Write-up to Password Spraying
The password is known but not the username. This is a realistic task, if one assumes that many people assuming that many use a password that is too weak.
The task gives me a password, a range of valid usernames (500 pieces) and I am supposed to find the password. To make matters worse, the password changes every 60 minutes. Furthermore, only 10 invalid login attempts are possible, otherwise you are blocked for 10min by fail2ban.
- Search for a tool that iterates username and keeps password constant.
- Read Fail2Ban documentation to find out if it works like a ReverseProxy or if it reads log files and thus reads log files and thus reacts delayed.
- Look for a tool that can change IP addresses (Tor?). The Fail2ban service blocks sender IPs.
- Search vulnerability database to find ways against fail2ban. Possibly crashes from the tool are useful for our purposes (see point 2).
- To point 1 in the procedure Hydra or Medusa offer themselves. A tutorial for this can be found at redteamtutorials.com. can be found. Hydra also has a UI that can be used.
- According to documentation it scans the log files.
files, which may allow an attack by fast iteration.
It scans log files and detects patterns which correspond to possible breaking attempts and then performs actions. Most of the time, it consists of adding a new rule in a firewall chain and sending an e-mail notification to the system administrator.
- Hydra can accept a proxy list. At 500 attempts / 10 about 50 proxies are needed. There are many proxy lists on the internet which are sufficient for our purposes.
- There is also a tool Proxychain that can override the network functions can be overridden and used.
- With Excel / LibreOffice a list of usernames can be created (Autoincrement function).
I use proxychain. Partially it can’t resolve the DNS and this can be done at the expense of
privacy by commenting out the
proxy_dns parameter in /etc/proxychains4.conf.
can be disabled.
- start Tor - no special configuration needed
- check proxychain config in /etc/proxychains4.conf, if socks4 127.0.0.1 9050 is entered in [ProxyList]. is entered. 3.
- create a list of usernames and save it (e.g. as usernames.txt). Can be created with Excel/libreOffice.
- configure Hydra command via UI and then copy for console (http)
proxychains4 -f proxychains4_2.conf hydra -t 64 -s 80 -v -V -I -L /root/usernames.txt -p password -f -m / pwspray.vm.vuln.land http-get.
- configure hydra command via UI and then copy it for console (ftp)
torsocks hydra -t 4 -s 21 -v -V -w 360 -I -L /root/usernames_ftp.txt -p password -f -m / pwspray.vm.vuln.land ftp. To Note that
-t 4will only open 4 connections at a time.
- configure hydra command via UI and then copy for console (ssh)
torsocks hydra -t 2 -s 22 -v -V -w 360 -I -L /root/usernames.txt -p password -f -m / pwspray.vm.vuln.land ssh. Note that is
-t 2which will open only 2 connections at a time.
- submit result
The whole proxy setup is quite tedious and error-prone. Generally it is not recommended using the Tor Service but the Tor Browser with integrated Tor.