ONLINE PASSWORD ATTACKS WITH MEDUSA, NCRACK AND HYDRA
- Layout for this exercise:
1 - Introduction
- Online password attacks involve password-guessing attempts for networked services that use a username and password authentication scheme.
- This includes services such as HTTP, SSH, VNC, FTP, SNMP, POP3, etc.
- In order to be able to automate a password attack against a given networked service, we must be able to generate authentication requests for the specific protocol in use by that service.
- Tools such as Medusa, Ncrack, Hydra and even Metasploit can be used for that purpose.
2 - Medusa for HTTP brute force attack
- Medusa is a speedy, massively parallel, modular, command-line login brute-forcer that supports services which allow remote authentication.
- Medusa supports HTTP, FTP, CVS, AFP, IMAP, MS SQL, MYSQL, NCP, NNTP, POP3, PostgreSQL, pcAnywhere, rlogin, SMB, rsh, SMTP, SNMP, SSH, SVN, VNC, VmAuthd and Telnet.
- Host, username and password can all be supplied as flexible input while performing the attack.
- The tool's throughput depends on network connectivity; on a local system, for instance, it can test 2000 passwords per minute.
- Medusa can also run parallel attacks, for instance testing passwords against several email accounts simultaneously by supplying a username list together with the password list.
- Installation and further information here:
http://foofus.net/goons/jmk/tools/
http://foofus.net/goons/jmk/medusa/medusa.html
- In the next example Medusa is used to perform a brute force attack against an htaccess protected web directory.
- First of all, let's check that port 80 is open on the target:
- Launching Medusa against the target (option -T 10 means 10 threads), the attack is successful:
3 - Ncrack for RDP brute force attack
- Ncrack is a high-speed network authentication cracking tool built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords.
- Ncrack was designed using a modular approach, a command-line syntax similar to Nmap and a dynamic engine that can adapt its behaviour based on network feedback. It allows for rapid, yet reliable large-scale auditing of multiple hosts.
- Protocols supported by Ncrack include RDP, SSH, HTTP(S), SMB, POP3(S), VNC, FTP, SIP, Redis, PostgreSQL, MySQL, and Telnet.
- Ncrack is available for many different platforms, including Linux, *BSD, Windows and Mac OS X. There are already installers for Windows and Mac OS X and a universal source code tarball that can be compiled on every system.
- For download and further information:
https://nmap.org/ncrack/
- The attack is successful:
4 - Hydra for SSH brute force attack
- Hydra is a fast network logon password cracking tool.
- It is available for Windows, Linux, FreeBSD, Solaris and OS X, and supports many network protocols, such as Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP, SOCKS5, SSH (v1 and v2), Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.
- Download Hydra here:
https://www.thc.org/thc-hydra/
- In the next example SSH credentials are attacked with Hydra.
- Checking that the SSH service is running on port 22 of the target:
- The attack is successful:
5 - Hydra for FTP brute force attack
- This attack is similar to the previous one, the only difference being that the attacked service is FTP, listening on port 21:
- The attack is successful:
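- The following is an added example, not part of the original exercise and not code from the Medusa, Ncrack or Hydra projects. It shows what the attacks in sections 2, 4 and 5 (and online password guessing in general) look like from the defender's side: a small Python detector that parses log lines from sshd, vsftpd and an Apache access log, flags a burst of failed logins from one source, and flags the moment a login succeeds from a source that was already in a burst, which is the "attack is successful" event seen from the server. The log lines, IP addresses, the year 2025 assumed for the year-less syslog entries, and the threshold of 5 failures within 60 seconds are all constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the style of OpenSSH sshd (syslog), vsftpd and
# Apache access logs. They are made up for this example, not taken from the page.
SAMPLE_LOG = """\
Mar 10 12:00:01 host sshd[2101]: Failed password for root from 192.0.2.10 port 40001 ssh2
Mar 10 12:00:01 host sshd[2102]: Failed password for invalid user admin from 192.0.2.10 port 40002 ssh2
Mar 10 12:00:02 host sshd[2103]: Failed password for root from 192.0.2.10 port 40003 ssh2
Mar 10 12:00:02 host sshd[2104]: Failed password for root from 192.0.2.10 port 40004 ssh2
Mar 10 12:00:03 host sshd[2105]: Failed password for root from 192.0.2.10 port 40005 ssh2
Mar 10 12:00:03 host sshd[2106]: Accepted password for root from 192.0.2.10 port 40006 ssh2
Mar 10 12:05:00 host sshd[2200]: Failed password for alice from 198.51.100.7 port 50001 ssh2
Mar 10 12:05:10 host sshd[2201]: Accepted password for alice from 198.51.100.7 port 50002 ssh2
Mon Mar 10 12:10:00 2025 [pid 3001] [ftpuser] FAIL LOGIN: Client "203.0.113.5"
Mon Mar 10 12:10:00 2025 [pid 3002] [ftpuser] FAIL LOGIN: Client "203.0.113.5"
Mon Mar 10 12:10:01 2025 [pid 3003] [ftpuser] FAIL LOGIN: Client "203.0.113.5"
Mon Mar 10 12:10:01 2025 [pid 3004] [ftpuser] FAIL LOGIN: Client "203.0.113.5"
Mon Mar 10 12:10:02 2025 [pid 3005] [ftpuser] FAIL LOGIN: Client "203.0.113.5"
Mon Mar 10 12:10:02 2025 [pid 3006] [ftpuser] OK LOGIN: Client "203.0.113.5"
192.0.2.10 - - [10/Mar/2025:12:20:00 +0000] "GET /secret/ HTTP/1.1" 401 381
192.0.2.10 - - [10/Mar/2025:12:20:00 +0000] "GET /secret/ HTTP/1.1" 401 381
192.0.2.10 - - [10/Mar/2025:12:20:01 +0000] "GET /secret/ HTTP/1.1" 401 381
192.0.2.10 - - [10/Mar/2025:12:20:01 +0000] "GET /secret/ HTTP/1.1" 401 381
192.0.2.10 - - [10/Mar/2025:12:20:02 +0000] "GET /secret/ HTTP/1.1" 401 381
192.0.2.10 - admin [10/Mar/2025:12:20:02 +0000] "GET /secret/ HTTP/1.1" 200 1234
"""

ASSUMED_YEAR = 2025  # assumption: syslog-style sshd lines carry no year

SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)")
VSFTPD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) \[pid \d+\] "
    r'\[(?P<user>[^\]]+)\] (?P<result>FAIL|OK) LOGIN: Client "(?P<ip>\d+\.\d+\.\d+\.\d+)"')
APACHE_RE = re.compile(
    r'^(?P<ip>\d+\.\d+\.\d+\.\d+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) ')


def parse_line(line):
    """Return (timestamp, service, user, ip, success) or None for lines that say
    nothing about authentication. All timestamps are naive and assumed to be in
    one timezone so that events from the three logs can be ordered together."""
    m = SSHD_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
        return ts, "ssh", m["user"], m["ip"], m["result"] == "Accepted"
    m = VSFTPD_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        return ts, "ftp", m["user"], m["ip"], m["result"] == "OK"
    m = APACHE_RE.match(line)
    if m:
        if m["status"] == "401":          # HTTP auth challenge / wrong credentials
            success = False
        elif m["status"].startswith("2"):  # request served: credentials accepted
            success = True
        else:
            return None                    # 404, 500 etc. say nothing about auth
        ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
        return ts, "http", m["user"], m["ip"], success
    return None


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return alerts as (kind, service, ip, user, timestamp) tuples.
    'burst': a source reached `threshold` failures inside `window` (fires once
    per burst). 'success_after_burst': a login from that source succeeded while
    the burst was still in the window, i.e. a password was probably guessed."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e[0])               # stable sort keeps log order for ties
    failures = defaultdict(deque)                 # (service, ip) -> recent failure times
    alerts = []
    for ts, service, user, ip, success in events:
        recent = failures[(service, ip)]
        while recent and ts - recent[0] > window:  # slide the window forward
            recent.popleft()
        if success:
            if len(recent) >= threshold:
                alerts.append(("success_after_burst", service, ip, user, ts))
        else:
            recent.append(ts)
            if len(recent) == threshold:
                alerts.append(("burst", service, ip, user, ts))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(*alert)
```

- The success-after-burst signal is the one worth paging on: a burst alone is noise on any internet-facing host, whereas a success from a source that just failed repeatedly means the guessed credential is now in use and should be reset. The same pattern is what fail2ban-style tooling and SIEM rules implement; the lasting mitigations are the ones the tools above cannot defeat, namely rate limiting and lockout on the service, key-based authentication instead of passwords for SSH, and multi-factor authentication where the protocol allows it.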