Basics of Network Penetration Testing
How to Use
· Step 1: Check open ports on the router
a. Check default credentials on SSH
b. Check by opening other ports, i.e. 80 or 443
c. Check whether UDP ports are open on your network
· Step 2: "Brute force" attacking SSH with Ncrack, Hydra and Medusa
a. Create your own word list with the crunch command
b. With Hydra
c. With Medusa
d. With Ncrack
Purpose: Penetration testing of a network involves a variety of methodologies designed to explore a network, identify potential vulnerabilities and test them to confirm that the vulnerabilities are real. The main purpose of the pentest is to improve network security and provide protection for the entire network and connected devices against future attacks.
Definition: Simulation of the process a hacker would use to launch an attack on a business network, attached devices, network applications, or a business website.
When performed consistently, a pentest will show your business where the weaknesses in your security model exist.
How to Use:
Step 1: Checking Open Ports on Router
The IP of my router is 192.168.1.140 and it will be the same throughout the entire write-up.
To check how many ports are open on my network I am using Nmap. The command is:
nmap -sV <My-Router-IP>
-sV: version detection; it identifies the versions of the services running on the enumerated ports.
nmap -sV 192.168.1.140
There are several ports open on my router, such as 22 (SSH), 80 (HTTP) etc.
Now we move on to the services running on these ports.
a. Checking default credentials on SSH
The first step is to check whether the SSH service still uses the default credentials; perhaps the admin simply enabled the port without changing them.
We will try to establish a connection with the router over SSH.
The router I am using is VyOS. Its default username is vyos, and, as shown later in this write-up, the default password is also vyos.
Enter the default password; if it is correct you get access to the router.
Here the password worked and I now have root access to the router.
b. Checking other open ports: 80 or 443
While checking open ports we saw that 80 and 443 are open. Port 80 is used for HTTP and 443 for HTTPS connections, so we will try visiting the router's IP in a browser on each.
c. Checking for open UDP ports
-sU: UDP scan
nmap -sU <IP-Address-of-Router>
nmap -sU 192.168.1.140
You can see that SNMP (Simple Network Management Protocol), a UDP service on port 161, is open on the router.
Step 2: "Brute forcing" the SSH credentials with Ncrack, Hydra and Medusa
Before moving ahead to brute force the credentials, the basic requirement is a good wordlist. You can get many wordlists from the internet, but if you want to create a custom wordlist you can do so with crunch, a utility that comes preinstalled in Kali Linux and other Linux distributions such as BackBox.
a. Creating your own word list with crunch
crunch <min> <max> <charset> > <output-file>
min: minimum length of the words in the list
max: maximum length of the words in the list
charset: the characters crunch combines; here "vosy", because my credential is "vyos"
output-file: the file that receives crunch's output; here "test"
crunch 4 4 vosy > test
b. With Hydra
hydra -l <username> -P /path/to/wordlist <IP-Address> <service>
-l: a single username (use -L /path/to/wordlist to brute-force usernames too)
-P: the password list
test: the password list created above
Hydra has options for both: you can brute-force both username and password by providing a wordlist in each option,
but since I am trying the brute force with the default username, I only provide the wordlist for the password option.
The service can be ssh, http, smtp, etc.
hydra -l vyos -P test 192.168.1.140 ssh
We can clearly see that Hydra is able to crack the password of the service: the password is "vyos".
c. With Medusa
Medusa works like Hydra, but its options are different. You can brute-force both username and password by providing wordlists.
medusa -h <IP-Address> -u <UserName> -P <Password-list> -M <Service>
-h: host
-u: a single username (use -U for a username file)
-P: password list
-M: service module
medusa -h 192.168.1.140 -u vyos -P test -M ssh
You can provide a file in both the -U and -P fields if you want to brute-force both username and password.
But I am only brute-forcing the password, since I have the default username.
You can clearly see that Medusa is able to crack the password; you get the SUCCESS notification at the end. The password is "vyos".
d. With Ncrack
ncrack -v --user <UserName> -P <Password-file> <IP-Address>:<Port>
--user: username (a comma-separated list; use -U <file> for a username file)
-P: password file
ncrack -v --user vyos -P test 192.168.1.140:22
You can clearly see that it was able to crack the password.
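As an added, defender-side example (not part of the original write-up): every one of the tools above leaves a burst of failed logins in the router's SSH auth log, and that pattern is what detection keys on. The script below parses constructed sshd log lines (syslog timestamps carry no year, so 2024 is assumed) and flags a source that reaches a failure threshold within a time window, upgrading the alert when an accepted login follows the burst.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd auth-log sample (not taken from the write-up): a burst of guesses
# against the default "vyos" account, ending in a success, plus normal activity from another host.
SAMPLE_LOG = """\
Mar  3 10:15:01 vyos sshd[2201]: Failed password for vyos from 192.168.1.50 port 51230 ssh2
Mar  3 10:15:01 vyos sshd[2202]: Failed password for vyos from 192.168.1.50 port 51231 ssh2
Mar  3 10:15:02 vyos sshd[2203]: Failed password for vyos from 192.168.1.50 port 51232 ssh2
Mar  3 10:15:02 vyos sshd[2204]: Failed password for invalid user admin from 192.168.1.50 port 51233 ssh2
Mar  3 10:15:03 vyos sshd[2205]: Failed password for vyos from 192.168.1.50 port 51234 ssh2
Mar  3 10:15:03 vyos sshd[2206]: Accepted password for vyos from 192.168.1.50 port 51235 ssh2
Mar  3 10:20:00 vyos sshd[2300]: Failed password for vyos from 192.168.1.20 port 40000 ssh2
Mar  3 11:00:00 vyos sshd[2400]: Accepted publickey for vyos from 192.168.1.20 port 40010 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)

def parse(log_text, year=2024):
    """Yield (timestamp, result, user, source_ip) per sshd auth line.
    Syslog lines carry no year, so one is assumed (2024 here)."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["src"]

def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {source_ip: alert}. A source is flagged 'bruteforce' once it logs
    `threshold` failures within `window_seconds`; an accepted login from a flagged
    source upgrades the alert to 'credential-cracked' with the account name."""
    failures = defaultdict(list)   # source ip -> timestamps of failures inside the window
    alerts = {}
    for ts, result, user, src in parse(log_text):
        if result == "Failed":
            recent = [t for t in failures[src] if (ts - t).total_seconds() <= window_seconds]
            recent.append(ts)
            failures[src] = recent
            if len(recent) >= threshold:
                alerts.setdefault(src, {"status": "bruteforce", "cracked": None})
        elif src in alerts and alerts[src]["cracked"] is None:
            # A success right after a guessing burst means one of the guesses worked.
            alerts[src] = {"status": "credential-cracked", "cracked": user}
    return alerts
```

Tuning the threshold and window against real traffic is the practical work; a single stray failure from an admin's typo, like the one from 192.168.1.20 above, stays below the line.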