Penetration Testing Of Network

Basics of Network Penetration Testing

Index

Purpose

Definition

How to Use

· Step 1: Check Open ports on router

a. Check default credentials on SSH

b. Check by opening other ports i.e. 80 or 443

c. Check for open UDP ports on your network

· Step 2: “Brute Force” Attacking SSH with Ncrack, hydra and medusa

a. Creating own word list by using crunch command

b. By Hydra

c. By medusa

d. By Ncrack

Purpose: Penetration testing of a network involves a variety of methodologies designed to explore the network, identify potential vulnerabilities, and test them to confirm that they are real. The main purpose of the pentest is to improve network security and protect the entire network and its connected devices against future attacks.

Definition: Simulation of the process a hacker would use to launch an attack on a business network, attached devices, network applications, or a business website.

When performed consistently, a pentest process will inform your business where the weaknesses exist in your security model.

How to Use:

Step 1: Checking Open Ports on Router

The IP of my router is 192.168.1.140 and it will be the same throughout the entire write-up.

To check how many ports are open on my network I am using NMAP. The command I am using in NMAP is

nmap -sV <My-Router-IP>

-sV: Used for version detection, so it will detect the versions of the services running on the enumerated ports.

nmap -sV 192.168.1.140


There are several ports open on my router, such as 22 (SSH), 80 (HTTP), etc.

Now we will move ahead to exploit the services running on these ports.

a. Checking default credentials on SSH

The first step is to check whether the SSH service still has the default credentials; maybe the admin just enabled the ports without changing the credentials.

We will try to establish a connection with the router over SSH.

ssh user-name@Server_IP_Address

The router I am using is VyOS and the default credentials of this router are:

Username: vyos

Password: vyos

Command Used:

ssh vyos@192.168.1.140

Enter the default password, and if the password is correct you will get access to the router.

Here the password worked and now I have root access to the router.


b. Checking other open ports 80 or 443

While checking open ports we saw that 80 and 443 are open. Both ports carry web traffic (HTTP on 80, HTTPS on 443), so we will try to visit the IP.

c. Checking for open UDP ports

-sU: For checking UDP ports

nmap -sU <IP-Address-of-Router>

Command Used:

nmap -sU 192.168.1.140


You can see that SNMP (Simple Network Management Protocol), which runs over UDP, is open on the router.
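From the owner's side, the scan results from Step 1 are most useful when compared against what the router is supposed to expose. The following is an added example, not part of the original write-up: it parses nmap's normal port table and reports every reachable port outside a baseline. The scan text, the `ALLOWED` baseline and the `ADVICE` wording are assumptions made for illustration.

```python
import re

# Constructed scan output in nmap's normal table format (not the author's results).
SAMPLE_SCAN = """\
PORT     STATE         SERVICE    VERSION
22/tcp   open          ssh        (constructed version string)
80/tcp   open          http       (constructed version string)
443/tcp  open          https      (constructed version string)
8080/tcp closed        http-proxy
161/udp  open|filtered snmp
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

# Hypothetical baseline: the only port this router is meant to expose.
ALLOWED = {(443, "tcp")}
ADVICE = {
    "ssh": "limit to a management network and change the default login",
    "http": "disable, or redirect to HTTPS",
    "snmp": "disable if unused; otherwise restrict the allowed sources",
}

def parse_scan(text):
    """Yield (port, proto, state, service, version) for each port row."""
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            yield int(port), proto, state, service, version.strip()

def audit(text, allowed=ALLOWED):
    """Return findings for reachable ports that are outside the baseline."""
    findings = []
    for port, proto, state, service, _version in parse_scan(text):
        # UDP services often stay silent, so nmap reports open|filtered;
        # treat that as exposed but mark the finding as unconfirmed.
        if state not in ("open", "open|filtered"):
            continue
        if (port, proto) in allowed:
            continue
        findings.append({
            "port": f"{port}/{proto}",
            "service": service,
            "confirmed": state == "open",
            "advice": ADVICE.get(service, "confirm this service is needed"),
        })
    return findings
```
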

Step 2: “Brute Forcing” the SSH credentials with ncrack, hydra and medusa

Before moving ahead to brute-force the credentials, the basic requirement is a good wordlist. You can get a lot of wordlists from the internet, but if you want to create a custom wordlist you can do that with crunch, a utility that comes preinstalled in Kali Linux and other Linux distributions such as BackBox.

a. Creating your own wordlist by using crunch

crunch <min> <max> <characters> > <OUTPUT-file-name>

min: minimum length of the words in the list

max: maximum length of the words in the list

test: name of the output file that holds the output of the crunch command

vosy: the characters to combine, chosen because my credential is “vyos”

Command Used:

crunch 4 4 vosy > test


b. By Hydra

hydra -l <username> -P /path/of/wordlist <IP-Address> <service>

-l: username

-P: password list

test: the password list created above

There are two options in hydra: you can brute-force both the username and the password by providing a wordlist for each option.

But since I am trying the brute force with the default username, I will only provide the wordlist for the password option.

The service can be ssh, http, smtp, etc.

Command Used:

hydra -l vyos -P test 192.168.1.140 ssh


Output:

We can clearly see that hydra is able to crack the password of the service. The password is “vyos”.

c. By medusa

Medusa works the same way as hydra, but its options are different. You can brute-force both the username and the password by providing a wordlist for each.

Usage:

medusa -h <IP-Address> -u <UserName> -P <Password-file> -M <Service>

-h : host

-u : user

-P: password list

-M: for service

Command Used:

medusa -h 192.168.1.140 -u vyos -P test -M ssh

To brute-force both the username and the password, provide a file for each: medusa reads a username file with -U and a password file with -P.

But I am just brute-forcing the password as I have the default username.

Output:

You can clearly see that medusa is able to crack the password, and you get the SUCCESS notification at the end. The password is “vyos”.

d. By Ncrack

ncrack -v --user <UserName> -P <Password-file> <IP-Address>:<Port>

--user: username

-P: password list

Command Used:

ncrack -v --user vyos -P test 192.168.1.140:22

You can clearly see that it was able to crack the password.
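All three tools in Step 2 leave the same trace on the target: a burst of failed SSH logins from one address, ending in a success if the password is in the list. The following is an added example, not part of the original write-up, showing detection logic for that pattern over sshd log lines. The log lines, addresses, threshold and window are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log lines (host name, addresses and times are made up).
SAMPLE_LOG = """\
Mar 13 10:14:00 vyos sshd[2090]: Failed password for vyos from 192.168.1.10 port 50211 ssh2
Mar 13 10:14:10 vyos sshd[2090]: Accepted password for vyos from 192.168.1.10 port 50211 ssh2
Mar 13 10:15:01 vyos sshd[2101]: Failed password for vyos from 192.168.1.50 port 40112 ssh2
Mar 13 10:15:02 vyos sshd[2103]: Failed password for vyos from 192.168.1.50 port 40114 ssh2
Mar 13 10:15:03 vyos sshd[2105]: Failed password for vyos from 192.168.1.50 port 40116 ssh2
Mar 13 10:15:04 vyos sshd[2107]: Failed password for vyos from 192.168.1.50 port 40118 ssh2
Mar 13 10:15:05 vyos sshd[2109]: Failed password for vyos from 192.168.1.50 port 40120 ssh2
Mar 13 10:15:06 vyos sshd[2111]: Failed password for vyos from 192.168.1.50 port 40122 ssh2
Mar 13 10:15:07 vyos sshd[2113]: Accepted password for vyos from 192.168.1.50 port 40124 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag sources with >= threshold failed logins inside the window."""
    recent = defaultdict(deque)  # source IP -> times of recent failures
    alerts = {}                  # source IP -> alert record
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        ip = m["ip"]
        if m["result"] == "Failed":
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(
                    ip, {"ip": ip, "failures": 0, "success_as": None})
                alert["failures"] = max(alert["failures"], len(q))
        elif ip in alerts and alerts[ip]["success_as"] is None:
            # A login that follows a guessing burst means a password was found.
            alerts[ip]["success_as"] = m["user"]
    return list(alerts.values())
```

An alert with `success_as` set is the case this write-up demonstrates: the guessed password worked, so the account's credentials need to be changed, not just the source blocked.
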

Written by

Security enthusiast working to secure web for others https://twitter.com/BoredSecEngg
