We start off our discussion of UNIX attacks with the most basic form of attack— brute-force password guessing. A brute-force attack may not appear sexy, but it is one of the most effective ways for attackers to gain access to a UNIX system. A brute-force attack is nothing more than guessing a user ID/password combination on a service that attempts to authenticate the user before access is granted. The most common types of services that can be brute-forced include the following:
• File Transfer Protocol (FTP)
• The “r” commands (rlogin, rsh, and so on)
• Secure Shell (ssh)
• SNMP community names
• Post Offi ce Protocol (POP) and Internet Message Access Protocol (IMAP)
• Hypertext Transport Protocol (HTTP/HTTPS)
• Concurrent Version System (CVS) and Subversion (SVN)
Services such as finger, rusers, and sendmail are used to identify user accounts on a target system. Once attackers have a list of user accounts, they can begin trying to gain shell access to the target system by guessing the password associated with one of the IDs. Unfortunately, many user accounts have either a weak password or no password at all. The best illustration of this axiom is the “Joe” account, where the user ID and password are identical. Given enough users, most systems will have at least one Joe account. To our amazement, we have seen thousands of Joe accounts over the course of performing our security reviews. Why are poorly chosen passwords so common? People don’t know how to choose strong passwords or are not forced to do so.
Although it is entirely possible to guess passwords by hand, most passwords are guessed via an automated brute-force utility. Attackers can use several tools to automate brute forcing, including the following:
• THC – Hydra
Also read ―> Cracking Files
Hydra is one of the most popular and versatile brute force utilities available. Hydra includes many features and supports a number of protocols. The following example demonstrates how hydra can be used to perform a brute force attack:
In this demonstration, we have created two files. The users.txt file contains a list of five usernames and the passwords.txt contains a list of five passwords. Hydra will use this information and attempt to remotely authenticate to a service of our choice, in this case SSH. Based on the length of our lists, a total of 25 username and password combinations are possible. During this effort, hydra shows three of the five accounts were successfully brute forced. For the sake of brevity, the list included known usernames and some of their associated passwords. In reality, valid usernames would first need to be enumerated and a much more extensive password list would be required. This of course would increase the time to complete, and no guarantee is given that user’s password is included in the password list. Although hydra helps automate brute-force attacks, it is still a very slow process.
NOTE: This is for educational purpose only we are not responsible for any type of inconvenience caused by reader.