Brute-force search (exhaustive search) is a mathematical method, which difficulty depends on a number of all possible solutions. The definition «brute-force» is usually used in the context of hackers attacks when the intruder tries to find valid login/password to an account or service.

Let’s examine tools are possible to use for brute-force attacks on SSH and web services, which are available in Kali Linux (Patator, Medusa, THC Hydra, Metasploit) and BurpSuite.

All materials gave in this article are intended for educational purposes. Using the materials in illegal purposes is prohibited.

Brute-force SSH

As an example we will take test machine 192.168.60.50 and try to find a user test password using SSH. We will use popular passwords from the standart dictionary rockyou.txt.

Patator

To find the password with Patator use a command:

patator ssh_login host=192.168.60.50 user=test password=FILE0 0=/root/wordlist -x ignore:mesg=’Authentication failed’

where:

ssh_login — is a necessary module;

— is a necessary module; host — is our target;

— is our target; user — is user’s login, for which the password is found, or file contains many logins for multiple search;

— is user’s login, for which the password is found, or file contains many logins for multiple search; password — is a dictionary contains passwords;

— is a dictionary contains passwords; -x ignore:mesg=’Authentication failed’ — is a command not to display a line contains that message. The filtering parameter is chose individually.

THC Hydra

For password mining using THC Hydra run the command:

hydra -V -f -t 4 -l test -P /root/wordlist ssh://192.168.60.50

where:

-V — to display a couple login+password while the password mining;

— to display a couple login+password while the password mining; -f — is a stop as soon as the password for specified login will be found;

— is a stop as soon as the password for specified login will be found; -P — is a path to the password dictionary;

— is a path to the password dictionary; ssh://192.168.60.50 — is a service and victim IP address.

Medusa

For password mining using Medusa run the command:

medusa -h 192.168.60.50 -u test -P /root/wordlist -M ssh -f -v 6

where:

-h — is victim IP address;

— is victim IP address; -u — is a login;

— is a login; -P — is a dictionary path;

— is a dictionary path; -M — is a module choice;

— is a module choice; -f — is stop as soon as the valid login/password couple is found;

— is stop as soon as the valid login/password couple is found; -v — is a setting of the message display on the monitor during the password mining.

Metasploit

Find the instrument for brute-force attack using SSH:

search ssh_login

and get the answer:

Use module:

use auxiliary/scanner/ssh/ssh_login

Use command show options to review necessary parameters. For us these are:

rhosts — is victim IP address;

— is victim IP address; rport — is a port;

— is a port; username — is SSH login;

— is SSH login; useerpass_file — is a dictionary path;

— is a dictionary path; stop_on_success — is a stop as soon as login/password couple will be found;

— is a stop as soon as login/password couple will be found; threads — is a number of flows.

The indication of necessary parameters is using «set» command.

set rhosts 192.168.60.50

set username test

set userpass_file /root/wordlist

set stop_on_success yes

set threads 4

set rport 22

When the necessary parameters are indicated bring in the command «run» and wait.

Countering

Limit the number of set connections using firewall. Example of setting iptables:

-A INPUT -i eth0 -p tcp --dport 22 -m connlimit --connlimit-above 1--connlimit-mask 32 -j REJECT --reject-with tcp-reset.

This rule will limit access to SSH for every IP address to 1 connection per second, that will make the brute-force more difficult. Also an effective solution can be using two-factor authentication (for example using eToken) or authentication using Public Key Infrastructure (PKI) and using ACL based on IP addresses.

Brute-force WordPress

Examine other example — brute-force the password for web form authorization window.

As an example we will brute-force WordPress administrator account.

BurpSuite

First it is necessary to understand the authorization process. For that we will use BurpSuite. To review what kinds of requests are pass through BurpSuite, we have to try to authorize with any password and login.

Well done, we saw POST request for authorization and we will work with it. It is noted in BODY what login and password were checked, that means we can try fill necessary values.

