Sunday, December 27, 2015

Dictionary SSH Hack.


Disclaimer.

This is a technically advanced article about hacking an SSH password by writing an SSH client using a Java library.

To understand this article, one has to know a little about programming (preferably in Java) & a little about SSH.


Dangers.

This method can be used to obtain the root password of vulnerable systems, thus taking over computers.

... the process of obtaining the root password & installing a rootkit can be automated as well.


Potentially vulnerable systems can be found using web crawler software that scans for open ports, as nmap does, looking for port 22.

Not every SSH server allows root login, but there's still the danger of escalating access privileges with other hacks.

Not every SSH server runs on port 22, either.


C0de.

[Image: C0de (screenshot not included).]



... this time I did a dictionary attack on an SSH password.

... the c0de is available for download here.

(It requires the JSch library & its dependencies.)


As another approach, a standard SSH client can be used ... with a script that performs many hack attempts in a loop by executing the ssh client many times.


Why does IP address spoofing not work with SSH hacks?

... because the SSH service requires two-way communication.

The client sends requests and awaits responses from the server.

Without 'knowing' the source IP address, the response can't be sent to the proper computer (the ssh client).

It's possible, however, to attack from a 'proxy' server, or from a different machine with a different IP address controlled by a hacker, to bypass an IP block or to misdirect.


TOR Anonymity for an SSH Hack.

It's still possible to perform an 'Anonymous SSH Hack' using 'The Onion Router', for example.
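The loop of repeated attempts described in this post leaves a trail on the server side: every try becomes one 'Failed password' line in sshd's log, and because SSH needs the two-way TCP exchange the post explains, the source address in that line is the real address of the client (or of the proxy or Tor exit it went through). As an added example, not code from the post or from its download, here is a small Python scanner in the spirit of fail2ban that reads such lines and flags a source that accumulates five failures within sixty seconds. The log lines, the hostname `host`, the addresses and the thresholds are all constructed for the demo; the line format is OpenSSH's default syslog output.

```python
"""Spot SSH dictionary attacks in sshd auth-log lines: many 'Failed password' entries
from one source address in a short window. Added example, not the post's own code."""
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH failure line as written to /var/log/auth.log (the syslog timestamp carries no year).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sample log: one source walking a dictionary over several usernames,
# one legitimate user who mistypes once and then logs in.
SAMPLE_LOG = [
    "Dec 27 10:15:01 host sshd[2411]: Failed password for root from 203.0.113.7 port 50122 ssh2",
    "Dec 27 10:15:03 host sshd[2413]: Failed password for root from 203.0.113.7 port 50124 ssh2",
    "Dec 27 10:15:04 host sshd[2415]: Failed password for invalid user admin from 203.0.113.7 port 50126 ssh2",
    "Dec 27 10:15:06 host sshd[2417]: Failed password for root from 203.0.113.7 port 50128 ssh2",
    "Dec 27 10:15:08 host sshd[2419]: Failed password for invalid user oracle from 203.0.113.7 port 50130 ssh2",
    "Dec 27 10:20:00 host sshd[2500]: Failed password for alice from 198.51.100.4 port 41000 ssh2",
    "Dec 27 10:20:30 host sshd[2502]: Accepted password for alice from 198.51.100.4 port 41002 ssh2",
]


def parse_failed_login(line, year=2015):
    """Return (timestamp, username, source_ip) for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]


def find_dictionary_attacks(lines, threshold=5, window_seconds=60):
    """Sliding-window count of failures per source IP. A source that reaches `threshold`
    failures inside `window_seconds` is reported as (count, sorted usernames tried)."""
    recent = defaultdict(deque)      # source IP -> failure timestamps still inside the window
    users_tried = defaultdict(set)   # source IP -> every username it has failed with
    flagged = {}
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed is None:
            continue                  # accepted logins and unrelated lines are ignored
        ts, user, ip = parsed
        window = recent[ip]
        window.append(ts)
        users_tried[ip].add(user)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()          # forget failures older than the window
        if len(window) >= threshold:
            flagged[ip] = (len(window), sorted(users_tried[ip]))
    return flagged


if __name__ == "__main__":
    for ip, (count, users) in find_dictionary_attacks(SAMPLE_LOG).items():
        print(f"{ip}: {count} failures within 60s, usernames tried: {', '.join(users)}")
```

The two signals worth acting on are the failure rate itself and the spread of usernames from one source; a single user who mistypes a password once never crosses the threshold. Because the post's own point about proxies and Tor also holds for defenders, a block on the flagged address stops that relay, not the person behind it, so the usual response is a temporary block plus alerting rather than a permanent rule.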

Saturday, December 26, 2015

Dictionary Webapp Hack.

Disclaimer.

This is a technically advanced article about hacking 'Internet applications' & other tools.

To understand this article, one has to know a little about programming (preferably in Java), a little about web applications, & a little about the HTTP protocol.


HTTP Request analysis.

I've used a Google Chrome tool called 'HTTP Trace' to look at the HTTP request sent to a sample webapp I was running on my computer.

I've looked at a failed login attempt.


[Image: Failed Login Data (screenshot not included).]


C0de.

Then I downloaded Apache's HTTP Client library & wrote a little code that 'forged' HTTP requests & tried to log in to an app in a loop.

I've looked at the results of both failed & successful login attempts, then came up with a final version of the code as follows:




[Image: C0de for a Hack (screenshot not included).]



It doesn't matter much that the successful login attempt comes back with a 'Bad Request' status; we've still got the information that the password is correct.


... the presented code is very simple & can be refined in many ways ... but all of that would only obscure the main idea: that a program can be used to perform dictionary or brute-force attacks on a webapp.


C0de without a 'Bad Request'.

... slightly refined code, without the 'Bad Request' status message, is shown in the screenshot below & can be downloaded here as well.




[Image: C0de, slightly refined (screenshot not included).]



I've 'printed' the first server hit (an HTTP GET request) on the monitor screen, analyzed it, noticed the 'jsessionid' part & wrote code that extracted it.

... proper use of the HTTP POST parameters, including 'jsessionid', was the key to overcoming the 'Bad Request' problem & message as well.

Then I did the part of the code responsible for extracting & comparing the page's title to determine whether we successfully logged in or not.


... further c0de refinements could include loading the password dictionary from a file, or generating it somehow, & an option of performing more or less refined brute-force attacks.


Security Measures.

How to protect against attacks such as these?

... with a captcha & account-locking functionality, but this opens the webapp to an 'Account Lockout' vulnerability: any user might be prevented from logging in to the app.


Other Considerations.

This is the equivalent of Brutus / Hydra software (hacks done more or less manually instead of using someone's complete tools).

This method can be used to hack a Tomcat webapp server's password, web services, routers, SSH, ... & other tools.

Just download the client library for a given service or app & write code that attacks passwords via the given protocol.

A captcha won't protect all the time, but delays after failed logins, as well as use of strong passwords that change over time, should.
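The 'Security Measures' section and the closing paragraph name the defender's options: a captcha, delays after failed logins, and account locking, with the caveat that a hard lock lets anyone lock a victim out. As an added example, not code from the post, here is a Python login throttle that combines those ideas without the lockout problem: each account gets an exponentially growing delay after consecutive failures (never a permanent lock), a captcha is demanded once an account has seen a few failures, and each source IP gets a hard cap on failures per window across all accounts, which is the brake that matters against a loop walking one dictionary over many usernames. The `LoginThrottle`, `attempt_login` and `FakeClock` names, the delay constants, and the sample credentials are all constructed for the demo; the password store uses PBKDF2 with a deliberately low iteration count so the demo runs quickly.

```python
"""Throttle a web-app login so a dictionary attack slows to a crawl without a
hard account lockout. Added example, not code from the original post."""
import hashlib
import hmac
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Two independent brakes:
    - per account: exponential delay after consecutive failures (never a hard lock,
      so an attacker cannot lock a victim out just by guessing at their username);
    - per source IP: at most ip_limit failures per ip_window seconds across all
      accounts, which stops one client from walking a dictionary over many usernames.
    A captcha is demanded for an account after captcha_after consecutive failures."""

    def __init__(self, base_delay=1.0, max_delay=60.0, captcha_after=3,
                 ip_limit=20, ip_window=300.0, clock=time.monotonic):
        self.base_delay, self.max_delay = base_delay, max_delay
        self.captcha_after = captcha_after
        self.ip_limit, self.ip_window = ip_limit, ip_window
        self.clock = clock
        self.account_failures = defaultdict(int)      # consecutive failures per username
        self.account_not_before = defaultdict(float)  # earliest time a new try is accepted
        self.ip_failures = defaultdict(deque)         # failure timestamps per source IP

    def check(self, username, source_ip):
        """Return (allowed, wait_seconds, captcha_required) for an incoming attempt."""
        now = self.clock()
        captcha = self.account_failures[username] >= self.captcha_after
        window = self.ip_failures[source_ip]
        while window and now - window[0] > self.ip_window:
            window.popleft()                          # drop failures outside the window
        if len(window) >= self.ip_limit:
            return False, self.ip_window - (now - window[0]), True
        wait = self.account_not_before[username] - now
        if wait > 0:
            return False, wait, captcha
        return True, 0.0, captcha

    def record_failure(self, username, source_ip):
        """Double the per-account delay (capped) and count the failure against the IP."""
        now = self.clock()
        self.ip_failures[source_ip].append(now)
        self.account_failures[username] += 1
        delay = min(self.base_delay * 2 ** (self.account_failures[username] - 1), self.max_delay)
        self.account_not_before[username] = now + delay
        return delay

    def record_success(self, username):
        """A correct password clears the account's failure state."""
        self.account_failures.pop(username, None)
        self.account_not_before.pop(username, None)


# Password storage for the demo: salted PBKDF2, iteration count kept low for speed
# (a real deployment uses a much higher count).
def hash_password(password, salt, iterations=20_000):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(password, salt):
    return salt, hash_password(password, salt)


# Dummy record so unknown usernames cost the same time as real ones (no enumeration by timing).
DUMMY_RECORD = make_record("", b"dummy-salt-0000")


def attempt_login(throttle, credentials, username, password, source_ip):
    """Run one login attempt through the throttle; returns a dict describing the outcome."""
    allowed, wait, captcha = throttle.check(username, source_ip)
    if not allowed:
        return {"status": "throttled", "wait": round(wait), "captcha": captcha}
    salt, digest = credentials.get(username, DUMMY_RECORD)
    if username in credentials and hmac.compare_digest(hash_password(password, salt), digest):
        throttle.record_success(username)
        return {"status": "ok", "wait": 0, "captcha": captcha}
    delay = throttle.record_failure(username, source_ip)
    return {"status": "failed", "wait": round(delay), "captcha": captcha}


class FakeClock:
    """Manual clock so the demo does not have to sleep through the delays."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    creds = {"alice": make_record("correct horse battery", b"salt-for-alice")}  # constructed
    for pw, gap in [("wrong1", 0), ("wrong2", 0), ("wrong3", 1), ("correct horse battery", 2)]:
        clock.advance(gap)
        print(pw, attempt_login(throttle, creds, "alice", pw, "198.51.100.4"))
```

The design choice is that the per-account brake only ever delays: a legitimate user who has been targeted waits at most `max_delay` and solves a captcha, but is never shut out, while a script cycling usernames from one address hits the per-IP cap after `ip_limit` failures regardless of which accounts it tried. The `captcha` flag is only reported here; the web layer is expected to verify the captcha response before calling `attempt_login`.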