Cisco AAA, Cisco auth, Cisco enable, CVS, FTP, HTTP(S)-FORM-GET, HTTP(S)-FORM-POST, HTTP(S)-GET, HTTP(S)-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MySQL, NNTP, Oracle Listener, Oracle SID, PC-Anywhere, PC-NFS, POP3, PostgreSQL, RDP, Rexec, Rlogin, Rsh, SIP, SMB(NT), SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.
Some important options used in Hydra are :
- -l
: use it you have a single user name - -L
: provide a list of users - -p
: for single password - -P
: password list - http-post-form "args" : for post request methods and the args are the data for related to our targets. it is divided into three parts " Path_for_target_page_or_form : field_name_to_brute_force : Check_strings_weather_failure_or_success ". And also note that at the check string part normally we can specify the failure results for example at wordpress login bruteforce, which returns "Error" at failure. And we can also put Success strings with S=, for exmaple in dvwa brute force we are using index.php which the dvwa will redirect if login attempt is successful. (the index.php string is returned by the response header at success.) Note : if the check strings is in the headers field, then it will just fine otherwise, sometimes it may not worked correctly.
- -V : for verbose mode
- -t
: specify number of thread to start (default is 16)
The required data is :
- The hostname/IP and URL
- Whether it is a HTTPS or HTTP service
- Whether the form supports GET or POST (or both)
- The parameters of the request
- The difference in response between success and failure
- Whether any session cookies are required to be set or maintained
- What lockout features and thresholds are enabled (if any)
Bruteforce web Logins :
For demonstration, i am using OWASPBWA vm, which you can download from here : https://sourceforge.net/projects/owaspbwa/. I am using wireshark to intercept the HTTP communication, you can also use other proxy tools like Burp suite, ZAP proxy etc. The url of the login page is "http://192.168.56.102/wordpress/wp-login.php". Now start wireshark at sniffing to virtual box "hostonly" network interface, and put the random username and password and hit login button.
Now go to wireshark and filter the sniffed data for http traffic
Now right click the packet with post requests and go to Follow > HTTP Stream
Now at the HTTP post requests we can see the format of login and password data.
which is ' log="username"&pwd="password"&submit=Login' , now this is the data we put on the bruteforce field. And in the response body there is an "Error" message.
So we can use this for weather it is failure or success. For this example i am using a username 'user' and a password list for passwords. Now the command will look like
hydra -l user -P /home/ajay/pentest/wordlist/general/common.txt 192.168.56.102 http-post-form "/wordpress/wp-login.php:log=^USER^&pwd=^PASS^&submit=submit:Error" -V
The output is
Now lets try with another web app dvwa :
Now scroll down at the Follow HTTP Stream window in wireshark and at the POST request we can see the format, which is 'username="username"&password="password"&Login=Login'.
And for check string, this time we are going to use 'S' flag which is nothing but for Success condition, it means when login attempts is successful then the web app will return redirect header 'Location: index.php', so we are going to use it as a check string. Now the command for login bruteforce will look like
The output is
Brute Forcing SSH password :
Conclusion :
So these are the very basic use of hydra, now from here you can start experimenting with Hydra.
Now lets try with another web app dvwa :
Now scroll down at the Follow HTTP Stream window in wireshark and at the POST request we can see the format, which is 'username="username"&password="password"&Login=Login'.
And for check string, this time we are going to use 'S' flag which is nothing but for Success condition, it means when login attempts is successful then the web app will return redirect header 'Location: index.php', so we are going to use it as a check string. Now the command for login bruteforce will look like
hydra -l user -P /home/ajay/pentest/wordlist/general/common.txt 192.168.56.102 http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:S=index.php" -V
The output is
Brute Forcing SSH password :
hydra 192.168.56.101 ssh -s 22 -l piuser -P pass.txt -e ns
Conclusion :
So these are the very basic use of hydra, now from here you can start experimenting with Hydra.