N.A.N.Y. 2013 Submission - FreeNAS Brute Forcer

[Renegade]

NANY 2013 Entry Information

Application Name	FreeNAS Brute Forcer
Version	v1
Short Description	Recover lost user names and passwords for FreeNAS
Supported OSes	Windows XP SP3, Windows Vista, Windows 7, Windows 8
Web Page	http://cynic.me/2012...s-user-and-password/
Download Link	http://cynic.me/wp-c...NAS-Brute-Forcer.zip
System Requirements	.NET 4
Version History	First release - v1
Author	https://www.donation...le;u=2492;sa=summary

Description
I thought that I had forgotten my FreeNAS user name and password, so I wrote this little utility.

It is very simple - enter many possible user names and many possible passwords, and this will find the right combination of the 2 for you.

Instructions are in the program itself.

Check my blog post above (the program page) for more information about the program and why I wrote it.

Features
Brute forces the FreeNAS web interface to find your correct user name and password.

Planned Features
No future features are planned as it does what it is intended to do. If there is any interest in it, I may polish some more, depending on user feedback.

I will not turn this into a general brute force utility as that is too open to abuse.

Screenshots



Usage
Installation
Unzip the ZIP file then run the program. No installer. Source code is included.

Using the Application
There are directions in the program. Simply follow them. i.e.:

INSTRUCTIONS - IMPORTANT - READ THEM ALL:

1) Enter a list of possible user names.
2) Enter a list of possible passwords.
3) Enter the IP address of your FreeNAS box on your local network.
4) Click GO to load the login page.
5) Click the "Start Brute Force" button.

Once you are logged in:

1) Check the title bar for a user name/password pair.
2) Find that in the "User/password pairs" text box.
3) Your proper login is on the line above that.
4) Test it in your regular Internet browser.

SECURITY PRECAUTIONS:

1) To log out, click the "Clear Cookies" button.
2) When you are finished, click the "Securely Remove Users/Passwords" button so that you do not leave any traces of usernames/passwords. The program stores them in plain text while you are using it, and for the next time that you use it.

For more information, check http://cynic.me/.

Cheers,

Ryan

Uninstallation
Simply delete the file. No uninstallation is required.

HOWEVER - read the instructions... it saves your user names and passwords in plain text, but also includes a way to delete them.

Tips
If you have any problems, simply close the program, then reload it. Enter the proper IP address again and try again. It saves your users/passwords as they are longer.

Known Issues
No known issues with the software. However, the .NET WebBrowser control is based on the Trident engine (IE), and the FreeNAS web interface doesn't really like it, so once you are logged in, you need to go to your normal browser and login there to actually use FreeNAS.

[wraith808]

Just a suggestion- you might want to limit it to local ips to even further close it off from abuse.

i.e.
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
169.254.0.0 -169.254.255.255

[Renegade]

Just a suggestion- you might want to limit it to local ips to even further close it off from abuse.

i.e.
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
169.254.0.0 -169.254.255.255

-wraith808 (November 20, 2012, 11:50 PM)

Well, the source is available... so, it wouldn't be hard to change.  And it's unlikely that anyone has a front-facing FreeNAS box, so I kind of doubt that it can be reasonably used to attack off the LAN and on the WAN.

I thought about some additional features to make it more versatile, but decided that it does what it does, and anyone who wants to make it more general can easily do so. (e.g. I could turn it into a brute forcer for pretty much any web site pretty easily.) And the spammers already know all this stuff, so it's really only going to limit the low-grade spammer wannabes and script kiddies by not adding in more versatility - which is pretty much enough - you can't stop the more sophisticated professionals - they already have all this kind of stuff done anyways. e.g. A while back I needed a bunch of email addresses, so I slapped together a program to automatically create Gmail, Hotmail, and Yahoo email accounts from a list of usernames and passwords in a couple hours. It's not hard.

The only really cool thing in there is a tidbit of code to create N-ary Cartesian products. Found that at another site. It's pretty darn slick.

[Ath]

Sounds useful, but I hope I don't need it...

[Renegade]

Sounds useful, but I hope I don't need it...

-Ath (November 21, 2012, 03:23 AM)

Well, I posted it over at the FreeNAS forums... then found out that if you actually connect to the FreeNAS box, you can use option 7 to reset the WebGUI admin account.