Transmit this request into Intruder and choose there necessary attack parameters. In the point Payload Positions leave the attack type sniper, but for the check leave the parameter pwd only. Thus, only this parameter will change during the attack.

Download necessary dictionary and start the attack:

According to web application behavior we can see that incorrect password returns code answer 200. After dictionary brute-force we can see that one of the passwords gave the code answer 302 — this password is correct.

This method takes much more time, than using Patator, THC Hydra, Medusa etc. Even taking into account we used small dictionary, BurpSuite was searching the password about 40 minutes.

THC Hydra

Let’s try to find password using THC Hydra. As we know, if the authorization is incorrect the code is 200, if the authorization is correct the code is 302. Try to use this information. To start use the command:

hydra -V -f -l admin -P /root/wordlist -t 4 http-post-form://192.168.60.50 -m “/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F192.168.60.50%2Fwp-admin%2F&testcookie=1:S=302”

Here we will fill required parameters:

-I — is a user name;

-P — is a password dictionary;

-t — is a number of flows;

http-post-form — is a form type (in our case POST);

/wp-login.php — is an authorization page URL;

^USER^ — shows where user name should be filled;

^PASS^ — shows where the password from the dictionary should be filled;

S=302 — is an indication which answer THC Hydra refers. In our case if authorization is successful the answer is 302.

Patator

As we know, if the authorization is failed the code is 200, if the authorization is successful the code is 302. We will use the same principle that we used with THC Hydra. To start use the command:

http_fuzz — is a module for brute-force attack on HTTP;

url — is an authorization page addresses;

FILE0 — is the password dictionary path;

body — is an information transmitted in POST request;

-t — is a number of flows;

-x — in this case we indicate the command not to display messages lines which are contained parameter with code 200;

accept_cookie — saving cookie parameter and its transmission into the next request.

In result the password was found.

Nmap

Nmap utility allows to make password mining for authorization web forms if use http-wordpress-brute with corresponding arguments:

--script-args — is an arguments addition;

user or userdb — is a login or file contains logins;

pass or passdb — is password or dictionary indication;

thread — is a number of flows;

firstonly=true — to display results after the first correct passwords.

nmap 192.168.60.50 --script http-wordpress-brute --script-args ‘user= admin,passdb= /root/wordlist, http-wordpress-brute.thread=3, brute.firstonly=true’

Countering

Limit (make it more difficult) brute-force attacks on web applications using iptables (like SSH) and Nginx tools:

…

limit_req_zone $binary_remote_addr zone=req_limits:10m rate=30r/s;

…

location / {

…

limit_req zone=req_limits burst=10;

limit_req_status 429;

…

}

These settings will allow to limit the request number from one IP address to 40 per second. To obfuscate the password mining task use following method:

to use firewall and other software to limit the number of requests to the protected service;

to use tools against fast key validity check (for example Captcha).

Conclusion

In this article we superficially examined some of popular tools. To reduce the brute-force attack risk follow the recommendations:

use hard to crack passwords;

not to create passwords using personal data, for example birth date or name+birth date or phone number;

change password regularly;

use different passwords for every accounts.

Not so many people follow these recommendations (as well as secure web development recommendations), that is why it is necessary use different program solutions:

to limit IP address connection or, if it is impossible, to limit the simultaneous number of server connections (using iptables, Nginx etc.);

to use two-factor authentication;

detect and block these attacks using SIEM, WAF or other tools (for example fail2ban).

Welcome to the Pentestit Test lab

Penetration testing laboratories “Test lab” emulate an IT infrastructure of real companies and are created for a legal pen testing and improving penetration testing skills. Laboratories are always unique and contain the most recent and known vulnerabilities.

While developing “Test lab” labs we try to cover almost every IT areas: network security, security of OSs and applications. Participants are offered to exploit the variety of vulnerabilities in network components and cryptographic mechanisms, in configurations and code, and also using a human factor.

Access to the laboratory is absolutely free: lab.pentestit.ru. After registration the user gets login and password for a remote connection to the laboratory.