Online attack tools
In the previous section, we discussed several tools that can be used to crack
passwords in the offline mode. In this section, we will discuss some password
attacking tools that must be used while you are connected to the target machine.
We will discuss the tools that can be used for the following purposes:
• Generating wordlists
• Finding the password hash
• Online password attack tool
The first two tools are used to generate wordlists from the information gathered from
the target website, while the other one is used to look up the password hash in the
database of an online password hash service.
The online password attack tool will try to login to the remote service just like a user
login using the credentials provided. The tool will try to login many times until the
correct credentials are found.
The drawback of this technique is that because you connect directly to the target
server, your action may be noticed and blocked. Also, because the tool utilizes the
login process, it will take a longer time to run compared to the offline attack tools.
Even though the tool is slow and may trigger a blocking mechanism, network
services such as SSH, Telnet, and FTP usually can't be cracked using offline
password cracking tools. Be very careful when doing an online password attack,
especially against an Active Directory (AD) server, where brute forcing can lock
out all the user accounts. Check the password and lockout policy first, and then
try only one password for all accounts, so that you do not end up locking accounts.
Privilege Escalation
CeWL
The Custom Word List (CeWL) (http://www.digininja.org/projects/cewl.php)
generator is a tool that will spider a target Uniform Resource Locator (URL)
and create a unique list of the words found on that URL. This list can then be used by
password cracker tools such as John the Ripper.
The following are several useful options in CeWL:
• --depth N or -d N: This sets the spider depth to N; the default value is 2
• --min_word_length N or -m N: This is the minimum word length; the
default length is 3
• --verbose or -v: This gives a verbose output
• --write or -w: This is to write an output to a file
If you get an error running CeWL in Kali with the message Error:
zip/zip gem not installed, use gem install zip/zip to install the
required gem, just follow the suggestion and install the zip gem:
gem install zip
Fetching: zip-2.0.2.gem (100%)
Successfully installed zip-2.0.2
1 gem installed
Installing ri documentation for zip-2.0.2...
Installing RDoc documentation for zip-2.0.2...
Let's try to create a custom wordlist from a target website; the following is the CeWL
command to be used:
cewl -w target.txt http://www.target.com
After some time, the result will be created. In Kali, the output is stored in the
/usr/share/cewl directory.
The following is an abridged content of the target.txt file:
Device
dataset
sauerlo
Sauer
agentChange
ouput
fileWrite
oBy
strips
mThe
Specialforces
Damian
GoD
zERo
zine
Disney
N00bz
xThe
Cracked
Question
Marc
Doudiet
Swiss
Strafor
Electric
Alchemy
Hydra
Hydra is a tool that can be used to guess or crack the login username and password.
It supports numerous network protocols, such as HTTP, FTP, POP3, and SMB. It
works by using the username and password provided and tries to log in to the
network service in parallel; by default, it will log in using 16 connections to the
same host.
To start Hydra, use the console to execute the following command:
# hydra
This will display the Hydra usage instruction on your screen.
In our exercise, we will brute force the password for a VNC server located in
192.168.56.101 and use the passwords contained in the password.lst file. The
command to do this is as follows:
# hydra -P password.lst 192.168.56.101 vnc
The following screenshot shows the result of this command:
From the preceding screenshot, we can see that Hydra was able to find the VNC
passwords. The passwords used on the target server are password01 and password.
To verify whether the passwords obtained by Hydra are correct, just run vncviewer
to the remote machine and use the passwords found.
The following screenshot shows the result of running vncviewer:
From the preceding screenshot, we can see that we are able to log in to the VNC
server using the cracked passwords, and we got the VNC root credential. Fantastic!
Besides using the Hydra command line, you can also use the Hydra GUI by
executing the following command:
# xhydra
The following screenshot shows the result of running the Hydra GTK to attack an
SSH service on the target:
In our experience, you may find that xhydra's options can't be customized
to your needs. For example, to check VNC you shouldn't need to set a username,
but xhydra won't allow you to leave the username unset.
Medusa
Medusa is another online password cracker for network services. It has the
characteristics of being speedy, massively parallel, and modular. Currently, it has
modules for the following services: CVS, FTP, HTTP, IMAP, MS-SQL, MySQL, NCP
(NetWare), PcAnywhere, POP3, PostgreSQL, rexec, Rlogin, rsh, SMB, SMTP (VRFY),
SNMP, SSHv2, SVN, Telnet, VmAuthd, VNC, and a generic wrapper module.
You can find the differences between Medusa and Hydra at
http://foofus.net/goons/jmk/medusa/medusa-compare.html.
During our penetration testing engagement, we usually run Medusa and
Hydra to get more complete information about the targets.
To start the Medusa cracker, use the console to execute the following command:
# medusa
This will display the Medusa usage instructions on your screen.
The useful options in Medusa are as follows:
• -u or -U [FILE]: This is for reading the username or username list file.
• -h or -H [FILE]: This is for reading the hostname or hostname list file.
• -p or -P [FILE]: This is for reading the password or password list file.
• -M: This is the name of the module to be used. You can use the -d option to
find the module names.
• -O: This is the output file.
• -v: This is the verbose level. We found that by setting the -v 4 option, we
only got the successful credential's list.
Let's run Medusa to crack the VNC password as we did earlier by giving the
following command:
# medusa -u root -P password.lst -h 192.168.56.101 -M vnc -v 4
The following is the result of running this command:
Medusa v2.0 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>
ACCOUNT FOUND: [vnc] Host: 192.168.56.101 User: root Password: password [SUCCESS]
Medusa is only able to find one VNC password, while Hydra is able to find two
VNC passwords.
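The introduction to this section notes that an online attack connects directly to the target and may be noticed and blocked, and Hydra and Medusa both open many parallel login attempts against one host (Hydra uses 16 connections by default). The following is an added example (not from the book, Hydra or Medusa) of the detection side: it parses sshd-style auth log lines and flags a source that produces a burst of failed logins, recording the usernames tried and whether an accepted login followed the burst. The log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd auth log lines (not from the book): a burst of failures
# from one source within a couple of seconds, the footprint of a parallel
# online guesser, followed by an accepted login, then two unrelated failures.
SAMPLE_AUTH_LOG = """\
Aug 20 18:54:01 target sshd[2201]: Failed password for root from 192.168.56.1 port 40001 ssh2
Aug 20 18:54:01 target sshd[2202]: Failed password for root from 192.168.56.1 port 40002 ssh2
Aug 20 18:54:02 target sshd[2203]: Failed password for root from 192.168.56.1 port 40003 ssh2
Aug 20 18:54:02 target sshd[2204]: Failed password for root from 192.168.56.1 port 40004 ssh2
Aug 20 18:54:03 target sshd[2205]: Failed password for root from 192.168.56.1 port 40005 ssh2
Aug 20 18:54:03 target sshd[2206]: Accepted password for root from 192.168.56.1 port 40006 ssh2
Aug 20 18:55:10 target sshd[2300]: Failed password for alice from 10.0.0.7 port 51000 ssh2
Aug 20 19:30:00 target sshd[2400]: Failed password for alice from 10.0.0.7 port 51001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text, year=2013):
    """Yield (timestamp, result, user, ip) for sshd password-auth lines;
    syslog timestamps carry no year, so one is supplied by the caller."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]


def find_bruteforce(events, threshold=5, window_seconds=60):
    """Flag source IPs with at least `threshold` failures inside any span of
    `window_seconds`. Each finding records the usernames tried (one user with
    many passwords = brute force; many users = spraying) and whether an
    accepted login from the same source followed the start of the burst."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, result, user, ip in events:
        (failures if result == "Failed" else successes)[ip].append((ts, user))
    findings = {}
    for ip, fails in failures.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            j = i
            while j < len(fails) and (fails[j][0] - start).total_seconds() <= window_seconds:
                j += 1
            if j - i >= threshold:
                findings[ip] = {
                    "failures_in_window": j - i,
                    "users": sorted({u for _, u in fails[i:j]}),
                    "success_after_burst": any(t >= start for t, _ in successes[ip]),
                }
                break
    return findings
```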
Network spoofing tools
In the previous section, we discussed several tools that can be used to crack
passwords. In this section, we will have a look at several tools that can be used for
network spoofing to elevate the privilege.
Network spoofing is the process of forging fields in network packets, such as the
MAC address and IP address. The goal of this process is to obtain the data exchanged
between two communicating parties.
DNSChef
DNSChef (http://thesprawl.org/projects/dnschef/) is a DNS proxy; it can be
used to fake a domain request to point to a local machine that belongs to the attacker
instead of the real host. With this capability, an attacker can control the victim
network traffic.
Before you can use DNSChef, you need to configure the victim machine DNS server
to point to your machine containing DNSChef:
• In Linux, you can modify the /etc/resolv.conf file to point to
your machine
• In Windows, you can configure this in the Network Connections option
from the Control Panel
If you don't have access to modify the DNS configuration mentioned in the first bullet item,
you can use options such as ARP spoofing or setting up a rogue DHCP server
that hands out a fake DNS server.
For the following exercises, we are going to use two machines. One is the DNSChef
server with an IP address of 192.168.2.21, and the victim has an IP address of
192.168.2.22. For the victim, we will use the Metasploitable virtual machine.
Let's see DNSChef in action.
Setting up a DNS proxy
To set up DNSChef as a proxy, just run the following command in the DNSChef server:
# dnschef
On the same machine, configure it to use localhost as the DNS server.
To query the A record of the domain google.com, use the following command:
host -t A google.com
The following is the result in the DNSChef proxy:
In this case, DNSChef only acts as a proxy. It will redirect all the requests to the
upstream nameserver; in this case, the DNS Server 8.8.8.8.
Faking a domain
Before we fake a google.com domain, let's see the original DNS response for
google.com:
Now, let's fake the DNS response regarding google.com. Change the /etc/resolv.conf
file to point to DNSChef.
The following are the DNSChef commands to be given:
# dnschef --fakeip=192.168.2.21 --fakedomains google.com --interface 192.168.2.21 -q
In the victim machine, we give the following command to get the google.com
IP address:
$ host -t A google.com
The following is the result of this command:
google.com has address 192.168.2.21
In the DNSChef machine, you will see the following information:
DNSChef doesn't support IPv6 yet in Version 0.1, so you need to upgrade to Version
0.2 (https://thesprawl.org/media/projects/dnschef-0.2.1.tar.gz) if you
want to use IPv6.
To use IPv6, just add the -6 option to the DNSChef command line.
Let's fake the google.com IPv6 address. The original google.com IPv6
address is 2404:6800:4003:802::1003. The DNSChef IPv6 address is
fe80::a00:27ff:fe1c:5122/64.
In the DNSChef server, give the following command to fake the google.com
IPv6 address:
dnschef.py -6 --fakeipv6 fe80::a00:27ff:fe1c:5122 --interface :: -q
arpspoof
arpspoof is a tool that can be used to sniff the network traffic in a switched
environment. In the previous chapter, we stated that sniffing network traffic in a
switched environment is hard, but by using arpspoof, it is easy.
The arpspoof tool works by forging the ARP replies to both communicating parties.
In a normal situation, when host A wants to communicate with host B (gateway),
it will broadcast an ARP Request to get the MAC address of host B. Host B will
respond to this request by sending its MAC address as an ARP Reply packet. The
same process is done by host B. After that, host A can communicate with host B as
shown in the following figure:
[Figure: hosts A (MAC 11.11.11.11.11.11) and B (MAC 22.22.22.22.22.22) exchange (1) ARP Request, (2) ARP Reply, (3) ARP Request, (4) ARP Reply]
If an attacker C wants to sniff the network traffic between A and B, it needs to send
the ARP replies to A telling that the IP address of B now has the MAC address
of 33.33.33.33.33.33, which belongs to C. The attacker C also needs to spoof the
ARP cache of B by telling it that the IP address of A now has the MAC address of
33.33.33.33.33.33.
[Figure: attacker C (MAC 33.33.33.33.33.33) positioned between A (MAC 11.11.11.11.11.11) and B (MAC 22.22.22.22.22.22)]
After the ARP spoofing works, the entire network traffic between A and B will go
through C first.
Before you can use arpspoof, you need to enable the IP forwarding feature in your
Kali Linux machine. This can be done by giving the following command as root:
# echo 1 > /proc/sys/net/ipv4/ip_forward
To start the arpspoof command line, use the console to execute the following
command:
# arpspoof
This will display the arpspoof usage instructions on your screen.
For our exercise, we have the following information. The first machine is a gateway
with the following configuration:
• MAC address: 00-50-56-C0-00-08
• IP address: 192.168.65.1
• Subnet mask: 255.255.255.0
The victim machine has the following configuration:
• MAC address: 00-0C-29-35-C9-CD
• IP address: 192.168.65.129
• Subnet mask: 255.255.255.0
The attacker machine will have the following configuration:
• MAC address: 00:0c:29:09:22:31
• IP address: 192.168.65.130
• Subnet mask: 255.255.255.0
The following is the original ARP cache of the victim:
Interface: 192.168.65.129 --- 0x30002
Internet Address Physical Address Type
192.168.65.1 00-50-56-c0-00-08 dynamic
To ARP spoof the victim, enter the following command:
# arpspoof -t 192.168.65.129 192.168.65.1
On the victim machine, wait for some time and then try to make a connection to the
gateway by pinging it. After a while, the victim's ARP cache will have changed:
Interface: 192.168.65.129 --- 0x30002
Internet Address Physical Address Type
192.168.65.1 00-0c-29-09-22-31 dynamic
You will notice that in the victim's ARP cache, the MAC address of the gateway
machine has been changed from 00-50-56-c0-00-08 to 00-0c-29-09-22-31, which
is the attacker machine's MAC address.
Ettercap
Ettercap (http://www.ettercap-project.org/) is a suite of tools to do a
man-in-the-middle attack on a LAN. It will perform attacks on the ARP protocol by
positioning itself as the man in the middle. Once it achieves this, it is able to do
the following:
• Modify data connections
• Password discovery for FTP, HTTP, POP, SSH1, and so on
• Provide fake SSL certificates to foil the victim's HTTPS sessions
ARP is used to translate an IP address to a physical network card address (MAC
address). When a device tries to connect to the network resource, it will send a
broadcast request to other devices on the same network asking for the MAC address
of the target. The target device will send its MAC address. Then, the caller will
keep the association of the IP-MAC address in its cache to speed up the process if it
connects to the target again in the future.
The ARP attack works when a machine asks for the MAC address associated with the IP
address of a target. The attacker can answer this request by sending its own MAC
address. This attack is called ARP poisoning or ARP spoofing. This attack will work
if the attacker and the victim are located in the same network.
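The arpspoof exercise above shows the victim's gateway entry changing from 00-50-56-c0-00-08 to the attacker's 00-0c-29-09-22-31, and the paragraph above explains why: ARP replies are not authenticated, so the cache accepts whatever answer arrives. As an added example that is not part of the book, arpspoof or Ettercap, the following Python compares two arp -a snapshots (constructed here with the exercise's addresses) and reports a rewritten gateway entry and any MAC claimed by more than one IP, the two signals an arpwatch-style monitor alerts on.

```python
import re

# Two "arp -a" snapshots in the Windows format the book prints. The
# addresses reuse the exercise's values; the snapshots are constructed
# for this example (the attacker's own entry is included so that the
# duplicate-MAC check has something to find).
ARP_BEFORE = """\
Interface: 192.168.65.129 --- 0x30002
  Internet Address      Physical Address      Type
  192.168.65.1          00-50-56-c0-00-08     dynamic
  192.168.65.130        00-0c-29-09-22-31     dynamic
"""

ARP_AFTER = """\
Interface: 192.168.65.129 --- 0x30002
  Internet Address      Physical Address      Type
  192.168.65.1          00-0c-29-09-22-31     dynamic
  192.168.65.130        00-0c-29-09-22-31     dynamic
"""

ENTRY_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\s+(\w+)",
    re.IGNORECASE,
)


def parse_arp_table(text):
    """Return {ip: mac}, with MACs normalised to lower-case colon form so
    Windows (xx-xx-xx) and Linux (xx:xx:xx) output compare equal."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower().replace("-", ":")
    return table


def detect_arp_spoof(before, after, gateway_ip):
    """Compare two snapshots and report (a) entries whose MAC changed,
    (b) MACs claimed by more than one IP, the state arpspoof leaves behind
    when it impersonates the gateway while its real entry is still cached,
    and (c) whether the gateway entry specifically was rewritten."""
    old, new = parse_arp_table(before), parse_arp_table(after)
    changed = {ip: (old[ip], new[ip])
               for ip in old if ip in new and old[ip] != new[ip]}
    by_mac = {}
    for ip, mac in new.items():
        by_mac.setdefault(mac, []).append(ip)
    duplicates = {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}
    return {
        "changed": changed,
        "duplicate_macs": duplicates,
        "gateway_spoofed": gateway_ip in changed,
    }
```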
Kali Linux provides the Ettercap tool to do this attack. Ettercap comes with three
modes of operation: text mode, curses mode, and graphical mode using GTK.
To start Ettercap in text mode, use the console to execute the following command:
# ettercap -T
To start Ettercap in curses mode, use the console to execute the following command:
# ettercap -C
To start Ettercap in graphical mode, use the console to execute the following
command:
# ettercap -G
In our exercise, we will use Ettercap to do a DNS spoofing attack. The machine's
configuration is the same as in the previous section, but we will have two additional
machines: a DNS server with an IP address of 192.168.2.1 that will be spoofed,
and the web server located at the attacker IP address, 192.168.2.22, to receive all of
the HTTP traffic. The attacker has an IP address of 192.168.2.21.
The following steps are taken to do the DNS spoofing:
1. Start Ettercap in the graphical mode.
2. Navigate to Sniff | Unified sniffing from the menu and select your
network interface.
3. Scan the host in your network by navigating to Hosts | Scan for hosts.
4. View the host by navigating to Hosts | Hosts list.
5. Select the machines to be poisoned. We select machine 192.168.2.1 (DNS server)
as target 1 by clicking on Add to Target 1 and machine 192.168.2.22 as target 2:
6. Start the ARP poisoning process by navigating to Mitm | Arp poisoning.
Next, the MAC address of the DNS server and victim will be set to the
attacker's MAC address.
7. Set the configuration file in /usr/share/ettercap/etter.dns with the
domain you want to spoof and the replacement domain:
google.com A 192.168.2.21
*.google.com A 192.168.2.21
www.google.com PTR 192.168.2.21
This will redirect google.com to the attacker web server.
8. Activate the dns_spoof plugin by going to Plugins | Manage the plugins,
and double-click on the dns_spoof plugin to activate it.
9. In the victim machine, navigate to google.com to see the effect:
From the preceding screenshot, we can see that the DNS spoofing works.
Instead of seeing the Google website, the victim is redirected to the attacker
web server.
10. To stop the spoofing, go to Mitm | Stop mitm attack(s).
If you feel that doing this whole process in graphical mode is too cumbersome, you
don't need to worry. Ettercap in text mode can also do this in a much simpler way.
The following is the command to do the same DNS spoofing:
# ettercap -i eth0 -T -q -P dns_spoof -M ARP /192.168.2.1/ /192.168.2.22/
The following is the result of this command:
Scanning for merged targets (2 hosts)...
2 hosts added to the hosts list...
ARP poisoning victims:
GROUP 1 : 192.168.2.1 F4:EC:38:EC:07:DC
GROUP 2 : 192.168.2.22 08:00:27:43:15:18
Starting Unified sniffing...
Activating dns_spoof plugin...
dns_spoof: [safebrowsing-cache.google.com] spoofed to [192.168.2.21]
Using the Ettercap command-line version is much simpler if you know the
commands and options. To quit the text mode, just press Q.
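Both DNSChef earlier and Ettercap's dns_spoof plugin here answer a public name with an address on the attacker's LAN (192.168.2.21, or a link-local IPv6 address in the DNSChef IPv6 case). As an added example that is not part of the book or of either tool, the following check parses host output as printed on the victim in these exercises and flags external names that resolve into private, link-local or loopback space; the sample output is constructed and the internal-suffix convention is an assumption.

```python
import ipaddress
import re

# Constructed `host` output as the victim would see it in the DNSChef and
# Ettercap exercises (the addresses reuse the book's values), plus one
# genuine public answer for contrast.
SAMPLE_HOST_OUTPUT = """\
google.com has address 192.168.2.21
google.com has IPv6 address fe80::a00:27ff:fe1c:5122
example.org has address 93.184.216.34
"""

HOST_RE = re.compile(r"^(?P<name>\S+) has (?:IPv6 )?address (?P<addr>\S+)$")


def parse_host_output(text):
    """Yield (name, ip_address object) for each A/AAAA answer line."""
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            yield m["name"], ipaddress.ip_address(m["addr"])


def spoofed_answers(text, internal_suffixes=(".local", ".lan")):
    """Return [(name, addr, reason)] for answers that look poisoned: an
    external name resolving into loopback, link-local or private
    (RFC 1918 / ULA) space. Names under internal_suffixes are expected to
    map to LAN addresses and are skipped (assumed site convention)."""
    hits = []
    for name, addr in parse_host_output(text):
        if name.endswith(internal_suffixes):
            continue
        if addr.is_loopback:
            hits.append((name, str(addr), "resolves to loopback"))
        elif addr.is_link_local:
            hits.append((name, str(addr), "resolves to link-local address"))
        elif addr.is_private:
            hits.append((name, str(addr), "resolves to private address"))
    return hits
```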
Network sniffers
A network sniffer is a software program or a hardware device that is capable of
monitoring the network data. It is usually used to examine the network traffic by
copying the data without altering the content. With the network sniffer, you can see
what information is available in your network.
Previously, network sniffers were used by network engineers to help them solve
network problems, but they can also be used for malicious purposes. If your network
data is not encrypted and your network uses a hub to connect all the computers, it
is very easy to capture your network traffic, such as your username, password, and
e-mail content. Fortunately, things become a little more complex if your network is
using a switch, but your data can still be captured.
There are many tools that can be used as network sniffers. In this section, we will
describe some of those which are included in Kali Linux. You may want to do
network spoofing (refer to the Network spoofing tools section) first because it is often a
requirement to conduct a successful sniffing operation.
dsniff
The dsniff tool can be used to capture the passwords available in the network.
Currently, it can capture passwords from the following protocols: FTP, Telnet,
SMTP, HTTP, POP, poppass, NNTP, IMAP, SNMP, LDAP, Rlogin, RIP, OSPF,
PPTP MS-CHAP, NFS, VRRP, YP/NIS, SOCKS, X11, CVS, IRC, AIM, ICQ, Napster,
PostgreSQL, Meeting Maker, Citrix ICA, Symantec pcAnywhere, NAI Sniffer,
Microsoft SMB, Oracle SQL*Net, Sybase, and Microsoft SQL protocols.
To start dsniff, use the console to execute the following command:
# dsniff -h
This will display the dsniff usage instructions on your screen. In our exercise, we will
capture an FTP password. The FTP client IP address is 192.168.2.20 and the FTP
server IP address is 192.168.2.22, and they are connected by a network hub. The
attacker machine has the IP address of 192.168.2.21.
Start dsniff in the attacker machine by giving the following command:
# dsniff -i eth0 -m
The -i eth0 option will make dsniff listen to the eth0 network interface and the -m
option will enable automatic protocol detection.
In another machine, open the FTP client and connect to the FTP server by entering
the username and password.
The following is the result of dsniff:
dsniff: listening on eth0
-----------------
20/08/13 18:54:53 tcp 192.168.2.20.36761 -> 192.168.2.22.21 (ftp)
USER user
PASS user01
You will notice that the username and password entered to connect to the FTP server
can be captured by dsniff.
tcpdump
The tcpdump network sniffer is used to dump the packet contents on a network
interface that matches the expression. If you don't give the expression, it will display
all the packets, but if you give it an expression, it will only dump the packet that
matches the expression.
The tcpdump network sniffer can also save the packet data to a file, and it reads the
packet data from a file too.
To start tcpdump, you need to use the console to execute the following command:
# tcpdump -i eth0 -s 96
This command will listen on the eth0 network interface (-i eth0) and capture the
packet in a size of 96 bytes (-s 96).
Let's try to sniff an ICMP packet from a machine with an IP address of
192.168.56.101 to a machine with an IP address of 192.168.56.102. We sniff on the
eth0 interface (-i eth0), don't convert addresses to names (-n), don't print timestamps
(-t), print packet headers and data in hex and ASCII (-X), and set the snaplen value to
64 (-s). The command we use on the machine 192.168.56.102 is as follows:
# tcpdump -n -t -X -i eth0 -s 64 icmp and src 192.168.56.102 and dst 192.168.56.101
The following screenshot shows the result of this command:
The tcpdump network sniffer will only display the packets that match the given
expression. In this case, we only want to display the ICMP packet from the machine
with an IP address of 192.168.56.102 to the machine with an IP address of
192.168.56.101.
Wireshark
Wireshark is a network protocol analyzer. The user interface allows the user to
understand the information contained in the network packets captured more easily.
The following are several Wireshark features:
• Supports more than 1,000 protocols
• Ability to do live capture and offline analysis
• Has the most powerful display filters in the industry
• Captured network data can be displayed via GUI or via a command-line
TShark tool
• Able to read/write many different capture file formats, such as tcpdump
(libpcap), Network General Sniffer, Cisco Secure IDS iplog, Microsoft
Network Monitor, and others
• Live data can be read from IEEE 802.11, Bluetooth, and Ethernet
• The output can be exported to XML, Postscript, CSV, and plaintext
To start Wireshark, go to Kali Linux | Sniffing/Spoofing | Network Sniffers |
wireshark, or use the console to execute the following command:
# wireshark
This will start the Wireshark network protocol analyzer. To start live capture,
click on the network interface on which you want to capture network data in the
Interface List.
If there is network traffic, the packets will be displayed on the Wireshark window.
To stop the capture, you can click on the fourth icon on the top entitled Stop running
the live capture, or you can navigate to Capture | Stop in the menu.
To only display particular packets, you can set the display filter.