It Cryptography
Shared Coursework in Cyber Security Instructions Manual
CybSec is an e-commerce company who sells products online. To support online
payments, CybSec has designed a network infrastructure illustrated in Figure 1.
This infrastructure includes an OuterFirewall, which controls incoming/outgoing
traffic, a DeMilitarized Zone (DMZ), where services are running, an
InnerFirewall, which controls incoming/outgoing traffic within the internal
network of the company.
Figure 1. Network Infrastructure of CybSec Company
In DMZ, several services run (SQL, Mail, Web etc.). Customers are accessing the
Web service to search for a product to buy. Upon decision, they enter personal
information (name, home address and card number) to buy products. Personal
information is stored in an SQL database.
Goal: Retrieve the credit card secret codes / owners names from the SQL
database.
Assumptions: You are an investigator/ethical hacker and your operating system
(OS) is Kali Linux.
What to do: Follow the steps provided to achieve your goals. Appendixes contain
information for linux and penetration testing commands that you can use to
achieve your goal.
How to access Investigators’s machine:
Start VMware Horizon View Client
Double click on the server icon named
nsq623ap.enterprise.internal.city.ac.uk.
Enter your login/password information (Same credentials as in City
University account).
If the VMWare Horizon Client is unavailable, use the RDP Client on City
University PC and Enter your VDI Name and enter your city login details
to login to the VDI. The VDI Assignment table is in the Coursework folder
on Moodle.
Double click cybsecX to load your Win 7 environment.
Once Win 7 loads double click Putty found in your desktop. Double click
the Investigator option in saved sessions menu and connect to Kali Linux
OS.
Login to Kali Linux OS
You are now in the Investigator’s machine. This is your environment to
perform attacks.
Attacking the system by finding SSH admin’s credentials:
1) Use Linux Terminal (similar to CMD in Win) to enter penetration testing
commands.
2) Investigate which network your Linux host belongs to (“Ifconfig”).
3) Discover your network and services running (“nmap”).
4) To access the discovered services found in DMZ, you will need to “guess”
admin’s password. Check if you can perform dictionary attack on the SSH service
and grant access. Dictionary files are located at “/root/bin/users.txt” for username
and “/root/bin/pass.txt” for passwords.
5) Establish remote connection to the DMZ server using SSH and the
credentials found in step 4.
Attacking the system by finding admin’s credentials in the SQL service:
6) After remote login to the DMZ server explore the folders to find anything
useful to attack to the SQL database. The Mailbox folders contain an
encrypted email which is located at “/usr/home//Maildir”. Break
the cipher and read the email.
7) Once the additional information on the SQL server is found, you need to close
the ssh session using the command “exit”.
8) You can copy the files you need from the SQL Server to the investigator’s
machine via SSH protocol using command “scp”.
9) In order to perform the brute force attack on some of the copied encrypted
files (if necessary) use command “john” to execute John the Ripper tool.
Accessing SQL service:
10) Once SQL Server login/password information is retrieved, login to the
SQL Server using command “mysql”.
11) Next, use SQL commands to retrieve financial information of the
company.
12) The credit card secret code is encrypted with RSA-copied cipher. Use RSA
parameters found in previous step (i.e., step 6) to perform RSA cryptanalysis
(i.e., find d secret RSA parameter - for more information go through the
Lecture material).
13) During the RSA cryptanalysis phase you will require a public key, e. The
calculation of e is done using Shamir’s secret sharing scheme (4,4). In Table
1 you will find the points and their coordinates (x, y). Work with members of
your group to calculate the secret share s (according to Shamir’s terminology),
which is your public key e.
14) Once you have RSA public key e, calculate RSA secret component d (use
extended ECD).
15) Once you calculate RSA secret d switch to bin/SageMath and run ./sage.
Using SageMath decrypt the credit card secret code.
Table 1 – Shamir’s Secret Table.
