How to accomplish a brute force attack
This article is designed to demonstrate how to accomplish a brute
force attack, and what it looks like from the receiving end. Brute
force means password guessing. This can only feasibly be accomplished
with the aid of good target reconnaissance and some automated
programs. While it is very easy to write your own brute force
program, there are several available for free online. I find Brutus
to be one of the best brute force tools. You can find it at
Hoobie.net.
The first step in a brute force attack (or for
that matter, any attack) is target enumeration. This is the process
by which we find where and how a target is vulnerable. I use NMAP for
almost all of my initial cursory scans of networks. Lets use the
target of my own desktop server and run an NMAP scan to find out what
we have to play with. The output from my scan follows:
nmap
-sS -O 216.25.200.135
Starting nmap V. 2.30BETA17 by
fyodor@insecure.org (
http://www.insecure.org/nmap/
)
Interesting ports on
ip-216-25-200-135.covad.dsl.fcc.net
(216.25.200.135):
Port
State Service
21/tcp open ftp
25/tcp open smtp
80/tcp open
http
135/tcp open loc-srv
139/tcp open netbios-ssn
443/tcp
open https
445/tcp open microsoft-ds
1025/tcp open listen
1026/tcp open nterm
1031/tcp open iad2
TCP Sequence
Prediction: Class=random positive increments
Difficulty=7635
(Worthy challenge)
Remote operating system guess: Windows 2000 RC1
through final release
Nmap run completed -- 1 IP address (1
host up) scanned in 1 second
Ok, so we’ve got
several services to choose from on this target. The first one that
catches my eye is FTP. We can use this to brute force passwords, and
we can use smtp to check for user accounts. Now the fun begins.
I’ll first try ftp to find if anonymous ftp is
enabled (which could potentially make my task a lot easier, there are
rare computers with completely open upload/download ftp servers
without strong restrictions (allowing you to upload and download to
the web root folder)).
C:\>ftp 216.25.200.135
Connected
to 216.25.200.135.
220 WIN2KSERVER Microsoft FTP Service (Version
5.0).
User (216.25.200.135:(none)): anonymous
331 Password
required for anonymous.
Password:foo@nowhere.com
530 User
anonymous cannot log in.
Login failed.
ftp> quit
221 Fuck
off!
It seems that anonymous ftp isn’t
enabled, and not only that the server is quite rude when I leave. The
server did give some confirmation that it is running Windows NT, or
in this case Windows 2000 (dead giveaway in the machine’s
name ‘WIN2KSERVER’). We’ll
try the SMTP server now to check for user names.
220
WIN2KSERVER Microsoft ESMTP MAIL Service, Version:
5.0.2195.2966
ready at Fri, 22 Jun 2001 09:08:49 –0400
vrfy
smellydell
252 2.1.5 Cannot VRFY user, but will take message for
smellydell
vrfy administrator
252 2.1.5 Cannot VRFY user, but
will take message for administrator
well, there’s
no use in verifying anyone on this server as it seems that the server
will give the same message for real and bogus accounts (all NT
servers have an ‘administrator’
account, in much the same way that *nix have root accounts). The
‘expn’ command didn’t
work at all on this server (replied with ‘unknown
command’ at expn postmaster). So at this point
I’m S.O.L., but some machines will give a very good
list of users and or active accounts using the smtp server.
Ok,
so I’m off to brute forcing. The first thing I do is
fire up Brutus.
Screenshot of brutus at startup
Next
I’ll have to modify my users list (found in
users.txt in the Brutus directory) to include users I suspect to be
on an NT server. NT always has a ‘Guest’
account and an ‘Administrator’
account. I’ll add a few more guesses. In the end my
users list looks like this:
A text file list of users
The
next step is to fire Brutus at the target, when configured for an ftp
attack, Brutus appears thus:
Configuring brutus
You’ll
notice I set the timeout higher than the default. Brutus nicely
circumvents connection limits by creating new connections for every
request. This is useful because some servers will cut your connection
after 3 bad guesses at passwords. Brutus uses the targets ability to
take multiple ftp requests and creates a new request for every guess
(I have set the program to make 10 requests simultaneously). The
timeout is the lag time that the program will allow before it makes a
new request. If you don’t set this high enough you
are likely to flood the target and either crash its server, or simply
hang Brutus. You can use a really high connection and low timeout
rate as an effective DoS attack that will knock weak servers
completely off the net.
