Hacking Exposed 6: Network Security Secrets & Solutions in Software

Creator QR Code ISO/IEC18004 in Software Hacking Exposed 6: Network Security Secrets & Solutions

Popularity: Simplicity: Impact: Risk Rating: 8 7 7 7

We start off our discussion of UNIX attacks with the most basic form of attack brute-force password guessing A brute-force attack may not appear sexy, but it is one of the most effective ways for attackers to gain access to a UNIX system A brute-force attack is nothing more than guessing a user ID/password combination on a service that attempts to authenticate the user before access is granted The most common types of services that can be brute-forced include the following: telnet File Transfer Protocol (FTP) The r commands (rlogin, rsh, and so on) Secure Shell (ssh) SNMP community names Post Of ce Protocol (POP) and Internet Message Access Protocol (IMAP) Hypertext Transport Protocol (HTTP/HTTPS) Concurrent Version System (CVS) and Subversion (SVN) Recall from our network discovery and enumeration discussion in s 1 to 3 the importance of identifying potential system user IDs Services such as finger, rusers, and sendmail were used to identify user accounts on a target system Once attackers have a list of user accounts, they can begin trying to gain shell access to the target system by guessing the password associated with one of the IDs Unfortunately, many user accounts have either a weak password or no password at all The best illustration of this axiom is the Joe account, where the user ID and password are identical Given enough users, most systems will have at least one Joe account To our amazement, we have seen thousands of Joe accounts over the course of performing our security reviews Why are poorly chosen passwords so common People don t know how to choose strong passwords or are not forced to do so Although it is entirely possible to guess passwords by hand, most passwords are guessed via an automated brute-force utility Attackers can use several tools to automate brute forcing, including the following: THC Hydra popc SNMPbrute http://freeworldthcorg/thc-hydra/ http://packetstormsecurityorg/Crackers/snmpbrute- xedupc

5:

Hydra is one of the most popular and versatile brute force utilities available Hydra includes many features and supports a number of protocols The following example demonstrates how hydra can be used to perform a brute force attack:

[schism]$ hydra -L userstxt -P passwordstxt -s 22 1921681113 ssh2 Hydra v54 (c) 2006 by van Hauser / THC - use allowed only for legal purposes Hydra (http://wwwthcorg) starting at 2008-07-25 11:37:31 [DATA] 16 tasks, 1 servers, 25 login tries (l:5/p:5), ~1 tries per task [DATA] attacking service ssh2 on port 22 [22][ssh2] host: 1921681113 login: praveen password: pr4v33n [22][ssh2] host: 1921681113 login: nathan password: texas [22][ssh2] host: 1921681113 login: adam password: 1234 [STATUS] attack finished for 1921681113 (waiting for childs to finish) Hydra (http://wwwthcorg) finished at 2008-07-25 11:37:36

In this demonstration, we have created two files The userstxt file contains a list of five usernames and the passwordstxt contains a list of five passwords Hydra will use this information and attempt to remotely authenticate to a service of our choice, in this case SSH Based on the length of our lists, a total of 25 username and password combinations are possible During this effort, hydra shows three of the five accounts were successfully brute forced For the sake of brevity, the list included known usernames and some of their associated passwords In reality, valid usernames would first need to be enumerated and a much more extensive password list would be required This of course would increase the time to complete, and no guarantee is given that user s password is included in the password list Although hydra helps automate brute-force attacks, it is still a very slow process