1 00:00:00,200 --> 00:00:02,430 Speaker: It is time to switch things up a little bit
2 00:00:02,430 --> 00:00:04,530 and check out a new type of attack
3 00:00:04,530 --> 00:00:07,020 called a brute force attack.
4 00:00:07,020 --> 00:00:10,560 Unlike the previous attacks, which were vulnerabilities,
5 00:00:10,560 --> 00:00:13,710 information disclosures, or misconfigurations,
6 00:00:13,710 --> 00:00:16,290 right now we are going to perform something
7 00:00:16,290 --> 00:00:19,140 that will be more of a presentation of the attack
8 00:00:19,140 --> 00:00:20,850 than the attack itself,
9 00:00:20,850 --> 00:00:23,160 since we are going to cheat a little bit.
10 00:00:23,160 --> 00:00:26,010 But before I tell you how we are going to cheat,
11 00:00:26,010 --> 00:00:29,283 let's first explain what brute force attacks are.
12 00:00:30,390 --> 00:00:33,360 Well, a brute force attack is you sending
13 00:00:33,360 --> 00:00:35,970 a lot of different information to the target
14 00:00:35,970 --> 00:00:40,020 in order to figure out what information is correct.
15 00:00:40,020 --> 00:00:42,750 Now, you could be wondering what I mean
16 00:00:42,750 --> 00:00:45,060 by sending information to the target.
17 00:00:45,060 --> 00:00:47,250 Well, this can be anything.
18 00:00:47,250 --> 00:00:51,600 In 99% of cases, it is usually usernames or passwords.
19 00:00:51,600 --> 00:00:54,390 So we send a lot of usernames and a lot of passwords
20 00:00:54,390 --> 00:00:58,230 and hope that by accident we hit the correct one.
21 00:00:58,230 --> 00:01:00,270 And when is this useful?
22 00:01:00,270 --> 00:01:02,580 Well, you usually perform this attack
23 00:01:02,580 --> 00:01:05,400 to see whether the target has default credentials
24 00:01:05,400 --> 00:01:08,100 or weak passwords.
25 00:01:08,100 --> 00:01:10,530 These types of attacks will work, for example,
26 00:01:10,530 --> 00:01:12,210 if the target has a password
27 00:01:12,210 --> 00:01:14,520 that has a small number of characters,
28 00:01:14,520 --> 00:01:16,980 or if it is very easy to guess.
29 00:01:16,980 --> 00:01:20,040 For example, password, password123,
30 00:01:20,040 --> 00:01:21,630 is very easy to guess
31 00:01:21,630 --> 00:01:25,143 but it is also one of the most used passwords in the world.
32 00:01:26,070 --> 00:01:29,070 In this case, we know that msfadmin
33 00:01:29,070 --> 00:01:33,420 and msfadmin is one account on the target machine.
34 00:01:33,420 --> 00:01:37,710 So we will use those credentials to log in to SSH.
35 00:01:37,710 --> 00:01:40,200 In that sense, this will not be a real attack
36 00:01:40,200 --> 00:01:42,270 since we will be putting those credentials
37 00:01:42,270 --> 00:01:44,190 in two different lists.
38 00:01:44,190 --> 00:01:45,903 One list will contain usernames
39 00:01:45,903 --> 00:01:49,740 and the other list will contain passwords.
40 00:01:49,740 --> 00:01:51,960 Then we will run the brute force attack
41 00:01:51,960 --> 00:01:54,360 and you will see it will automatically go through
42 00:01:54,360 --> 00:01:56,977 all of the usernames and passwords in those lists
43 00:01:56,977 --> 00:02:00,600 and it'll manage to find the correct ones,
44 00:02:00,600 --> 00:02:04,230 which are msfadmin and msfadmin.
45 00:02:04,230 --> 00:02:05,640 Let's do it.
46 00:02:05,640 --> 00:02:07,940 To perform this using Metasploit framework,
47 00:02:07,940 --> 00:02:10,860 we're going to use an auxiliary module
48 00:02:10,860 --> 00:02:13,830 that is used for SSH login.
49 00:02:13,830 --> 00:02:15,633 If we search ssh
50 00:02:17,940 --> 00:02:18,930 right here,
51 00:02:18,930 --> 00:02:20,520 we will get a bunch of results.
