Security in Computing Brute Force Attack Demonstration Report
Security in Computing Brute Force Attack Demonstration Report
Security in Computing Brute Force Attack Demonstration Report
Ankit Shrestha
Table of Contents
1. Introduction ............................................................................................................... 1
1.1 Current scenario .................................................................................................... 2
1.2 Problem Statement ................................................................................................ 4
1.3 Aim and Objective .............................................................................................. 4
2. BACKGROUND ....................................................................................................... 5
3. DEMONSTRATION ................................................................................................. 6
3.1 Architecture of virtual lab in GNS3 ......................................................................... 6
3.2 Brute-force Attack form Kali-Linux to metasploitable2 ........................................... 8
3.3 Transferring and downloading of files .................................................................. 11
4. Mitigation .............................................................................................................. 15
5. Evaluation ............................................................................................................. 18
5.1 Pros of brute force attacks mitigation strategy ..................................................... 18
5.2 Cons of Brute Force Attacks Mitigation Strategy ................................................. 19
5.3 Cost Benefit Analysis (CBA) Calculation .......................................................... 19
Conclusion ................................................................................................................... 21
Bibliography ................................................................................................................ 22
Ankit Shrestha
1. All attacks with unique password counts and times of execution (L. Bošnjak*, 2018) . 2
Ankit Shrestha
Figure 1 Expected large scale attack per day(monthly) (Murphy, 2018) ......................... 3
Figure 2 Expected very large scale attack per day (Monthly) (Murphy, 2018) ................. 3
Figure 3BRUTE-FORCE ATTACK EVOLUTION(JAN -MAY, 2020)................................ 5
Figure 4 GNS3 Architecture ............................................................................................ 7
Figure 5 pinning metasploitable2 .................................................................................... 8
Figure 6 Incorrect password ............................................................................................ 9
Figure 7 files .................................................................................................................... 9
Figure 8 Hydra command ............................................................................................. 10
Figure 9 successfully cracked password ...................................................................... 11
Figure 10 FTP ............................................................................................................... 12
Figure 11 ls cd commands ............................................................................................ 13
Figure 12 transferring file in our system ....................................................................... 13
Figure 13 putting file in the target system...................................................................... 14
Figure 14 metasploitable2 showing the file we put ........................................................ 14
Figure 15 Enabling the firewall in metasploitble2. ......................................................... 15
Figure 16 denying the FTP client request...................................................................... 15
Figure 17 checking status ............................................................................................. 16
Figure 18FTP login from Linux ...................................................................................... 16
Figure 19 lets accept the FTP client request from any where ....................................... 17
Figure 20 checking form Core_Router .......................................................................... 18
Ankit Shrestha
Abstract
The primary purpose and goal of this mission is to search for various login passwords
and to find an identical server password. This can be done with Kali Linux and
Metasploitable2 in GNS3. We have used some software installed into the Kali Linux for
these tasks to complete it. The project also aims to help the user understand the use of
the tools and break server's password. We worked out the right password for the
specific server after completing tasks using various methods. It is important that the
user should know the server's password and be able to log in to the system in seconds
and that the time is not lost. Often, more attempts are reduced, resulting in less brutal
force attacks, for login to the system. We inferred that any users who can use the Kali
Linux tools to easily access any server will know the passwords within seconds. After
that we inter into the metasploitable2 and download the file using FTP service and
transfer out file to their system. Finally, a vision of how to work in Kali Linux and
Metasploitable2 was presented and the coursework and was quickly carried out. And
after that we evaluated it and know its mitigation. Learn about the pros and cons of the
brute force attacks
Ankit Shrestha
CC5004NI SECURITY IN COMPUTING
1. Introduction
A brute force attack is the cyber-attack, that attempts to find the right one for every key
in your key.. The brute force attacks accounted for 5 percent of reported breach cases
in 2017.Attacks by brute force are straightforward and trustworthy. Attackers let a
program do the job – for example, try various usernames and password combinations –
before they found a working one. The better counter is that criminals have access to the
network and become even tougher to catch and neutralize a brutal threat (PETTERS,
2020).
An attack by brute force uses test and erroneous devices to create login credentials,
encrypt keys or to find a hidden web page. Hackers use all possible variations to guess
correctly. These assaults are carried out by 'brute force' which means that they aim to
'force' their way into their privacy (s). It's an old method of attack, but with hackers it's
still successful and widespread. As cracking will take from a couple of seconds to
several years, depending on the duration and difficulty of the password (Kaspersky,
2020).
