Monday, March 19, 2012

Slow Brute SSH a.k.a. - A Python Based SSH Cracker, that works!

OK, so today I will provide you with a quick introduction to a really awesome SSH cracker which is based on Python, called Slow Brute SSH. It is python based but is still a Linux only script which works to perform targeted dictionary attacks against a specific SSH user instance. It has the ability to execute commands upon success and has an amazing success detection rate. I ran into problems using NCRACK myself and was looking for something better for this protocol. I tested 4-5 of the better known SSH cracking tools out there and this was the one that received my top rating, mainly due to its simplistic design and easy usability. Many of the other tools I reviewed required different version of LibSSH to be installed, particularly non-standard versions. This leads to tricky installations with tons of pre-requisites in order to get things working. This tool works well right out of the box as it should. It also presents successful findings in a super easy to read format. Here goes the quick overview…

Download and extract the tool to your Linux desktop (tar –zxvf downloadname). That’s it! It is now installed and ready to go, just jump into the folder and enter the usual “./ –help” to see the list of command options:

You can see the command syntax is fairly easy to use and pick up on. You can essentially just point and shoot and the tool does all the work, easy setup. If you want to use TOR network for added anonymity just turn on TOR prior to launching and then make sure you use the “-T” or “--tor” option to route through the standard TOR port and out to target. If SSH is running on a non-standard port (22) then you can use the “–d” argument to specify the port to attack on instead of the default, if not provided the tool will assume the standard port 22 on the target. Not a lot to this one folks, simple and works well…

Here is a quick video to show you how it works in action against live target which NCRACK was unable to successfully register successful login against, hence this tutorial and tool highlight J

Video up in next 24hrs....

Until next time, Enjoy!

NCRACK: The FTP/SSH/Telnet/HTTP(S)/POP3(S)/SMB/RDP & VNC Protocol Cracker

Ncrack is a network cracking tool that can perform bruteforce/dictionary attacks across the network. It has a wide array of modules available to use which makes it very versatile, and it is created and maintained by the same folks who gave us NMAP. Today I will show you how to use it bruteforce FTP protocol. I will be performing this attack from a Windows 7 x64 machine and my target will be a *nix machine. The full documentation on Ncrack is available from the homepage and with the download, so I will only cover FTP for now, but other protocols follow similar approach. Follow along and let the fun begin...

Download for your particular OS of choice can be found here:
NOTE: this is a command line only tool, so you will need to navigate to where you extract it to run it or add it to your path environmental details so you can run from any terminal or console window (my preference)

OK, so once it is installed we do open command prompt and then navigate to our install location "CD path/ncrack", and then run a quick help check to see what options are available "ncrack -h", will look like this:

The default syntax works like this:
·         ncrack [Options] {target and service specification}

As you can see though, there are a lot of options available so let’s provide some clarification and then attack some targets.

Identifying targets:
You can run scans however you want to find machines with open ports (typically you can do a quick check for port 21,22, 2222, and 3389).  Once you have a target or a few you can tell NCRACK how to attack. We can use the tool to attack a single IP address or a whole range of IP addresses, using standard NMAP formatting of course. We can use the following flags for inputting IP addresses, all of which have their moments as to when they are useful:
1.       –iX path/to/file.xml
a.       This takes the output from an NMAP scan where you have used the –oX flag to indicate you want the NMAP scan results to be saved in .XML format
2.       –iN path/to/file
a.       This takes the standard or normal output file that nmap saves from scan
3.       –iL path/to/file.txt
a.       This takes a user provided list of hosts or network ranges

I tend to use options 1 the most myself as if I am not inputting an entire list I am typically only running against a single host IP which can simply be typed out on command line (you can type multiple if you want too, but I use files for more than 2 myself). I should also note that you can exclude a particular IP or range of IPs with the addition of the “–exclude IP1,IP2,IP3” or “—excludefile path/to/excludefile.txt”. This will keep from scanning sensitive or production machines if you are trying to be stealth or respectful. OK, so that covers target input, now let us move to the modules and how to set them up.

