From Security Weekly Wiki

Password Cracking With THC-Hydra

I read a brief article on Hydra last week and it reminded me just what a great tool this is for remote password cracking. I use it on many of my assessments. The first thing you need to do is make certain that you have separate, special permission to run these tests. Password cracking is usually a welcomed addition to any assessment, provided you tell the customer exactly what is happening and when.

THC-Hydra: Setup and configuration

The first step is to download and compile THC-Hydra, which you can get here. An important thing to note when setting up this utility is that you must pay attention to the build process. THC-Hydra requires additional libraries in order to crack various services. For example, in order to crack SSH you must have the appropriate SSH libraries installed at build time, otherwise that module will be disabled. Take the following configure output as an example:

Starting hydra auto configuration ...
Checking for openssl (libssl/ssl.h) ... found
Checking for Postgres (libpq) ... NOT found, module postgres disabled
Checking for SVN (ibsvn_client-1 libapr-0.so libaprutil-0.so) ... NOT found, module svn disabled
Checking for SAP/R3 (librfc/saprfc.h) ... NOT found, module sapr3 disabled
    Get it from http://www.sap.com/solutions/netweaver/linux/eval/index.asp
Checking for libssh (libssh/libssh.h) ... NOT found, module ssh2 disabled
    Get it from http://0xbadc0de.be/ - use v0.11!
Hydra will be installed into .../bin of: /usr/local
    (change this by running ./configure --prefix=path)
Writing Makefile.in ...

ARM/PalmPilot users: please run ./configure-arm or ./configure-palm respectivly

In the above output Hydra has told us that it cannot find the libraries for Postgres, SVN, SAP, or SSH2, so those four modules would be left out of the build. After installing all of these libraries and re-running ./configure we get the following:

Now we are ready to run make and make install. I like to create a directory called /etc/hydra/ where I will store my configuration and dictionaries.
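Since the customer has been told exactly what is happening and when, the natural check from their side is whether the run shows up in their logs. The following is an added example (not part of the original page, and not Hydra's code) that flags the pattern a remote password-guessing run leaves in sshd auth logs: a burst of failed logins from one source, the list of usernames tried, and whether a success followed the burst. The log lines, the hostname and the addresses are constructed for the example; the year is supplied because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in OpenSSH syslog format; these lines are made up for
# the example and are not from the page. 192.0.2.10 walks several usernames
# and then succeeds; 198.51.100.7 is one ordinary mistyped password.
SAMPLE_AUTH_LOG = """\
Feb 20 10:15:01 bastion sshd[4021]: Failed password for invalid user admin from 192.0.2.10 port 51000 ssh2
Feb 20 10:15:01 bastion sshd[4022]: Failed password for root from 192.0.2.10 port 51001 ssh2
Feb 20 10:15:02 bastion sshd[4023]: Failed password for invalid user administrator from 192.0.2.10 port 51002 ssh2
Feb 20 10:15:02 bastion sshd[4024]: Failed password for root from 192.0.2.10 port 51003 ssh2
Feb 20 10:15:03 bastion sshd[4025]: Failed password for invalid user guest from 192.0.2.10 port 51004 ssh2
Feb 20 10:15:03 bastion sshd[4026]: Accepted password for root from 192.0.2.10 port 51005 ssh2
Feb 20 10:20:45 bastion sshd[4101]: Failed password for alice from 198.51.100.7 port 40111 ssh2
Feb 20 10:21:10 bastion sshd[4102]: Accepted publickey for alice from 198.51.100.7 port 40112 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line, year=2007):
    """Parse one sshd auth line; syslog lines carry no year, so one is supplied."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, min_failures=5, window=timedelta(minutes=1)):
    """Flag source IPs with at least min_failures failed logins inside one window.

    Returns {ip: {"failures": peak count inside a single window,
                  "users": sorted usernames tried,
                  "success_after_burst": True if a login from that IP was
                                         accepted after the failures began}}
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "Failed"]
        # Sliding window over failure timestamps to find the densest burst.
        start, peak = 0, 0
        for end in range(len(failures)):
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < min_failures:
            continue
        first_failure = failures[0]["ts"]
        alerts[ip] = {
            "failures": peak,
            "users": sorted({e["user"] for e in failures}),
            "success_after_burst": any(
                e["result"] == "Accepted" and e["ts"] >= first_failure for e in evs
            ),
        }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {info['failures']} failures, users={info['users']}, "
              f"success_after_burst={info['success_after_burst']}")
```

The threshold and window are deliberately low for the constructed sample; on a real host they are tuned against the normal rate of mistyped passwords, and the "success after burst" flag is the line that should page someone, because it means a guessed credential worked.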

Obtaining Dictionaries

The most important component to any password cracking is the username and password dictionaries. You will need both, as most services will require both a username and a password. Where do you get these? You have to find them for yourself :) (Please do not ask me as I will not share them). In all seriousness, Google is your friend. Here are a few links to get you started:

Default Password List From Phenoelit
Top Ten Admin Passwords to Avoid
Many Default Router Passwords
John The Ripper - Buy your password lists

I tend to have 2-3 different password databases that I start with. The first and most basic contains all the stupid passwords (secret, ciso, etc.). The second level layers on top of that all of the default password lists. The third layer includes everything mentioned before and adds a nice English dictionary. These will typically range from 100 or so passwords to 40,000+ passwords. I also keep at least two different username databases, one with common defaults (root, administrator) and one with many more. Then, layered on top of all of those, will be my own customizations based on the customer (gleaning from the web site, dumping the LDAP database, etc.).
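The same layered lists are just as useful on the defending side: a password that appears in them, or that is a trivial variant of a word in them, is one a dictionary run will find. The following is an added example (not the author's lists or tools) of a blocklist check built from three miniature stand-ins for the layers described above; the word lists are constructed for the example, and the mangling rules undone by candidates() (case, a few leet substitutions, trailing digits) are an assumption about what a simple cracker tries, not a description of Hydra's behaviour.

```python
import itertools
import re

# Constructed miniature stand-ins for the three layers described above;
# these short lists are made up for the example, not the author's databases.
LAYER_STUPID = ["secret", "ciso", "password", "admin", "letmein"]
LAYER_DEFAULTS = ["admin", "cisco", "public", "private", "changeme"]
LAYER_DICTIONARY = ["summer", "dragon", "monkey", "welcome", "security"]

# Cheap substitutions a cracker's mangling rules undo; "1" may stand for i or l.
LEET = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}


def build_blocklist(*layers):
    """Union of the layers, lower-cased and de-duplicated (the layering in the text)."""
    return {w.strip().lower() for layer in layers for w in layer if w.strip()}


def candidates(password):
    """Forms a simple cracker would try: lower-cased, leet undone, trailing digits dropped."""
    s = re.sub(r"[^a-z0-9@$]+", "", password.lower())
    bases = {s, re.sub(r"\d+$", "", s)}
    out = set()
    for base in bases:
        choices = [LEET.get(ch, ch) for ch in base]
        out.update("".join(combo) for combo in itertools.product(*choices))
    return out


def check_password(password, blocklist, min_len=12):
    """Return 'ok' or the reason the password would fall to a dictionary run."""
    if password.lower() in blocklist:
        return "in blocklist"
    if candidates(password) & blocklist:
        return "trivial variant of blocklisted word"
    if len(password) < min_len:
        return "too short"
    return "ok"


if __name__ == "__main__":
    bl = build_blocklist(LAYER_STUPID, LAYER_DEFAULTS, LAYER_DICTIONARY)
    for pw in ["ChangeMe", "P@ssw0rd", "Secur1ty2007!", "correct horse battery staple"]:
        print(f"{pw!r}: {check_password(pw, bl)}")
```

With the real 40,000+ word third layer the set lookup is still instant, which is the point: the defender can run exactly the lists a tester would run before the tester does.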

Stories for Discussion

Chris Paget of IOActive doing an RFID Hacking Presentation at Blackhat - [Joe] - "Secure card maker HID Corp. is objecting to a demonstration of a hacking tool at this week's Black Hat Federal security conference in Washington, D.C. that could make it easy to clone a wide range of so-called "proximity" door access cards." - [Larry] Talk was canceled due to legal threats by HID. moar info

Reverse hacker wins $4.3M in suit against Sandia Labs - [Joe] - "Shawn Carpenter was awarded a $4.3 million award — more than twice the amount he sought and money he thinks he'll never see. Carpenter worked for Sandia National Labs as an intrusion detection analyst. He analyzed. He detected. He reported. He was fired — in January 2005 after sharing his results with the FBI and the U.S. Army. Computerworld asked him what he hoped to achieve in that investigation. Answer: 'In late May of 2004, one of my investigations turned up a large cache of stolen sensitive documents hidden on a server in South Korea. In addition to U.S. military information, there were hundreds of pages of detailed schematics and project information marked 'Lockheed Martin Proprietary Information — Export Controlled' that were associated with the Mars Reconnaissance Orbiter. ... It was a case of putting the interests of the corporation over those of the country.' Ira Winkler, author of Spies Among Us, said the verdict was 'incredibly justified. Frankly, I think people [at Sandia] should go to jail' for ignoring some of the security issues that Carpenter was trying to highlight with his investigation."

IGiGle - [Larry] Irongeek's Wigle to Google Earth conversion. Lets you view Wigle data on Google Earth. The resulting maps are very detailed...

Old Mac WiFi hacks revealed! - [Larry] Remember all the hubbub about the Mac wireless driver vulnerabilities? Well, David Maynor demoed them live, and cleared up the misconceptions.

Madwifi Kernel buffer overflow - [Larry] By crafting some specialized packets involving WPA/RSN, upon receiving the packet the madwifi driver can cough up a connect back.

SELinux vs Solaris Trusted Extensions - [Larry] A comparison article between SELinux and the Solaris Trusted Extensions. An excellent comparison, basically stating that the Solaris product is better - of course, the article was written by someone at Sun.

Oracle, Again? - [Larry] David Litchfield illustrated a new attack method for Oracle databases that does not require the ability to create procedures or functions - it only requires Create Session. This blows a lot of the downplay that Oracle has given about many attacks. Not to mention, it affects all Oracle versions.

Drive by pharming - [Larry] I only wanted to give this one a few minutes. User browses to a site, which loads a Java app. Said Java app connects to their home router (with a default password) and modifies the DNS servers. User surfs to a commerce or banking site, and is redirected to a phony site as determined by the compromised DNS setting. Paul, I know you have comments on this one. Something similar to the CoWF "evil bastard" firmware.

Solaris Telnet Worm - [Larry] Yep, it exists, as confirmed by Arbor Networks. Hopefully it only got a handful of machines...right?

Firmware new place for rootkit? - [Larry] I think we called this one a while back. Also see the CoWF evil bastard firmware. So, how do you check for malware/rootkits on your embedded device?

Stop and Plop Data thefts - [Larry] Looks like they modded the PIN terminals. Don't forget about physical security!

5 Mistakes of Data Encryption - [Joe] -

1.) Not using encryption when it is easy and accepted
2.) Inventing your own cryptographic algorithm
3.) "Hard-coding" secrets
4.) Storing keys with data
5.) Not handling data recovery

Low-Resource Routing Attacks Against Anonymous Systems - [Joe] - Paper on how to statistically smoke Tor using low resource machines which report having higher resources, allowing them to permeate a Tor network for privacy-crippling results (warning: math)