Attack IPv6 Targets with Hydra

Introduction

In this lab, you will learn how to attack IPv6 targets using Hydra. The lab focuses on configuring a server with an IPv6 address and then using Hydra to attack its SSH service.

The lab begins by configuring the server with the IPv6 address 2001:db8:1::1/64 on the eth0 interface using the ip command. You will then enable the interface and verify the configuration. Finally, you will use Hydra with the -6 option to target the IPv6 SSH service and verify the attack results.

Configure Server with IPv6 Address

In this step, you will configure the LabEx VM with an IPv6 address. This is a crucial step for enabling IPv6 communication and preparing for the subsequent attack on the IPv6 SSH service.

First, let's understand the basics of IPv6 addressing. IPv6 addresses are 128-bit addresses, typically represented in hexadecimal notation. A typical IPv6 address looks like this: 2001:0db8:85a3:0000:0000:8a2e:0370:7334.

To simplify the configuration, you will assign the address 2001:db8:1::1/64 to the eth0 interface. The eth0 interface is a common network interface name in Linux systems.

Now, let's configure the IPv6 address. You will use the ip command, which is a powerful tool for managing network interfaces.

Add the IPv6 address to the eth0 interface:

Open your terminal in the LabEx VM. Execute the following command:
```
sudo ip addr add 2001:db8:1::1/64 dev eth0
```
This command adds the IPv6 address 2001:db8:1::1/64 to the eth0 interface. The /64 specifies the network prefix length, which determines the size of the IPv6 subnet.
Enable the eth0 interface:
```
sudo ip link set dev eth0 up
```
This command brings the eth0 interface up, enabling it to send and receive network traffic.

Verify the IPv6 address configuration:

To verify that the IPv6 address has been configured correctly, use the ip addr command again:

ip addr show eth0

The output should include the IPv6 address 2001:db8:1::1/64 in the inet6 section. You should see something similar to the following:

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:16:3e:08:6d:7a brd ff:ff:ff:ff:ff:ff
    altname enp0s5
    altname ens5
    inet 172.16.50.97/24 metric 100 brd 172.16.50.255 scope global dynamic eth0
       valid_lft 1892159937sec preferred_lft 1892159937sec
    inet6 2001:db8:1::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::216:3eff:fe08:6d7a/64 scope link
       valid_lft forever preferred_lft forever

The line inet6 2001:db8:1::1/64 scope global confirms that the IPv6 address has been successfully configured.

Prepare for IPv6 SSH Attack

In this step, you will prepare for the IPv6 SSH service attack by understanding and using the -6 option with network tools. The -6 option is commonly used to specify a preference for IPv6 when interacting with network services. This is important because, by default, some tools might prefer IPv4 if both IPv4 and IPv6 addresses are available.

To ensure you are targeting the IPv6 address configured in the previous step, you will use the ping command with the -6 option. This will verify that you can reach the server using its IPv6 address.

Ping the IPv6 address:

Open your terminal in the LabEx VM. Execute the following command:

ping -6 2001:db8:1::1

This command sends ICMP Echo Request packets to the IPv6 address 2001:db8:1::1. If the server is reachable via IPv6, you should see replies from the server. The output should look similar to this:

PING 2001:db8:1::1(2001:db8:1::1) 56 data bytes
64 bytes from 2001:db8:1::1: icmp_seq=1 ttl=64 time=0.026 ms
64 bytes from 2001:db8:1::1: icmp_seq=2 ttl=64 time=0.041 ms
64 bytes from 2001:db8:1::1: icmp_seq=3 ttl=64 time=0.035 ms
64 bytes from 2001:db8:1::1: icmp_seq=4 ttl=64 time=0.032 ms
^C
--- 2001:db8:1::1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3078ms
rtt min/avg/max/mdev = 0.026/0.033/0.041/0.005 ms

Press Ctrl+C to stop the ping command after a few packets.

Understanding the -6 option:

The -6 option tells the ping command to use IPv6. Many other network tools, such as ssh, curl, and wget, also support the -6 option. Using this option ensures that the tool attempts to connect to the target host using IPv6.

In the next step, you will use Hydra to attack the SSH service. You will use the -6 option with Hydra to specifically target the IPv6 address of the SSH server. This ensures that you are testing the security of the IPv6 SSH configuration.

Attack IPv6 SSH Service

In this step, you will use Hydra to perform a brute-force attack on the SSH service running on the IPv6 address you configured earlier. Hydra is a powerful password cracking tool that supports various protocols, including SSH.

Before you start, you will create a simple password list. This list will contain the passwords that Hydra will try to use to authenticate to the SSH service.

Start the SSH service:

First, you need to ensure that the SSH service is running on the system. Execute the following command to start the SSH service:
```
sudo systemctl start ssh
```
You can verify that the SSH service is running by checking its status:
```
sudo systemctl status ssh
```
The output should show that the service is active and running.
Configure SSH to listen on IPv6:

By default, SSH may only listen on IPv4 addresses. You need to configure it to also listen on IPv6. First, check what addresses SSH is currently listening on:
```
ss -tlnp | grep :22
```
You should see output like LISTEN 0 128 0.0.0.0:22 0.0.0.0:*, which means SSH is only listening on IPv4.

Now, edit the SSH configuration file to enable IPv6 listening:
```
sudo nano /etc/ssh/sshd_config
```
Find the line that contains #AddressFamily any or AddressFamily inet and change it to:
```
AddressFamily any
```
If the line doesn't exist, add it. This tells SSH to listen on both IPv4 and IPv6 addresses.

Save the file by pressing Ctrl + X, then Y to confirm saving, and Enter to confirm the filename.

