Now the Tools – Pt.3 Hydra

Posted on October 23, 2008. Filed under: Auditing, Penetration Testing

Ok, part 3 of the series on tools used by auditors is based around Hydra.

Hydra is a software project developed by a German group called “The Hacker’s Choice” (THC). It uses a dictionary attack to test for weak or simple passwords on one or many remote hosts running a variety of services, and was designed as a proof-of-concept utility to demonstrate how easily poorly chosen passwords can be cracked.

The project supports a wide range of services and protocols: TELNET, FTP, HTTP, HTTPS, HTTP-PROXY, SMB, SMBNT, MS-SQL, MYSQL, REXEC, RSH, RLOGIN, CVS, SNMP, SMTP-AUTH, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, ICQ, SAP/R3, LDAP, PostgreSQL, Teamspeak, Cisco auth, Cisco enable, and Cisco AAA. It is licensed under version 2.0 of the GNU General Public License with the additional terms that the software may not be used for illegal purposes, and any commercial service or program that uses Hydra must give credit to THC.

The 5.0 release of Hydra, released in November 2005, marked the 10th anniversary of the hacking group. The current release is version 5.4, updated in March 2007.

THC-Hydra is a great login hacker for Samba, FTP, POP3, IMAP, Telnet, HTTP Auth, LDAP, NNTP, MySQL, VNC, ICQ, Socks5, PCNFS, Cisco and more. It includes SSL support and is part of Nessus. If you visit the project web site you will find Win32, Palm and ARM binaries. It is also included on the BackTrack ISO.

To start off with you need a standard dictionary file. I personally use one of about 2 to 3GB in size, but for this tutorial I’m only going to use a small password list. A side note on dictionaries is that you want to tailor them to the market you are auditing. I once audited an Alaskan health care organization where a large portion of the workforce spoke a language called Yupik. I compiled a dictionary around that language to use with Hydra for the audit.

The best word list page I have seen is on sourceforge’s site, http://wordlist.sourceforge.net/. Please let me know if you have other good locations.

First step, download Hydra either from its homepage (http://freeworld.thc.org/thc-hydra) or from the tools section on my site (http://greyhat-security.com/tools.html). If you download it from its actual homepage, make sure you choose the Windows version, as that’s what this tutorial is written for. Download the zip file, extract it, and make sure you see the files below:

If you do, that’s good. Go to Start > Run > cmd to open the command prompt. Then change to your Hydra folder using the “cd” command. For example, my Hydra folder was on the desktop, so I did this:

Now that you’ve done this, it’s time to execute Hydra for the first time! Sorry Windows fans, but there is only a GUI for Hydra on Linux systems, so you’re going to have to do it the old fashioned way. Just type “hydra.exe” without quotes, and watch the result:

Next, we will do a quick scan to find some IPs to attack. I would advise Nmap. You can download it from http://nmap.org – make sure to download the Windows installer. I will be doing a tutorial on it at some point in the future. Install it. Find out your IP address, so that you know a possible IP range. In the command prompt session, type “ipconfig” and watch the results:

In my case, the range is at least 10.1.1.1-4, but I’ll go from 1 to 10 just to be safe. Fire up Nmap and do a ping scan “nmap -sP 10.1.1.1-10” to see what hosts are alive, and wait for the results:

Pick a host to port scan – I picked 10.1.1.1 because it is a router, and for most people the password is generally pretty simple, if not default. Port scan it using something like “nmap -sS -sV -P 0 -T5 -O 10.1.1.1” and see if it’s running any services (click on the “Ports/Hosts” tab at the end for a simpler view of the services running and their ports):

As I’ve indicated by circling, I’ll be attacking the Telnet port because I know that it works, because I know you guys think Telnet is the be-all and end-all of hacking, and because the Windows version of THC-Hydra isn’t compiled with LIBSSH support (unless you did it yourself), and as such I can’t attack SSH – otherwise I’d be doing that instead. It’s so much better. Head back to your command session, and review the output from Hydra before; it tells you the services it can crack. After looking through it, and realizing that Telnet definitely is there, we can now proceed to attack it with the command “hydra -l admin -P passlist.txt 10.1.1.1 telnet” as is demonstrated here:

An explanation of the command: -l admin was used because I assumed that the router would have the login of “admin”. You can use username lists as well if you wish. -P passlist.txt specifies a password dictionary named “passlist.txt” – make sure the -P has a capital P, otherwise you’ll be specifying a single password to try. 10.1.1.1 is the router’s IP address, and telnet is the protocol we want to attack. Now obviously we could tell it to attack that protocol on a different port, but we won’t bother with that right now unless anyone else wants to see how. My dictionary only included 4 words for the purpose of this tutorial. You can see the cracked password circled at the end (which, by the way, isn’t my password for the router, for those of you who know how to get my IP and want to try and break in). And that’s how to do a basic Hydra service crack on Windows.
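A defender-side complement to the dictionary run above, added here and not part of the original post: a small Python script that spots the burst of failed logins a dictionary tool produces against a single account on a Telnet host, and notes whether a success followed the burst. The syslog-style line layout, host name, addresses and user names are constructed for the example and are not from any real log.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (syslog-like layout assumed for the example).
SAMPLE_LOG = """\
Oct 23 14:02:01 router login[812]: FAILED LOGIN FROM 10.1.1.5 FOR admin
Oct 23 14:02:02 router login[812]: FAILED LOGIN FROM 10.1.1.5 FOR admin
Oct 23 14:02:02 router login[812]: FAILED LOGIN FROM 10.1.1.5 FOR admin
Oct 23 14:02:03 router login[812]: LOGIN SUCCESS FROM 10.1.1.5 FOR admin
Oct 23 14:10:15 router login[913]: FAILED LOGIN FROM 10.1.1.7 FOR bob
Oct 23 14:25:40 router login[920]: FAILED LOGIN FROM 10.1.1.7 FOR bob
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+: "
    r"(?P<result>FAILED LOGIN|LOGIN SUCCESS) FROM (?P<src>\S+) FOR (?P<user>\S+)$"
)

def parse_line(line, year=2008):
    """Return (timestamp, source, user, failed) or None for unmatched lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["user"], m["result"] == "FAILED LOGIN"

def find_bruteforce(log_text, threshold=3, window_s=60):
    """Alert on any source that reaches `threshold` failed logins inside a
    sliding window of `window_s` seconds; a later success from the same
    source marks the alert as a probable compromise."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    recent = defaultdict(list)   # source -> timestamps of recent failures
    alerts = {}
    for ts, src, user, failed in events:
        if failed:
            q = recent[src]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:  # expire old ones
                q.pop(0)
            if len(q) >= threshold and src not in alerts:
                alerts[src] = {"user": user, "first": q[0], "success": False}
        elif src in alerts:
            alerts[src]["success"] = True
    return alerts

if __name__ == "__main__":
    for src, info in find_bruteforce(SAMPLE_LOG).items():
        print(src, info)
```

The two slow failures from 10.1.1.7 fall outside the window and are not flagged, while the rapid run from 10.1.1.5 is, with the subsequent success recorded.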
