Wireshark Hack Discovery Tour (4)--Brute force hack


Wireshark Hack Discovery Tour (4)--Brute force hack, Poly-Feng Lab, 2015/08/10 10:33

Mr.right, K0r4dji

Disclaimer: The attack methods mentioned in this article are described only to expose malicious network attacks. Do not imitate them; otherwise the consequences are at your own risk.

I. Personal views

Brute force cracking means guessing a password by making a large number of attempts. There are three ways to guess a password:

1. Permutation and combination: first list the possible components of a password, such as digits, uppercase letters, lowercase letters and special characters, then try every combination by password length, starting from 1 character, then 2 characters, and so on. Of course, this method needs a high-performance cracking algorithm and CPU/GPU support.

2. Dictionary cracking: most attackers do not have a high-performance cracking algorithm or CPU/GPU, so to save time and improve efficiency they build a cracking dictionary by social engineering or other methods, and guess using the user names and passwords in that dictionary.

3. Permutation and combination plus dictionary cracking. In theory, given a powerful enough computer and a long enough time, most passwords can be cracked.

Brute force cracking is commonly used in two scenarios:

1. Before the attack, the attacker tries to find out whether the user has a weak or regular (predictable) password; if so, the whole attack becomes much easier.

2. After a large number of attacks, no vulnerability or weakness in the user's network system can be found, so the only option left is brute force, in the hope of obtaining a weak or regular password. Therefore it is very dangerous for a user, and especially an administrator, to set a weak or regular password: it may become the attacker's "stepping stone" or "the last straw".

Brute force cracking has a wide range of applications: any entry point that requires a login can be attacked by brute force. At the application level this includes web pages, mail, FTP services, Telnet services and so on; at the protocol level it includes HTTP, HTTPS, POP3, POP3S, IMAP, IMAPS, SMTP, SMTPS, FTP, Telnet, RDP, QQ, MSN and so on. This article covers only some of the common protocols; other protocols are similar.

II. The normal login state

To identify brute force attacks at the level of communication data, we first need to know the data format of a normal login for each protocol. Let's take a look at the common data format of the POP3/SMTP/IMAP/HTTP/HTTPS/RDP authentication process; it differs slightly depending on the type of server. (Note: the server environment used in this chapter is Exchange 2003 and WampServer.)

1. POP3 protocol

    +OK Microsoft Exchange Server 2003 POP3 ... 6.5.6944.0 (a-ba21a05129e24.test.org) ...    // the server is ready
    CAPA                                   // ask the server for its list of supported features
    +OK Capability list follows
    TOP
    USER
    PIPELINING
    EXPIRE NEVER
    UIDL
    .
    USER [email protected]                // the POP3 client sends the account name
    +OK
    PASS [email protected]                // the POP3 client sends the password
    +OK User successfully logged on.      // authentication successful
    STAT
    +OK 21568
    QUIT
    +OK Microsoft Exchange Server 2003 POP3 ... 6.5.6944.0 ...

2. SMTP protocol

    a-ba21a05129e24.test.org Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready at Thu, 6 2015 11:10:17 +0    // service ready
    EHLO MR.RIGHTPC                        // client host name
    250-a-ba21a05129e24.test.org Hello [192.1.14.228]
    ...
    250 OK
    AUTH LOGIN                             // authentication starts
    334 VXNlcm5hbWU6                       // base64 of "Username:"
    ANVMZW5NMDAXQHRLC3QUB3JN               // the client sends the user name, base64-encoded
    334 UGFzc3dvcmQ6                       // base64 of "Password:"
    mxfhekbxu1g=                           // the client sends the password, base64-encoded
    235 2.7.0 Authentication successful.   // authentication successful

3. IMAP protocol

    * OK Microsoft Exchange Server 2003 IMAP4rev1 ... 6.5.6944.0 (a-ba21a05129e24.test.org) ...    // IMAP service ready
    bf8p CAPABILITY
    * CAPABILITY IMAP4 IMAP4rev1 IDLE LOGIN-REFERRALS MAILBOX-REFERRALS NAMESPACE LITERAL+ UIDPLUS CHILDREN
    bf8p OK CAPABILITY completed.
    s3yg LOGIN "jufeng002" "[email protected]"    // the client sends user name jufeng002 and the password
    s3yg OK LOGIN completed.               // authentication successful

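As an added example (not code from the original article or the Poly-Feng lab), the following Python script pulls the user name, password and outcome out of a reassembled POP3, SMTP or IMAP stream like the ones above, decoding the base64 of the SMTP AUTH LOGIN exchange along the way. The stream texts are constructed samples that mirror the exchanges shown; the account names jufeng001@test.org and jufeng002 come from the article, the passwords are placeholders. The point for a defender is that in all three protocols the credentials travel in the clear (base64 is an encoding, not encryption), which is also why a capture of a blasting session later in this article shows every guessed password.

```python
import base64
import re

# Constructed sample "Follow TCP Stream" text for each protocol. These are not
# captures from the article's lab: they mirror the exchange shapes shown above,
# the account names come from the article, and the passwords are placeholders.
POP3_STREAM = (
    "+OK Microsoft Exchange Server 2003 POP3 server ready.\r\n"
    "USER jufeng001@test.org\r\n"
    "+OK\r\n"
    "PASS Placeholder-Pass1\r\n"
    "+OK User successfully logged on.\r\n"
)

SMTP_STREAM = (
    "220 mail.example.test Microsoft ESMTP MAIL Service ready\r\n"
    "EHLO CLIENTPC\r\n"
    "250 OK\r\n"
    "AUTH LOGIN\r\n"
    "334 VXNlcm5hbWU6\r\n"             # base64("Username:")
    "anVmZW5nMDAxQHRlc3Qub3Jn\r\n"      # base64("jufeng001@test.org")
    "334 UGFzc3dvcmQ6\r\n"             # base64("Password:")
    "UGxhY2Vob2xkZXItUGFzczE=\r\n"      # base64("Placeholder-Pass1")
    "235 2.7.0 Authentication successful.\r\n"
)

IMAP_STREAM = (
    "* OK Microsoft Exchange Server 2003 IMAP4rev1 server ready.\r\n"
    "bf8p CAPABILITY\r\n"
    "bf8p OK CAPABILITY completed.\r\n"
    's3yg LOGIN "jufeng002" "Placeholder-Pass2"\r\n'
    "s3yg OK LOGIN completed.\r\n"
)


def _b64_text(s):
    """Decode one base64 line to text. base64 is case-sensitive, so a case-folded
    copy (as in a damaged transcript) will not decode to the original string."""
    return base64.b64decode(s.strip()).decode("utf-8", errors="replace")


def parse_pop3(stream):
    """POP3 sends USER and PASS as plain text; success is the +OK line from the article."""
    user = re.search(r"^USER (\S+)", stream, re.M | re.I)
    password = re.search(r"^PASS (\S+)", stream, re.M | re.I)
    success = re.search(r"^\+OK User successfully logged on", stream, re.M) is not None
    return {"user": user.group(1) if user else None,
            "password": password.group(1) if password else None,
            "success": success}


def parse_smtp(stream):
    """AUTH LOGIN: each '334 <base64 prompt>' is answered by one base64 client line."""
    lines = stream.splitlines()
    creds = {"user": None, "password": None, "success": False}
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("334 ") and i + 1 < len(lines):
            prompt = _b64_text(line[4:]).rstrip(":").lower()    # "username" / "password"
            if prompt in ("username", "password"):
                key = "user" if prompt == "username" else "password"
                creds[key] = _b64_text(lines[i + 1])
            i += 2
            continue
        if line.startswith("235 "):        # 235 = authentication successful
            creds["success"] = True
        i += 1
    return creds


def parse_imap(stream):
    """IMAP LOGIN carries both values quoted; the tagged OK reply confirms success."""
    m = re.search(r'^(\S+) LOGIN "([^"]*)" "([^"]*)"', stream, re.M | re.I)
    if not m:
        return {"user": None, "password": None, "success": False}
    tag = m.group(1)
    ok = re.search(r"^%s OK LOGIN completed" % re.escape(tag), stream, re.M | re.I)
    return {"user": m.group(2), "password": m.group(3), "success": ok is not None}


PARSERS = {"POP3": parse_pop3, "SMTP": parse_smtp, "IMAP": parse_imap}


def extract_login(protocol, stream):
    """Dispatch on protocol name and return {'user', 'password', 'success'}."""
    return PARSERS[protocol.upper()](stream)


if __name__ == "__main__":
    for name, text in (("POP3", POP3_STREAM), ("SMTP", SMTP_STREAM), ("IMAP", IMAP_STREAM)):
        print(name, extract_login(name, text))
```

To use it on a real capture, paste the ASCII output of Follow TCP Stream into the stream text; the same functions also run over the streams of a blasting session, where `success` stays False for every attempt but the last.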
4. HTTP protocol

There are many HTTP authentication formats; only one of them is listed here for reference.

    Referer: http://192.1.14.199:8080/login.html    // login page address
    uname=jufeng001&upass=1qaz%40wsx                // the submitted user name jufeng001 and password 1qaz%40wsx (URL-encoded)

    HTTP/1.1 200 OK
    ...
    <script>alert('OK')</script>                    // the server returns HTTP/1.1 200 and pops up an "OK" dialog, which indicates that authentication succeeded

5. HTTPS protocol

HTTPS is an encrypted protocol, so it is difficult to determine from the data whether authentication succeeded; we can only judge from the packet headers combined with social engineering. If the user takes no further step such as viewing a web page or reading mail, no further data follows; if they do, encrypted data is generated.

From the data we can see the authentication negotiation in the HTTPS headers; after authentication there is a large amount of encrypted data, from which we can basically judge that authentication succeeded. The SSL authentication process can be seen in the capture.

6. RDP protocol

RDP is the Windows remote control protocol and uses TCP port 3389. The encryption algorithm used in this version is 128-bit RC4. In the capture, the red line marks the login authentication process; the data after it is the session traffic following a successful login.

III. Identifying brute force cracking

From the principle of brute force cracking we can see that the attack generates a large number of wrong guesses. In general, before blasting (brute forcing), attackers collect or guess some user names, related dictionaries and blasting algorithms to improve efficiency.

1. POP3 blasting

It can be seen that the attacker keeps entering the user name jufeng001 with different passwords, and the server returns a large number of errors: -ERR Logon failure: unknown user name or bad password. Follow TCP Stream shows this more clearly.

By extracting all this information, you can find out which user names and passwords the attacker guessed.

2. SMTP blasting

The SMTP protocol is often a gap in users' mail security management, so it is exploited by hackers.

It can be seen that the attacker keeps entering the user name jufeng001 with different passwords, and the server returns a large number of errors: 535 5.7.3 Authentication unsuccessful. Follow TCP Stream:

3. IMAP blasting

As can be seen from the following two images, IMAP blasting repeats LOGIN "username" "password" over and over, together with the login failure error: NO Logon failure: unknown user name or bad password.

4. HTTP blasting

Because there are so many web servers, blasting against HTTP is probably the most common, and the most people study blasting methods and ways of bypassing protection mechanisms. Only the simplest web lab environment is described here.

Opening the data, we first see a large number of login page request packets in a short period of time.

Extracting with Follow TCP Stream shows the entered user names and passwords; the server's return value is no longer the successful login "OK" but the login error "...".

The "..." does not mean nothing was returned; Wireshark simply cannot recognise the Chinese encoding. Click Hex Dump to see the content in hexadecimal.

Save the Follow TCP Stream output as 1.html and open it in a browser.

5. HTTPS blasting

Blasting of HTTPS, including other SSL-based protocols, is difficult to monitor at the communication level because the authentication process is encrypted: the attacker's user name, password and whether authentication succeeded cannot be known. But from the principle of blasting, there will be a large number of login processes, none of them successful, and no successful post-login operation.

During blasting, the handshake keeps appearing: Client Hello, Server Hello and so on, but the large amount of encrypted data that follows a successful login never appears.

Looking at the Info column, there are 16 authentication attempts in less than 2 seconds, which is basically enough to judge this as brute force.

6. RDP blasting

RDP blasting is used very often in hacker attacks; once the login password is cracked, the machine is basically under the attacker's control. Because RDP protocol data is also encrypted, there are some difficulties in identifying blasting. Another method of rapid identification is described below; it also applies to blasting of other protocols.

First we look at statistics such as the TCP ports of a normal RDP login. We can see that a normal login is, for a certain period, a single pair of "source port and destination port".

Now look at the TCP port statistics for RDP blasting: in a short time there are many different "source port and destination port" pairs, and the packet counts and byte lengths are basically the same. This shows a large number of nearly identical "short communications"; combined with the data format, this can be identified as brute force behaviour.
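The conversation statistics described in this section can be checked automatically. The following Python example is added here and is not from the original article: it takes per-conversation records like the rows in Wireshark's Conversations window (start time, addresses, ports, packet count, byte count), which are constructed samples, and flags a source that opens many near-identical short conversations to the same destination port within a few seconds. The server 192.1.14.199 and the client 192.1.14.228 are the article's addresses; the blasting source 192.1.14.250, the window and the thresholds are assumptions.

```python
from collections import defaultdict, namedtuple
from statistics import median

# One TCP conversation as Wireshark's Conversations statistics summarise it.
Flow = namedtuple("Flow", "start src_ip src_port dst_ip dst_port packets bytes")


def constructed_flows():
    """Constructed sample conversations, not from the article's capture."""
    flows = [
        # a normal RDP login: one long conversation, a single source/destination port pair
        Flow(0.0, "192.1.14.228", 51000, "192.1.14.199", 3389, 1840, 612000),
        # unrelated traffic from the same client, so the detector has something to ignore
        Flow(30.0, "192.1.14.228", 51001, "192.1.14.199", 8080, 12, 2100),
    ]
    # blasting (assumed source 192.1.14.250): 20 short conversations within 6 seconds,
    # a fresh source port each time, almost identical packet counts and byte lengths
    for i in range(20):
        flows.append(Flow(100.0 + i * 0.3, "192.1.14.250", 40000 + i,
                          "192.1.14.199", 3389, 34 + i % 3, 6100 + 40 * (i % 4)))
    return flows


def _uniform(values, tolerance):
    """True when the spread of the values is within tolerance * median."""
    m = median(values)
    return m > 0 and (max(values) - min(values)) <= tolerance * m


def detect_short_repeated_flows(flows, window=10.0, min_flows=8, tolerance=0.25):
    """Flag (src_ip, dst_ip, dst_port) triples with at least min_flows conversations
    starting within `window` seconds whose sizes are nearly identical. Thresholds
    are assumptions; tune them to the environment."""
    by_triple = defaultdict(list)
    for f in flows:
        by_triple[(f.src_ip, f.dst_ip, f.dst_port)].append(f)

    alerts = []
    for (src, dst, dport), group in by_triple.items():
        group.sort(key=lambda f: f.start)
        if len(group) < min_flows:
            continue
        for i in range(len(group)):
            # all conversations starting within `window` seconds of conversation i
            run = [f for f in group[i:] if f.start - group[i].start <= window]
            if len(run) < min_flows:
                continue
            if (_uniform([f.packets for f in run], tolerance)
                    and _uniform([f.bytes for f in run], tolerance)):
                alerts.append({
                    "src_ip": src, "dst_ip": dst, "dst_port": dport,
                    "flows": len(run),
                    "distinct_src_ports": len({f.src_port for f in run}),
                    "median_packets": median(f.packets for f in run),
                    "median_bytes": median(f.bytes for f in run),
                    "seconds": round(run[-1].start - run[0].start, 1),
                })
                break   # one alert per triple is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_short_repeated_flows(constructed_flows()):
        print(alert)
```

The normal login and the unrelated conversation never reach `min_flows`, so only the repeated short conversations to port 3389 are reported, with the count of distinct source ports that the article points to as the tell-tale sign. The same function works for any port, which is why the article notes that the method applies to other protocols as well.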

7. Simultaneous multi-user blasting

To improve the hit rate, attackers tend to collect a large number of user names and blast them all at the same time with the dictionary, hoping that if one account fails another will succeed. This blasting method is also easy to recognise. Its communication principle is: the same attacking IP logs in with a large number of different user names at the same time, tries different passwords, and receives a large number of failed login errors.

Here blasting is carried out simultaneously against users jufeng001, jufeng002, jufeng003, jufeng004 and others.

8. How to identify successful blasting

Of course, discovering a blasting attack is only part of the job. More importantly, we need to know whether the attacker succeeded, and what effect it would have on us if so. The following shows how to discover successful blasting with Wireshark.

(1) First, we need to know which protocol the attacker is blasting and the value the server returns on a successful login. For example, for POP3 blasting we know from the previous section that if the login succeeds the server returns "+OK User successfully logged on".

(2) Search the data for the string "+OK User successfully logged on".

(3) The search finds the successful login information returned by the server.

(4) Follow TCP Stream shows that after attempting a large number of wrong passwords, the attacker finally blasted successfully: user name jufeng001, password [email protected].
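The patterns from sections 1 to 3, 7 and 8 above (a run of failures for one user name, many user names from one source, and a success after many failures) can be checked mechanically once each attempt has been pulled out of its TCP stream. The following Python example is added here and is not part of the original article: it works on constructed attempt records (time, source IP, protocol, user name, server response) and uses the success and failure strings from this article's Exchange 2003 captures; the source 192.1.14.250, the time window and the thresholds are assumptions.

```python
from collections import Counter, defaultdict, deque, namedtuple

# One authentication attempt as reconstructed from a TCP stream: when it happened,
# who sent it, which protocol, which account, and the server's response line.
Attempt = namedtuple("Attempt", "time src_ip protocol username response")

# Server responses that mark success and failure, taken from the exchanges shown in
# this article (Exchange 2003); other servers word them differently.
SUCCESS_MARKERS = {
    "POP3": "+OK User successfully logged on",
    "SMTP": "235 ",
    "IMAP": "OK LOGIN completed",
}
FAILURE_MARKERS = {
    "POP3": "-ERR Logon failure",
    "SMTP": "535 ",
    "IMAP": "NO Logon failure",
}


def classify(protocol, response):
    """Map a server response line to 'success', 'failure' or 'other'."""
    if SUCCESS_MARKERS[protocol] in response:
        return "success"
    if FAILURE_MARKERS[protocol] in response:
        return "failure"
    return "other"


def analyse(attempts, window=60.0, fail_threshold=10, user_threshold=3):
    """Return alerts for: many failures from one source inside `window` seconds
    (brute_force), many distinct user names tried from one source (multi_user),
    and a success from a source that had failed before (success_after_failures)."""
    attempts = sorted(attempts, key=lambda a: a.time)
    recent_fails = defaultdict(deque)   # src_ip -> failure timestamps inside the window
    total_fails = Counter()             # src_ip -> failures seen so far
    usernames = defaultdict(set)        # src_ip -> user names that failed
    flagged = set()                     # (alert type, src_ip) already reported
    alerts = []
    for a in attempts:
        outcome = classify(a.protocol, a.response)
        if outcome == "failure":
            q = recent_fails[a.src_ip]
            q.append(a.time)
            while q and a.time - q[0] > window:
                q.popleft()
            total_fails[a.src_ip] += 1
            usernames[a.src_ip].add(a.username)
            if len(q) >= fail_threshold and ("brute_force", a.src_ip) not in flagged:
                flagged.add(("brute_force", a.src_ip))
                alerts.append({"type": "brute_force", "src_ip": a.src_ip,
                               "protocol": a.protocol, "failures_in_window": len(q),
                               "time": a.time})
            if len(usernames[a.src_ip]) >= user_threshold and ("multi_user", a.src_ip) not in flagged:
                flagged.add(("multi_user", a.src_ip))
                alerts.append({"type": "multi_user", "src_ip": a.src_ip,
                               "usernames": sorted(usernames[a.src_ip]), "time": a.time})
        elif outcome == "success" and total_fails[a.src_ip] > 0:
            # the case from section 8: the right password after many wrong ones
            alerts.append({"type": "success_after_failures", "src_ip": a.src_ip,
                           "protocol": a.protocol, "username": a.username,
                           "failures_before": total_fails[a.src_ip], "time": a.time})
    return alerts


def constructed_attempts():
    """Constructed sample attempts (not from the article's capture)."""
    pop3_err = "-ERR Logon failure: unknown user name or bad password"
    smtp_err = "535 5.7.3 Authentication unsuccessful"
    # a legitimate IMAP login from the article's client address
    attempts = [Attempt(5.0, "192.1.14.228", "IMAP", "jufeng002", "s3yg OK LOGIN completed.")]
    # assumed attacker: 12 wrong POP3 passwords for jufeng001, then the right one
    for i in range(12):
        attempts.append(Attempt(float(i), "192.1.14.250", "POP3", "jufeng001", pop3_err))
    attempts.append(Attempt(12.0, "192.1.14.250", "POP3", "jufeng001",
                            "+OK User successfully logged on."))
    # the same source then sprays three more accounts over SMTP
    for i, user in enumerate(["jufeng002", "jufeng003", "jufeng004"]):
        for j in range(3):
            attempts.append(Attempt(20.0 + 3 * i + j, "192.1.14.250", "SMTP", user, smtp_err))
    return attempts


if __name__ == "__main__":
    for alert in analyse(constructed_attempts()):
        print(alert)
```

Only the assumed attacking address produces alerts; the single legitimate IMAP login does not, because a success is only interesting when the same source failed first. The `success_after_failures` alert carries the user name, which is what the administrator needs in order to reset that account's password after the incident.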

IV. Summary

1. Whether user or administrator, we must pay attention to the security issue of weak or regular passwords, and not let security protection fail on a detail.

2. A CAPTCHA (verification code) mechanism to prevent brute force cracking applies only to the HTTP/HTTPS protocols; it cannot protect other protocols.

3. Once the communication principle of brute force cracking is understood, it can be monitored and prevented at the communication level.

4. Login rights to important management systems attract the most blasting attacks. It is best to bind login permissions to the IP addresses administrators commonly use, or to add an additional authentication mechanism, and not give hackers the opportunity to blast.


Poly-Feng Lab 2015-08-12 13:26:37

@xsser_w An article for exchange; please criticize it in detail -_-

xsser_w 2015-08-12 11:28:51

Article quality ... worrying, ahahaha

Mr. Mario 2015-08-10 13:26:21

Dsdsd