Restart the SSH service to apply the changes:
```
sudo systemctl restart ssh
```
Verify that SSH is now listening on both IPv4 and IPv6:
```
ss -tlnp | grep :22
```
You should now see SSH listening on both 0.0.0.0:22 (IPv4) and [::]:22 (IPv6).
Create a password list:

Open your terminal in the LabEx VM. You are currently in the ~/project directory. Use the nano editor to create a file named passwords.txt in this directory:
```
nano passwords.txt
```
Add the following passwords to the file, one password per line:
```
password
123456
qwerty
admin
labex
```
Save the file by pressing Ctrl + X, then Y to confirm saving, and Enter to confirm the filename.
Run Hydra to attack the IPv6 SSH service:

Now, you will use Hydra to attack the SSH service. You will use the -6 option to specify that you want to target the IPv6 address. You will also specify the username to attack (e.g., labex), the password list you created (passwords.txt), and the IPv6 address of the SSH server (2001:db8:1::1).

Execute the following command:
```
hydra -6 -l labex -P passwords.txt ssh://[2001:db8:1::1]
```
Let's break down this command:
- hydra: The command to run the Hydra tool.
- -6: Specifies that Hydra should use IPv6.
- -l labex: Specifies the username to attack. In this case, you are attacking the labex user.
- -P passwords.txt: Specifies the password list to use. In this case, you are using the passwords.txt file you created in the current ~/project directory.
- ssh://[2001:db8:1::1]: Specifies the target SSH service. The ssh:// prefix indicates that you are attacking an SSH service, and [2001:db8:1::1] is the IPv6 address of the server enclosed in square brackets (required for IPv6 addresses in Hydra).
Hydra will now start trying the passwords in the passwords.txt file against the SSH service. If Hydra finds a valid password, it will display the credentials. The output may look like this if no password is found:
```
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at YYYY-MM-DD HH:MM:SS
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 5 tasks per 1 server, overall 5 tasks, 5 login tries (l:1/p:5), ~1 try per task
[DATA] attacking ssh://[2001:db8:1::1]:22/
1 of 1 target completed, 0 valid password found
Hydra finished.
```
If no password is found, you can try adding more common passwords to your passwords.txt file. You can also use the -V option to see verbose output showing each attempt:
```
hydra -6 -V -l labex -P passwords.txt ssh://[2001:db8:1::1]
```
If Hydra successfully finds a password, the output would look like this:
```
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at YYYY-MM-DD HH:MM:SS
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 5 tasks per 1 server, overall 5 tasks, 5 login tries (l:1/p:5), ~1 try per task
[DATA] attacking ssh://[2001:db8:1::1]:22/
[22][ssh] host: 2001:db8:1::1   login: labex   password: [found_password]
1 of 1 target successfully completed, 1 valid password found
Hydra finished.
```
This output indicates that Hydra successfully cracked the password for the labex user.

Important Note: Brute-forcing passwords against a system without authorization is illegal and unethical. This lab is for educational purposes only, and you should only use these techniques on systems that you own or have explicit permission to test.

Verify IPv6 Attack Results

In this step, you will verify the results of the Hydra attack on the IPv6 SSH service. You will check if Hydra successfully cracked the password and, if so, attempt to log in to the SSH service using the cracked credentials.

Review Hydra output:

Carefully review the output from the Hydra command in the previous step. Look for a line that indicates successful password cracking. The output should look similar to this:
```
[22][ssh] host: 2001:db8:1::1   login: labex   password: [found_password]
```
If you see this line, it means that Hydra successfully cracked the password for the labex user. If no password was found, this demonstrates that the current password list doesn't contain the correct password, which is actually a good security sign.
Attempt to log in to the SSH service (if password was found):

If Hydra successfully found a password, you can attempt to log in to the SSH service using the ssh command. You will use the -6 option to specify that you want to connect to the IPv6 address.

Execute the following command, using the password that Hydra found:
```
ssh -6 labex@2001:db8:1::1
```
When prompted for the password, enter the cracked password. If the login is successful, you will be logged in to the SSH server.

If no password was found by Hydra, you can still test the SSH IPv6 connectivity by attempting to connect (it will prompt for a password, but you can press Ctrl+C to cancel):
```
ssh -6 labex@2001:db8:1::1
```
The fact that you get a password prompt confirms that SSH is properly configured for IPv6 and Hydra was able to connect to the service.
Security Recommendations:

This lab demonstrated the importance of using strong passwords and implementing security best practices to protect your SSH service. Here are some recommendations:
- Use strong passwords: Use passwords that are at least 12 characters long and contain a mix of uppercase letters, lowercase letters, numbers, and symbols.
- Disable password authentication: Consider disabling password authentication and using SSH keys instead. SSH keys are more secure than passwords because they are much harder to crack.
- Implement rate limiting: Use tools like fail2ban to implement rate limiting on SSH login attempts. This will prevent attackers from trying too many passwords in a short period of time.
- Keep your software up to date: Make sure that your SSH server software is up to date with the latest security patches.

Summary

In this lab, you configured a server with an IPv6 address, a crucial step for enabling IPv6 communication. This involved understanding IPv6 addressing basics and using the ip command to assign the address 2001:db8:1::1/64 to the eth0 interface.

You then enabled the interface and verified the configuration using ip addr show eth0, ensuring the IPv6 address was correctly assigned. You also configured SSH to listen on IPv6 addresses by modifying the SSH configuration file and restarting the service.

Finally, you used Hydra with the -6 option to target the IPv6 SSH service and successfully performed a brute-force attack. You then verified the attack results by logging into the SSH service using the cracked credentials. This lab demonstrated Hydra's capability to attack IPv6 targets and highlighted the importance of strong passwords and security best practices for SSH services.