Task 10, Day 05, Brute-Forcing He knows when you’re awake

Remote Access Services

  • SSH - Secure Shell. Remote login with CLI
  • RDP - Remote Desktop Protocol. GUI access to Windows systems.
  • VNC - Virtual Network Computing. GUI access to any type of system.

Authentication

Make claim, like owner of username, and prove claim.

  • Something you know - Password/PIN
  • Something you have - Security token, mobile phone, key file
  • Something you are - Biometric

Attacking Passwords

Some types of attacks:

  • Shoulder Surfing - Looking over victim’s shoulder. Least technical knowledge.
  • Password Guessing - Using personal details (birthdays, children’s names, etc.) to guess passwords. Requires some knowledge of person.
  • Dictionary Attack - Automated password guessing from wordlist or a dictionary.
  • Brute Force Attack - Most exhaustive and time-consuming, tries all possible character combinations. Make sure word lists match person’s language. RockYou’s wordlist has > 14 million unique passwords compiled from breaches. Top 5% is still over 0.5 million.

The Task

Find VNC password of target and get flag through VNC connection.

Methodology

Scan target with nmap to find ssh/vnc services. Use Hydra to try common passwords against protocols including SSH, VNC, FTP, POP3, IMAP, SMTP, and all HTTP related methods. Syntax: hydra -l username -P wordlist.txt server service or hydra -l username -P wordlist.txt service://server

  • -l - login name, omit if username not used
  • -P - password(?), used to identify file containing possible passwords
  • server - target IP
  • service - service attacking

Optional arguments:

  • -V or -vV - verbose, shows username/password combo being tried
  • -d - debugging, detailed info of step (i.e. if trying to connecto to closed port and timing out, won’t be secret)

Flag captured.