Sunday, 28 August 2011

Password Cracking - Brutus

Brutus is a free online password cracker: it guesses credentials against a live network service rather than against captured password hashes. It can run either a dictionary attack from a word list or a “brute force” attack, against HTTP sites (such as a password-protected web page), a POP3 (mail) server, an FTP server, SMB, or a Telnet-enabled machine (such as a router console).

Although it has a reputation for being used largely for malicious purposes, Brutus can be a valuable authentication-auditing tool for administrators and auditors checking for weak passwords.

Preparation
Before we use Brutus, we need to gather some basic information that lets us narrow down its options, with the aim of better performance.

As an example, we are given an FTP site at IP address 172.16.5.58. First we need to verify whether the site requires authentication or permits anonymous logon. One of the simplest ways to do this is to log on to the FTP server from the command line (Figure 1).

Figure 1

Upon FTP-ing to the site, we are prompted for a username. If we use “anonymous” with a blank password and anonymous logon is permitted, we will be granted access to the FTP site (Figure 2).

Figure 2

However, from Figure 2 we learn that anonymous logon is not permitted and that a username and a password are required to access the FTP site.

Next we find out which port the FTP host is using. We can use nmap from the command line.

Figure 3

We can see from the nmap scan that port 21 is open for FTP service; port 21 is the default for FTP.

With the information we have gathered, we are now ready to run Brutus.

Using Brutus
Figure 4 shows the default screen of Brutus immediately after launching:
Figure 4

In the Target field we can enter the IP address or URL of a website or FTP server. For our example we will use the FTP server's IP address, 172.16.5.58 (Figure 5).
Figure 5

Next we change the Type by clicking on the dropdown menu and then selecting FTP (Figure 6).
Figure 6

Notice that in the Connection Options, the Port Number has changed from 80 (the default for HTTP) to 21, the default for FTP connections. We have already verified from our nmap scan that port 21 is indeed the one used by the FTP host.

The HTTP Options section has also changed into FTP Options. To keep the attack running without the connection dropping between guesses, tick the Try to stay connected for option and select Unlimited attempts.

In the Authentication Options, let’s assume there is an “Administrator” account that can be used to access the FTP site. We will put this single username Administrator in the UserID field (Figure 7).
Figure 7

The Pass Mode field selects the type of attack. The default Word List attack takes passwords from a text file which Brutus works through sequentially. The Combo List mode reads a username together with a password from each line of the list. The Brute Force attack is the most exhaustive: it tries every possible combination and permutation of characters from a given character set (alphanumeric and symbols).

For our example, let’s use Word List. Brutus comes with a default wordlist of passwords (words.txt), but a larger list is recommended. We have obtained one such list, wordlist.txt, and we tell Brutus to use it by entering its filename in the Pass File field (Figure 8).

Figure 8

We can now launch the attack by clicking on the Start button at the upper right side of the Brutus interface.
Figure 9

From the figure above we can see that the wordlist contains 306707 passwords. Brutus works through each password until it finds one that, paired with the username Administrator, grants access to the FTP site; in this case the successful password was at line 111280 of the list. The Positive Authentication Results pane displays the outcome of the run, with details such as the target host, host type, username and the cracked password. To verify that the password obtained is correct, we again try to log on from the command line (Figure 10).

Figure 10

Success! Using the username Administrator and the password obtained by Brutus, we have logged into the FTP server.

It is interesting to note that Brutus took only a little under 3 minutes to crack such a simple password. Again, a larger wordlist is recommended to increase the chance of success, especially against more complex passwords.
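Seen from the FTP server, the run above is a burst of failed logins for one username from one client, followed by a success. As an added example that is not part of the original post, the Python below flags both patterns in constructed vsftpd-style log lines (the log format, the client addresses and the ten-failures-per-minute threshold are assumptions; the page shows no server-side logs).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed vsftpd-style log line; the original page shows no server-side logs.
LINE_RE = re.compile(r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
                     r'\[(?P<user>[^\]]*)\] (?P<event>OK LOGIN|FAIL LOGIN): Client "(?P<ip>[\d.]+)"$')

def parse(line):
    """Return (timestamp, user, event, client_ip) or None for an unrecognised line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("user"), m.group("event"), m.group("ip")

def detect(lines, threshold=10, window_seconds=60):
    """Return ('burst', ip, user, ts) once a client/user pair reaches `threshold`
    failures inside `window_seconds`, and ('success_after_failures', ip, user, ts, n)
    when a login succeeds after n earlier failures from the same client."""
    recent = defaultdict(deque)   # (ip, user) -> failure timestamps still inside the window
    total = defaultdict(int)      # (ip, user) -> all failures seen so far
    alerted, alerts = set(), []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, user, event, ip = rec
        key = (ip, user)
        if event == "FAIL LOGIN":
            total[key] += 1
            q = recent[key]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_seconds:   # slide the window
                q.popleft()
            if len(q) >= threshold and key not in alerted:        # alert once per pair
                alerted.add(key)
                alerts.append(("burst", ip, user, ts))
        elif total[key]:   # OK LOGIN after failures: a guessed password most likely worked
            alerts.append(("success_after_failures", ip, user, ts, total[key]))
    return alerts

# Constructed sample: 12 failures in 22 seconds, then a success, plus one unrelated miss.
SAMPLE_LOG = [
    f'Sun Aug 28 10:00:{s:02d} 2011 [pid 4711] [Administrator] FAIL LOGIN: Client "172.16.5.10"'
    for s in range(0, 24, 2)
] + [
    'Sun Aug 28 10:00:25 2011 [pid 4711] [Administrator] OK LOGIN: Client "172.16.5.10"',
    'Sun Aug 28 10:03:00 2011 [pid 4720] [alice] FAIL LOGIN: Client "172.16.5.20"',
]
```

The second alert type is the one worth paging on: a burst alone may be a misconfigured client, but a success right after a burst means the account should be treated as compromised.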

Brutus also has a built-in Wordlist Generation feature. This feature is available by clicking on Wordlist Generation under the Tools menu on the main screen. The following actions are available from the Action dropdown list:
  • Convert List (LF > CRLF) – In some wordlists the line break is a single LF (Line Feed) character, as in Unix text files. The LF > CRLF action converts such lists into a format DOS (and Windows) recognises by replacing each LF with CRLF (Carriage Return/Line Feed).
  • Only Word Length – This simply reads the input file and copies to an output file every word that matches the specified word-length parameters.
  • Remove Duplicates – This removes all duplicate entries from the word list.
  • Permutations – Words from the input file are read one at a time and run against a set of permutations such as upper/lower-case mixing, substitution of common letters with digits and vice versa (“leet speak”), etc., with each permutation copied to an output file. This may result in a single word having 50+ variants. It is a good way to build a larger wordlist from a smaller, simpler set of dictionary words, but may take some time to finish.
  • Create New List – The same as above, but instead of reading the words from an input file, the “seed words” are provided by the user. The seed words are then run against the user-defined permutations and copied to a new word list.
  • Create New List for User – The same as above, but creates a combo list where both the username and the password are specified on each line. The username and any seed words you specify are used to create the list.
  • Create New List for Users – The same as above, but instead of specifying a single username, the input file is a standard user-list file.
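The first three actions above are plain text housekeeping and are easy to reproduce outside Brutus when preparing a list for a password audit. As an added example (not Brutus's own code), this Python function applies the LF > CRLF conversion, the word-length filter and duplicate removal in one pass over a constructed sample list; the BOM handling and the returned counters go beyond what the page describes.

```python
def normalize_wordlist(raw: bytes, min_len: int = 1, max_len: int = 64):
    """Apply the three housekeeping actions from the Brutus Wordlist Generation
    menu to a raw wordlist: normalise line endings to CRLF, keep only words whose
    length is within [min_len, max_len], and drop duplicates (first occurrence
    wins, order preserved). Returns (crlf_bytes, stats)."""
    # Strip a UTF-8 BOM some editors prepend; left in, it would glue onto the first word.
    if raw.startswith(b"\xef\xbb\xbf"):
        raw = raw[3:]
    # Unix LF, DOS CRLF and old-Mac CR lists are all split the same way, so a list
    # that is already CRLF is not turned into CR CR LF on a second run.
    lines = raw.replace(b"\r\n", b"\n").replace(b"\r", b"\n").split(b"\n")
    seen = set()
    kept = []
    stats = {"read": 0, "wrong_length": 0, "duplicate": 0, "kept": 0}
    for word in lines:
        # Leading/trailing spaces are kept on purpose: they may be part of the password.
        if not word:
            continue
        stats["read"] += 1
        if not (min_len <= len(word) <= max_len):
            stats["wrong_length"] += 1
            continue
        if word in seen:
            stats["duplicate"] += 1
            continue
        seen.add(word)
        kept.append(word)
    stats["kept"] = len(kept)
    return b"".join(w + b"\r\n" for w in kept), stats

# Constructed sample mixing a BOM, LF, CRLF and lone CR endings, a duplicate and a short word.
SAMPLE = b"\xef\xbb\xbfpassword\nletmein\r\npassword\nab\nadmin123\rsecret\r\n\n"
```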

1 comment:

Anonymous said...

great instructions. very clear thank you.