We have modules available for cracking FTP, SSH, Telnet, HTTP(S), POP3(S), SMB, RDP, and VNC protocols. You can choose to use the modules one at a time or you can use multiple modules together to perform a multi-protocol attack. When you identify the module(s) you will use for your attack you also need to define a few configuration settings to handle timing, authentication, etc which all affect how well it does or does not work. Here are the options available and a little bit about what they do:

·         -m allows us to define settings specific to a single module (as defined by what follows the –m
o   Example: -m ssh:at=25
§  Sets the authentication attempts (-at) per connection to 25 for the SSH module
·         -p allows you to choose multiple modules for attacking hosts
o   Example: -p ssh,pop3
§  Uses SSH & POP3 modules against the whole IP range since it knows to read the CIDR block /24 and convert to IP range
§  You can also have the modules run against non-standard ports by simply indicating the port after the module name or IP address
·         Example: -p ssh:22,22222,pop3
·         Example2: ncrack ftp://192.168.1.*  ssh://192.168.1.*:2222
o   Modules will know to look on the default port if none is defined
·         -g allows you to set configuration settings for all options available across the board or globally, this can be used as needed or in combination with other module specific settings
o   Example: ncrack –p ssh://,cl=25  –m ssh:at=15 –g cd=3000
§  This will use the SSH module against the network, using minimum connection limit (cl=) of 25, a max authentication tries per connection of 15, while it was globally set (-g) that the connection delay between attempts be 3000 seconds

NOTE: all timing options are assumed to be provided in seconds unless you specify otherwise. You can use one of the following appended to the time: “ms” for milliseconds, “m” for minutes, or “h” for hours. Also note that there should be no spaces when defining module details as NCRACK views anything that is not an option as a host and the space can cause errors in how things are interpreted.
You can get very detailed with setting the timing options, as there is a great deal of flexibility allowed in the configuration settings, however I like to keep things a bit easier and use the predefined templates that are available as the tool has some cool built-in technology to help auto adjust line rates and attempts as well as metric parameters on the fly based on network traffic analysis done by the internal scan engine. You can override the timing template to use by simply using the “-T” argument following by the number of the template you want to use. These are similar to what have come to know from NMAP scans. The available options are 0-5, which equate to the following:
·         paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), and insane (5)

Example: ncrack -v –T1 –user root ssh://
§  This will launch the SSH module against the whole network using the sneaky timing template. This works well for keeping off radars and getting IP bans, but may take considerably longer to run through all of your possibilities.

NOTE: Timing levels of T4 & T5 can cause denial of service conditions on some slower services, like RDP and SSH so you may want to do a little research on the ins and outs of each protocol to help you come up with what works best.

At this point you have most of the available options to run Ncrack since it has a decent number of username and password lists included with it by default; all can be found in the “/install/path/ncrack/lists/“directory. If you want to use your own custom username list or password list you can do that too. Here are the available options to choose from, depending on how you want to set things up:
·         “-U” will define a single username to attack
·         “--user /path/to/userfile.txt” will define the path to the file of usernames to use for attacks
·         “-P /path/to/passfile.txt” will define the path to the file of passwords to use for attacks
·         “--pass password1,password2,password3” allows you to use comma separated password list as defined on command line by user
·         “--passwords-first” will instruct NCRACK to try all possible passwords for each username before moving on to the next username, whereas by default it tries each username to password before moving to next password. This is helpful if you are 100% sure you know the username you are attacking as opposed to bruteforcing both user and pass combinations (like if you dumped a database and are checking credentials on known systems)

OK, that covers the basics, here are a few world examples of how I would go about it on Linux, as well as a nice short video I put together of the whole thing in action:

Step 1:  Find open SSH,FTP,RDP ports to target using your favorite scanner (mine is NMAP)…
·         nmap -T4 iR <# of target-ip to randomly scan> -sS -p22,2222,21,3389 –oX targets.xml

NOTE: If you set the # of targets to zero (0) it will scan indefinitely which can be handy from time to time…

This will run a NMAP scan for open SSH ports running on default port of 22, or the infamous beginner admin move to port 2222 (silly admins), as well as FTP and RDP services on default ports. It will use reasonable timing methods but not super aggressive, and will use SYN packets to run the discovery. It will also make it easier to identify targets to try with NCRACK by using use the “–oX <filename>” options to send all output to a file which can then be used to feed into NCRACK as I described above, using the “–iX” option.

Step 2: figure out what modules we want to attack with and what user/pass lists we will use (if any other than default):
·         What ports did we scan for? It will help determine which modules to use…
·         Did we run the scans in a way we can import the results to keep things easier? If so where it located is and what is it called? Helps to know so you can input your command syntax properly…
·         Do we want to attack more than one protocol? If so make sure to use the right arguments or create specific scans for each attack you want to run…
·         Keep info handy :p

Step 3: Run NCRACK and await the results to come back…hopefully with popped credentials that give you access or even better full root access.
·         You can hit enter to get a status update in the terminal while waiting for it to run its course and the “p” will print a list of all the successful credentials found if you want to see mid scan whats been found.

