Tool introduction
Hydra (THC-Hydra) is a very powerful brute-force password-cracking tool; whether a password can actually be cracked depends mostly on how good the dictionary is. It supports account and password cracking for many service protocols, including web logins, databases, SSH, FTP and other services, and can be installed on Linux, Windows and macOS.
The tool supports brute-forcing the following protocols:
AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP, SOCKS5, SSH (v1 and v2), Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.
Tool installation
Hydra ships with Kali Linux. The steps below cover installation on Windows.
zip download address: https://gitcode.com/maaaaz/thc-hydra-windows/tree/master
Unzip after downloading:
Then add the thc-hydra-windows-master path to the system PATH variable.
Then open cmd in that directory and enter:
```
hydra -h
```
If the normal help output appears, the installation succeeded.
Detailed analysis of usage
Common parameters
Hydra is a command-line tool; every operation is driven by commands and parameters, as listed in the table below:
| Option | Description |
|---|---|
| -R | Continue the previous cracking session |
| -I | Ignore an existing restore file (do not wait 10 seconds) |
| -s PORT | Specify the port (without -s the service's default port is used) |
| -l LOGIN | Specify a single login name to crack |
| -L FILE | Load multiple login names from a file |
| -p PASS | Specify a single password |
| -P FILE | Load passwords from a dictionary file |
| -x MIN:MAX:CHARSET | Generate passwords by brute force |
| -y | Do not use symbols when generating brute-force passwords |
| -r | Use a non-random order with option -x |
| -e nsr | n: try an empty password, s: try the specified login name as the password |
| -u | Loop around users rather than passwords |
| -C FILE | Colon-separated file of username and password in "login:pass" format |
| -M FILE | List of servers to attack, one entry per line; ':' specifies the port |
| -o FILE | Write the found login/password pairs to a file (saves the results) |
| -b FORMAT | Output format for -o: text (default), json or jsonv1 |
| -f / -F | Stop once a login/password pair is found: -f per host, -F for all hosts |
| -t TASKS | Number of parallel connections per host (default 16) |
| -T TASKS | Total number of parallel connections across all hosts (default 64) |
| -w / -W TIME | Maximum wait time for a response / per connection |
| -c TIME | Wait time per login attempt for all threads |
| -4 / -6 | Use IPv4 (default) / IPv6 addresses |
| -v / -V / -d | Verbose mode / show the login and password for each attempt / debug mode |
| -k | Do not redo failed attempts (for -M batch scans) |
| -q | Do not print connection error messages |
| -U | Show detailed usage information for a service module |
| -vV | Show execution details |
The same list is also available via `hydra -h`:
FTP service password cracking
This example is essentially the same as brute-forcing with Burp.
Set up an FTP server in Kali with the login account admin and the password 123, and prepare a password dictionary passwd.txt:
Once the username admin is known, hydra can be used to crack the password:
```
hydra -l admin -P Desktop/passwd.txt ftp://127.0.0.1
```
The output is shown below. Because admin's password is in the dictionary, the crack succeeds:
If neither the username nor the password is known, both are attacked by dictionary. For every username tried, the whole password dictionary is traversed:
```
hydra -L ./username.txt -P ./password.txt -t 2 -f ftp://127.0.0.1
```
MySQL password cracking
Set up a MySQL server on the host machine with the login account root and the password root:
Prepare a password dictionary passwd.txt on Kali:
Once the username root is known, hydra can be run from Kali to crack the password (make sure the two machines can ping each other):
```
hydra -l root -P Desktop/passwd.txt 192.168.xxx.xxx mysql
```
This case is for illustration only; in a real environment replace 192.168.xxx.xxx with the target IP.
If neither the username nor the password is known, both are attacked by dictionary. For every username tried, the whole password dictionary is traversed:
```
hydra -L ./user.txt -P ./password.txt -t 2 -f 192.168.xx.xx mysql
```
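The defender's view of the FTP and MySQL runs above, as an added example written for this page (it is not code from the original article or from the Hydra project). It parses constructed log lines in the layout of vsftpd's default log and of MySQL 8's error log, counts failed logins per source address in a sliding window, and raises one alert when a source crosses the failure threshold and another when an already-flagged source later logs in successfully, which is exactly the moment the dictionary contained the right password. The log layouts, the threshold of five failures in 60 seconds and the sample addresses are assumptions for the example.

```python
"""Spot hydra-style dictionary attacks in vsftpd and MySQL error logs.

The sample log below is constructed for this example. Line layouts follow
vsftpd's default log and MySQL 8's error log ("Access denied"), which is an
assumption about the monitored deployment.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# vsftpd: Sun Mar  3 10:00:01 2024 [pid 1201] [admin] FAIL LOGIN: Client "10.0.0.5"
VSFTPD_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]+)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<src>[^"]+)"'
)
# MySQL's error log records only the failures; successful logins need the
# general log or an audit plugin, so no success events come from this source.
MYSQL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)\.\d+Z \d+ \[\w+\] \[MY-\d+\] \[Server\] "
    r"Access denied for user '(?P<user>[^']+)'@'(?P<src>[^']+)'"
)

# Constructed sample: a dictionary run against admin from 10.0.0.5 (five misses,
# then a hit), one honest typo from 10.0.0.9, then the same source hammering MySQL root.
SAMPLE_LOG = """\
Sun Mar  3 10:00:01 2024 [pid 1201] [admin] FAIL LOGIN: Client "10.0.0.5"
Sun Mar  3 10:00:01 2024 [pid 1202] [admin] FAIL LOGIN: Client "10.0.0.5"
Sun Mar  3 10:00:02 2024 [pid 1203] [admin] FAIL LOGIN: Client "10.0.0.5"
Sun Mar  3 10:00:02 2024 [pid 1204] [bob] FAIL LOGIN: Client "10.0.0.9"
Sun Mar  3 10:00:03 2024 [pid 1205] [admin] FAIL LOGIN: Client "10.0.0.5"
Sun Mar  3 10:00:03 2024 [pid 1206] [admin] FAIL LOGIN: Client "10.0.0.5"
Sun Mar  3 10:00:04 2024 [pid 1207] [admin] OK LOGIN: Client "10.0.0.5"
Sun Mar  3 10:00:09 2024 [pid 1208] [bob] OK LOGIN: Client "10.0.0.9"
2024-03-03T10:05:00.000001Z 12 [Note] [MY-010926] [Server] Access denied for user 'root'@'10.0.0.5' (using password: YES)
2024-03-03T10:05:00.000002Z 13 [Note] [MY-010926] [Server] Access denied for user 'root'@'10.0.0.5' (using password: YES)
2024-03-03T10:05:01.000003Z 14 [Note] [MY-010926] [Server] Access denied for user 'root'@'10.0.0.5' (using password: YES)
2024-03-03T10:05:01.000004Z 15 [Note] [MY-010926] [Server] Access denied for user 'root'@'10.0.0.5' (using password: YES)
2024-03-03T10:05:02.000005Z 16 [Note] [MY-010926] [Server] Access denied for user 'root'@'10.0.0.5' (using password: YES)
"""


@dataclass
class LoginEvent:
    ts: datetime
    service: str
    src: str
    user: str
    ok: bool


def parse_line(line):
    """Normalise one log line into a LoginEvent, or None if it is not a login record."""
    m = VSFTPD_RE.match(line)
    if m:
        # collapse vsftpd's day padding ("Mar  3") before parsing
        ts = datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y")
        return LoginEvent(ts, "ftp", m["src"], m["user"], m["result"] == "OK")
    m = MYSQL_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        return LoginEvent(ts, "mysql", m["src"], m["user"], False)
    return None


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return alerts: 'bruteforce' once a (service, source) reaches `threshold`
    failures inside `window`, and 'credential_found' when a flagged source then succeeds."""
    recent = defaultdict(deque)   # (service, src) -> timestamps of recent failures
    flagged = set()
    alerts = []
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e.ts)   # stable, so same-second lines keep file order
    for e in events:
        key = (e.service, e.src)
        if e.ok:
            if key in flagged:
                alerts.append({"type": "credential_found", "service": e.service,
                               "src": e.src, "user": e.user, "at": e.ts.isoformat()})
            continue
        q = recent[key]
        q.append(e.ts)
        while q and e.ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in flagged:
            flagged.add(key)
            alerts.append({"type": "bruteforce", "service": e.service, "src": e.src,
                           "failures": len(q), "at": e.ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

With `-t 16` Hydra opens many connections at once, so the failures land in the same second or two and even a short window catches them; the single `bob` typo from 10.0.0.9 stays below the threshold and raises nothing. Against real files, pass the open file object as `lines`.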
SMB service password cracking
The SMB service can be cracked in the same way; an example is given below:
HTTP service password cracking
An example of cracking an HTTP login form is shown below:
```
hydra -l <account> -P <dictionary> -vV -f <domain> http-post-form "/admin/index.php:user=^USER^&ps=^PASS^&action=login:login-error"
```
The form URL is /admin/index.php and it has two fields, user and ps. ^USER^ and ^PASS^ are Hydra's placeholders; while cracking they are replaced with values from the username and password dictionaries. Finally, :login-error is the string found in the response to a failed login, and it is used to decide whether a password attempt succeeded. In this example ^USER^ is always admin and ^PASS^ is traversed through the dictionary.
When constructing the POC, the form parameters have to be identified by capturing the login request.
An example is shown below:
The login interface of this website is logincheck.asp, and the form submits the parameters muser and passwd.
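The server-side counterpart of the `login-error` marker, as an added example written for this page (not code from the original article or from Hydra). A small lockout policy keeps per-account and per-source failure counters, stops checking passwords once a limit is reached, and returns the same `login-error` string for every rejection, so a dictionary run like the one above gets locked out after a handful of attempts even when the right password is further down the list. `LoginGuard`, `verify`, the SHA-256 demo credential store, the limits and the wordlist are all constructed for this example.

```python
"""Account and source lockout for a login form, the defence against hydra's
http-post-form runs. Everything here is constructed for the example."""
import hashlib
import hmac
from collections import defaultdict

# Demo credential store: username -> sha256(password). Unsalted SHA-256 keeps the
# example short; a real form would use a slow password hash such as argon2 or bcrypt.
USERS = {"admin": hashlib.sha256(b"S3cure!pass").hexdigest()}
_DUMMY = hashlib.sha256(b"").hexdigest()


def verify(user, password):
    """Constant-time credential check; unknown users cost the same as known ones."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    match = hmac.compare_digest(digest, USERS.get(user, _DUMMY))
    return user in USERS and match


class LoginGuard:
    LOGIN_ERROR = "login-error"   # one failure marker for every rejection, whatever the reason

    def __init__(self, max_per_account=5, max_per_source=20, lockout=900.0):
        self.max_per_account = max_per_account
        self.max_per_source = max_per_source
        self.lockout = lockout                 # seconds, also the failure-counting window
        self.failures = defaultdict(list)      # key -> timestamps of recent failures
        self.locked_until = {}                 # key -> time the lock expires
        self.verify_calls = 0                  # how often the password was actually checked

    def _locked(self, key, now):
        return self.locked_until.get(key, 0.0) > now

    def _record_failure(self, key, now, limit):
        kept = [t for t in self.failures[key] if now - t < self.lockout]
        kept.append(now)
        if len(kept) >= limit:
            self.locked_until[key] = now + self.lockout
            kept = []
        self.failures[key] = kept

    def attempt(self, now, src, user, password):
        """Handle one login attempt at time `now` (seconds) and return the response marker."""
        ukey, skey = ("user", user), ("src", src)
        if self._locked(ukey, now) or self._locked(skey, now):
            return self.LOGIN_ERROR            # rejected without touching the password store
        self.verify_calls += 1
        if verify(user, password):
            self.failures.pop(ukey, None)
            return "ok"
        self._record_failure(ukey, now, self.max_per_account)
        self._record_failure(skey, now, self.max_per_source)
        return self.LOGIN_ERROR


# Constructed wordlist; the real password sits at position 8, which a run with
# the default limit of five failures per account never reaches.
WORDLIST = ["123456", "password", "admin", "123", "qwerty",
            "letmein", "welcome", "S3cure!pass", "root", "toor"]


def simulate_dictionary_attack(guard, wordlist, src="10.0.0.5", user="admin", start=0.0):
    """Replay a wordlist against one account, one attempt every 0.1 s, and return the responses."""
    return [guard.attempt(start + i * 0.1, src, user, pw) for i, pw in enumerate(wordlist)]


if __name__ == "__main__":
    guard = LoginGuard()
    print(simulate_dictionary_attack(guard, WORDLIST))
    print("passwords actually checked:", guard.verify_calls)
```

Two properties matter for the form case above. Every rejection carries the identical `login-error` string, so the response never distinguishes a wrong password from a locked account. And the per-account lock is a deliberate trade-off: while the attacker's run is locked out, the legitimate owner of `admin` is also refused from any source until the window expires, which is why the source limit is the first line and the account limit the backstop.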