Why are passwords so important to us?

For many people, passwords are the one thing that keeps their most precious secrets or items safe. Passwords are everything: where we access, who we access it as, even the ability to open a cryptocurrency wallet. In most cases, you will not find a place on the internet where someone stores sensitive information and a password is not used. Over time, passwords and their use have changed drastically. New technology, such as 2FA and biometrics, makes the authentication possibilities endless. However, each new possibility can pave the way for new ways to exploit password schemes.

These places have seen an up-tick in brute force attempts

Closing out 2019, we have seen an up-tick in brute-force attempts, and we expect to see an increased number of unauthorized log-in attempts against targeted user accounts. Below are examples of sectors we believe will see an up-tick in attempts in 2020.

  1. Large Banks and Credit Lenders
  2. Political Organizations
  3. Cryptocurrency Exchanges
  4. Online shops and Stores

In this guide, we will attempt to explain the subject of brute-force attacks. We will try to cover as many of the main points as we can, but some subjects are outside this document’s scope. Tools for this exist on both Windows and Linux, but just using them offers little understanding of what the software is doing. This is a very loud attack that will get anyone’s attention.

** Disclaimer : This document should be used as educational material and should not be used on hardware or systems that you do not own or are not authorized in writing to test. We take no responsibility for this document or if a monkey beats you in the head with your keyboard while reading it. It's nothing to do with me.

What is a Brute Force Attack?

In basic terms, a brute-force attack is an attack that is repeated over and over, such as logging into a website or server. These attacks usually change small details of each attempt until the attack works, the attacker gives up, or something else stops the attack. Here are some of the systems that can be brute-force attacked.

  1. Online Websites : Places such as Facebook, Twitter, web wallets, online banks, and many more.
  2. VPS Servers : VPS rentals are popular with software developers and the cryptocurrency community.
  3. Cryptocurrency wallets : Cryptocurrency wallet passwords and many more types.

What are the types of Brute Force Attacks?

There are 3 basic types of brute-force attacks. Each has its own strengths and weaknesses. Some attacks are slow and take a long time to complete; others are faster and produce more results in less time.

Basic types of attacks

  1. Enumeration : The slowest form of brute force.
  2. Dictionary Attack : A list of the passwords users are most likely to use.
  3. Hybrid : A combination of Enumeration and Dictionary. Uses word lists, but substitutes variables into the word or words.

** Note : Two of the most common and feature-rich password cracking or brute-forcing tools available to penetration testers are THC-Hydra and Medusa. We will cover these in more detail later.

Systems and Passwords are Changing

Many systems today ask users to pick complex passwords. Most systems require passwords to be more than 8 characters, but these settings can easily be changed by the user or ignored altogether. When password cracking, we begin with the minimum length and then work upwards. Words become longer and passwords become stranger. Sometimes the password is not in our list and time is wasted. When a word is not in our list, we can take the standard output of one program, such as crunch (a word-list generator), and pipe (send) it to the next program as its input. Crunch is a great tool for this job.

You can find many commonly used passwords on many sites, packaged as word-lists. Having different word-lists helps keep your attack focused and on time. Some word-lists are specific to a certain technology; others cover a broader set of applications. For example, default hardware usernames and passwords might be in one file, while another might simply be a dictionary of words.

  1. https://wiki.skullsecurity.org/Passwords
  2. Kali Has a number of lists that come pre-installed

How to Obtain Usernames?

Often, companies will betray their users by making the username the e-mail address. This makes it easier for the attacker to identify the account. Before brute-forcing an account, look at the company's website to see if you can get more information to help identify user accounts first. People who work in less tech-savvy environments are a better target than the network administrator. They are less likely to be noticed than the root or administration accounts, or missed altogether.

Also, perform good recon. Check Facebook, LinkedIn, or other social sites. I suggest using recon-ng to scrape information from the web to get an e-mail address to use.

Website Login Cracking with THC Hydra

THC Hydra is a password cracking tool. As a matter of fact, we think of it as more of a network logon password cracking tool. A few great features of Hydra are that you can add modules to increase its functionality, and it’s very fast at what it does. Hydra also supports many network services.

Supported services are: asterisk cisco cisco-enable cvs firebird ftp ftps http[s]-{head|get} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres rdp redis rexec rlogin rsh s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey teamspeak telnet[s] vmauthd vnc xmpp

Hydra Command Line Options
These are some of the basic options that you can pass to hydra.

To run with a set username try:

hydra -l username -P passwordlist.txt target

To run with a list for the username try:

hydra -L username.txt -P passwordlist.txt target

When using the -l switch, the username is a single user name, such as “admin”. When using the -L switch, the argument is a username list. The password list (-P) is usually any text file that contains potential passwords. The target can be an IP address and port, or it can be a specific web form. Although you can use ANY password text file with Hydra, Kali has several built in.

Let's look in /usr/share/wordlists and see what lists we already have:

cd /usr/share/wordlists

Let's list the contents of this directory:

ls -al

Kali Wordlist
Kali contains some wordlists to get you started. You can easily add any custom lists you wish.

You can create your own, use these, or use any word list you download from the web, as long as it is Linux-friendly (plain text with Unix line endings) and in .txt format. Zip and tar.gz files are compressed and will have to be unpacked first.

Using Hydra on Web Forms

Using Hydra on web forms adds a level of complexity, but the format is similar, except that you need information about the web form parameters, which Tamper Data can provide.

The syntax for using Hydra with a web form is <url>:<formparameters>:<failure string> in place of the target IP we used previously. We still need a username list and a password list.

The most critical of these parameters for web form password attacks is the “failure string”. This is the string that the form returns when the username or password is incorrect. We need to capture this and provide it to Hydra so that Hydra knows when an attempted password is incorrect and proceeds to the next attempt.

** Notes : Hydra keeps a separate copy of the word-list in memory for each thread. Medusa uses one copy and gives threads read-only access to it, so both speed and memory usage are improved. Medusa is a more stable code base; Hydra tends to crash more. Both support multiple operating systems and multiple protocols. Both can be extended with custom plug-ins.

Website Form Login Cracking with Medusa

Let’s take a look at Medusa. Medusa is a network authentication brute-forcing tool.

Medusa has a lot of options for cracking many different password schemes.

It supports a wide array of protocols:

  1. FTP
  2. HTTP
  3. SSH
  4. SMB
  5. VNC
  6. POP3
  7. IMAP
  8. MySQL
  9. Telnet

The factor differentiating Medusa is its ability to test multiple systems in parallel. Medusa achieves this through the multi-threading facility called POSIX Threads, usually referred to as “Pthreads”. Compared to the cost of creating and managing a process, a thread can be created with much less operating system overhead, and managing threads requires fewer system resources than managing processes. Users can specify a list of hosts to be tested, and Medusa will create a child process for every host and test multiple systems at once, leveraging preemptive multitasking to the fullest.

Using Medusa to brute-force a Web Login

  1. To brute-force HTTP Basic Authentication, we use the following command (replace <target> with the host to test):
    medusa -h <target> -u admin -P /usr/share/wordlists/rockyou.txt -M http

When Medusa finds a username and password combination that works, it will exit and display the username and password to you.

How Can We Defend Against Attacks?

By understanding what the attack is doing, we can define traffic filters or block the offending IP address. However, if the attacker controls more IP addresses, he can continue attacking the target. This can lead to a lot of time-consuming monitoring tasks that the defenders will have to perform.

Here are some things that will help you safeguard your accounts and other online resources.

  1. 2FA : Use two-factor authentication when possible.
  2. Login Notifications : Have the system notify you through email or SMS of each login.
  3. Email Confirm : Have a confirmation email sent before transactions are processed.
  4. Different Passwords : Do not reuse passwords, and change them every 6 months.

Many people rent Virtual Private Servers, or VPSs, to host applications, websites, or even cryptocurrency wallets. As consultants, one of our biggest missions is to improve the safety of our customers. Many people who rent VPSs have virtually no security, which makes them a prime target for takeover by a hacker who wants to use them in a botnet. If you rent a VPS, you should look at the following items in close detail.

  1. CLOSE PORTS : NO public ports unless needed for business. Support and other staff should connect over a VPN.
  2. SSH Login : Should only be reachable over the VPN, and never allow ROOT login.
  3. ConfigServer Firewall (CSF) : a free and open-source firewall.
  4. Fail2ban : blocks brute-force login attempts against services.
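To show what Fail2ban does with the SSH brute-force traffic described above, here is an added example (not from the original post or either tool) that applies its counting rule, maxretry failures from one IP within findtime seconds, to constructed sshd log lines in the syslog format found in /var/log/auth.log. The sample log, the year assumed for the timestamps, and the default thresholds are all assumptions of this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches OpenSSH failure lines in syslog format (as in /var/log/auth.log).
# Syslog timestamps carry no year, so the caller supplies one.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

# Constructed sample log: one noisy source guessing several accounts, and one
# legitimate user who mistypes a password twice, far apart in time.
SAMPLE_LOG = """\
Dec 30 10:00:01 vps1 sshd[2101]: Failed password for root from 198.51.100.7 port 40122 ssh2
Dec 30 10:00:03 vps1 sshd[2104]: Failed password for invalid user admin from 198.51.100.7 port 40130 ssh2
Dec 30 10:00:05 vps1 sshd[2108]: Failed password for invalid user oracle from 198.51.100.7 port 40141 ssh2
Dec 30 10:00:06 vps1 sshd[2110]: Accepted publickey for deploy from 192.0.2.10 port 51000 ssh2
Dec 30 10:00:08 vps1 sshd[2112]: Failed password for invalid user test from 198.51.100.7 port 40150 ssh2
Dec 30 10:00:09 vps1 sshd[2115]: Failed password for root from 198.51.100.7 port 40161 ssh2
Dec 30 10:05:00 vps1 sshd[2201]: Failed password for alice from 192.0.2.10 port 51010 ssh2
Dec 30 10:40:00 vps1 sshd[2300]: Failed password for alice from 192.0.2.10 port 51020 ssh2
""".splitlines()

def parse_failures(lines, year=2019):
    """Yield (timestamp, user, ip) for each failed-password line; skip the rest."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def find_offenders(lines, maxretry=5, findtime=600):
    """Return {ip: ban time} for IPs reaching maxretry failures within findtime seconds."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # per-IP sliding window of failure timestamps
    banned = {}
    for ts, _user, ip in parse_failures(lines):
        if ip in banned:          # already flagged; a real ban would drop its traffic
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # expire failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

With the defaults, only 198.51.100.7 is flagged; the two spread-out failures from 192.0.2.10 fall outside the window and never reach the threshold.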

There are many more complex ways to set up computer networks securely, but if you follow the items above, you greatly reduce your chances of being compromised.