Seq. Attack Count % Time
no.
1. Old pattern (2 lowercase letters followed by 4 115,498 76.89 20 sec
digits)
2. Increase to length six(mixedalphaspexialnum) 12,056 8.03 2 min 12
sec
3. Digits only for length 7 to 12 656 0.44 3min
17sec
4. Increase length to 8 (lower custom charset) 7,094 4.72 22min
6sec
5. Length 9 and 10(mixed custom charset, 2,071 1.38 30 min
special pattern)
6. Increment to length 9(foreign language 36 0.03 15min
charset )
1
Ankit Shrestha
CC5004NI SECURITY IN COMPUTING
The table shows that more of those brute force attacks and the most cracked password
were old pattern passwords, with more hacking in 2 seconds, and less attacks were
applied to the foreign language character passwords, with a duration of up to 9
characters. Their passwords are more frequent than the previous pattern.
2
Ankit Shrestha
CC5004NI SECURITY IN COMPUTING
In less than 10 minutes, large scale attacks are described as over 10,000 malicious
requests.
Figure 2 Expected very large scale attack per day (Monthly) (Murphy, 2018)
'There are more than 30,000 malicious requests in less than 10 minutes for very large-
scale attacks. In June 3,547,074 became the biggest brute force assault. The average
assault was 55,993 between January and June (Murphy, 2018).
3
Ankit Shrestha
CC5004NI SECURITY IN COMPUTING
Objectives
To learn about the brute force attack
To know about the GNS3 and how to use it.
Learn how to crack password using kali linux.
To show the brute force attack form kali-linux to metaspoitable done by
us.
In addition to brute force attacking, the user can also mitigate.
4
Ankit Shrestha
CC5004NI SECURITY IN COMPUTING
2. BACKGROUND
The term "brute force" explains how the attack is superficial. As the attack requires
passwords for unauthorized entry, the name can be easily seen. Brute force attacks can
be very successful, as primitive as they are. Most cyber-attackers who are specializing
in brute-force attacks use bots. Attackers typically have a set of true and often used
passwords and delegate their bots to attacking websites. Cracking by manual brute
strength takes time and most attackers use the applications and techniques for helping
them with brute force attack. With the resources available, attackers can use the right
session ID, including and try to input various combinations of passwords to access web
applications (Tucakov, 2020).
In the above figure, RDP encryption vulnerability has allowed malicious actors to access
the machine unhindered and carry out a variety of activities. The HeimdalTM security
telemetry shows that the number of brute forces attacks has risen dramatically. For
example, the January-February period is 25,000% higher than in the previous interval
(December-January). The amplitude of the phenomena was reported in late March
despite the confusion due to the uncannily high percentage (over 9,000 brute-force
attacks in one day). In early April, the anomaly begins to decrease. Relative flatline at
the end of Can observed. In April, the telemetry of Heimdal Security showed both in
terms of strength and number a visible decrease. These figures are going to fall faster,
come May. This abrupt rate transition can not, though, be taken for granted as the Can
5
Ankit Shrestha
CC5004NI SECURITY IN COMPUTING
figures are considerably higher than our proposed baseline (January).The decision-
makers in our database will justify this sudden decline (~88 percent) by ordering
additional cybersecurity counters for remote employees HeimdalTM and the resulting
strengthening of the identification and mitigation grid. In January the phenomena
followed a discontinuous pattern. Distribution involved. Our data show a difference of 7
days at the start of the month. Gapping decreases in mid-January, with attacks split
between 2 and 3 days. The distance hits the lowest level in February (brute-force
attacks registered each day). There are no noticeable holes in BFAs as far as March
and April are concerned. In May the same declaration was validated. Statistical
research has shown a concentration of 98.5% along the RDP port (3389). The
remainder focused on the login display. There have been no important infringements or
data exfile (VLADIMIR, 2020).
There are five kinds of brutal assaults: simple attacks, dictionary attacks, hybrid attacks,
reverse attacks and authentication. Anyone with curiosity and a small expertise will
learn a brute force decrypting tool, a device that performs brute force attacks
automatically. Typically people use techniques of brute force to break passwords or to
decode hacked databases of passwords. The effectiveness and the computational
power of the individuals who developed the brute force tool. Your average lone-wolf
bedroom hacker cannot afford a computer's top-level password. But over time a
hacker's concept has shifted. Nowadays, a large number of Internet offenders have
access to the top password cracking strategies available, which are financed and
closely coordinated (academy, 2019).
