Ncrack – Remote Desktop Brute Force Tutorial

4 replies to this topic

#1 Mộ Dung Nguyệt Bang

    Still Lonely Among the Fun of Many

  • Administrators
  • 443 posts

Posted 25 November 2012 - 04:33 PM

The Remote Desktop Protocol is often underestimated as a possible way to break into a system during a penetration test. Other services, such as SSH and VNC, are more likely to be targeted and exploited using a remote brute-force password guessing attack.

For example, let’s suppose that we are in the middle of a penetration testing session at the “MEGACORP” offices and we have already tried all the available remote attacks with no luck. We also tried ARP poisoning the LAN, looking to get usernames and passwords, without success.

From a previous nmap scan log we found a few Windows machines with the RDP port open and we decided to investigate this possibility further. First of all we need some valid usernames in order to guess only the passwords rather than both.

We found the names of the IT guys on various social networking websites. These are the key IT staff:

jessie tagle
julio feagins
hugh duchene
darmella martis
lakisha mcquain
ted restrepo
kelly missildine


It didn’t take long to create valid usernames following the common standard of using the first letter of the first name and the entire surname.

jtagle
jfeagins
hduchene
dmartis
lmcquain
trestrepo
kmissildine


Software required:

A Linux machine, preferably Ubuntu.
nmap and a terminal server client: sudo apt-get install tsclient nmap build-essential checkinstall libssl-dev libssh-dev

About Ncrack

Ncrack is a high-speed network authentication cracking tool. It was built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords. Security professionals also rely on Ncrack when auditing their clients. Ncrack’s features include a very flexible interface granting the user full control of network operations, allowing for very sophisticated brute-forcing attacks, timing templates for ease of use, runtime interaction similar to Nmap’s, and many more. Protocols supported include RDP, SSH, http(s), SMB, pop3(s), VNC, FTP, and telnet.




Installation



Nmap fast scan with input from list of hosts/networks



From the log we can see two machines with the Microsoft Terminal Services port (3389) open. Looking more in depth at the services available on the machine 192.168.56.10, we can assume that this machine might be the domain controller, and it’s worth trying to pwn it.

At this point we need to create a file (my.usr) with the probable usernames previously gathered.



We also need a file (my.pwd) for the passwords; you can look on the internet for common passwords and wordlists.



At this point we run Ncrack against the 192.168.56.10 machine.



We can see from the Ncrack results that all the usernames gathered are valid, and we were also able to crack the login credentials since they were using some weak passwords. Four of the IT staff have some kind of restrictions on the machine, except hduchene, who might be the domain administrator; let’s find out.

Run the terminal server client from the Linux box:

tsclient 192.168.56.10, using Hugh Duchene’s credentials ‘hduchene’ / ‘passw0rd’, and BINGO!!!


At this point we have control of the entire MEGACORP domain, with unlimited access to all the corporate resources related to the domain. We can add users, escalate the privileges of existing users, browse the protected network resources, install backdoors and rootkits, and much more.


Final remarks.

For the penetration testers: don’t give up at the first hurdle, there’s always another way to break in.

For the IT staff: the lack of a password policy enforcing complexity and strength leads to disaster.



Beautiful, cute and sexy, that’s me, Mộ Dung Nguyệt Bang
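The defender-side counterpart of the attack in the post above, added here as example code (not from the original post and not part of Ncrack): it parses constructed, simplified Windows Security log lines (event 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive, i.e. RDP) and flags a source address that fails against many accounts inside a short window, listing any RDP success from that source right after the burst, which is exactly the footprint the my.usr/my.pwd run leaves on the target. The thresholds and the one-line log format are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real logs): timestamp, event id, account,
# source IP, logon type. 4625 = failed logon, 4624 = successful logon,
# logon type 10 = RemoteInteractive, i.e. RDP.
SAMPLE_LOG = """\
2012-11-25T16:31:02 4625 jtagle 192.168.56.20 10
2012-11-25T16:31:02 4625 jfeagins 192.168.56.20 10
2012-11-25T16:31:03 4625 hduchene 192.168.56.20 10
2012-11-25T16:31:03 4625 dmartis 192.168.56.20 10
2012-11-25T16:31:04 4625 lmcquain 192.168.56.20 10
2012-11-25T16:31:09 4624 hduchene 192.168.56.20 10
2012-11-25T16:40:00 4625 jtagle 192.168.56.77 10
2012-11-25T16:45:00 4624 jtagle 192.168.56.77 10
"""

def parse(log_text):
    # One (time, event id, account, source ip, logon type) tuple per line.
    events = []
    for line in log_text.splitlines():
        ts, eid, account, src, ltype = line.split()
        events.append((datetime.fromisoformat(ts), int(eid), account, src, int(ltype)))
    return events

def detect_rdp_bruteforce(events, window=timedelta(minutes=5),
                          min_failures=5, min_accounts=3):
    """Map source ip -> finding for sources with at least min_failures RDP
    failures over min_accounts accounts in one window (a password spray)."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, eid, account, src, ltype in sorted(events):
        if ltype != 10:          # ignore non-RDP logons
            continue
        if eid == 4625:
            failures[src].append((ts, account))
        elif eid == 4624:
            successes[src].append((ts, account))
    findings = {}
    for src, fails in failures.items():
        for i, (start, _) in enumerate(fails):
            burst = [(t, a) for t, a in fails[i:] if t - start <= window]
            accounts = {a for _, a in burst}
            if len(burst) < min_failures or len(accounts) < min_accounts:
                continue
            last_fail = burst[-1][0]
            # an RDP success from the same source within a window after the burst
            hits = sorted({a for t, a in successes[src] if last_fail <= t <= last_fail + window})
            findings[src] = {"failures": len(burst), "accounts": sorted(accounts), "compromised": hits}
            break                # first qualifying burst is enough to alert on
    return findings
```

A single failed logon followed by a success (the 192.168.56.77 lines) stays below the thresholds, so an ordinary mistyped password does not alert.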

#2 Nỡm

    Not Allowed to Mess Around Anymore

  • Guard
  • 316 posts

Posted 26 November 2012 - 09:15 AM

Why not
Microsoft Remote Desktop Protocol CVE-2012-2526 Remote Code Execution Vulnerability [critical]
Big ears, big bird

#3 Lee Hye Kim

    Advisor

  • Search/Seek and destroy
  • 255 posts

Posted 26 November 2012 - 09:28 AM

Why not
Microsoft Remote Desktop Protocol CVE-2012-2526 Remote Code Execution Vulnerability [critical]


So, Nỡm, show us how to attack this bug then.

The method above is brute force; does Nỡm have any better idea?

#4 Z-Crew

    Hunter

  • Administrators
  • 412 posts

Posted 28 November 2012 - 02:43 PM

On Windows, use this:


As for the CVE that kid mentioned, I’m not going to publish an exploit, so don’t even dream of it.
tHe ReTurn !

#5 ACK

    Member

  • Guard
  • 23 posts

Posted 28 November 2012 - 02:45 PM

The OP’s explanation is very hard to understand.