User Polynomial Prime p
from (mod p)
Public Value x-
coordinate
Share y-
coordinate
User1 19+42x+2800x^2+2418x^3 3917 2999 1557
User2 19+42x+2800x^2+2418x^3 3917 3502 693
User3 19+42x+2800x^2+2418x^3 3917 57 1739
User5 19+42x+2800x^2+2418x^3 3917 3645 3641
User4 17+2601x+2511x^2+4501x^3 5501 4866 404
User8 17+2601x+2511x^2+4501x^3 5501 1359 1841
User13 17+2601x+2511x^2+4501x^3 5501 3687 3085
User14 17+2601x+2511x^2+4501x^3 5501 2400 4196
User6 19+496x+492x^2+2996x^3 4733 2477 3497
User7 19+496x+492x^2+2996x^3 4733 95 2295
User11 19+496x+492x^2+2996x^3 4733 704 3670
User16 19+496x+492x^2+2996x^3 4733 3994 833
User12 21+1299x+3903x^2+154x^3 6653 293 955
User35 21+1299x+3903x^2+154x^3 6653 5730 1486
User40 21+1299x+3903x^2+154x^3 6653 4116 4680
User26 21+1299x+3903x^2+154x^3 6653 5411 6231
User15 17+2206x+789x^2+345x^3 2281 537 533
User27 17+2206x+789x^2+345x^3 2281 1068 115
User33 17+2206x+789x^2+345x^3 2281 2276 2083
User34 17+2206x+789x^2+345x^3 2281 333 1200
User17 19+26x+99x^2+731x^3 947 937 273
User18 19+26x+99x^2+731x^3 947 425 610
User19 19+26x+99x^2+731x^3 947 294 119
User20 19+26x+99x^2+731x^3 947 137 321
User21 19+760x+2122x^2+1217x^3 2351 2314 163
User22 19+760x+2122x^2+1217x^3 2351 1036 1589
User23 19+760x+2122x^2+1217x^3 2351 659 2238
User24 19+760x+2122x^2+1217x^3 2351 42 1336
User25 19+3243x+1422x^2+2071x^3 8501 6271 986
User28 19+3243x+1422x^2+2071x^3 8501 5830 6770
User29 19+3243x+1422x^2+2071x^3 8501 1275 2806
User30 19+3243x+1422x^2+2071x^3 8501 7073 2964
User31 19+1487x+2505x^2+5819x^3 7237 779 4707
User32 19+1487x+2505x^2+5819x^3 7237 5080 747
User36 19+1487x+2505x^2+5819x^3 7237 3036 2155
User37 19+1487x+2505x^2+5819x^3 7237 480 191
User38 17+52x+90x^2+58x^3 199 86 127
User41 17+52x+90x^2+58x^3 199 187 87
User43 17+52x+90x^2+58x^3 199 161 75
User46 17+52x+90x^2+58x^3 199 162 75
User39 19+204x+599x^2+756x^3 1009 676 488
User42 19+204x+599x^2+756x^3 1009 155 226
User44 19+204x+599x^2+756x^3 1009 216 505
User45 19+204x+599x^2+756x^3 1009 881 456
User47 19+7044x+6903x^2+645x^3 7159 124 731
User48 19+7044x+6903x^2+645x^3 7159 3120 2649
User49 19+7044x+6903x^2+645x^3 7159 3738 2925
User50 19+7044x+6903x^2+645x^3 7159 6103 720
APPENDIX A – Working with Linux file system
To work with files and directories, you will need to know a few basic commands:
cd – That ~ to the left of the prompt represents your home directory, which
is the terminal’s default directory. To change to another directory, you can
use the cd command. For example cd / would change to the root directory, cd
Downloads would change to the Downloads directory inside the current
directory (so this only opens your Downloads directory if the terminal is in
your home directory), cd /home/you/Downloads would change to your
Downloads directory from anywhere in the system, cd ~ would change to
your home directory, and cd .. would go up a directory.
ls – The ls command lists the files in the current directory.
mkdir – The mkdir command makes a new directory. mkdir
example would create a new directory named example in the current
directory, while mkdir /home/you/Downloads/test would create a new
directory named test in your Downloads directory.
rm – The rm command removes a file. For example, rm example removes
the file named example in the current directory and rm
/home/you/Downloads/example removes the file named example in the
Downloads directory.
cp – The cp command copies a file from one location to another. For
example, cp example /home/User/Downloads copies the file
named example in the current directory to /home/User/Downloads.
mv – The mv command moves a file from one location to another. It works
exactly like the cp command above, but moves the file instead of creating a
copy. mv can also be used to rename files. For example, mv original
renamed moves a file named original in the current directory to a file
named renamed in the current directory, effectively renaming it.
