Task 10, Day 05, Brute-Forcing He knows when you’re awake
Remote Access Services
SSH - Secure Shell. Remote login with CLI
RDP - Remote Desktop Protocol. GUI access to Windows systems.
VNC - Virtual Network Computing. GUI access to any type of system.
Authentication
Make a claim (e.g. that you are the owner of a username) and then prove that claim.
Something you know - Password/PIN
Something you have - Security token, mobile phone, key file
Something you are - Biometric
Attacking Passwords
Some types of attacks:
Shoulder Surfing - Looking over the victim's shoulder. Requires the least technical knowledge.
Password Guessing - Using personal details (birthdays, children’s names, etc.) to guess passwords. Requires some knowledge of person.
Dictionary Attack - Automated password guessing from wordlist or a dictionary.
Brute Force Attack - Most exhaustive and time-consuming, tries all possible character combinations.
Make sure the wordlist matches the target's language. RockYou's wordlist has > 14 million unique passwords compiled from breaches; the top 5% alone is still over 0.5 million entries.
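As an added example (not part of the original notes), here is the defender's side of the dictionary-vs-brute-force distinction above: a password check that rejects anything found verbatim in a breach-derived wordlist and estimates the brute-force keyspace of the remainder. The wordlist is a constructed stand-in for the top entries of a list like rockyou.txt, and the 2**40 cutoff is an illustrative assumption, not a standard.

```python
# Added example (not from the original notes): check a candidate password the way
# a password policy would, against the two attacks described above.
#   - dictionary attack: the password is a verbatim wordlist entry
#   - brute force: the keyspace implied by its length and character classes is small
import string

# Constructed stand-in for the top entries of a breach wordlist (not the real file).
CONSTRUCTED_TOP_PASSWORDS = """\
123456
password
12345678
qwerty
abc123
iloveyou
letmein
"""


def load_wordlist(text):
    """Build a set of passwords from wordlist text, one entry per line.
    Entries are kept verbatim: a tool reading the list tries them exactly as written."""
    return {line for line in text.splitlines() if line}


def in_wordlist(password, wordlist):
    """True if the password would fall to a dictionary attack using this list."""
    return password in wordlist


def keyspace(password):
    """Estimate the brute-force keyspace for a password of this length, assuming the
    attacker knows which character classes (digits, lower, upper, symbols) it uses."""
    classes = [
        (string.digits, 10),
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.punctuation, len(string.punctuation)),
    ]
    alphabet = sum(size for chars, size in classes if any(c in chars for c in password))
    return alphabet ** len(password)


def assess(password, wordlist, max_bruteforce=2 ** 40):
    """Classify a password: 'in-wordlist', 'small-keyspace', or 'ok'.
    max_bruteforce is an illustrative assumption for what is cheaply brute-forceable."""
    if in_wordlist(password, wordlist):
        return "in-wordlist"
    if keyspace(password) < max_bruteforce:
        return "small-keyspace"
    return "ok"


if __name__ == "__main__":
    wl = load_wordlist(CONSTRUCTED_TOP_PASSWORDS)
    for pw in ("password", "Zx9!", "correct-horse-battery-staple"):
        print(pw, "->", assess(pw, wl), "keyspace =", keyspace(pw))
```

The keyspace figure is why the notes rank brute force as the slowest option: even a short mixed-class password like "Zx9!" needs tens of millions of guesses, whereas a wordlist hit costs at most one pass over the list.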
The Task
Find VNC password of target and get flag through VNC connection.
Methodology
Scan the target with nmap to find SSH/VNC services. Use Hydra to try common passwords against protocols including SSH, VNC, FTP, POP3, IMAP, SMTP, and all HTTP-related methods. Syntax:
hydra -l username -P wordlist.txt server service
or
hydra -l username -P wordlist.txt service://server
-l - login name (the single username to try); omit if the service does not use a username
-P - password list: the file containing candidate passwords (uppercase -P takes a file; lowercase -p would be a single password)
server - target IP
service - service attacking
Optional arguments:
-V or -vV - verbose, shows username/password combo being tried
-d - debugging, detailed info about each step (e.g. if Hydra is trying to connect to a closed port and timing out, that won't be hidden)
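Seen from the target's side, the Hydra run described above is a burst of failed logins from one source, usually across several usernames, often followed by one success. As an added example (not part of the original notes), here is a small detector that parses sshd auth-log lines and flags any source IP with a threshold of failures inside a sliding time window. The log lines are constructed for this example; the same logic applies to VNC server logs with a different line pattern.

```python
# Added example (not from the original notes): flag the failed-login burst that a
# Hydra-style password attack leaves in an SSH auth log.
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines in syslog/sshd format (not captured from a real host).
CONSTRUCTED_AUTH_LOG = """\
Dec  5 10:00:01 host sshd[1201]: Failed password for root from 10.0.0.5 port 50100 ssh2
Dec  5 10:00:02 host sshd[1202]: Failed password for root from 10.0.0.5 port 50101 ssh2
Dec  5 10:00:02 host sshd[1203]: Failed password for invalid user admin from 10.0.0.5 port 50102 ssh2
Dec  5 10:00:03 host sshd[1204]: Failed password for root from 10.0.0.5 port 50103 ssh2
Dec  5 10:00:03 host sshd[1205]: Failed password for root from 10.0.0.5 port 50104 ssh2
Dec  5 10:00:04 host sshd[1206]: Accepted password for root from 10.0.0.5 port 50105 ssh2
Dec  5 10:05:00 host sshd[1300]: Failed password for alice from 192.168.1.20 port 40000 ssh2
Dec  5 10:20:00 host sshd[1301]: Failed password for alice from 192.168.1.20 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse(line, year=2024):
    """Parse one sshd line into a dict, or return None for lines we don't care about.
    Syslog timestamps carry no year, so one is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: {"failures", "users", "success_after"}} for each source IP that
    produced at least `threshold` failed logins within any `window_seconds` span.
    A later successful login from a flagged IP is recorded as success_after.
    Assumes lines are in chronological order."""
    recent = defaultdict(deque)  # per-IP failures still inside the window
    alerts = {}
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["result"] == "Failed":
            q = recent[ip]
            q.append(ev)
            # drop failures older than the window relative to this event
            while q and (ev["ts"] - q[0]["ts"]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(
                    ip, {"failures": 0, "users": set(), "success_after": False}
                )
                a["failures"] = max(a["failures"], len(q))
                a["users"].update(e["user"] for e in q)
        elif ev["result"] == "Accepted" and ip in alerts:
            alerts[ip]["success_after"] = True
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(CONSTRUCTED_AUTH_LOG).items():
        print(ip, info)
```

Two failed logins fifteen minutes apart from 192.168.1.20 never reach the threshold, which is the point of the sliding window: it separates a user mistyping a password from the rate a wordlist run produces. The success_after flag is the one to page on, since it means a guessed password worked.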