
I am new to Kali pentesting and am working on a password attack for an assignment. The target has SSH and Apache running, so I go to the website Apache is hosting and see a login. If I go to 'Create a new account' I can see the password description says "At least six characters long, should include numbers, punctuation and both upper and lower case". These are the password rules for the sign-on form on the website; however, the goal is to break in through the SSH service. From the hints there is only one employee with an SSH account and I think I have his username. I realize this is likely implementation-specific, but do the password rules of a login form generally apply to SSH? What are the password rules for SSH? Are they customizable? Is there a way to find out what they are for a target?

We were also given the hint that some passwords can be up to 16 characters long. I'm using crunch to generate a dictionary file. Using a character list containing uppercase, lowercase, numbers and special characters, the generated password file is huge!

I used crunch to generate a password file of strictly length 6; it was a GB in size and Ncrack couldn't even open it. It gave me the error `terminate called after throwing an instance of 'std::bad_alloc'`. How do people generally brute-force passwords bigger than 6 characters?

I also used CeWL to generate site-specific passwords, but ncrack didn't find anything.

Edit

I got a number of comments about things to try other than password attacks. I have been working on a lot of other things for a while but my inexperience has left me coming up short. I thought I would describe what I had tried in a new question here rather than stick it on to this one.

Nick
    There's no reason to think that SSH passwords and website passwords are related in any way. – Neil Smithline Mar 01 '16 at 17:44
  • 3
    `am working on a password attack for an assignment` : sorry, but an assignment for what or for whom? It just seems to me you are trying to hack some random server. – lepe Mar 02 '16 at 01:16
  • @lepe It could be that but to be fair that sounds very similar to how some of my infosec labs were. I wouldn't say it's impossible or even unlikely that this is for an assignment. – trallgorm Mar 02 '16 at 21:54
  • It's definitely for an assignment for school and I'm still stuck. – Nick Mar 02 '16 at 23:55
  • @nhoughto: can you elaborate on your assignment? For example, what are the requirements and limitations? How is the network environment? Any other hints? From what I read, a password attack is not a good strategy here (especially if they say the passwords can be up to 16 chars long), unless you have years to accomplish the assignment. – lepe Mar 03 '16 at 00:40
  • @lepe: It's a VM I have on the same network as my attack machine. It's a variation of the LAMPSecurity 8 machine. This tutorial [here](https://highon.coffee/blog/lamp-security-ctf8-walkthrough/) is strikingly similar but the method he uses didn't work. – Nick Mar 03 '16 at 01:10
  • @nhoughto: Sorry, I want to help but I don't see the similarity between your question and that article. In the article, they exploit an XSS vulnerability to inject code and gain admin rights. Later they get the MySQL credentials and dump all passwords, which are later cracked offline. In your question, you are talking about `break in through the SSH service`. I will extend my answer a little bit more. – lepe Mar 03 '16 at 07:25
  • @lepe, I linked to another question in my edit above where I explain in more detail what I've been doing. – Nick Mar 03 '16 at 18:07
  • @nhoughto: I think you should have started from there. It's much clearer to me now. – lepe Mar 04 '16 at 00:43
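The size problem the question runs into (a multi-GB crunch list that ncrack cannot load) is easier to reason about with numbers, and the way around it is to stop materialising the list. The script below is an added example, not part of the question or of any answer on this page: it computes the keyspace and on-disk size crunch would produce for a few charsets, converts that into wall-clock time at an assumed online guess rate, and shows a pattern-based generator (site words from a CeWL-style list plus a year and a trailing symbol) that streams candidates lazily so they can be piped into a cracker instead of written to disk. The charset names, the 10 guesses/second figure and the sample words `acme` and `shop` are this example's own assumptions.

```python
import string
from typing import Iterable, Iterator

# Character classes, sized from the ASCII printable set. The names are this
# example's own labels, not crunch's charset.lst names.
CHARSETS = {
    "lower": len(string.ascii_lowercase),                                            # 26
    "lower+digits": len(string.ascii_lowercase + string.digits),                     # 36
    "mixed+digits": len(string.ascii_letters + string.digits),                       # 62
    "all-printable": len(string.ascii_letters + string.digits + string.punctuation), # 94
}

SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(charset_size: int, min_len: int, max_len: int) -> int:
    """Candidates an exhaustive list must contain for every length in min_len..max_len."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def wordlist_bytes(charset_size: int, length: int) -> int:
    """On-disk size of an exhaustive fixed-length list: each line is the word plus a newline."""
    return charset_size ** length * (length + 1)


def years_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Wall-clock years needed to try every candidate at a sustained guess rate."""
    return candidates / guesses_per_second / SECONDS_PER_YEAR


def pattern_candidates(base_words: Iterable[str],
                       years: Iterable[int] = range(2010, 2017),
                       suffixes: Iterable[str] = ("!", "#", "$", "?")) -> Iterator[str]:
    """Stream candidates built from site-specific words, a year and a trailing symbol.

    Each word is tried in lower, Capitalised and UPPER form (duplicates skipped).
    The generator is lazy: nothing is written to disk and nothing is held in
    memory, which is exactly what a multi-GB exhaustive list cannot offer.
    """
    years = tuple(years)
    suffixes = tuple(suffixes)
    seen = set()
    for word in base_words:
        for mangled in (word.lower(), word.capitalize(), word.upper()):
            if mangled in seen:
                continue
            seen.add(mangled)
            for year in years:
                for suf in suffixes:
                    yield f"{mangled}{year}{suf}"


def summary(guesses_per_second: float = 10.0) -> dict:
    """Compare exhaustive keyspaces with a small pattern list at an online rate.

    10 guesses/s is an assumed, generous figure for an SSH server that does not
    lock accounts; offline hash cracking runs many orders of magnitude faster.
    """
    all_printable = CHARSETS["all-printable"]
    n_len6 = keyspace(all_printable, 6, 6)
    n_len6_16 = keyspace(all_printable, 6, 16)
    patterns = list(pattern_candidates(["acme", "shop"]))  # constructed sample words
    return {
        "all-printable, length 6: candidates": n_len6,
        "all-printable, length 6: GB on disk": wordlist_bytes(all_printable, 6) / 1e9,
        "all-printable, length 6: years online": years_to_exhaust(n_len6, guesses_per_second),
        "all-printable, lengths 6..16: years online": years_to_exhaust(n_len6_16, guesses_per_second),
        "pattern candidates": len(patterns),
        "pattern candidates: seconds online": len(patterns) / guesses_per_second,
    }


if __name__ == "__main__":
    for label, value in summary().items():
        print(f"{label}: {value}")
```

Even the length-6 all-printable list alone is in the terabytes and takes centuries at an online rate, which is why the "up to 16 characters" hint rules out exhaustive guessing; the pattern generator, by contrast, yields a few hundred candidates that finish in seconds and can be fed to ncrack or hydra from stdin.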

1 Answer


First, Apache and SSH are totally different beasts (as Neil already pointed out). Password creation rules in "Apache" are set by whoever created that website (so different websites on a single Apache web server may have different rules).

For SSH, there are practically no standard rules. You can set anywhere from 1 to an unlimited number of characters (including anything in the Unicode table). SSH can also use keys instead of passwords, which means that a dictionary attack is useless.

Brute-force attacks are commonly used against hashes: for example, if a hacker gets your password database, they will try commonly used passwords or patterns against all hashes (assuming the passwords are protected), at millions of attempts per second (as the attack happens offline).

Trying to use brute force against a server can only be successful if it doesn't have any kind of protection (well-managed servers will block you after a few attempts). As you can't try millions of passwords per second that way, it's impractical to brute-force SSH the way you are trying to do it. You have to know more about that specific user and his/her password, or be lucky enough that he/she is using a simple password such as 123456 (see: very common passwords).

There is a lot more than this simple answer, but I hope it helps you to have a general view of what you are trying to achieve.

Addition:

These are some ways you can break in through the SSH service:

1) Guess the password: you will need patterns, prefixes, common passwords, etc. If you think you can't make it within thousands of combinations, then this is not the way to go.

2) Trick the user: somehow hijack the connection and personalize the SSH service to steal the credentials (unlikely to succeed as SSH is designed to notify the user in such situations).

3) Deploy "keystroke logging" code on the user's computer to steal the password (not so useful in this scenario).

4) Get the SSH version (using nmap or alike), go and look for vulnerabilities in that specific version and try to exploit them (requires high coding/hacking skills).

5) Try metasploit. It seems this could be your best bet in this scenario. Unlikely to work if the SSH server is updated.

lepe
  • I'm not exactly sure how SSH keys work. I managed to do an anonymous FTP login and the only file was key.txt. The only entry was #flag#5e937c51b852e1ee90d42ddb5ccb8997. Put that into a hasher and you get 'misiek1'. If this is the ssh key how would one use it? – Nick Mar 02 '16 at 01:24
  • That looks to me like a password. We are talking about DSA/RSA keys; [for example, check this article](https://support.rackspace.com/how-to/logging-in-with-an-ssh-private-key-on-linuxmac/) and [this one](https://www.digitalocean.com/community/tutorials/how-to-configure-ssh-key-based-authentication-on-a-linux-server). They are commonly at least 1024 chars long. – lepe Mar 02 '16 at 01:42
  • @nhoughto: added some alternatives. – lepe Mar 03 '16 at 07:36
  • @nhoughto Are you trying to solve any of the LAMP security practice VMs? I have done a few, not necessarily the one that you pointed out. I did LAMP 7 instead of LAMP 8: http://oldsmokingjoe.blogspot.sg/2016/02/walkthrough-lampsecurity-version-7.html I am pretty sure you are down the wrong path trying to brute-force the SSH service without enumerating other stuff that may be available. Point me to the VM (if it's downloadable) and I can have a look :D :D – rockstar Mar 03 '16 at 08:38
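Point 4 of the answer (get the SSH version, then look up that version) rests on the identification string every SSH server sends first, which nmap's `-sV` also reads. The script below is an added example, not code from the answer or from any tool mentioned on the page: it parses that string according to RFC 4253 section 4.2 (`SSH-protoversion-softwareversion SP comments CR LF`), skips any notice lines a server is allowed to send before it, and splits the software field into the product and version you would search advisories for. The banners in `SAMPLE_BANNERS` are constructed samples in the formats real servers use; no specific target is implied, and `grab_banner` is the only part that touches the network.

```python
import re
import socket
from dataclasses import dataclass
from typing import Optional

# RFC 4253 section 4.2: the identification string is
#   SSH-protoversion-softwareversion SP comments CR LF
# where the comments part is optional and softwareversion contains no spaces.
_IDENT_RE = re.compile(
    r"^SSH-(?P<proto>[0-9.]+)-(?P<software>[^ \r\n]+)(?: (?P<comments>[^\r\n]*))?\r?\n?$"
)


@dataclass(frozen=True)
class SshIdent:
    protoversion: str        # "2.0", or "1.99" for servers that also speak SSH-1
    softwareversion: str     # e.g. "OpenSSH_6.7p1" or "dropbear_2014.66"
    comments: Optional[str]  # distribution suffix, if the server sends one

    @property
    def product(self) -> str:
        """Vendor part before the first underscore (the name to search advisories by)."""
        return self.softwareversion.split("_", 1)[0]

    @property
    def version(self) -> str:
        """Version part after the first underscore; empty if the software field has none."""
        parts = self.softwareversion.split("_", 1)
        return parts[1] if len(parts) == 2 else ""


def parse_ident(line: str) -> SshIdent:
    """Parse one identification line; raises ValueError for anything else."""
    m = _IDENT_RE.match(line)
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return SshIdent(m["proto"], m["software"], m["comments"])


def first_ident_line(raw: bytes) -> str:
    """Pick the identification line out of the first bytes a server sends.

    RFC 4253 lets a server send other lines (a pre-auth notice, for instance)
    before the one starting with 'SSH-', so a client has to skip them.
    """
    for line in raw.decode("utf-8", errors="replace").splitlines():
        if line.startswith("SSH-"):
            return line
    raise ValueError("no SSH identification line in the first bytes received")


def grab_banner(host: str, port: int = 22, timeout: float = 5.0) -> SshIdent:
    """Live banner grab: connect, read the first chunk, parse it. Needs network access."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        data = sock.recv(1024)
    return parse_ident(first_ident_line(data))


# Constructed sample banners (not captured from any particular host).
SAMPLE_BANNERS = [
    b"SSH-2.0-OpenSSH_5.3\r\n",
    b"SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3\r\n",
    b"Unauthorised access prohibited\r\nSSH-2.0-dropbear_2014.66\r\n",
    b"SSH-1.99-Cisco-1.25\r\n",
]


def fingerprint_all(banners=SAMPLE_BANNERS):
    """Parse every sample banner; the result is what you would feed a CVE search."""
    return [parse_ident(first_ident_line(b)) for b in banners]


if __name__ == "__main__":
    for ident in fingerprint_all():
        print(f"{ident.product:12} {ident.version:10} proto {ident.protoversion:5} {ident.comments or ''}")
```

The `comments` field is where distributions put their patch level (Debian and Ubuntu backport fixes without bumping the upstream version), so a match on `product` and `version` alone can flag a server that has already been patched; check the distribution's changelog for the suffix before spending time on an exploit.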