July 29, 2014 at 09:41Overview of New Intercepter-NG Features
The year of expectations did not go in vain and it is offset by quite interesting functions that have appeared in the new version of the tool. The release took place ahead of schedule and some of the previously planned functions were not included in it due to the fact that much more important innovations appeared.
In the new version, there is a previously demonstrated attack on Active Directory (Ldap Relay), a Java Injection function, an exploit for the HeartBleed, Plugin Detector vulnerability, but I would like to focus on completely different things.
Intercepter-NG introduced the network password bruteforce mode for a number of protocols: FTP \ IMAP \ POP3 \ SMTP \ SMB \ SSH \ LDAP \ HTTP. The reason for the creation of such functionality was once again the lack of a modern and functional brute force for Windows. Of the native tools, only Brutus comes to mind, which has not been updated for more than ten years and does not support, for example, SSH. All cygwin THC-Hydra builds were built without SSH support, and Ncrack, despite the claimed SSH support, did not work in any test. Of course, if you wish, you can assemble Hydra yourself, but in any case, that Hydra, that Ncrack, are basically console, and the GTK version of Hydra again requires additional assembly. Therefore, the creation of a modern window brute force was not meaningless.
Anyway, today THC-Hydra is the most advanced tool for network brute force with a large number of supported protocols and authorization methods. Initially, no attempts were made to compete with the leader, but the final results were very unexpected, we’ll talk about them ...
It is logical that upon completion of the work it was interesting to compare the search speed in Intercepter and Hydra. At first it was planned to add Ncrack to the comparison, but since in a number of tests, he skipped valid authorization, did not work with SSH, and in general, according to the results of othersThe tests were slower throughout the Hydra, it was decided to exclude it. In the comparison table, for each protocol, two busy times are indicated. The first, longer value is obtained by single-threaded enumeration. At Hydra, the term “thread” is referred to as “task” (= task). The second digit displays the best time received when increasing flows to the optimal number. A blind increase in flows by a factor of 2–5 does not give a similar increase in productivity, since each specific implementation of a network service has its own characteristics, one way or another, affecting the speed of multi-threaded work and suitability to brute force. Testing was carried out on a list of passwords of 2000 words.
As can be seen from the table, in the case of LDAP \ SMTP \ HTTP Intercepter and Hydra with multi-threaded brute force have the same results, and in the remaining FTP \ POP3 Intercepter was faster. The conclusion of this test is not that Intercepter is faster than Hydra, but that it is at least not slower and suitable for solving the corresponding problems.
The FTP \ IMAP \ POP3 \ SMTP \ LDAP protocols support standard plain-text authorization algorithms. Due to the fact that Intercepter is a native NT application, SMB bruteforce is implemented using system API functions, without regard to various authorization methods (NTLMv1, v2, Kerberos). For SSH, support for the password and keyboard interactive methods is implemented, and for HTTP: Basic Auth and HTTP, the POST method with the template is specified. The template is built in a similar way to Hydra. It is necessary to indicate the names of the variables transmitted to the server in it, as well as the keyword signaling that the authorization failed, for example, 'Error' or 'Invalid'. Included is a dictionary of 10,000 words, and there is also a heuristic brute force method. When using it, a keyword is set, on the basis of which a small number of derived variants are generated. When shooting a demo video, I randomly drove the word test into heuristic mode and, surprisingly, the program reported that a password was found. At first I thought that an error had occurred, but it turned out that the password is really working and belongs to some test forum account.
Another significant feature of the new version is that the original Intercepter can now be run under Wine. The main problem to do this before was caused by the fact that Winpcap and Wine are incompatible things. Some time ago, the so-called wrapper was discovered, which translated calls to winpcap functions into a unix libpcap. To still run Intercepter under Linux, I had to finish wrapper and Intercepter itself, as some winpcap features are missing from libpcap, and some have distinctive features across platforms.
Unfortunately, the used traffic routing method under Windows is not capable in Linux, therefore, complex MiTMs (sslstrip, ssl mitm, smb hijack, ldap relay, http injection) do not work, but arp poison, dhcp mitm, wpad mitm, dns over icmp works mitm, data recovery and a new mode of network brute force. Even in this form, it is many times superior to the console unix version of Intercepter and will be useful on security-oriented Linux distributions.
Thanks to a successful launch under Linux, there was a desire to conduct another Intercepter test in Hydra's native conditions, this time including SSH in the test.
In single-threaded tests, Intercepter's slight lags appeared, but with multithreading, both tools show the same results. We will separately consider SSH testing, in which Hydra turned out to be much slower.
The first test was conducted on an SSH server that supported the password method, which worked much faster than keyboard interactive. Apparently, Hydra ignored such a gift and tried to find the password using an interactive method, which takes much more time, hence the estimated time is 55 minutes, which I did not even wait until the end. Multithreaded testing took noticeably less time, but more than Intercepter's. The second test was conducted on an SSH server with password disabled, and here both tools performed on an equal footing. This test once again confirmed the high efficiency of Intercepter and the proximity of the results to such a highly specialized tool like THC-Hydra.
