# Lab 5.1: Password Guessing

### **Deliverable 1.  Provide a screenshot that shows the lookup and reported hostname.**

<figure><img src="https://lh4.googleusercontent.com/6FQ3SY74FQJdZlVIkbc3w_oOV1G4vv9CEEThPkcFKGULF4Myudmf3xsGf7vUcrEWIMZ4CNlyCzFoEaa5WkwjjCmU5GdMv0CuwlNn90cNFEnduAPhZpQxY8b9iZD7oiL2Q0Nui3O3lAQyqPnE-A93Cdc" alt=""><figcaption></figcaption></figure>

Word list generation:

```bash
cewl http://10.0.5.21/bios/frodo -d 1 | grep '[A-Z]' > frodo.small.txt
cewl http://10.0.5.21/bios/pippin -d 1 | grep '[A-Z]' > pippin.small.txt
cewl http://10.0.5.21/bios/bilbo -d 1 | grep '[A-Z]' > bilbo.small.txt
cewl http://10.0.5.21/bios/samwise -d 1 | grep '[A-Z]' > samwise.small.txt
```

<figure><img src="https://lh3.googleusercontent.com/BzOUeOpxocQ6hz3xCcc48ZOcnVXbf2zqA19XqEmvNpm6RCdFSywSn5sdaEah6-ZNj0GDjR6iQTegnbiTm-5Wv7HIy1N13oP2JPG0yWfwJ4UvytWLLwtgJkrvIp61v0tYWKUWcCsmwV5yla_2xZ54BDk" alt=""><figcaption></figcaption></figure>

Did some filtering by hand

<figure><img src="https://lh6.googleusercontent.com/2GpfnAiJKJzLR8_8MmD3d7WtAqRJ2npgVop77iQRb2zu4NddIlT1D2bO3Y2elgf8UsYuJcuqnfzpW7-9I5311u16ZitYHHnJWk-oMeoylui53YqB85wzTMphrEHNVIScdxPqxUwKCtUF13z2OGCpNQY" alt=""><figcaption></figcaption></figure>

rsmangler:

```bash
rsmangler --file samwise.small.txt -x 12 -m 9  -l -s -e -i -p -u  -a --output samwise.mangled.txt
rsmangler --file frodo.small.txt -x 12 -m 9  -l -s -e -i -p -u  -a --output frodo.mangled.txt
rsmangler --file pippin.small.txt -x 12 -m 9  -l -s -e -i -p -u  -a --output pippin.mangled.txt
rsmangler --file bilbo.small.txt -x 12 -m 9  -l -s -e -i -p -u  -a --output bilbo.mangled.txt
```

<figure><img src="https://lh5.googleusercontent.com/pHLXgqD9e7JzaCeZrTZIifCRMbqXzltbrz_uM3M5uu5aZXYC3K4fDPhcl2a0AGiqbMVJ9ltNr5paPgcYPlm5cWJCLwa5by673qnk6WSKEnHBOmiv22zGMfJlhEa2mX8rJQCZxawoPDwCDqYWGSKWOII" alt=""><figcaption></figcaption></figure>

### **Deliverable 2.  Using what you have during the reconnaissance modules, run a scan to determine any listening tcp services to include the service versions.  Provide a screenshot of both your command and results.**

<figure><img src="https://lh6.googleusercontent.com/AssNzxw9GnfFwaz1n-oDNdQ0xb9ENfEIhRkCOus_dFakoz5pHmf7aMB6MyV4ZCXa-H8HyyvSq8vqd1eBsqGnyCnsRaMgfmobEWKf9xhfR3gZ0McY_i2khzSjIYjSqg3WrQJRdtsRjK4BFuT2F-tgaYY" alt=""><figcaption></figcaption></figure>

### **Deliverable 3.  Let's see if we can get a little more information on your website such as hidden directories.  Research the dirb command and run it against the webserver.  Turn off recursion.   Provide a screenshot of anything secret you've found.**

```
dirb http://10.0.5.21 -r
```

<figure><img src="https://lh4.googleusercontent.com/JvUTY6tsKwW1FiieetwvdQp_XysAKG1GCLx93259UavO6AoVVZs1v27T0tgnF4Cnl9gprNv1k4Vp0UqupmO6_SEiPhdrshrMwUpJSVdMvBmZQUsjWKhs_YvAp5oShOuJ62jNBhK8lGSmSoSVsfDgIzE" alt=""><figcaption></figcaption></figure>

### **Deliverable 4.  Provide a screenshot that displays a prompt when attempting to access a protected directory.**

<figure><img src="https://lh4.googleusercontent.com/7rD8NfBzCMpKvL0Pkv-MITdYma_z7KLVZ7ZJyaooZ-X4gdwT8VfcjQSpjgVE5LAMWYC9c-WzlC0xwk94rrPYrU34ZUwkpoQt3yF0fjBZMNcsHXqnGl_-F1-FVzUOQ3tvQu-wORZMeULZ3uJkJ5A2unc" alt=""><figcaption></figcaption></figure>

### **Deliverable 5.  For at least 3 shire staff, bypass authentication on the protected directory using the tool of your choice.  Provide screenshot(s) showing the tool execution and the guessed password. (Make sure you validate all of these work)**

<figure><img src="https://lh3.googleusercontent.com/BqvFNjLCHKHNfIq8rejpDLQHucqgmdI3_yzBGWgFTkPO5DfFt3hcSJeDCy_zlZSNDXKyz6N5orLJa1w29KBCSuNeWxi2Fp3YK2vpn0TA-9hqMHqNvwVn66oC9skM5XsrrDvXGH-fYF1SKHdGBZeYlQ0" alt=""><figcaption></figcaption></figure>

<figure><img src="https://lh3.googleusercontent.com/H8cJqPBwjjAWZvd_Bv1jRO-PH-D4KLn_rCSl4NvbYgfKtkdcErqmcElyBcCQpUrTHR45Am8lyAc19JUNRMGJ838iCSoGp1vTh_8enr1qXw1TGDaQlD55iwfXbhOa6wMREerkA-rYERCBptiltpggtYE" alt=""><figcaption></figcaption></figure>

<figure><img src="https://lh5.googleusercontent.com/BmgR5XgD_XHWl6YCn4vfISFm4JJTqfnR8ZjOv9JRDBiXzomYk4v2PISua296-U3j_exRFvwY6_hzkD6XfcqsobkVEkozylioafR9lrNSCd3ZXTkriw-ii35rw9G3uTYhf4WD4-R64AbGLwbyPs4_TlE" alt=""><figcaption></figcaption></figure>

### **Deliverable 6.  Submit screenshots of your tool of choice reporting successful ssh password guesses of at least 3 member's linux accounts.**

<figure><img src="https://lh4.googleusercontent.com/6lHGGDpOlsBzj1HO-pcY5hH2eG_C3E8xW__n3EXQ4p43TP4iHb4QYvJW0IEeodSUo9-uyYu_7BZxZ8HpZldzaS0YX7JakoY_TCoXUt1vtmCdcJQkqYA0YngeeV5VV-7dv4SYD53Tzl5SBHo5xTNBvg0" alt=""><figcaption></figcaption></figure>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://paul-gleason.gitbook.io/sec-335-eth.-hacking-and-pen.-testing/labs/lab-5.1-password-guessing.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.