52 00:02:20,520 --> 00:02:22,318 But the one that we are interested in
53 00:02:22,318 --> 00:02:24,840 is all the way up, I believe,
54 00:02:24,840 --> 00:02:26,160 and it is this one,
55 00:02:26,160 --> 00:02:30,780 auxiliary/scanner/ssh/ssh_login.
56 00:02:30,780 --> 00:02:32,780 Let's go with the auxiliary module name.
57 00:02:34,950 --> 00:02:36,640 And let's type down here
58 00:02:37,560 --> 00:02:40,443 use and paste the module name.
59 00:02:41,340 --> 00:02:43,173 If we type show options
60 00:02:44,400 --> 00:02:48,180 for this module, we can see we have a lot of options
61 00:02:48,180 --> 00:02:50,550 available to specify.
62 00:02:50,550 --> 00:02:53,250 Keep in mind that only some of them are required
63 00:02:53,250 --> 00:02:54,900 and a lot of them aren't,
64 00:02:54,900 --> 00:02:57,930 as we can see by this column right here.
65 00:02:57,930 --> 00:03:00,390 Let's see what the things are that we need
66 00:03:00,390 --> 00:03:03,450 in order for this brute force attack to work.
67 00:03:03,450 --> 00:03:05,280 We got the brute force speed,
68 00:03:05,280 --> 00:03:07,953 and this is how fast it'll try the passwords.
69 00:03:09,030 --> 00:03:11,400 We can specify a single password
70 00:03:11,400 --> 00:03:13,200 or a password file,
71 00:03:13,200 --> 00:03:16,920 and we will be going with the password file in our case.
72 00:03:16,920 --> 00:03:19,140 We must specify the RHOST,
73 00:03:19,140 --> 00:03:21,240 which is the IP address of the target.
74 00:03:21,240 --> 00:03:24,840 The RPORT is the SSH port on the target machine,
75 00:03:24,840 --> 00:03:27,330 and let's just double check: it is 22 here
76 00:03:27,330 --> 00:03:30,360 and it is also 22 in our scan,
77 00:03:30,360 --> 00:03:32,940 so that is already set correctly.
78 00:03:32,940 --> 00:03:35,670 Here we can also set the username,
79 00:03:35,670 --> 00:03:38,970 and this username field is a single username,
80 00:03:38,970 --> 00:03:41,280 or we can set the user file,
81 00:03:41,280 --> 00:03:44,790 which would be the file containing a bunch of usernames.
82 00:03:44,790 --> 00:03:46,860 Another possible option that we can do
83 00:03:46,860 --> 00:03:49,620 is set userpass file.
84 00:03:49,620 --> 00:03:52,050 And what this userpass file is
85 00:03:52,050 --> 00:03:55,290 is a file containing both usernames and passwords.
86 00:03:55,290 --> 00:03:57,139 As it says right here,
87 00:03:57,139 --> 00:03:58,920 file containing users and passwords
88 00:03:58,920 --> 00:04:02,760 separated by space, one pair per line.
89 00:04:02,760 --> 00:04:04,560 Now for this particular attack,
90 00:04:04,560 --> 00:04:07,050 we are going to be using a password file
91 00:04:07,050 --> 00:04:10,110 and a user file separately.
92 00:04:10,110 --> 00:04:13,830 So what we must do first is we must create those files.
93 00:04:13,830 --> 00:04:15,930 Let us open another terminal,
94 00:04:15,930 --> 00:04:19,959 navigate to the desktop of our mister hacker account
95 00:04:21,029 --> 00:04:24,990 and let's nano usernames.txt.
96 00:04:24,990 --> 00:04:27,993 This will be our list containing usernames.
97 00:04:28,860 --> 00:04:31,260 And let's, just for the purposes of this tutorial,
98 00:04:31,260 --> 00:04:35,445 write a few of them, so admin, root,
99 00:04:35,445 --> 00:04:36,850 test123.
100 00:04:37,890 --> 00:04:42,750 Let's go with system and msfadmin.
101 00:04:42,750 --> 00:04:46,478 We must add the correct one in order for the SSH brute force
102 00:04:46,478 --> 00:04:48,033 to be able to find it.