Move around your file system with cd, view files in the current directory with ls,
create directories with mkdir, and manage files with the rm, cp,
and mv commands.
APPENDIX B - Tab Completion
Tab completion is a very useful trick. While typing something – a command, file
name, or some other types of arguments – you can press Tab to autocomplete
what you’re typing. For example, if you type firef at the terminal and press
Tab, firefox automatically appears. This saves you from having to type things
exactly – you can press Tab and the shell will finish typing for you. This also
works with folders, file names, and package names. In many cases, the shell won’t
know what you’re trying to type because there are multiple matches. Press the
Tab key a second time and you’ll see a list of possible matches. Continue typing
a few more letters to narrow things down and press Tab again to continue. For
more information about command usage type “man ”.
For example “man ls” will show you manual for command “ls”.
APPENDIX C – ifconfig command
Name
ifconfig - configure a network interface
Synopsis
ifconfig [interface]
ifconfig interface [aftype] options | address ...
Description
Ifconfig is used to configure the kernel-resident network interfaces. It is used at
boot time to set up interfaces as necessary. After that, it is usually only needed
when debugging or when system tuning is needed.
If no arguments are given, ifconfig displays the status of the currently active
interfaces. If a single interface argument is given, it displays the status of the
given interface only; if a single -a argument is given, it displays the status of all
interfaces, even those that are down. Otherwise, it configures an interface.
Address Families
If the first argument after the interface name is recognized as the name of a
supported address family, that address family is used for decoding and displaying
all protocol addresses. Currently supported address families
include inet (TCP/IP, default), inet6(IPv6), ax25 (AMPR Packet
Radio), ddp (Appletalk Phase 2), ipx (Novell IPX) andnetrom (AMPR Packet
radio). All numbers supplied as parts in IPv4 dotted decimal notation may be
decimal, octal, or hexadecimal, as specified in the ISO C standard (that is, a
leading 0x or 0X implies hexadecimal; otherwise, a leading '0' implies octal;
otherwise, the number is interpreted as decimal). Use of hexamedial and octal
numbers is not RFC-compliant and therefore its use is discouraged and may go
away.
Options
interface
The name of the interface. This is usually a driver name followed by a unit
number, for example eth0 for the first Ethernet interface.
up
This flag causes the interface to be activated. It is implicitly specified if an
address is assigned to the interface.
down
This flag causes the driver for this interface to be shut down.
[-]arp
Enable or disable the use of the ARP protocol on this interface.
[-]promisc
Enable or disable the promiscuous mode of the interface. If selected, all
packets on the network will be received by the interface.
[-]allmulti
Enable or disable all-multicast mode. If selected, all multicast packets on
the network will be received by the interface.
metric N
This parameter sets the interface metric. It is not available under
GNU/Linux.
mtu N
This parameter sets the Maximum Transfer Unit (MTU) of an interface.
dstaddr addr
Set the remote IP address for a point-to-point link (such as PPP). This
keyword is now obsolete; use the pointopoint keyword instead.
netmask addr
Set the IP network mask for this interface. This value defaults to the usual
class A, B or C network mask (as derived from the interface IP address),
but it can be set to any value.
add addr/prefixlen
Add an IPv6 address to an interface.
del addr/prefixlen
Remove an IPv6 address from an interface.
tunnel ::aa.bb.cc.dd
Create a new SIT (IPv6-in-IPv4) device, tunnelling to the given
destination.
irq addr
Set the interrupt line used by this device. Not all devices can dynamically
change their IRQ setting.
io_addr addr
Set the start address in I/O space for this device.
mem_start addr
Set the start address for shared memory used by this device. Only a few
devices need this.
media type
Set the physical port or medium type to be used by the device. Not all
devices can change this setting, and those that can vary in what values they
support. Typical values for type are 10base2 (thin
Ethernet), 10baseT (twisted-pair 10Mbps Ethernet), AUI (external
transceiver) and so on. The special medium type of auto can be used to tell
the driver to auto-sense the media. Again, not all drivers can do this.
