Login Brute Forcing

Learn how to brute force logins for various types of services and create custom wordlists based on your target.

Password Attacks

  • There are several types of password attacks, such as:

    • Password Attack

    • Dictionary attack

    • Brute force

    • Traffic interception

    • Man In the Middle

    • Key Logging

    • Social engineering

Brute Force Attack

  • A Brute Force Attack does not depend on a wordlist of common passwords; instead, it tries every possible character combination up to the length we specify.

  • Once the password length increases and we start including mixed case, numbers, and special characters, the time needed to brute force such passwords can reach millions of years.

  • All of this shows that relying completely on brute-force attacks is not ideal, especially for brute-force attacks that take place over the network.

  • That is why we should consider methods that may increase our odds of guessing the correct password, like Dictionary Attacks.
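To put the "millions of years" figure above on a footing you can check, here is an added example (not from these notes) that computes keyspace size divided by guess rate, i.e. time = charset_size^length / guesses_per_second, for the character sets the notes mention. The 4 guesses per second used for the table is an assumption standing in for a rate-limited online service, not a measurement.

```shell
#!/bin/sh
# Added example (not from the notes): estimate how long an exhaustive brute
# force takes for a given character set size, password length and guess rate.
# Formula: time = charset_size^length / guesses_per_second.
# The guess rate passed to keyspace_table is an assumption for illustration.

brute_force_seconds() {
    # $1 charset size, $2 password length, $3 guesses per second
    awk -v c="$1" -v n="$2" -v r="$3" 'BEGIN { printf "%.0f\n", (c ^ n) / r }'
}

human_duration() {
    # Render a number of seconds in the largest natural unit (365.25-day years).
    awk -v s="$1" 'BEGIN {
        if (s < 60)            printf "%.0f seconds\n", s
        else if (s < 86400)    printf "%.1f hours\n", s / 3600
        else if (s < 31557600) printf "%.1f days\n", s / 86400
        else                   printf "%.3g years\n", s / 31557600
    }'
}

keyspace_table() {
    # Compare the scenarios from the notes: digits only, lowercase only,
    # mixed case plus digits, and full printable ASCII, at one guess rate ($1).
    rate="$1"
    printf "%-22s %6s  %s\n" "charset" "length" "time at $rate guesses/s"
    for spec in "digits:10" "lowercase:26" "mixed case + digits:62" "printable ASCII:95"; do
        name=${spec%:*}
        size=${spec#*:}
        for len in 6 8 12; do
            secs=$(brute_force_seconds "$size" "$len" "$rate")
            printf "%-22s %6d  %s\n" "$name" "$len" "$(human_duration "$secs")"
        done
    done
}

# Assumed online rate: roughly what a throttled SSH service allows per source.
keyspace_table 4
```

The jump from 26^6 to 95^12 is the whole argument of the section: the first is hours at any realistic rate, the second is astronomically long even offline, which is why the notes move on to dictionary attacks.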

Dictionary Attack

  • A Dictionary Attack tries to guess passwords with the help of lists.

  • The goal is to use a list of known passwords to guess an unknown password.

  • This method is useful whenever it can be assumed that passwords with reasonable character combinations are used.

  • We can check out the SecLists repo for wordlists, as it has a huge variety of wordlists, covering many types of attacks.

Methods of Brute Force Attacks

Online Brute Force Attack

Attacking a live application over the network, such as HTTP, HTTPS, SSH, FTP, and others.

Offline Brute Force Attack

Also known as Offline Password Cracking, where you attempt to crack a password hash rather than logging in to a live service.

Reverse Brute Force Attack

Also known as username brute-forcing, where you try a single common password against a list of usernames on a certain service.

Hybrid Brute Force Attack

Attacking a user by creating a customized password wordlist, built using known intelligence about the user or the service.

Default Passwords

  • Default passwords are often used for user accounts for testing purposes.

  • They are easy to remember and are also used for default accounts of services and applications intended to simplify first access.

  • It is not uncommon for such user accounts to be overlooked or forgotten. Because people tend to choose convenience, these defaults are often left in place.

  • We can provide separate wordlists for the usernames and passwords and iterate over every username and password combination. However, we should keep this as a last resort.

  • It is very common to find pairs of usernames and passwords used together, especially when default service passwords are kept unchanged. That is why it is better to always start with a wordlist of such credential pairs (e.g., test:test), and scan all of them first.

  • It is always advised to start by scanning for default credentials, as they are very commonly left unchanged. It is even worth testing the top 3-5 most common default credentials manually, as they are very often found in use.

  • We can use hydra using this command: hydra -C <Combined Word List> <IP Address> -s <Port Number> <Request Method> <Target Path>

    • Example: hydra -C /opt/useful/SecLists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt 178.211.23.155 -s 31099 http-get /

Hydra

  • Hydra is a handy tool for Login Brute Forcing, as it covers a wide variety of attacks and services and is relatively fast compared to the others.

  • Hydra has many options when it comes to brute forcing. For example, we can specify either a wordlist or a single value for the username and for the password:

    • Username Wordlist: -L

    • Password Wordlist: -P

    • Combined List (i.e. Username:Password): -C

    • Specific Username: -l

    • Specific Password: -p

  • When wordlists are provided for both, we can also choose the order: by default, hydra tries each username with all the passwords before moving to the next username; with the -u option, it tries all usernames with each password before moving to the next password.

  • Another important flag is -f, which tells hydra to stop after the first valid credentials are found.

  • The -t <Max Parallel Attempts> flag limits the number of parallel attempts. This is important because many SSH servers limit the number of parallel connections and drop the rest, which would cause many of our attempts to be dropped.

  • Hydra also provides many different types of requests we can use to brute force different services. If we use hydra -h, we should be able to list supported services.

  • For HTTP there are 2 modules that we are going to use:

    • Basic HTTP authentication: http[s]-{head|get|post}

    • Login forms, like .php or .aspx and others: http[s]-post-form

  • To decide which module we need, we have to determine whether the web application uses a GET or a POST form. We can test this by trying to log in and paying attention to the URL: if any of our input appears in the URL, the web application uses a GET form; otherwise, it uses a POST form.

  • Based on the URL scheme at the beginning, we can determine whether this is an HTTP or HTTPS post-form. If our target URL shows http, we should use the http-post-form module.

  • To find out how to use a module, we can use the -U flag to list the parameters it requires.

    • Example: hydra http-post-form -U

  • To make it possible for hydra to distinguish between successfully submitted credentials and failed attempts, we have to specify a unique string from the source code of the page we're using to log in. Hydra will examine the HTML code of the response page it gets after each attempt, looking for the string we provided.

  • We can specify two different types of analysis that act as a Boolean value:

    • Fail (F): Provide HTML text that's present when a login has failed.

    • Success (S): Provide HTML text that's present when a login succeeded.

  • We can take a look at our login page and try to find a string that only shows on the login page, and not after a successful login.

  • We need to choose the failure text carefully, as a poor choice might lead to false positives.

Determine Login Parameters

  • We can easily find POST parameters if we intercept the login request with Burp Suite or take a closer look at the admin panel's source code.

  • We can also use the browser developer tools.

  • After getting the parameters, we have to format them in hydra's syntax.

    • Example: username=test&password=test becomes username=^USER^&password=^PASS^

Wordlists

  • One of the most commonly used password wordlists is rockyou.txt, which has over 14 million unique passwords, sorted by how common they are, collected from online leaked databases of passwords and usernames.

  • Basically, unless a password is truly unique, this wordlist will likely contain it.

  • More wordlists for every scenario can be found in SecLists.

  • Usernames WordList: SecLists/Usernames/Names/names.txt

  • Passwords WordList: SecLists/Passwords/Leaked-Databases/rockyou.txt

Personalized Wordlists

  • To create a personalized wordlist for the user, we will need to collect some information about them.

  • As our example here is a known public figure, we can check out their Wikipedia page or do a basic Google search to gather the necessary information. Even if this was not a known figure, we can still carry out the same attack and create a personalized wordlist for them.

CUPP

  • Many tools can create a custom password wordlist based on certain information.

  • The tool we will be using is CUPP.

  • The tool is quite basic: we run it with the -i option (interactive mode), answer the questions about our target, and get the customized wordlist.

  • Using sed, we can filter out passwords that don't meet the password policy:

    • Remove passwords shorter than 8 characters: sed -ri '/^.{,7}$/d' <File Name>

    • Remove passwords with no special characters: sed -ri '/[!-/:-@[-`{-~]+/!d' <File Name>

    • Remove passwords with no numbers: sed -ri '/[0-9]+/!d' <File Name>

  • It is still possible to create many permutations of each word in that list. We never know how our target thinks when creating their password, and so our safest option is to add as many alterations and permutations as possible, noting that this will, of course, take much more time to brute force.

  • Many great tools do word mangling and case permutation quickly and easily, like rsmangler or The Mentalist. These tools have many other options, which can make any small wordlist grow to millions of lines.

  • The more mangled a wordlist is, the more chances you have to hit a correct password, but it will take longer to brute force.
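A worked run of the three sed policy filters from the CUPP section, added here as an example rather than taken from the notes. It builds a small constructed wordlist, applies the filters exactly as written above, and shows what survives. It assumes GNU sed, since the -r flag and the {,7} interval are GNU extensions.

```shell
#!/bin/sh
# Added example (not taken from the notes): run the three sed policy filters
# over a small constructed wordlist and see what survives.
# Assumes GNU sed: -r and the {,7} interval are GNU extensions.

make_wordlist() {
    # Constructed candidates; each breaks, or satisfies, a different rule.
    cat > "$1" <<'EOF'
bill
gates1955
Gates!1955
microsoft
Micro$oft
Micro$oft9
B.Gates@55
short!1
EOF
}

apply_policy() {
    # The filters exactly as written in the notes, applied in place to $1:
    # drop anything up to 7 characters, anything without a special character
    # (the bracket ranges cover every printable ASCII punctuation block),
    # and anything without a digit.
    sed -ri '/^.{,7}$/d' "$1"
    sed -ri '/[!-/:-@[-`{-~]+/!d' "$1"
    sed -ri '/[0-9]+/!d' "$1"
}

filtered_wordlist() {
    # Print the candidates that satisfy all three rules.
    tmp=$(mktemp)
    make_wordlist "$tmp"
    apply_policy "$tmp"
    cat "$tmp"
    rm -f "$tmp"
}

count_surviving() {
    # Number of candidates left after filtering.
    filtered_wordlist | wc -l | tr -d ' '
}

filtered_wordlist
```

Of the eight constructed candidates only Gates!1955, Micro$oft9 and B.Gates@55 pass: the first filter removes bill and short!1, the second removes gates1955 and microsoft, and the third removes Micro$oft. Running the filters in this order on a real CUPP output is what keeps the list down to candidates the target's password policy would actually have accepted.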

Custom Username Wordlist

  • We should also consider creating a personalized username wordlist based on the person's available details.

  • For example, the person's username could be b.gates or gates or bill, and many other potential variations.

  • One such tool we can use is Username Anarchy.

  • This tool has many use cases that we can take advantage of to create advanced lists of potential usernames.

  • The simplest use case is running the tool with the first and last name: ./username-anarchy <First Name> <Last Name> > <Output File Name>

    • Example: ./username-anarchy Bill Gates > bill.txt

Service Authentication Brute Forcing

  • The command used to attack a login service is fairly straightforward. We simply have to provide the username/password wordlists, and add service://<IP Address>:<Port Number> at the end.

  • Brute forcing SSH example: hydra -L bill.txt -P william.txt -u -f ssh://178.35.49.134:22 -t 4

  • Brute forcing FTP example: hydra -l m.gates -P rockyou-10.txt ftp://127.0.0.1
