SolutionBase: Verify the strength of passwords with the hacker tool Brutus

Administrators can audit password security by learning how to use Brutus, one of the most popular password cracking tools that hackers use to compromise servers and Web sites.

If you have ever needed to break into one of your own Web sites or servers (or just wanted to see how easy it would be for a hacker to break in) then you’re probably aware that one of the quickest ways to break in is by guessing or cracking a password for a known username. One of the easiest ways of doing this is with a utility such as Brutus, a remote password cracking tool that is designed to decode a variety of password types. I’m going to show you how to use it.

Getting Brutus

Like most hacker tools, Brutus is available for free download from the Internet. The download consists of a small ZIP file. After downloading Brutus, there is no installation required. You can run Brutus immediately after downloading it by simply double-clicking the executable file (BrutusA2.exe).

Using Brutus

The user interface is shown in Figure A. Most of the options in the user interface are pretty self explanatory. At the top, there are fields for you to input the IP address of the system that you are trying to crack, and the port number. There are also a couple of slide bars that allow you to choose how many simultaneous connections you want to make to the remote host and what the timeout period is for a nonresponding connection. Both of these options are already set to optimum values and should not be changed under most circumstances.

Figure A

The other main option in the top portion of the user interface is a drop-down list that allows you to choose the type of crack that you want to perform. By default, Brutus is set to perform an HTTP crack using basic authentication. Other built-in options include HTTP (Form), FTP, POP3, Telnet, SMB (NetBIOS), Custom, and NetBus.

The next section of the user interface actually changes based on what type of crack you have selected. For example, as you can see in Figure A, if you are performing an HTTP crack then Brutus will allow you to select the HTTP method that you want to use (Head, Get, or Put). There is also a check box that you can use to try to keep the session alive as you attempt to crack the password. However, if you were to select SMB (NetBIOS) instead, the HTTP Method and Keep Alive options disappear and are replaced by a field that allows you to input a Windows NT domain name.

The third portion of the user interface consists of the authentication options. This section needs a little explaining. As shown in Figure A, there is a Use Username checkbox. This check box exists because some systems simply require a pin number or a password without a username. If you do need to enter a username, then make sure that this check box is selected. The next check box is the Single User box. Select this check box if you already know the username for the account that you want to crack. You can then enter the username into the text box below. In Figure A, this text box is labeled User File, but when the Single User check box is selected, the name of the text box changes to User ID.

You will notice in the figure that the User File text box is filled in with the file name USERS.TXT. USER.TXT is a file that comes with Brutus and contains a list of several common user names such as Administrator, Admin, and root. If this file is specified, then Brutus will attempt password cracks against each user name specified by the file. Best of all, since the USERS.TXT file is just a text file, you can add usernames to the file as needed.

The other half of the Authentication Options section consists of a Pass Mode and a Pass File option. As you can see in the figure, the default option is to use a word list. This is basically a standard dictionary crack. The Pass File is set to WORDS.TXT by default. WORDS.TXT is a text-based dictionary file. For a full blown dictionary-based crack, this file leaves a lot to be desired because it only has about 800 words within it. However, there are places on the Internet where you can download more comprehensive dictionary files. Besides, the Pass Mode option can be set to use the word list, a brute force crack, or a combination of the two techniques.

Once all of the cracking options have been set, just click the Start button. The progress bar at the bottom of the screen will show you how far along Brutus is, and the text box just above the progress bar will give you an occasional status report. The Positive Authentication Results section will display any passwords that you have managed to crack.

Normally, this would be the end of the story, but in this case, there is a lot more that you need to know. When I was preparing to write this article, I tried to use Brutus to crack some of the Web sites that I own, but didn’t have any luck. I then tried setting up some sample Web sites on test servers in my lab and tried again. Brutus was able to pick up on several accounts with blank passwords, but was only able to crack two of the passwords that I had set up to test. At first this might not sound so bad, but keep in mind that I tested Brutus on four separate servers. I used two Windows 2000 Servers, a Windows Server 2003 machine, and a Linux system. I tried every crack type that Brutus had to offer, and I even manually put my passwords into the dictionary file in an effort to make sure that Brutus would have every opportunity to decipher my passwords. In the end though, Brutus proved itself to be ineffective.

In most of my password cracking attempts, I received a message stating that Brutus was unable to verify the target system and to check my connection settings. This would be a perfectly valid message if a firewall was blocking me, but these were internal systems that I was trying to crack on my LAN. There was no firewall to contend with. As I wondered why Brutus was so ineffective, I noticed that the user interface showed that Brutus was released in January of 2000. Obviously, there have been a lot of security enhancements in the last four years. The cracking techniques that were so effective four years ago simply don’t work today.

Before I gave up on Brutus, I went to the Web site where I had downloaded Brutus to see if an update was available. While there were no new versions of Brutus, I did discover that Brutus is expandable. The Web site contains about a dozen ".BAD" files that you can download in order to make Brutus aware of newer types of password cracks. There are .BAD files available that will allow Brutus to crack Shiva LANRover, NNTP servers, SMTP accounts, and Cisco consoles. Additionally, the Web site contains an example file that you can download. This example file shows you how you can attack the root password from the current user account within a Telnet session.

End sum

In the end, I started to get a better feel for how Brutus really works. In doing so, my password cracking became much more effective, and with enough patience I was able to crack most of the passwords on my system.

Most hackers and script kiddies are probably fairly adept at using tools such as Brutus, so you should be, too. Download it and learn how to use it. Then use it to test the ease with which your most important system can have its passwords cracked.