On-Line Password Breaks CSC 193 WAKE FOREST. U N I V E R S I T Y Department of Computer Science. Spring 2014

Transcription

1 On-Line Password Breaks CSC 193 WAKE FOREST U N I V E R S I T Y Department of Computer Science Spring 2014 Breaking Passwords We have focused on breaking system passwords Take the password file and run a crack program What if we don t have access to the password file? Programs exist that allow cracking password at the login prompt Also called on-line cracking (JTR is considered off-line) Given the network application (e.g. ssh), the program guesses... So what must we know to break a ssh account? We (the hacking program) need to also know more about the application protocol E. W. Fulp CSC 193 Spring

2 Protocols in One Slide Protocol is a set of rules governing actions Rules are very specific and consider all cases (hopefully) Required to allow programs to interact For example, consider an HTTP request Browser GET HTTP/1.1 HTTP/ OK Date: Mon, 31 Apr Web Server So why is this relevant? Crack program needs to understand format of login, type of encryption, etc... So the crack program may not work on every type of network login E. W. Fulp CSC 193 Spring Hydra Hydra is a network login cracking tool Like JTR, does various password attacks However, the attacks are on-line (against interactive logins) Direct Hydra agains a network service to crack a password Provide login(s) and password guesses What network services are susceptible? E. W. Fulp CSC 193 Spring

3 Hydra can work on the following... afp cisco cisco-enable cvs firebird ftp http-get http-head http-proxy https-get https-head https-form-get https-form-post icq imap imap-ntlm ldap2 ldap3 mssql mysql ncp nntp oracle-listener pcanywhere pcnfs pop3 pop3-ntlm postgres rexec rlogin rsh sapr3 sip smb smbnt smtp-auth smtp-auth-ntlm snmp socks5 ssh2 teamspeak telnet vmauthd vnc yo-mama mcnasty poof rick-roll And many more! See cracker_comparison.html E. W. Fulp CSC 193 Spring Installing Hydra Change to root, then... > sudo -sh > apt-get install libssl-dev libssh-dev libidn11-dev libpcre3-dev libgtk2.0-dev libmysqlclient-dev libpq-dev libsvn-dev firebird2.1-dev libncp-dev libncurses5-dev > cd /opt > wget > tar -xvzf hydra-7.6.tar.gz > mv hydra-7.6 hydra > cd /opt/hydra >./configure > make > make install > exit E. W. Fulp CSC 193 Spring

4 Simple SSH Example Here is a simple of using Hydra against a ssh login > hydra ssh -s 22 -l csuser1 -P guess.txt -e n -t 10 Target computer is Protocol is SSH (port 22) Target login is csuser1 Use the password guesses in the file guess.txt Check for null passwords and passwords same as login (-e ns) Use 10 threads (-t 10) E. W. Fulp CSC 193 Spring Another Simple SSH Example Here is another example of using Hydra against a ssh login > hydra ssh -s 22 -l csuser1 -x 5:8A1 -e ns -t 10 The -x option tries a brute force search Try all password of length 5 to 8 by using all possible combinations of all upper case characters and all numbers Note, this attack (like JTR) will take some time, perhaps too much time... E. W. Fulp CSC 193 Spring

5 Hydra can be noisy... > sudo grep sshd.\*failed /var/log/auth.log [sudo] password for csuser1: Mar 31 12:23:28 vb-deb sshd[539]: Failed password for csuser1 from port ssh2 Mar 31 12:23:28 vb-deb sshd[536]: Failed password for csuser1 from port ssh2 Mar 31 12:23:28 vb-deb sshd[537]: Failed password for csuser1 from port ssh2 Mar 31 12:23:28 vb-deb sshd[535]: Failed password for csuser1 from port ssh2 Mar 31 12:23:28 vb-deb sshd[541]: Failed password for csuser1 from port ssh2 E. W. Fulp CSC 193 Spring Reducing Noise Hydra does include a few options to reduce the noise The time between attempts can be set using -W option (should be run with a low thread count, -t option) The wait time for a response can be set using -s option Try a password on all accounts (if provided) before trying another password, use the -u option E. W. Fulp CSC 193 Spring

6 Hydra and Web Forms As mentioned earlier, Hydra can also be used against web forms Must know something about how the web form (page) requests info Burp Suite can help There are two primary methods for sending and receiving credentials GET requests consists of a long URL containing all the variables in the URL, for example server.domain/request.php?var1=a&var2=b&var3=c POST requests sends the variables as part of the request header to the server, it makes the data invisible (but not inaccessible) for a normal user E. W. Fulp CSC 193 Spring We ll get to this later, but here is a simple Hydra example > hydra -e sn -v http-form-post "/customlogin.php:submit=login&username=^user^&pa Invalid credentials" -l csuser1 -P guess.txt There are three important fields separated by : Script to call, /customlogin.php Query string, submit=login&username=^user^&password=^pass^ String returned on a fail, Invalid credentials E. W. Fulp CSC 193 Spring

7 Defenses If a computer/server has external (network) logins Should regularly review log files for weirdness But that may be too late... Proactive measures would include Limit the number of failed login attempts Limit the number attempts per connection Increase the response delay, the higher the failed attempts the slower the response There are proactive tools to detect password guessing fail2ban is an interesting application, scans log files and automatically adds firewall (filter) rules E. W. Fulp CSC 193 Spring Team Assignment For each team One person create a user account on their VM Other team members try to crack the password Also check out the log files on the target computer How do I create an account on my VM? Assume you want to create a new account called farva > sudo adduser farva E. W. Fulp CSC 193 Spring

8 How can I change farva s password? > sudo passwd farva How can remove farva s account? > sudo userdel farva Want to remove all of larva s files as well? Use this instead > sudo userdel -r farva E. W. Fulp CSC 193 Spring