
Overview of Intercepter NG Features

The year of waiting was not in vain: it is repaid by some quite interesting functions that appear in the new version of the tool. The release came ahead of schedule, and some of the previously planned functions were left out of it because far more important innovations had appeared.

The new version includes the previously demonstrated attack on Active Directory (Ldap Relay), a Java Injection function, an exploit for the HeartBleed vulnerability and a Plugin Detector, but I would like to focus on quite different things.

Intercepter-NG now has a network password brute-force mode for a number of protocols: FTP \ IMAP \ POP3 \ SMTP \ SMB \ SSH \ LDAP \ HTTP. The reason for creating this functionality was, once again, the lack of a modern and functional brute forcer for Windows. Among native tools only Brutus comes to mind, which has not been updated for more than ten years and does not support SSH, for example. All cygwin builds of THC-Hydra are built without SSH support, and Ncrack, despite its declared SSH support, never worked in any test. Of course, you can build Hydra yourself if you wish, but in any case both Hydra and Ncrack are essentially console tools, and the GTK version of Hydra again requires an additional build. So creating a modern windowed brute forcer was not without point.

In any case, THC-Hydra is today the most advanced tool for network brute force, with a large number of supported protocols and authorization methods. Initially there was no attempt to compete with the leader, but the final results were very unexpected, and we will talk about them below.
It was only logical, once the work was done, to compare the brute-force speed of Intercepter and Hydra. At first it was planned to include Ncrack in the comparison as well, but since in a number of tests it missed a valid login, did not work with SSH, and in the remaining tests lagged behind Hydra across the board, it was decided to exclude it. In the comparison table, two values of elapsed time are given for each protocol. The first, longer value is obtained with single-threaded iteration. (In Hydra a "thread" is called a "task".) The second figure is the best time obtained when the number of threads is increased to the optimum. Blindly increasing the thread count by a factor of 2, 3 or 5 does not give a corresponding increase in performance, because each specific implementation of a network service has its own characteristics that affect the speed of multi-threaded operation and its suitability for brute force. Testing was carried out with a password list of 2000 words.

[Image: comparison table of brute-force times for Intercepter and Hydra]

As the table shows, for LDAP \ SMTP \ HTTP Intercepter and Hydra give the same results with multi-threaded brute force, and for the remaining protocols, FTP \ POP3, Intercepter was faster. The conclusion of this test is not that Intercepter is faster than Hydra, but that it is at least no slower and is suitable for solving the corresponding tasks.

The FTP \ IMAP \ POP3 \ SMTP \ LDAP protocols support the standard plain-text authentication methods. Because Intercepter is a native NT application, SMB brute force is implemented through the system API functions, without regard to the various authorization methods (NTLMv1, v2, Kerberos). For SSH, the password and keyboard-interactive methods are supported, and for HTTP, Basic Auth and the HTTP POST method with a specified template. The template is built the same way as in Hydra: you specify the names of the variables sent to the server, as well as a keyword indicating that authorization failed, for example 'Error' or 'Invalid'. A dictionary of 10,000 words is included, as well as a heuristic search mode. In this mode a keyword is given, from which a small number of derived variants is generated. While recording the demo video, I arbitrarily typed the word test into the heuristic mode and, to my surprise, the program reported that the password had been found. At first I thought an error had occurred, but it turned out that the password really works and belongs to some test account on the forum.

Another significant feature of the new version is that the original Intercepter can now be run under Wine. The main obstacle to this before was that WinPcap and Wine are incompatible. Some time ago a so-called wrapper was discovered that translates calls to WinPcap functions into unix libpcap calls. To actually run Intercepter under Linux I had to finish off both the wrapper and Intercepter itself, since some WinPcap functions are missing in libpcap and others have platform-specific peculiarities.

[Image]

Unfortunately, the traffic routing method used under Windows does not work in Linux, so the complex MiTMs (sslstrip, ssl mitm, smb hijack, ldap relay, http injection) do not work, but arp poison, dhcp mitm, wpad mitm, dns over icmp mitm, data recovery and the new network brute-force mode do. Even in this form it far surpasses the console unix version of Intercepter and will be useful on security-oriented Linux distributions.

Thanks to the successful launch under Linux, I wanted to run another Intercepter test on Hydra's native ground, this time including SSH in the test.

[Image: comparison table of the Linux test, including SSH]

In the single-threaded tests Intercepter lags slightly, but with multithreading both tools show the same results. The SSH testing, in which Hydra was significantly slower, deserves separate consideration.

The first test was run against an SSH server that supports the password method, which works much faster than keyboard-interactive. Apparently Hydra ignored this gift and tried to guess the password via the interactive method, which takes much longer, hence the estimated time of 55 minutes, which I did not even wait out. Multi-threaded testing took much less time, but still more than Intercepter. The second test was run against an SSH server with the password mode disabled, and here both tools performed on an equal footing. This test once again confirmed the high efficiency of Intercepter and the closeness of its results to such a narrowly specialized tool as THC-Hydra.
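What a brute-force run of the kind timed above looks like from the server's side, as an added example that is not code from the article or from Intercepter-NG: the script parses OpenSSH-style auth.log lines (the sample lines are constructed), flags any source that produces a burst of failures within a sliding window, records the attempt rate and the number of distinct source ports (a multi-threaded brute forcer shows up as many parallel connections, which is the "tasks"/threads knob discussed above), and notes whether an accepted login followed the burst. The threshold, window and year values are assumptions chosen for the sample.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in OpenSSH auth.log style (not taken from the article).
# One source hammers two accounts from many ports and finally gets in; another
# source is a user who mistyped once and then authenticated with a key.
SAMPLE_LOG = """\
Jun 19 10:00:01 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Jun 19 10:00:01 host sshd[1202]: Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2
Jun 19 10:00:02 host sshd[1203]: Failed password for root from 198.51.100.7 port 40003 ssh2
Jun 19 10:00:02 host sshd[1204]: Failed password for root from 198.51.100.7 port 40004 ssh2
Jun 19 10:00:03 host sshd[1205]: Failed password for root from 198.51.100.7 port 40005 ssh2
Jun 19 10:00:03 host sshd[1206]: Failed password for root from 198.51.100.7 port 40006 ssh2
Jun 19 10:00:04 host sshd[1207]: Accepted password for root from 198.51.100.7 port 40007 ssh2
Jun 19 10:05:10 host sshd[1300]: Failed password for alice from 203.0.113.9 port 51000 ssh2
Jun 19 10:07:30 host sshd[1301]: Accepted publickey for alice from 203.0.113.9 port 51001 ssh2
"""

# Matches both "Failed password for invalid user X" and "Accepted publickey for X".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)"
)


def parse_line(line, year=2014):
    """Return an event dict for an sshd auth line, or None for lines we ignore.
    Syslog timestamps carry no year, so the caller supplies one (assumed)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"], "port": int(m["port"])}


def detect_bruteforce(log_text, threshold=5, window_s=60, year=2014):
    """Flag each source IP with at least `threshold` failures inside any
    `window_s`-second window. Returns {ip: summary}, where the summary keeps the
    failure count, failures per second, the user names tried, the number of
    distinct source ports (parallel connections) and the first accepted login
    after the burst, if any."""
    failures = defaultdict(deque)   # ip -> recent failure events in the window
    alerts = {}                     # ip -> summary of the detected burst
    for line in log_text.splitlines():
        ev = parse_line(line, year)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["result"] == "Failed":
            q = failures[ip]
            q.append(ev)
            # Slide the window: drop failures older than window_s seconds.
            while q and (ev["ts"] - q[0]["ts"]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= threshold:
                span = max((q[-1]["ts"] - q[0]["ts"]).total_seconds(), 1.0)
                alerts[ip] = {
                    "failures": len(q),
                    "rate_per_s": len(q) / span,
                    "users": sorted({e["user"] for e in q}),
                    "ports": len({e["port"] for e in q}),
                    "success_after": alerts.get(ip, {}).get("success_after"),
                }
        elif ip in alerts and alerts[ip]["success_after"] is None:
            # A success right after a burst means the guess most likely landed.
            alerts[ip]["success_after"] = f"{ev['user']} via {ev['method']}"
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

On the sample the hammering source is reported with six failures over two seconds from six different ports against two accounts, followed by an accepted password login for root; the single mistyped password from the other source never reaches the threshold. In production the same logic would key on the distinct-port count and the post-burst success as the highest-priority signals.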

Instructions for running Intercepter under Wine will soon appear in the blog. A more detailed changelog is on the site. Below is the demo video.

Source: https://habr.com/ru/post/231369/

