Automate Brute-Force Attacks for Nmap Scans

-

Using Hydra, Ncrack, and other brute-forcing tools to crack passwords for the first time can be frustrating and confusing. To ease into the process, let's discuss automating and optimizing brute-force attacks for potentially vulnerable services such as SMTP, SSH, IMAP, and FTP discovered by Nmap, a popular network scanning utility.
BruteSpray, developed by Jacob Robles and Shane Young, is a Python script capable of processing an Nmap scan output and automating brute-force attacks against discovered services using Medusa, a popular brute-forcing tool. BruteSpray is the much-needed nexus that unifies Nmap scans and brute-force attacks.

Step 1Set Up BruteSpray & Medusa

An older version of BruteSpray can be found in the Kali repositories. To avoid potential confusion, any version of BruteSpray which may already be installed should be removed using the below command.
apt-get autoremove brutespray

Next, clone the BruteSpray repository.
git clone https://github.com/x90skysn3k/brutespray.git

Then, cd into the "brutespray" directory and use pip, a tool for installing and managing Python packages, to install the BruteSpray dependencies. This command is required to run BruteSpray. The -r argument instructs pip to install the dependencies found in the "requirements.txt" file.
cd brutespray/
pip install -r requirements.txt

Lastly, install Medusa. This can be done using the below command.
apt-get install medusa

The --help argument can be used to verify BruteSpray is working properly and to view the available options.
./brutespray.py --help

That's it for downloading BruteSpray and installing dependencies — there are no modifications or configurations required.
Other prerequisites which may be useful for following along with this tutorial are Nmap (of course), a general understanding of how Nmap works, and a simple wordlist for password-guessing attacks. Nmap can be installed and downloaded using the below command, if you don't already have it.
apt-get install nmap

The wordlist I'm using in this guide can be downloaded with the following command. You can, of course, use any wordlist that you want from leaked password databases, other wordlists online, or from custom wordlist-building tools such as Mentalist, CeWL, and Crunch.
wget 'https://raw.githubusercontent.com/tokyoneon/1wordlist/master/1wordlist2rulethem%40ll.txt'

Step 2Generate Nmap Output Files

BruteSpray requires an Nmap output file to function. These files can be created using Nmap's -oX or -oG arguments as seen in the below Nmap command. The -sV means it will probe open ports to determine the service and version information.
Usage of -oG is the most important argument here. It will save the Nmap output to a local file in grepable format. This allows BruteSpray to effectively process the services and ports found on the target server. Similarly, the -oX argument will save the Nmap output to an XML output, which is also supported by BruteSpray but less human-readable.
nmap -sVTU -p ports TargetServer -oG filename.gnmap

The newly create .gnmap file can be viewed using the cat command.
cat filename.gnmap

Take note of the "open" ports discovered by Nmap as these services are now available for automated brute-force attacks.

Step 3Automate Brute-Force Attacks with BruteSpray

BruteSpray currently supports nearly two dozen services by default. The supported services can be viewed using the --modules argument. They include SSH, FTP, Telnet, VNC, MsSQL, MySQL, PostgreSQL, RSH, IMAP, NNTP, pcAnywhere, POP3, rexec, rlogin, SMBNT, SMTP, SVN, vmauthd, and SNMP.
./brutespray.py --modules

1Interactive Mode

The -i argument can be used to enable an interactive mode, a guided mode designed to maximize the ease of use.
./brutespray.py --file filename.gnmap -i

Simply follow the prompts and the brute-force attack will begin.

2Target Individual Services

Targeting a single service can be accomplished using the --service argument and specifying the protocol. If the --username argument isn't specified when using --service, BruteSpray will use the default username list found in the wordlist/ssh/user file. This list of usernames can be modified at any time.
./brutespray.py --file filename.gnmap --service ssh


3Configure Custom Wordlists & Usernames (Optional)

There are small built-in wordlists and username lists that are automatically used when a particular service is brute-forced. For example, the "password" file, located in the wordlist/ssh/ directory, contains passwords used when brute-forcing SSH services. Each supported service has its own dedicated directory in the wordlist/ directory.


It would be possible to manually change the built-it wordlists using the below cp command to copy over a custom wordlist.


cp /path/to/customPasswords.list wordlist/ssh/password
Built-in username lists can also be changed using the below command.
cp /path/to/customUser.list wordlist/vnc/user
Alternatively, custom password and usernames lists can be used from command line with the --passlist and --username arguments.
./brutespray.py --file filename.gnmap --username UsernameHere --passlist /path/to/desired/passwords.list --service ftp

Comments

Post a Comment

Popular posts from this blog

How To Unlock Windows Computer from Android or iPhone

-
Image
Learn How To Unlock Windows Computer from Android or iPhone: How to unlock your computer with the help of your android smartphone, you will need a Rohos Logon Key software installed both on your Android and Computer to gain access you computer. T here is numerous article on the internet concerning how to secure your PC while you are not at the computer, Some of us even try to search that is there any procedure to unlock your PC with the help of the smartphone? But let’s tell you there is an easy method out there by which you can easily Unlock your computer with the help of your Android smartphone. How To Unlock Windows Computer for Android or iPhone With this method, you need your smartphone to unlock your computer after logging in into your windows login screen and for that, you have to connect your smartphone with your PC to identify the right authentication to PC to unlock it. So read out the below steps proceed. It is possible to access your computer without th
Read more

How To Change Serial Number Of Your Android

-
Image
How To Change Serial Number Of Your Android Set the custom serial number on your Android mobile to hide its identity over the network and over the various app servers that use your device serial number to work with the help of xposed module. Android Serial number of every mobile device is its identity to recognize that network on the cellular network and to accept the licenses that have been made for that device, and this identity is by default set by the phone’s manufacturer. You can’t change the IMEI number to detect over the cellular network, but you can change this on your device for the temporary time for the apps and the devices licenses. And this fakes your device identity, and you can use this in a very cool way of faking some recharge apps to get the bonus. So, in this guide, we will be discussing the same. So have a look at complete guide explained below to proceed. How To Change Serial Number Of your Android The method is quite simple, an
Read more