Thursday, 24 March 2016

Attacking network remotely

ATTACKING NETWORK REMOTE SERVICES

In previous chapters, we have learned to enumerate open ports and the corresponding services running upon those ports, as well as assessing the vulnerabilities of the services by various methods. Now it’s time to exploit those vulnerabilities.
In this section, we will learn to use various tools such as Hydra, Medusa, and Ncrack to crack usernames and passwords for network services such as FTP, SSH, and RDP. Many network services that support authentication are protected by default or weak passwords, which can be easily guessed or cracked via a brute force or dictionary attack. Most penetration testers don’t pay much attention to brute force attacks, but in my opinion they are the fastest way to gain access to a remote system if used in an intelligent manner.
However, the downsides of these attacks are that they can disrupt the service or cause a denial of service, and they are easily detected by intrusion detection/prevention devices. Therefore, the general opinion in the community is that brute force attacks should rarely be attempted. My opinion is that although they generate a lot of noise and may be ineffective when the passwords are complex, if they are carried out efficiently they can be very useful and may allow an easy penetration into the remote system.
Apart from brute force attacks, we will also discuss various other ways to exploit some network services such as FTP, SMTP, and SQL Server.

OVERVIEW OF BRUTE FORCE ATTACKS

A brute force attack is the process of guessing a password through various techniques. Commonly, brute force attacks are divided into three categories:

TRADITIONAL BRUTE FORCE

In a traditional brute force attack, you try all possible combinations to guess the correct password. This process is usually very time consuming; if the password is long, it will take years to brute-force, but if the password is short, it can give quick results. Although there are methods to reduce the time taken to brute-force a password, under a normal penetration test this type of attack should still be avoided.

DICTIONARY ATTACKS

In a dictionary-based brute force attack, we use a custom wordlist containing a list of candidate usernames and passwords. It is much faster than a traditional brute force attack and is the recommended approach for penetration tests. The only downside is that if the password is not in the list, the attack won’t be successful. We have already discussed some tools that can be used to gather password lists from the target’s website in the “Information Gathering Techniques” post, so what we learned in that post will start to make sense now.

HYBRID ATTACKS

Hybrid brute force attacks are a combination of the traditional brute force attack and the dictionary-based attack. The idea behind a hybrid attack is to apply brute force variations to each entry of the dictionary list. An example of this type of attack is the following:
A university has set up a password policy where the password is their “first name” followed by their date of birth. For example, my first name is “Rafay” and my date of birth is February 5, 1993; therefore, my password would be “Rafay521993.” In this case, neither traditional brute force nor dictionary attack would be effective, but the hybrid attack would be.
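From the defender’s side, the policy described above is exactly the shape a hybrid attack enumerates, so a password policy should reject it at the point where the password is set. The following is an added example, not code from the original post: a checker that normalizes the candidate password and rejects it when it is the user’s first name joined with a date-of-birth fragment in any of the common layouts (names `dob_fragments`, `check_policy` and the 12-character minimum are this example’s own assumptions).

```python
from datetime import date

RAFAY_DOB = date(1993, 2, 5)  # date of birth from the post's example

def dob_fragments(dob):
    """Date-of-birth fragments commonly appended to passwords: d/m/y and m/d/y
    with and without zero padding, y-m-d, and the bare 2- or 4-digit year."""
    d, m, y = dob.day, dob.month, dob.year
    years = (str(y), f"{y % 100:02d}")
    frags = set(years)
    for yr in years:
        frags.update({f"{d}{m}{yr}", f"{m}{d}{yr}", f"{d:02d}{m:02d}{yr}",
                      f"{m:02d}{d:02d}{yr}", f"{yr}{m:02d}{d:02d}"})
    return frags

def normalize(password):
    """Lower-case and drop separators so 'Rafay-05.02.1993!' compares as 'rafay05021993'."""
    return "".join(ch for ch in password.lower() if ch.isalnum())

def is_name_dob_password(password, first_name, dob):
    """True when the password is the first name joined with a DOB fragment in either
    order: exactly the shape a hybrid attack enumerates from a name list."""
    pw, name = normalize(password), first_name.lower()
    if not pw or not name:
        return False
    return any(pw == name + f or pw == f + name for f in dob_fragments(dob))

def check_policy(password, first_name, dob, min_length=12):
    """Return None when the password is acceptable, otherwise the rejection reason.
    The name/DOB rule is checked first so the user sees the most specific reason."""
    if is_name_dob_password(password, first_name, dob):
        return "first name combined with date of birth"
    if first_name.lower() in normalize(password):
        return "contains the user's first name"
    if len(password) < min_length:
        return f"shorter than {min_length} characters"
    return None
```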

COMMON TARGET PROTOCOLS

Although there are many protocols that could be targeted, the following network protocols/services are the ones most commonly encountered:
FTP
SSH
SMB
SMTP
HTTP
RDP
VNC
MySQL
MS SQL
Generally, if you are trying to crack any one of these services, the methodology will be the same. All you would need to do is change a few parameters within the tools.

TOOLS OF THE TRADE

There are several tools that could be used for cracking network remote services, and each of them has its own pros and cons depending upon what protocols you are targeting. Let’s take a look at them one by one.

THC HYDRA

THC hydra is one of the oldest password cracking tools, developed by “The Hackers Community.” To my knowledge, Hydra has by far the widest protocol coverage of any password cracking tool, and it is available for almost all modern operating systems. I use hydra most of the time for my penetration tests. The only thing I do not use it for is brute-forcing HTTP authentication, because there are better tools for that, which we will discuss in the “Web Hacking” post.

BASIC SYNTAX FOR HYDRA

Hydra comes preloaded with a username/password list. We can predefine a single username or a username list; the choice is ours. Alternatively, we can use our own custom password list to increase the chances of success. A good first choice is a list of the top 100 or 1,000 worst passwords.
A collection of good password lists can be found at packetstorm (http://packetstormsecurity.com/Crackers/wordlists/). Here is the basic syntax for hydra to brute-force a service.

EXAMPLE WITH USERNAME SET TO “ADMINISTRATOR”

hydra -l administrator -P password.txt <target ip> <service>

EXAMPLE WITH USERNAME SET TO USERNAME LIST

hydra -L users.txt -P password.txt <target ip> <service>
Note: We need to define the location of the username/password list file for hydra to work.

CRACKING SERVICES WITH HYDRA

Let’s start by cracking an FTP password with hydra, since FTP is one of the most commonly found services. For that, we need an FTP service to be running on the target. Assume the target machine has the IP address 192.168.75.40.
By performing a simple port scan with nmap we figure out that the target machine is running an FTP server at port 21.
Looking at the other services such as Ms-term-serv and Netbios, we can conclude that the FTP server is running on the Windows operating system, which has the username “administrator” by default (we can also verify this by performing an OS detection with nmap). So we can specify the username as “administrator” in hydra, which saves some time, but it’s recommended that you use a wordlist.
Now, in order to use hydra to brute-force the FTP password, we need to issue the following command:
hydra -l administrator -P /pentest/passwords/wordlist/darkcode.lst 192.168.75.140 ftp
The command is very simple. We have specified the username as “administrator” followed by the –P parameter and the location where the wordlist is located. In BackTrack, the default list is located in the /pentest/passwords/wordlist/ directory.
Notice that hydra has managed to find the password: “aedis”. While this brute force attack was running, a large amount of traffic was observed on the server end, and from the FTP logs we could see hydra in action, where it left a huge trail of its presence.
These brute force attacks are not recommended. Now that we know the username and the password for the FTP server, we can try logging in. Type in “ftp” followed by the server name. It will ask for a username and password; after entering them, we will be logged in to the FTP server, where we can issue further commands.
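The trail hydra leaves in the FTP logs is what a defender should alert on. The following is an added example (not from the original post) of that detection logic: it parses constructed vsftpd-style login lines, flags any client address with five or more failed logins inside a 60-second sliding window, and records when a successful login from the same address follows the failures, which is the pattern of a guessed password. The log format, the threshold and the `analyze` wrapper are this example’s own assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed vsftpd-style sample log, not taken from the original post:
# six failed logins in two seconds from one client, then a success from it.
SAMPLE_LOG = """\
Thu Mar 24 10:00:01 2016 [pid 2011] [administrator] FAIL LOGIN: Client "192.168.75.20"
Thu Mar 24 10:00:01 2016 [pid 2012] [administrator] FAIL LOGIN: Client "192.168.75.20"
Thu Mar 24 10:00:02 2016 [pid 2013] [administrator] FAIL LOGIN: Client "192.168.75.20"
Thu Mar 24 10:00:02 2016 [pid 2014] [administrator] FAIL LOGIN: Client "192.168.75.20"
Thu Mar 24 10:00:02 2016 [pid 2015] [administrator] FAIL LOGIN: Client "192.168.75.20"
Thu Mar 24 10:00:03 2016 [pid 2016] [administrator] FAIL LOGIN: Client "192.168.75.20"
Thu Mar 24 10:00:03 2016 [pid 2017] [administrator] OK LOGIN: Client "192.168.75.20"
Thu Mar 24 10:05:00 2016 [pid 2030] [alice] FAIL LOGIN: Client "192.168.75.77"
Thu Mar 24 10:05:09 2016 [pid 2031] [alice] OK LOGIN: Client "192.168.75.77"
"""

LINE_RE = re.compile(r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
                     r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"')

def parse_log(text):
    """Return a list of (timestamp, username, 'OK'|'FAIL', client_ip) per login line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            events.append((ts, m["user"], m["result"], m["ip"]))
    return events

def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag client IPs with >= threshold failed logins inside a sliding window, and
    record whether a success followed while failures were still inside the window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    tried = defaultdict(set)      # ip -> usernames seen in failed attempts
    alerts = {}
    for ts, user, result, ip in events:
        q = recent[ip]
        while q and ts - q[0] > window:
            q.popleft()
        if result == "FAIL":
            q.append(ts)
            tried[ip].add(user)
            if len(q) >= threshold:
                a = alerts.setdefault(ip, {"peak_failures": 0, "users": tried[ip], "success_after": False})
                a["peak_failures"] = max(a["peak_failures"], len(q))
        elif ip in alerts and q:
            alerts[ip]["success_after"] = True
    return alerts

def analyze(text):
    return detect_bruteforce(parse_log(text))
```

Alice’s single typo followed by a login does not cross the threshold, so only the spraying client is reported; a real deployment would feed these alerts into rate limiting or account lockout.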
In a similar manner, we can use Hydra to brute-force other services such as SSH, SMB, and RDP. The method for cracking a web form is a bit different; however, there are much better tools for it than Hydra, which we will discuss when we reach the “Web Hacking” post.

HYDRA GUI

For all GUI fans, there is a GUI version of Hydra, which is available by default in BackTrack. All you need to do is to type “Xhydra” or “HydraGTK” from the command line to explore it.