103 00:04:49,020 --> 00:04:50,973 And after it, let's add one more.
104 00:04:52,106 --> 00:04:55,500 Let's call this one admin123.
105 00:04:55,500 --> 00:04:57,510 So this is six usernames.
106 00:04:57,510 --> 00:04:59,280 Of course, in a real life attack
107 00:04:59,280 --> 00:05:01,650 you would be using much bigger lists.
108 00:05:01,650 --> 00:05:03,720 But for now, for the purposes of this tutorial,
109 00:05:03,720 --> 00:05:07,110 we will create these small lists and see whether it'll work.
110 00:05:07,110 --> 00:05:10,260 So we got our usernames file right here,
111 00:05:10,260 --> 00:05:13,470 and it has the correct username specified.
112 00:05:13,470 --> 00:05:14,373 Let's save it.
113 00:05:15,930 --> 00:05:18,360 Now we need to do the same thing with the passwords.
114 00:05:18,360 --> 00:05:21,550 So let's nano passwords.txt.
115 00:05:23,070 --> 00:05:24,753 Here, let's type password,
116 00:05:25,731 --> 00:05:27,960 password123,
117 00:05:27,960 --> 00:05:29,640 hello world.
118 00:05:29,640 --> 00:05:32,730 Let's also type msfadmin, which is the correct password,
119 00:05:32,730 --> 00:05:35,070 and we know it at the moment,
120 00:05:35,070 --> 00:05:37,900 and at the end let's type test1234.
121 00:05:38,880 --> 00:05:41,010 So here we have five passwords,
122 00:05:41,010 --> 00:05:42,903 and one of them is the correct one.
123 00:05:43,890 --> 00:05:45,243 Let's save this file.
124 00:05:46,440 --> 00:05:50,130 And if I type ls, we should have both of the files
125 00:05:50,130 --> 00:05:52,800 in our desktop directory.
126 00:05:52,800 --> 00:05:56,370 Let's specify them right here in our options.
127 00:05:56,370 --> 00:05:59,322 So, the password file must be the entire path
128 00:05:59,322 --> 00:06:02,520 to this passwords.txt.
129 00:06:02,520 --> 00:06:04,639 So we must specify the entire path.
130 00:06:04,639 --> 00:06:06,300 To check out the entire path,
131 00:06:06,300 --> 00:06:08,310 I can type print working directory
132 00:06:08,310 --> 00:06:11,313 inside of the desktop directory and copy this.
133 00:06:14,340 --> 00:06:16,530 And inside of our Metasploit framework
134 00:06:16,530 --> 00:06:19,900 we can type set pass_file
135 00:06:20,910 --> 00:06:25,910 and then paste the path, add a slash, and then passwords.txt.
136 00:06:29,610 --> 00:06:32,460 This now sets the path to the pass file
137 00:06:32,460 --> 00:06:35,550 to be this path right here.
138 00:06:35,550 --> 00:06:39,270 And we must do the same thing for the usernames.
139 00:06:39,270 --> 00:06:42,040 Let's type set user_file,
140 00:06:44,520 --> 00:06:47,118 paste the same path right here
141 00:06:47,118 --> 00:06:49,140 and, instead of passwords.txt,
142 00:06:49,140 --> 00:06:53,223 let's add usernames.txt, press enter.
143 00:06:53,223 --> 00:06:55,920 And if I type show options once again,
144 00:06:55,920 --> 00:06:58,650 let's see what else we need to specify.
145 00:06:58,650 --> 00:07:00,570 Here, the password file and the user file
146 00:07:00,570 --> 00:07:02,490 have already been specified,
147 00:07:02,490 --> 00:07:06,090 but we must also specify the RHOSTS for this to work.
148 00:07:06,090 --> 00:07:06,923 So let's do it.
149 00:07:06,923 --> 00:07:09,790 If I type set RHOSTS, type the IP address
150 00:07:09,790 --> 00:07:13,470 of my Metasploitable, clear the screen
151 00:07:13,470 --> 00:07:15,483 and check out the options once again,
152 00:07:16,890 --> 00:07:18,000 all seems to be set.
