It is time to switch things up a little bit and check out a new type of attack called a brute force attack, unlike the previous attacks, which were vulnerabilities, information disclosures or misconfigurations. Right now, we are going to perform something that will be more of a presentation of the attack than the attack itself, since we're going to cheat a little bit. But before we tell you how we are going to cheat, let's first explain what brute force attacks are. Well, a brute force attack is you sending a lot of different information to the target in order to figure out what information is correct. Now, you could be wondering, what do I mean by sending information to the target? Well, this can be anything, but in 99 percent of cases it is usually usernames or passwords. So we send a lot of usernames and a lot of passwords and hope that we by accident hit the correct one. And why is this useful? Well, you usually perform this attack to see whether the target has default credentials or weak passwords. These types of attacks will work, for example, if the target has a password that has a small amount of characters or if it is very easy to guess. For example, "password" or "password123" is very easy to guess, but it is also one of the most used passwords in the world.
In this case, we know that msfadmin and msfadmin is one account on the target machine, so we will use those credentials to log in to SSH. In that sense, this will not be a real attack, since we will be putting those credentials into different lists. One list will contain usernames and the other list will contain passwords. Then we will run the brute force attack and you will see it will automatically go through all of the usernames and passwords in those lists and it will manage to find the correct ones, which are msfadmin and msfadmin. Let's do it. To perform this using the Metasploit framework, we are going to use an auxiliary module that is used for SSH login. If we search ssh right here, we will get a bunch of results. But the one that we are interested in is all the way up, I believe. And it is this one: auxiliary/scanner/ssh/ssh_login. Let's copy the auxiliary module name. And let's type down here use and paste the module name. If we type show options for this module, we can see we have a lot of options available to specify. Keep in mind that only some of them are required and a lot of them aren't, as we can see by this column right here. Let's see what are the things that we need in order for this brute force attack to work.
We've got the brute force speed, and this is how fast it will try the passwords. We can specify a single password or a password file, and we will be going with the password file in our case. We must specify RHOSTS, which is the IP address of the target. RPORT is the SSH port on the target machine. And let's just double check: it is 22 here and it is also 22 in our scan. So that is already set correctly here. We can set the username, and this USERNAME field is a single username, or we can set the USER_FILE, which will be the file containing a bunch of usernames. Another possible option that we can do is set USERPASS_FILE. And this file is a file containing both usernames and passwords, as it says right here: a file containing users and passwords separated by space, one pair per line. Now, for this particular attack, we're going to be using our password file and user file separately. So what we must do first is we must create those files. Let us open another terminal and navigate to the desktop of our Mr. Hacker account. And let's nano usernames.txt. This will be our list containing usernames. And let's just, for the purposes of this tutorial, write a few of them, so admin, root, test123.
Let's go with system and msfadmin. We must add the correct one in order for the SSH brute force to be able to find it. And after it, let's add one more, let's call this one admin123. So this is six usernames. Of course, in a real life attack, you would be using a much bigger list. But for now, for the purposes of this material, we will create these small lists and see whether it will work. So we've got our usernames file right here and it has the correct username specified. Let's save it. Now we need to do the same thing with the passwords. So let's nano passwords.txt. Here, let's type password, password123, helloworld. Let's also type msfadmin, which is the correct password, and we know it at the moment. And at the end let's type test1234. So here we have five passwords and one of them is the correct one. Let's save this file. And if I type ls, we should have both of the files in our desktop directory. Let's specify them right here in our options, so the PASS_FILE must be the entire path to this passwords.txt. So we must specify the entire path. To check out the entire path,
I can type pwd directly inside of the desktop directory and copy this. And inside the Metasploit framework, we can type set PASS_FILE, and then paste the path, add a slash and then passwords.txt. This now set the path to the file to be this path right here, and we must do the same thing for the usernames. Let's type set USER_FILE, paste the same path right here, and instead of passwords.txt type usernames.txt. Press enter, and if we do show options once again, let's see what else we need to specify here. The password file and the user file have already been specified, but we must also specify RHOSTS for this to work. So let's do it. If I type set RHOSTS and then the IP address of my Metasploitable, clear the screen and check out the options once again, all seems to be set. We leave the brute force speed at five, which is the fastest. And one more thing that we want to change is this VERBOSE right here. This is currently set to false. We want to set it to true, and this VERBOSE means that it will print out even the failed usernames and passwords. It will not only print the successful login. Let me show you right here.
If I set VERBOSE to true, clear the screen and run this. Here it is. It started our attack. It is going to try every single combination of usernames and passwords from those two files. Now, you might notice this isn't going that fast, and it will print out all of these failed passwords until it reaches the combination of msfadmin and msfadmin as both username and password. Let's wait for that combination to come. And here it is, we found the correct SSH username and password. Once it prints out this success right here, this means it found the correct username and password, and you can just Ctrl+C this, if it didn't stop, in order to stop the brute forcing. Now I know what you're thinking. Once again, this is not a true attack since we added the username and password to the list. But once again, remember that you would do this for the weak credentials and default passwords, and of course, in real attacks, you would be using much bigger lists than these that we created right here. And many of those bigger lists we can find inside the Kali Linux machine, however, more about them later. For now, we just tested it out to make sure that this brute force attack works. We can also see right here, it opened the command shell as soon as it found the correct username and password.
But if you press Ctrl+C or you waited for this to finish, it doesn't seem that we can execute commands anywhere. We just went back to our auxiliary module right here. We are not inside of a shell. Well, once something like this happens, Metasploit saves the shell in the background so we can still enter that shell. To check out all of the available shells that we currently have established, we can type the command sessions, and here we can see we got one shell over SSH to the IP address of the Metasploitable. To enter inside of this session, we can type the command sessions -i and then the session ID. In my case it is one, and it will probably be one in your case as well. So if I type here sessions -i 1, this will start interaction with this shell and it will open our shell right here, and you can now execute commands as usual. whoami will tell me that I am msfadmin. If you want to become the root account, type sudo su, then type in the msfadmin password, and if I type whoami once again, now I'm the root account. Another way that you can establish a connection once knowing the username and password is like this. First let's exit out of this, exit out of the Metasploit framework.
And now that we know the username and password for SSH, we can open our terminal and type ssh msfadmin, which is the username, @ and then the IP address of the Metasploitable in my case. If I press enter, it will ask me this question: are you sure you want to continue connecting? I want to specify yes right here. And it will ask me for the password for this specific account, and we know that password, it is msfadmin. Type it right here, and here it is. We opened the terminal of the Metasploitable. If I type whoami, we are msfadmin. And that would be about it for the SSH brute force attack. Don't worry, real brute force attacks we will perform later regarding website login forms and Wi-Fi cracking. This video was just to introduce you to the concept of brute force. If you were to exploit a target like this in real life, it would be considered a weak credentials or default credentials vulnerability. And you would, of course, write it down as a critical vulnerability. Great. That is another vulnerability covered. Let's go and hunt the next one down in the next video.