So, this utility is really only useful for 2 things:

1) You want to get back the original login, i.e. NOT reset the login. (Which I wanted.)
2) You don't want to connect a monitor/keyboard because you hate cables. (Like me.)

I had set the root and WebGUI admin passwords to be the same, so I needed to get that back. Resetting won't do that for you.

Anyways, less useful than I originally thought, but still servers *some* purpose.

With some minor modifications, it could easily work on other web sites though.

[Stoic Joker]

Um... Is this supposed to open and automatically target a specific (private but non-local) IP address by default?

[Renegade]

Um... Is this supposed to open and automatically target a specific (private but non-local) IP address by default?

-Stoic Joker (November 21, 2012, 06:46 AM)

Well, the idea is that you'd use it on your own FreeNAS box on your own local network. You'd normally have it assigned a static IP address, or I would anyways. It doesn't target network paths like //freenas/shared/whatever.

It will work across the WAN to an exposed FreeNAS box though. Just slower...

But, it brute forces based on user names and passwords that you supply. It does not generate them. That makes it less open to abuse. Also, if anyone wanted to paste in a dictionary, well, they'll need to modify it and recompile. I've left something in there to prevent massive dictionary attacks. It will throw an error in that case. For its intended purpose, it's perfectly fine.

For automatic - it is automatic once you enter the possible user names, and possible passwords, and the IP address. From there on, it just goes.

[Stoic Joker]

Um... Is this supposed to open and automatically target a specific (private but non-local) IP address by default?

-Stoic Joker (November 21, 2012, 06:46 AM)

Well, the idea is that you'd use it on your own FreeNAS box on your own local network. You'd normally have it assigned a static IP address, or I would anyways. It doesn't target network paths like //freenas/shared/whatever.

-Renegade (November 21, 2012, 07:14 AM)

Understood ... It just struck me as odd that it (first time) started with a target already in mind. And thought that it might be leftover test data (leakage).

[Renegade]

Understood ... It just struck me as odd that it (first time) started with a target already in mind. And thought that it might be leftover test data (leakage).

-Stoic Joker (November 21, 2012, 07:25 AM)

Ah... That...

Yeah, I just put in some common users and the default password then stuck in a typical IP address for a LAN. Since 1 is the router, I just stuck on a zero for .10 there. It also serves as a simple example of what to enter, making explaining it simpler. It could have been 2, but I figured that's kind of silly as after the router, other computers would likely be on the network first, and 2 would be taken. Hence, 10.

[Stoic Joker]

It also serves as a simple example of what to enter, making explaining it simpler.

-Renegade (November 21, 2012, 07:42 AM)

[Insert Abject Horror Smiley] Pardon me for waxing elitist...but if they don't know what an IP address is, wouldn't it be safer if they stayed out of the box in question? 

If it's a case if input limitations (no name lookup code [gethostbyname(pstrHost)], etc.), I usually just use an IP address input control to force the issue for me. Or let a name/IP radio button set toggle textbox/IP address controls into view in the same location (all the user sees is the 3 dots appear and disapear).

[Renegade]

The initial navigation is done with this string:

Code: C# [Select]

1. string _url = "http://{0}/account/login";
2. // then later like this:
3. wbrFreeNas.Navigate(string.Format(_url, txtIpAddress.Text));

So, it will accept more than just IP address octets. It's a quick and dirty solution.

The main navigation for the actual brute forcing is actually much more robust and versatile with no reliance on an address:

Code: C# [Select]

1. wbrFreeNas.Document.Forms[0].InvokeMember("submit");

You can actually drop a page into the browser to load it, e.g. Drag & drop from Chrome into the browser. That will load another page for whatever. So, if you've got your FreeNAS open in another browser, you can drag it into the program to load that page. The IP address is only used to initially load the page.

e.g.



I didn't do a lot of validation and the like because, well, like you say, if you can't use it properly, you probably shouldn't be using it.

[Renegade]

Somebody found a decent use for it! Pen testing!

http://www.elithecom...s-brute-forcer-v1-0/

 

[wraith808]

That was a really good write up!  I'd never thought of using it for that either, but I'm sure as with everything else, there's a lot of people out there using FreeNAS in an unsafe environment that have bad security measures in place.