3. DEMONSTRATION
6
Ankit Shrestha
CC5004NI SECURITY IN COMPUTING
7
Ankit Shrestha
CC5004NI SECURITY IN COMPUTING
If it is pinning than we are ready to move too next step as it is the sign of success.
8
Ankit Shrestha
CC5004NI SECURITY IN COMPUTING
As shown in the figure we don’t know the password and we failed to attempt 3 login.
After trying 3 times we failed and message pops out saying maximum number of tries
exceeded.
Figure 7 files
After that we create a file where more we add lot of possible password in a file necause
brute force is all about this thing.
9
Ankit Shrestha
CC5004NI SECURITY IN COMPUTING
In the above figure, I am using hydra tool as it helps us in the password cracking.
And it is easy to use as well the command (hydra –l msfadmin –P passwordsearch
ftp://10.10.10.13 –V) means we are using hydra tool and we know that the username is
msfadmin and for password cracking we need a lot of random password which is in
passwordsearchwhich is used as a dictionary and ftp and add victim ip which is
10.10.101.14. the attempts are started as show in the figure.
10
Ankit Shrestha
CC5004NI SECURITY IN COMPUTING
In the above figure, we can clearly see the 100 attempts and after finding that the
password is msfadmin it automatically detect the correct one and message like target
successfully complete, 1 valid password found is shown. And shows the time and date
when was the password was cracked. This was the first step of this attack. And it was
done successfully done.
11
Ankit Shrestha
CC5004NI SECURITY IN COMPUTING
FTP refers to file transfer protocol which is made for exchange of file and data across
the network
Figure 10 FTP
After we know the password we will enter into the metasploible2 by using the ftp
command which will ask us for the username where we should put msfadmin and then
we are asked for the password which I cracked a minute ago. We entered the
password. It was login successful. And binary mode of file transfer is being used.
12
Ankit Shrestha
CC5004NI SECURITY IN COMPUTING
Figure 11 ls cd commands
After that I was looking the file by showing its list by the ls command after that I want to
the vulnerable directory by cd command and again show ls command for what was
inside this directory. We were shown as per the figure and we will try to download the
www.test.login.nat.com.
13
Ankit Shrestha
CC5004NI SECURITY IN COMPUTING
In this get command this command helps us to get this file as 150 opens binary mode
data connection for that file after that the transfer will show it is done. After that it will
show the file transfer in bytes in some seconds.
We are putting a file in their system which was made by us as demo to show that we
can put a file full of virus which may affect the system of the victim. As shown in the
figure, 200 port commands was shown successful and data of virus.file which was
created by us was sent and transfer was shown complete as 58bytes sent in 0sec. The
second figure shows it all that the file me put with the help of kali-Linux was successfully
injected.
14
Ankit Shrestha
CC5004NI SECURITY IN COMPUTING
4. Mitigation
1st step: Enabling the firewall in metasploitble2.
In the above figure, Firewall status was deactivated. So, the execution of the order was
allowed to enable the firewall. After enabled, it was tested whether or not the status and
firewall setup is enabled. And commands is shown and the firewall is enable.
2nd step : denying the FTP client request
15
Ankit Shrestha
CC5004NI SECURITY IN COMPUTING
In the above figure, the first command is used to deny any login form 10.10.10.254 to
any port and the rule is added it will block FTP client request form the mentioned ip
address and was successfully executed. The command “sudo ufw status verbose” show
the deny of the ip address mentioned before as the tcp and udp both are in the denied
states. It was also successfully executed.
3rd step: checking status
In the given figure, we were putting a command as the command should have showed
us enter username and password but after the command we had done before help the
metasploirtable2 as the note was seen as the host seems down.
16
Ankit Shrestha
CC5004NI SECURITY IN COMPUTING
The FTP login attempt was carried out before when the firewall was disabled. It took
long time to execute at the first and then I did it again and leaved it for many minutes
the ftp connection timed out. This occurred when a firewall metasploitable2 dropped the
request from the FTP client.
5th step: lets accept the FTP client request from any where
Figure 19 lets accept the FTP client request from any where
The job was not finished simply by blocking the incoming Linux FTP client. Thus,
metasploitable2 also needed to approve FTP customer request from other
devices/hosts including Core_Router in the tropology. The allow anywhere was shown
and it was a success.
