Cracking passwords by brute force on a vulnerable machine from Kali GNU/Linux with hydra, medusa and ncrack – the easy way

Naturally, for the purpose of studying this software I use a virtual machine on my personal computer, not a remote host or server.
My main system is Kali GNU/Linux; the target of my attack is the Metasploitable2-Linux virtual machine. Metasploitable2-Linux was created for practising penetration testing (pentesting, white-hat hacking) with another well-known tool – metasploit-framework. But I will not use metasploit-framework here; instead I will try to attack the vulnerable host with brute-force programs – hydra, medusa and ncrack.

So we have two tasks:
I. Bring up the vulnerable machine in VirtualBox and configure it.
II. Exploit the machine's vulnerabilities.

I. Oddly enough, the first task turned out to be much more difficult than the second.
You can download the image of the vulnerable machine here: https://sourceforge.net/projects/metasploitable/files/Metasploitable2/
After downloading we get an archive, which we unpack.
There are several files inside the archive.
Next, install all the software we need with the command:
sudo apt install nmap whatweb hydra medusa ncrack virtualbox
In Kali GNU/Linux the nmap, whatweb, hydra, medusa and ncrack packages are pre-installed, but I need to install VirtualBox.
After installation, open the program.

Click “Create”, give it a name, select the type Linux and the version Other Linux (64-bit).

Next, we set 512 MB of RAM, 2 processor cores and about 2 GB of hard disk space. The next step is very important: choose to use the existing virtual hard disk Metasploitable.vmdk from the archive.

Next, you need to configure the network bridge, which is also extremely important. I connect to the network over USB, so that is the interface the virtual host must be bridged to; otherwise the virtual host will only be assigned an IPv6 address, and the attack will either become more complicated or such a host will have no access to the local network at all. Click Settings (right mouse button on our virtual machine), then Network. Select Bridged Adapter and the usb0 interface.

This completes the configuration and installation.

II. The hack itself

We launch the virtual machine and log in with the username and password msfadmin. We enter the ifconfig command and see the machine's IP address – 192.168.166.234.

Next we scan the host (some commands need root privileges, so the sudo prefix is sometimes necessary):
whatweb 192.168.166.234
sudo nmap 192.168.166.234

We see services, the OS, other information, and the open ports.
We create dictionaries of users and passwords – user.txt and pass.txt. Mine are very small; I display their contents with the cat command.

Information on the utilities and the attacked protocols is in the screenshots below:

Next we begin the brute-force attack, starting with ncrack. Enter three commands in turn:

ncrack -U user.txt -P pass.txt 192.168.166.234:21 -v
ncrack -U user.txt -P pass.txt 192.168.166.234:23 -v
ncrack -U user.txt -P pass.txt 192.168.166.234:22 -v

As you can see from the screenshot, the login-password pair was found successfully in all three cases. The program runs through the dictionaries of logins and passwords against the port of the vulnerable service given on the command line (21 – ftp, 22 – ssh, 23 – telnet); we learned the open ports earlier from nmap.
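From the defender's side, each of those ncrack runs leaves a burst of failed logins in the target's logs, followed by one accepted login when a dictionary entry matches. The script below is an added example, not code from the original post or from ncrack: it runs a sliding-window detector over constructed sshd lines in the format OpenSSH writes to /var/log/auth.log. The attacking address 192.168.166.10, the timestamps and the year are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines (not from the original post) in the format OpenSSH
# writes to /var/log/auth.log. The source 192.168.166.10 is an assumed address
# for the attacking host; the post never names the Kali machine's IP.
SAMPLE_AUTH_LOG = """\
Jan 10 12:00:01 metasploitable sshd[2101]: Failed password for invalid user admin from 192.168.166.10 port 50001 ssh2
Jan 10 12:00:02 metasploitable sshd[2102]: Failed password for msfadmin from 192.168.166.10 port 50002 ssh2
Jan 10 12:00:02 metasploitable sshd[2103]: Failed password for invalid user test from 192.168.166.10 port 50003 ssh2
Jan 10 12:00:03 metasploitable sshd[2104]: Failed password for msfadmin from 192.168.166.10 port 50004 ssh2
Jan 10 12:00:03 metasploitable sshd[2105]: Failed password for invalid user user from 192.168.166.10 port 50005 ssh2
Jan 10 12:00:04 metasploitable sshd[2106]: Accepted password for msfadmin from 192.168.166.10 port 50006 ssh2
Jan 10 12:05:00 metasploitable sshd[2201]: Failed password for alice from 192.168.166.50 port 40001 ssh2
Jan 10 12:30:00 metasploitable sshd[2202]: Accepted password for alice from 192.168.166.50 port 40002 ssh2
"""

# One regex covers both outcomes sshd reports for password authentication.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_line(line, year=2024):
    """Parse one sshd line into (timestamp, result, user, source_ip), or None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    # syslog timestamps carry no year, so one is assumed for the arithmetic
    stamp = " ".join(m["ts"].split())
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Flag sources with >= threshold failed logins inside a sliding time window.

    Returns {source_ip: {"first_seen", "failures", "users", "compromised"}}.
    "compromised" is the account of an Accepted login that follows a flagged
    burst from the same source, the trace a successful dictionary attack leaves.
    """
    recent = defaultdict(deque)   # source -> failure timestamps still in window
    tried = defaultdict(set)      # source -> user names attempted
    total = defaultdict(int)      # source -> failures seen in all
    findings = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                # unrelated daemon or unparseable line
        ts, result, user, src = parsed
        if result == "Failed":
            window = recent[src]
            window.append(ts)
            tried[src].add(user)
            total[src] += 1
            while (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= threshold and src not in findings:
                findings[src] = {"first_seen": window[0], "compromised": None}
        elif src in findings:       # Accepted password after a flagged burst
            findings[src]["compromised"] = user
    for src, finding in findings.items():
        finding["failures"] = total[src]
        finding["users"] = sorted(tried[src])
    return findings


if __name__ == "__main__":
    for src, f in detect_bruteforce(SAMPLE_AUTH_LOG.splitlines()).items():
        print(f"{src}: {f['failures']} failed logins from {f['first_seen']}, "
              f"users tried {f['users']}, compromised account: {f['compromised']}")
```

The single user alice with one typo and a later successful login is not flagged, while the five rapid failures from 192.168.166.10 are, and the accepted login that follows them is reported as the compromised account. The same shape of detector applies to the ftp and telnet services the post attacks, with a different regex for the vsftpd and login(1) log lines.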

Just for fun, let's log in to the vulnerable machine via telnet (port 23) using the login and password msfadmin found by ncrack.
As you can see in the screenshot below, it was successful:

Next we use medusa:

sudo medusa -U user.txt -P pass.txt -h 192.168.166.234 -M ssh
sudo medusa -U user.txt -P pass.txt -h 192.168.166.234 -M ftp

As you can see, medusa takes not a port but a protocol module (-M, here ssh and ftp).
As the screenshots below show, medusa also copes with the task:

Now we use hydra in the same way; this program needs the protocol and the port specified along with the dictionaries:

hydra -L user.txt -P pass.txt ftp://192.168.166.234:21

As you can see from the screenshots below, it is successful, and hydra highlights the found login-password pair:

Let's try to log in to ftp with the user/user pair found by hydra:

Successful.

As the examples show, all three utilities – hydra, medusa and ncrack – have similar syntax, and they are quite easy to use against the target host: you just need to create (or download) dictionaries of logins and passwords after scanning the open ports with nmap. But programs of this kind may only be used on vulnerable machines like Metasploitable, or in an authorized manner, as part of an audit of the servers of a company that has signed a contract for an information security audit (in other words, a pentest). Unauthorized use of such programs is illegal.
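The observation above cuts both ways: the attack only works when password logins are reachable and unthrottled, so the cheapest defence is the server's own configuration. The script below is an added example, not part of the original post or of OpenSSH: it parses an sshd_config the way sshd does (first occurrence wins, Match blocks are conditional) and flags the options a dictionary attack relies on. The two configuration files in it are constructed, the defaults are those of the OpenSSH server, and the parser does not follow Include directives, so on a Debian-style layout the files under /etc/ssh/sshd_config.d/ must be checked too.

```python
import re

# OpenSSH server defaults for the options checked here. An option absent from the
# file takes its default, so "not mentioned" is not the same as "safe".
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
    "maxauthtries": "6",
}

# Constructed example files (not from the original post). The weak one resembles
# a server that accepts any password login, like the Metasploitable target.
WEAK_CONFIG = """\
# constructed /etc/ssh/sshd_config, weak
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
MaxAuthTries 10
"""

HARDENED_CONFIG = """\
# constructed /etc/ssh/sshd_config, hardened
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
Match User backup
    PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Return {keyword.lower(): value} for the global section of an sshd_config.

    Follows sshd's own rules: '#' starts a comment, keywords are case-insensitive,
    'Key value' and 'Key=value' are both accepted, the first occurrence of a
    keyword wins, and everything after the first Match line is conditional and
    is therefore skipped. Include directives are not followed (a limitation).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text, max_auth_tries=3):
    """Return [(Keyword, effective value, why it matters)] for each weak setting."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if cfg["passwordauthentication"].lower() == "yes":
        findings.append(("PasswordAuthentication", cfg["passwordauthentication"],
                         "passwords can be guessed from a wordlist; prefer key-based logins"))
    if cfg["permitrootlogin"].lower() == "yes":
        findings.append(("PermitRootLogin", cfg["permitrootlogin"],
                         "root is a known account name, so only the password needs guessing"))
    if cfg["permitemptypasswords"].lower() == "yes":
        findings.append(("PermitEmptyPasswords", cfg["permitemptypasswords"],
                         "an account with an empty password needs no guessing at all"))
    try:
        tries = int(cfg["maxauthtries"])
    except ValueError:
        tries = None                # malformed value: report it rather than trust it
    if tries is None or tries > max_auth_tries:
        findings.append(("MaxAuthTries", cfg["maxauthtries"],
                         f"more than {max_auth_tries} guesses per connection speeds up every tool above"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit_sshd_config(text))} finding(s)")
        for keyword, value, why in audit_sshd_config(text):
            print(f"  {keyword} {value}: {why}")
```

Run against an empty file the audit still reports PasswordAuthentication and MaxAuthTries, because those are the server defaults; that is the point of merging DEFAULTS before checking. For the ftp and telnet services in the post there is no equivalent knob worth auditing: vsftpd and telnetd only know password logins, so the mitigation there is to disable the service or put it behind a firewall rule.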

Thank you all for your attention; until we meet again.
