Unit 4

The document provides an overview of various network protocols including TCP, UDP, and ICMP, highlighting their characteristics and common applications. It also discusses server protocols like FTP, SMTP, and HTTP, along with methods for attacking network remote services using tools such as Hydra, Medusa, and Ncrack for password cracking. Additionally, it covers types of brute force attacks and the use of Metasploit for penetration testing, specifically targeting MySQL and MS SQL servers.


Basics of Exploitation

Understanding Network Protocols


 1. TCP (Transmission Control Protocol)
 2. UDP (User Datagram Protocol)
 3. ICMP (Internet Control Message Protocol)
Transmission Control Protocol
 Most of the Internet's traffic is based upon TCP since, unlike UDP, it guarantees reliable communication.
 Most of the protocols that we encounter in our daily lives are based upon TCP.
 Common examples are FTP, SMTP, Telnet, and HTTP.
 TCP is used whenever we need reliable communication between a client and a server.
 TCP sets up a reliable connection via the three-way handshake.
User Datagram Protocol (UDP)
 UDP is, in this respect, the opposite of TCP.
 It is used for faster communication; examples are video streaming and VoIP calls such as Skype.
 The advantage of this protocol over TCP is that it is much faster and more efficient.
 The disadvantage of UDP is that it does not guarantee that a packet will reach its destination.
Internet Control Message Protocol
 ICMP runs at layer 3 (network layer) of the OSI model, unlike TCP and UDP, which run at layer 4.
 The protocol was developed for reporting and troubleshooting errors on a network.
 It is a connectionless protocol, which means that it gives no guarantee that a packet will reach its destination.
 Common applications that use ICMP are "ping" and "traceroute".
Server Protocols
 All server protocols are divided into two basic categories:
 1. Text-based protocols
 2. Binary protocols
Text-Based Protocols
 Text-based protocols are human-readable protocols, and this is where you, as a penetration tester, will spend most of your time, as they are very easy to understand.
 Common examples of text-based protocols are HTTP, FTP, and SMTP.
Binary Protocols
 Binary protocols are not human-readable and are much more difficult to understand.
FTP
 FTP stands for File Transfer Protocol; it runs on port 21.
 FTP is commonly used for uploading files to and downloading files from a server.
 FTP is often the weakest link in a network because it is unencrypted: credentials and file contents travel in clear text.
SMTP
 SMTP stands for Simple Mail Transfer Protocol.
 It runs on port 25.
 It is used by most mail servers today.
 As penetration testers, we encounter SMTP a lot, as it is almost always exposed to the Internet and usually carries sensitive information.
HTTP
 You open up your browser, type a URL into the address bar, and connect to the website.
 The protocol you are using to do this is HTTP.
 It runs on port 80.
 It is the fundamental protocol of the web.
Attacking Network Remote Services
 We will learn to use various tools, such as
 Hydra
 Medusa
 Ncrack
 to crack usernames and passwords for various network services such as FTP, SSH, and RDP.
Types of Brute Force Attacks
 Traditional Brute Force
 Dictionary Attacks
 Hybrid Attacks
Types of Brute Force Attacks….
Traditional Brute Force:
 In a traditional brute force attack, you try all possible combinations to guess the correct password.
 This process is usually very time consuming; if the password is long, it will take years to brute-force.
Types of Brute Force Attacks…
 Dictionary Attacks
 In a dictionary-based brute force attack, we use a custom wordlist, which contains a list of all possible username and password combinations.
 It is much faster than a traditional brute force attack and is the recommended approach for penetration tests.
 The only downside is that if the password is not in the list, the attack won't be successful.
Types of Brute Force Attacks….
 Hybrid Attacks
 Hybrid brute force attacks are a combination of a traditional brute force attack and a dictionary-based attack. The idea behind a hybrid attack is to apply brute-force variations (for example, appended digits or changed case) to each word in the dictionary.
Common Target Protocols
 Though there are lots of protocols that we can target, we will commonly come across only the following network protocols/services:
 FTP
 SSH
 SMB
 SMTP
 HTTP
 RDP
 VNC
 MySQL
 MS SQL
Tools
 To crack usernames and passwords for various network services such as FTP, SSH, and RDP, we use:
 Hydra
 Medusa
 Ncrack
What is Hydra?
 Hydra is an open source password brute-forcing tool designed around flexibility and high performance in online brute-force attacks.
 Online brute force refers to brute-forcing credentials against live network protocols, such as SSH, Remote Desktop Protocol (RDP) and HTTP (e.g., HTTP basic authentication), as well as HTML forms.
Hydra
 Hydra comes preloaded with a username/password list.
 We can predefine a username or a username list.
 Alternatively, we can use our own custom password list to increase the chances of success.
Basic Syntax for Hydra
 Here is the basic syntax for Hydra to brute-force a service.

 Example with the username set to "administrator" (lowercase -l takes a single username):

 hydra -l administrator -P password.txt <target IP> <service>

 Example with the username set to a username list (uppercase -L takes a file):

 hydra -L users.txt -P password.txt <target IP> <service>


Cracking Services with Hydra
Let's start by cracking an FTP password with Hydra, since FTP is one of the most commonly found services. For that, we need an FTP service to be running on the target.

Consider the target machine having an IP address of 192.168.75.40.

By performing a simple port scan with the nmap tool, we figure out that the target machine is running an FTP server on port 21.
Cracking Services with Hydra
 hydra -l administrator -P /pentest/passwords/wordlist/darkcode.lst 192.168.75.140 ftp

 We have specified the username as "administrator", followed by the -P parameter and the location of the wordlist.
 In BackTrack, the default lists are located in the /pentest/passwords/wordlist/ directory.
Notice that Hydra has managed to find the password: "aedis".
Now that we know the username and the password for the FTP server, we can try logging in.
Type "ftp" followed by the server name. It will ask for the username and password.
After entering them, we will be logged in to the FTP server, where we can issue further commands.
Medusa
 Medusa is an alternative to Hydra and is a really fast password cracking tool.
 It is a parallel brute force tool just like Hydra. However, it is much more stable and faster than Hydra.
We need four parameters in order to run Medusa:
 -h = hostname to attack
 -u = username to attack
 -P = password file
 -M = service (module) to attack
OpenSSH Username Enumeration
 Checks whether a given username, such as root, exists on the server.
 Syntax:
 root@root:# ./ssh_user_enum.py -user root -Host
Cracking SSH with Medusa
 medusa -h 192.168.75.141 -u root -P password.txt -M ssh
After a few attempts, it managed to find the correct password, which was "rafay". Now, you can log in to the SSH server using your favorite SSH client, such as PuTTY.
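From the server side, the Hydra run against FTP above and this Medusa run against SSH both look the same: a burst of failed logins from one source within seconds, sometimes followed by a success. The following detection logic is an added example (not code from the slides); it runs over constructed sshd log lines, flags any source with five or more failures inside a five-minute window, and records whether a login from that source succeeded after the burst.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines (not from the slides): a burst of failed logins
# from one source ending in a success, plus one ordinary failure from another host.
SAMPLE_LOG = """\
Mar 10 12:00:01 srv sshd[2101]: Failed password for root from 192.168.75.99 port 51234 ssh2
Mar 10 12:00:02 srv sshd[2102]: Failed password for root from 192.168.75.99 port 51235 ssh2
Mar 10 12:00:02 srv sshd[2103]: Failed password for invalid user admin from 192.168.75.99 port 51236 ssh2
Mar 10 12:00:03 srv sshd[2104]: Failed password for root from 192.168.75.99 port 51237 ssh2
Mar 10 12:00:04 srv sshd[2105]: Failed password for root from 192.168.75.99 port 51238 ssh2
Mar 10 12:00:05 srv sshd[2106]: Accepted password for root from 192.168.75.99 port 51239 ssh2
Mar 10 12:07:30 srv sshd[2150]: Failed password for alice from 192.168.75.20 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"password for (?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)

def parse_events(text, year=2024):
    """Return (timestamp, result, user, src) for each sshd auth line; syslog
    timestamps carry no year, so the caller supplies one (assumed 2024 here)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["src"]))
    return events

def detect_bruteforce(text, threshold=5, window=timedelta(minutes=5)):
    """Map each source with >= threshold failures inside any window-long span to
    its failure count and whether a login from it succeeded after the burst."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, result, _user, src in parse_events(text):
        (failures if result == "Failed" else successes)[src].append(ts)
    alerts = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over failures
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[src] = {"failures": end - start + 1,
                               "success_after": any(s > t for s in successes[src])}
                break
    return alerts
```

A burst followed by a success is the case to escalate, since the guessing may have worked; the same logic applies to FTP daemon logs once the regex is adapted to their failure line format.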
Ncrack
 Ncrack is another password cracking tool.
 It is based upon the Nmap libraries.
 It can be combined with Nmap to yield great results.
 The only disadvantage of this tool is that it supports very few services, namely FTP, SSH, Telnet, POP3, RDP, and VNC.
Basic Syntax
 We can execute the "ncrack" command without parameters in the terminal to find out what parameters are required for using Ncrack.
 -u = username to attack
 -P = password file (uppercase P)
 -p = port of the service to attack (lowercase p)
 -f = quit cracking after the first credential is found
Cracking an RDP with Ncrack
 # ncrack –u administrator –
P/pentest/passwords/wordlists/darkc0de.lst rdp://192.168.75.140

 Once our credentials are cracked, we can use rdesktop to log in to the
RDP.

 #rdesktop –u administrator –p aedis


Combining Nmap and Ncrack for Optimal Results
We will scan our network for all live hosts with open ports within our local network 192.168.75.1/24 and then export the results (as Nmap XML) to Ncrack, where it will automatically attempt to crack all the services requiring authentication.
 Now, from Ncrack, we will execute the following command to brute-force all the network services requiring authentication.

Command:
ncrack -vv -u administrator -P /pentest/passwords/wordlists/darkc0de.lst -iX /root/Desktop/output.xml -f
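The Nmap XML file that the command above hands to Ncrack is also the defender's inventory of exposed login services. The following parser is an added example (not code from the slides or from Nmap/Ncrack): it reads a constructed nmap -oX document, keeps only open ports whose service is one of the brute-force targets listed earlier, and pairs each with the hardening control to verify; the service names are the ones Nmap reports for those ports.

```python
import xml.etree.ElementTree as ET

# Login services the slides list as common brute-force targets, keyed by the
# service name nmap reports, with the hardening control a defender checks.
LOGIN_SERVICES = {
    "ftp": "replace with SFTP; no clear-text or anonymous logins",
    "ssh": "key-based auth only, PermitRootLogin no, rate limiting",
    "microsoft-ds": "SMB signing on, no guest or null sessions",
    "smtp": "AUTH only over TLS, throttle failed AUTH",
    "http": "lockout/CAPTCHA on login forms, no basic auth in clear",
    "ms-wbt-server": "NLA required, account lockout, not Internet-facing",
    "vnc": "reachable only through an SSH/VPN tunnel",
    "mysql": "bind to localhost, no remote root, no empty passwords",
    "ms-sql-s": "sa disabled or strong password, no empty passwords",
}

# Constructed nmap -oX output (not from the slides): two hosts, one closed port.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun>
 <host><status state="up"/><address addr="192.168.75.140" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/></port>
  <port protocol="tcp" portid="22"><state state="closed"/><service name="ssh"/></port>
  <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
  <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
 </ports></host>
 <host><status state="up"/><address addr="192.168.75.141" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
  <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
 </ports></host>
</nmaprun>"""

def exposed_login_services(xml_text):
    """Return [(ip, port, service, hardening_note)] for every open port whose
    nmap service name is one of the brute-forceable login services above;
    closed/filtered ports and hosts that are not up are skipped."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name") if svc is not None else None
            if name in LOGIN_SERVICES:
                findings.append((addr, int(port.get("portid")), name, LOGIN_SERVICES[name]))
    return findings
```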
MySQL Servers
 Metasploit
 The Metasploit Framework contains a large number of tools that enable penetration testers to identify security vulnerabilities, carry out attacks, and evade detection.
Some of the most commonly used tools:
 msfconsole—this is the main Metasploit command-line interface (CLI). It allows testers to scan systems for vulnerabilities, conduct network reconnaissance, launch exploits, and more.
 Exploit modules—allow testers to target a specific, known vulnerability.
 Auxiliary modules—allow testers to perform additional actions required during a penetration test which are not directly related to exploiting vulnerabilities, for example scanning and denial of service (DoS).
 Post-exploitation modules—allow testers to deepen their access on a target system and connected systems.
 Step 1—Launch Metasploit by typing "msfconsole".
 Step 2—Issue the following command: use auxiliary/scanner/mysql/mysql_login
 Step 3—Type the IP address of the target after the set RHOSTS command.
 Step 4—Define a USER_FILE that contains the list of all possible usernames.
 Step 5—Define a PASS_FILE that contains the list of all possible passwords.
 Step 6—Finally, type run to execute the module.
Hydra and Medusa to crack a MySQL password
 hydra -l root -P /pentest/passwords/wordlist/darkcode.lst 192.168.75.140 mysql
Metasploit
 Commands:
 msfconsole – to launch Metasploit
 use auxiliary/scanner/mysql/mysql_login (within the Metasploit console)
 set RHOSTS
 run
Using Null Passwords
 We can also attempt to authenticate to the MS SQL server using a null (empty) password. We can do this by using an nmap script called ms-sql-empty-password. The syntax for the script is as follows:
 nmap -p 1433 --script=ms-sql-empty-password <Target Host>
 The output would look like this if the log-in is successful:
 | ms-sql-empty-password:
 |   [172.16.222.152\PROD]
 |_    sa: => Login Success