[-]broadcast [addr]
If the address argument is given, set the protocol broadcast address for this
interface. Otherwise, set (or clear) the IFF_BROADCAST flag for the
interface.
[-]pointopoint [addr]
This keyword enables the point-to-point mode of an interface, meaning
that it is a direct link between two machines with nobody else listening on
it.
If the address argument is also given, set the protocol address of the other
side of the link, just like the obsolete dstaddr keyword does. Otherwise,
set or clear theIFF_POINTOPOINT flag for the interface.
hw class address
Set the hardware address of this interface, if the device driver supports this
operation. The keyword must be followed by the name of the hardware
class and the printable ASCII equivalent of the hardware address.
Hardware classes currently supported
include ether (Ethernet), ax25 (AMPR
AX.25), ARCnet and netrom (AMPR NET/ROM).
multicast
Set the multicast flag on the interface. This should not normally be needed
as the drivers set the flag correctly themselves.
address
The IP address to be assigned to this interface.
txqueuelen length
Set the length of the transmit queue of the device. It is useful to set this to
small values for slower devices with a high latency (modem links, ISDN)
to prevent fast bulk transfers from disturbing interactive traffic like telnet
too much.
For more information type in the shell “man ifconfig”
APPENDIX D – nmap command
Name
nmap - Network exploration tool and security / port scanner
Synopsis
nmap [Scan Type...] [Options] {target specification}
Description
Nmap ("Network Mapper") is an open source tool for network exploration and
security auditing. It was designed to rapidly scan large networks, although it
works fine against single hosts. Nmap uses raw IP packets in novel ways to
determine what hosts are available on the network, what services (application
name and version) those hosts are offering, what operating systems (and OS
versions) they are running, what type of packet filters/firewalls are in use, and
dozens of other characteristics. While Nmap is commonly used for security
audits, many systems and network administrators find it useful for routine tasks
such as network inventory, managing service upgrade schedules, and monitoring
host or service uptime.
The output from Nmap is a list of scanned targets, with supplemental information
on each depending on the options used. Key among that information is the
"interesting ports table".. That table lists the port number and protocol, service
name, and state. The state is either open, filtered, closed, or unfiltered. Open.
means that an application on the target machine is listening for
connections/packets on that port. Filtered. means that a firewall, filter, or other
network obstacle is blocking the port so that Nmap cannot tell whether it is open
or closed. Closed. ports have no application listening on them, though they could
open up at any time. Ports are classified as unfiltered. when they are responsive
to Nmap's probes, but Nmap cannot determine whether they are open or closed.
Nmap reports the state combinations open|filtered. and closed|filtered. when it
cannot determine which of the two states describe a port. The port table may also
include software version details when version detection has been requested.
When an IP protocol scan is requested (-sO), Nmap provides information on
supported IP protocols rather than listening ports.
In addition to the interesting ports table, Nmap can provide further information
on targets, including reverse DNS names, operating system guesses, device types,
and MAC addresses.
A typical Nmap scan is shown in Example 1. The only Nmap arguments used in
this example are -A, to enable OS and version detection, script scanning, and
traceroute; -T4 for faster execution; and then the two target hostnames.
Example 1. A representative Nmap scan
# nmap -A -T4 scanme.nmap.org
Nmap scan report for scanme.nmap.org (64.13.134.52)
Host is up (0.045s latency).
Not shown: 993 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 1024 60:ac:4d:51:b1:cd:85:09:12:16:92:76:1d:5d:27:6e
(DSA)
|_2048 2c:22:75:60:4b:c3:3b:18:a2:97:2c:96:7e:28:dc:dd (RSA)
25/tcp closed smtp
53/tcp open domain
70/tcp closed gopher
80/tcp open http Apache httpd 2.2.3 ((CentOS))
|_html-title: Go ahead and ScanMe!
