
 Miroslav Vitula, the author of the book Learning zANTI2 for Android Pentesting, penned this article on Connecting to Open Ports, focusing on cracking passwords and setting up a remote desktop connection. Let’s delve into the topics.


Cracking passwords

THC Hydra is one of the best-known login crackers: it supports numerous protocols, is flexible, and is very fast. Hydra supports more than 30 protocols, including HTTP GET, HTTP HEAD, Oracle, pcAnywhere, rlogin, Telnet, SSH (both v1 and v2), and many more. As you might guess, THC Hydra is also implemented in zANTI2, where it has become an integral part of the app thanks to its functionality and usability. The zANTI2 developers named this section Password Complexity Audit; it is located under Attack Actions after a target is selected:

After selecting this option, you will notice there are several types of attack. First, there are multiple dictionaries: Small, Optimized, Big, and Huge, the last of which contains the highest number of usernames and passwords.

To clarify, a dictionary attack is a method of breaking into a password-protected computer, service, or server by trying every entry in a dictionary file as the username/password. Unlike a brute force attack, where all possible combinations are tried, a dictionary attack uses only those candidates that are deemed most likely to succeed. Files used for dictionary attacks (also called wordlists) can be found all over the Internet, ranging from basic ones to huge ones containing more than 900,000,000 words for WPA2 WiFi cracking. zANTI2 also lets you use a custom wordlist for the attack:

Apart from dictionary attacks, there is an Incremental option, which is used for brute force attacks. This attempts to guess the right combination using a custom range of letters/numbers:

To set up the method properly, ensure the cracking options are correctly set. The space of searched combinations is defined by min-max charset, where min stands for the minimum length of the password, max for the maximum length, and charset for the character set, which in our case will be lowercase letters.

The Automatic Mode, as the description says, automatically matches the list of protocols with the open ports on the target.

To select a custom protocol manually, simply disable the Automatic Mode and select the protocol you want to perform the attack on:

In our case that would be the SSH protocol, for cracking a password used to establish the connection on port 22.

Since Incremental is a brute force method, it can take an extremely long time to find the right combination. For instance, the password zANTI2-hacks would take about 350 thousand years for a desktop PC to crack: with a 77-character set there are 43 sextillion possible combinations. Therefore, it is generally better to use dictionary attacks for cracking passwords that might be longer than just a few characters. However, if you have a few thousand years to spare, feel free to use the brute force method.
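To see what the min-max charset setting actually commits you to, here is an added example (not code from the book or from zANTI2) that computes the Incremental search space for a length range and charset and converts it into time at an assumed guess rate. The 77-symbol set and the 4 billion guesses per second are assumptions chosen to reproduce the 43 sextillion and 350 thousand year figures above; the lowercase-only min=1 max=8 comparison shows why the range configured earlier falls in seconds.

```python
# Assumed symbol set: lowercase + uppercase + digits + 15 symbols = 77, matching
# the "77 character" figure for a password like zANTI2-hacks.
CHARSET_77 = 26 + 26 + 10 + 15
LOWERCASE = 26
# Assumed desktop guess rate; picked because it reproduces "about 350 thousand years".
ASSUMED_GUESSES_PER_SECOND = 4e9
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def incremental_keyspace(min_len, max_len, charset_size):
    """Candidates Incremental mode must try for every length from min_len to
    max_len over a charset of charset_size symbols (sum of charset_size**n)."""
    if not 1 <= min_len <= max_len or charset_size < 1:
        raise ValueError("need 1 <= min_len <= max_len and charset_size >= 1")
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def seconds_to_exhaust(candidates, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Worst case: every candidate is tried before the right one turns up."""
    return candidates / guesses_per_second


def years_to_exhaust(candidates, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    return seconds_to_exhaust(candidates, guesses_per_second) / SECONDS_PER_YEAR


def compare_policies():
    """The 12-character, 77-symbol password from the text next to a
    lowercase-only min=1 max=8 search, the kind of range configured above."""
    strong = incremental_keyspace(12, 12, CHARSET_77)
    weak = incremental_keyspace(1, 8, LOWERCASE)
    return {
        "strong_candidates": strong,
        "strong_years": years_to_exhaust(strong),
        "weak_candidates": weak,
        "weak_seconds": seconds_to_exhaust(weak),
    }
```

The same arithmetic is what a password policy should be judged against: length and charset size multiply, so a short lowercase range is exhausted in under a minute at the assumed rate.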

If everything went fine, you should now be able to view the access password with the username. You can easily connect to the target by tapping the finished result using one of the installed SSH clients:

When connected, it's all yours. Any Linux command can be executed through the app, and you now have the power to list directories, change the password, and more.
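From the defender's side, a dictionary attack like the one above shows up in the SSH server's auth.log as a burst of Failed password lines from one source, sometimes followed by an Accepted one. The following added example (not part of the original article) parses constructed sshd log lines and flags exactly that pattern; the same failures-in-a-window logic applies to Windows logon failures for the remote desktop case discussed later.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth.log lines (not captured traffic): 10.0.0.5 works through
# a wordlist against root and finally gets in; 192.168.1.20 is a single typo.
SAMPLE_AUTH_LOG = """\
Jan 14 10:01:02 srv sshd[2101]: Failed password for root from 10.0.0.5 port 40122 ssh2
Jan 14 10:01:03 srv sshd[2102]: Failed password for root from 10.0.0.5 port 40123 ssh2
Jan 14 10:01:03 srv sshd[2103]: Failed password for invalid user admin from 10.0.0.5 port 40124 ssh2
Jan 14 10:01:04 srv sshd[2104]: Failed password for root from 10.0.0.5 port 40125 ssh2
Jan 14 10:01:05 srv sshd[2105]: Failed password for root from 10.0.0.5 port 40126 ssh2
Jan 14 10:01:06 srv sshd[2106]: Accepted password for root from 10.0.0.5 port 40127 ssh2
Jan 14 10:02:30 srv sshd[2107]: Failed password for alice from 192.168.1.20 port 51000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_line(line, year=2024):
    """Return (timestamp, result, user, source) or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag sources reaching `threshold` failures inside `window`; upgrade to
    'bruteforce-success' if sshd then accepts a login from that source."""
    recent = defaultdict(list)  # source -> failure timestamps still inside the window
    verdicts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ts, result, _user, src = ev
        if result == "Failed":
            fails = recent[src]
            fails.append(ts)
            while fails and ts - fails[0] > window:  # slide the window forward
                fails.pop(0)
            if len(fails) >= threshold:
                verdicts.setdefault(src, "bruteforce")
        elif src in verdicts:  # a success right after a flagged burst is the real alarm
            verdicts[src] = "bruteforce-success"
    return verdicts
```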

Although connecting to port 22 might sound spicy, there is more to be discovered.

A remote desktop connection

Microsoft has made a handy feature called Remote Desktop. As the name suggests, it lets an ordinary user access his home computer when he is away, or it can be used for managing a server over a network. It also means that we can intercept this connection and use an open port to set up a remote desktop connection between our mobile phone and a target.

There is, however, one requirement. Since the RDP (Remote Desktop Protocol) port 3389 isn't open by default, a user has to allow connections from other computers. This option can be set in the Windows Control Panel, and only then is port 3389 accessible.

If the option Allow remote connections to this computer is ticked on the victim's machine, we're good to go. This leaves port 3389 open and listening for incoming connections, including ones from malicious attackers.

If we run a quick port discovery on the target, the remote desktop port with number 3389 will pop up. This is a good sign for us, indicating that this port is open and listening:

Tap the port (ms-wbt-server). You will be asked for login credentials once again. Tap GO.

Now, if you haven't got any remote desktop client installed, zANTI2 will redirect you to Google Play to download one—the Parallels 2X RDP. This application, as you can tell, is capable of establishing remote desktop access from your Android device. It is stable, fast, and works very well.

After downloading the application, go back to zANTI2 and connect to the port once again. You will now be redirected directly to the app and a connection will be established immediately.

As you can see in the following screenshot, here's my computer—I'm currently working on the article! Apart from a simplified Windows user interface (a basic XP look with no transparent bars and such), it is basically the same, and you can take control of the whole system.

The Parallels 2X RDP client offers a comfortable and easy way to move the mouse and use the keyboard. Note that while connecting to port 445 a victim has no idea that an intruder is accessing the files on his computer, connecting to this port will log the current user out of the current session. If the remote desktop is set to allow multiple sessions at once, it is possible for a victim to see what the attacker currently controls.

The quality seems good, although the resolution is only 804 x 496 pixels at 32-bit color depth. Despite these conditions, it is still easy to access folders, view files, or open applications.

As the practical demonstration shows, service ports should be accessible only to authorized systems, not to anyone else. It is also a good reminder to secure the login credentials on your machine, to protect yourself not only from people behind your back but mainly from people on the network.

Summary

In this article, we showed how a connection to these ports is established, how to crack password-protected ports, and how to access them afterwards using tools like ConnectBot or the remote desktop client.
