Week 3 – Enumeration and Cracking
Week 3 is done and it was the best yet! In this course, I have a feeling that every week will be better than the one before it. I studied for 10 hours after work and on the weekend and still managed to do a little painting!
In my original post, Investing a Year in Ethical Hacking, I detail my plan to invest 416 hours in 2017 to learn ethical hacking. Current progress: 30 / 416.
The end of the month is dangerously close. The year is almost 1/12th of the way over. Are you almost 1/12th of the way to your goal for the year?
Enumerating SMTP was… a disappointment, actually.
Keep reading and I’ll explain what I found along with how I cracked some passwords!
The goal of enumerating SMTP is to figure out what email addresses are valid and what addresses are not valid. This can be used to send phishing emails or to determine usernames since they are frequently the same as the email address.
Here is the command using the built-in tools in Kali Linux:
smtp-user-enum -M VRFY -u emailAddress_at_domain.com -t
Port 587 is a standard port for secure email message submission… like SMTP on port 25, but port 587 is for SMTPS (secure). (https://en.wikipedia.org/wiki/SMTPS)
Here is the output I get when checking a real email address that I know is legitimate. I won’t show the actual address on this screenshot because…well, because I don’t want you emailing it…it isn’t mine after all. The server I targeted below is a hosted Office 365 mail server. As you can see, Microsoft is not helpful here. Even though I used a legitimate email address, their server responded with 0 results which indicates that the address doesn’t exist.
Next I tried some addresses on Gmail. This was a little more entertaining but not any more useful. As you can see, the address below is not a valid email address but Google’s server responded and said that it is valid. Worthless data!
So unfortunately (well…fortunately for us defenders!), SMTP enumeration using this method is not effective against the major email providers, Office 365 and Gmail. This may be a useful technique for self-hosted Exchange or other mail servers but the big-name email hosts are on to us!
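To make the point concrete, here is an added example (my own illustration, not code from the post or from smtp-user-enum) that models the VRFY exchange against two constructed servers: one that answers honestly and one that answers every VRFY the same way, as the big providers did above. The mailbox list, the domain example.com and the reply texts are all made up for the demonstration; nothing is contacted over the network.

```python
# Constructed model of the SMTP VRFY exchange. Two server policies are shown:
# "leaky" (reveals whether a mailbox exists) and "hardened" (same reply for
# every address, so the probe learns nothing). Mailboxes and replies are
# invented for illustration.

KNOWN_MAILBOXES = {"bwayne", "alfred"}   # constructed user directory


def leaky_server(command: str) -> str:
    """Answers VRFY honestly: 250 for a known user, 550 otherwise."""
    verb, _, arg = command.partition(" ")
    verb = verb.upper()
    if verb == "EHLO":
        return "250 mail.example.com"
    if verb == "VRFY":
        local = arg.strip("<>").split("@")[0]
        if local in KNOWN_MAILBOXES:
            return f"250 2.1.5 <{arg}>"
        return f"550 5.1.1 <{arg}>: Recipient address rejected: User unknown"
    if verb == "QUIT":
        return "221 2.0.0 Bye"
    return "502 5.5.2 Error: command not recognized"


def hardened_server(command: str) -> str:
    """Same server with VRFY neutered: every VRFY gets an identical 252 reply,
    so a real mailbox and a bogus one look the same (what Gmail did above).
    Postfix gets a similar effect with 'disable_vrfy_command = yes' in main.cf,
    which refuses the VRFY command altogether."""
    if command.split(" ", 1)[0].upper() == "VRFY":
        return "252 2.0.0 Cannot VRFY user, but will accept message and attempt delivery"
    return leaky_server(command)


def run_session(server, addresses):
    """Drive one client session; return {address: reply code} plus the transcript."""
    transcript = []

    def send(line):
        reply = server(line)
        transcript.append((f"C: {line}", f"S: {reply}"))
        return reply

    send("EHLO probe.invalid")
    results = {addr: send(f"VRFY {addr}")[:3] for addr in addresses}
    send("QUIT")
    return results, transcript


def vrfy_leaks(results) -> bool:
    """True when reply codes differ between addresses, i.e. VRFY reveals which
    mailboxes exist. A defender wants this to be False for their own server."""
    return len(set(results.values())) > 1
```

Running run_session with both servers over the same two addresses shows the leaky one returning 250/550 (enumerable) and the hardened one returning 252 for both, which is exactly why the output above was worthless.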
This isn’t for the CEH but I saw a cool DFIR post by Jordan Potti that reminded me of the power of the WMIC commands. I tried the command to check the startup directories and I found mostly what I would expect but one entry was really odd. I don’t know what Zoom is but I’m sure he doesn’t need to be hiding in my startup directory…deleted!
Linux is nuts. Changing directories is CASE sEnSiTiVe!!!
I have to admit, it is hard to be a Linux newbie and a hacking newbie at the same time. Every step is a painful learning experience. At one point this week, I spent probably 30 minutes trying to get into the right directory via command line. I ended up GOOGLING it! LinuxCommand.org to the rescue!
I share this because I think it is fun to laugh at myself and so anybody reading (and struggling) can see that it is just part of the process. No overnight Hax0r success for me…or you!
After I finally fumbled my way into the directory, I got to have some fun! I had copied the SAM and SYSTEM files from my Windows 7 computer into this directory so it was time to crack the passwords.
Step 1: get the usernames and password hashes out of the SAM and SYSTEM files
From Kali: samdump2 System_FileName Sam_FileName >OutputFile.txt
Note: If you are following the PluralSight Ethical Hacking course, bkhive doesn’t seem to exist in the new versions of Kali. Just use samdump2 instead.
Step 2: Crack the passwords
From Kali: john OutputFile.txt --format=nt --users=UserName
Note: If you are following the PluralSight Ethical Hacking course, --format=nt2 doesn’t seem to exist in this version. Use --format=nt instead.
You can see in the screenshot below that the user ‘bwayne’ had the password ‘batman’. Pwned!
Cracking passwords is pretty satisfying! You should try it sometime*. In addition to enumeration and cracking, I invested a couple of hours in good old-fashioned “studying”. Although my main goal is to learn how to hack, I also want to become a CEH. Some memorization is required for ports, commands, terms, etc…
*Don’t do anything illegal