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
113/tcp closed auth
31337/tcp closed Elite
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.13 - 2.6.31, Linux 2.6.18
Network Distance: 13 hops
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
[Cut first 10 hops for brevity]
11 80.33 ms layer42.car2.sanjose2.level3.net (4.59.4.78)
12 137.52 ms xe6-2.core1.svk.layer42.net (69.36.239.221)
13 44.15 ms scanme.nmap.org (64.13.134.52)
Nmap done: 1 IP address (1 host up) scanned in 22.19 seconds
The newest version of Nmap can be obtained from http://nmap.org. The newest
version of this man page is available at http://nmap.org/book/man.html. It is
also included as a chapter of Nmap Network Scanning: The Official Nmap
Project Guide to Network Discovery and Security Scanning
(see http://nmap.org/book/).
Options Summary
This options summary is printed when Nmap is run with no arguments, and the
latest version is always available at http://nmap.org/data/nmap.usage.txt. It
helps people remember the most common options, but is no substitute for the in-
depth documentation in the rest of this manual. Some obscure options aren't even
included here.
Nmap 5.51 ( http://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, 192.168.0.1; 10.0.0-255.1-254
-iL : Input from list of hosts/networks
-iR : Choose random targets
--exclude : Exclude hosts/networks
--excludefile : Exclude list from file
HOST DISCOVERY:
-sL: List Scan - simply list targets to scan
-sn: Ping Scan - disable port scan
-Pn: Treat all hosts as online -- skip host discovery
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to
given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery
probes
-PO[protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers : Specify custom DNS servers
--system-dns: Use OS's DNS resolver
--traceroute: Trace hop path to each host
SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags : Customize TCP scan flags
-sI : Idle scan
-sY/sZ: SCTP INIT/COOKIE-ECHO scans
-sO: IP protocol scan
-b : FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
-p : Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
-F: Fast mode - Scan fewer ports than the default scan
-r: Scan ports consecutively - don't randomize
--top-ports : Scan most common ports
--port-ratio : Scan ports more common than
SERVICE/VERSION DETECTION:
-sV: Probe open ports to determine service/version info
--version-intensity : Set from 0 (light) to 9 (try all probes)
--version-light: Limit to most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
-sC: equivalent to --script=default
--script=: is a comma separated list of
directories, script-files or script-categories
--script-args=: provide arguments to scripts
--script-trace: Show all data sent and received
--script-updatedb: Update the script database.
OS DETECTION:
-O: Enable OS detection
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
Options which take are in seconds, or append 'ms' (milliseconds),
's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
-T<0-5>: Set timing template (higher is faster)
--min-hostgroup/max-hostgroup : Parallel host scan group sizes
--min-parallelism/max-parallelism : Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout : Specifies
probe round trip time.
--max-retries : Caps number of port scan probe retransmissions.
--host-timeout : Give up on target after this long
--scan-delay/--max-scan-delay : Adjust delay between probes
--min-rate : Send packets no slower than per second
--max-rate : Send packets no faster than per second
FIREWALL/IDS EVASION AND SPOOFING:
-f; --mtu : fragment packets (optionally w/given MTU)
-D : Cloak a scan with decoys
-S : Spoof source address
-e : Use specified interface
-g/--source-port : Use given port number
--data-length : Append random data to sent packets
--ip-options : Send packets with specified ip options
--ttl : Set IP time-to-live field
--spoof-mac : Spoof your MAC
address
--badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
-oN/-oX/-oS/-oG : Output scan in normal, XML, s|
and Grepable format, respectively, to the given filename.
-oA : Output in the three major formats at once
-v: Increase verbosity level (use -vv or more for greater effect)
-d: Increase debugging level (use -dd or more for greater effect)
--reason: Display the reason a port is in a particular state
--open: Only show open (or possibly open) ports
--packet-trace: Show all packets sent and received
--iflist: Print host interfaces and routes (for debugging)
--log-errors: Log errors/warnings to the normal-format output file
--append-output: Append to rather than clobber specified output files
--resume : Resume an aborted scan
--stylesheet : XSL stylesheet to transform XML output to
HTML
--webxml: Reference stylesheet from Nmap.Org for more portable XML
--no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
-6: Enable IPv6 scanning
-A: Enable OS detection, version detection, script scanning, and
traceroute
--datadir : Specify custom Nmap data file location
--send-eth/--send-ip: Send using raw ethernet frames or IP packets
--privileged: Assume that the user is fully privileged
--unprivileged: Assume the user lacks raw socket privileges
-V: Print version number
-h: Print this help summary page.
