Security in Computing Brute Force Attack Demonstration Report


Module Code & Module Title: CC5004NI Security in Computing
Assessment Weightage & Type: 30% Individual Coursework
Year and Semester: 2020-21 Autumn
Student Name: Ankit Shrestha
London Met ID: 19031266
College ID: NP01NTA190158
Assignment Due Date: 25th April 2021
Assignment Submission Date: 21st April 2021
Word Count (Where Required): 4065 words
I confirm that I understand my coursework needs to be submitted online via Google Classroom under the relevant
module page before the deadline for my assignment to be accepted and marked. I am fully aware that late
submissions will be treated as non-submission and a mark of zero will be awarded.

Ankit Shrestha
Table of Contents
1. Introduction
1.1 Current scenario
1.2 Problem Statement
1.3 Aim and Objective
2. BACKGROUND
3. DEMONSTRATION
3.1 Architecture of virtual lab in GNS3
3.2 Brute-force Attack from Kali-Linux to metasploitable2
3.3 Transferring and downloading of files
4. Mitigation
5. Evaluation
5.1 Pros of brute force attacks mitigation strategy
5.2 Cons of Brute Force Attacks Mitigation Strategy
5.3 Cost Benefit Analysis (CBA) Calculation
Conclusion
Bibliography

1. All attacks with unique password counts and times of execution (L. Bošnjak*, 2018)

Figure 1 Expected large scale attack per day (monthly) (Murphy, 2018)
Figure 2 Expected very large scale attack per day (Monthly) (Murphy, 2018)
Figure 3 BRUTE-FORCE ATTACK EVOLUTION (JAN-MAY, 2020)
Figure 4 GNS3 Architecture
Figure 5 pinging metasploitable2
Figure 6 Incorrect password
Figure 7 files
Figure 8 Hydra command
Figure 9 successfully cracked password
Figure 10 FTP
Figure 11 ls cd commands
Figure 12 transferring file in our system
Figure 13 putting file in the target system
Figure 14 metasploitable2 showing the file we put
Figure 15 Enabling the firewall in metasploitable2.
Figure 16 denying the FTP client request
Figure 17 checking status
Figure 18 FTP login from Linux
Figure 19 let's accept the FTP client request from anywhere
Figure 20 checking from Core_Router

Abstract
The primary purpose and goal of this project is to try various login passwords
and to find the one that matches the server password. This is done with Kali Linux and
Metasploitable2 in GNS3, using software installed in Kali Linux to complete the
tasks. The project also aims to help the user understand how the tools are used to
break a server's password. We worked out the right password for the specific server
after completing the tasks using various methods. It is important that the user knows
the server's password and is able to log in to the system in seconds, so that time is
not lost. Often, the number of attempts is reduced, resulting in fewer brute force
attacks on the system login. We inferred that any user who can use the Kali Linux
tools to access a server will know its passwords within seconds. After that we enter
metasploitable2, download a file using the FTP service and transfer our file to their
system. Finally, an overview of how to work in Kali Linux and Metasploitable2 was
presented and the coursework was quickly carried out. After that we evaluated the
attack and learned its mitigation, along with the pros and cons of brute force
attacks.

CC5004NI SECURITY IN COMPUTING

1. Introduction
A brute force attack is a cyber-attack that tries every key on your key ring until it
finds the right one. Brute force attacks accounted for 5 percent of reported breach
cases in 2017. Brute force attacks are simple and reliable. Attackers let a program do
the job, for example trying various username and password combinations, until they
find one that works. Once criminals have access to the network, they become even
tougher to catch and the threat harder to neutralize (PETTERS, 2020).
A brute force attack uses trial and error to guess login credentials or encryption
keys, or to find a hidden web page. Hackers work through all possible combinations
hoping to guess correctly. These attacks are carried out by 'brute force', meaning that
they aim to 'force' their way into private account(s). It is an old method of attack,
but it is still successful and widespread among hackers. Cracking can take anywhere
from a couple of seconds to several years, depending on the length and complexity of
the password (Kaspersky, 2020).
Seq. no.  Attack                                                   Count     %      Time
1.        Old pattern (2 lowercase letters followed by 4 digits)   115,498   76.89  20 sec
2.        Increase to length six (mixedalphaspecialnum)            12,056    8.03   2 min 12 sec
3.        Digits only for length 7 to 12                           656       0.44   3 min 17 sec
4.        Increase length to 8 (lower custom charset)              7,094     4.72   22 min 6 sec
5.        Length 9 and 10 (mixed custom charset, special pattern)  2,071     1.38   30 min
6.        Increment to length 9 (foreign language charset)         36        0.03   15 min
7.        Improved pattern (mixedalphanum length 8)                9,701     6.46   10 hr 20 min
8.        Length 10 lowercase English alphabet                     67        0.05   49 min 33 sec
9.        Length 10 lowercase English alphabet and digits          222       0.19   20 hr
1. All attacks with unique password counts and times of execution (L. Bošnjak*, 2018)

The table shows that most of the brute force attacks, and most of the cracked passwords,
involved old pattern passwords, with most of the cracking done in 2 seconds, while the
fewest attacks were applied to the foreign language character passwords, with a length
of up to 9 characters. Their passwords are more frequent than the previous pattern.

1.1 Current scenario


The internet has been plagued by brute force attacks for years. It's a very
basic concept: try every word/number combination until you get the right one. We look at
current developments and what you can do to safeguard your company in this blog
post. During the first half of this year there was a drastic uptick in the number and scale
of brute-force attacks, such as those last year against the UK and Scottish parliaments.
Data gathered from over five hundred websites worldwide shows that major attacks rose
through the first half of the year, aside from the fall in February. Four attacks occurred
regularly in May and June; more than one attack a day in the previous three
months. The number of major brute force attacks, described as over 30,000 malicious
requests over a ten-minute period, also increased along with the severity of attacks,
ending at an unexpected peak of more than 1.5 attacks a day after starting the year at
half that amount. We have put a few diagrams together to show graphically what we saw.
The horizontal axis is the daily frequency of attacks for the months beginning 1 January
and ending 22 June. Attacks were much rarer and less frequent two years ago, and the
brute force attacks today are just as commonplace (Murphy, 2018).


Figure 1 Expected large scale attack per day(monthly) (Murphy, 2018)

Large scale attacks are described as over 10,000 malicious requests in less than 10
minutes.

Figure 2 Expected very large scale attack per day (Monthly) (Murphy, 2018)

Very large-scale attacks are described as more than 30,000 malicious requests in less
than 10 minutes. The biggest brute force attack, at 3,547,074, came in June. The average
attack between January and June was 55,993 (Murphy, 2018).


1.2 Problem Statement


Hackers or intruders can quickly exploit defects in devices and networks, including
firewalls, IDS/IPS, routers, web servers and switches, simply by launching a brute force
attack. This attack is commonly used to crack passwords, and it is one of the quickest
attacks. These attacks are the cyber-equivalent of a situation we often see in films: a
door is locked and a person with a keyring has no idea which key fits. Time has run out.
At any moment the owner will be there. So the individual tries key after key, quickly,
until one fits. Attackers usually use scripts or bots to target the login page of a
website or application. A brute force attack is really aimed at accessing the
confidential and vulnerable information of a user, which can then be used to access
private accounts and the network of an organization.
Numerous applicable security techniques are used to deter brute force attacks on
information technology systems. The only way to avoid a telnet and SMB login brute
force attack will be to close the ports, since the services are no longer used. This
attack delivers both the wanted and the unwanted, as using it can be both good and bad.

1.3 Aim and Objective


The aim is to gain knowledge about brute force attacks on information
technology systems.

Objectives
• To learn about the brute force attack.
• To learn about GNS3 and how to use it.
• To learn how to crack a password using Kali Linux.
• To show the brute force attack from Kali-Linux to metasploitable2 carried out by
us.
• In addition to brute force attacking, to show how the user can also mitigate it.

2. BACKGROUND
The term "brute force" describes how simplistic the attack is. As the attack works by
guessing passwords to gain unauthorized entry, it is easy to see where the name comes
from. Primitive as they are, brute force attacks can be very successful. Most
cyber-attackers who specialize in brute-force attacks use bots. Attackers typically have
a list of real and commonly used passwords and set their bots to attacking websites.
Manual brute force cracking takes time, so most attackers use applications and tools to
help them with brute force attacks. With the resources available, attackers can use the
right session ID and try to input various combinations of passwords to access web
applications (Tucakov, 2020).

Figure 3 BRUTE-FORCE ATTACK EVOLUTION (JAN-MAY, 2020)

In the above figure, an RDP encryption vulnerability has allowed malicious actors to
access the machine unhindered and carry out a variety of activities. The Heimdal™
Security telemetry shows that the number of brute force attacks has risen dramatically.
For example, the January-February period is 25,000% higher than the previous interval
(December-January). The amplitude of the phenomenon was reported in late March,
despite the confusion due to the uncannily high percentage (over 9,000 brute-force
attacks in one day). In early April, the anomaly begins to decrease. A relative flatline
is observed at the end of May. In April, the Heimdal Security telemetry showed a visible
decrease in terms of both strength and number. These figures fall faster come May. This
abrupt change in rate cannot, though, be taken for granted, as the May figures are
considerably higher than our proposed baseline (January). The decision-makers in our
database would explain this sudden decline (~88 percent) by the ordering of additional
Heimdal™ cybersecurity countermeasures for remote employees and the resulting
strengthening of the identification and mitigation grid. In terms of distribution, the
phenomenon followed a discontinuous pattern in January. Our data show a gap of 7
days at the start of the month. The gap decreases in mid-January, with attacks spaced
2 to 3 days apart. The gap hits its lowest level in February (brute-force attacks
registered each day). There are no noticeable gaps in BFAs as far as March and April
are concerned. In May the same statement held. Statistical research has shown a
concentration of 98.5% on the RDP port (3389). The remainder focused on the login
screen. There have been no significant breaches or data exfiltration (VLADIMIR, 2020).
There are five kinds of brute force attacks: simple attacks, dictionary attacks, hybrid
attacks, reverse attacks and authentication. Anyone with curiosity and a little expertise
can learn to use a brute force decrypting tool, a tool that performs brute force attacks
automatically. Typically people use brute force techniques to break passwords or to
decode hacked databases of passwords. The effectiveness and the computational
power of the individuals who developed the brute force tool. Your average lone-wolf
bedroom hacker cannot afford a computer's top-level password. But over time the
concept of a hacker has shifted. Nowadays, a large number of Internet offenders have
access to the top password cracking strategies available, and they are financed and
closely coordinated (academy, 2019).

3. DEMONSTRATION

3.1 Architecture of virtual lab in GNS3


GNS3, the Graphical Network Simulator, is an open source program that simulates
dynamic networks as close to real networks as possible, all without dedicated network
equipment such as routers and switches. The software has an elegant user interface for
designing and configuring virtual networks, runs on standard PC hardware and can be
used on many operating systems including Windows, Linux and MacOS X (cisco, 2014).
For network engineers, administrators, and people studying for certifications such as
Cisco CCNA, CCNP, and CCIE, as well as Juniper JNCIA, JNCIS, and JNCIE, GNS3 is an
excellent replacement or supplementary platform. The networking and open source is also
sponsored. It may also be used for experimenting with functionality or for checking
settings that will later be used on actual devices. The application has interesting
features, like connecting the virtual network to actual networks.

Figure 4 GNS3 Architecture

In the above figure we have a 3725 router named Core_Router, an Ethernet switch
named Core_SW and two VMware VMs, which were added in the preferences and then
to the topology: the first is Kali Linux, named Kali-Linux, and the second is
metasploitable2, named Web_and_DB_Server. They are connected with links. We
configured the router and added its IP address with the appropriate commands. The
router is connected to the Ethernet switch, and the switch is connected to the two
VMware VMs, Kali-Linux and Web_and_DB_Server. We added notes with their IP
addresses: fa0/0 is 10.10.10.1/24, Kali-Linux is 10.10.10.254/24 and
Web_and_DB_Server is 10.10.10.13/24.

3.2 Brute-force Attack from Kali-Linux to metasploitable2


We are using Kali Linux, and inside it the hydra tool, to crack the password of
metasploitable2, as we don't know the password yet. We then download a file
from metasploitable2 to our system, and finally we put a file which was created
by us onto metasploitable2, just to see how far the brute force attack works.
PART-1
First we open both Kali-Linux and metasploitable2. We need to know the IP address
for the password crack, and once we know the IP address of metasploitable2 we
first ping it from Kali-Linux.

Figure 5 pinging metasploitable2

If the ping works, we are ready to move to the next step, as it is the sign of success.


Figure 6 Incorrect password

As shown in the figure, we don't know the password and we failed 3 login attempts.
After 3 failed tries, a message pops up saying the maximum number of tries was
exceeded.

Figure 7 files

After that we create a file in which we add a lot of possible passwords, because
this is what brute force is all about.


Figure 8 Hydra command

In the above figure, I am using the hydra tool, as it helps us with password cracking
and is easy to use as well. The command (hydra -l msfadmin -P passwordsearch
ftp://10.10.10.13 -V) means that we are using the hydra tool, that we know the username
is msfadmin, and that for the password cracking we need a lot of random passwords, which
are in passwordsearch, the file used as a dictionary; then come ftp and the victim IP
address, which is 10.10.10.13. The attempts start as shown in the figure.


Figure 9 successfully cracked password

In the above figure, we can clearly see the 100 attempts. After finding that the
password is msfadmin, hydra automatically detects the correct one and shows a message
like "target successfully completed, 1 valid password found". It also shows the time and
date when the password was cracked. This was the first step of this attack, and it was
done successfully.

3.3 Transferring and downloading of files


PART-2


FTP refers to File Transfer Protocol, which is made for the exchange of files and data
across the network.

Figure 10 FTP

Now that we know the password, we enter metasploitable2 using the ftp
command, which asks us for the username, where we put msfadmin, and then
for the password, which I cracked a minute ago. We entered the
password and the login was successful. The binary mode of file transfer is being used.


Figure 11 ls cd commands

After that I looked at the files by listing them with the ls command, then went to
the vulnerable directory with the cd command and ran ls again to see what was
inside this directory. The contents were shown as per the figure, and we will try to
download www.test.login.nat.com.

Figure 12 transferring file in our system


The get command helps us to get this file: reply 150 opens a binary mode data
connection for that file, and after that the transfer is shown as done. It then
shows the size of the file transfer in bytes and the time in seconds.

Figure 13 putting file in the target system

Figure 14 metasploitable2 showing the file we put

We are putting a file that we made onto their system as a demo, to show that we
could put a file full of viruses there, which may affect the system of the victim. As
shown in the figure, the 200 PORT command was shown as successful, the data of
virus.file, which was created by us, was sent, and the transfer was shown as complete
with 58 bytes sent in 0 sec. The second figure shows that the file we put with the help
of Kali-Linux was successfully injected.


4. Mitigation
1st step: Enabling the firewall in metasploitable2.

Figure 15 Enabling the firewall in metasploitable2.

In the above figure, the firewall status was inactive, so the command to enable the
firewall was executed. Once it was enabled, the status was checked to confirm that the
firewall setup is enabled. The commands are shown and the firewall is enabled.
2nd step: denying the FTP client request

Figure 16 denying the FTP client request


In the above figure, the first command is used to deny any login from 10.10.10.254 to
any port. The rule is added, it will block FTP client requests from the mentioned IP
address, and it was successfully executed. The command "sudo ufw status verbose" shows
the deny rule for the IP address mentioned before, with both tcp and udp in the denied
state. It was also successfully executed.
3rd step: checking status

Figure 17 checking status

In the given figure, we entered a command that should have asked us to enter a
username and password, but because of the command we had run before on
metasploitable2, a note was shown saying that the host seems down.

4th step: FTP login from Linux

Figure 18 FTP login from Linux


The earlier FTP login attempt was carried out when the firewall was disabled. Now it
took a long time to execute at first, so I did it again and left it for many minutes
until the FTP connection timed out. This occurred because the firewall on
metasploitable2 dropped the request from the FTP client.
5th step: let's accept the FTP client request from anywhere

Figure 19 let's accept the FTP client request from anywhere

The job was not finished simply by blocking the incoming FTP client on Kali Linux.
metasploitable2 also needed to accept FTP client requests from other
devices/hosts, including Core_Router in the topology. The allow-from-anywhere rule
was shown and it was a success.
6th step: checking from Core_Router


Figure 20 checking from Core_Router

As shown in the above figure, the previous command worked properly, as Core_Router
can get through easily. It was a success, and with that the evaluation part comes to
an end.
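
A defender's view of steps 2 and 5 above, as an added example that is not part of the original report: the script counts failed FTP logins per client in a sliding window and produces the ufw rule that blocks each offending address. The log lines are constructed in the style of a vsftpd log, and the threshold (5 failures in 60 seconds), the function names and the use of `ufw insert` are assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the style of a vsftpd log; not output from the report's lab.
SAMPLE_LOG = '''\
Mon Apr 19 09:58:10 2021 [pid 3090] [admin] FAIL LOGIN: Client "10.10.10.1"
Mon Apr 19 10:00:01 2021 [pid 3101] [msfadmin] FAIL LOGIN: Client "10.10.10.254"
Mon Apr 19 10:00:01 2021 [pid 3102] [msfadmin] FAIL LOGIN: Client "10.10.10.254"
Mon Apr 19 10:00:02 2021 [pid 3103] [msfadmin] FAIL LOGIN: Client "10.10.10.254"
Mon Apr 19 10:00:02 2021 [pid 3104] [msfadmin] FAIL LOGIN: Client "10.10.10.254"
Mon Apr 19 10:00:03 2021 [pid 3105] [msfadmin] FAIL LOGIN: Client "10.10.10.254"
Mon Apr 19 10:00:03 2021 [pid 3106] [msfadmin] FAIL LOGIN: Client "10.10.10.254"
Mon Apr 19 10:00:04 2021 [pid 3107] [msfadmin] OK LOGIN: Client "10.10.10.254"
Mon Apr 19 10:03:40 2021 [pid 3120] [admin] FAIL LOGIN: Client "10.10.10.1"
Mon Apr 19 10:03:55 2021 [pid 3121] [admin] OK LOGIN: Client "10.10.10.1"
'''

# Assumed line layout; adjust the pattern to the log format of your FTP server.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[\d.]+)"'
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"


def find_bruteforce_sources(lines, max_failures=5, window=timedelta(seconds=60)):
    """Return {ip: details} for clients with max_failures failed logins in one window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # ignore lines that are not login results
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        ip = m["ip"]
        if m["result"] == "OK":
            # A success right after a burst of failures means a guess probably worked.
            if ip in flagged:
                flagged[ip]["succeeded_after"] = True
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= max_failures:
            entry = flagged.setdefault(
                ip, {"peak_failures": 0, "users": set(), "succeeded_after": False})
            entry["peak_failures"] = max(entry["peak_failures"], len(q))
            entry["users"].add(m["user"])
    return flagged


def ufw_block_rules(ips, port=21, rules_exist=True):
    """Build one ufw command per address; ip_address() rejects malformed input.

    ufw applies the first matching rule, so when rules such as step 5's
    allow-from-anywhere already exist the deny is inserted at position 1.
    With no rules yet, a plain deny (as in step 2) is enough.
    """
    verb = "ufw insert 1 deny" if rules_exist else "ufw deny"
    ordered = sorted(ips, key=ipaddress.ip_address)
    return [f"{verb} from {ip} to any port {port} proto tcp" for ip in ordered]


if __name__ == "__main__":
    hits = find_bruteforce_sources(SAMPLE_LOG.splitlines())
    for ip, info in hits.items():
        print(ip, info)
    print("\n".join(ufw_block_rules(hits)))
```

A flagged source whose `succeeded_after` is true needs more than a firewall rule: the account's password has to be changed as well.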

5. Evaluation

5.1 Pros of brute force attacks mitigation strategy


• The password is really strong and there are so many answers to the
attack.
• It is a very simplistic attack which requires little work to establish or
initiate.
• Uses of SSH root users are safer than ever before.
• Implementation of account lockouts: after some failed attempts the user
fails to log in to the server and gradual delays are imposed. These incremental
pauses make it clear that after a certain number of attempts the user is unable
to log into the device, which avoids numerous brute force attacks.
• A brute force attack from Kali Linux cannot be carried out on
metasploitable2 because the login was previously locked.
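
The account lockout with gradual delays described in the list above, as an added example that is not part of the original report: a small model of a per-account throttle, replayed against a constructed 100-entry wordlist like the one in the demonstration. The class, its policy numbers and the placeholder password are assumptions, not settings of metasploitable2.

```python
from dataclasses import dataclass, field


@dataclass
class LoginThrottle:
    """Per-account progressive delay plus temporary lockout (assumed policy values)."""
    free_attempts: int = 3          # failures that cost nothing, for honest typos
    base_delay: float = 1.0         # seconds imposed after the first penalised failure
    max_delay: float = 300.0        # cap on the doubling delay
    lockout_every: int = 10         # every 10th consecutive failure locks the account
    lockout_seconds: float = 900.0
    failures: dict = field(default_factory=dict)        # user -> consecutive failures
    blocked_until: dict = field(default_factory=dict)   # user -> earliest next attempt

    def penalty(self, n):
        """Seconds the account stays blocked after its n-th consecutive failure."""
        if n % self.lockout_every == 0:
            return self.lockout_seconds
        if n <= self.free_attempts:
            return 0.0
        return min(self.base_delay * 2 ** (n - self.free_attempts - 1), self.max_delay)

    def attempt(self, user, password_ok, now):
        """Return (status, seconds_to_wait).

        Attempts made while the account is blocked are rejected without checking
        the password, so they give the guesser no information.
        """
        until = self.blocked_until.get(user, 0.0)
        if now < until:
            return "rejected", until - now
        if password_ok:
            self.failures.pop(user, None)
            self.blocked_until.pop(user, None)
            return "ok", 0.0
        n = self.failures.get(user, 0) + 1
        self.failures[user] = n
        wait = self.penalty(n)
        self.blocked_until[user] = now + wait
        return "failed", wait


def time_to_find(throttle, user, wordlist, real_password):
    """Replay a dictionary run by a client that waits out every penalty.

    Returns (attempts_used, seconds_spent_waiting), or (None, seconds) if the
    wordlist does not contain the password.
    """
    now = 0.0
    for tries, guess in enumerate(wordlist, start=1):
        status, wait = throttle.attempt(user, guess == real_password, now)
        if status == "ok":
            return tries, now
        now += wait
    return None, now


# Constructed 100-entry list with the right value last, mirroring the report's run in
# which the 100th attempt succeeded. "example-secret" is a placeholder password.
WORDLIST = [f"guess{i:03d}" for i in range(1, 100)] + ["example-secret"]


def compare():
    """Enforced waiting time for the same run without and with the throttle."""
    no_policy = LoginThrottle(free_attempts=10**9, lockout_every=10**9)
    return (time_to_find(no_policy, "msfadmin", WORDLIST, "example-secret"),
            time_to_find(LoginThrottle(), "msfadmin", WORDLIST, "example-secret"))


if __name__ == "__main__":
    without, with_throttle = compare()
    print("no policy:", without)
    print("throttled:", with_throttle, f"({with_throttle[1] / 3600:.1f} hours)")
```

Because the penalty is keyed on the account name, anyone can keep the real user locked out by failing on purpose, so this control is normally paired with a per-source limit such as the firewall rule from section 4.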

5.2 Cons of Brute Force Attacks Mitigation Strategy


• Hardware intensive: uses a lot of resources.
• Extends the time required to crack the code to a large extent.
• There are a lot of bots out there which will try to log into the system over
SSH.
• When it comes to larger firms, it takes some time for 2FA to be introduced
for all actual consumers.
• Using special URLs can shut down the services, and the URLs can also simply
expire.

5.3 Cost Benefit Analysis (CBA) Calculation


A cost-benefit analysis is a rigorous way of analyzing which choices companies
should make and which they should forgo. The cost-benefit analyst adds up the possible
benefits anticipated from a scenario or intervention and subtracts the overall costs
involved. Certain consultants or analysts are also developing ways to incorporate
intangible items, such as the advantages and costs associated with living in a
certain area (HAYES, 2021).
Cautious administrators perform a cost-benefit study before constructing a new
facility or starting a new project, to determine the possible expenses and profits
that the project might produce for the organization. The results of the study will
decide whether the proposal is financially viable or whether another project is to
be implemented by the firm. In certain models, the cost-benefit analysis also
factors the opportunity cost into the decision-making. Opportunity costs are potential
advantages that could have been achieved by selecting an alternative. In other
words, the opportunity cost is the opportunity that is forgone or lost by a
choice or decision (HAYES, 2021).
Formula of CBA = Annual loss expectancy prior - Annual loss expectancy post -
annual cost of the safeguard


There is a SIC firm which was hit by a brute-force attack once every 3 months, with
each incident costing $2000. To reduce the risk, for a reasonable amount of $3000
annually, the company agreed to bring in a pen-tester every 3 months. Without adding
any hardware or software components, the pen-tester corrected all vulnerabilities
related to the brute-force attack. The annual loss expectancy due to brute force
attacks was thus lowered to $1500. It is now time to calculate the cost-benefit value.
Solution:
Here,
Annual loss expectancy after the safeguard (ALEpost) = $1500
Annual rate of occurrence (ARO) = 1 per 3 months = 4 times per year
Single loss expectancy (SLE) = $2000
Annual loss expectancy prior (ALEprior) = SLE * ARO
= $2000 * 4
= $8000
Annual cost of the safeguard, the pen-tester (ACS) = $3000
CBA = ALEprior - ALEpost - ACS
= $8000 - $1500 - $3000
= $3500
In this case, the annual cost of the temporary recruitment is lower than the
anticipated losses attributed to brute-force attacks, so there is a positive
benefit in recruiting the pen-tester.


Conclusion
In today's world, technology and its systems have grown enormously. As different
firewalls have developed, so have different malware and attack strategies,
which can affect people all around the world, as hackers break into their
systems and can misuse them so easily. The brute force attack is also an attack
which can affect the people who were or will be its victims.
In this project the attack was delivered and shown in GNS3, and it was a success.
We performed a brute force attack on metasploitable2 to crack its password
with the help of hydra, which is a tool in Kali Linux. We cracked the password with
the help of a dictionary of more than 99 passwords. As a brute force attack is an
attack in which we attempt the password many times, the password was correct on the
100th attempt and we cracked the password. After that we entered
metasploitable2, downloaded the file using the FTP service and transferred our file to
their system. Finally, an overview of how to work in Kali Linux and Metasploitable2
was presented and the coursework was quickly carried out. With the help of my
teacher and a lot of research I was able to complete my coursework in time.


Bibliography
academy. (2019) academy [Online]. Available from:
https://www.avast.com/c-what-is-a-brute-force-attack [Accessed 20 April 2021].
cisco. (2014) electricmonk [Online]. Available from:
http://www.electricmonk.org.uk/2014/02/07/what-is-gns3/ [Accessed 20 April 2021].
HAYES, A. (2021) Investopedia [Online]. Available from:
https://www.investopedia.com/terms/c/cost-benefitanalysis.asp [Accessed 21 April 2021].
Kaspersky. (2020) Kaspersky [Online]. Available from:
https://www.kaspersky.com/resource-center/definitions/brute-force-attack [Accessed 19 April 2021].
L. Bošnjak*, J.S.a.B.B. (2018) Brute-force and dictionary attack on hashed real-world
passwords. Maribor: Electronics and Microelectronics (MIPRO) University of Maribor,
Faculty of Electrical Engineering and Computer Science/Institute of Informatics.
Murphy, K. (2018) FOREGENIX [Online]. Available from:
https://www.foregenix.com/blog/stronger-and-frequent-brute-force-attacks-are-now-the-norm [Accessed 19 April 2021].
PETTERS, J. (2020) VARONIS [Online]. Available from:
https://www.varonis.com/blog/brute-force-attack/ [Accessed 19 April 2021].
Tucakov, D. (2020) phoenixNAP [Online]. Available from:
https://phoenixnap.com/blog/brute-force-attack [Accessed 20 April 2021].
VLADIMIR. (2020) HEIMDAL SECURITY [Online]. Available from:
https://heimdalsecurity.com/blog/brute-force-attack/ [Accessed 20 April 2021].
