Passwords are one of the biggest security holes in any seemingly secure network or system. Install a $500 anti-virus, hire a dedicated cyber security team, do anything and everything you can, but if your password is weak none of it will matter. THC-Hydra is a famous login cracker which supports numerous protocols to attack. It is relatively easy to use and a highly efficient brute-forcer (well, as efficient as a brute-force attack can be). Although brute-force attacks are somewhat uncommon and never a recommended attack strategy, sometimes we just don’t have a choice. That’s where THC-Hydra comes in. (By the way, THC = The Hacker’s Choice.)
►Installing Hydra
Much like Nessus, Hydra needs a few formalities before we can actually use it: we need to download, extract, install, and configure it. (We can do this in just a few commands.) So let’s begin:
Open up the terminal (konsole) and type:
Once downloaded we now need to extract it:
»tar -xvf hydra-6.3-src.tar.gz
Now, configuring and installing (wait for the first command to complete, then type the second):
»./configure && make && make install
►Using THC Hydra
(Note: If you are attacking an FTP service, first make sure to run an nmap scan for any open FTP ports (by default it should be 21).)
In order to brute-force a specific login form you need to set a username. For example, a lot of networks use ‘admin’, and the admin account usually has the most privileges. (If you don’t know the username you can include a text file containing possible usernames.) You also need a password wordlist, the service used for attacking and the page itself. (Read on.)
Specifying all these parameters, the attack command will look something like:
»./hydra -l admin -P /root/Words.txt website.com http-post-form “/login.php&username=^USER^&password=^PASS^”
First, you need to let the konsole know you are using hydra, hence the “./hydra”. Next you need to set up the various parameters and variables. The general format is to type the “switch” first, for example ‘-l’ or ‘-P’, and then, right after a space, the string or the value. The various parameters are given below:
►-l = The username
►-L = List of usernames (If you don’t know the login).
►-p = The password
►-P = The directory for the wordlists
(The -p parameter is almost never used. Why would you want to brute force if you already know the password? -P is used almost always.)
If we’re attacking a web form over http and the method is post then we use “http-post-form”. As another example, if the service is FTP simply use “ftp”. You will have to sniff around the website that you want to get access to in order to find out exactly what it uses. Such information may be found in the URL, the “About” page or can be googled. (You can also right-click the page and click “View Source”.)
Another thing you should be aware of is that the variables username and password are not always the same. They differ depending on the website or service you are using. What I mean by this is that while one website uses ‘admin’, another might be using ‘administrator’. Viewing the page source, you can generally find out quite easily in which variables they are storing the values.
This was a rather small example. Like every other tool, Hydra has a variety of parameters and options that can prove very useful in different cases, and there are more of them than can be discussed here. (The ‘Help’ command can help you explore, but there’s no substitute for actually experimenting.)
The parameters discussed above are the ones most often used. Below are a few less common ones:
►-vV - The verbose mode. This mode shows you every login attempt hydra tries.
►-s - We specify the port on which we’re running our attack.
►-x - For brute-force parameters generation. We define our charset and minimum & maximum length of it.
►-R - Restores a previously aborted session of an attack.
►-e ns - Checks for blank or no password fields.
So an example of an advanced attack would look something like this:
»./hydra -L /root/usernames.txt
-e ns -vV -s 80
website.com http-post-form “/login.php&username=^USER^&password=^PASS^
(That’s all supposed to go within one command, one line)
Try deciphering what exactly this command does.
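Seen from the server on the receiving end, either command above shows up as a rapid run of POST requests to the login page from a single client, which is easy to spot in the web server's access log. The following Python is an added example, not part of the original tutorial; the log lines (combined log format), the 5-requests-in-10-seconds threshold and the function names are assumptions constructed for illustration:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Fields needed from a combined-log-format line: client IP, timestamp, method, path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*"'
)

def find_bruteforce(lines, login_path="/login.php", threshold=5, window_s=10):
    """Return {ip: peak POST count} for clients that sent at least `threshold`
    POSTs to `login_path` inside any `window_s`-second sliding window."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)    # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue               # skip malformed lines instead of crashing
        path = m["path"].split("?", 1)[0]
        if m["method"] != "POST" or path != login_path:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[m["ip"]] = max(peaks.get(m["ip"], 0), len(q))
    return peaks

def sample_log():
    """Constructed sample: 198.51.100.7 posts 8 times in 8 s; 203.0.113.5 is a normal user."""
    lines = [
        f'198.51.100.7 - - [12/Mar/2024:10:00:{s:02d} +0000] "POST /login.php HTTP/1.1" 200 1530'
        for s in range(8)
    ]
    lines.append('203.0.113.5 - - [12/Mar/2024:10:00:03 +0000] "POST /login.php HTTP/1.1" 302 0')
    lines.append('203.0.113.5 - - [12/Mar/2024:10:01:03 +0000] "POST /login.php HTTP/1.1" 302 0')
    lines.append('203.0.113.5 - - [12/Mar/2024:10:01:04 +0000] "GET /index.php HTTP/1.1" 200 5120')
    lines.append('not a log line')
    return lines

if __name__ == "__main__":
    for ip, peak in find_bruteforce(sample_log()).items():
        print(f"{ip}: {peak} login POSTs within 10 s")
```

A per-client counter like this is also the basis for account lockout or rate limiting on the login form, which is what makes a wordlist run impractical.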