
Password authentication cracking!

This article will show how to use Hydra to check for weak passwords. Hydra tries all possible password combinations against a server on the Internet until one valid one is found to log in to the server. It is a powerful tool for hackers and network administrators alike.

by David Maciejak, 2011

Yeah, again an article on how to choose secure passwords. Unbreakable, long and complicated so they are impossible to remember... Not really! This article is different! In this article I will talk from the attacker point of view. Why it is not trivial to brute force a password. I will explain how Hydra can help to test for weak passwords. Hydra is available from http://www.thc.org/thc-hydra/. It is supposedly the best network login cracking tool available today. This article will only give you a broad overview of the potential of Hydra. You will figure out the rest by yourself.

First make your network as secure as you can. Make no mistakes: One small mistake by you, one giant leap for the attacker.

- Set up a test network
- Set up a test server
- Configuring services
- Configure ACL
- Choosing good passwords
- Use SSL
- Use cryptography
- Use an IDS

... then let Hydra try to break into your own server!

Setting up networks

The Internet is standardized. It will either be IPv4 or IPv6. Hydra can attack IPv4 and IPv6 networks alike. Use the -6 option to switch to IPv6.

Configuring services and access controls

Common protocols for mail are SMTP, POP3 and IMAP4. They are used by small and large businesses alike, heck they are even used by gmail, hotmail and other big players: Most of those biggies support one of those protocols beside the web-based login known to most of you. Your password is at risk even if you never ever used SMTP, POP3 or IMAP. Use the -h option in Hydra to get a full list of supported protocols.

A common mistake of many new server installations is that they come with services like POP3, IMAP or SSH enabled by default. Access control and firewall are disabled by default. New default servers are an easy target for Hydra.

1/3 www.thc.org

Shell 1. Choosing IP version from command line

    # ./hydra -l john -p doe imap://192.168.0.10:143
    # ./hydra -l john -p doe imap://[::FFFF:192.168.0.10]:143 -6

Choosing good passwords

Passwords are often chosen carelessly. 90% of all users pick one of the 10 most common passwords at some point on some system. 123456, password, secret, look familiar? Might as well not use a password at all then! Hydra also has a special command line option: Use -e ns to check for empty passwords and where the password is the username!

Hydra can work through a list of common passwords or can mutate the passwords randomly. Use the -x option for mutating the password. For example use -x 5:8:A1 to try all passwords of length 5 to 8 by using all possible combinations of all upper case characters and all numbers.

Shell 2. Brute force password generator option

    # ./hydra -l john -x 5:8:A1 imap://192.168.0.10:143

Using SSL and cryptographic methods

Using encryption like SSL does not help. SSL is primarily used to encrypt the sessions between attacker and server. This is an advantage for the attacker as the attack is not picked up by a network Intrusion Detection System (IDS). SSL is almost never used to authenticate a client. Client side authentication is done by traditional password authentication in almost all servers.

Research has shown that users using SSL chose weaker passwords for the SSL connection than for connections not using SSL. It appears there is some false sense of security lingering among all the good, bad and ugly things with SSL. This is where Hydra attacks.

In cryptography if you do not understand it do not use it! Besides SSL, Hydra also supports SASL (CRAM-MD5, DIGEST-MD5 and SCRAM-SHA1). The Simple Authentication and Security Layer (SASL) is a framework for authentication and data security in Internet protocols. It decouples authentication mechanisms from application protocols. The GNU project has implemented it through the GNU SASL Library called GSASL (see http://www.gnu.org/software/gsasl/). When the server is negotiating a secure channel or a secure method, Hydra just responds "ok, let's do it", and generates a valid credential based on the challenge sent.

Shell 3. Set SASL method on command line

    # ./hydra -l john -p doe imap://192.168.0.10/CRAM-MD5

The SASL method can be used as shown above. Use the -U option to get a full list of supported SASL options.
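The weak-password classes named under "Choosing good passwords" (empty password, password equal to the login, common passwords, and the -x 5:8:A1 keyspace) can be checked when a password is set. The following is an added example, not code from the article or from Hydra; the function names and the attempt rate passed to `days_to_exhaust` are assumptions.

```python
import string

# Character classes of the -x MIN:MAX:CHARSET spec. "A" and "1" are the ones
# the article uses; "a" (lowercase) is the third class Hydra accepts.
CLASSES = {"a": string.ascii_lowercase, "A": string.ascii_uppercase, "1": string.digits}
COMMON = {"123456", "password", "secret"}   # the three examples the article names

def parse_spec(spec):
    """Split a spec such as '5:8:A1' into (min_len, max_len, alphabet)."""
    lo, hi, charset = spec.split(":", 2)
    lo, hi = int(lo), int(hi)
    # Any character that is not a class letter stands for itself.
    alphabet = "".join(sorted(set("".join(CLASSES.get(c, c) for c in charset))))
    if not (0 < lo <= hi) or not alphabet:
        raise ValueError(f"bad spec: {spec!r}")
    return lo, hi, alphabet

def keyspace(spec):
    """Number of candidate passwords the spec enumerates."""
    lo, hi, alphabet = parse_spec(spec)
    return sum(len(alphabet) ** n for n in range(lo, hi + 1))

def days_to_exhaust(spec, attempts_per_second):
    """Worst-case days of online guessing at an assumed attempt rate."""
    return keyspace(spec) / attempts_per_second / 86400

def weak_reasons(login, password, spec="5:8:A1"):
    """Reasons a credential would fall to the checks the article describes."""
    lo, hi, alphabet = parse_spec(spec)
    reasons = []
    if password == "":
        reasons.append("empty password (-e n)")
    if password == login:
        reasons.append("password equals login (-e s)")
    if password.lower() in COMMON:
        reasons.append("common password")
    if lo <= len(password) <= hi and set(password) <= set(alphabet):
        reasons.append(f"inside -x {spec} keyspace")
    return reasons

if __name__ == "__main__":
    print(keyspace("5:8:A1"), round(days_to_exhaust("5:8:A1", 10)))
    for login, pw in [("john", ""), ("john", "john"), ("john", "123456")]:
        print(repr(pw), weak_reasons(login, pw))
```

The keyspace figure shows why exhaustive online guessing is slow, while the first three checks cost an attacker only a handful of attempts per account.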


Monitoring access and resources


More and more companies are buying SIEM (Security Information and Event Management) to centralize the event access logs. This could be useful to track abnormal events on the network, like for example many authentication failures on a given service. This kind of tool is used to save your time; it could also automatically alert you by using some correlation rules to detect malicious events.

No SIEM prevents the attack. They merely inform you after the event. After Hydra got in. After your data got stolen.

Sometimes the SIEM or the IAM (Identity and Access Management) can become the way of entry as well! These services are using LDAP. And guess what, Hydra also supports LDAP.

IPS (Intrusion Prevention System) is a must have in a corporate network; nowadays such devices always come with predefined signatures to detect password cracking attacks. However, they have a weak point: they are based on a defined rate. For example, if there are 10 authentication failures in 5 seconds from the same source IP, just block or quarantine the attacker for x seconds.

For this purpose Hydra comes with some features to plan how the attack is conducted. The -t option can be used to set the number of concurrent tasks (default is 16). Set it to 1 and you will stay under the radar of any IDS.
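The rate rule quoted above (10 failures in 5 seconds per source) can be paired with a long-window count so that paced guessing is still flagged. The following is an added detection example, not code from the article or from any IPS product; the log format, the one-hour threshold and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (an assumption, not a real daemon's output):
#   <ISO timestamp> auth-failed user=<login> src=<ip>
LINE = re.compile(r"^(\S+) auth-failed user=(\S+) src=(\S+)$")

RULES = {
    "burst": (10, 5),     # the article's IPS example: 10 failures in 5 seconds
    "slow": (30, 3600),   # assumed long-window rule: 30 failures in one hour
}

def window_exceeded(times, limit, seconds):
    """True if any span shorter than `seconds` holds at least `limit` events."""
    times = sorted(times)
    start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() >= seconds:
            start += 1
        if end - start + 1 >= limit:
            return True
    return False

def detect(lines):
    """Return {source_ip: [names of rules that fired]} for failed logins."""
    by_src = defaultdict(list)
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            by_src[m.group(3)].append(datetime.fromisoformat(m.group(1)))
    alerts = {}
    for src, times in by_src.items():
        fired = [name for name, (limit, secs) in RULES.items()
                 if window_exceeded(times, limit, secs)]
        if fired:
            alerts[src] = fired
    return alerts

def sample_log():
    """Constructed sample: a fast source, a paced source and a user's typos."""
    t0 = datetime(2011, 5, 1, 10, 0, 0)
    def fail(offset, ip):
        stamp = (t0 + timedelta(seconds=offset)).isoformat()
        return f"{stamp} auth-failed user=john src={ip}"
    fast = [fail(0.2 * i, "192.0.2.10") for i in range(16)]
    paced = [fail(3 * i, "192.0.2.20") for i in range(40)]
    typos = [fail(30 * i, "192.0.2.30") for i in range(2)]
    return fast + paced + typos

if __name__ == "__main__":
    for src, rules in sorted(detect(sample_log()).items()):
        print(src, rules)
```

Counting per source address misses guessing that is spread over many addresses; the same window function can be keyed on the targeted account instead.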

Conclusion
Choose your password wisely. Do not let IDS, IPS, SIEM, IAM or SSL lure you into a false sense of security. Try Hydra. Make sure you are safe and secure. The best tool against hacker attacks is a smart network administrator.

Figure 1. Module usage, example using IMAP

References

Hydra Home Project: http://www.thc.org/thc-hydra
Wikipedia Page: http://en.wikipedia.org/wiki/Hydra_(software)

Special thanks goes to THC crew.
