We continue with password-cracking tools. In the previous post we went through email password cracking with Hydra. This time the topic is how to crack SSH passwords with Ncrack.
SSH (Secure Shell) is a service that lets users connect to a remote server while keeping the connection secure. For security reasons the Telnet protocol was replaced by SSH; the latest version is SSH 2.x. Unlike Telnet, which sends data without encryption, SSH encrypts it. SSH relies on three kinds of cryptography to protect the connection: symmetric encryption, asymmetric encryption and hashing. Each has its own pros and cons in terms of speed, security and ease of use. For further information about how it works, head over to the link here.
When a server is not configured well, you always have a chance to brute-force it by trying username-password pairs. Doing this automatically is where such tools come in. Hydra, Ncrack and Medusa are the well-known ones for online password cracking. Like Hydra and Medusa, Ncrack is straightforward and easy to use. It supports many protocols, such as HTTP(S), POP3, SMB and SSH. Let's get started.
For this tutorial I used the SSH service of a website developed specially for newbies to learn the ropes. You can level up to the 27th level in a mode called Bandit. Here is the link. It says there that you start the game by logging in to the SSH server. The username is bandit0 and the password is bandit0. I prepared a password list of common passwords and added 'bandit0' to it. As predicted, after all the failed tries it found the valid password.
In the second example I tried to brute-force Metasploitable, this time with two wordlists, one for usernames and one for passwords. Once again it successfully found the credentials.
When you take a look at the parameters, at the top of the list you will see that Ncrack can read the report formats that Nmap outputs. This lets you work on multiple servers in a range of IP addresses: for every service that Ncrack supports, it filters out the others and starts cracking. I tested this option on Metasploitable but did not wait for it to fully complete. What I observed so far was that it also found an FTP service that accepted the same credentials, msfadmin:msfadmin. When you work on a range of IP addresses you might want to remove some hosts from the list with the --exclude option. You may also want to adjust the number of concurrent parallel connections, the number of authentication attempts per connection, and so forth. Some servers are configured not to tolerate brute-force attacks and stop responding to persistent tries. Fine adjustments such as these can be necessary in those cases, but setting a long delay between tries makes the run take a long time, so finding a happy medium with the parameters can be difficult, yet sometimes necessary. You can specify username and password lists, or use a single username with the --user parameter. Password specification works the same way: --pass is for a single password and -P is for a list.
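
The "servers that stop responding to persistent tries" mentioned above do so because something on the server side is watching the authentication log. The following script is an added example, not part of the original post or of Ncrack: it shows the detection side of a wordlist run against sshd, using constructed log lines in the format OpenSSH writes to the system auth log (the hostname, addresses, usernames and the threshold of 5 are made up for the example).

```python
import re
from collections import defaultdict

# Constructed sample of sshd auth-log lines (hostname, addresses, usernames
# and timestamps are invented for this example).
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:02 bandit sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:02 bandit sshd[2102]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar  3 10:01:03 bandit sshd[2103]: Failed password for bandit0 from 203.0.113.7 port 51024 ssh2
Mar  3 10:01:03 bandit sshd[2104]: Failed password for invalid user guest from 203.0.113.7 port 51025 ssh2
Mar  3 10:01:04 bandit sshd[2105]: Failed password for bandit0 from 203.0.113.7 port 51026 ssh2
Mar  3 10:01:05 bandit sshd[2106]: Accepted password for bandit0 from 203.0.113.7 port 51027 ssh2
Mar  3 10:04:11 bandit sshd[2140]: Failed password for bandit0 from 198.51.100.5 port 40010 ssh2
Mar  3 10:04:30 bandit sshd[2141]: Accepted publickey for bandit0 from 198.51.100.5 port 40011 ssh2
"""

# "invalid user" appears when the account does not exist at all.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def summarise(log_text):
    """Return failures per source address, the distinct usernames each source
    tried, and every successful login as (source, user, method)."""
    failures = defaultdict(int)
    users_tried = defaultdict(set)
    successes = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m["src"]] += 1
            users_tried[m["src"]].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            successes.append((m["src"], m["user"], m["method"]))
    return failures, users_tried, successes


def find_bruteforce(log_text, threshold=5):
    """Flag every source with at least `threshold` failed passwords.

    A burst of failures followed by an 'Accepted' from the same source is the
    trace a wordlist run leaves behind, so each alert also lists which
    accounts that source later logged in to and by which method."""
    failures, users_tried, successes = summarise(log_text)
    alerts = []
    for src, count in failures.items():
        if count >= threshold:
            later = [(u, m) for s, u, m in successes if s == src]
            alerts.append({
                "source": src,
                "failures": count,
                "distinct_users": len(users_tried[src]),
                "later_success": later,
            })
    return sorted(alerts, key=lambda a: a["failures"], reverse=True)


if __name__ == "__main__":
    for alert in find_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

Run on the sample, only 203.0.113.7 crosses the threshold: five failures spread over four usernames, then a password login as bandit0. The second source fails once and then authenticates with a key, which is normal behaviour and is not reported. A production rule would be keyed on a time window rather than on the whole file, but the pattern is the same one tools such as fail2ban act on when they start dropping a source.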
Instead of just compiling random username and password pairs, there is a way to speed up the process. I have not touched on the Metasploit Framework in this blog yet. Metasploit has a module named ssh_enumusers. As its name says, it enumerates a list of usernames against an SSH server, analysing each response to determine whether the username exists. Enumeration tools are programmed to process the packets a server sends back and make sense of the differences between its responses. Enumeration can speed up the process by eliminating invalid users.
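
The difference between responses that such enumeration relies on is usually a side effect of the server doing less work for an unknown account than for a real one. The following is an added example (not from the post, Metasploit or OpenSSH) of that mistake in a toy password check beside its fixed form: the leaky version returns as soon as the username is unknown, so only real accounts pay for the hash computation, while the uniform version always hashes against a dummy record so both cases take the same path. The user database, salt and PBKDF2 parameters are constructed for the example; the exact mechanism ssh_enumusers uses against a given OpenSSH version is not modelled here, only the principle.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000          # PBKDF2 work factor (constructed value)
WORK = {"hashes": 0}         # counts hash computations so the two paths can be compared


def _hash(password, salt):
    """Expensive password hash; also counts how often it is called."""
    WORK["hashes"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user database: {username: (salt, pbkdf2 hash)}
_SALT = b"constructed-salt"
USERS = {
    "bandit0": (_SALT, _hash("bandit0", _SALT)),
}

# A dummy record that unknown usernames are checked against, so the
# hardened path does the same amount of work whether or not the user exists.
DUMMY_SALT = os.urandom(16)
DUMMY_HASH = _hash("dummy-password", DUMMY_SALT)


def login_leaky(username, password):
    """Returns early for unknown users, so the expensive hash only runs for
    real accounts: the response time tells the client whether the username
    exists, which is exactly what an enumeration tool measures."""
    entry = USERS.get(username)
    if entry is None:
        return False
    salt, stored = entry
    return hmac.compare_digest(_hash(password, salt), stored)


def login_uniform(username, password):
    """Always performs one hash computation, against the dummy record when the
    user is unknown, so the timing is the same in both cases. The final
    membership test prevents the dummy password from ever logging anyone in."""
    salt, stored = USERS.get(username, (DUMMY_SALT, DUMMY_HASH))
    ok = hmac.compare_digest(_hash(password, salt), stored)
    return ok and username in USERS


def hash_work(fn, username, password):
    """Number of hash computations `fn` performs for one login attempt."""
    before = WORK["hashes"]
    fn(username, password)
    return WORK["hashes"] - before


if __name__ == "__main__":
    for fn in (login_leaky, login_uniform):
        print(fn.__name__,
              "known user:", hash_work(fn, "bandit0", "wrong"),
              "unknown user:", hash_work(fn, "nobody", "wrong"))
```

The leaky check does zero hash computations for an unknown user and one for a known user; the uniform check does one in both cases, so the response time no longer depends on whether the account exists. Timing is only one kind of difference; distinct error messages or distinct protocol behaviour leak the same information, and the fix is always the same: make the server's observable behaviour identical for valid and invalid usernames.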
As to how you can keep your system secure, SSH included, it is always advised to change your passwords frequently and to use long ones. There is even software that automatically rotates your passwords at intervals short enough that cracking them is technically impossible with today's technology. Disabling root login when it is not necessary and using public and private keys instead of passwords would be smart. If the server is only supposed to communicate with certain clients, use a firewall to drop packets coming from unknown sources.
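
The three sshd-side measures above (no root login, keys instead of passwords, a limit on attempts per connection) each correspond to a directive in sshd_config. The following is an added example, not from the post: a small checker that parses an sshd_config text, fills in the documented OpenSSH defaults for directives that are absent, and reports the settings that leave the server open to password guessing. The two config texts are constructed; the directive names and defaults are the ones documented in sshd_config(5).

```python
# OpenSSH defaults that apply when a directive is absent (sshd_config(5)).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "maxauthtries": "6",
}

# Constructed example configs: a permissive one and a hardened one.
WEAK_CONFIG = """\
# sshd_config (constructed example)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
MaxAuthTries 10
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
"""


def parse_sshd_config(text):
    """Return {directive (lowercased): value} for the global section.

    sshd honours the first occurrence of a directive and ignores later ones,
    so setdefault() is used. Parsing stops at the first 'Match' block because
    directives inside it are conditional, not global."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(key, value)
    return conf


def audit(text, max_tries=4):
    """List the findings that matter for online password guessing.

    `max_tries` is the largest MaxAuthTries accepted without a finding
    (a constructed threshold, not an OpenSSH value)."""
    conf = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if conf["permitrootlogin"].lower() == "yes":
        findings.append("PermitRootLogin yes: root is a guessable account; "
                        "set 'no' or 'prohibit-password'")
    if conf["passwordauthentication"].lower() == "yes":
        findings.append("PasswordAuthentication yes: wordlist attacks are possible; "
                        "deploy keys and set 'no'")
    if conf["pubkeyauthentication"].lower() != "yes":
        findings.append("PubkeyAuthentication is off: keys cannot replace passwords")
    try:
        tries = int(conf["maxauthtries"])
    except ValueError:
        tries = None
    if tries is None or tries > max_tries:
        findings.append(f"MaxAuthTries {conf['maxauthtries']}: allows many guesses "
                        f"per connection; lower it to {max_tries} or less")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["no findings"])
```

Note that an empty config is not clean: with OpenSSH defaults, password authentication stays on and MaxAuthTries is 6, so the checker still reports two findings for it. The firewall rule from the last sentence of the post lives outside sshd and is not covered here.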