153 00:07:18,000 --> 00:07:20,190 We will leave the brute force speed at five,
154 00:07:20,190 --> 00:07:21,603 which is the fastest.
155 00:07:22,650 --> 00:07:25,170 And one more thing that we want to change is this
156 00:07:25,170 --> 00:07:26,534 verbose right here.
157 00:07:26,534 --> 00:07:29,250 This is currently set to false.
158 00:07:29,250 --> 00:07:31,140 We want to set it to true.
159 00:07:31,140 --> 00:07:33,540 And this verbose means that it'll print out
160 00:07:33,540 --> 00:07:36,030 even the failed usernames and passwords.
161 00:07:36,030 --> 00:07:38,978 It will not only print the successful login.
162 00:07:38,978 --> 00:07:40,710 Let me show you right here.
163 00:07:40,710 --> 00:07:44,670 If I set verbose to be equal to true, clear the screen
164 00:07:44,670 --> 00:07:46,113 and run this.
165 00:07:49,200 --> 00:07:50,747 Here it is, it started our attack.
166 00:07:50,747 --> 00:07:54,120 It is going to try every single combination
167 00:07:54,120 --> 00:07:56,853 of usernames and passwords from those two files.
168 00:07:57,810 --> 00:08:00,960 Now you might notice this isn't going that fast.
169 00:08:00,960 --> 00:08:03,900 And it'll print out all of these failed passwords
170 00:08:03,900 --> 00:08:08,790 until it reaches the combination of msfadmin and msfadmin
171 00:08:08,790 --> 00:08:11,130 as both username and password.
172 00:08:11,130 --> 00:08:13,130 Let's wait for that combination to come,
173 00:08:14,580 --> 00:08:16,260 and here it is.
174 00:08:16,260 --> 00:08:20,310 We found the correct SSH username and password.
175 00:08:20,310 --> 00:08:23,010 Once it prints out this success right here,
176 00:08:23,010 --> 00:08:25,710 this means it found the correct username and password,
177 00:08:25,710 --> 00:08:27,930 and you can just Ctrl+C this,
178 00:08:27,930 --> 00:08:29,010 if it didn't stop,
179 00:08:29,010 --> 00:08:30,963 in order to stop the brute forcing.
180 00:08:31,800 --> 00:08:34,110 Now I know what you're thinking once again:
181 00:08:34,110 --> 00:08:36,667 this is not a true attack since we added the username
182 00:08:36,667 --> 00:08:39,270 and password to the lists.
183 00:08:39,270 --> 00:08:42,059 But once again, remember that you will do this
184 00:08:42,059 --> 00:08:44,700 for the weak credentials and the default passwords.
185 00:08:44,700 --> 00:08:46,620 And of course in real attacks,
186 00:08:46,620 --> 00:08:48,990 you would be using much bigger lists than these
187 00:08:48,990 --> 00:08:50,793 that we created right here.
188 00:08:51,630 --> 00:08:53,640 And many of those bigger lists
189 00:08:53,640 --> 00:08:56,670 we can find inside of our Kali Linux machine.
190 00:08:56,670 --> 00:08:58,950 However, more about them later.
191 00:08:58,950 --> 00:09:01,260 For now, we just tested it out to make sure
192 00:09:01,260 --> 00:09:03,870 that this brute force attack works.
193 00:09:03,870 --> 00:09:07,230 We can also see right here it opened the command shell
194 00:09:07,230 --> 00:09:10,320 as soon as it found the correct username and password.
195 00:09:10,320 --> 00:09:14,460 But if you press Ctrl+C or you waited for this to finish,
196 00:09:14,460 --> 00:09:17,400 it doesn't seem that we can execute commands anywhere.
197 00:09:17,400 --> 00:09:20,100 We just went back to our auxiliary module right here.
198 00:09:20,100 --> 00:09:21,573 We are not inside of a shell.
199 00:09:22,410 --> 00:09:24,600 Well, once something like this happens,
200 00:09:24,600 --> 00:09:26,910 Metasploit saves the shell in the background,
201 00:09:26,910 --> 00:09:29,820 so we can still enter that shell.