EXAMPLES:
nmap -v -A scanme.nmap.org
nmap -v -sn 192.168.0.0/16 10.0.0.0/8
nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (http://nmap.org/book/man.html) FOR MORE
OPTIONS AND EXAMPLES
For more information use the link: http://linux.die.net/man/1/nmap
APPENDIX E - SSH protocol
Secure Shell (SSH) is cryptographic network protocol for secure data
communication, remote command-line login, remote command execution, and
other secure network services between two networked computers. It connects, via
a secure channel over an insecure network, a server and a client running SSH
server and SSH client programs, respectively.[1] The protocol specification
distinguishes between two major versions that are referred to as SSH-1 and SSH-
2.
The best-known application of the protocol is for access to shell
accounts on Unix-like operating systems, but it can also be used in a similar
fashion for accounts on Windows. It was designed as a replacement
for Telnet and other insecure remote shell protocols such as the
Berkeley rsh and rexec protocols, which send information, notably passwords,
in plaintext, rendering them susceptible to interception and disclosure
using packet analysis. The encryption used by SSH is intended to provide
confidentiality and integrity of data over an unsecured network, such as
the Internet.
SSH uses public-key cryptography to authenticate the remote computer and
allow it to authenticate the user, if necessary. There are several ways to use SSH;
one is to use automatically generated public-private key pairs to simply encrypt
a network connection, and then use password authentication to log on.
Another is to use a manually generated public-private key pair to perform the
authentication, allowing users or programs to log in without having to specify a
password. In this scenario, anyone can produce a matching pair of different keys
(public and private). The public key is placed on all computers that must allow
access to the owner of the matching private key (the owner keeps the private key
secret). While authentication is based on the private key, the key itself is never
transferred through the network during authentication. SSH only verifies whether
the same person offering the public key also owns the matching private key. In
all versions of SSH it is important to verify unknown public keys, i.e., associate
the public keys with identities, before accepting them as valid. Accepting an
attacker's public key without validation will authorize an unauthorized attacker
as a valid user.
APPENDIX F - HYDRA
NAME
hydra - A very fast network logon cracker which support many different services
SYNOPSIS
hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e ns] [-4/6]
[-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-f] [-s PORT] [-
S] [-vV]
server service [OPT]
DESCRIPTION
Hydra is a parallized login cracker which supports numerous protocols to attack.
New modules are easy to add, beside that, it is flexible and very fast.
This tool gives researchers and security consultants the possiblity to show how
easy it would be to gain unauthorized access from remote to a system.
Currently this tool supports:
AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-
FORM-GET,
HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-
FORM-GET, HTTPS-FORM-POST,
HTTPS-GET, HTTPS-HEAD, ICQ, IMAP, IRC, LDAP, MS-
SQL, MYSQL, NCP, NNTP, PCNFS, POP3,
POSTGRES, REXEC, SAP/R3, SMB, SMTP, SNMP, SOCKS5, SSH(v1 and v
2),
Subversion, Teamspeak (TS2), TELNET, VMware-Auth, VNC and XMPP.
