H Y D R A
(c) 2001-2004 by van Hauser / THC <vh@thc.org> http://www.thc.org
Ver. 4.5
Hydra 4.5 manual, Chinese translation (I have added several examples of my own; this is a free translation)
Team: freexploit
Author: allyesno
Date: 2005-1-22
1. Preface
------------
As every password security study shows, passwords are one of the biggest security holes. This tool (Hydra) is proof-of-concept code that lets security researchers and consultants show how easy it is to gain unauthorized access to a remote system.
Once again: please use this tool legally only (translator's note: this goes for hackers, white hats, red hats and green hats alike)!!!
If you want to use this tool commercially, see the license file.
There are already several login hacker tools available, however none does
either support more than one protocol to attack or support parallized
connects.
There are already many remote login-cracking tools on the Internet, but none of them supports more than one protocol or parallel connections. (Translator's note: "parallized" is the author's own coinage.)
Currently, this tool supports the following:
TELNET, FTP, HTTP, HTTPS, HTTP-PROXY, LDAP, SMB, SMBNT, MS-SQL, MySQL, REXEC,
SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, ICQ, SAP/R3, Cisco auth, Cisco enable,
SMTP-AUTH, SSH2, SNMP, CVS, Cisco AAA.
In any case, the module engine for new services is very easy to use, so it won't take long until even more services are supported.
Planned are: SSH v1, Oracle and more.
We also appreciate anyone who helps write these modules :)
2. How to compile (Linux/Unix)
------------
Type ./configure, then make, then make install.
If you have cygwin, follow the instructions that ./configure prints after running.
For PalmPilot, run ./configure-palm
For ARM processors, run ./configure-arm
3. Supported platforms
------------
All UNIX platforms (Linux, *BSD, Solaris, etc.)
Mac OS/X
Windows with cygwin installed (both IPv4 and IPv6)
Mobile systems with ARM processors and Linux (e.g. Zaurus, iPAQ)
PalmOS
4. How to use
------------
Type ./configure followed by make to compile Hydra.
After compiling, type ./hydra -h to see the command line options.
You can also type make install to install Hydra into /usr/local/bin.
Note: no dictionary files are provided. Build a dictionary of weak passwords yourself or download one from the Internet.
For Linux users, a GTK GUI is available: run ./xhydra.
5. Special options for modules
---------------------------
Via the optional third command line parameter (after the target service) or the -m option, you can pass one option to a module.
Only a few modules actually use this, and a few require it.
The following is the list of these modules:
Service           Optional module parameter
==============================================================================
www/http/ssl/https
                  specifies the page to authenticate at (required); "/secret",
                  "http://bla.com/foo/bar" or "https://test.com:8080/members"
                  are all valid
http-proxy        specifies the page to authenticate at (optional, default: http://www.suse.com/)
smbnt             value [L, LH, D, DH, B, BH] (required)
                  (L) check local accounts, (D) domain accounts, (B) either
                  (H) interpret the passwords as NTLM hashes
ldap              specifies the DN (optional; the DN can also be given as the login with -l)
cisco-enable      specifies the logon password for the Cisco device (required)
sapr3             specifies the client ID, a number between 0 and 99
telnet            specifies the string shown after a successful login (case insensitive);
                  use it if the default check in the telnet module produces too many
                  false positives (optional)
The following example shows how to hand the page to authenticate at to the www module:
hydra -l jdoe -P /tmp/passlist www.attack.com http /members/
This is the same as:
hydra -m /members/ -l jdoe -P /tmp/passlist www.attack.com http
Another example:
hydra -m LH -l Administrator -P sam.dump nt.microsoft.com smbnt
Yet another example:
hydra -l gast -P gast -m 6 -s 3200 sapr3.sap.com sapr3
Or:
hydra -l bla -P blubb ms.com telnet "Welcome hacker"
6. Resuming an aborted session
---------------------------
When you stop Hydra with Ctrl+C, it writes the information needed to resume the session to the file hydra.restore,
so that you can conveniently pick up the cracking where it left off. By default Hydra records its progress every 5 minutes.
Note 1: When you use the -M option to attack more than one host, this feature is automatically disabled.
Note 2: The hydra.restore file cannot be used on a different system platform
(translator's note: the author is too lazy to convert the file format).
7. How to crack through a proxy server
----------------------------
The environment variable HYDRA_PROXY_HTTP defines the web proxy (this works only for the http/www service).
Syntax:
HYDRA_PROXY_HTTP="http://proxy.example.com:8080/"
For all other services, use the HYDRA_PROXY_CONNECT variable to go through the web proxy's CONNECT call, with the same syntax:
HYDRA_PROXY_CONNECT=proxy.anonymizer.com:8000
If your proxy requires a user name and password, use the HYDRA_PROXY_AUTH variable:
HYDRA_PROXY_AUTH="the_login:the_password"
8. Additional hints
----------------------------
* Uniq your dictionary files! This can save you a lot of time.
* Removing duplicate words from your dictionary saves a lot of time (translator's note: for the Linux uniq command,
  see http://www-900.ibm.com/developerWorks/cn/linux/l-tip-prompt/l-tiptex6/index.shtml):
  cat words.txt | sort | uniq > dictionary.txt
* If you know the password policy of the target host, for example a minimum length of 6 with at least one letter and one number,
  you can use the pw-inspector tool that comes with the Hydra package to shrink the password dictionary:
  cat dictionary.txt | pw-inspector -m 6 -c 2 -n > passlist.txt
9. Options you will never see in Hydra
-----------------------------------
In this section I list some features that will never appear in Hydra, and why.
? Feeding logins and passwords from standard input (e.g. from John)
# This is not implemented in Hydra for two reasons:
  A) the restore functionality and B) multiple targets would not work with it; because it interferes with the normal
  functions in this way, I will never add this option.
10. Speed
----------------------------
Thanks to its parallel connections, this tool cracks faster than older tools, but the speed depends on the protocol: POP3 > FTP > telnet > IMAP.
Speed can also be increased with the -t option. The larger the value, the faster the cracking, but too high a value turns into a denial of service against the target service.
11. Statistics
----------------------------
Run against SuSE Linux 7.2 with a "-C file" containing 295 login attempts (294 invalid logins and 1 valid).
Each case was run three times (the 1-task case only once) and the average noted down:
                                  Parallel tasks
Service     1       4       8       16      32      50      64      100     128
---------------------------------------------------------------------------
telnet      *
ftp         45:54
pop3        92:10
imap        31:05
(*)
Note: the telnet timings differ greatly between 64 and 128 tasks.
With 128 tasks we ran the test four times and got times between 28 and 97 seconds.
The cause has not been found.
12. Bugs & suggestions
---------------
If you find bugs in this software or have written a new module, email us:
vh@thc.org
Type bits/keyID    Date       User ID
pub  2048/CDD6A571            van Hauser/THC <vh@reptile.rug.ac.be>
Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e ns]
        [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-f] [-s PORT] [-S] [-vV]
        server service [OPT]
Parameter list:
-R          restore a previous aborted/crashed session
-R          resumes the last stopped cracking run and continues it
-S          connect via SSL
-s PORT     if the service is on a different default port, define it here
-s PORT     lets you set the port number to attack, replacing the service's default port
-l LOGIN or -L FILE   login with LOGIN name, or load several logins from FILE
-l login name or -L dictionary   a single login name, or a list of login names read from the dictionary file
-p PASS or -P FILE    try password PASS, or load several passwords from FILE
-p password or -P dictionary     a single password, or a list of passwords read from the dictionary file
-e ns       additional checks: "n" tries an empty password, "s" tries the login name as the password
-C FILE     colon separated "login:pass" format, instead of -L/-P options
-C file     a file in colon-separated "login:password" format, replacing the -L/-P options
-M FILE     server list for parallel attacks, one entry per line
-M file     server list (translator's note: a list of IP addresses), one per line
-o FILE     write found login/password pairs to FILE instead of stdout
-o file     writes the found login/password pairs to the file instead of printing them on screen
-f          stop cracking after the first login/password pair is found (per host when -M is used)
-t TASKS    run TASKS number of connects in parallel (default: 16)
-t tasks    runs this many tasks at the same time (default: 16)
-w TIME     defines the max wait time in seconds for responses (default: 30)
-w time     defines the response timeout in seconds (default: 30)
-v / -V     verbose mode / show the login and password tried for each attempt
server      the target server (use either this or the -M option)
server      the target host (translator's note: the host whose password you want to crack); can also be given with -M
service     the service to crack. Supported protocols:
            [telnet ftp pop3 imap smb smbnt http https http-proxy cisco-enable ldap
             mssql mysql nntp vnc socks5 rexec snmp cvs icq pcnfs sapr3 ssh2 smtp-auth]
OPT         some service modules need special input (see README!)
OPT         some service modules require special input (for details see 5. Special options for modules)
Two examples:
hydra -l login -P /tmp/passlist 192.168.0.1 ftp
Here login is the user name to attack and passlist is the password dictionary.
hydra -l login -P passfile 192.168.0.1 smb
Here login is the login name to attack, passfile is the password dictionary, and smb is the Windows (SMB) logon service.
Freexploit: allyesno
Postscript:
1. "Hydra" in the dictionary means the nine-headed serpent.
2. My translation of the section below is not very good. Can someone help me correct it?
Options you will never see in Hydra
-----------------------------------
In this section I put feature requests which I will never implement in
Hydra - and why.
? Feeding login/passwords from stdin (e.g. from John)
# This will not be implemented as it would not be possible to use
A) the restore functionality and B) multiple targets.
Workarounds for B) would be possible, however ugly hacks which would
sometimes not work. As this feature therefore will not fit the other
standard functionality, you will never see it here.
===============================================================================
H Y D R A
(c) 2001-2004 by van Hauser / THC <vh@thc.org> http://www.thc.org
Introduction
------------
Number one of the biggest security holes are passwords, as every password
security study shows.
This tool is a proof of concept code, to give researchers and security
consultants the possibility to show how easy it would be to gain unauthorized
access from remote to a system.
This tool is for legal purposes only!
For using this tool commercially, see the licence file!
There are already several login hacker tools available, however none does
either support more than one protocol to attack or support parallized
connects.
Currently this tool supports:
TELNET, FTP, HTTP, HTTPS, HTTP-PROXY, LDAP, SMB, SMBNT, MS-SQL, MySQL, REXEC,
SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, ICQ, SAP/R3, Cisco auth, Cisco enable,
SMTP-AUTH, SSH2, SNMP, CVS, Cisco AAA.
However the module engine for new services is very easy so it won't take a
long time until even more services are supported.
Planned are: SSH v1, Oracle and more.
Your help in writing these modules is highly appreciated!!
How to compile
--------------
Type "./configure" and then "make" and "make install".
If you have cygwin, you have to follow the instructions "./configure" prints
after running.
For PalmPilot, run "./configure-palm".
For ARM processor mobiles, run "./configure-arm".
Supported platforms
-------------------
All UNIX platforms (Linux, *BSD, Solaris, etc.)
Mac OS/X
Windows with cygwin (both IPv4 and IPv6)
Mobile systems with ARM processors and Linux (e.g. Zaurus, iPAQ)
PalmOS
How to Use
----------
Type "./configure", followed by "make" to compile Hydra and then
"./hydra -h" to see the command line options.
You may also type "make install" to install Hydra to /usr/local/bin.
Note that no login/password file is included. Generate them yourself.
For Linux users, a GTK GUI is available, try "./xhydra"
Special options for modules
---------------------------
Via the third command line parameter (target service optional) or the -m
command line option, you can pass one option to a module.
Only some modules actually use this, a few require this.
Here is the complete list:
Service           Module optional parameter
==============================================================================
www/http/ssl/https
                  specifies the page to authenticate at (required)
                  value can be "/secret" or "http://bla.com/foo/bar" or
                  "https://test.com:8080/members"
http-proxy        specifies the page to authenticate at (optional,
                  default http://www.suse.com/)
smbnt             value [L, LH, D, DH, B, BH] (required)
                  (L) check local accounts, (D) domain accounts, (B) either
                  (H) interpret passwords as NTLM hashes
ldap              specifies the DN (optional, you can also specify the DN
                  as login with -l)
cisco-enable      specifies the logon password for the Cisco device (required)
sapr3             specifies the client ID, a number between 0 and 99 (required)
telnet            specifies the string which is displayed after a successful
                  login (case insensitive), use if the default in the telnet
                  module produces too many false positives (optional)
An example for how to use this with the www module to hand over the web page
to authenticate at:
hydra -l jdoe -P /tmp/passlist www.attack.com http /members/
is the same as:
hydra -m /members/ -l jdoe -P /tmp/passlist www.attack.com http
Other example:
hydra -m LH -l Administrator -P sam.dump nt.microsoft.com smbnt
Still other example:
hydra -l gast -P gast -m 6 -s 3200 sapr3.sap.com sapr3
or
hydra -l bla -P blubb ms.com telnet "Welcome hacker"
Restoring an aborted/crashed session
------------------------------------
When Hydra is aborted with control-C, killed or crashes, it leaves a
"hydra.restore" file behind which contains all necessary information to
restore the session. This session file is written every 5 minutes.
Note: If you are cracking parallel hosts (-M option), this feature doesn't
work, and is therefore disabled!
Note: The hydra.restore file can not be copied to a different platform (e.g.
from little endian to big endian, or from Solaris to AIX)
How to scan/crack over a proxy
------------------------------
The environment variable HYDRA_PROXY_HTTP defines the web proxy (this works
just for the http/www service!).
The following syntax is valid:
HYDRA_PROXY_HTTP="http://proxy.example.com:8080/"
For all other services, use the HYDRA_PROXY_CONNECT variable to scan/crack
via a web proxy's CONNECT call. It uses the same syntax, e.g.:
HYDRA_PROXY_CONNECT=proxy.anonymizer.com:8000
If you require authentication for the proxy, use the HYDRA_PROXY_AUTH
environment variable:
HYDRA_PROXY_AUTH="the_login:the_password"
Additional hints
----------------
* Uniq your dictionary files! This can save you a lot of time
  cat words.txt | sort | uniq > dictionary.txt
* If you know that the target is using a password policy (allowing users
  only to choose passwords with a minimum length of 6, containing at least one
  letter and one number, etc.), use the tool pw-inspector which comes along
  with the Hydra package to reduce the password list:
  cat dictionary.txt | pw-inspector -m 6 -c 2 -n > passlist.txt
Options you will never see in Hydra
-----------------------------------
In this section I put feature requests which I will never implement in
Hydra - and why.
? Feeding login/passwords from stdin (e.g. from John)
# This will not be implemented as it would not be possible to use
A) the restore functionality and B) multiple targets.
Workarounds for B) would be possible, however ugly hacks which would
sometimes not work. As this feature therefore will not fit the other
standard functionality, you will never see it here.
Speed
-----
Through the parallelizing feature, this password cracker tool can be very
fast, however it depends on the protocol. The fastest is generally POP3,
then FTP, then telnet, and the least IMAP.
Experiment with the task option (-t) to speed things up! The higher, the
faster (but too high, and it disables the service).
Statistics
----------
Run against a SuSE Linux 7.2 on localhost with a "-C file" containing
295 entries (294 tries invalid logins, 1 valid). Every test was run three
times (only for "1 task" just once), and the average noted down.
                                P a r a l l e l   T a s k s
Service     1       4       8       16      32      50      64      100     128
---------------------------------------------------------------------------
telnet      *
ftp         45:54
pop3        92:10
imap        31:05
(*)
Note: telnet timings can be very different for 64 to 128 tasks! E.g.
128 tasks, running four times resulted in timings between 28 and 97 seconds!
The reason for this is unknown...
Guesses per task (rounded up):
            295     74      38      19      10      6       5       3
Guesses possible per connect (depends on the server software and config):
telnet      4
ftp         6
pop3        1
imap        3
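A defender-side counterpart to the speed and statistics figures above, added here as an example and not part of the Hydra README: a guesser running many parallel tasks, with several guesses per connection, shows up in a server's authentication log as a burst of failed logins from one source in a few seconds, often followed by a success. The script below parses a constructed log format and flags any (source, service) pair whose failures reach a threshold inside a sliding time window, and notes whether a successful login from that source followed the burst. The line layout, the sample lines, the addresses and the window/threshold values are all assumptions made for this example; real vsftpd or sshd logs need a different regular expression.

```python
"""Flag bursts of failed logins, the server-side trace of a parallel password
guesser.  Added example for this README, not part of Hydra.  The log format,
the sample lines, the addresses and the thresholds are all constructed for
this example; adapt LINE_RE to your real service logs."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> <service> login <failed|ok> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<service>\w+) login (?P<result>failed|ok) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: ten failures in five seconds from one source (what a
# guesser with a few parallel tasks looks like), then a success; plus two
# widely spaced failures from a user who simply mistyped.
SAMPLE_LOG = """\
2005-01-22T10:00:00 ftp login failed user=jdoe src=192.0.2.10
2005-01-22T10:00:00 ftp login failed user=jdoe src=192.0.2.10
2005-01-22T10:00:01 ftp login failed user=jdoe src=192.0.2.10
2005-01-22T10:00:01 ftp login failed user=jdoe src=192.0.2.10
2005-01-22T10:00:02 ftp login failed user=jdoe src=192.0.2.10
2005-01-22T10:00:02 ftp login failed user=jdoe src=192.0.2.10
2005-01-22T10:00:03 ftp login failed user=jdoe src=192.0.2.10
2005-01-22T10:00:03 ftp login failed user=jdoe src=192.0.2.10
2005-01-22T10:00:04 ftp login failed user=jdoe src=192.0.2.10
2005-01-22T10:00:04 ftp login failed user=jdoe src=192.0.2.10
2005-01-22T10:00:05 ftp login ok user=jdoe src=192.0.2.10
2005-01-22T10:00:30 ssh login failed user=alice src=198.51.100.7
2005-01-22T10:03:10 ssh login failed user=alice src=198.51.100.7
2005-01-22T10:07:45 ssh login ok user=alice src=198.51.100.7
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def find_bursts(lines, window_seconds=60, threshold=10):
    """Return one alert per (source, service) whose failed logins reach
    `threshold` within any `window_seconds` span.  Lines must be in time
    order, as they are in a log file.  An alert also records whether a
    successful login from the same source followed the burst."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # (src, service) -> failure timestamps in the window
    totals = defaultdict(int)     # (src, service) -> all failures seen
    users = defaultdict(set)      # (src, service) -> user names tried
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["src"], ev["service"])
        if ev["result"] == "ok":
            if key in alerts:
                alerts[key]["success_after_burst"] = True
            continue
        totals[key] += 1
        users[key].add(ev["user"])
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = {
                "src": ev["src"],
                "service": ev["service"],
                "failures_in_window": len(q),
                "window_start": q[0].isoformat(),
                "window_end": ev["ts"].isoformat(),
                "success_after_burst": False,
            }
    for key, alert in alerts.items():
        alert["total_failures"] = totals[key]
        alert["distinct_users"] = len(users[key])
    return list(alerts.values())


if __name__ == "__main__":
    for alert in find_bursts(SAMPLE_LOG.splitlines()):
        print(alert)
```

Tune the window and threshold per service: the "guesses possible per connect" figures above mean one connection can carry several attempts, so counting connections alone undercounts, whereas counting failed authentications, as here, does not. The distinct_users field separates a single-account dictionary run (one user, many passwords) from a spray across many accounts, which calls for a different response.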
Bugs & features
---------------
Email me if you find bugs or if you have written a new module.
vh@thc.org
Type bits/keyID    Date       User ID
pub  2048/CDD6A571            van Hauser/THC <vh@reptile.rug.ac.be>