AoC 2022 Day 5: Brute Force Attack

Remote Access Services

When seated at your computer, you can effortlessly manage it using the attached keyboard and mouse. How can we control a computer system that is located physically elsewhere? The computer could be in another room, another building, or another country. The need to administer computer systems remotely gave rise to a variety of software packages and protocols. We will mention three examples:

  1. SSH
  2. RDP
  3. VNC

SSH stands for Secure Shell. It was initially used for remote login on Unix-like systems. It gives the user access to a command-line interface (CLI) so they can issue commands.

RDP stands for Remote Desktop Protocol; it is sometimes referred to as Remote Desktop Connection (RDC) or just Remote Desktop. It offers a graphical user interface (GUI) to an MS Windows system. When using Remote Desktop, the user can see their desktop and use the keyboard and mouse as if sitting at the computer.

VNC stands for Virtual Network Computing. It offers access to a graphical user interface that allows viewing the desktop and, optionally, controlling the mouse and keyboard. VNC is available for any system with a graphical desktop: Microsoft Windows, Linux, macOS, Android, and even a Raspberry Pi.

Based on our systems and needs, we can select one of these tools to control a remote computer; however, for security purposes, we need to think about how we can prove our identity to the remote server.

Authentication

Authentication is the process by which a system verifies your identity. The user must first claim a particular unique identity, such as ownership of a particular username, and must then prove that claim. This is usually achieved by one, or more, of the following:

  1. Something you know refers, in general, to something you can memorize, such as a password or a PIN (Personal Identification Number).
  2. Something you have refers to something you own, hardware or software, such as a security token, a mobile phone, or a key file. The security token is a physical device that displays a number that changes periodically.
  3. Something you are refers to biometric authentication, such as when using a fingerprint reader or a retina scan.

Back to remote access services: we usually use passwords or private key files for authentication. A password is the default authentication method and requires the fewest steps to set up. Unfortunately, passwords are prone to a myriad of attacks.

Attacking Passwords

Passwords are the most widely used form of authentication. They are, regrettably, open to several attacks. Some attacks, like shoulder surfing and password guessing, call for no technical expertise at all. Others call for automated tools.

The following are some of the ways used in attacks against passwords:

  1. Shoulder Surfing: Looking over the victim’s shoulder might reveal the pattern they use to unlock their phone or the PIN code to use the ATM. This attack requires the least technical knowledge.
  2. Password Guessing: Without proper cyber security awareness, some users might be inclined to use personal details, such as birth date or daughter’s name, as these are easiest to remember. Guessing the password of such users requires some knowledge of the target’s personal details; their birth year might end up as their ATM PIN code.
  3. Dictionary Attack: This approach expands on password guessing and attempts to include all valid words in a dictionary or a word list.
  4. Brute Force Attack: This attack is the most exhaustive and time-consuming; the attacker tries every possible character combination, usually over a chosen character set and up to a chosen length.

Let’s focus on dictionary attacks. Over time, hackers have compiled one list after another of passwords leaked from data breaches. One example is RockYou’s list of breached passwords. The choice of the word list should depend on your knowledge of the target. For instance, a French user might use a French word instead of an English one. Consequently, a French word list might be more promising.

RockYou’s word list contains more than 14 million unique passwords. Even if we want to try the top 5%, that’s still more than half a million. We need to find an automated way.
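The two points above (password guessing from personal details, and choosing a word list that fits the target) can be turned into a small, targeted dictionary. The following script is an added example, not part of the original room or write-up: it expands a few constructed personal details (names, a pet, years) into the mutations people actually derive from them, and compares the size of that list with the keyspace a true brute-force attack over printable ASCII would have to cover. The mutation rules and the sample details are assumptions for the demo.

```python
# Added example: turn password guessing into a targeted dictionary, and size the
# keyspace an exhaustive brute-force attack would face. Names, years and mutation
# rules below are constructed for the demo, not taken from any real breach data.

LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


def generate_candidates(words, years=(), suffixes=("", "!", "1", "123")):
    """Expand personal details (names, pets, teams) into likely derived passwords.

    Each word is tried in lower, Capitalized, UPPER and l33t form, optionally
    followed by a year the target cares about and a common suffix. Insertion
    order is preserved so the plainest guesses come first, and duplicates are
    dropped so no attempt is wasted.
    """
    candidates = []
    for word in words:
        base = word.lower()
        forms = []
        for form in (base, base.capitalize(), base.upper(), base.translate(LEET)):
            if form not in forms:
                forms.append(form)
        for form in forms:
            for year in ("",) + tuple(str(y) for y in years):
                for suffix in suffixes:
                    candidate = f"{form}{year}{suffix}"
                    if candidate not in candidates:
                        candidates.append(candidate)
    return candidates


def keyspace(charset_size, max_length):
    """Number of strings of length 1..max_length over a charset of the given size.

    This is what an exhaustive brute-force attack must cover; a dictionary attack
    covers only the entries in its list.
    """
    return sum(charset_size ** n for n in range(1, max_length + 1))


if __name__ == "__main__":
    # Constructed target profile: daughter "emma", dog "rover", two meaningful years.
    targeted = generate_candidates(["emma", "rover"], years=(1990, 2015))
    print(f"{len(targeted)} targeted candidates, e.g. {targeted[:6]}")
    # 95 printable ASCII characters: each extra character multiplies the work by ~95.
    for length in (4, 6, 8):
        print(f"brute force up to {length} chars: {keyspace(95, length):,} candidates")
```

The targeted list is a few dozen entries long, which is why a well-informed guess often beats a 14-million-line word list; the brute-force figures show why exhaustive search is the last resort rather than the first.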

Hacking an Authentication Service

We want an automated way to try the common passwords or the entries from a word list; this is where THC Hydra comes in. Hydra supports many protocols, including SSH, VNC, FTP, POP3, IMAP, SMTP, and all the HTTP-based methods. The general command-line syntax is the following:

hydra -l username -P wordlist.txt server service

where we specify the following options:

  • -l username: -l precedes the username, i.e. the login name of the target. Omit this option if the service does not use a username.
  • -P wordlist.txt: -P precedes the wordlist.txt file, which contains the list of passwords you want to try with the provided username.
  • server is the hostname or IP address of the target server.
  • service indicates the service against which you are launching the dictionary attack.

Consider the following concrete examples:

  • hydra -l mark -P /usr/share/wordlists/rockyou.txt MACHINE_IP ssh will use mark as the username as it iterates over the provided passwords against the SSH server.
  • hydra -l mark -P /usr/share/wordlists/rockyou.txt ssh://MACHINE_IP is identical to the previous example. MACHINE_IP ssh is the same as ssh://MACHINE_IP.

You can replace ssh with another protocol name, such as rdp, vnc, ftp, or pop3, or any other protocol supported by Hydra.

There are some extra optional arguments that you can add:

  • -V or -vV, for verbose, makes Hydra show the username and password combinations being tried. This verbosity is very convenient for watching progress, especially if you are not yet confident in your command-line syntax.
  • -d, for debugging, provides more detailed information about what is happening. The debugging output can save you much frustration; for instance, if Hydra is trying to connect to a closed port and timing out, -d will reveal this immediately.

NB: Options for verbosity or debugging can be helpful if you want Hydra to update you about its progress.
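Hydra is doing nothing more exotic than the loop below. This script is an added example, not Hydra's code or anything from the original room: it builds a constructed stand-in for the password-authenticated service (salted hashes, a fail/ok answer per attempt, and an optional account lockout) and runs a word list against it the way `hydra -l mark -P rockyou.txt target ssh` would, printing each attempt when verbose, like -V. The user "mark", the eight-entry word list and the lockout threshold are all assumptions for the demo.

```python
import hashlib
import hmac

# Constructed stand-in for the network service Hydra would target (SSH, VNC, ...).
# It stores salted SHA-256 digests rather than plaintext, answers ok/fail per
# attempt, and optionally locks an account after too many failures, which is the
# defensive control a real dictionary attack runs into first.
class MockService:
    SALT = b"constructed-salt:"  # fixed for the demo; real services use a random per-user salt

    def __init__(self, users, lockout_threshold=None):
        self._creds = {user: self._digest(pw) for user, pw in users.items()}
        self.lockout_threshold = lockout_threshold
        self.failures = {}   # consecutive failures per username
        self.attempts = 0    # every login attempt the service has seen

    @classmethod
    def _digest(cls, password):
        return hashlib.sha256(cls.SALT + password.encode()).hexdigest()

    def authenticate(self, username, password):
        """Return 'ok', 'fail' or 'locked' for a single login attempt."""
        self.attempts += 1
        if (self.lockout_threshold is not None
                and self.failures.get(username, 0) >= self.lockout_threshold):
            return "locked"
        stored = self._creds.get(username)
        # compare_digest avoids leaking timing information about the stored digest
        if stored is not None and hmac.compare_digest(stored, self._digest(password)):
            self.failures[username] = 0
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        return "fail"


def dictionary_attack(service, username, wordlist, verbose=False):
    """Try each candidate in order, like `hydra -l USERNAME -P WORDLIST server service`.

    Returns the recovered password (or None), the number of attempts made, and
    whether the target locked the account before the list was exhausted.
    """
    for attempt, candidate in enumerate(wordlist, start=1):
        result = service.authenticate(username, candidate)
        if verbose:  # the equivalent of hydra -V: show every pair as it is tried
            print(f'[ATTEMPT] login "{username}" - pass "{candidate}" -> {result}')
        if result == "ok":
            return {"password": candidate, "attempts": attempt, "locked_out": False}
        if result == "locked":
            return {"password": None, "attempts": attempt, "locked_out": True}
    return {"password": None, "attempts": len(wordlist), "locked_out": False}


# Constructed eight-entry word list standing in for the top of rockyou.txt.
WORDLIST = ["123456", "password", "qwerty", "letmein",
            "sunshine", "dragon", "football", "Winter2022!"]


def demo(lockout_threshold=None):
    """Attack a service where user 'mark' chose 'sunshine' (a constructed credential)."""
    service = MockService({"mark": "sunshine"}, lockout_threshold=lockout_threshold)
    return dictionary_attack(service, "mark", WORDLIST)


if __name__ == "__main__":
    print(demo())                     # recovered on the 5th attempt
    print(demo(lockout_threshold=3))  # locked after 3 failures; the right password is never reached
```

The second run is the caveat a practitioner wants to keep in mind: against a service with account lockout, an unthrottled list will lock the target (and alert its owner) long before it reaches the real password, which is why the order of the list, and Hydra's task count and timing options, matter as much as its contents.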

Connecting to a VNC Server on Linux

Many clients can be used to connect to a VNC server. We recommend using Remmina.

  1. To start Remmina, open the Applications menu in the upper right and click on the Internet group to find Remmina.

     Figure: Remmina can be launched from the Internet group in the Applications menu.

  2. If you get a dialog box asking you to unlock your login keyring, click Cancel.

     Figure: You can click Cancel if asked to unlock your login keyring.

  3. Select the VNC protocol and type the IP address of the target system, as shown in the figure below, then supply the VNC password recovered with Hydra when Remmina prompts for it.

     Figure: To connect to a VNC server using Remmina, select the VNC protocol and type the IP address of the target.

And that’s it. We are in 😄

~ Source: Tryhackme.

Challenge Solution