ACTIVE BRUTE-FORCE TOOLS

Active tools tend to be the last resort for password guessing. They generate a lot of noise on the network and against the victim (although they can go unnoticed for long periods of time). The toughest part of starting an active attack is obtaining a valid username on the victim system. Chapter 6 provides more information on techniques for gathering usernames.

Another useful step is to try to discover the lockout threshold before launching an attack. If the lockout period on an account lasts for 30 minutes after it receives five invalid passwords, you don't want to waste 29 minutes and 30 seconds of guesses that can never succeed.

THC-Hydra

Hydra easily surpasses the majority of brute-force tools available on the Internet for two reasons: It is fast and it can target authentication mechanisms for over a dozen protocols. The fact that it is open source (under the GPL) and part of the Nessus assessment tool also adds to Hydra's merits.

Implementation

Hydra compiles on BSD and Linux systems without problem; the Cygwin and Mac OS X environments have been brought up to par in the most current version. Follow the usual ./configure; make; make install method for compiling source code. Once you have successfully compiled it, check out the command-line arguments detailed in Table 8-2.

Table 8-2: Hydra Command-line Options

  Option            Description
  ------            -----------
  -R                Restores a previous aborted/crashed session from the
                    hydra.restore file (by default this file is created in
                    the directory from which hydra was executed).
  -S                Connects via SSL.
  -s n              Connects to port n instead of the service's default port.
  -l name, -L file  Uses name from the command line or each line of file as
                    the username portion of the credential.
  -p password,      Uses password from the command line or each line of file
  -P file           as the password portion of the credential.
  -C file           Loads user:password combinations from file. Each line
                    contains one combination separated by a colon.
  -e [ns]           Also tests the login prompt for null passwords (n) or
                    passwords equal to the username (s).
  -M file           Targets the hosts listed on each line of file instead of
                    a single host.
  -o file           Writes a successful username and password combination to
                    file instead of stdout.
  -f                Exits after the first successful username and password
                    combination is discovered for the host. If multiple hosts
                    are targeted (-M), Hydra continues to run against the
                    other hosts until the first successful credentials are
                    found.
  -t n              Executes n parallel connects to the target service. The
                    default is 16.
  -w n              Waits no more than n seconds for a response from the
                    service before assuming no response will come.
  -v, -V            Reports verbose status information.
  server            The target's IP address or hostname. For multiple targets
                    use the -M option.
  service           The target's service to brute force.

The target is defined by the server and service arguments. The type of service can be any one of the following applications. Note that for several of the services, a port for SSL access has already been defined. The first number in the parentheses is the service's default port; the second number is the service's port over SSL. Make sure to use the -s option if the target service is listening on a different port. These are the current services that Hydra recognizes:

  • cisco (23) Telnet prompt specific to Cisco devices when only a password is requested.

  • cisco-enable (23) Entering the enable, or super-user, mode on a Cisco device. You must already know the initial login password and supply it with the -m option and without the -l or -L options (there is no prompt for the username): hydra -m letmein -P password.lst 10.0.10.254 cisco-enable

  • cvs (2401) Source code versioning system.

  • ftp (21, 990) File transfer.

  • http, http-head, http-get (80) Brute-force HTTP Basic Authentication schemes on the web service. Note that this technique expects the server to send particular HTTP response codes; otherwise, the accuracy of this module may suffer.

  • https, https-head, https-get (n/a, 443) Web services over SSL (see previous bullet).

  • http-proxy (3128) Web proxies such as Squid.

  • icq (4000, n/a) Chat software. ICQ is carried over UDP, which means it cannot be used over SSL.

  • imap (143, 993) E-mail access.

  • ldap2, ldap3 (389, 636) Lightweight Directory Access Protocol, often used for single-sign-on.

  • mssql (1433) Microsoft SQL Server; remember that more recent installs of SQL Server may use integrated authentication. Try the default SQL accounts, such as sa, and Windows accounts.

  • mysql (3306, 3306) MySQL database server.

  • nntp (119, 563) USENET news access.

  • oracle-listener (1521) Oracle database server.

  • pcnfs (0, n/a) Used for printing files across a network. The default port varies among distributions and individual servers, so it must always be explicitly set with the -s option. This service also uses UDP, which means that SSL cannot be applied.

  • pop3 (110, 995) E-mail access.

  • postgres (5432) PostgreSQL database server.

  • rexec, rlogin, rsh (512) Generic Unix service for remote execution; access to this service is not logged by default on some systems.

  • sapr3 (n/a) SAP database.

  • sip (5060) Voice-over IP protocol.

  • smb (139) Windows SMB services such as file shares and IPC$ access.

  • smbnt (445) As smb, but is also able to test LanMan hashes (such as those gathered by PwDump tools) for validity. This enables credential replay rather than actually brute forcing the content of the hash. Note that you must define a method (-m) when using this option. Valid methods are well documented in the hydra-smbnt.c file. You'll most likely try the LH or DH methods, which test LanMan password hashes against local or domain accounts. Use this for Windows XP and Windows 2003 servers.

  • smtp-auth (25, 465) Login for mail servers.

  • snmp (161, 1993) UDP-based network management protocol.

  • socks5 (1080) Proxy.

  • svn (3690) Source code versioning system.

  • teamspeak (8767) Distributed voice chat system, often used by gamers.

  • telnet (23, 992) Remote command shell.

  • vnc (5900, 5901) Remote administration for GUI environments.

Running Hydra is simple. The biggest problem you may encounter is the choice of username/password combinations. Here is one example of targeting a Windows SMB service. If port 139 or 445 is open on the target server and an error occurs, then the Windows Server service might not be started; in that case the brute-force attack will not work.

    [Paris:~] mike% ./hydra -L user.lst -P password.lst 10.0.1.11 smbnt
    [INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
    Hydra v5.0 [http://www.thc.org] (c) 2005 by van Hauser / THC <vh@thc.org>
    [INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
    [DATA] 1 tasks, 1 servers, 4 login tries (l:2/p:2), ~4 tries per task
    [DATA] attacking service smbnt on port 445
    [STATUS] 1.00 tries/min, 1 tries in 00:01h, 3 todo in 00:04h

Hydra reports the total number of combinations that it will try (usually the number of unique usernames multiplied by the number of unique passwords) and how many parallel tasks are running.

Tip

You will never be able to try more than one parallel task against an SMB service, even if you use the -t option to increase the number. For whatever reason, parallel logins against SMB produce too many false negatives. The default value for -t is 4, which is also recommended for Cisco devices and VNC servers. The maximum is 255, but that is not necessarily the optimum or most accurate setting to use.

If you really do wish to have an optimum test, as opposed to an exhaustive test, then you may wish to consider the -C option instead of supplying a file each for -L (users) and -P (passwords). The -C option takes a single file as its argument. This file contains username and password combinations separated by a colon (:). This is often a more efficient method for testing accounts because you can populate the file with known username/password combinations, which reduces the number of unnecessary attempts when a username does not exist. This is more useful for situations where you only wish to test for default and the most common passwords.

Do not forget to use the -e option when auditing your network's services. The -e option turns on testing for the special case of no password (-e n) or a password equal to the username (-e s). Note that Hydra writes a state file (hydra.restore) to the current directory from which it is executed. You can use the -R option to restart an interrupted scan. This also means that if you wish to run concurrent scans against different servers or different services, then you should do so in different directories. From a forensic perspective, the hydra.restore file might be a good addition to the list of common "hacker" files to search for on suspect systems; just remember that a one-line change to the source code can change this filename.

Hydra now also includes a GUI based on the open-source GTK library. This version, called xhydra, provides all of the functionality of the command line. The following illustration shows the basic interface.

Case Study: Checking Password Policy

There are two major reasons for using a tool like Hydra, either during a network penetration test or during a system audit. The two activities sound similar in execution but differ in their goals. Consider Iain, a system administrator in the Internal Audit department. The IA folks do not administer systems; they verify that systems have been built to corporate security policy. In other words, Iain's responsibilities include testing network accounts for passwords that do not meet the company's established policy.

The policy requires that all accounts be password protected (no NULL passwords allowed) and that the password must be nontrivial (open to interpretation, but at the very least that means the password should not equal the username), must contain at least one digit and one punctuation character (letters only are not permitted), and must be at least eight characters long. For some Windows and Unix systems, it is possible to enforce these rules when users go through the password-change process. On other systems, such as Cisco devices, it is not possible.

Iain faces the challenge of finding weak passwords in one of the following scenarios:

  • A system does not have a method for enforcing good password choices. Users must be trusted to choose a strong password.

  • A system has a method for enforcing good password choices but has been misconfigured. Users are still required by policy to choose a strong password, but it is not enforced.

  • A system has a method for enforcing good password choices, but users can easily satisfy the requirements with a trivial password (password99!, pa$$w0rd, or adm1n1str@t0r).

Now, Iain has already identified some network services that could prove to be fruitful targets. However, it would not be a good idea to just obtain the list of users, grab a 200,000-word dictionary, and start Hydra (or several Hydras since there's a lot of work to do!). Instead, he crafts a dictionary with words that do not meet policy, plus some words that do meet policy but are passwords on number/vowel substitution or similar tricks. In fact, John the Ripper (mentioned previously in this chapter) provides the perfect method for creating password lists based on length and content. Then, just as a test, he creates an oldwords.txt file that contains the root and administrator passwords used before the last required password change. The oldwords.txt file follows the username:password syntax. For example,

    root:web34addmin!
    Administrator:thiS1&thaT1
    oracle:2bdb!2bdb

Let's recap for a moment. Iain has created three files (and will have a fourth and fifth option):

  • Users.txt A list of every (known) username across systems.

  • Passwords.txt A list of common 1-7 letter combinations, plus some selected 8+ combinations with number/vowel substitution. The majority of this file can be pulled from dictionaries available on the Internet, derived from the default password.lst that comes with John the Ripper, or created by John the Ripper. The list contains no more than 1000 combinations in order to limit the number of failed logins that will be logged by the servers.

  • Oldwords.txt A list of account and password combinations that should have been changed in the last 90 days. Of course, this file must be kept secure.

  • NULL passwords Use the -e n option for Hydra to check all accounts for a blank password.

  • "Same" passwords Use the -e s option for Hydra to check all accounts for passwords that equal the username.

So far it sounds like quite a bit of work has been done without even worrying about whether or not Hydra will compile. Well, there's a good reason for this. Iain has set up a method for testing his company's password policy. At this point he is ready to launch Hydra against the selected services. (After he has once again verified that accounts will not be locked by failed login attempts.) Then, any positive matches can be brought to the attention of network and system administrators because the account has failed to meet policy requirements.

Just for a second, imagine that Iain had driven into the password audit without forethought; he grabs a random 10,000-word dictionary and launches Hydra over a three-day weekend against 200 accounts. If he's lucky it might even finish. If he's really lucky, no servers will have crashed because they ran out of disk space logging all of the failed attempts. Finally, what if a relatively strong password like "ou@te1tw2" or "-#*crAft0" shows up in the results simply because it was present in the dictionary? He would have a hard time convincing the user that they failed an audit when in reality they had chosen a strong password.

On the other hand, blind luck and a big dictionary are just the right ingredients for a successful penetration test. Thus, we come to the point where password auditing with Hydra ends and its use as a penetration-testing tool begins. In all cases, remember that locking accounts due to bad passwords is always a possible by-product of this type of testing.
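As an added illustration of the audit list Iain builds above (this is example code written for this edition, not from the book or from the Hydra project), the following Python filters a candidate wordlist down to entries that either break the stated policy outright or are dictionary words dressed up with number/vowel substitution, and emits them in the user:password format that Hydra's -C option reads. The reverse-substitution table, the sample users, candidates and dictionary are all constructed assumptions.

```python
import string

# Sample inputs, constructed for this example (not the book's lists).
USERS = ["root", "Administrator", "oracle"]
CANDIDATES = ["root", "letmein", "password99!", "pa$$w0rd",
              "adm1n1str@t0r", "ou@te1tw2", "2bdb!2bdb"]
# Tiny stand-in for a dictionary derived from John the Ripper's password.lst.
DICTIONARY = {"password", "letmein", "administrator", "oracle", "root"}

# Hypothetical reverse-substitution table (an assumption); extend as needed.
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                        "5": "s", "$": "s", "@": "a", "!": "i"})


def meets_policy(username: str, password: str) -> bool:
    """The case-study policy: non-empty, not equal to the username, at least
    eight characters, at least one digit and one punctuation character."""
    if not password or password.lower() == username.lower() or len(password) < 8:
        return False
    has_digit = any(c.isdigit() for c in password)
    has_punct = any(c in string.punctuation for c in password)
    return has_digit and has_punct


def base_word(password: str) -> str:
    """Undo the usual tricks: drop leading/trailing digits and punctuation,
    then map common substitutions back to letters (pa$$w0rd -> password)."""
    return password.strip(string.digits + string.punctuation).translate(UNLEET).lower()


def is_trivial(username: str, password: str, dictionary: set) -> bool:
    """A candidate belongs in the audit list if it breaks policy outright or
    is only a dictionary word in disguise."""
    return not meets_policy(username, password) or base_word(password) in dictionary


def build_combo_lines(users, candidates, dictionary) -> list:
    """Emit user:password lines for Hydra's -C option, keeping only trivial
    candidates so a strong string that happens to sit in the wordlist
    (ou@te1tw2) cannot produce a false audit failure."""
    return [f"{u}:{p}" for u in users for p in candidates
            if is_trivial(u, p, dictionary)]


if __name__ == "__main__":
    for line in build_combo_lines(USERS, CANDIDATES, DICTIONARY):
        print(line)
```

Null passwords and password-equals-username are deliberately left to Hydra's -e n and -e s options, as the case study does.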

 


Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2006