7. Web Services
In the dynamic landscape of cybersecurity, maintaining robust authentication mechanisms is paramount. While technologies like Secure Shell (SSH) and File Transfer Protocol (FTP) facilitate secure remote access and file management, they are often reliant on traditional username-password combinations, presenting potential vulnerabilities exploitable through brute-force attacks. In this module, we will delve into the practical application of Medusa, a potent brute-forcing tool, to systematically compromise both SSH and FTP services, thereby illustrating potential attack vectors and emphasizing the importance of fortified authentication practices.
SSH is a cryptographic network protocol that provides a secure channel for remote login, command execution, and file transfers over an unsecured network. Its strength lies in its encryption, which makes it significantly more secure than unencrypted protocols like Telnet. However, weak or easily guessable passwords can undermine SSH's security, exposing it to brute-force attacks.
FTP is a standard network protocol for transferring files between a client and a server on a computer network. It's also widely used for uploading and downloading files from websites. However, standard FTP transmits data, including login credentials, in cleartext, rendering it susceptible to interception and brute-forcing.
Kick-off
We begin our exploration by targeting an SSH server running on a remote system. Assuming prior knowledge of the username sshuser, we can leverage Medusa to systematically attempt different password combinations until authentication succeeds.
The following command serves as our starting point:
$ medusa -h <IP> -n <PORT> -u sshuser -P 2023-200_most_used_passwords.txt -M ssh -t 3
Let's break down each component:
-h <IP>: Specifies the target system's IP address.
-n <PORT>: Defines the port on which the SSH service is listening (typically port 22).
-u sshuser: Sets the username for the brute-force attack.
-P 2023-200_most_used_passwords.txt: Points Medusa to a wordlist containing the 200 most commonly used passwords in 2023. The effectiveness of a brute-force attack is often tied to the quality and relevance of the wordlist used.
-M ssh: Selects the SSH module within Medusa, tailoring the attack specifically for SSH authentication.
-t 3: Dictates the number of parallel login attempts to execute concurrently. Increasing this number can speed up the attack but may also increase the likelihood of detection or triggering security measures on the target system.
$ medusa -h IP -n PORT -u sshuser -P 2023-200_most_used_passwords.txt -M ssh -t 3
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>
...
ACCOUNT FOUND: [ssh] Host: IP User: sshuser Password: 1q2w3e4r5t [SUCCESS]
Upon execution, Medusa will display its progress as it cycles through the password combinations. The output will indicate a successful login, revealing the correct password.
Gaining Access
With the password in hand, establish an SSH connection using the following command and enter the found password when prompted:
This command will initiate an interactive SSH session, granting you access to the remote system's command line.
Expanding the Attack Surface
Once inside the system, the next step is identifying other potential attack surfaces. Using netstat (within the SSH session) to list open ports and listening services, you discover a service running on port 21.
Further reconnaissance with nmap (within the SSH session) confirms this finding as an ftp server.
Targeting the FTP Server
Having identified the FTP server, you can proceed to brute-force its authentication mechanism.
If we explore the /home directory on the target system, we see an ftpuser folder, which implies the likelihood of the FTP server username being ftpuser. Based on this, we can modify our Medusa command accordingly:
The key differences here are:
-h 127.0.0.1: Targets the local system, as the FTP server is running locally. Using the IP address tells Medusa explicitly to use IPv4.
-u ftpuser: Specifies the username ftpuser.
-M ftp: Selects the FTP module within Medusa.
-t 5: Increases the number of parallel login attempts to 5.
-F: Stops the attack once a valid username/password pair is found.
Retrieving The Flag
Upon successfully cracking the FTP password, establish an FTP connection. Within the FTP session, use the get command to download the flag.txt file, which may contain sensitive information.