Attack SMB Services with Hydra


Introduction

In this lab, we will explore how to attack SMB services using Hydra, a powerful password cracking tool. The lab focuses on demonstrating how to identify and exploit weak credentials on an SMB server.

The lab begins by setting up a local SMB server using Samba, including installing the necessary packages, configuring the smb.conf file to create a shared directory, and setting appropriate permissions. We will then prepare user and password lists to be used in the Hydra attack. Finally, we will run the Hydra SMB attack and check the results to see if any credentials were successfully cracked.


Set Up Local SMB Server

In this step, we will set up a local SMB (Server Message Block) server using Samba. SMB is a network file sharing protocol that allows applications on a computer to access files and resources on a remote server. Samba is a free software re-implementation of the SMB networking protocol. This will provide a target for our Hydra SMB attack in later steps.

First, let's install Samba. Open your terminal in the ~/project directory.

sudo apt update
sudo apt install samba -y

These commands update the package lists and then install the Samba package. The -y flag automatically answers "yes" to any prompts during the installation.

Next, we need to configure Samba. We'll start by backing up the original configuration file.

sudo cp /etc/samba/smb.conf /etc/samba/smb.conf.bak

Now, let's create a new, simplified configuration file. We'll use nano to edit the configuration file.

sudo nano /etc/samba/smb.conf

Paste the following configuration into the nano editor. This configuration creates a shared directory named share that is accessible to everyone on the network.

[global]
   workgroup = WORKGROUP
   server string = Samba Server %v
   netbios name = fileserver
   security = user
   map to guest = bad user
   name resolve order = bcast host lmhosts wins

[share]
   path = /home/labex/project/share
   browsable = yes
   writable = yes
   guest ok = yes
   read only = no

Press Ctrl+X, then Y, then Enter to save the file.

Now, let's create the shared directory.

mkdir ~/project/share
sudo chmod 777 ~/project/share

This creates a directory named share in your ~/project directory and sets its permissions to 777, which means everyone has read, write, and execute permissions. Note: In a real-world scenario, you would want to use more restrictive permissions. We are using 777 for simplicity in this lab environment.

Next, we need to add a Samba user. This user will be used to authenticate to the SMB server. We'll use the labex user that already exists on the system. First, set a Samba password for the labex user.

sudo smbpasswd -a labex

You will be prompted to enter a new password for the labex user. Enter a password and confirm it. Remember this password, as you will need it later.

Finally, restart the Samba service to apply the changes.

sudo systemctl restart smbd nmbd

Important Note: The systemctl command might not work directly in the Docker container environment. If you encounter an error, you can try restarting the Samba services using the following commands:

sudo /etc/init.d/smbd restart
sudo /etc/init.d/nmbd restart

Now, your local SMB server is set up. You have created a shared directory named share and added the labex user with a Samba password.
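The guest-access settings in the lab's smb.conf are what you would look for when reviewing a real server. The following is an added example, not part of the original lab: a small audit that flags them. HARDENED_CONF and the finding labels are assumptions made for illustration.

```python
import re

# The lab's smb.conf from the step above, next to a tightened variant (constructed).
LAB_CONF = """
[global]
   security = user
   map to guest = bad user
[share]
   path = /home/labex/project/share
   writable = yes
   guest ok = yes
   read only = no
"""
HARDENED_CONF = """
[global]
   security = user
   map to guest = never
[share]
   path = /home/labex/project/share
   read only = no
   guest ok = no
   valid users = labex
"""
YES, NO = {"yes", "true", "1"}, {"no", "false", "0"}

def parse_smb_conf(text):
    """Return {section: {parameter: value}} with lower-cased names and values."""
    conf, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = conf.setdefault(header.group(1).strip().lower(), {})
        elif section is not None and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            section[" ".join(key.lower().split())] = value.strip().lower()
    return conf

def audit(text):
    """List (section, finding) pairs for settings that grant guest access."""
    conf, findings = parse_smb_conf(text), []
    mapping = conf.get("global", {}).get("map to guest", "never")
    if mapping != "never":
        findings.append(("global", f"map to guest = {mapping}"))
    for name, p in conf.items():
        if name != "global" and p.get("guest ok", p.get("public", "no")) in YES:
            # Conservative: treat as writable if either synonym spelling says so.
            rw = p.get("writable", p.get("writeable", "no")) in YES or p.get("read only", "yes") in NO
            findings.append((name, "guest ok, writable" if rw else "guest ok, read-only"))
    return findings
```

With map to guest = bad user, Samba maps a login with an unknown username to the guest account instead of rejecting it, which is why the audit reports it separately from the per-share guest ok setting.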

Prepare User/Password Lists

In this step, we will create the user and password lists that Hydra will use to perform the SMB attack. These lists will contain potential usernames and passwords that Hydra will try to use to authenticate to the SMB server.

First, let's create the user list. We'll use nano to create a file named users.txt in the ~/project directory.

nano ~/project/users.txt

In this file, add the following usernames, one per line:

labex
admin
guest
user

Press Ctrl+X, then Y, then Enter to save the file.

Now, let's create the password list. We'll use nano to create a file named passwords.txt in the ~/project directory.

nano ~/project/passwords.txt

In this file, add the following passwords, one per line:

password
123456
labex
admin
guest

Press Ctrl+X, then Y, then Enter to save the file.

These are simple lists for demonstration purposes. In a real-world scenario, you would use much larger and more complex lists.

Now you have created two files: users.txt containing a list of usernames, and passwords.txt containing a list of passwords. Hydra will use these lists in the next step to attempt to crack the SMB server password.

Run Hydra SMB Attack

In this step, we will use Hydra to perform a brute-force attack against the SMB server we set up in the first step. Hydra is a parallelized login cracker that supports numerous protocols.

Open your terminal in the ~/project directory.

Now, let's run the Hydra command to attack the SMB service.

hydra -L ~/project/users.txt -P ~/project/passwords.txt 127.0.0.1 smb

Let's break down this command:

  • hydra: This is the command to run the Hydra tool.
  • -L ~/project/users.txt: This specifies the path to the user list file.
  • -P ~/project/passwords.txt: This specifies the path to the password list file.
  • 127.0.0.1: This is the IP address of the target SMB server (localhost in this case).
  • smb: This specifies the service to attack (SMB).

Hydra will now start attempting to log in to the SMB server using the usernames and passwords from the lists you provided. It will try every combination of username and password until it finds a valid one or exhausts all possibilities.

The output will show the attempts being made. If Hydra finds a valid username and password combination, it will display it in the output.

Important Note: This attack is being performed on a local SMB server for educational purposes. Performing unauthorized attacks on remote systems is illegal and unethical.

The command might take some time to complete, depending on the size of your user and password lists. Observe the output to see if Hydra successfully cracks the password.
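On the server side, a run like this appears as a burst of failed logins from one source spread across several usernames. The following is an added example, not part of the original lab: a detector for that pattern. The log line shape is modelled on Samba's auth_audit messages and is an assumption, and the sample lines, the account alice and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%a, %d %b %Y %H:%M:%S.%f UTC"
# Assumed line shape: Samba's human-readable auth_audit message.
AUTH_RE = re.compile(
    r"user \[[^\]]*\]\\\[(?P<user>[^\]]*)\] at \[(?P<ts>[^\]]+)\].*?"
    r"status \[(?P<status>\w+)\].*?remote host \[ipv4:(?P<ip>[\d.]+):\d+\]")

def make_line(when, user, status, ip):
    """Build one constructed log line (not captured from a real server)."""
    return (f"Auth: [SMB2,(null)] user [WORKGROUP]\\[{user}] at [{when.strftime(TS_FMT)}] "
            f"with [NTLMv2] status [{status}] workstation [LAB] remote host "
            f"[ipv4:{ip}:40000] mapped to [WORKGROUP]\\[{user}]. local host [ipv4:127.0.0.1:445]")

def sample_log():
    """Constructed input: the lab's 4 users x 5 passwords from one source, plus one typo."""
    t0, lines = datetime(2025, 3, 4, 10, 0, 0), []
    for i, user in enumerate(["labex", "admin", "guest", "user"]):
        status = "NT_STATUS_WRONG_PASSWORD" if user == "labex" else "NT_STATUS_NO_SUCH_USER"
        for j in range(5):
            when = t0 + timedelta(milliseconds=200 * (5 * i + j))
            lines.append(make_line(when, user, status, "127.0.0.1"))
    lines.append(make_line(t0, "alice", "NT_STATUS_WRONG_PASSWORD", "192.0.2.10"))
    lines.append(make_line(t0 + timedelta(seconds=8), "alice", "NT_STATUS_OK", "192.0.2.10"))
    return lines

def detect_bruteforce(lines, min_failures=10, min_users=3, window=timedelta(seconds=60)):
    """Flag sources with many failures across several usernames inside one window."""
    events = defaultdict(list)                      # source ip -> [(time, user)]
    for line in lines:
        m = AUTH_RE.search(line)
        if m and m["status"] != "NT_STATUS_OK":
            events[m["ip"]].append((datetime.strptime(m["ts"], TS_FMT), m["user"].lower()))
    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window forward
                start += 1
            users = {u for _, u in evs[start:end + 1]}
            if end - start + 1 >= min_failures and len(users) >= min_users:
                alerts[ip] = {"failures": end - start + 1, "users": sorted(users)}
                break                                     # report at first threshold crossing
    return alerts
```

Requiring several distinct usernames as well as a failure count keeps a single user mistyping a password, like the constructed 192.0.2.10 entries, from raising an alert.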

Check SMB Attack Results

In this step, we will analyze the output of the Hydra SMB attack to determine if any credentials were successfully cracked.

After running the Hydra command in the previous step, carefully examine the output in your terminal. Hydra will display any valid username and password combinations it finds.

The output will look something like this if a successful login is found:

[smb] host: 127.0.0.1   login: labex   password: <the_password>

If Hydra was successful, it will print the username and password that worked. In our example, if the password for the labex user was in the passwords.txt file, Hydra would have found it.

If Hydra did not find any valid credentials, it will display a message indicating that it exhausted all the username and password combinations without success.

If you successfully cracked the password, make a note of the username and password. You can then use these credentials to access the SMB share we created in the first step.

To test the cracked credentials, you can use the smbclient command. First, install it if it's not already installed:

sudo apt update
sudo apt install smbclient -y

Then, use the following command to connect to the SMB share, replacing <the_password> with the cracked password:

smbclient //127.0.0.1/share -U 'labex%<the_password>'

If the login is successful, you will be presented with an smb:\> prompt, indicating that you have successfully connected to the SMB share. You can then use SMB commands to browse and interact with the shared files.

If you did not crack the password, you can try adding more common passwords to the passwords.txt file and running the Hydra command again. Remember that the effectiveness of a brute-force attack depends on the quality and size of the password list.

Summary

In this lab, we began by setting up a local SMB server using Samba to create a target for a Hydra SMB attack. This involved installing the Samba package, backing up the original configuration file, and creating a new, simplified configuration file with a shared directory named share accessible to everyone.

The configuration included setting the workgroup, server string, netbios name, security settings, and defining the shared directory's path, browsability, writability, and guest access. We also created the shared directory and set its permissions to 777 for simplicity, noting that more restrictive permissions are recommended in real-world scenarios. The next step involves adding a Samba user.