202 00:09:29,820 --> 00:09:31,920 To check out all of the available shells
203 00:09:31,920 --> 00:09:34,080 that we currently have established,
204 00:09:34,080 --> 00:09:36,453 we can type the command sessions.
205 00:09:38,190 --> 00:09:43,190 And here we can see we got one shell over SSH
206 00:09:43,710 --> 00:09:45,963 to the IP address of the Metasploitable.
207 00:09:47,280 --> 00:09:48,930 To enter inside of this session,
208 00:09:48,930 --> 00:09:53,040 we can type the command sessions -i
209 00:09:53,040 --> 00:09:55,290 and then this session ID.
210 00:09:55,290 --> 00:09:56,970 In my case it is one.
211 00:09:56,970 --> 00:09:59,760 And it'll probably be in your case as well.
212 00:09:59,760 --> 00:10:02,163 So if I type here sessions -i 1,
213 00:10:03,270 --> 00:10:05,250 this will start interaction with this shell
214 00:10:05,250 --> 00:10:08,130 and it'll open our shell right here.
215 00:10:08,130 --> 00:10:11,190 And you can now execute the commands as usual.
216 00:10:11,190 --> 00:10:13,740 whoami will tell me that I'm msfadmin.
217 00:10:13,740 --> 00:10:15,720 If I want to become the root account,
218 00:10:15,720 --> 00:10:20,520 I type sudo su, type in the msfadmin password,
219 00:10:20,520 --> 00:10:22,650 and I type whoami once again.
220 00:10:22,650 --> 00:10:24,273 Now I'm the root account.
221 00:10:25,260 --> 00:10:27,990 Another way that you can establish an SSH connection
222 00:10:27,990 --> 00:10:29,880 once knowing the username and password
223 00:10:29,880 --> 00:10:31,290 is like this.
224 00:10:31,290 --> 00:10:33,930 First, let's exit out of this,
225 00:10:33,930 --> 00:10:36,450 exit out of Metasploit framework.
226 00:10:36,450 --> 00:10:40,020 And now that you know the username and password of the SSH,
227 00:10:40,020 --> 00:10:44,700 we can open our terminal and type ssh msfadmin,
228 00:10:44,700 --> 00:10:47,760 which is the username, then @ and then the IP address
229 00:10:47,760 --> 00:10:49,140 of the Metasploitable,
230 00:10:49,140 --> 00:10:53,190 which is 192.168.1.9 in my case.
231 00:10:53,190 --> 00:10:54,483 If I press enter here,
232 00:10:55,680 --> 00:10:57,150 it'll ask me this question:
233 00:10:57,150 --> 00:10:58,980 Are you sure you want to continue connecting?
234 00:10:58,980 --> 00:11:01,113 I want to specify yes right here,
235 00:11:02,460 --> 00:11:07,410 and it'll ask me for the password for this specific account.
236 00:11:07,410 --> 00:11:09,680 And we know that the password is msfadmin,
237 00:11:09,680 --> 00:11:12,750 so I will type it right here, and here it is.
238 00:11:12,750 --> 00:11:16,110 We opened the terminal of the Metasploitable.
239 00:11:16,110 --> 00:11:18,783 If I type whoami, we are msfadmin.
240 00:11:20,400 --> 00:11:24,660 And that would be about it for the SSH brute force attack.
241 00:11:24,660 --> 00:11:28,260 Don't worry, real brute force attacks we will perform later
242 00:11:28,260 --> 00:11:32,160 regarding website login forms and wifi cracking.
243 00:11:32,160 --> 00:11:34,200 This video was just to introduce you
244 00:11:34,200 --> 00:11:36,390 to the concept of brute forcing.
245 00:11:36,390 --> 00:11:39,780 If you were to exploit a target like this in real life,
246 00:11:39,780 --> 00:11:42,060 it'll be considered a weak credentials
247 00:11:42,060 --> 00:11:44,430 or default credentials vulnerability,
248 00:11:44,430 --> 00:11:46,500 and you would of course write it down
249 00:11:46,500 --> 00:11:48,153 as a critical vulnerability.
250 00:11:49,050 --> 00:11:52,320 Great, that is another vulnerability covered.
251 00:11:52,320 --> 00:11:55,653 Let's go and hunt the next one down in the next video.