Comprehensive Guide on Hydra – A Brute Forcing Tool

Hello friends!! Today we are going to discuss how effective Hydra is at cracking the login credentials of various protocols in order to gain unauthorized access to a system remotely. In this article we go through each option available in Hydra for making brute force attacks in various scenarios.

Table of Contents

  • Introduction to hydra
  • Multiple Features of Hydra
  • Password Guessing For Specific Username
  • Username Guessing For Specific Password
  • Cracking Login Credential
  • Use of Verbose or Debug Mode for Examining Brute Force
  • NULL/Same as Login/Reverse login Attempt
  • Save Output to Disk
  • Resuming The Brute Force Attack
  • Password Generating Using Various Sets of Characters
  • Attacking on Specific Port Instead of Default
  • Making Brute Force Attack on Multiple Hosts

Introduction to Hydra

Hydra is a parallelized login cracker which supports numerous protocols to attack. It is very fast and flexible, and new modules are easy to add. This tool makes it possible for researchers and security consultants to show how easy it would be to gain unauthorized access to a system remotely.

It supports: Cisco AAA, Cisco auth, Cisco enable, CVS, FTP, HTTP(S)-FORM-GET, HTTP(S)-FORM-POST, HTTP(S)-GET, HTTP(S)-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MySQL, NNTP, Oracle Listener, Oracle SID, PC-Anywhere, PC-NFS, POP3, PostgreSQL, RDP, Rexec, Rlogin, Rsh, SIP, SMB(NT), SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

Multiple Features of Hydra

Since we are using the GNOME build of Kali Linux, the “thc-hydra” package is already included by default. All we need to do is open the terminal, type “hydra -h” and press Enter, and we are welcomed by its help screen.

  -R                   restore a previous aborted/crashed session
  -I                   ignore an existing restore file
  -S                   perform an SSL connect
  -s PORT              if the service is on a different default port, define it here
  -l LOGIN or -L FILE  login with LOGIN name, or load several logins from FILE
  -p PASS  or -P FILE  try password PASS, or load several passwords from FILE
  -x MIN:MAX:CHARSET   password bruteforce generation, type "-x -h" to get help
  -e nsr               try "n" null password, "s" login as pass and/or "r" reversed login
  -u                   loop around users, not passwords (effective! implied with -x)
  -C FILE              colon separated "login:pass" format, instead of -L/-P options
  -M FILE              list of servers to be attacked in parallel, one entry per line
  -o FILE              write found login/password pairs to FILE instead of stdout
  -f / -F              exit when a login/pass pair is found (-M: -f per host, -F global)
  -t TASKS             run TASKS number of connects in parallel (per host, default: 16)
  -w / -W TIME         wait time for responses (32s) / between connects per thread
  -4 / -6              prefer IPv4 (default) or IPv6 addresses
  -v / -V / -d         verbose mode / show login+pass for each attempt / debug mode
  -U                   service module usage details
  server               the target server (use either this OR the -M option)
  service              the service to crack (see below for supported protocols)
  OPT                  some service modules support additional input (-U for module help)

Reference Source: //tools.kali.org/password-attacks/hydra

Password Guessing For Specific Username

Hydra is a very effective tool and also quite easy to use for making a brute force attack on any of the supported protocols.

Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-SuvV46] [service://server[:PORT][/OPT]]

Suppose you want to crack the password for FTP (or any other service) and you already have the username: you only need a password brute force attack that uses a dictionary to guess the valid password.

In that case use the -l option to supply the single username and the -P option to supply the dictionary for the password list.

As you can observe in the output, it has found 1 valid password: 123 for username: raj for the FTP login.

Username Guessing For Specific Password

Suppose you want to crack the username for FTP (or any other service) and you already have the password: you only need a username brute force attack that uses a dictionary to guess the valid username. This is the reverse of the situation above.

In that case use the -L option to supply the dictionary for the username list and the -p option to supply the single password.

As you can observe in the output, it has found 1 valid username: raj for the password: 123 for the FTP login.

Cracking Login Credential

Suppose you want to crack both the username and the password for FTP (or any other service): you need a brute force attack that uses one dictionary for usernames and another for passwords to guess the valid combination.

In that case use the -L option to supply the dictionary for the username list and the -P option to supply the dictionary for the password list.

As you can observe in the output, it has found 1 valid combination: username raj with password 123 for the FTP login.

Use of Verbose or Debug Mode for Examining Brute Force

You can add the -V option to any of these commands; with verbose mode you can observe each attempt at matching a valid combination of username and password. In the run shown, there are 5 usernames in the user.txt file (L=5) and 5 passwords in the pass.txt file (P=5), hence the total number of login attempts is 5*5=25.

You can also use the -d option, which enables debug mode together with verbose mode and shows the complete details of the attack.

As you can observe, verbose mode shows each attempt at matching valid credentials from user.txt and pass.txt, while debug mode additionally shows the wait-time, con-wait, socket, send pid and received pid values.

NULL/Same as Login/Reverse login Attempt

Using the -e option with the letters nsr enables three extra candidates for the password field while making the brute force attack: null password, same as login, and reversed login. In the run shown, L=5 as before but P has automatically become 8, so the total number of login attempts is now 5*8=40.

As you can observe, for every username it tries the following combinations in addition to the password list:

Login “root” and pass “” as the null password

Login “root” and pass “root” as the same as the login

Login “root” and pass “toor” as the reverse of the login

Save Output to Disk

For record keeping, better readability and future reference, we will save the output of the Hydra brute force attack in a file. For this we use Hydra's -o parameter to save the output to a text file.

Now that the command has executed successfully, let's go to the location to check whether the output has been saved to the file. In this case the output location is /root/output.txt.

Resuming the Brute Force Attack

Sometimes while brute forcing, the attack gets paused, halted or cancelled accidentally. To save your time you can then use the -R option, which restores the session and continues brute forcing from the last attempted dictionary entry instead of starting again from the first one.

You can observe the result in the output shown: after pressing Ctrl+C the attack stopped, and typing hydra -R resumed the attack and continued it.

Password Generating Using Various Sets of Characters

Hydra's -x option enables password generation, which takes the following specification:

-x MIN:MAX:CHARSET

MIN specifies the minimum number of characters in the password

MAX specifies the maximum number of characters in the password

CHARSET specifies the characters to use in the generation. Valid CHARSET values are: ‘a’ for lowercase letters, ‘A’ for uppercase letters, ‘1’ for numbers, and for all other characters, just add their real representation.

-y disables the use of the above letters as placeholders

Now suppose we want to try 123 as the password. For that I should set MIN=1, MAX=3 and CHARSET=1 to generate numeric passwords for the given username, and run the command accordingly.

As you can observe in the output, it has found 1 valid password: 123 for username: raj for the FTP login.

Now suppose we want to try abc as the password. For that I should set MIN=1, MAX=3 and CHARSET=a to generate lowercase passwords for the given username, and run the command accordingly.

As you can observe in the output, it has found 1 valid password: abc for username: shubham for the FTP login.
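To see how the -e nsr extras and the -x MIN:MAX:CHARSET generator change the number of attempts a run makes (the 5*8=40 case and the 1:3:1 and 1:3:a cases above), here is an added Python example; it is not from the article or the hydra project, and the function names are ours. A defender can use the same totals to size a lockout threshold or to check whether a length/character-class policy keeps a -x run impractically large.

```python
"""Attempt counts for the Hydra runs described above (added example; not from
the article or the hydra project).

Two cases the article walks through:
  * -L user.txt -P pass.txt [-e nsr]   -> logins * (passwords + extras)
  * -x MIN:MAX:CHARSET                 -> sum over lengths of |charset| ** length
"""
import string


def expand_charset(spec: str, placeholders: bool = True) -> str:
    """Expand a hydra -x CHARSET spec into the characters it generates.

    'a' -> lowercase letters, 'A' -> uppercase letters, '1' -> digits; any other
    character is taken literally. placeholders=False mirrors hydra's -y option,
    where the letters a, A and 1 are themselves taken literally.
    """
    table = {'a': string.ascii_lowercase,
             'A': string.ascii_uppercase,
             '1': string.digits}
    chars = []
    for ch in spec:
        if placeholders and ch in table:
            chars.extend(table[ch])
        else:
            chars.append(ch)
    # drop duplicates (e.g. "-x 1:3:a1a") while keeping order
    return ''.join(dict.fromkeys(chars))


def keyspace_size(x_spec: str, placeholders: bool = True) -> int:
    """Number of candidates hydra generates for -x MIN:MAX:CHARSET."""
    # maxsplit=2 keeps a literal ':' inside CHARSET intact
    min_len, max_len, charset = x_spec.split(':', 2)
    lo, hi = int(min_len), int(max_len)
    if lo < 1 or hi < lo:
        raise ValueError(f'bad -x length range {min_len}:{max_len}')
    n = len(expand_charset(charset, placeholders))
    return sum(n ** length for length in range(lo, hi + 1))


def extra_passwords(login: str, e_flags: str) -> list:
    """Extra candidates -e adds for one login: n=null, s=same as login, r=reversed."""
    extras = {'n': '', 's': login, 'r': login[::-1]}
    return [extras[f] for f in 'nsr' if f in e_flags]


def dictionary_attempts(num_logins: int, num_passwords: int,
                        e_flags: str = '') -> int:
    """Attempts for -L/-P: every login is paired with every password plus the -e extras."""
    per_login = num_passwords + len(extra_passwords('x', e_flags))
    return num_logins * per_login


if __name__ == '__main__':
    # The article's own numbers: user.txt (L=5) and pass.txt (P=5)
    print('-L -P           :', dictionary_attempts(5, 5))          # 25
    print('-L -P -e nsr    :', dictionary_attempts(5, 5, 'nsr'))   # 40
    print('-e nsr for root :', extra_passwords('root', 'nsr'))     # ['', 'root', 'toor']
    print('-x 1:3:1        :', keyspace_size('1:3:1'))             # 1110
    print('-x 1:3:a        :', keyspace_size('1:3:a'))             # 18278
    print('-x 1:3:a with -y:', keyspace_size('1:3:a', False))      # 3
```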

Attacking on Specific Port Instead of Default

For security reasons a network admin can move a service to a different port number. Hydra attacks the default port of a service: as you can observe in all the attacks above, it automatically attacked port 21 for the FTP login.

But you can use the -s option to specify a port number and launch the attack on that port instead of the default.

Suppose that while scanning the target network I found FTP running on port 2121 instead of 21; then I would run the command with -s 2121 for the FTP login attack.

As you can observe in the output, it has found 1 valid password: 123 for username: raj for the FTP login.

Making Brute Force Attack on Multiple Hosts

If you want to use a user/password dictionary against multiple hosts in a network, you can use the -M option, which takes a host list file; Hydra then makes the brute force attack with the same dictionary and tries the same number of login attempts on each host IP listed in the file.

Here I had saved two host IPs in a text file and then ran the attack against multiple hosts with that file and the same dictionary.

As you can observe in the output, it has found 2 valid FTP logins for the listed hosts.

Suppose you have given a list of multiple targets and wish to finish the brute force attack as soon as it has found a valid login for any host IP; then you should use the -F option, which makes Hydra stop globally once a valid credential is found for any host in the list.

As you can observe in the output, it has found 1 valid FTP login for 192.168.1.108 and finished the attack.

Disclaimer by Hydra – Please do not use in military or secret service organizations, or for illegal purposes.

Author: Shubham Sharma is a Technical Writer, Researcher and Penetration Tester.

Xerosploit- A Man-In-The-Middle Attack Framework

Networking is an important area for an ethical hacker to check, as many threats can come from the internal network: network sniffing, ARP spoofing, MITM, etc. This article is on Xerosploit, which provides advanced MITM attacks on your local network to sniff packets, steal passwords and so on.

Table of Contents

  • Introduction to Xerosploit
  • Man-In-The-Middle
  • Xerosploit Installation
  • PSCAN (Port Scanner)
  • DOS (Denial of service)
  • INJECTHTML (HTML INJECTION)
  • SNIFF
  • dspoof
  • YPLAY
  • REPLACE
  • Driftnet

Introduction to Xerosploit

Xerosploit is a penetration testing toolkit whose goal is to perform man-in-the-middle attacks for testing purposes. It brings various modules that allow efficient attacks to be carried out, and also allows denial of service attacks and port scanning. It is powered by bettercap and nmap.

For those who are not familiar with the man-in-the-middle attack, welcome to the world of internal network attacks.

Dependencies

  • nmap
  • hping3
  • build-essential
  • ruby-dev
  • libpcap-dev
  • libgmp3-dev
  • tabulate
  • terminaltables

Built-up with various Features:

  • Port scanning
  • Network mapping
  • Dos attack
  • Html code injection
  • Javascript code injection
  • Download interception and replacement
  • Sniffing
  • DNS spoofing
  • Background audio reproduction
  • Images replacement
  • Driftnet
  • Webpage defacement and more 

Man-In-The-Middle

A man-in-the-middle attack (MITM) is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other. There are many open source tools available online for this attack like Ettercap, MITMF, Xerosploit, e.t.c

From Wikipedia.org

Xerosploit Installation

Xerosploit is a MITM attack tool which runs only on Linux. To install it, follow these simple steps.

Open up a terminal and run the installer.

It will ask you to choose your operating system; here we pressed 1 for Kali Linux.

Here it will display your network configuration, including IP address, MAC address, gateway, interface and hostname. Now run the following command on the xerosploit console to see the initial commands:

In this grid we have a list of commands for our attack. We are going for the man-in-the-middle attack, so in the next step I will choose the scan command to scan the whole network.

scan

This command will scan the complete network and find all devices on it.

As you can observe, it has scanned all the active hosts. There are many hosts in this network, and you have to choose your target from the result. I am going to select 192.168.1.105 for the man-in-the-middle attack.

At the next prompt it will ask for the module you want to load for the man-in-the-middle attack. Go with this prompt and type help.

pscan (Port Scanner)

Let's begin with pscan, which is a port scanner: it will show you all the open ports on the target computer and retrieve the version of the programs running on the detected ports. Type run to execute pscan and it will show you all the open ports of the victim's machine.

DOS (Denial of service)

Type “dos” to load the module. It sends a succession of TCP SYN request packets to the target system to make the machine unresponsive to legitimate traffic, which means it is performing a SYN flood attack.

Press Ctrl+C to stop.

If you are familiar with the hping tool you will notice that this module uses the hping command underneath to send countless SYN request packets.

Inject HTML (HTML Injection)

HTML injection is a vulnerability in a website that occurs when user input is not correctly sanitized or the output is not encoded, so that an attacker is able to inject valid HTML code into a vulnerable web page. There are many techniques which could use elements and attributes to submit HTML content.

So here we will replace the victim's HTML page with ours. Select any page of your choice; you will notice that I have written “You have been hacked” in my index.html page, which will replace the victim's HTML page. Whatever page the victim tries to open, he/she will see only the replaced one.

First, create a page as I have done and save it on the Desktop under the name INDEX.html.

Now run the injecthtml command to load the injecthtml module. Then type the run command to execute injecthtml and enter the path where you have saved the file.

Bravo! We have successfully replaced the page, as you can see in the picture below.

Hit Ctrl+C to stop the attack.

Sniff

Now load the sniff module to sniff all the traffic of the victim with the command:

Then enter the following command to execute that module:

Now it will ask whether you want to use SSLstrip to downgrade HTTPS URLs to HTTP so that login credentials can be captured in clear text. Enter y.

When the victim enters a username and password, it will sniff and capture all the data.

It now opens a separate terminal in which we can see all the credentials in clear text. As you can see, it has successfully captured the login credentials.

Hit Ctrl+C to stop the attack.

dspoof

This loads the dspoof module, which supplies false DNS information to all target hosts and redirects all their HTTP traffic to one specified IP.

Now type the run command to execute the module; it will then ask for the IP address to which you want to redirect the traffic. Here we have given our Kali Linux IP.

Now, as soon as the victim opens any webpage, he/she will get the page stored in our web directory that we want to show him/her, as shown in the picture below.

Hit Ctrl+C to stop the attack.

Yplay

Now let's look at another interesting module, yplay. It plays the audio of a YouTube video of your choice in the background of the victim's browser. So first execute the yplay command followed by the run command and give the video ID you have selected.

Open your browser and choose the YouTube video you want to play in the background in the victim's browser. If the video has an advertisement, skip it, and take the ID from the URL. Then come back to xerosploit.

To execute the yplay module, type run.

In the next step, insert the YouTube video ID which you copied from the URL above.

Now, no matter what the victim is doing on the laptop, whenever he/she opens any webpage the song we want them to hear will play in the background.

Hit Ctrl+C to stop the attack.

Replace

I hope all the attacks so far were quite interesting, but the next one is going to be amazing. Now we will replace all the images on the website the victim visits with our own image. For this, first execute the replace command followed by the run command. Don't forget to give the path of the .png file which you have prepared as a surprise for the victim.

As the victim opens any URL, he/she will be amazed to see the replaced images on the website, as shown here.

Hit Ctrl+C to stop the attack.

Driftnet

We will use the driftnet module to capture all the images the victim is viewing on the web with the following commands; it saves all captured pictures in opt/xerosploit/xedriftnet.

Once the attack is launched, we can see on our screen all the images that he is viewing on his computer. We can do much more with this tool; for example, with the move module you can shake the browser contents.

As you can observe, all the images the victim is viewing on his/her system are captured on your system successfully.

So it is needless to say that XEROSPLOIT is a quite interesting and useful tool for performing so many attacks. I hope readers are going to like it.

HaPpY hAcKing!!

Author: Geet Madan is a Certified Ethical Hacker, Researcher and Technical Writer at Hacking Articles on Information Security.

Generate Metasploit Payload with Ps1encode

In this article we will learn about the Ps1Encode tool and how to use it to generate malware in different file formats such as HTA, EXE, etc.

Introduction

The code of Ps1Encode was developed by Piotr Marszalik, Dev Kennedy and a few others. Ps1Encode generates a malicious payload in order to obtain a meterpreter session, and it encodes the payload while generating it. It is an alternative way to bypass whitelisting and security on the target system. It is developed in Ruby and allows us to create a series of Metasploit-based payloads in any of the formats listed below. The final aim is to get PowerShell running and execute our payload through it.

The formats for our malware that are supported by Ps1Encode are the following:

  • raw (encoded payload only – no powershell run options)
  • cmd (for use with bat files)
  • vba (for use with macro trojan docs)
  • vbs (for use with vbs scripts)
  • war (tomcat)
  • exe (executable) requires MinGW – x86_64-w64-mingw32-gcc [apt-get install mingw-w64]
  • java (for use with malicious java applets)
  • js (javascript)
  • js-rd32 (javascript called by rundll32.exe)
  • php (for use with php pages)
  • hta (HTML applications)
  • cfm (for use with Adobe ColdFusion)
  • aspx (for use with Microsoft ASP.NET)
  • lnk (windows shortcut – requires a webserver to stage the payload)
  • sct (COM scriptlet – requires a webserver to stage the payload)

You can download Ps1Encode from its repository using the git clone command, as shown in the image below:

Once it's downloaded, let's use the help command to check the syntax we have to use. Use the following set of commands for that:

Following are the options that we can use:

-i : defines the local host IP

-p : defines the local host port

-a : defines the payload

-t : defines the output format

Now we will generate a malicious raw file using the following command:

Copy the code generated by the above command into a file with the .bat extension and then share it using the Python web server. You can start the server with the following command:

Simultaneously, start the multi handler to catch the session with the following set of commands:

Once the file is executed on the victim's PC, you will have your session as shown in the image above. Now we will generate our malware in the form of an HTA file. Use the following command to generate the HTA file:

The following script will be created by the above command; send this file to the victim's PC using the Python server as before.

Simultaneously, start the multi handler to catch the session with the following set of commands:

Once the file is executed on the victim's PC, you will have your session as shown in the image above. Now we will generate an EXE file with the following command:

Send this file to the victim's PC using the Python server as before, as shown in the image above. Simultaneously, start the multi handler to catch the session with the following set of commands:

This way you can use Ps1Encode to generate files in any of the supported formats. As you can see, it is pretty simple and convenient, as well as user-friendly. The possibilities with Ps1Encode are endless.

Author: Shubham Sharma is a Cybersecurity enthusiast and Researcher in the field of WebApp Penetration testing.

Beginner’s Guide to Impacket Tool kit (Part 1)

While solving CTF challenges, I have had to use this amazing tool “Impacket” several times. It is a collection of Python classes for working with network protocols. In fact, some of its Python classes have been added to the Metasploit framework for obtaining remote sessions.

Table of Contents

  • Introduction to Impacket
  • Lab set-up Requirement
  • Remote Code Execution
  • SMB/MSRPC
  • Kerberos
  • Windows Secrets
  • Server Tools/MITM Attacks
  • WMI
  • Known Vulnerabilities
  • MSSQL / TDS
  • File Formats
  • Others

Introduction to Impacket

Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (e.g. SMB1-3 and MSRPC) the protocol implementation itself.
Packets can be constructed from scratch, as well as parsed from raw data, and the object-oriented API makes it simple to work with deep hierarchies of protocols. The library provides a set of tools as examples of what can be done within the context of this library.

The following protocols are featured in Impacket:

  • Ethernet, Linux “Cooked” capture.
  • IP, TCP, UDP, ICMP, IGMP, ARP.
  • IPv4 and IPv6 Support.
  • NMB and SMB1, SMB2 and SMB3 (high-level implementations).
  • MSRPC version 5, over different transports: TCP, SMB/TCP, SMB/NetBIOS, and HTTP.
  • Plain, NTLM and Kerberos authentication, using password/hashes/tickets/keys.
  • Portions/full implementation of the following MSRPC interfaces: EPM, DTYPES, LSAD, LSAT, NRPC, RRP, SAMR, SRVS, WKST, SCMR, DCOM, WMI
  • Portions of TDS (MSSQL) and LDAP protocol implementations.

Lab set-up Requirement

For the following practical we will require two systems:

  • A Windows Server with a Domain Controller configured
  • A Kali Linux machine

Here, in our lab scenario, we have configured the following settings on our systems.

Windows Server Details

  • Domain: Pentest.local
  • Username: Administrator
  • Password: [email protected]
  • IP Address: 192.168.1.103

Now let's install the Impacket tools from GitHub. First clone the git repository, and then install Impacket using the following commands:

This will install Impacket on your Kali Linux. After installation, let's take a look at the tools that Impacket has in its box.

I have placed all scripts that perform the same kind of task in the same category.

  • Remote code Execution : atexec.py, dcomexec.py, psexec.py, smbexec.py and wmiexec.py
  • SMB/MSRPC : getArch.py, ifmap.py, lookupsid.py, samrdump.py, services.py, netview.py, smbclient.py, opdump.py, rpcdump.py and reg.py
  • Kerberos: GetST.py, GetPac.py, GetUserSPNs.py, GetNPUsers.py, ticketer.py and raiseChild.py
  • Windows Secret: mimikatz.py
  • Server Tools/MiTM Attacks: karmaSMB.py and smbserver.py
  • WMI: wmipersist.py
  • Known Vulnerabilities: sambaPipe.py
  • MSSQL / TDS: mssqlclient.py
  • File Formats: ntfs-read.py and registry-read.py.
  • Others: mqtt_check.py, rdp_check.py, sniffer.py, ping.py, and ping6.py

In this tutorial guide, we have elaborated two categories (Remote Code Execution & SMB/MSRPC) in a brief description.

Remote Code Execution

atexec.py: This script executes a command on the target machine through the Task Scheduler service and returns the output, as shown in the image below:

dcomexec.py: This script gives a semi-interactive shell similar to wmiexec.py, but using different DCOM endpoints. Currently it supports the MMC20.Application, ShellWindows and ShellBrowserWindow objects.

psexec.py: When the psexec script runs, the RemComSvc service runs in the background on the target and provides the functionality.

What is RemCom? RemCom is a small (10KB UPX packed) remote shell/telnet replacement that lets you execute processes on remote Windows systems, copy files to remote systems, process their output and stream it back. It allows execution of remote shell commands directly with the full interactive console without having to install any client software. On local machines it is also able to impersonate, so it can be used as a silent replacement for the Runas command.

Source: //github.com/kavika13/RemCom

smbexec.py: A similar approach to psexec.py without using RemComSvc. Our implementation goes one step further, instantiating a local SMB server to receive the output of the commands. This is useful in situations where the target machine does NOT have a writable share available.

wmiexec.py: This script provides a semi-interactive shell through Windows Management Instrumentation. It does not require installing any service or agent on the target server. It runs with elevated privileges, and its operation is highly stealthy.

SMB/MSRPC

getArch.py: This script will connect to a target machine (or a list of targets) and gather the installed OS architecture type using a documented MSRPC feature; it doesn't require any authentication at all.

Note: Remember that this trick will not work if the target system is running Samba.

ifmap.py: This script will bind to the target's MGMT interface to get a list of interface IDs. It will use that list together with another list of interfaces, try to bind to each interface, and report whether the interface is listed and/or listening.

lookupsid.py: This script allows you to brute force Windows SIDs through the [MS-LSAT] MSRPC interface, aiming at finding remote users and groups.

samrdump.py: An application that communicates with the Security Account Manager (SAM) Remote interface from the MSRPC suite. It lists system user accounts, available resource shares and other sensitive information exported through this service.

From the given image you can observe that it extracts the usernames along with UIDs and complete account details such as password complexity and so on.

services.py: This script can be used to manipulate Windows services through the [MS-SCMR] MSRPC interface. It supports start, stop, delete, status, config, list, create and change.

As you can observe from the given image, it dumps the list of all services, running or stopped.

netview.py: This script extracts a list of the sessions opened at the remote hosts and keeps track of them by looping over the hosts found and keeping track of who logged in/out from remote servers.

As we know, the netview command is used to identify the sessions opened at the remote hosts and keep track of them; from the given image you can observe that it keeps track of the target machine whenever it becomes active or logs off.

smbclient.py: This script lets you list, rename, upload and download files and create and delete directories, all using either a username and password or a username and hashes combination. It's an excellent example to see how to use impacket.smb in action.

From the given image you can observe that it is showing all the shared directories of the target machine.

opdump.py: This script binds to the given hostname:port and MSRPC interface. Then it tries to call each of the 256 operation numbers in turn and reports the outcome of each call.

To run this command you have to give the MSRPC interface; for that, first run ./ifmap.py and then choose from its output the UUID for which you want to run the opdump.py script.

rpcdump.py: This script will dump the list of RPC endpoints and string bindings registered at the target. It will also try to match them with a list of well-known endpoints.

reg.py: Remote registry manipulation tool through the [MS-RRP] MSRPC interface. The idea is to provide similar functionality to the REG.EXE Windows utility.

Reference Source: //www.secureauth.com/labs/open-source-tools/impacket

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester.