
stealth1agent (?)
1g 0:00:00:46 DONE (2022-06-11 12:12) 0.02150g/s 75371p/s 75371c/s 75371C/s stealthxxx..ste8897
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
so the password is
(not complete yet...) :D