[Cyber Offense & Defense 05] Information Gathering and Password Cracking Exercises


This is a hands-on cybersecurity exercise, mainly covering information gathering and reconnaissance techniques. It covers the following key areas:

  • Password cracking (with the John the Ripper tool and with your own code)
  • DNS information gathering (domain WHOIS lookups and DNS zone transfers)
  • Google Hacking (using search engines to discover sensitive information)
  • Shodan searches (identifying exposed network services and devices)

Disclaimer

All of the following lecture notes, materials and discussion concerning hacking techniques, virus attacks, denial of service or any other means of attacking computer systems are provided for educational purposes only. They must not be used to launch attacks against or cause damage to any computer system, and nothing here encourages anyone to engage in such behaviour.

All technical discussion in this article is for learning and research only. The author accepts no responsibility for anyone who uses this information for unlawful purposes. By reading this article you agree not to use any technique discussed or disclosed here to carry out network attacks or other unlawful acts.

This article serves academic research and technical exchange and refuses to provide guidance for any malicious activity. Anyone who uses it unlawfully bears all legal responsibility themselves.

Lab 1 Warm-up exercise

1. Cracking passwords

We assume that Eve has cracked a database as follows.

Username | SHA512(Password)
Alice    | e37c759cb92c4c2e7d39c6f9854c3c73d3643f2a316601ff60f412c15a6bf91829ae33670a43a956628ed02371edbf942413aac06f52b481c60c8bd48efa19ad
Bob      | 834a0ff42987bff586f49f2f4e77e18c207adec957ac81eafdf6a4a90229331dbde9072d962cea44de1e18cbb34b6384a82f016ab86460660cca47786d97f66f

We know that the passwords are hashed using SHA512 algorithm without “salt”.

Please help Eve to find the password of Alice and Bob. (i.e., you need to find Alice_password such that SHA512(Alice_password) = e37c759cb92c4c2e7d39c6f9854c3c73d3643f2a316601ff60f412c15a6bf91829ae33670a43a956628ed02371edbf942413aac06f52b481c60c8bd48efa19ad, and the same as Bob’s)

Write your own code to crack the passwords. Use whatever programming language you like, together with the related APIs/packages, to find Alice's and Bob's passwords. A password dictionary (dict.txt) is provided in A1.zip.

If you use Python, you may need to encode the input to the SHA512 hash function as UTF-8. Make sure your hash function behaves the same as the one at gchq.github.io/CyberChef/.

Username | Password
Alice    | 6216900
Bob      | 8069017

Answer:

# see also in T1_Cracking_passwords/dict.txt
import hashlib

# Target hashes
alice_hash = "e37c759cb92c4c2e7d39c6f9854c3c73d3643f2a316601ff60f412c15a6bf91829ae33670a43a956628ed02371edbf942413aac06f52b481c60c8bd48efa19ad"
bob_hash = "834a0ff42987bff586f49f2f4e77e18c207adec957ac81eafdf6a4a90229331dbde9072d962cea44de1e18cbb34b6384a82f016ab86460660cca47786d97f66f"

# Function to compute SHA512 hash
def compute_sha512(password):
    return hashlib.sha512(password.encode('utf-8')).hexdigest()

# Read the dictionary file
with open('T1_Cracking_passwords/dict.txt', 'r', encoding='utf-8') as file:
    dictionary = file.read().splitlines()

# Crack passwords
def crack_password(target_hash):
    for word in dictionary:
        if compute_sha512(word) == target_hash:
            return word
    return None

# Find Alice's password
alice_password = crack_password(alice_hash)
print(f"Alice's password: {alice_password}")

# Find Bob's password
bob_password = crack_password(bob_hash)
print(f"Bob's password: {bob_password}")

Output:

Alice's password: 6216900
Bob's password: 8069017
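The lab's script works because the dump is unsalted: one pass over the dictionary serves every user. The following added example (mine, not part of the lab or its dict.txt) shows that property directly, and then the defender's side of the same story: with a random per-user salt and a slow derivation (PBKDF2-HMAC-SHA512 here, an assumption for illustration), the same dictionary attack has to re-derive every candidate for every user. SAMPLE_DICT is a constructed stand-in for dict.txt; the two hashes in LAB_TARGETS are the ones from the task.

```python
import hashlib
import hmac
import os

# Constructed stand-in for dict.txt (not the lab's file): a handful of candidate
# passwords, including the two the lab reports for Alice and Bob.
SAMPLE_DICT = ["password", "letmein", "6216900", "hunter2", "8069017", "qwerty"]

# The two unsalted SHA512 hashes from the lab's database dump.
LAB_TARGETS = {
    "Alice": "e37c759cb92c4c2e7d39c6f9854c3c73d3643f2a316601ff60f412c15a6bf91829ae33670a43a956628ed02371edbf942413aac06f52b481c60c8bd48efa19ad",
    "Bob": "834a0ff42987bff586f49f2f4e77e18c207adec957ac81eafdf6a4a90229331dbde9072d962cea44de1e18cbb34b6384a82f016ab86460660cca47786d97f66f",
}


def sha512_hex(password):
    """Hex SHA512 of the UTF-8 bytes of the password (what CyberChef computes)."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


def crack_unsalted(targets, wordlist):
    """Dictionary attack against unsalted hashes.

    With no salt, every user's hash is a pure function of the password, so the
    dictionary is hashed once into a lookup table and each target then costs a
    single dictionary lookup, however many users the dump contains.
    """
    table = {sha512_hex(word): word for word in wordlist}
    return {user: table.get(digest) for user, digest in targets.items()}


ITERATIONS = 100_000  # PBKDF2 work factor; chosen for this example


def hash_salted(password, salt):
    """Slow, salted password hash: PBKDF2-HMAC-SHA512 over a per-user salt."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password):
    """Store what a defender should store: a random salt plus the derived hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_salted(password, salt)}


def verify(password, record):
    """Constant-time comparison so timing does not leak how many bytes matched."""
    return hmac.compare_digest(hash_salted(password, record["salt"]), record["hash"])


def crack_salted(records, wordlist):
    """The same dictionary attack against salted records.

    Every user has a different salt, so no shared lookup table exists: each
    word must be re-derived for each user, and each derivation is deliberately
    slow. Returns (cracked passwords, number of hash computations performed).
    """
    found, work = {}, 0
    for user, record in records.items():
        found[user] = None
        for word in wordlist:
            work += 1
            if verify(word, record):
                found[user] = word
                break
    return found, work


if __name__ == "__main__":
    print("unsalted:", crack_unsalted(LAB_TARGETS, SAMPLE_DICT))
    salted = {"Alice": make_record("6216900"), "Bob": make_record("8069017")}
    found, work = crack_salted(salted, SAMPLE_DICT)
    print("salted:", found, "after", work, "slow derivations")
```

The unsalted attack computes len(SAMPLE_DICT) hashes in total; the salted one computes up to len(SAMPLE_DICT) per user, each ITERATIONS times slower, which is the whole point of salting plus a work factor.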

2. John the Ripper

Use john to crack Task 1 Alice and Bob’s password. Provide the command you use and the screenshots.

Commands
john --format=raw-sha512 --wordlist=dict.txt hashes.txt

Use john to crack the password of user 'kali' in passwd and shadow.

  a. The password hash is salted

  b. Hint: use a mutated /usr/share/john/password.lst as the dictionary

What hash algorithm was used?
yescrypt ($y)

What is the password of user 'kali'?
thunderbird1

Answer: Cracking Alice and Bob's Passwords

  1. Prepare the Input File: Create a text file (e.g., hashes.txt) containing the SHA512 hashes for Alice and Bob:

    alice:e37c759cb92c4c2e7d39c6f9854c3c73d3643f2a316601ff60f412c15a6bf91829ae33670a43a956628ed02371edbf942413aac06f52b481c60c8bd48efa19ad
    bob:834a0ff42987bff586f49f2f4e77e18c207adec957ac81eafdf6a4a90229331dbde9072d962cea44de1e18cbb34b6384a82f016ab86460660cca47786d97f66f
    
  2. Run John the Ripper: Use the following command to crack the passwords:

    john --format=raw-sha512 --wordlist=dict.txt hashes.txt
    
  3. View the Results: After the cracking process completes, use the following command to display the cracked passwords:

    john --show hashes.txt
    

Answer: Cracking Kali's Passwords

  1. Combine passwd and shadow:

    unshadow passwd shadow > hash.txt
    
  2. Run John the Ripper:

    john --format=crypt --wordlist=/usr/share/john/password.lst --rules hash.txt
    
  3. View the Results:

    john --show hash.txt
    

3. Whois lookup

Please gather the whois information of the following domains: megacorpone.com and hku.hk.

Fill in your findings

You can look these up in a browser at whois.domaintools.com or whois.net,

or from the command line.

https://whois.domaintools.com
https://whois.net
Domain Name: megacorpone.com
  Registrar: GANDI SAS
  Name Servers: NS1.MEGACORPONE.COM, NS2.MEGACORPONE.COM, NS3.MEGACORPONE.COM
  Creation Date: 2013-01-22T22:01:00Z
  Contact Information (all names, addresses, phone numbers, email addresses):
    Name: Alan Grofield
    Organization: MegaCorpOne
    Address: 2 Old Mill St, Rachel, Nevada, 89001, US
    Phone: +1.9038836342

Domain Name: hku.hk
  Registrar: Hong Kong Domain Name Registration Company Limited (HKDNR)
  Name Servers: NS1.HKU.HK, NS2.CUHK.EDU.HK, NS2.HKU.HK, NS3.HKU.HK, NS4.HKU.HK, NS10.GDNSDEF.COM, NS10.GDNSEC.COM
  Expiry Date: 07-06-2033
  Contact Information (all names, addresses, phone numbers, email addresses):
    Registrant:
      THE UNIVERSITY OF HONG KONG (香港大學)
      INFORMATION TECHNOLOGY SERVICES, THE UNIVERSITY OF HONG KONG, POKFULAM ROAD, HONG KONG

    Administrative Contact:
      HKU ADMINISTRATIVE CONTACT
      Phone: +852-28592491
      Fax: +852-25597904

    Technical Contact:
      KATHERINE KWOK
      Phone: +852-39172497
      Fax: +852-25597904
      Address: INFORMATION TECHNOLOGY SERVICES, THE UNIVERSITY OF HONG KONG, POKFULAM ROAD, HONG KONG

4. DNS Enumeration

Use the host command to:

  a. Create a Bash script for DNS forward lookup brute force. (You can fill in your code in the skeleton file "dns_forward_lookup.sh".)

  b. Create a Bash script that identifies the name servers and tests DNS zone transfer against each of them. (You can fill in your code in the skeleton file "dns_axfr.sh".)

Example output of dns_forward_lookup.sh:

[screenshot 13.png: example output of dns_forward_lookup.sh]

Example output of dns_axfr.sh:

[screenshot 12.png: example output of dns_axfr.sh]

Use your scripts above to perform DNS forward lookup and attempt zone transfer on megacorpone.com and hku.hk. (Common service names are provided in list.txt.)

megacorpone.com
DNS forward lookup results
www.megacorpone.com has address 149.56.244.87
mail.megacorpone.com has address 167.114.21.68
admin.megacorpone.com has address 167.114.21.64
www2.megacorpone.com has address 149.56.244.87
ns1.megacorpone.com has address 51.79.37.18
ns2.megacorpone.com has address 51.222.39.63
vpn.megacorpone.com has address 167.114.21.76
mail2.megacorpone.com has address 167.114.21.69
test.megacorpone.com has address 167.114.21.75
support.megacorpone.com has address 167.114.21.74
DNS zone transfer results (fill in NONE if the zone transfer was not successful)
Testing zone transfer on ns3.megacorpone.com....
Testing zone transfer on ns1.megacorpone.com....
Testing zone transfer on ns2.megacorpone.com....
admin.megacorpone.com has address 167.114.21.64
beta.megacorpone.com has address 167.114.21.65
fs1.megacorpone.com has address 167.114.21.66
intranet.megacorpone.com has address 167.114.21.67
mail.megacorpone.com has address 167.114.21.68
mail2.megacorpone.com has address 167.114.21.69
ns1.megacorpone.com has address 51.79.37.18
ns2.megacorpone.com has address 51.222.39.63
ns3.megacorpone.com has address 66.70.207.180
router.megacorpone.com has address 167.114.21.70
siem.megacorpone.com has address 167.114.21.71
snmp.megacorpone.com has address 167.114.21.72
support.megacorpone.com has address 167.114.21.74
syslog.megacorpone.com has address 167.114.21.73
test.megacorpone.com has address 167.114.21.75
vpn.megacorpone.com has address 167.114.21.76
vpn2.megacorpone.com has address 167.114.21.77
vpndev.megacorpone.com has address 167.114.21.78
vpnprod.megacorpone.com has address 167.114.21.79
www.megacorpone.com has address 149.56.244.87
www2.megacorpone.com has address 149.56.244.87
hku.hk
DNS forward lookup results
www.hku.hk has address 147.8.2.58
mail.hku.hk has address 147.8.2.126
mail.hku.hk has address 147.8.2.128
webmail.hku.hk has address 147.8.2.130
ns1.hku.hk has address 147.8.2.3
ns2.hku.hk has address 147.8.145.32
mail2.hku.hk has address 147.8.2.68
DNS zone transfer results (fill in NONE if the zone transfer was not successful)
Testing zone transfer on ns2.hku.hk....
Testing zone transfer on ns2.cuhk.edu.hk....
Testing zone transfer on ns3.hku.hk....
Testing zone transfer on ns4.hku.hk....
Testing zone transfer on ns10.gdnsec.com....
Testing zone transfer on ns10.gdnsdef.com....
Testing zone transfer on ns1.hku.hk....
None

Describe the pros and cons for recursive queries and iterative queries in a DNS query from the security point of view.

Recursive queries:

  • Pros:
    • Simpler for clients, since the DNS server handles the entire resolution process.
    • Resolver caching improves performance and reduces traffic.
    • Clients only need to send a single query.
  • Cons:
    • DNS servers are vulnerable to cache poisoning attacks.
    • High resource consumption on the DNS server.
    • Can be exploited for DNS amplification in DDoS attacks.
    • A compromised server may return malicious results to every client that trusts it.

Iterative queries:

  • Pros:
    • Clients have more control over the resolution process.
    • Lower resource consumption on DNS servers.
    • Reduces the risk of cache poisoning.
    • Harder to exploit for DDoS attacks.
  • Cons:
    • Requires multiple queries, increasing network traffic.
    • More complex implementation on the client side.
    • Each step of the resolution process can be attacked.
    • May expose more query information to attackers.

Answer: Fill in the script

About the host command

host is a basic DNS query command, mainly used to:

  1. Resolve a domain name to an IP address (forward lookup)
  2. Resolve an IP address to a domain name (reverse lookup)
  3. Query mail server, name server and similar records

Basic usage:

host example.com          # look up the domain's IP address
host -t NS example.com    # look up the name servers
host -t MX example.com    # look up the mail servers

Examples:

host google.com:
google.com has address 142.250.190.78
google.com has IPv6 address 2404:6800:4008:c07::67

host -t NS google.com:
google.com name server ns1.google.com.
google.com name server ns2.google.com.
google.com name server ns3.google.com.
google.com name server ns4.google.com.

host -t MX google.com:
google.com mail is handled by 10 smtp.google.com.
google.com mail is handled by 20 alt1.smtp.google.com.
google.com mail is handled by 30 alt2.smtp.google.com.
google.com mail is handled by 40 alt3.smtp.google.com.

Difference between the two scripts

  1. dns_forward_lookup.sh (forward lookup)
    • Like prepending common prefixes such as www, mail or ftp to the site name and seeing whether they resolve
    • For example, it needs a file listing all the prefixes to try (www, mail, ftp, etc.)
    • Equivalent to guessing possible subdomains one by one
  2. dns_axfr.sh (zone transfer)
    • Asks the DNS server directly for "all" records of the domain
    • If the server is misconfigured, it may hand over every record under the domain
    • Equivalent to skipping the guessing and asking the server for everything
    • Most servers now refuse this, because it is far too insecure

An everyday analogy:

  • dns_forward_lookup.sh is like guessing a company's extension numbers, trying 001 through 999
  • dns_axfr.sh is like asking reception for the whole company's extension list

Typical results:

  • forward lookup finds some commonly used subdomains
  • zone transfer is refused in most cases, because it would expose the entire domain's information
#!/usr/bin/bash
# dns_axfr.sh
# If no domain argument is given, print usage and exit
if [ -z "$1" ]; then
    echo "[*] Simple Zone transfer script with host command."
    echo "[*] Usage: $0 <domain name>"
    exit 0
fi
# Variables: $1 is the domain name supplied by the user

# Query the NS records (name servers) of the given domain with host
# cut -d " " -f4 splits each line on spaces and keeps the 4th field, i.e. the name server
ns_servers=$(host -t NS "$1" | cut -d " " -f4)

# Attempt a zone transfer against every name server found
for ns in $ns_servers; do
    echo "Testing zone transfer on $ns..."
    # host -l requests the zone transfer; show only the "has address" lines
    host -l "$1" "$ns" | grep "has address"
done


#!/usr/bin/bash
# dns_forward_lookup.sh

# Check that two arguments (list file and domain) were given
# If the argument count is not 2, print usage and exit
if [ "$#" -ne 2 ]; then
    echo "[*] Simple DNS forward lookup script with host command"
    echo "[*] Usage: $0 <list file> <domain name>"
    exit 0
fi

# Variables:
# $1: file with the list of subdomain prefixes
# $2: domain to query

# Read the subdomain prefixes line by line from the list file
# and run a DNS query for each one
# host performs the DNS query
# grep "has address" shows only the names that resolved
# || true keeps the script running even when there is no result
while read -r subdomain; do
    host "$subdomain.$2" | grep "has address" || true
done < "$1"
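The two scripts print raw host output; deciding what it means (which name server allowed AXFR, and what the wordlist brute force missed) is the part that matters to a defender. The following added Python example, mine and not part of the lab's skeleton files, parses both formats. It relies on the fact that dns_axfr.sh prints a "Testing zone transfer on <ns>..." line before each host -l call, so every "has address" line belongs to the most recent name server. The sample strings are constructed from the lab's own megacorpone.com results, truncated to a few records; the function names are my own.

```python
import re

# Constructed sample in dns_axfr.sh's output format, cut down from the lab's
# megacorpone.com run: ns3 and ns1 printed nothing after their "Testing" line
# (the transfer was refused), ns2 answered with records.
SAMPLE_AXFR_OUTPUT = """\
Testing zone transfer on ns3.megacorpone.com....
Testing zone transfer on ns1.megacorpone.com....
Testing zone transfer on ns2.megacorpone.com....
admin.megacorpone.com has address 167.114.21.64
beta.megacorpone.com has address 167.114.21.65
intranet.megacorpone.com has address 167.114.21.67
mail.megacorpone.com has address 167.114.21.68
siem.megacorpone.com has address 167.114.21.71
www.megacorpone.com has address 149.56.244.87
"""

# Constructed sample in dns_forward_lookup.sh's output format (same run, truncated).
SAMPLE_FORWARD_OUTPUT = """\
www.megacorpone.com has address 149.56.244.87
mail.megacorpone.com has address 167.114.21.68
admin.megacorpone.com has address 167.114.21.64
"""

# The echo in dns_axfr.sh appends "..." to a name that already ends in "." so the
# server name is taken as everything after the prefix and trailing dots stripped.
TESTING_RE = re.compile(r"^Testing zone transfer on (\S+)$")
ADDRESS_RE = re.compile(r"^(\S+) has address (\d{1,3}(?:\.\d{1,3}){3})$")


def parse_axfr_output(text):
    """Group the 'has address' lines under the name server that produced them.

    Returns {name_server: [(hostname, ip), ...]} in the order servers were
    tried; a server that refused the transfer keeps an empty list.
    """
    results = {}
    current = None
    for line in text.splitlines():
        m = TESTING_RE.match(line)
        if m:
            current = m.group(1).rstrip(".")
            results.setdefault(current, [])
            continue
        m = ADDRESS_RE.match(line)
        if m and current is not None:
            results[current].append((m.group(1).rstrip("."), m.group(2)))
    return results


def axfr_findings(parsed):
    """One finding per name server: AXFR allowed (a misconfiguration) or refused."""
    return [
        {"ns": ns, "axfr_allowed": bool(records), "records": len(records)}
        for ns, records in parsed.items()
    ]


def zone_transfer_summary(parsed):
    """What the lab's answer sheet asks for: NONE, or the servers that leaked."""
    leaking = [ns for ns, records in parsed.items() if records]
    return ", ".join(leaking) if leaking else "NONE"


def parse_forward_output(text):
    """Hostnames that the wordlist brute force managed to resolve."""
    return {m.group(1).rstrip(".") for m in map(ADDRESS_RE.match, text.splitlines()) if m}


def names_only_in_axfr(forward_text, axfr_text):
    """Hosts the zone transfer revealed that the wordlist never guessed."""
    guessed = parse_forward_output(forward_text)
    leaked = {name for records in parse_axfr_output(axfr_text).values() for name, _ in records}
    return leaked - guessed


if __name__ == "__main__":
    parsed = parse_axfr_output(SAMPLE_AXFR_OUTPUT)
    for finding in axfr_findings(parsed):
        print(finding)
    print("zone transfer:", zone_transfer_summary(parsed))
    print("missed by wordlist:", sorted(names_only_in_axfr(SAMPLE_FORWARD_OUTPUT, SAMPLE_AXFR_OUTPUT)))
```

On the lab's full megacorpone.com output the difference set is the interesting part: names such as beta, intranet and siem never appear in a common-service wordlist, which is exactly why an open AXFR is rated as a finding rather than a curiosity.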

5. Google Hacking

Please use the Google Hacking technique and the Google Hacking Database (GHDB) to conduct information gathering. Give an example of how to use Google's operators to gather information (e.g. passwords or other sensitive information) from the Internet. You cannot use the same example as in the lecture.

Your Google search query
filetype:sql "password"
Explain the purpose of your search query and what kind of information you are able to find
The query searches for SQL files (filetype:sql) that contain the word "password". Such files are often exposed through misconfigured servers or accidental uploads and can reveal sensitive information such as database credentials.
Please suggest countermeasures for this kind of information leakage
Ensure sensitive files are not publicly accessible by configuring servers properly.
Use access control mechanisms such as authentication.
Regularly audit for exposed files using automated tools.
Encrypt sensitive data and avoid storing plaintext credentials.
Train developers to handle sensitive files responsibly.

6. Shodan

Use Shodan.io to identify machines in Hong Kong that have exposed the "Remote Desktop Protocol" (RDP) service to the public internet. Provide the filtering query in a screenshot and explain your command.

Your search query
port:3389 country:"HK"
Explain the purpose of your search query
The query searches for devices in Hong Kong (country:"HK") that have the Remote Desktop Protocol (RDP) service running on port 3389 (port:3389). It helps identify systems exposed to the public internet and potentially vulnerable to attacks.
Please express your views on the pros and cons of exposing RDP services to the public internet
It allows remote access to computers and supports remote-work or IT-support setups, which is very convenient for businesses with distributed teams. It exposes systems to brute-force attacks and ransomware risk. If security measures are not configured correctly, the risk of unauthorised access increases. Such systems are frequently targeted by threat actors exploiting RDP vulnerabilities.

Give another example of how to use Shodan to conduct information gathering (e.g. vulnerable machines and IoT devices).

Your search query
title:"webcam" country:"US"
Explain the purpose of your search query and what kind of information you are able to find
The query searches for publicly accessible webcams (title:"webcam") located in the United States (country:"US"). It can reveal unsecured IoT devices such as webcams that are reachable over the internet, potentially exposing video streams or control panels.
Please express your views on the impact of Shodan on the cybersecurity industry (do NOT copy directly from the websites) and cite the references you refer to
Shodan is a powerful tool for security researchers and organisations to identify exposed systems and vulnerabilities, helping them reduce risk proactively.
It has raised awareness of the importance of securing internet-connected devices.
Attackers may abuse Shodan to locate and exploit vulnerable systems.
It has exposed the gaps in device security awareness among users and organisations.
References:
Shodan Official Website: www.shodan.io
Article on RDP Threats: www.csoonline.com