-R
restore a previous aborted/crashed session
-S
connect via SSL
-s PORT
if the service is on a different default port, define it here
-l LOGIN
or -L FILE login with LOGIN name, or load several logins from FILE
-p PASS
or -P FILE try password PASS, or load several passwords from FILE
-e ns
additional checks, "n" for null password, "s" try login as pass
-c FILE
colon separated "login:pass" format, instead of -L/-P options
-m FILE
server list for parallel attacks, one entry per line
-o FILE
write found login/password pairs to FILE instead of stdout
-f
exit after the first found login/password pair (per host if -M)
-t TASKS
run TASKS number of connects in parallel (default: 16)
-w TIME
defines the max wait time in seconds for responses (default: 30)
-4 / -6
prefer IPv4 (default) or IPv6 addresses
-v / -V
verbose mode / show login+pass combination for each attempt
server
the target server (use either this OR the -M option)
service
the service to crack. Supported protocols: afp cisco cisco-enable cvs
firebird ftp[s] http[s]-{head|get} http[s]-{get|post}-form http-proxy icq irc
imap ldap2 ldap3[-{cram|digest}md5] mssql mysql ncp nntp oracle oracle-
listener oracle-sid pcnfs pop3 pcanywhere postgres rexec rlogin rsh sapr3
sip smb smtp smtp-enum snmp socks5 ssh svn teamspeak telnet vnc
vmauthd xmpp
OPT
some service modules need special input (see README!)
-h, --help
Show summary of options.
For more information type “man hydra” in the shell
APPENDIX G - SSH
NAME
ssh - OpenSSH SSH client (remote login program)
SYNOPSIS
ssh [-1246AaCfgkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec] [-D
[bind_address:]port] [-e escape_char] [-F configfile]
[-i identity_file] [-L [bind_address:]port:host:hostport]
[-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port] [-R
[bind_address:]port:host:hostport] [-S ctl_path] [-w tunnel:tunnel]
[user@]hostname [command]
DESCRIPTION
ssh (SSH client) is a program for logging into a remote machine and for
executing commands on a remote machine. It is intended to replace rlogin
and rsh, and provide secure encrypted communications between two
untrusted hosts over an insecure network. X11 connections and arbitrary
TCP ports can also be forwarded over the secure channel.
ssh connects and logs into the specified hostname (with optional user
name). The user must prove his/her identity to the remote machine using
one of several methods depending on the protocol version used (see
below).
If command is specified, it is executed on the remote host instead of a
login shell.
The options are as follows:
-1 Forces ssh to try protocol version 1 only.
-2 Forces ssh to try protocol version 2 only.
-4 Forces ssh to use IPv4 addresses only.
-6 Forces ssh to use IPv6 addresses only.
-A Enables forwarding of the authentication agent connection. This
can also be specified on a per-host basis in a configuration
file.
Agent forwarding should be enabled with caution. Users with the
ability to bypass file permissions on the remote host (for the
agent's Unix-domain socket) can access the local agent through
the forwarded connection. An attacker cannot obtain key material
from the agent, however they can perform operations on the keys
that enable them to authenticate using the identities loaded into
the agent.
-a Disables forwarding of the authentication agent connection.
-b bind_address
Use bind_address on the local machine as the source address of
the connection. Only useful on systems with more than one
address.
-C Requests compression of all data (including stdin, stdout,
stderr, and data for forwarded X11 and TCP connections). The
compression algorithm is the same used by gzip(1), and the
"level" can be controlled by the CompressionLevel option for pro-
tocol version 1. Compression is desirable on modem lines and
other slow connections, but will only slow down things on fast
networks. The default value can be set on a host-by-host basis
in the configuration files; see the Compression option.
-c cipher_spec
Selects the cipher specification for encrypting the session.
Protocol version 1 allows specification of a single cipher. The
supported values are "3des", "blowfish", and "des". 3des
(triple-des) is an encrypt-decrypt-encrypt triple with three dif-
ferent keys. It is believed to be secure. blowfish is a fast
block cipher; it appears very secure and is much faster than
3des. des is only supported in the ssh client for interoperabil-
ity with legacy protocol 1 implementations that do not support
the 3des cipher. Its use is strongly discouraged due to crypto-
graphic weaknesses. The default is "3des".
For protocol version 2, cipher_spec is a comma-separated list of
ciphers listed in order of preference. The supported ciphers
are: 3des-cbc, aes128-cbc, aes192-cbc, aes256-cbc, aes128-ctr,
aes192-ctr, aes256-ctr, arcfour128, arcfour256, arcfour, blow-
fish-cbc, and cast128-cbc. The default is:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
aes192-ctr,aes256-ctr
-D [bind_address:]port
Specifies a local "dynamic" application-level port forwarding.