Instructions for launching Intercepter under wine will soon appear on the blog. A more detailed changelog on the site . Below is a demo video.
In the new version, there is a previously demonstrated attack on Active Directory (Ldap Relay), a Java Injection function, an exploit for the HeartBleed, Plugin Detector vulnerability, but I would like to focus on completely different things.
Intercepter-NG introduced the network password bruteforce mode for a number of protocols: FTP \ IMAP \ POP3 \ SMTP \ SMB \ SSH \ LDAP \ HTTP. The reason for the creation of such functionality was once again the lack of a modern and functional brute force for Windows. Of the native tools, only Brutus comes to mind, which has not been updated for more than ten years and does not support, for example, SSH. All cygwin THC-Hydra builds were built without SSH support, and Ncrack, despite the claimed SSH support, did not work in any test. Of course, if you wish, you can assemble Hydra yourself, but in any case, that Hydra, that Ncrack, are basically console, and the GTK version of Hydra again requires additional assembly. Therefore, the creation of a modern window brute force was not meaningless.
Anyway, today THC-Hydra is the most advanced tool for network brute force with a large number of supported protocols and authorization methods. Initially, no attempts were made to compete with the leader, but the final results were very unexpected, we’ll talk about them ...
It is logical that upon completion of the work it was interesting to compare the search speed in Intercepter and Hydra. At first it was planned to add Ncrack to the comparison, but since in a number of tests, he skipped valid authorization, did not work with SSH, and in general, according to the results of othersThe tests were slower throughout the Hydra, it was decided to exclude it. In the comparison table, for each protocol, two busy times are indicated. The first, longer value is obtained by single-threaded enumeration. At Hydra, the term “thread” is referred to as “task” (= task). The second digit displays the best time received when increasing flows to the optimal number. A blind increase in flows by a factor of 2–5 does not give a similar increase in productivity, since each specific implementation of a network service has its own characteristics, one way or another, affecting the speed of multi-threaded work and suitability to brute force. Testing was carried out on a list of passwords of 2000 words.
As can be seen from the table, in the case of LDAP \ SMTP \ HTTP Intercepter and Hydra with multi-threaded brute force have the same results, and in the remaining FTP \ POP3 Intercepter was faster. The conclusion of this test is not that Intercepter is faster than Hydra, but that it is at least not slower and suitable for solving the corresponding problems.
The FTP \ IMAP \ POP3 \ SMTP \ LDAP protocols support standard plain-text authorization algorithms. Due to the fact that Intercepter is a native NT application, SMB bruteforce is implemented using system API functions, without regard to various authorization methods (NTLMv1, v2, Kerberos). For SSH, support for the password and keyboard interactive methods is implemented, and for HTTP: Basic Auth and HTTP, the POST method with the template is specified. The template is built in a similar way to Hydra. It is necessary to indicate the names of the variables transmitted to the server in it, as well as the keyword signaling that the authorization failed, for example, 'Error' or 'Invalid'. Included is a dictionary of 10,000 words, and there is also a heuristic brute force method. When using it, a keyword is set, on the basis of which a small number of derived variants are generated. When shooting a demo video, I randomly drove the word test into heuristic mode and, surprisingly, the program reported that a password was found. At first I thought that an error had occurred, but it turned out that the password is really working and belongs to some test forum account.
Another significant feature of the new version is that the original Intercepter can now be run under Wine. The main problem to do this before was caused by the fact that Winpcap and Wine are incompatible things. Some time ago, the so-called wrapper was discovered, which translated calls to winpcap functions into a unix libpcap. To still run Intercepter under Linux, I had to finish wrapper and Intercepter itself, as some winpcap features are missing from libpcap, and some have distinctive features across platforms.
Unfortunately, the used traffic routing method under Windows is not capable in Linux, therefore, complex MiTMs (sslstrip, ssl mitm, smb hijack, ldap relay, http injection) do not work, but arp poison, dhcp mitm, wpad mitm, dns over icmp works mitm, data recovery and a new mode of network brute force. Even in this form, it is many times superior to the console unix version of Intercepter and will be useful on security-oriented Linux distributions.
Thanks to a successful launch under Linux, there was a desire to conduct another Intercepter test in Hydra's native conditions, this time including SSH in the test.
In single-threaded tests, Intercepter's slight lags appeared, but with multithreading, both tools show the same results. We will separately consider SSH testing, in which Hydra turned out to be much slower.
The first test was conducted on an SSH server that supported the password method, which worked much faster than keyboard interactive. Apparently, Hydra ignored such a gift and tried to find the password using an interactive method, which takes much more time, hence the estimated time is 55 minutes, which I did not even wait until the end. Multithreaded testing took noticeably less time, but more than Intercepter's. The second test was conducted on an SSH server with password disabled, and here both tools performed on an equal footing. This test once again confirmed the high efficiency of Intercepter and the proximity of the results to such a highly specialized tool like THC-Hydra.
Instructions for launching Intercepter under wine will soon appear on the blog. A more detailed changelog on the site . Below is a demo video.