When it is done it will show you the results, and you can then continue as you like from there. I hope you enjoyed this informative tutorial on a great cracking tool made by a great team. It is one you should definitely add to your collection if you don’t have it already. If you never used it before I highly encourage you to try it out. I haven’t had great success with SSH or HTTP myself but it is hands down the fastest for FTP and very good at handling RDP and VNC as well. Below is a little bonus video to show you an example of how it can be used against FTP. I hope you enjoyed this tutorial as much as the others, and I encourage you to check back often to see what else I have covered or come up with. If any questions on anything please just comment or shoot me a note.


Until next time, Enjoy!

Tuesday, March 6, 2012

Overview of WPScan (the Ruby Script)

Ok, so today I will be providing you with a brief introduction and tutorial on how to use the WPScan ruby script. We can use this script to quickly identify plugin modules being used on a target WordPress site as well as enumeration of version info and potential users. Once that is done we can also supply a wordlist and try to bruteforce the WP login page to see if we can get access to the admin panel (if we don’t find an open door in an existing installed module). The script is very easy to use and comes pre-installed with all dependencies on BackTrack 5 (R1 and/or R2). I will walk through the script using the latest BackTrack 5R2 which was just recently released. There is also a video at the end for those who need a visual experience, but it is simple enough to figure out if you just poke around a bit. Here goes…

We first start by launching the script and generating the help menu so we can get an idea of what we will be working with here. This brings up help menu:

COMMAND: ./wpscan.rb -h

You can see we have a few options but it is not overwhelming like some of the other tools I have shown you in the past. Before we get started we generate a plugins list for scanning, like so:

COMMAND: ./wpscan.rb --generate_plugin_list 150

My understanding of this feature is that this creates a plugins list to use for enumeration, which will trim the full list of 2000+ to a workable number based on a most popular for sorting purposes, so a top 150-500 would be sufficient in most appears to be an optional step and still not 100% on its impact on success or failure (sorry)

NOTE: this might take a few minutes depending on how high you set it

Once that is done we can start scanning our target site. I typically do things in layers so I start general and then add to it as we go. In order to run a generic scan just launch the script and point it at your target site, like so:
COMMAND: ./wpscan.rb --url

When that is done you may or may not have some information. Assuming we still want to dig a bit deeper we now scan using the “—enumerate” feature and set the argument for what we want to enumerate. We set one per scan, as my experience seems to show that it ignores any additional arguments (i.e. only 1 at a time). The syntax works the same as our generic scan but with the enumerate option added, like so:

COMMAND: ./wpscan.rb --url --enumerate u|v|p|t

Enumerate Options:
-          Users (u)
-          Version (v)
-          Plugins (p)
-          Timthumb (t)

Once we are done enumerating the info from the site that we want we can next either do some investigations on exploit-db to see if any known vulnerabilities in any of the plugins or we can try to bruteforce the login. We simply point the script at the site, set the wordlist and thread-count and then instruct it which username to work against. It does the rest J

COMMAND: ./wbscan.rb --url --wordlist /path/to/list.txt --threads 50 --username <username>

This runs the bruteforce tool at WP login page, limiting attack to the username provided (will try all user accounts if no username provided). If you are on Linux you can set the thread count as high as you like (50 works well for me) but if you are on Winblows keep the thread count at 10 for best results.

NOTE: it runs through the wordlist in the order you have it so keep your wordlist optimized for quickest path to successful results

If you want to increase the verbosity of a scan/attack in process then simply add the "-v" flag like any other tool you have used before. If you want some added security on your end you can run the scans through a proxy by adding the "--proxy host:port" flag or you can use "--tor" as an alternative and it will use the default TOR settings (localhost:9050) to route all requests through the TOR network.

That is all there is to it!

It is not a game changer but it can uncover some low hanging fruit sometimes and the bruteforce/dictionary attacks on the WordPress login panel work very well and quick thanks to the multi-threaded design (and the lack of a lock-out policy in WordPress installs which makes this all possible). I hope you found this one enjoyable enough, for those that need a little more – here is a quick video I made to outline how simple it is to use. I should note that for video this is a brand new install and the enumeration failed to find the correct username but I supplied it so you can see the full functionality of it (I also used a small wordlist to keep the video within time constraints). Hopefully this drives it home for everyone. If you use WordPress, keep up to date and always use secure passwords for all users.

Until next time, Enjoy!