Sunday, January 1, 2017

Ncrack

We will continue with password-cracking tools. In the previous post, we went through email password cracking with Hydra. This time the topic is how to crack SSH passwords with Ncrack.

SSH (Secure Shell) is a service that lets users connect to a server remotely while keeping the connection secure. For security reasons, the Telnet protocol was replaced by SSH; the latest version is SSH 2.x. Unlike Telnet, which sends data without encryption, SSH encrypts the session. Three techniques are involved in securing an SSH connection: symmetric encryption, asymmetric encryption and hashing. Each has its own pros and cons in terms of speed, security and ease of use. For further information about how it works, head over to the link here.

When a server is not configured well, you always have a chance to brute-force username-password pairs. Doing this automatically is where such tools come in. Hydra, Ncrack and Medusa are the well-known ones for online password cracking. Like Hydra and Medusa, Ncrack is straightforward and easy to use. It supports many protocols, such as HTTP(S), POP3, SMB and SSH. Let's get started.

For this tutorial I used the SSH service of a website developed specially for newbies to learn the ropes. You can level up to the 27th level in a mode called Bandit. Here is the link. It says there that you should start the game after logging in to the SSH server. The username is bandit0 and the password is bandit0. I prepared a password list of common passwords and added 'bandit0' to it. As predicted, after all the failed tries, it found the valid password.

In the second example, I brute-forced Metasploitable, this time with two wordlists, one for usernames and one for passwords. Once again it successfully found the credentials.

When you take a look at the parameters, at the top of the list you will see that it accepts the report formats that Nmap outputs. This lets you work on multiple servers in a range of IP addresses: if it finds any service that Ncrack supports, it filters out the others and starts cracking. I tested this option on Metasploitable but did not wait for it to fully complete. What I observed so far was that it also found an FTP service working with the same credentials, msfadmin:msfadmin. When you work on a range of IP addresses you might want to remove some hosts from the list with the --exclude option. You may also want to adjust the number of concurrent parallel connections, the number of authentication attempts per connection, and so forth. Some servers are configured not to permit brute-force attacks, so they stop responding to persistent tries. Fine adjustments can be necessary in such cases, but setting a long delay between tries makes the run take a long time. Finding a happy medium with the parameters can therefore be difficult, yet it is necessary in some cases. You can specify username and password lists, or use a single username with the --user parameter. Password specification works the same way: --pass is for a single password and -P is for a list.
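As an added illustration of what such a run looks like from the server side (this is not part of the original post), the following Python script applies simple brute-force detection to constructed auth.log lines: it flags a source once it reaches a number of failed logins within a time window, and flags it again when a login then succeeds from that source, which is exactly the trail a successful run leaves behind. The log lines, host name and IP addresses are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd lines in syslog format; 10.0.0.5 plays the cracking host.
SAMPLE_LOG = """\
Jan  1 10:00:01 srv sshd[2001]: Failed password for invalid user admin from 10.0.0.5 port 51001 ssh2
Jan  1 10:00:02 srv sshd[2002]: Failed password for root from 10.0.0.5 port 51002 ssh2
Jan  1 10:00:02 srv sshd[2003]: Failed password for bandit0 from 10.0.0.5 port 51003 ssh2
Jan  1 10:00:03 srv sshd[2004]: Failed password for bandit0 from 10.0.0.5 port 51004 ssh2
Jan  1 10:00:04 srv sshd[2005]: Failed password for bandit0 from 10.0.0.5 port 51005 ssh2
Jan  1 10:00:05 srv sshd[2006]: Accepted password for bandit0 from 10.0.0.5 port 51006 ssh2
Jan  1 10:03:00 srv sshd[2007]: Failed password for alice from 192.168.1.9 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse(line):
    """Return (timestamp, result, user, ip), or None for lines we do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["result"], m["user"], m["ip"]

def detect(log_text, threshold=5, window=60):
    """Flag a source once it reaches `threshold` failures within `window` seconds,
    and again if a login then succeeds from it (a guessed credential, most likely)."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged, alerts = set(), []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, ip = rec
        q = recent[ip]
        while q and (ts - q[0]).total_seconds() > window:
            q.popleft()               # slide the window forward
        if result == "Failed":
            q.append(ts)
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append((ip, "bruteforce"))
        elif ip in flagged:
            alerts.append((ip, "success-after-failures:" + user))
    return alerts
```

Running detect(SAMPLE_LOG) yields two alerts for 10.0.0.5 and none for 192.168.1.9, whose single failure stays below the threshold; this is the same counting that ban tools such as fail2ban perform before blocking a source.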

Instead of just compiling random username and password pairs, there is a way to speed up the process. I have not touched on the Metasploit Framework in this blog yet. Metasploit has a module named ssh_enumusers. As its name suggests, it enumerates a username list against an SSH server, analyzing each response to tell whether the username exists or not. Enumeration tools are programmed to process and make sense of the packets sent back by servers based on the differences between responses. Enumeration can speed up the process by eliminating invalid users.

As to how you can keep your system secure, including SSH, it is always advised that you change your passwords frequently and make them long. There is even software that automatically changes your passwords at intervals short enough that cracking them is technically impossible with today's technology. Disabling root login if it is not necessary and using public/private key pairs would be smart. If the server is supposed to communicate only with certain clients, then use a firewall to drop packets coming from unknown sources.
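Added example, not from the original post: a small Python audit of the sshd_config points mentioned above (root login, password versus key authentication, and the number of guesses allowed per connection), with a constructed weak configuration next to its hardened counterpart. The keywords are real sshd_config keywords; the two configurations are constructed, and the parser assumes the "keyword value" form rather than "keyword=value".

```python
# Settings the hardening advice above maps to, as sshd_config keywords (lowercased).
RECOMMENDED = {
    "permitrootlogin": "no",         # disable root login if not necessary
    "passwordauthentication": "no",  # use public/private key pairs instead
    "maxauthtries": "3",             # at most this many guesses per connection
}

# Constructed weak configuration (permissive settings, not copied from any real host).
WEAK_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
MaxAuthTries 6
"""

# Constructed hardened counterpart of the same file.
HARDENED_CONFIG = """\
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
MaxAuthTries 3
"""

def parse_sshd_config(text):
    """Map lowercased keyword -> first value; sshd honours the first occurrence of a keyword."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.lower().startswith("match "):
            break   # conditional Match blocks are out of scope for this check
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip().lower())
    return settings

def audit(text):
    """Return (keyword, actual, recommended) for each weak setting; missing keywords read 'unset'."""
    settings = parse_sshd_config(text)
    findings = []
    for key, want in RECOMMENDED.items():
        actual = settings.get(key, "unset")
        if key == "maxauthtries":
            ok = actual.isdigit() and int(actual) <= int(want)
        else:
            ok = actual == want
        if not ok:
            findings.append((key, actual, want))
    return findings
```

audit(WEAK_CONFIG) reports all three settings, while audit(HARDENED_CONFIG) returns an empty list; a firewall rule restricting who may reach port 22 is the remaining piece of the advice above and lives outside sshd_config.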

Wednesday, October 12, 2016

Hydra

In this post, I will continue with cracking types of attacks. Cracking email passwords plays an important role in cyber security in the sense that almost every platform, such as social media platforms, forums and even certain applications, predominantly uses email addresses to create and then manage accounts. So it is highly critical to keep your passwords safe and change them periodically. Mail servers can also be configured by administrators not to permit brute-force attacks. After a certain number of failed login attempts, you end up with an unresponsive server. That is when you need to dig deeper into figuring out how to evade this sort of restriction. Adjusting the wait time of your cracking process can help at this point.

Hydra is a cracking tool built into Kali Linux which can work against offline and online platforms. It works with plenty of platforms; SSH, RDP and HTTP are just a few of them. You should take a look at the full list here. There is also a GUI version of this tool, namely Hydra-GTK, but I am going to stick with the console-based one. What I am going to do in this tutorial is simply prepare a wordlist containing the right password and then run a brute-force attack with it.

Let's get back to the program. Like the previous tools, Hydra is simple and yet practical. Certain parameters are more commonly used than others. To see the full list of options, you can type hydra -h.

(-R) In case of any mishap or pause, you can carry on from where you left off.
(-S) It also supports HTTP and HTTPS. When you crack SSL-protected services, this is the way to go.
(-s) Lower-case s stands for the port number of the service. SMTP servers usually run on port 465, but it varies from server to server.
(-l, -L) Lower-case l is for a single username. Let's say you have three usernames and a wordlist for a certain SSH server, but you are not sure which password belongs to which username. That's when you should use the -L parameter.
(-p, -P) Similarly, you have single and list options for the password here.
(-x) You can generate passwords according to a pattern with this. For example, -x 4:6:A1 generates passwords of length 4 to 6 with upper-case letters and numbers. For those who want to dig deeper, take a look at hydra -x -h.
(-t) Number of concurrent connections running in parallel.
(-w) Stands for the wait time between attempts.
(-v) Verbose mode.
(-V) Shows every login-password pair attempted.
(-f) Used when you would like to exit after a successful login is found.

These are the common parameters. Every SMTP server has a port number on which mail traffic functions. Email management software needs POP3 and SMTP access, so you should learn which port number your mail server uses. Here is a link where you can find a list of mail server ports.

I created an account on the Yandex mail server beforehand for the sake of this tutorial. The mail account we are going to work on is pentestingtr@yandex.com and its password is password123. I added this password to the wordlist. I do not recommend a lengthy password list; there are tools like crunch to prepare a more specific wordlist for certain targets. Otherwise it would take a very long time to crack. One of the overarching steps in password cracking is to gather as much information as you can through social engineering. It is also a way to guess date-of-birth and name combinations and the like. You can do that in a more automated way with wordlist generators.

As we predicted, it eventually found the right password successfully.