6th step: checking form Core_Router
17
Ankit Shrestha
CC5004NI SECURITY IN COMPUTING
As shown in the above figure, the command before worked properly as the Core_Router
can got through it easily. It was a success at the last as the evaluation part is come to
an end.
5. Evaluation
18
Ankit Shrestha
CC5004NI SECURITY IN COMPUTING
19
Ankit Shrestha
CC5004NI SECURITY IN COMPUTING
There is a SIC firm, which was infected once every 3 months by the brute-
force attack, causing an incidence of $2 000. In order to decrease the risk at an
appropriate amount of $3000 annually, the company agreed to employ an entry
of pen-tester every 3 months. Without adding any hardware or software
components, pen-tester corrected all vulnerabilities related to the brute-force
attack. The annual loss expectation was thus lowered to $1500 as a result of the
brute force attack. The cost value estimate is now time to calculate.
Soln,
Here,
Annual loss due to brute force attack (ALEpost)= $1500
Annual rate of occurrence (ARO)=1 per 3 months = 4 times per annual
Annual Loss per incident = SLE * ARO
= $2000 * 4
= $8000
Annual loss expectancy prior (ALC) = $8000
Cost of pen-tester (ACS) = $3000
CBA = ALEprior –ALEpost -ACS
= $8000- $1500- $3000
=$3500
In this case, the costs of temporary recruitment by the annual expense are lower
than the anticipated losses attributed to brute-force attacks. The positive
advantage in recruiting the pen-tester.
20
Ankit Shrestha
CC5004NI SECURITY IN COMPUTING
Conclusion
In today’s world the technology and their system has grown so much. As the
growth of different firewall there grows different malware and attacking strategies
which can affect all the people around the world as the hackers hacks their
system and they can misused it so easily. The brute forces attack also an attack
which can affect the people who was or will be the victims of this attacks.
In this project the attack was delivered and show in the GNS3 was a success.
We performed a brute force attack into metasploitable2 to crack its password
with the help of hydra which is tool of kali Linux. In cracked the password with the
help of dictionary of more than 99 passwords. As brute force attack is the attack
in which we attends the password many times the password was correct at the
100th time and we cracked the password. After that we inter into the
metasploitable2 and download the file using FTP service and transfer out file to
their system. Finally, a vision of how to work in Kali Linux and Metasploitable2
was presented and the coursework and was quickly carried out. With the help of
teacher and a lot of research I was able to complete my coursework in time.
21
Ankit Shrestha
CC5004NI SECURITY IN COMPUTING
Bibliography
academy. (2019) academy [Online]. Available from: https://www.avast.com/c-what-is-a-
brute-force-attack [Accessed 20 April 2021].
cisco. (2014) electricmonk [Online]. Available from:
http://www.electricmonk.org.uk/2014/02/07/what-is-gns3/ [Accessed 20 April 2021].
HAYES, A. (2021) Incestopedia [Online]. Available from:
https://www.investopedia.com/terms/c/cost-benefitanalysis.asp [Accessed 21 April
2021].
Kaspersky. (2020) Kaspersky [Online]. Available from:
https://www.kaspersky.com/resource-center/definitions/brute-force-attack [Accessed 19
April 2021].
L. Bošnjak*, J.S.a.B.B. (2018) Brute-force and dictionary attack on hashed real-world
passwords. Maribor: Electronics and Microelectronics (MIPRO) University of Maribor,
Faculty of Electrical Engineering and Computer Science/Institute of Informatics.
Murphy, K. (2018) FOREFENIX [Online]. Available from:
https://www.foregenix.com/blog/stronger-and-frequent-brute-force-attacks-are-now-the-
norm [Accessed 19 April 2021].
PETTERS, J. (2020) VARONIS [Online]. Available from:
https://www.varonis.com/blog/brute-force-attack/ [Accessed 19 April 2021].
Tucakov, D. (2020) phoenixNAP [Online]. Available from:
https://phoenixnap.com/blog/brute-force-attack [Accessed 20 April 2021].
VLADIMIR. (2020) HEIMDAL SECURITY [Online]. Available from:
https://heimdalsecurity.com/blog/brute-force-attack/ [Accessed 20 April 2021].
22
Ankit Shrestha