Sunday, October 15, 2017

Online Password Attacks: Medusa / Ncrack / Hydra


- Layout for this exercise:

1 - Introduction

- Online password attacks involve password-guessing attempts for networked services that use a username and password authentication scheme. 

- This includes services such as HTTP, SSH, VNC, FTP, SNMP, POP3, etc. 

- In order to be able to automate a password attack against a given networked service, we must be able to generate authentication requests for the specific protocol in use by that service. 

- Tools such as Medusa, Ncrack, Hydra and even Metasploit can be used for that purpose.

- The same wordlist will be used throughout this exercise:

2 - Medusa for HTTP brute force attack

- Medusa is a speedy, massively parallel, modular command-line login brute-forcer that supports services which allow remote authentication.

- Medusa supports HTTP, FTP, CVS, AFP, IMAP, MS SQL, MYSQL, NCP, NNTP, POP3, PostgreSQL, pcAnywhere, rlogin, SMB, rsh, SMTP, SNMP, SSH, SVN, VNC, VmAuthd and Telnet. 

- Host, username and password can each be supplied as a single value or as a list, so the input stays flexible while the attack is performed.

- The efficiency of the tool depends on network connectivity; for instance, on a local system it can test 2000 passwords per minute.

- With Medusa it is possible to perform a parallel attack, for instance cracking passwords of a few email accounts simultaneously, specifying the username list along with the password list.

- Installation and further information here:

- In the next example Medusa is used to perform a brute force attack against an htaccess protected web directory.

- First of all, let's check that the target has port 80 open:

- Launching medusa (option -T 10 means 10 threads) against the target, the attack is successful:

3 - Ncrack for RDP brute force attack

- Ncrack is a high-speed network authentication cracking tool built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords. 

- Ncrack was designed using a modular approach, a command-line syntax similar to Nmap and a dynamic engine that can adapt its behaviour based on network feedback. It allows for rapid, yet reliable large-scale auditing of multiple hosts.

- Protocols supported by Ncrack include RDP, SSH, HTTP(S), SMB, POP3(S), VNC, FTP, SIP, Redis, PostgreSQL, MySQL, and Telnet.

- Ncrack is available for many different platforms, including Linux, *BSD, Windows and Mac OS X. There are already installers for Windows and Mac OS X and a universal source code tarball that can be compiled on every system. 

- For download and further information:

- In the next example ncrack is used against the Remote Desktop Protocol service listening on port 3389:

- The attack is successful:

4 - Hydra for SSH brute force attack

- Hydra is a fast network logon password cracking tool. 

- It is available for Windows, Linux, FreeBSD, Solaris and OS X, and supports many network protocols, including Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP, SOCKS5, SSH (v1 and v2), Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

- Download Hydra here:

- In the next example SSH credentials are attacked with Hydra.

- Checking that the SSH service is running at port 22 of the target:

- The attack is successful:

5 - Hydra for FTP brute force attack

- This attack is similar to the previous one, the only difference being that the attacked service is FTP, listening on port 21:

- The attack is successful:
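- From the defender's side, the SSH and FTP guessing runs above leave a dense burst of failed logins from a single source in the target's auth log, followed by one success when the wordlist hits. The Python script below is an added example, not code from the original post: it parses constructed sshd log lines (the function names and the sample addresses are assumptions) and flags any source that exceeds a failure threshold inside a sliding time window, noting whether a success followed the burst.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Constructed sshd log lines (sample input, not taken from the original post's screenshots).
SAMPLE_LOG = """\
Oct 15 10:00:01 target sshd[1201]: Failed password for root from 192.0.2.10 port 50001 ssh2
Oct 15 10:00:02 target sshd[1202]: Failed password for root from 192.0.2.10 port 50002 ssh2
Oct 15 10:00:02 target sshd[1203]: Failed password for invalid user admin from 192.0.2.10 port 50003 ssh2
Oct 15 10:00:03 target sshd[1204]: Failed password for root from 192.0.2.10 port 50004 ssh2
Oct 15 10:00:04 target sshd[1205]: Failed password for root from 192.0.2.10 port 50005 ssh2
Oct 15 10:00:05 target sshd[1206]: Accepted password for root from 192.0.2.10 port 50006 ssh2
Oct 15 10:00:07 target sshd[1207]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Oct 15 10:20:00 target sshd[1208]: Failed password for alice from 198.51.100.7 port 40002 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse(line, year=2017):
    """Return (timestamp, result, user, ip) or None; syslog lines carry no year, so one is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def detect_bruteforce(lines, threshold=5, window_s=60):
    """Flag sources with >= threshold failed logins within window_s seconds; record a following success."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    alerts = {}
    for line in lines:
        rec = parse(line)
        if rec is None:  # not an auth-result line (or a different daemon)
            continue
        ts, result, user, ip = rec
        if result == "Failed":
            q = recent[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:
                q.popleft()  # drop failures that have fallen out of the window
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = {"failures": len(q), "first": q[0], "success_after": False}
        elif ip in alerts:  # success right after a burst of failures: a credential was guessed
            alerts[ip]["success_after"] = True
            alerts[ip]["user"] = user
    return alerts
```

The second source in the sample (two failures twenty minutes apart) stays below the threshold, which is the distinction that keeps an ordinary typo from paging anyone.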