So now I’ll fire
Brutus at the target. I’m using the default password
list that comes with the program, but there are several larger, and
more complete word lists available online. What Brutus will do is try
every username listed in the users file with every password in the
word list (and can even generate its own random word list to include
all combinations of letters, characters, and numbers). Remember that
most passwords are 8 characters long, so its usually not worthwhile
to try and brute force very short passwords. Here’s
what Brutus looks like in action:
Screenshot of brutus
attacking a target
Now, the downside to brute forcing is that
it is extremely noisy, and even the worst sysadmin should notice it.
During my demonstration my server immediately popped an alert that
the system log was full. A quick examination of the system log
reveals the problem immediately:
Screenshot of an NT event
log
All those warnings you see are bad FTP login attempts. A
double click on the alert shows:
Screenshot of an event log
detail showing the brute force attack
It isn’t
hard to figure out exactly what is going on. Even more disturbing is
the log file left behind. Here’s a
snippit:
13:30:18 216.25.200.135 [5]USER admin 331
13:30:18
216.25.200.135 [6]USER admin 331
13:30:18 216.25.200.135 [7]USER
admin 331
13:30:18 216.25.200.135 [8]USER admin 331
13:30:18
216.25.200.135 [9]USER admin 331
13:30:18 216.25.200.135 [10]USER
admin 331
13:30:18 216.25.200.135 [11]USER admin 331
13:30:18
216.25.200.135 [12]USER admin 331
13:30:18 216.25.200.135 [13]USER
admin 331
13:30:18 216.25.200.135 [4]PASS - 530
13:30:18
216.25.200.135 [14]USER admin 331
13:30:18 216.25.200.135 [5]PASS
- 530
13:30:18 216.25.200.135 [6]PASS - 530
13:30:18
216.25.200.135 [7]PASS - 530
13:30:18 216.25.200.135 [8]PASS -
530
13:30:18 216.25.200.135 [9]PASS - 530
13:30:18
216.25.200.135 [10]PASS - 530
13:30:18 216.25.200.135 [11]PASS -
530
13:30:18 216.25.200.135 [15]USER admin 331
13:30:18
216.25.200.135 [16]USER admin 331
Not only do you notice all
the tries for the same account, but you can tell it is an automated
attempt to brute force because the times of the attempts are so close
together (60 or so attempts a second). Even more damning is that my
IP address is logged all over the huge log file. Its not hard to spot
me or figure out what I’m attempting to do. Be
warned if you attempt a brute force that you are probably going to
get notice.
Now, I happened to be successful on this attempt
and got on username and password. The results are displayed in Brutus
under the ‘Positive Authentication Results’
window:
Screenshot showing brutus successfully identifying
login information
You can see the username ‘user’
and password ‘charles’ worked on the
server. Lets try them out:
C:\>ftp 216.25.200.135
Connected
to 216.25.200.135.
220 WIN2KSERVER Microsoft FTP Service (Version
5.0).
User (216.25.200.135:(none)): user
331 Password required
for user.
Password: charles
230-Fuck you!
230 User user
logged in.
ftp>
Boom, and its just that easy. Now that
I’m in my first step should be to attempt to clean
up the traces of my attack (i.e. the log files and system event
logs). Accomplishing this task takes more explanation than I have
time for here, but hopefully you get the idea.
If nothing
else, this short article should show you the value of good passwords.
If I hadn’t set up the account ‘user’
with such a crappy password this attack most likely would have been
unsuccessful. See my article on passwords for a good run down of how
to pick a good password to keep your accounts safe from brute force
attempts.