This works by allocating a socket to listen to port on the local
side, optionally bound to the specified bind_address. Whenever a
connection is made to this port, the connection is forwarded over
the secure channel, and the application protocol is then used to
determine where to connect to from the remote machine. Currently
the SOCKS4 and SOCKS5 protocols are supported, and ssh will act
as a SOCKS server. Only root can forward privileged ports.
Dynamic port forwardings can also be specified in the configura-
tion file.
IPv6 addresses can be specified with an alternative syntax:
[bind_address/]port or by enclosing the address in square brack-
ets. Only the superuser can forward privileged ports. By
default, the local port is bound in accordance with the
GatewayPorts setting. However, an explicit bind_address may be
used to bind the connection to a specific address. The
bind_address of "localhost" indicates that the listening port be
bound for local use only, while an empty address or '*' indicates
that the port should be available from all interfaces.
-e escape_char
Sets the escape character for sessions with a pty (default: '~').
The escape character is only recognized at the beginning of a
line. The escape character followed by a dot ('.') closes the
connection; followed by control-Z suspends the connection; and
followed by itself sends the escape character once. Setting the
character to "none" disables any escapes and makes the session
fully transparent.
-F configfile
Specifies an alternative per-user configuration file. If a con-
figuration file is given on the command line, the system-wide
configuration file (/etc/ssh/ssh_config) will be ignored. The
default for the per-user configuration file is ~/.ssh/config.
-f Requests ssh to go to background just before command execution.
This is useful if ssh is going to ask for passwords or
passphrases, but the user wants it in the background. This
implies -n. The recommended way to start X11 programs at a
remote site is with something like ssh -f host xterm.
-g Allows remote hosts to connect to local forwarded ports.
-I smartcard_device
Specify the device ssh should use to communicate with a smartcard
used for storing the user's private RSA key. This option is only
available if support for smartcard devices is compiled in
(default is no support).
-i identity_file
Selects a file from which the identity (private key) for RSA or
DSA authentication is read. The default is ~/.ssh/identity for
protocol version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for pro-
tocol version 2. Identity files may also be specified on a per-
host basis in the configuration file. It is possible to have
multiple -i options (and multiple identities specified in config-
uration files).
-k Disables forwarding (delegation) of GSSAPI credentials to the
server.
-L [bind_address:]port:host:hostport
Specifies that the given port on the local (client) host is to be
forwarded to the given host and port on the remote side. This
works by allocating a socket to listen to port on the local side,
optionally bound to the specified bind_address. Whenever a con-
nection is made to this port, the connection is forwarded over
the secure channel, and a connection is made to host port
hostport from the remote machine. Port forwardings can also be
specified in the configuration file. IPv6 addresses can be spec-
ified with an alternative syntax:
[bind_address/]port/host/hostport or by enclosing the address in
square brackets. Only the superuser can forward privileged
ports. By default, the local port is bound in accordance with
the GatewayPorts setting. However, an explicit bind_address may
be used to bind the connection to a specific address. The
bind_address of "localhost" indicates that the listening port be
bound for local use only, while an empty address or '*' indicates
that the port should be available from all interfaces.
-l login_name
Specifies the user to log in as on the remote machine. This also
may be specified on a per-host basis in the configuration file.
-M Places the ssh client into "master" mode for connection sharing.
Multiple -M options places ssh into "master" mode with confirma-
tion required before slave connections are accepted. Refer to
the description of ControlMaster in ssh_config(5) for details.
-m mac_spec
Additionally, for protocol version 2 a comma-separated list of
MAC (message authentication code) algorithms can be specified in
order of preference. See the MACs keyword for more information.
-N Do not execute a remote command. This is useful for just for-
warding ports (protocol version 2 only).
-n Redirects stdin from /dev/null (actually, prevents reading from
stdin). This must be used when ssh is run in the background. A
common trick is to use this to run X11 programs on a remote
machine. For example, ssh -n shadows.cs.hut.fi emacs & will
start an emacs on shadows.cs.hut.fi, and the X11 connection will
be automatically forwarded over an encrypted channel. The ssh
program will be put in the background. (This does not work if
ssh needs to ask for a password or passphrase; see also the -f
option.)